
Analysis Report 86ac68e5b09d1c4b157193bb6cb34007_2.elf

Overview

General Information

Joe Sandbox Version:26.0.0 Aquamarine
Analysis ID:167253
Start date:25.08.2019
Start time:18:01:39
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 3m 42s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:86ac68e5b09d1c4b157193bb6cb34007_2.elf
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 59.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
Detection:UNKNOWN
Classification:unknown1.linELF@0/0@0/0
Errors:
  • Nothing to analyse, Joe Sandbox has not found any analysis process or sample

Detection

Strategy | Score | Range | Reporting | Whitelisted | Detection
Threshold | 1 | 0 - 100 | false | | unknown

Classification

Analysis Advice

A non-zero exit code suggests an error during execution. Look up the error code for hints.



Mitre Att&ck Matrix

Techniques listed per tactic column; (1) marks a technique matched by one signature in this analysis.

Initial Access: Valid Accounts; Replication Through Removable Media; Drive-by Compromise
Execution: Command-Line Interface (1); Service Execution; Windows Management Instrumentation
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features
Privilege Escalation: Port Monitors; Accessibility Features; Path Interception
Defense Evasion: File System Logical Offsets; Binary Padding; Rootkit
Credential Access: Credential Dumping; Network Sniffing; Input Capture
Discovery: Security Software Discovery (1); Application Window Discovery; Query Registry
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Exfiltration: Data Encrypted (1); Exfiltration Over Other Network Medium; Automated Exfiltration
Command and Control: Standard Cryptographic Protocol (1); Standard Non-Application Layer Protocol (1); Standard Application Layer Protocol (1)

Signature Overview

Networking:

Connects to IPs without corresponding DNS lookups
Source: unknown | TCP traffic detected without corresponding DNS query: 91.189.92.19 (reported three times)
Urls found in memory or binary data
Source: 86ac68e5b09d1c4b157193bb6cb34007_2.elf | String found in binary or memory: https://r.chanstring.com/s2.toml
Uses HTTPS
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 47156
Source: unknown | Network traffic detected: HTTP traffic on port 47156 -> 443

System Summary:

Sample contains strings that are potentially command strings
Source: Initial sample | Potential command found: pr Cs
Source: Initial sample | Potential command found: id
Source: Initial sample | Potential command found: nl nl
Source: Initial sample | Potential command found: X mX`a
Source: Initial sample | Potential command found: gs
Source: Initial sample | Potential command found: open
Source: Initial sample | Potential command found: red hat
Source: Initial sample | Potential command found: as type
Source: Initial sample | Potential command found: from signal %v
Source: Initial sample | Potential command found: file exists
Source: Initial sample | Potential command found: file too large
Source: Initial sample | Potential command found: host is down
Source: Initial sample | Potential command found: host key
Source: Initial sample | Potential command found: status code
Source: Initial sample | Potential command found: stop signal:
Source: Initial sample | Potential command found: write error: %v
Source: Initial sample | Potential command found: curl -fsSL %s?ssh | sh
Source: Initial sample | Potential command found: file already exists
Source: Initial sample | Potential command found: file does not exist
Source: Initial sample | Potential command found: file name too long
Source: Initial sample | Potential command found: free list corrupted
Source: Initial sample | Potential command found: line %d: %v.%s: %v
Source: Initial sample | Potential command found: link has been severed
Source: Initial sample | Potential command found: write of Go pointer
Source: Initial sample | Potential command found: write on closed buffer
Source: Initial sample | Potential command found: file descriptor in bad state
Source: Initial sample | Potential command found: file size limit exceeded
Source: Initial sample | Potential command found: link number out of range
Source: Initial sample | Potential command found: stream error: stream ID %d; %v
Source: Initial sample | Potential command found: write on full fixedBuffer
Source: Initial sample | Potential command found: systemctl restart %s.service: %#v
Source: Initial sample | Potential command found: timeout waiting for client preface
Source: Initial sample | Potential command found: timeout waiting for SETTINGS frames from %v
Source: Initial sample | Potential command found: line %d: `%v.%s' must be slice type, but %v given
Source: Initial sample | Potential command found: line %d: `%v.%s' must be struct or map, but %v given
Source: Initial sample | Potential command found: line %d: field corresponding to `%s' is not defined in `%T'
Source: Initial sample | Potential command found: kill signal INT
Source: Initial sample | Potential command found: start on filesystem or runlevel [2345]
Source: Initial sample | Potential command found: stop on runlevel [!2345]
Source: Initial sample | Potential command found: test -x {{.Path}} || { stop; exit 0; }
Source: Initial sample | Potential command found: cat "$pid_file"
Source: Initial sample | Potential command found: echo "Already started"
Source: Initial sample | Potential command found: echo "Starting $name"
Source: Initial sample | Potential command found: echo $! > "$pid_file"
Source: Initial sample | Potential command found: echo "Unable to start, see $stdout_log and $stderr_log"
Source: Initial sample | Potential command found: echo -n "Stopping $name.."
Source: Initial sample | Potential command found: kill $(get_pid)
Source: Initial sample | Potential command found: echo -n "."
Source: Initial sample | Potential command found: sleep 1
Source: Initial sample | Potential command found: echo "Not stopped; may still be shutting down or shutdown may have failed"
Source: Initial sample | Potential command found: echo "Stopped"
Source: Initial sample | Potential command found: rm "$pid_file"
Source: Initial sample | Potential command found: echo "Not running"
Source: Initial sample | Potential command found: echo "Unable to stop, will not attempt to start"
Source: Initial sample | Potential command found: echo "Running"
Source: Initial sample | Potential command found: echo "Stopped"
Source: Initial sample | Potential command found: echo "Usage: $0 {start|stop|restart|status}"
Source: Initial sample | Potential command found: X !q A
Sample has stripped symbol table
Source: ELF static info symbol of initial sample | .symtab present: no
Classification label
Source: classification engine | Classification label: unknown1.linELF@0/0@0/0

Malware Analysis System Evasion:

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: 86ac68e5b09d1c4b157193bb6cb34007_2.elf | Binary or memory string: QEMU Virtual CPU
Source: 86ac68e5b09d1c4b157193bb6cb34007_2.elf | Binary or memory string: traceskiptrailerstrailing datatransferReadertransferWritertransporttrieNodetriggerRatiotripleDESCiphertruncatetruncatedtruncatingMACtryAcquireSematryBacktracktryPutIdleConntryUpdatetryagaintypelinksuint64ValueuintValueunackedSettingsuncacheSpanunclosed actionuncommonuncommonTypeuncommontypeunderflowunexpected %sunexpected )unexpected EOFunexpected typeunexpectedunhandleduniQuoteunicode.Range16unicode.Range32unicode.dunicode/utf8unix-systemvunixgramunixpacketunknown Go typeunknown methodunknown mode: unknown node: unknown pcunknown portunknown versionunknownOptunknownTypeunmarshalunquotedValueunreachableunreachable: unsafe.Pointerunsupported: unusedsinceupdateBlocksurl.Errorurl.EscapeErrorurl.Userinfourl.Valuesurl.encodingurl.temporaryurl.timeouturlencodedurlqueryus-asciiuseNumberusedOldKeyuser canceleduser-agentuser.UseruserTimeusernamevalidSavevalidateTypevalidityvalue for value method valueInterfacevalueQuotedvaluesizevarValuevariablevboxguestvd_flagsvd_versionvdso_infover_hashverifiedChainsverifyDataversion
Source: 86ac68e5b09d1c4b157193bb6cb34007_2.elf | Binary or memory string: vboxguest
Source: 86ac68e5b09d1c4b157193bb6cb34007_2.elf | Binary or memory string: MACsClientServerMACsServerClientMAX_CONCURRENT_STREAMSMAX_HEADER_LIST_SIZEMB of spans; swept MSpanList_InsertMSpanList_InsertBackMSpanList_RemoveMSpan_Sweep: state=MaxConcurrentStreamsMaxHeaderListSizeMaxIdleConnsPerHostMaxReadFrameSizeMemoryInfoExStatMeroitic_CursiveMeroitic_HieroglyphsMethod Not AllowedMoved PermanentlyMultiple ChoicesNameToCertificateNegotiatedProtocolNetlinkRouteAttrNetlinkRouteRequestNo method specifiedNo space found in %qNoncharacter_Code_PointNumCtxSwitchesStatOPENSSH PRIVATE KEYObjectIdentifierOld_North_ArabianOld_South_ArabianOpenChannelErrorOrganizationalUnitOther_AlphabeticOther_Grapheme_ExtendOther_ID_ContinuePATCHLEVEL = ([\d]+)PKCS1v15DecryptOptionsParseMultipartFormPasswordCallbackPattern_White_SpacePayment RequiredPeerCertificatesPermittedDNSDomainsPolicyIdentifiersPreComputedGroupElementPrecomputedValuesPrecondition FailedPrecondition RequiredProjectiveGroupElementProxy-AuthorizationPublicKeyAlgorithmPublicKeyCallbackPublicSuffixListQEMU Virtual CPURFS specific errorRawSockadd


Runtime Messages

Command:/tmp/86ac68e5b09d1c4b157193bb6cb34007_2.elf
Exit Code:255
Exit Code Info:
Killed:False
Standard Output:
Standard Error:

Behavior Graph


Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
  • Internet
[Behavior graph image] Behavior Graph ID: 167253; Sample: 86ac68e5b09d1c4b157193bb6cb34007_2.elf; Start date: 25/08/2019; Architecture: LINUX; Score: 1; contacted IP: 91.189.92.19 (ports 443, 47156), ASN unknown, United Kingdom

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
91.189.92.19 | hostmc | Get hash | malicious | Browse |
91.189.92.19 | file.elf | Get hash | malicious | Browse |
91.189.92.19 | CKvfpSM1Au | Get hash | malicious | Browse |
91.189.92.19 | cmmyfa3 | Get hash | malicious | Browse |
91.189.92.19 | http://23.254.204.46/poo | Get hash | malicious | Browse |
91.189.92.19 | http://23.254.204.46/poo | Get hash | malicious | Browse |
91.189.92.19 | hmar6.jar | Get hash | malicious | Browse |
91.189.92.19 | khugepageds | Get hash | malicious | Browse |
91.189.92.19 | bwmckudohs | Get hash | malicious | Browse |
91.189.92.19 | 23c98d48062eac1b5cce1e7294dba92f24ad535e0b16abb40370f84552bf8a58 | Get hash | malicious | Browse |
91.189.92.19 | e1subAxOoZ.elf | Get hash | malicious | Browse |
91.189.92.19 | sample23 | Get hash | malicious | Browse |
91.189.92.19 | http://178.62.117.21/bash | Get hash | malicious | Browse |
91.189.92.19 | http://178.128.161.173/lmaoWTF/loligang.x86 | Get hash | malicious | Browse |
91.189.92.19 | genesis.bin | Get hash | malicious | Browse |
91.189.92.19 | seasame | Get hash | malicious | Browse |
91.189.92.19 | apache2 | Get hash | malicious | Browse |
91.189.92.19 | test7777 | Get hash | malicious | Browse |
91.189.92.19 | sshd | Get hash | malicious | Browse |
91.189.92.19 | payload | Get hash | malicious | Browse |

Domains

No context

ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
unknown | request.doc | Get hash | malicious | Browse | 192.168.0.44
unknown | FERK444259.doc | Get hash | malicious | Browse | 192.168.0.44
unknown | b392e93a5753601db564e6f2dc6a945aac3861bc31e2c1e5e7f3cd4e5bb150a4.js | Get hash | malicious | Browse | 192.168.0.40
unknown | Setup.exe | Get hash | malicious | Browse | 192.168.0.40
unknown | base64.pdf | Get hash | malicious | Browse | 192.168.0.40
unknown | file.pdf | Get hash | malicious | Browse | 192.168.0.40
unknown | Spread sheet 2.pdf | Get hash | malicious | Browse | 192.168.0.40
unknown | request_08.30.doc | Get hash | malicious | Browse | 192.168.0.44
unknown | P_2038402.xlsx | Get hash | malicious | Browse | 192.168.0.44
unknown | 48b1cf747a678641566cd1778777ca72.apk | Get hash | malicious | Browse | 192.168.0.22
unknown | seu nome na lista de favorecidos.exe | Get hash | malicious | Browse | 192.168.0.40
unknown | Adm_Boleto.via2.com | Get hash | malicious | Browse | 192.168.0.40
unknown | QuitacaoVotorantim345309.exe | Get hash | malicious | Browse | 192.168.0.40
unknown | pptxb.pdf | Get hash | malicious | Browse | 192.168.0.40

JA3 Fingerprints

No context

Dropped Files

No context

Antivirus and Machine Learning Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label | Link
https://r.chanstring.com/s2.toml | 1% | virustotal | | Browse
https://r.chanstring.com/s2.toml | 0% | Avira URL Cloud | safe |

Created / dropped Files

No created / dropped files found

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://r.chanstring.com/s2.toml | 86ac68e5b09d1c4b157193bb6cb34007_2.elf | false | 1%, virustotal, Browse; Avira URL Cloud: safe | unknown

Contacted IPs

Legend:
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Public

IP | Country | Flag | ASN | ASN Name | Malicious
91.189.92.19 | United Kingdom | | 41231 | unknown | false

Static File Info

General

File type:ELF 64-bit LSB no file type, x86-64, version 1 (SYSV)
Entropy (8bit):5.406045885724864
TrID:
  • ELF Executable and Linkable format (Linux) (4029/14) 41.99%
  • ELF Executable and Linkable format (generic) (4004/1) 41.73%
  • Java Script embedded in Visual Basic Script (1500/0) 15.63%
  • Lumena CEL bitmap (63/63) 0.66%
File name:86ac68e5b09d1c4b157193bb6cb34007_2.elf
File size:8444416
MD5:a244f6a12d1395cd3bfb289caaa530b6
SHA1:1bc627b5604f1d1d8b025f3de7b33ab9e222a8f5
SHA256:cfa1e32efbf31177041f40123de108038103d62169965bbee88cc8c79b652a81
SHA512:4973cd1f02e12189b4f43ce5c107b4e1c17082f8f9f4825da79397bf9d7b0c7b6c3db3e32cf87ed3792731e11a298ca7f1d4b21e314049e5c8554b8c64046ab3
SSDEEP:49152:oGf55fLRUSdu/W6cKWz//NVy+PDpfsevq+WxuUxa4PSj0Aep0502ra0fcSQYDan2:zhbNbd4y8NMlckscDFQncJRqNpfx+
File Content Preview:.ELF..............>.......F.....@...................@.8...@.............@.......@.@.....@.@.....P.......P.................................@.......@.....PM=.....PM=......................P=......P}......P}.....a.@.....a.@.......................~............

Static ELF Info

ELF header

Class:ELF64
Data:2's complement, little endian
Version:1 (current)
Machine:Advanced Micro Devices X86-64
Version Number:0x1
Type:NONE (None)
OS/ABI:UNIX - System V
ABI Version:0
Entry Point Address:0x460580
Flags:0x0
ELF Header Size:64
Program Header Offset:64
Program Header Size:56
Number of Program Headers:6
Section Header Offset:400
Section Header Size:64
Number of Section Headers:11
Header String Table Index:6

Sections

Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align
(none) | NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | | 0 | 0 | 0
.text | PROGBITS | 0x401000 | 0x1000 | 0x3d3d50 | 0x0 | 0x6 | AX | 0 | 0 | 16
.rodata | PROGBITS | 0x7d5000 | 0x3d5000 | 0x29de08 | 0x0 | 0x2 | A | 0 | 0 | 32
.typelink | PROGBITS | 0xa72e08 | 0x672e08 | 0xb040 | 0x0 | 0x2 | A | 0 | 0 | 8
.gosymtab | PROGBITS | 0xa7de48 | 0x67de48 | 0x0 | 0x0 | 0x2 | A | 0 | 0 | 1
.gopclntab | PROGBITS | 0xa7de60 | 0x67de60 | 0x162f93 | 0x0 | 0x2 | A | 0 | 0 | 32
.shstrtab | STRTAB | 0x0 | 0x7e0e00 | 0x61 | 0x0 | 0x0 | | 0 | 0 | 1
.noptrdata | PROGBITS | 0xbe1000 | 0x7e1000 | 0x237d4 | 0x0 | 0x3 | WA | 0 | 0 | 32
.data | PROGBITS | 0xc047e0 | 0x8047e0 | 0x9210 | 0x0 | 0x3 | WA | 0 | 0 | 32
.bss | NOBITS | 0xc0da00 | 0x80da00 | 0x1de38 | 0x0 | 0x3 | WA | 0 | 0 | 32
.noptrbss | NOBITS | 0xc2b840 | 0x82b840 | 0x63c0 | 0x0 | 0x3 | WA | 0 | 0 | 32

Program Segments

Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
PHDR | 0x40 | 0x400040 | 0x400040 | 0x150 | 0x150 | 0x4 | R | 0x1000 | |
LOAD | 0x0 | 0x400000 | 0x400000 | 0x3d4d50 | 0x3d4d50 | 0x5 | R E | 0x1000 | | .text
LOAD | 0x3d5000 | 0x7d5000 | 0x7d5000 | 0x40be61 | 0x40be61 | 0x4 | R | 0x1000 | | .rodata .typelink .gosymtab .gopclntab .shstrtab
LOAD | 0x7e1000 | 0xbe1000 | 0xbe1000 | 0x2ca00 | 0x50c00 | 0x6 | RW | 0x1000 | | .noptrdata .data .bss .noptrbss
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0x6 | RW | 0x8 | |
LOOS+5041580 | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0x2a00 | | 0x8 | |

Network Behavior

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 25, 2019 18:03:05.756939888 CEST | 47156 | 443 | 192.168.2.20 | 91.189.92.19
Aug 25, 2019 18:03:05.787523031 CEST | 443 | 47156 | 91.189.92.19 | 192.168.2.20
Aug 25, 2019 18:03:25.703845978 CEST | 443 | 47156 | 91.189.92.19 | 192.168.2.20
Aug 25, 2019 18:03:25.703887939 CEST | 443 | 47156 | 91.189.92.19 | 192.168.2.20
Aug 25, 2019 18:03:25.704391956 CEST | 47156 | 443 | 192.168.2.20 | 91.189.92.19
Aug 25, 2019 18:03:25.704560041 CEST | 47156 | 443 | 192.168.2.20 | 91.189.92.19
Aug 25, 2019 18:03:25.734472036 CEST | 443 | 47156 | 91.189.92.19 | 192.168.2.20
Aug 25, 2019 18:03:25.734507084 CEST | 443 | 47156 | 91.189.92.19 | 192.168.2.20

System Behavior