Analysis Report MGTyV3yLFW

Overview

General Information

Sample Name: MGTyV3yLFW
Analysis ID: 321442
MD5: 9a0e765eecc5433af3dc726206ecc56e
SHA1: 5996d02c142588b6c1ed850e461845458bd94d17
SHA256: 35ff79dd456fe3054a60fe0a16f38bf5fc3928e1e8439ca4d945573f8c48c0b8

Detection

Score: 68
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Creates hidden files and/or directories
Executes the "grep" command used to find patterns in files or piped streams
Executes the "mkdir" command used to create folders
Executes the "mktemp" command used to create a temporary unique file name
Executes the "rm" command used to delete files or directories
Executes the "sleep" command used to delay execution and potentially evade sandboxes
Sample contains symbols with suspicious names
Sample has stripped symbol table
Yara signature match

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: MGTyV3yLFW Avira: detected
Multi AV Scanner detection for submitted file
Source: MGTyV3yLFW Virustotal: Detection: 68%
Source: MGTyV3yLFW Metadefender: Detection: 67%
Source: MGTyV3yLFW ReversingLabs: Detection: 77%
Machine Learning detection for sample
Source: MGTyV3yLFW Joe Sandbox ML: detected

System Summary:

Malicious sample detected (through community Yara rule)
Source: MGTyV3yLFW, type: SAMPLE Matched rule: NetWiredRC Author: Jean-Philippe Teissier / @Jipe_
Sample contains symbols with suspicious names
Source: ELF static info symbol of initial sample Name: DecodeSQLitePayloadData
Source: ELF static info symbol of initial sample Name: GetChromiumPasswords
Source: ELF static info symbol of initial sample Name: GetGoogleChromePasswords
Source: ELF static info symbol of initial sample Name: GetMozillaProductPasswords
Source: ELF static info symbol of initial sample Name: GetPidginPasswords
Source: ELF static info symbol of initial sample Name: Password
Source: ELF static info symbol of initial sample Name: cpGetUsername
Sample has stripped symbol table
Source: ELF static info symbol of initial sample .symtab present: no
Yara signature match
Source: MGTyV3yLFW, type: SAMPLE Matched rule: NetWiredRC_B date = 2014-12-23, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = NetWiredRC, version = 1.1
Source: classification engine Classification label: mal68.lin@0/9@0/0

Persistence and Installation Behavior:

Creates hidden files and/or directories
Source: /bin/mkdir (PID: 3647) Directory: .cache
Source: /bin/mkdir (PID: 3648) Directory: .cache
Executes the "grep" command used to find patterns in files or piped streams
Source: /bin/egrep (PID: 3649) Grep executable: /bin/grep -> grep -E [^[:print:]] /home/user/.cache/logrotate/status
Executes the "mkdir" command used to create folders
Source: /sbin/resolvconf (PID: 3609) Mkdir executable: /bin/mkdir -> mkdir -p /run/resolvconf/interface
Source: /bin/dash (PID: 3647) Mkdir executable: /bin/mkdir -> mkdir -p /home/user/.cache/logrotate
Source: /bin/dash (PID: 3648) Mkdir executable: /bin/mkdir -> mkdir -p /home/user/.cache/upstart
Executes the "mktemp" command used to create a temporary unique file name
Source: /bin/dash (PID: 3651) Mktemp executable: /bin/mktemp -> mktemp
Executes the "rm" command used to delete files or directories
Source: /bin/dash (PID: 3784) Rm executable: /bin/rm -> rm -f /tmp/tmp.s1YjGIpgkp

Malware Analysis System Evasion:

Executes the "sleep" command used to delay execution and potentially evade sandboxes
Source: /bin/dash (PID: 3192) Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3223) Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3248) Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3279) Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3307) Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3332) Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3370) Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3402) Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3427) Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3455) Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3487) Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3528) Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3543) Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3585) Sleep executable: /bin/sleep -> sleep 1

No Screenshots

No contacted IP information