Analysis Report bin.sh.2

Overview

General Information

Sample Name: bin.sh.2
Analysis ID: 321472
MD5: a73ddd6ec22462db955439f665cad4e6
SHA1: ac6962542a4b23ac13bddff22f8df9aeb702ef12
SHA256: b5cf68c7cb5bb2d21d60bf6654926f61566d95bfd7c9f9e182d032f1da5b4605

Detection

Score: 60
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Sample is packed with UPX
Creates hidden files and/or directories
Executes the "grep" command used to find patterns in files or piped streams
Executes the "mkdir" command used to create folders
Executes the "mktemp" command used to create a temporary unique file name
Executes the "rm" command used to delete files or directories
Executes the "sleep" command used to delay execution and potentially evade sandboxes
Sample contains only a LOAD segment without any section mappings
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: bin.sh.2 Avira: detected
Multi AV Scanner detection for submitted file
Source: bin.sh.2 Virustotal: Detection: 61%
Source: bin.sh.2 Metadefender: Detection: 15%
Source: bin.sh.2 ReversingLabs: Detection: 58%
Source: bin.sh.2 String found in binary or memory: http://upx.sf.net

System Summary:

Sample contains only a LOAD segment without any section mappings
Source: LOAD without section mappings Program segment: 0x400000
Yara signature match
Source: bin.sh.2, type: SAMPLE Matched rule: SUSP_ELF_LNX_UPX_Compressed_File date = 2018-12-12, author = Florian Roth, description = Detects a suspicious ELF binary with UPX compression, reference = Internal Research, score = 038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4
Source: classification engine Classification label: mal60.evad.lin2@0/11@0/0

Data Obfuscation:

Sample is packed with UPX
Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Id: UPX 3.95 Copyright (C) 1996-2018 the UPX Team. All Rights Reserved. $

Persistence and Installation Behavior:

Creates hidden files and/or directories
Source: /bin/mkdir (PID: 3734) Directory: .cache
Source: /bin/mkdir (PID: 3743) Directory: .cache
Executes the "grep" command used to find patterns in files or piped streams
Source: /bin/egrep (PID: 3744) Grep executable: /bin/grep -> grep -E [^[:print:]] /home/user/.cache/logrotate/status
Executes the "mkdir" command used to create folders
Source: /sbin/resolvconf (PID: 3695) Mkdir executable: /bin/mkdir -> mkdir -p /run/resolvconf/interface
Source: /bin/dash (PID: 3734) Mkdir executable: /bin/mkdir -> mkdir -p /home/user/.cache/logrotate
Source: /bin/dash (PID: 3743) Mkdir executable: /bin/mkdir -> mkdir -p /home/user/.cache/upstart
Executes the "mktemp" command used to create a temporary unique file name
Source: /bin/dash (PID: 3774) Mktemp executable: /bin/mktemp -> mktemp
Executes the "rm" command used to delete files or directories
Source: /bin/dash (PID: 3871) Rm executable: /bin/rm -> rm -f /tmp/tmp.Z3ICkFc8SF

Malware Analysis System Evasion:

Executes the "sleep" command used to delay execution and potentially evade sandboxes
Source: /bin/dash (PID: 3192) Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3223) Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3255) Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3276) Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3309) Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3345) Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3373) Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3402) Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3431) Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3457) Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3574) Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3615) Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3638) Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3666) Sleep executable: /bin/sleep -> sleep 1
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/bin.sh.2 (PID: 3475) Queries kernel information via 'uname':
Source: /usr/share/apport/apport-gtk (PID: 3519) Queries kernel information via 'uname':
Source: /usr/share/apport/apport-gtk (PID: 3546) Queries kernel information via 'uname':

No Screenshots

No contacted IP infos