Linux Analysis Report
e6

ID:	1430717
Product:	CloudBasic
Start time:	04:55:47
Start date:	24.04.2024
Sample:	e6
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Architecture:	LINUX
MD5:	8d7aee78e82865f035bc1bc34552cdbd
SHA1:	d59c885ba7deef2a3574c10526aa374f3712b28e
SHA256:	a1bc4dcc43c2a6f64c941c2af0c18299a1c44bb700e6f676cb675e38aeb77785
Filetype:	ELF Executable and Linkable format (Linux) (4029/14) 50.16%

Name	Type	MD5	SHA1	SHA256

Bitcoin Miner

Source: /tmp/e6 (PID: 6223)

Reads CPU info from /sys: /sys/devices/system/cpu/online

Jump to behavior

Networking

Source: e6, 6223.1.00000000006a7000.00000000006ae000.rw-.sdmp	String found in binary or memory: 4. As for your data, if we fail to agree, we will try to sell personal information/trade secrets/databases/source codes - generally speaking, everything that has a value on the darkmarket - to multiple threat actors at ones. Then all of this will be published in our blog - https://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion.
Source: e6, 6223.1.00000000006a7000.00000000006ae000.rw-.sdmp	String found in binary or memory: 2. Paste this link - https://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion.
Source: e6	String found in binary or memory: 4. As for your data, if we fail to agree, we will try to sell personal information/trade secrets/databases/source codes - generally speaking, everything that has a value on the darkmarket - to multiple threat actors at ones. Then all of this will be published in our blog - https://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion.
Source: e6	String found in binary or memory: 2. Paste this link - https://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion.

Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42

Source: e6	String found in binary or memory: https://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion.
Source: e6	String found in binary or memory: https://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion.
Source: e6	String found in binary or memory: https://bugs.launchpad.net/ubuntu/
Source: e6	String found in binary or memory: https://gcc.gnu.org/bugsNSt7__cxx1115basic_stringbufIcSt11char_traitsIcESaIcEEE
Source: e6	String found in binary or memory: https://gcc.gnu.org/bugsNSt7__cxx1115basic_stringbufIcSt11char_traitsIcESaIcEEENSt7__cxx1119basic_is
Source: e6	String found in binary or memory: https://www.torproject.org/download/.

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Source: LOAD without section mappings

Program segment: 0x400000

Source: classification engine

Classification label: sus22.evad.lin@0/0@0/0

Malware Analysis System Evasion

Source: /tmp/e6 (PID: 6223)

Reads CPU info from /sys: /sys/devices/system/cpu/online

Jump to behavior

Source: /tmp/e6 (PID: 6223)

Queries kernel information via 'uname':

Jump to behavior