Analysis Report 86ac68e5b09d1c4b157193bb6cb34007_3.elf

Overview

General Information

Joe Sandbox Version: 26.0.0 Aquamarine
Analysis ID: 167257
Start date: 25.08.2019
Start time: 18:16:28
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 3m 46s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 86ac68e5b09d1c4b157193bb6cb34007_3.elf
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 59.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
Detection: CLEAN
Classification: clean2.linELF@0/0@0/0

Detection

StrategyScoreRangeReportingWhitelistedDetection
Threshold20 - 100falseclean

Classification

Analysis Advice

A non-zero exit code suggests an error during execution. Look up the error code for hints.

Mitre Att&ck Matrix

Techniques listed per tactic; a number in parentheses is the count shown in the matrix cell.

Initial Access: Valid Accounts; Replication Through Removable Media; Drive-by Compromise
Execution: Command-Line Interface (1); Service Execution; Windows Management Instrumentation
Persistence: Hidden Files and Directories (1); Port Monitors; Accessibility Features
Privilege Escalation: Port Monitors; Accessibility Features; Path Interception
Defense Evasion: Hidden Files and Directories (1); Binary Padding; Rootkit
Credential Access: Credential Dumping; Network Sniffing; Input Capture
Discovery: Security Software Discovery (11); Application Window Discovery; Query Registry
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Exfiltration: Data Encrypted (1); Exfiltration Over Other Network Medium; Automated Exfiltration
Command and Control: Standard Cryptographic Protocol (1); Standard Non-Application Layer Protocol (1); Standard Application Layer Protocol (1)

Signature Overview

Networking:

Connects to IPs without corresponding DNS lookups
Source: unknown; TCP traffic detected without corresponding DNS query: 91.189.92.20 (reported 4 times)
Urls found in memory or binary data
Source: 86ac68e5b09d1c4b157193bb6cb34007_3.elf; String found in binary or memory: https://r.chanstring.com/s2.toml
Uses HTTPS
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 51880
Source: unknown; Network traffic detected: HTTP traffic on port 51880 -> 443

System Summary:

Sample contains strings that are potentially command strings
Source: Initial sample; potential commands found:

  • pr Cs
  • id
  • nl nl
  • X mX`a
  • gs
  • open
  • red hat
  • as type
  • from signal %v
  • file exists
  • file too large
  • host is down
  • host key
  • status code
  • stop signal:
  • write error: %v
  • curl -fsSL %s?ssh | sh
  • file already exists
  • file does not exist
  • file name too long
  • free list corrupted
  • line %d: %v.%s: %v
  • link has been severed
  • write of Go pointer
  • write on closed buffer
  • file descriptor in bad state
  • file size limit exceeded
  • link number out of range
  • stream error: stream ID %d; %v
  • write on full fixedBuffer
  • systemctl restart %s.service: %#v
  • timeout waiting for client preface
  • timeout waiting for SETTINGS frames from %v
  • line %d: `%v.%s' must be slice type, but %v given
  • line %d: `%v.%s' must be struct or map, but %v given
  • line %d: field corresponding to `%s' is not defined in `%T'
  • kill signal INT
  • start on filesystem or runlevel [2345]
  • stop on runlevel [!2345]
  • test -x {{.Path}} || { stop; exit 0; }
  • cat "$pid_file"
  • echo "Already started"
  • echo "Starting $name"
  • echo $! > "$pid_file"
  • echo "Unable to start, see $stdout_log and $stderr_log"
  • echo -n "Stopping $name.."
  • kill $(get_pid)
  • echo -n "."
  • sleep 1
  • echo "Not stopped; may still be shutting down or shutdown may have failed"
  • echo "Stopped"
  • rm "$pid_file"
  • echo "Not running"
  • echo "Unable to stop, will not attempt to start"
  • echo "Running"
  • echo "Stopped"
  • echo "Usage: $0 {start|stop|restart|status}"
  • X !q A

Classification label
Source: classification engine; Classification label: clean2.linELF@0/0@0/0

Persistence and Installation Behavior:

Creates hidden files and/or directories
Source: /usr/bin/exo-open (PID: 20835); Directory: /home/user/.cache

Malware Analysis System Evasion:

Uses the "uname" system call to query kernel version information (possible evasion)
Source: /usr/bin/exo-open (PID: 20835); Queries kernel information via 'uname'
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: 86ac68e5b09d1c4b157193bb6cb34007_3.elf; Binary or memory string: QEMU Virtual CPU
Source: 86ac68e5b09d1c4b157193bb6cb34007_3.elf; Binary or memory string: vboxguest


Runtime Messages

Command: xdg-open "/tmp/86ac68e5b09d1c4b157193bb6cb34007_3.elf"
Exit Code: 4
Exit Code Info:
Killed: False
Standard Output:
Standard Error:

Behavior Graph

Behavior Graph ID: 167257
Sample: 86ac68e5b09d1c4b157193bb6cb...
Start date: 25/08/2019
Architecture: LINUX
Score: 2
Graph content: the sample node connects to 91.189.92.20 (ports 443, 51880; ASN unknown, United Kingdom) and starts the process exo-open.

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Joe Sandbox View / Context

IPs

Match: 91.189.92.20. Associated samples / URLs (all with detection "malicious"):

  • Z5ackctdAL.bin
  • qweqwe
  • 3aj8Wem5LH.elf
  • http://51.75.35.174/all/all.sh
  • http://173.208.186.54/w.txt
  • FAWcb99yKF
  • zertumamkb
  • 1BfrH2cB3o.dms
  • ebola (1)
  • loliv4.m68k
  • fmkbgkdgfu
  • http://51.75.35.174/all/ntpdd.*
  • gnome-shell-ext
  • http://185.164.72.155/richard
  • http://185.244.25.145/love/ai.x86
  • 625900
  • YTsvq2hd30.elf
  • PYHzF82kia
  • Bewerbungsunterlagen_63436181.doc

Domains

No context

ASN

Match | Associated Sample Name / URL | Detection | Context
unknown | request.doc | malicious | 192.168.0.44
unknown | FERK444259.doc | malicious | 192.168.0.44
unknown | b392e93a5753601db564e6f2dc6a945aac3861bc31e2c1e5e7f3cd4e5bb150a4.js | malicious | 192.168.0.40
unknown | Setup.exe | malicious | 192.168.0.40
unknown | base64.pdf | malicious | 192.168.0.40
unknown | file.pdf | malicious | 192.168.0.40
unknown | Spread sheet 2.pdf | malicious | 192.168.0.40
unknown | request_08.30.doc | malicious | 192.168.0.44
unknown | P_2038402.xlsx | malicious | 192.168.0.44
unknown | 48b1cf747a678641566cd1778777ca72.apk | malicious | 192.168.0.22
unknown | seu nome na lista de favorecidos.exe | malicious | 192.168.0.40
unknown | Adm_Boleto.via2.com | malicious | 192.168.0.40
unknown | QuitacaoVotorantim345309.exe | malicious | 192.168.0.40
unknown | pptxb.pdf | malicious | 192.168.0.40

JA3 Fingerprints

No context

Dropped Files

No context

Antivirus and Machine Learning Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
https://r.chanstring.com/s2.toml | 1% | virustotal |
https://r.chanstring.com/s2.toml | 0% | Avira URL Cloud | safe

Startup

  • system is lnxubuntu1
  • exo-open (PID: 20835, Parent: 20760, MD5: 39c5fa78f1cb3d950b9944f784018d3a) Arguments: exo-open /tmp/86ac68e5b09d1c4b157193bb6cb34007_3.elf
  • cleanup

Created / dropped Files

No created / dropped files found

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://r.chanstring.com/s2.toml | 86ac68e5b09d1c4b157193bb6cb34007_3.elf | false | 1% (virustotal); Avira URL Cloud: safe | unknown

Contacted IPs

Public

IP | Country | ASN | ASN Name | Malicious
91.189.92.20 | United Kingdom | 41231 | unknown | false

Static File Info

General

File type: data
Entropy (8bit): 5.406046805446988
TrID:
  • Java Script embedded in Visual Basic Script (1500/0) 95.97%
  • Lumena CEL bitmap (63/63) 4.03%
File name: 86ac68e5b09d1c4b157193bb6cb34007_3.elf
File size: 8444416
MD5: 0f951897a7e15d0fb59a869fa8b4ef68
SHA1: f902904df120ab1f53979a56a68f2b2c7ac3ee2e
SHA256: 92eba8af5ad7b0f6564c1b56b7cc23cbe0011eeeca348df5b46d47324f3a9938
SHA512: 4b5d70bae55702c914551a3ca25131f713f2842ee1f1a0b02c543c71ece9e1e05a21a2d1fa3612b656c3bf8bc0523832f4036998fa9489ecca46b09c0c89fff8
SSDEEP: 49152:iGf55fLRUSdu/W6cKWz//NVy+PDpfsevq+WxuUxa4PSj0Aep0502ra0fcSQYDan2:VhbNbd4y8NMlckscDFQncJRqNpfx+
File Content Preview: .MZ...............>.......F.....@...................@.8...@.............@.......@.@.....@.@.....P.......P.................................@.......@.....PM=.....PM=......................P=......P}......P}.....a.@.....a.@.......................~............

Network Behavior

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 25, 2019 18:17:54.513784885 CEST | 51880 | 443 | 192.168.2.20 | 91.189.92.20
Aug 25, 2019 18:17:54.543818951 CEST | 443 | 51880 | 91.189.92.20 | 192.168.2.20
Aug 25, 2019 18:18:14.441250086 CEST | 443 | 51880 | 91.189.92.20 | 192.168.2.20
Aug 25, 2019 18:18:14.441288948 CEST | 443 | 51880 | 91.189.92.20 | 192.168.2.20
Aug 25, 2019 18:18:14.441495895 CEST | 51880 | 443 | 192.168.2.20 | 91.189.92.20
Aug 25, 2019 18:18:14.441783905 CEST | 51880 | 443 | 192.168.2.20 | 91.189.92.20
Aug 25, 2019 18:18:14.441975117 CEST | 51880 | 443 | 192.168.2.20 | 91.189.92.20
Aug 25, 2019 18:18:14.471760988 CEST | 443 | 51880 | 91.189.92.20 | 192.168.2.20
Aug 25, 2019 18:18:14.471848965 CEST | 443 | 51880 | 91.189.92.20 | 192.168.2.20

System Behavior

General

Start time: 18:17:36
Start date: 25/08/2019
Path: /usr/bin/exo-open
Arguments: exo-open /tmp/86ac68e5b09d1c4b157193bb6cb34007_3.elf
File size: 22856 bytes
MD5 hash: 39c5fa78f1cb3d950b9944f784018d3a