
Analysis Report testfile

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 202039
Start date: 20.01.2020
Start time: 02:32:23
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 29s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: testfile
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 59.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
Detection: MAL
Classification: mal56.lin@0/2@0/0

Detection

Strategy | Score | Range | Reporting | Whitelisted | Detection
Threshold | 56 | 0 - 100 | - | false | malicious

Classification

Analysis Advice

Startup suggests that the sample was not correctly executed, possibly due to a missing shebang line.

Mitre Att&ck Matrix

Techniques are listed per tactic; a trailing count in parentheses marks a technique matched by this analysis.

Initial Access: Valid Accounts; Replication Through Removable Media
Execution: Command-Line Interface (1); Service Execution
Persistence: Hidden Files and Directories (1); Port Monitors
Privilege Escalation: Port Monitors; Accessibility Features
Defense Evasion: Hidden Files and Directories (1); Binary Padding
Credential Access: Credential Dumping; Network Sniffing
Discovery: Security Software Discovery (1); Application Window Discovery
Lateral Movement: Application Deployment Software; Remote Services
Collection: Data from Local System; Data from Removable Media
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium
Command and Control: Standard Cryptographic Protocol (1); Standard Application Layer Protocol (1)
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization
Impact: Modify System Partition; Device Lockout

Signature Overview

AV Detection:

Antivirus detection for sample
Source: testfile; Avira: detection malicious, Label: PERL/Shellbot.B.4
Multi AV Scanner detection for submitted file
Source: testfile; Virustotal: Detection: 52%

Networking:

Connects to IPs without corresponding DNS lookups
Source: unknown; TCP traffic detected without corresponding DNS query: 91.189.92.20 (reported four times)
Urls found in memory or binary data
Source: recently-used.xbel.3SILE0.28.dr; String found in binary or memory: http://freedesktop.org
Source: recently-used.xbel.3SILE0.28.dr; String found in binary or memory: http://www.freedesktop.org/standards/desktop-bookmarks
Source: recently-used.xbel.3SILE0.28.dr; String found in binary or memory: http://www.freedesktop.org/standards/shared-mime-info
Source: testfile; String found in binary or memory: http://www.minpop.com/sk12pack/idents.php
Source: testfile; String found in binary or memory: http://www.minpop.com/sk12pack/names.php
Uses HTTPS
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 51880
Source: unknown; Network traffic detected: HTTP traffic on port 51880 -> 443

System Summary:

Sample contains strings that are potentially command strings
Source: Initial sample; Potential command found: grep {(lc($_) eq "http_proxy") && ($proxy = $ENV{$_})} keys %ENV;
Source: Initial sample; Potential command found: print $sock $request;
Source: Initial sample; Potential command found: print $socket "$_[1]\n";
Source: Initial sample; Potential command found: print $IRC_cur_socket "$_[0]\n";
Source: Initial sample; Potential command found: sleep 2;
Source: Initial sample; Potential command found: sleep int(rand($2));
Source: Initial sample; Potential command found: sleep $sleep;
Source: Initial sample; Potential command found: last if $cur_time >= $ftime; (reported three times)
Source: Initial sample; Potential command found: print FILE "$msg" if ($cur_byte <= $bytes);
Source: Initial sample; Potential command found: print $fh "$packbyte";
Source: Initial sample; Potential command found: print $send "$fbytes";
Source: Initial sample; Potential command found: print $fh "$send_bytes";
Classification label
Source: classification engine; Classification label: mal56.lin@0/2@0/0

Persistence and Installation Behavior:

Creates hidden files and/or directories
Source: /usr/bin/exo-open (PID: 20837); Directory: /home/user/.cache
Source: /usr/bin/gedit (PID: 20850); Directory: /home/user/.cache

Malware Analysis System Evasion:

Uses the "uname" system call to query kernel version information (possible evasion)
Source: /usr/bin/exo-open (PID: 20837); Queries kernel information via 'uname'
Source: /usr/bin/dbus-launch (PID: 20840); Queries kernel information via 'uname'
Source: /usr/bin/gedit (PID: 20850); Queries kernel information via 'uname'
Source: /usr/bin/dbus-launch (PID: 20894); Queries kernel information via 'uname'

Malware Configuration

No configs have been found


Runtime Messages

Command: xdg-open "/tmp/testfile"
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:
Standard Error: (gedit:20850): IBUS-WARNING **: The owner of /home/user/.config/ibus/bus is not root!

Behavior Graph

Behavior Graph ID: 202039; Sample: testfile; Start date: 20/01/2020; Architecture: LINUX; Score: 56.
Graph nodes (image not included): 91.189.92.20 (ports 443, 51880; unknown; United Kingdom); signatures: Antivirus detection for sample, Multi AV Scanner detection for submitted file; processes: exo-open started exo-open and dbus-launch, exo-open started gedit, gedit started dbus-launch.

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

Match: 91.189.92.20
Associated samples / URLs (all detected as malicious): test.sh, X23, krCv5DbZqt, ZgZPdJQzw1, Webmin_CVE-2019-15107.txt, pygo, http://185.164.72.155/richard, gnome-shell-ext, Bewerbungsunterlagen_63436181.doc, ebola (1), PYHzF82kia, 3aj8Wem5LH.elf, YTsvq2hd30.elf, 1BfrH2cB3o.dms, qweqwe, Z5ackctdAL.bin, 625900, http://51.75.35.174/all/ntpdd.*, zertumamkb, fmkbgkdgfu

Domains

No context

ASN

Match: unknown
Associated samples / URLs (all detected as malicious), each with the IP it contacted in this ASN:
Launcher.apk: 216.58.201.99
http://5.45.79.15/input/?mark=20200116-wentontravel.com/cuz&tpl=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&engkey=delonghi%20portafilter%20size: 185.211.246.22
http://5.45.79.15/input/?mark=20200116-wentontravel.com/cuz&tpl=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&engkey=delonghi portafilter size: 185.211.246.22
Project2.doc: 51.15.6.128
https://top4top.io/downloadf-11687unj01-rar.html: 54.38.152.27
http://www.ltyuye.com/wp-admin/rrktd1y-1v-75/: 23.235.217.105
http://txfc58.com/wordpress/m2utbn-3ft4c-07947/: 185.216.113.122
instructions 01 18 2020.doc: 23.235.217.105
instructions 01 18 2020.doc: 217.160.5.123
PO987889-JAN-20-20-Order_Quote,pdf.exe: 172.217.23.193
koadic_test_online_9997_rundll.vbs: 79.137.36.9
http://www.searchnewtabs.com/download: 52.206.61.22
http://91.92.66.124/..j/: 91.92.66.124
https://gcc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsway.office.com%2FUN0jHy70XUb7BIXa%3Fref%3DLink&data=02%7C01%7Cjh.jackson%40trade.gov%7Cc3e4a0c456a7407e91f408d79a641704%7Ca1d183f26c7b4d9ab9945f2f31b3f780%7C1%7C1%7C637147626986386689&sdata=AhWGM0VN8KygMfO7X6%2FHVaDVvk7tiKzPkuCoZ%2FooVfs%3D&reserved=0: 209.197.3.24
http://95.179.163.186: 95.179.163.186
https://perfecttux.com: 147.75.84.39
INVOICE FAF3766_778982019.doc: 185.216.113.122
INVOICE FAF3766_778982019.doc: 217.160.5.123
FileZilla_3.46.3_win64_sponsored-setup.exe: 5.62.44.224
Learn Python the Hard Way, 3rd Edition.docx: 104.28.6.47

JA3 Fingerprints

No context

Dropped Files

No context

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
testfile | 53% | Virustotal | -
testfile | 100% | Avira | PERL/Shellbot.B.4

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://www.minpop.com/sk12pack/names.php | 0% | Virustotal | -
http://www.minpop.com/sk12pack/names.php | 0% | Avira URL Cloud | safe
http://www.minpop.com/sk12pack/idents.php | 1% | Virustotal | -
http://www.minpop.com/sk12pack/idents.php | 0% | Avira URL Cloud | safe

Screenshots

(Screenshot thumbnails are not included in this text version of the report.)

Startup

• system is lnxubuntu1
• exo-open (PID: 20837, Parent: 20760, MD5: 39c5fa78f1cb3d950b9944f784018d3a) Arguments: exo-open /tmp/testfile
  • exo-open New Fork (PID: 20840, Parent: 20837)
  • dbus-launch (PID: 20840, Parent: 20837, MD5: e4a469f27d130d783c21ce9c1c4456c3) Arguments: dbus-launch --autolaunch=f0b45546524a75b2e6e8e8a55aab94da --binary-syntax --close-stderr
  • exo-open New Fork (PID: 20849, Parent: 20837)
    • exo-open New Fork (PID: 20850, Parent: 20849)
    • gedit (PID: 20850, Parent: 20139, MD5: bb59b5b6a456aef6ae99894261836084) Arguments: gedit /tmp/testfile
      • gedit New Fork (PID: 20894, Parent: 20850)
      • dbus-launch (PID: 20894, Parent: 20850, MD5: e4a469f27d130d783c21ce9c1c4456c3) Arguments: dbus-launch --autolaunch=f0b45546524a75b2e6e8e8a55aab94da --binary-syntax --close-stderr
• cleanup

Created / dropped Files

/home/user/.cache/dconf/user
Process: /usr/bin/gedit
File Type: data
Size (bytes): 3
Entropy (8bit): 0.0
Encrypted: false
MD5: 693E9AF84D3DFCC71E640E005BDC5E2E
SHA1: 29E2DCFBB16F63BB0254DF7585A15BB6FB5E927D
SHA-256: 709E80C88487A2411E1EE4DFB9F22A861492D20C4765150C0C794ABD70F8147C
SHA-512: 6D518F8B31D1882FEACE10A9215F5D8CF5AFE037652A1D11D9C1408D988C2A4F71A5EDFC85D0712FA3F4E21B2C0A244C8C0D333BAB454311E24067D2A83E5E59
Malicious: false
Reputation: moderate, very likely benign file
Preview: ...

/home/user/.local/share/recently-used.xbel.3SILE0
Process: /usr/bin/gedit
File Type: XML 1.0 document, ASCII text
Size (bytes): 790
Entropy (8bit): 4.9409419466521225
Encrypted: false
MD5: E6F22D193889C9031EFA9EEC1A9BA63D
SHA1: 3086C46B1010E42FBC93C5FC932420D5DB0AF57E
SHA-256: 0D5F5A46598ED55128AD67D64133DC70C8DBB5114D5E34CD745D965ABD89B4BC
SHA-512: CD7189D0134F868F50E0476FCDBB2B5EBBACC6EB46C4FA3B4546A0CA669A8745F12D1BB89974B118B62C19C2DE67A37E03EB263F0ECC5CCC4F59865E5168DA8B
Malicious: false
Reputation: low
Preview: <?xml version="1.0" encoding="UTF-8"?>.<xbel version="1.0". xmlns:bookmark="http://www.freedesktop.org/standards/desktop-bookmarks". xmlns:mime="http://www.freedesktop.org/standards/shared-mime-info".>. <bookmark href="file:///tmp/testfile" added="2020-01-20T02:33:22Z" modified="2020-01-20T02:33:22Z" visited="2020-01-20T02:33:22.408190Z">. <info>. <metadata owner="http://freedesktop.org">. <mime:mime-type type="text/plain"/>. <bookmark:groups>. <bookmark:group>gedit</bookmark:group>. </bookmark:groups>. <bookmark:applications>. <bookmark:application name="gedit" exec="&apos;gedit %u&apos;" modified="2020-01-20T02:33:22Z" count="1"/>. </bookmark:applications>. </metadata>. </info>. </bookmark>.</xbel>

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.freedesktop.org/standards/desktop-bookmarks | recently-used.xbel.3SILE0.28.dr | false | - | high
http://www.minpop.com/sk12pack/names.php | testfile | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://www.freedesktop.org/standards/shared-mime-info | recently-used.xbel.3SILE0.28.dr | false | - | high
http://freedesktop.org | recently-used.xbel.3SILE0.28.dr | false | - | high
http://www.minpop.com/sk12pack/idents.php | testfile | false | 1%, Virustotal; Avira URL Cloud: safe | unknown

Contacted IPs

Public

IP | Country | ASN | ASN Name | Malicious
91.189.92.20 | United Kingdom | 41231 | unknown | false

Static File Info

General

File type: ASCII text
Entropy (8bit): 4.9003864618581465
TrID:
File name: testfile
File size: 26030
MD5: 4edcfaad2b55ace99e210611637912ea
SHA1: dc06cc0d265c61221c15ca2188e8d1c25f32c4d6
SHA256: 8651cdfa07da5b01b82f04d145de85be08ed981c99f5a39e91e7fe0fca0d9d7b
SHA512: fcc1cbf116e17cc381c6b632c8c0256c18454c7641f91e1d8b35ec1b43a62aadb2dee9630f264d45a6cb433d9198b1cd78ca7de3248668a7534bab7357721e71
SSDEEP: 384:nsJDke4XR2it6Mlr8JZNPWtabfy4y+kZGv3lT:nsJ4e4XR2it5lr8JzWtjQkwv3J
File Content Preview: .my $processo = 'rsync';..$servidor='45.9.148.125' unless $servidor;.my $porta='443';.my @canais=("#007");.my @adms=("A","X");.my @auth=("localhost");..my $linas_max=6;.my $sleep=3;..my $nick = getnick();.my $ircname = getnick();.my $realname = (`uname -a

Network Behavior

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 20, 2020 02:33:50.243177891 CET | 51880 | 443 | 192.168.2.20 | 91.189.92.20
Jan 20, 2020 02:33:50.274295092 CET | 443 | 51880 | 91.189.92.20 | 192.168.2.20
Jan 20, 2020 02:34:10.194808006 CET | 443 | 51880 | 91.189.92.20 | 192.168.2.20
Jan 20, 2020 02:34:10.194983959 CET | 443 | 51880 | 91.189.92.20 | 192.168.2.20
Jan 20, 2020 02:34:10.195031881 CET | 51880 | 443 | 192.168.2.20 | 91.189.92.20
Jan 20, 2020 02:34:10.195334911 CET | 51880 | 443 | 192.168.2.20 | 91.189.92.20
Jan 20, 2020 02:34:10.195590019 CET | 51880 | 443 | 192.168.2.20 | 91.189.92.20
Jan 20, 2020 02:34:10.226983070 CET | 443 | 51880 | 91.189.92.20 | 192.168.2.20
Jan 20, 2020 02:34:10.227103949 CET | 443 | 51880 | 91.189.92.20 | 192.168.2.20

System Behavior