
Linux Analysis Report
xd.x86.elf

Overview

General Information

Sample name: xd.x86.elf
Analysis ID: 1669035
MD5: 924aa5c4d04108f30f487aa3d71424fd
SHA1: d5ff6d30f2e7e573427a619c6ca052de3318059a
SHA256: 6e913e519b174fd6f62fd421733d55af85d8389baaf7a1b4e0c8d88175abdf03
Tags: elf, user-abuse_ch

Detection

Score: 60
Range: 0 - 100

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample is packed with UPX
Detected TCP or UDP traffic on non-standard ports
ELF contains segments with high entropy indicating compressed/encrypted content
Sample contains only a LOAD segment without any section mappings
Yara signature match

Classification

Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1669035
Start date and time: 2025-04-19 05:39:24 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 22s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: xd.x86.elf
Detection: MAL
Classification: mal60.evad.linELF@0/0@0/0
Command: /tmp/xd.x86.elf
PID: 5441
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:
connecterror
Standard Error:

Process tree:
  • system is lnxubuntu20
  • xd.x86.elf (PID: 5441, Parent: 5367, MD5: 924aa5c4d04108f30f487aa3d71424fd) Arguments: /tmp/xd.x86.elf
  • cleanup
Yara matches (Source, Rule, Description, Author, Strings):

Source: 5441.1.0000000008048000.0000000008053000.r-x.sdmp
Rule: Linux_Trojan_Gafgyt_28a2fe0c
Description: unknown
Author: unknown
Strings:
  • 0x9200:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x9214:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x9228:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x923c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x9250:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x9264:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x9278:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x928c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x92a0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x92b4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x92c8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x92dc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x92f0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x9304:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x9318:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x932c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x9340:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x9354:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x9368:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x937c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x9390:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F

Source: 5441.1.0000000008048000.0000000008053000.r-x.sdmp
Rule: Linux_Trojan_Mirai_b14f4c5d
Description: unknown
Author: unknown
Strings:
  • 0x56d0:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3

Source: 5441.1.0000000008048000.0000000008053000.r-x.sdmp
Rule: Linux_Trojan_Mirai_88de437f
Description: unknown
Author: unknown
Strings:
  • 0x6cc2:$a: 24 08 8B 4C 24 04 85 D2 74 0D 31 C0 89 F6 C6 04 08 00 40 39 D0

Source: 5441.1.0000000008048000.0000000008053000.r-x.sdmp
Rule: Linux_Trojan_Mirai_389ee3e9
Description: unknown
Author: unknown
Strings:
  • 0x86b8:$a: 89 45 00 EB 2C 8B 4B 04 8B 13 8B 7B 18 8B 01 01 02 8B 02 83

Source: 5441.1.0000000008048000.0000000008053000.r-x.sdmp
Rule: Linux_Trojan_Mirai_cc93863b
Description: unknown
Author: unknown
Strings:
  • 0x71b1:$a: C3 57 8B 44 24 0C 8B 4C 24 10 8B 7C 24 08 F3 AA 8B 44 24 08
No Suricata rule has matched

AV Detection

Source: xd.x86.elf; ReversingLabs: Detection: 50%
Source: xd.x86.elf; Virustotal: Detection: 42%
Source: global traffic; TCP traffic: 192.168.2.13:37808 -> 209.141.33.93:5538
Source: unknown; TCP traffic detected without corresponding DNS query: 209.141.33.93
Source: xd.x86.elf; String found in binary or memory: http://upx.sf.net

System Summary

Source: 5441.1.0000000008048000.0000000008053000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5441.1.0000000008048000.0000000008053000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: 5441.1.0000000008048000.0000000008053000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: 5441.1.0000000008048000.0000000008053000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: 5441.1.0000000008048000.0000000008053000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 5441.1.0000000008048000.0000000008053000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: LOAD without section mappings; Program segment: 0xc01000
Source: 5441.1.0000000008048000.0000000008053000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5441.1.0000000008048000.0000000008053000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: 5441.1.0000000008048000.0000000008053000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: 5441.1.0000000008048000.0000000008053000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: 5441.1.0000000008048000.0000000008053000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 5441.1.0000000008048000.0000000008053000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: classification engine; Classification label: mal60.evad.linELF@0/0@0/0

Data Obfuscation

Source: initial sample; String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample; String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $
Source: xd.x86.elf; Submission file: segment LOAD with 7.8649 entropy (max. 8.0)
MITRE ATT&CK matrix (only tactics with a matched technique are listed):
  • Defense Evasion: Obfuscated Files or Information
  • Command and Control: Non-Standard Port
No configs have been found
Behavior Graph (ID: 1669035; sample: xd.x86.elf; start date: 19/04/2025; architecture: LINUX; score: 60):
  • Process: xd.x86.elf started; child process xd.x86.elf started
  • Network: 209.141.33.93, ports 37808 and 5538, PONYNETUS, United States
  • Signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Sample is packed with UPX

Antivirus results (Source, Detection, Scanner, Label):
  • xd.x86.elf: 50%, ReversingLabs, Linux.Worm.Mirai
  • xd.x86.elf: 42%, Virustotal
No Antivirus matches

No contacted domains info
URLs (Name, Source, Malicious, Antivirus Detection, Reputation):
  • http://upx.sf.net: source xd.x86.elf, malicious: false, antivirus detection: none, reputation: high
IPs (IP, Domain, Country, ASN, ASN Name, Malicious):
  • 209.141.33.93: domain unknown, United States, ASN 53667, PONYNETUS, malicious: false
Context for IP 209.141.33.93 (Associated Sample Name, Detection, Threat Name):
  • xd.arm7.elf: malicious, Mirai
  • xd.x86_64.elf: malicious, Unknown
  • xd.arm5.elf: malicious, Unknown
  • xd.arm.elf: malicious, Unknown
  • xd.sh4.elf: malicious, Unknown
  • xd.m68k.elf: malicious, Unknown
  • xd.ppc.elf: malicious, Unknown
  • xd.arm.elf: malicious, Unknown
  • xd.spc.elf: malicious, Unknown
No context
Context for ASN PONYNETUS (Associated Sample Name, Detection, Threat Name, IP):
  • xd.arm7.elf: malicious, Mirai, 209.141.33.93
  • xd.x86_64.elf: malicious, Unknown, 209.141.33.93
  • xd.arm5.elf: malicious, Unknown, 209.141.33.93
  • xd.arm.elf: malicious, Unknown, 209.141.33.93
  • t.elf: malicious, Unknown, 205.185.124.66
  • xd.sh4.elf: malicious, Unknown, 209.141.33.93
  • xd.m68k.elf: malicious, Unknown, 209.141.33.93
  • xd.ppc.elf: malicious, Unknown, 209.141.33.93
  • xd.arm.elf: malicious, Unknown, 209.141.33.93
  • xd.spc.elf: malicious, Unknown, 209.141.33.93
No context
No context
No created / dropped files found

File type: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, no section header
Entropy (8bit): 7.858562389799457
TrID:
  • ELF Executable and Linkable format (Linux) (4029/14) 50.16%
  • ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name: xd.x86.elf
File size: 20'068 bytes
MD5: 924aa5c4d04108f30f487aa3d71424fd
SHA1: d5ff6d30f2e7e573427a619c6ca052de3318059a
SHA256: 6e913e519b174fd6f62fd421733d55af85d8389baaf7a1b4e0c8d88175abdf03
SHA512: b164692358d9853a8a73375b89738d5abcb69a19cc333b5b123bffd736a5fc454619dbe3783a6ed249ddacfc9ff144ae552b10045f16c813075e99ae4f44ec04
SSDEEP: 384:Mx/sti8Q1OOs09u1k/ABs7shvElCKN2eXTkEDNfMY5lXFEnkTiq2Vn01+v1RI:e8QEFtRs7shyzBTkqBMY5l1ExLnZI
TLSH: 1292C09D992C9E97DC469471B276CB8FF051CC9C9F0E01D4BA8DE143E092119D92FBC8
File Content Preview: .ELF.....................U..4...........4. ...(.....................cM..cM...................y...y..................Q.td...............................4UPX!....................Z........?d..ELF.......d.......4. ..4. (.......k.-.#.`...........?..2..|.|Gd..l

ELF header

Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
Machine: Intel 80386
Version Number: 0x1
Type: EXEC (Executable file)
OS/ABI: UNIX - Linux
ABI Version: 0
Entry Point Address: 0xc05580
Flags: 0x0
ELF Header Size: 52
Program Header Offset: 52
Program Header Size: 32
Number of Program Headers: 3
Section Header Offset: 0
Section Header Size: 40
Number of Section Headers: 0
Header String Table Index: 0

Program headers (Type, Offset, Virtual Address, Physical Address, File Size, Memory Size, Entropy, Flags, Flags Description, Align, Prog Interpreter, Section Mappings):
  • LOAD: offset 0x0, vaddr 0xc01000, paddr 0xc01000, file size 0x4d63, memory size 0x4d63, entropy 7.8649, flags 0x5 (R E), align 0x1000
  • LOAD: offset 0x9e0, vaddr 0x80579e0, paddr 0x80579e0, file size 0x0, memory size 0x0, entropy 0.0000, flags 0x6 (RW), align 0x1000
  • GNU_STACK: offset 0x0, vaddr 0x0, paddr 0x0, file size 0x0, memory size 0x0, entropy 0.0000, flags 0x6 (RW), align 0x4

TCP packets (Timestamp | Source Port | Dest Port | Source IP | Dest IP):
Apr 19, 2025 05:40:16.091209888 CEST | 37808 | 5538 | 192.168.2.13 | 209.141.33.93
Apr 19, 2025 05:40:16.234872103 CEST | 5538 | 37808 | 209.141.33.93 | 192.168.2.13
Apr 19, 2025 05:40:16.235008001 CEST | 37808 | 5538 | 192.168.2.13 | 209.141.33.93
Apr 19, 2025 05:40:16.235150099 CEST | 37808 | 5538 | 192.168.2.13 | 209.141.33.93
Apr 19, 2025 05:40:16.378573895 CEST | 5538 | 37808 | 209.141.33.93 | 192.168.2.13
Apr 19, 2025 05:40:16.378838062 CEST | 37808 | 5538 | 192.168.2.13 | 209.141.33.93
Apr 19, 2025 05:40:16.522361040 CEST | 5538 | 37808 | 209.141.33.93 | 192.168.2.13
Apr 19, 2025 05:40:26.245229959 CEST | 37808 | 5538 | 192.168.2.13 | 209.141.33.93
Apr 19, 2025 05:40:26.388715029 CEST | 5538 | 37808 | 209.141.33.93 | 192.168.2.13
Apr 19, 2025 05:40:26.388787985 CEST | 5538 | 37808 | 209.141.33.93 | 192.168.2.13
Apr 19, 2025 05:40:26.389034986 CEST | 37808 | 5538 | 192.168.2.13 | 209.141.33.93
Apr 19, 2025 05:40:41.581475973 CEST | 5538 | 37808 | 209.141.33.93 | 192.168.2.13
Apr 19, 2025 05:40:41.581659079 CEST | 37808 | 5538 | 192.168.2.13 | 209.141.33.93
Apr 19, 2025 05:40:56.725488901 CEST | 5538 | 37808 | 209.141.33.93 | 192.168.2.13
Apr 19, 2025 05:40:56.725661993 CEST | 37808 | 5538 | 192.168.2.13 | 209.141.33.93
Apr 19, 2025 05:41:11.869412899 CEST | 5538 | 37808 | 209.141.33.93 | 192.168.2.13
Apr 19, 2025 05:41:11.869586945 CEST | 37808 | 5538 | 192.168.2.13 | 209.141.33.93
Apr 19, 2025 05:41:26.449187994 CEST | 37808 | 5538 | 192.168.2.13 | 209.141.33.93
Apr 19, 2025 05:41:26.592852116 CEST | 5538 | 37808 | 209.141.33.93 | 192.168.2.13
Apr 19, 2025 05:41:26.592941046 CEST | 37808 | 5538 | 192.168.2.13 | 209.141.33.93
Apr 19, 2025 05:41:41.741337061 CEST | 5538 | 37808 | 209.141.33.93 | 192.168.2.13
Apr 19, 2025 05:41:41.741470098 CEST | 37808 | 5538 | 192.168.2.13 | 209.141.33.93
Apr 19, 2025 05:41:56.885076046 CEST | 5538 | 37808 | 209.141.33.93 | 192.168.2.13
Apr 19, 2025 05:41:56.885175943 CEST | 37808 | 5538 | 192.168.2.13 | 209.141.33.93
Apr 19, 2025 05:42:12.029207945 CEST | 5538 | 37808 | 209.141.33.93 | 192.168.2.13
Apr 19, 2025 05:42:12.029325008 CEST | 37808 | 5538 | 192.168.2.13 | 209.141.33.93

System Behavior

Start time (UTC): 03:40:10
Start date (UTC): 19/04/2025
Path: /tmp/xd.x86.elf
Arguments: /tmp/xd.x86.elf
File size: 20068 bytes
MD5 hash: 924aa5c4d04108f30f487aa3d71424fd

Start time (UTC): 03:40:15
Start date (UTC): 19/04/2025
Path: /tmp/xd.x86.elf
Arguments: -
File size: 20068 bytes
MD5 hash: 924aa5c4d04108f30f487aa3d71424fd