
Analysis Report bin.sh.2

Overview

General Information

Sample Name:bin.sh.2
Analysis ID:321472
MD5:a73ddd6ec22462db955439f665cad4e6
SHA1:ac6962542a4b23ac13bddff22f8df9aeb702ef12
SHA256:b5cf68c7cb5bb2d21d60bf6654926f61566d95bfd7c9f9e182d032f1da5b4605

Detection

Score:60
Range:0 - 100
Whitelisted:false

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Sample is packed with UPX
Creates hidden files and/or directories
Executes the "grep" command used to find patterns in files or piped streams
Executes the "mkdir" command used to create folders
Executes the "mktemp" command used to create a temporary unique file name
Executes the "rm" command used to delete files or directories
Executes the "sleep" command used to delay execution and potentially evade sandboxes
Sample contains only a LOAD segment without any section mappings
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

Startup

  • system is lnxubuntu1
  • dash New Fork (PID: 3190, Parent: 3189)
  • sed (PID: 3190, Parent: 3189, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -n "/^DNS=/ { s/^DNS=/nameserver /; p}" /run/systemd/netif/state /run/systemd/netif/leases/*
  • dash New Fork (PID: 3191, Parent: 3189)
  • sort (PID: 3191, Parent: 3189, MD5: fb4c334af5810c835b37ec2ec14a35bd) Arguments: sort -u
  • dash New Fork (PID: 3192, Parent: 2522)
  • sleep (PID: 3192, Parent: 2522, MD5: e9887f1d8cae3dc50b4cbac09435a162) Arguments: sleep 1
  • dash New Fork (PID: 3218, Parent: 3217)
  • sed (PID: 3218, Parent: 3217, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -n "/^DNS=/ { s/^DNS=/nameserver /; p}" /run/systemd/netif/state /run/systemd/netif/leases/*
  • dash New Fork (PID: 3219, Parent: 3217)
  • sort (PID: 3219, Parent: 3217, MD5: fb4c334af5810c835b37ec2ec14a35bd) Arguments: sort -u
  • dash New Fork (PID: 3223, Parent: 2522)
  • sleep (PID: 3223, Parent: 2522, MD5: e9887f1d8cae3dc50b4cbac09435a162) Arguments: sleep 1
  • dash New Fork (PID: 3246, Parent: 3245)
  • sed (PID: 3246, Parent: 3245, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -n "/^DNS=/ { s/^DNS=/nameserver /; p}" /run/systemd/netif/state /run/systemd/netif/leases/*
  • dash New Fork (PID: 3247, Parent: 3245)
  • sort (PID: 3247, Parent: 3245, MD5: fb4c334af5810c835b37ec2ec14a35bd) Arguments: sort -u
  • dash New Fork (PID: 3255, Parent: 2522)
  • sleep (PID: 3255, Parent: 2522, MD5: e9887f1d8cae3dc50b4cbac09435a162) Arguments: sleep 1
  • dash New Fork (PID: 3274, Parent: 3273)
  • sed (PID: 3274, Parent: 3273, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -n "/^DNS=/ { s/^DNS=/nameserver /; p}" /run/systemd/netif/state /run/systemd/netif/leases/*
  • dash New Fork (PID: 3275, Parent: 3273)
  • sort (PID: 3275, Parent: 3273, MD5: fb4c334af5810c835b37ec2ec14a35bd) Arguments: sort -u
  • dash New Fork (PID: 3276, Parent: 2522)
  • sleep (PID: 3276, Parent: 2522, MD5: e9887f1d8cae3dc50b4cbac09435a162) Arguments: sleep 1
  • dash New Fork (PID: 3302, Parent: 3301)
  • sed (PID: 3302, Parent: 3301, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -n "/^DNS=/ { s/^DNS=/nameserver /; p}" /run/systemd/netif/state /run/systemd/netif/leases/*
  • dash New Fork (PID: 3303, Parent: 3301)
  • sort (PID: 3303, Parent: 3301, MD5: fb4c334af5810c835b37ec2ec14a35bd) Arguments: sort -u
  • dash New Fork (PID: 3309, Parent: 2522)
  • sleep (PID: 3309, Parent: 2522, MD5: e9887f1d8cae3dc50b4cbac09435a162) Arguments: sleep 1
  • dash New Fork (PID: 3330, Parent: 3329)
  • sed (PID: 3330, Parent: 3329, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -n "/^DNS=/ { s/^DNS=/nameserver /; p}" /run/systemd/netif/state /run/systemd/netif/leases/*
  • dash New Fork (PID: 3331, Parent: 3329)
  • sort (PID: 3331, Parent: 3329, MD5: fb4c334af5810c835b37ec2ec14a35bd) Arguments: sort -u
  • dash New Fork (PID: 3345, Parent: 2522)
  • sleep (PID: 3345, Parent: 2522, MD5: e9887f1d8cae3dc50b4cbac09435a162) Arguments: sleep 1
  • dash New Fork (PID: 3358, Parent: 3357)
  • sed (PID: 3358, Parent: 3357, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -n "/^DNS=/ { s/^DNS=/nameserver /; p}" /run/systemd/netif/state /run/systemd/netif/leases/*
  • dash New Fork (PID: 3359, Parent: 3357)
  • sort (PID: 3359, Parent: 3357, MD5: fb4c334af5810c835b37ec2ec14a35bd) Arguments: sort -u
  • dash New Fork (PID: 3373, Parent: 2522)
  • sleep (PID: 3373, Parent: 2522, MD5: e9887f1d8cae3dc50b4cbac09435a162) Arguments: sleep 1
  • dash New Fork (PID: 3386, Parent: 3385)
  • sed (PID: 3386, Parent: 3385, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -n "/^DNS=/ { s/^DNS=/nameserver /; p}" /run/systemd/netif/state /run/systemd/netif/leases/*
  • dash New Fork (PID: 3387, Parent: 3385)
  • sort (PID: 3387, Parent: 3385, MD5: fb4c334af5810c835b37ec2ec14a35bd) Arguments: sort -u
  • dash New Fork (PID: 3402, Parent: 2522)
  • sleep (PID: 3402, Parent: 2522, MD5: e9887f1d8cae3dc50b4cbac09435a162) Arguments: sleep 1
  • dash New Fork (PID: 3414, Parent: 3413)
  • sed (PID: 3414, Parent: 3413, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -n "/^DNS=/ { s/^DNS=/nameserver /; p}" /run/systemd/netif/state /run/systemd/netif/leases/*
  • dash New Fork (PID: 3415, Parent: 3413)
  • sort (PID: 3415, Parent: 3413, MD5: fb4c334af5810c835b37ec2ec14a35bd) Arguments: sort -u
  • dash New Fork (PID: 3431, Parent: 2522)
  • sleep (PID: 3431, Parent: 2522, MD5: e9887f1d8cae3dc50b4cbac09435a162) Arguments: sleep 1
  • dash New Fork (PID: 3442, Parent: 3441)
  • sed (PID: 3442, Parent: 3441, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -n "/^DNS=/ { s/^DNS=/nameserver /; p}" /run/systemd/netif/state /run/systemd/netif/leases/*
  • dash New Fork (PID: 3443, Parent: 3441)
  • sort (PID: 3443, Parent: 3441, MD5: fb4c334af5810c835b37ec2ec14a35bd) Arguments: sort -u
  • dash New Fork (PID: 3457, Parent: 2522)
  • sleep (PID: 3457, Parent: 2522, MD5: e9887f1d8cae3dc50b4cbac09435a162) Arguments: sleep 1
  • bin.sh.2 (PID: 3475, Parent: 3132, MD5: a73ddd6ec22462db955439f665cad4e6) Arguments: /usr/bin/qemu-mips /tmp/bin.sh.2
  • upstart New Fork (PID: 3490, Parent: 2015)
  • sh (PID: 3490, Parent: 2015, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -e /proc/self/fd/9
    • sh New Fork (PID: 3492, Parent: 3490)
    • date (PID: 3492, Parent: 3490, MD5: 54903b613f9019bfca9f5d28a4fff34e) Arguments: date
    • sh New Fork (PID: 3500, Parent: 3490)
    • apport-checkreports (PID: 3500, Parent: 3490, MD5: 1a7d84ebc34df04e55ca3723541f48c9) Arguments: /usr/bin/python3 /usr/share/apport/apport-checkreports --system
  • upstart New Fork (PID: 3517, Parent: 2015)
  • sh (PID: 3517, Parent: 2015, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -e /proc/self/fd/9
    • sh New Fork (PID: 3518, Parent: 3517)
    • date (PID: 3518, Parent: 3517, MD5: 54903b613f9019bfca9f5d28a4fff34e) Arguments: date
    • sh New Fork (PID: 3519, Parent: 3517)
    • apport-gtk (PID: 3519, Parent: 3517, MD5: ec58a49a30ef6a29406a204f28cc7d87) Arguments: /usr/bin/python3 /usr/share/apport/apport-gtk
  • upstart New Fork (PID: 3544, Parent: 2015)
  • sh (PID: 3544, Parent: 2015, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -e /proc/self/fd/9
    • sh New Fork (PID: 3545, Parent: 3544)
    • date (PID: 3545, Parent: 3544, MD5: 54903b613f9019bfca9f5d28a4fff34e) Arguments: date
    • sh New Fork (PID: 3546, Parent: 3544)
    • apport-gtk (PID: 3546, Parent: 3544, MD5: ec58a49a30ef6a29406a204f28cc7d87) Arguments: /usr/bin/python3 /usr/share/apport/apport-gtk
  • dash New Fork (PID: 3572, Parent: 3571)
  • sed (PID: 3572, Parent: 3571, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -n "/^DNS=/ { s/^DNS=/nameserver /; p}" /run/systemd/netif/state /run/systemd/netif/leases/*
  • dash New Fork (PID: 3573, Parent: 3571)
  • sort (PID: 3573, Parent: 3571, MD5: fb4c334af5810c835b37ec2ec14a35bd) Arguments: sort -u
  • dash New Fork (PID: 3574, Parent: 2522)
  • sleep (PID: 3574, Parent: 2522, MD5: e9887f1d8cae3dc50b4cbac09435a162) Arguments: sleep 1
  • dash New Fork (PID: 3600, Parent: 3599)
  • sed (PID: 3600, Parent: 3599, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -n "/^DNS=/ { s/^DNS=/nameserver /; p}" /run/systemd/netif/state /run/systemd/netif/leases/*
  • dash New Fork (PID: 3601, Parent: 3599)
  • sort (PID: 3601, Parent: 3599, MD5: fb4c334af5810c835b37ec2ec14a35bd) Arguments: sort -u
  • dash New Fork (PID: 3615, Parent: 2522)
  • sleep (PID: 3615, Parent: 2522, MD5: e9887f1d8cae3dc50b4cbac09435a162) Arguments: sleep 1
  • dash New Fork (PID: 3628, Parent: 3627)
  • sed (PID: 3628, Parent: 3627, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -n "/^DNS=/ { s/^DNS=/nameserver /; p}" /run/systemd/netif/state /run/systemd/netif/leases/*
  • dash New Fork (PID: 3629, Parent: 3627)
  • sort (PID: 3629, Parent: 3627, MD5: fb4c334af5810c835b37ec2ec14a35bd) Arguments: sort -u
  • dash New Fork (PID: 3638, Parent: 2522)
  • sleep (PID: 3638, Parent: 2522, MD5: e9887f1d8cae3dc50b4cbac09435a162) Arguments: sleep 1
  • dash New Fork (PID: 3656, Parent: 3655)
  • sed (PID: 3656, Parent: 3655, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -n "/^DNS=/ { s/^DNS=/nameserver /; p}" /run/systemd/netif/state /run/systemd/netif/leases/*
  • dash New Fork (PID: 3657, Parent: 3655)
  • sort (PID: 3657, Parent: 3655, MD5: fb4c334af5810c835b37ec2ec14a35bd) Arguments: sort -u
  • dash New Fork (PID: 3666, Parent: 2522)
  • sleep (PID: 3666, Parent: 2522, MD5: e9887f1d8cae3dc50b4cbac09435a162) Arguments: sleep 1
  • dash New Fork (PID: 3683, Parent: 2522)
  • sed (PID: 3683, Parent: 2522, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -n "/^DOMAINS=/ { s/^.*=/search /; p}" /run/systemd/netif/state
  • dash New Fork (PID: 3684, Parent: 2522)
  • resolvconf (PID: 3684, Parent: 2522, MD5: 4e4ff2bfda7a6d18405a462937b63a2e) Arguments: /bin/sh /sbin/resolvconf -a networkd
    • mkdir (PID: 3695, Parent: 3684, MD5: a97f666f21c85ec62ea47d022263ef41) Arguments: mkdir -p /run/resolvconf/interface
    • resolvconf New Fork (PID: 3701, Parent: 3684)
      • sed (PID: 3706, Parent: 3701, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -e s/#.*$// -e s/[[:blank:]]\\+$// -e s/^[[:blank:]]\\+// -e "s/[[:blank:]]\\+/ /g" -e "/^nameserver/!b ENDOFCYCLE" -e "s/$/ /" -e "s/\\([:. ]\\)0\\+/\\10/g" -e "s/\\([:. ]\\)0\\([123456789abcdefABCDEF][[:xdigit:]]*\\)/\\1\\2/g" -e "/::/b ENDOFCYCLE; s/ \\(0[: ]\\)\\+/ ::/" -e "/::/b ENDOFCYCLE; s/:\\(0[: ]\\)\\+/::/" -e ": ENDOFCYCLE" -
      • sed (PID: 3707, Parent: 3701, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -e s/[[:blank:]]\\+$// -e /^$/d
  • dash New Fork (PID: 3734, Parent: 2079)
  • mkdir (PID: 3734, Parent: 2079, MD5: a97f666f21c85ec62ea47d022263ef41) Arguments: mkdir -p /home/user/.cache/logrotate
  • dash New Fork (PID: 3743, Parent: 2079)
  • mkdir (PID: 3743, Parent: 2079, MD5: a97f666f21c85ec62ea47d022263ef41) Arguments: mkdir -p /home/user/.cache/upstart
  • dash New Fork (PID: 3744, Parent: 2079)
  • egrep (PID: 3744, Parent: 2079, MD5: ef55d1537377114cc24cdc398fbdd930) Arguments: /bin/sh /bin/egrep [^[:print:]] /home/user/.cache/logrotate/status
  • grep (PID: 3744, Parent: 2079, MD5: fc9b0a0ff848b35b3716768695bf2427) Arguments: grep -E [^[:print:]] /home/user/.cache/logrotate/status
  • dash New Fork (PID: 3774, Parent: 2079)
  • mktemp (PID: 3774, Parent: 2079, MD5: 91cf2e2a84f3b49fdecdd8b631902009) Arguments: mktemp
  • dash New Fork (PID: 3806, Parent: 2079)
  • cat (PID: 3806, Parent: 2079, MD5: efa10d52f37361f2e3a5d22742f0fcc4) Arguments: cat
  • dash New Fork (PID: 3807, Parent: 2079)
  • logrotate (PID: 3807, Parent: 2079, MD5: d0eaf9942936032d217478b93e9cd4b1) Arguments: logrotate -s /home/user/.cache/logrotate/status /tmp/tmp.Z3ICkFc8SF
    • gzip (PID: 3808, Parent: 3807, MD5: 25ea567880cec4ac02e7a77ad304e3c6) Arguments: /bin/gzip
    • gzip (PID: 3809, Parent: 3807, MD5: 25ea567880cec4ac02e7a77ad304e3c6) Arguments: /bin/gzip
    • gzip (PID: 3810, Parent: 3807, MD5: 25ea567880cec4ac02e7a77ad304e3c6) Arguments: /bin/gzip
    • gzip (PID: 3833, Parent: 3807, MD5: 25ea567880cec4ac02e7a77ad304e3c6) Arguments: /bin/gzip
    • gzip (PID: 3856, Parent: 3807, MD5: 25ea567880cec4ac02e7a77ad304e3c6) Arguments: /bin/gzip
    • gzip (PID: 3861, Parent: 3807, MD5: 25ea567880cec4ac02e7a77ad304e3c6) Arguments: /bin/gzip
    • gzip (PID: 3870, Parent: 3807, MD5: 25ea567880cec4ac02e7a77ad304e3c6) Arguments: /bin/gzip
  • dash New Fork (PID: 3871, Parent: 2079)
  • rm (PID: 3871, Parent: 2079, MD5: b79876063d894c449856cca508ecca7f) Arguments: rm -f /tmp/tmp.Z3ICkFc8SF
  • cleanup

Yara Overview

Initial Sample

Source: bin.sh.2
Rule: SUSP_ELF_LNX_UPX_Compressed_File
Description: Detects a suspicious ELF binary with UPX compression
Author: Florian Roth
Strings:
  • 0x206f8: $s1: PROT_EXEC|PROT_WRITE failed.
  • 0x20767: $s2: $Id: UPX
  • 0x20718: $s3: $Info: This file is packed with the UPX executable packer

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: bin.sh.2    Avira: detected
Multi AV Scanner detection for submitted file
Source: bin.sh.2    Virustotal: Detection: 61%
Source: bin.sh.2    Metadefender: Detection: 15%
Source: bin.sh.2    ReversingLabs: Detection: 58%
Source: bin.sh.2    String found in binary or memory: http://upx.sf.net
Sample contains only a LOAD segment without any section mappings
Source: LOAD without section mappings    Program segment: 0x400000
Yara signature match
Source: bin.sh.2, type: SAMPLE    Matched rule: SUSP_ELF_LNX_UPX_Compressed_File date = 2018-12-12, author = Florian Roth, description = Detects a suspicious ELF binary with UPX compression, reference = Internal Research, score = 038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4
Source: classification engine    Classification label: mal60.evad.lin2@0/11@0/0

Data Obfuscation:

Sample is packed with UPX
Source: initial sample    String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample    String containing UPX found: $Id: UPX 3.95 Copyright (C) 1996-2018 the UPX Team. All Rights Reserved. $

System Behavior signatures:

Creates hidden files and/or directories
Source: /bin/mkdir (PID: 3734)    Directory: .cache
Source: /bin/mkdir (PID: 3743)    Directory: .cache
Executes the "grep" command used to find patterns in files or piped streams
Source: /bin/egrep (PID: 3744)    Grep executable: /bin/grep -> grep -E [^[:print:]] /home/user/.cache/logrotate/status
Executes the "mkdir" command used to create folders
Source: /sbin/resolvconf (PID: 3695)    Mkdir executable: /bin/mkdir -> mkdir -p /run/resolvconf/interface
Source: /bin/dash (PID: 3734)    Mkdir executable: /bin/mkdir -> mkdir -p /home/user/.cache/logrotate
Source: /bin/dash (PID: 3743)    Mkdir executable: /bin/mkdir -> mkdir -p /home/user/.cache/upstart
Executes the "mktemp" command used to create a temporary unique file name
Source: /bin/dash (PID: 3774)    Mktemp executable: /bin/mktemp -> mktemp
Executes the "rm" command used to delete files or directories
Source: /bin/dash (PID: 3871)    Rm executable: /bin/rm -> rm -f /tmp/tmp.Z3ICkFc8SF
Executes the "sleep" command used to delay execution and potentially evade sandboxes
Source: /bin/dash (PIDs: 3192, 3223, 3255, 3276, 3309, 3345, 3373, 3402, 3431, 3457, 3574, 3615, 3638, 3666)    Sleep executable: /bin/sleep -> sleep 1
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/bin.sh.2 (PID: 3475)    Queries kernel information via 'uname'
Source: /usr/share/apport/apport-gtk (PID: 3519)    Queries kernel information via 'uname'
Source: /usr/share/apport/apport-gtk (PID: 3546)    Queries kernel information via 'uname'

Mitre Att&ck Matrix

Techniques with hits (hit count in parentheses):
  • Defense Evasion: Hidden Files and Directories (1)
  • Defense Evasion: Obfuscated Files or Information (1)
  • Defense Evasion: File Deletion (1)
  • Discovery: Security Software Discovery (1)

All other cells of the matrix (Initial Access, Execution, Persistence, Privilege Escalation, Credential Access, Lateral Movement, Collection, Exfiltration, Command and Control, Network Effects, Remote Service Effects, Impact, and the remaining Defense Evasion and Discovery rows) are the matrix's template entries with no hit.

Behavior Graph

[Rendered as an image on the original page; recoverable details follow.]
Behavior Graph ID: 321472, Sample: bin.sh.2, Startdate: 22/11/2020, Architecture: LINUX, Score: 60
Top-level signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Sample is packed with UPX
Top-level process chains: dash -> logrotate (7 other processes); dash -> resolvconf -> resolvconf (two sed children) and mkdir; upstart -> sh -> date and apport-checkreports; 51 other processes, among them sh -> date and sh -> apport-gtk (twice each)

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source     Detection  Scanner        Label
bin.sh.2   62%        Virustotal
bin.sh.2   18%        Metadefender
bin.sh.2   59%        ReversingLabs  Linux.Trojan.Mirai
bin.sh.2   100%       Avira          LINUX/Mirai.ccjqy

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name               Source    Malicious  Antivirus Detection  Reputation
http://upx.sf.net  bin.sh.2  false                           high

    Contacted IPs

    No contacted IP infos

    General Information

    Joe Sandbox Version:31.0.0 Red Diamond
    Analysis ID:321472
    Start date:22.11.2020
    Start time:15:29:47
    Joe Sandbox Product:CloudBasic
    Overall analysis duration:0h 4m 28s
    Hypervisor based Inspection enabled:false
    Report type:full
    Sample file name:bin.sh.2
    Cookbook file name:defaultlinuxfilecookbook.jbs
    Analysis system description:Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 59.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
    Detection:MAL
    Classification:mal60.evad.lin2@0/11@0/0


    Runtime Messages

    Command:/tmp/bin.sh.2 (executed as /usr/bin/qemu-mips /tmp/bin.sh.2, see Startup)
    Exit Code:133 (128 + 5: the process was terminated by signal 5, SIGTRAP)
    Exit Code Info:
    Killed:False
    Standard Output:

    Standard Error:qemu: uncaught target signal 5 (Trace/breakpoint trap) - core dumped

    The sample process (PID 3475) therefore died inside the MIPS user-mode emulator before spawning anything: it has no child processes in the Startup tree, and the only signature attributed to it is the uname query. The mkdir, grep, mktemp, rm, sleep and resolvconf hits come from the sandbox's own dash, upstart and logrotate jobs (parents 2015, 2079 and 2522), and the two /var/crash files were written by the apport processes themselves, so none of the System Behavior signatures describe the sample's payload.

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    No context

    ASN

    No context

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    /home/user/.cache/logrotate/status.tmp
    Process:/usr/sbin/logrotate
    File Type:ASCII text
    Category:dropped
    Size (bytes):1458
    Entropy (8bit):4.849832747748101
    Encrypted:false
    SSDEEP:24:fOeWfnS8MHLIJWfnruvRvLWfnw7WfnDvCvTovMHXIbUvMHtW8MF8iQlovwWfnRvP:2elNHLcsUnfHXaHtWbFLosrHz
    MD5:81E1C88877780640AE38C5043C3AA449
    SHA1:8497BDB1BEC9BF382130124B8F15F51C714A53F9
    SHA-256:F04D0012E18ED4128CD0F309328937A02883D313650F803C865870211389C520
    SHA-512:B4674869AEC0716EB3D98995B7F6DD0F511487CF414C5B45700912A047E5C50A70B8360BBF79195C8F5DEC4E46DF9206BA2074B1DA0B71B860E049C71A8AA4BF
    Malicious:false
    Reputation:low
    Preview: logrotate state -- version 2."/home/user/.cache/upstart/indicator-application.log" 2018-5-7-11:38:22."/home/user/.cache/upstart/indicator-sound.log" 2018-5-7-10:33:19."/home/user/.cache/upstart/update-notifier-crash-_var_crash__usr_share_apport_apport-gtk.1000.crash.log" 2020-11-22-16:0:0."/home/user/.cache/upstart/indicator-session.log" 2018-5-7-11:38:22."/home/user/.cache/upstart/dbus.log" 2020-11-22-16:30:33."/home/user/.cache/upstart/gnome-keyring-ssh.log" 2020-11-22-16:30:33."/home/user/.cache/upstart/indicator-bluetooth.log" 2018-5-7-11:38:22."/home/user/.cache/upstart/indicator-datetime.log" 2018-5-7-11:38:22."/home/user/.cache/upstart/startxfce4.log" 2020-11-22-16:30:33."/home/user/.cache/upstart/update-notifier-release.log" 2020-11-22-16:30:33."/home/user/.cache/upstart/update-notifier-crash-_var_crash__usr_share_apport_apport.0.crash.log" 2020-11-22-16:0:0."/home/user/.cache/upstart/ssh-agent.log" 2020-11-22-16:30:33."/home/user/.cache/upstart/update-notifier-crash-_var_crash
    /home/user/.cache/upstart/dbus.log.1.gz
    Process:/bin/gzip
    File Type:Sun Nov 22 14:29:52 2020, from Unix
    Category:dropped
    Size (bytes):267
    Entropy (8bit):7.17057604794189
    Encrypted:false
    SSDEEP:6:XJ82YlQuom0gW0F46ASWpC8t0BEP80ryEbjL+swraiuWRGI:Xy2/nLT0F48WUTBEEAJPyROi0I
    MD5:210B9D0369D90FBFD26488500C287AFB
    SHA1:EAA04F4D00EC810987011FEE12C1ED133B9355B0
    SHA-256:3D6DDB22CB4AF7091C87F955E1B261E893606592727DBE89D822F2F50AB71188
    SHA-512:10C2A9F0CC432D8C74CD8DD90846511C2E8C2C20A736223910FD0D38CDC10B03F21EB51101160A109A39F8B61197571DE489A1ACB4234387A01A617A788C95FA
    Malicious:false
    Reputation:low
    Preview: .....u._.....N.0...H.Co.E*w.E.8.MbL....EMc.;...3........._~..?.....i....=./(...,........9[....p,......!..p..ANb.e..0....(.y...K...N..<.x..i."+.j=.tfpl..=Ee...."....|`..zb*..KKQ.|Yz..nK!......'"T..f=G=.....s.#.N...eOD....s...u....h@..+...j...P.......A.S.....
    /home/user/.cache/upstart/gnome-keyring-ssh.log.1.gz
    Process:/bin/gzip
    File Type:Mon Jul 27 09:05:22 2020, from Unix
    Category:dropped
    Size (bytes):99
    Entropy (8bit):6.129257882662173
    Encrypted:false
    SSDEEP:3:FtPaGuofByOJ9+JbgcpuvfIMGddoffEwZW/l:XPa25NrQbgYuoMBfMsGl
    MD5:2B8D9549C00943FB9FFC73FD80E6AC1A
    SHA1:E6348E8BB25396F0542E7E74AE30AF03F48E237E
    SHA-256:606AE477FACBE88A7BF8C1718AE0259E50487BB5F98B80F0E2895DD799BBE858
    SHA-512:C2CA8D2DFC0B0E28FDB3E94EF2BE74D7D663E9943EE55D03F9F8C8E1425AC4C0C07391020DEE0931EC9967185BDD75BDA438BC413DDBC6AB18D2EF28388C9D59
    Malicious:false
    Reputation:moderate, very likely benign file
    Preview: ......_....... ....;t...!.@....-.....+B..X.%.J.>..`..jA....:-i.8...i7..f..+....@jB.X.y.OK..Y...
    /home/user/.cache/upstart/gpg-agent.log.1.gz
    Process:/bin/gzip
    File Type:Mon Jul 27 09:05:26 2020, from Unix
    Category:dropped
    Size (bytes):109
    Entropy (8bit):6.285347714840308
    Encrypted:false
    SSDEEP:3:Ft+KspyDBmKyr7JtqZioTFBkdMl/:X+KspyDB94JtYPk+
    MD5:13A3054AF030A536BDA784F022481B4C
    SHA1:062CEC7C61E642887CE10970A7353066C4283DFD
    SHA-256:0D9475D2511F0A2C555242326C2D4EB69E4456726BDDB84913B95EC59F8FDCF6
    SHA-512:EB0A9DDC9D084934F42DF3AC9FE92CE534A841B38F6008774F29788EEFEC4FD22BFE12570B30558A351755347E92742C867B3B65E0616294146C390FB60A3388
    Malicious:false
    Reputation:moderate, very likely benign file
    Preview: ......_.......0....=l...E.C....p&.....fX.L..Wt...)*.*...e.X.......).Fj+.,."E..5f......X.K..w...........
    /home/user/.cache/upstart/ssh-agent.log.1.gz
    Process:/bin/gzip
    File Type:Mon Jul 27 09:05:22 2020, from Unix
    Category:dropped
    Size (bytes):60
    Entropy (8bit):5.121567004295788
    Encrypted:false
    SSDEEP:3:FtPa5qBO0YYLB0trI1mlwdn:XPa5W2Yt02g6n
    MD5:32CF70DC61DECD8DFBC64EB2F2529FAC
    SHA1:DAC70D15E4E11407299DC63AAA6774A2393C2316
    SHA-256:5F46EF0AAB4AD28F5384537011EDB096F22592BE4EA83194C1A52A11ECAD51D5
    SHA-512:D89B691D4403CB3B836F4B50795046DE26AC588D2C03020EC9B944B97259DD7ED759509229E92B601C5050F2A43DCAFA0D098E2EE5E324A56F69E1EE4BB35E87
    Malicious:false
    Reputation:moderate, very likely benign file
    Preview: ......_..+...MLO.+Q(.././(J.-.I,*.Q((.ON-.V024.......["(...
    /home/user/.cache/upstart/startxfce4.log.1.gz
    Process:/bin/gzip
    File Type:Sun Nov 22 15:30:16 2020, from Unix
    Category:dropped
    Size (bytes):1151
    Entropy (8bit):7.838141400213322
    Encrypted:false
    SSDEEP:24:XH8+BojMnJnBU5Lk9eIEtZHE9LYIOzgczACtLQ1vzKpDk/aR:XH8+iI9u5LCEtFE9LBOzjACEKQA
    MD5:A4C3C148AC5FCAF118ACF2C180C9E35B
    SHA1:1A57B7E35A21ED687755B228193CF322587C363E
    SHA-256:4CB232AE63AD2D6EE997E6331250CDA3FAE0AFA732B13A5E38ECBBC609510B5B
    SHA-512:B0BC585DA8371FCA6410E95122F331383620A956371DC99E288B6242221DEE199DF90D8A002D774EBD8501E4CD2B2192595D2353A64A19DA04B285FDA205669F
    Malicious:false
    Reputation:low
    Preview: ......._...V.n.8....?....d;.M.t#....i'...@Ke..D...V.~....9...s. ..W.{E...7.u}..?.~:J...<.3...w..t...)L..`.....R..z.T.fi...g....%7...s......1\...`%......T.._.e.Ln.}.0.......y.@K...$us...;A..jH..`.gt2."1.i..I_.X....h'....(.Q.k........oW..Z1.g...n...U.....B..-......k.$..t.K.v.`.c...~..nKU&.,"J]X..:.-.n.#j..uoq........Y%Y.=G.O..w...?.]@..U...$.Y....7..7s......u:8.K.....pc..-.g)c..KH@.j.m...9._X.S..4...).O.-.k>...&.....N....L.L.:3.W5.f(^...v.~......}.3bE.O......5......<.4y..4.{..3q.R*u..5b'..e+.'.....R.5... X.[..%...}k..kf@H.J../...!r5...*P..$...p..R..a<HG..w..n.$..r.....f,_V.\.x:g.N$f.4.?p3"y.y.).......m....]...x.i..1....3...^.Z....6}......\...A(y..#.g..a...@........Rc.....8Z..f..tHf.^"%........(i...[..Q....6.t4......+"..l.E!..9..$..V.S..h.H..F....BF..Q..d.y.<a..H..../..U.I.]0.9.h...c.J.;....p;.<.I6k....Y.:..9..>......^...w.4..e..K..u...i.DPIg.........rP.....;....>..).(.+*.....E.p..W$....<;..vE\P..*.l.^S....e.>.1|.v.K...EK.B....;...uZPG.8.:J.&.....@
    /home/user/.cache/upstart/update-notifier-release.log.1.gz
    Process:/bin/gzip
    File Type:Mon Jul 27 09:05:22 2020, from Unix
    Category:dropped
    Size (bytes):73
    Entropy (8bit):5.311208593298957
    Encrypted:false
    SSDEEP:3:FtPacK82rsFX+TP4P2gt:XPacf2rNWt
    MD5:6B9C8B79E6508C02BCACF1C11363D3BC
    SHA1:F450E69D5A258FCF4D89E7CDB1FBD7EEC5E19A77
    SHA-256:735DFDFE533A05589BFDC9044627395F29312064CFBA09CCB60E010AEC692411
    SHA-512:AAE4EF554245D1419335B80EA6ED0E357FCC7032BF991D4808B8A2E09F671BA318B7EF0A8824FA334D6B51EF7104351461814D1EE096D357305914A83380CC35
    Malicious:false
    Reputation:moderate, very likely benign file
    Preview: ......_.....S.*.Q02W04.20.22Rpv..Q0202P.K-W(J.IM,NUH,K..IL.I.......5...
    /home/user/.cache/upstart/upstart-event-bridge.log.1.gz
    Process:/bin/gzip
    File Type:Mon Jul 27 09:05:22 2020, from Unix
    Category:dropped
    Size (bytes):68
    Entropy (8bit):5.395998870534845
    Encrypted:false
    SSDEEP:3:FtPa5wG0BMPWNLPgXseOBMky:XPa5wG+OQP4OBMV
    MD5:1395D405968C76307CBA75C5DDC9CA19
    SHA1:C36CEE03E5DF12FBFB57A5EBCEAE329B41AFA1F7
    SHA-256:33785027CEE82E878434593B532FE1DF25D46676379757272C1E15C9AADD3B1F
    SHA-512:09CAB8DFF495DA9ED715C94E9F24B0C5C40CF0BC8C1B0DEEFB90C54081020AD80AF51636ADCBA368980E2C69119697A65E2E4AC5B834E0F08F88AEA52EFDA257
    Malicious:false
    Reputation:moderate, very likely benign file
    Preview: ......_..+-(.I,*.M-K.+.M*.LIOU(.././(J....(...'...+..X..r......3...
    /tmp/tmp.Z3ICkFc8SF
    Process:/bin/cat
    File Type:ASCII text
    Category:dropped
    Size (bytes):141
    Entropy (8bit):3.7760909131289533
    Encrypted:false
    SSDEEP:3:PgWA0uU95y/1aF/g2FFXwyyVDoGeRqcOAvC:PgWl195y9aF/g2FFgfNepvK
    MD5:46261223A62EF65D03C70F15EE935267
    SHA1:E9102D8808BA6E171405F1830BD7C6B8179C9BF2
    SHA-256:DFECC8990014230F50FBAD269AD523A74D16CFB455065EC8D9041764D684C239
    SHA-512:380CFA479D6DB2361DCE6A52A516ECBA4D5CCE647299A87C3C3ED5887DB929C81A0F970097E6CF02C11440BCE87299D611B01CE56CF9AF09DCFBBA14249E9AF9
    Malicious:false
    Reputation:moderate, very likely benign file
    Preview: "/home/user/.cache/upstart/*.log" {. hourly. missingok. rotate 7. compress. notifempty. nocreate.}.
    /var/crash/_usr_share_apport_apport-checkreports.1000.crash
    Process:/usr/share/apport/apport-checkreports
    File Type:ASCII text
    Category:dropped
    Size (bytes):14915
    Entropy (8bit):4.705948069062219
    Encrypted:false
    SSDEEP:192:s7EgNTUgjDF0rHEngKIIeB3E4Xd6tR7sPIdhbm:EHF0YoEkV
    MD5:2A772BAFC88F5EBCA5F274D28CD97DDA
    SHA1:682305020D15633613CD6454198EBF2F1B86AF80
    SHA-256:00A1B083C79F819F2212E6E97DB3F1F257F97FA0463EA69533DEE0F505B9D90F
    SHA-512:3F3A7036B09C71B30ECABF3E8CC487D892CF879697B7E3D1DFA6E2E29DC233BA256F9E3B04A0B3007B08BAF101D5CEAE481B9A2D5C926C20EA37ED4064158EC3
    Malicious:false
    Reputation:low
    Preview: ProblemType: Crash.Date: Sun Nov 22 16:30:16 2020.ExecutablePath: /usr/share/apport/apport-checkreports.ExecutableTimestamp: 1514927430.InterpreterPath: /usr/bin/python3.5.ProcCmdline: /usr/bin/python3 /usr/share/apport/apport-checkreports --system.ProcCwd: /home/user.ProcEnviron:. LANGUAGE=en_US. PATH=(custom, user). XDG_RUNTIME_DIR=<set>. LANG=en_US.UTF-8. SHELL=/bin/bash.ProcMaps:. 00400000-007a9000 r-xp 00000000 fc:00 217 /usr/bin/python3.5. 009a9000-009ab000 r--p 003a9000 fc:00 217 /usr/bin/python3.5. 009ab000-00a42000 rw-p 003ab000 fc:00 217 /usr/bin/python3.5. 00a42000-00a73000 rw-p 00000000 00:00 0 . 010de000-01436000 rw-p 00000000 00:00 0 [heap]. 7f2946c13000-7f2946d94000 rw-p 00000000 00:00 0 . 7f2946d94000-7f2946dab000 r-xp 00000000 fc:00 2382 /usr/lib/x86_64-linux-gnu/liblz4.so.1.7.1. 7f2946dab000-7f2946faa000 ---p 00017000 fc:0
    /var/crash/_usr_share_apport_apport-gtk.1000.crash
    Process:/usr/share/apport/apport-gtk
    File Type:ASCII text
    Category:dropped
    Size (bytes):47094
    Entropy (8bit):4.502518000583029
    Encrypted:false
    SSDEEP:384:P5lzrfL2jNYxR1/z/d/d/GLSpgqVncPB+YiSLSAOfPQRqSio/aNMmWYE8G:rrT/z/d/d/bVcPUYiGio/aNMmWYY
    MD5:64E7DD2D9BF6A2704E28F4D1C71ABD85
    SHA1:0072FD7EEE4B1666C2FA5A8F2151AF62D0F22D13
    SHA-256:D459738CDF00E8B9B72F36288EB77EC62F1151A6E0BED4CB35F0654B04A44F8E
    SHA-512:EC745043552D419982B4B14F076D45DF6C82E30E5E5BA8C5BACFE89088993F33DDEA233A1D78C385DB0DD2087680CDBB14AFA771935DB15FE6A0F5DB877A9E9F
    Malicious:false
    Reputation:low
    Preview: ProblemType: Crash.Date: Sun Nov 22 16:30:17 2020.ExecutablePath: /usr/share/apport/apport-gtk.ExecutableTimestamp: 1514927430.InterpreterPath: /usr/bin/python3.5.ProcCmdline: /usr/bin/python3 /usr/share/apport/apport-gtk.ProcCwd: /home/user.ProcEnviron:. LANGUAGE=en_US. PATH=(custom, user). XDG_RUNTIME_DIR=<set>. LANG=en_US.UTF-8. SHELL=/bin/bash.ProcMaps:. 00400000-007a9000 r-xp 00000000 fc:00 217 /usr/bin/python3.5. 009a9000-009ab000 r--p 003a9000 fc:00 217 /usr/bin/python3.5. 009ab000-00a42000 rw-p 003ab000 fc:00 217 /usr/bin/python3.5. 00a42000-00a73000 rw-p 00000000 00:00 0 . 019c0000-01ee2000 rw-p 00000000 00:00 0 [heap]. 7f7b83940000-7f7b83a40000 rw-p 00000000 00:00 0 . 7f7b83a40000-7f7b83a57000 r-xp 00000000 fc:00 2382 /usr/lib/x86_64-linux-gnu/liblz4.so.1.7.1. 7f7b83a57000-7f7b83c56000 ---p 00017000 fc:00 2382

    Static File Info

    General

    File type:ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
    Entropy (8bit):7.813637944981102
    TrID:
    • ELF Executable and Linkable format (Linux) (4029/14) 50.16%
    • ELF Executable and Linkable format (generic) (4004/1) 49.84%
    File name:bin.sh.2
    File size:135472
    MD5:a73ddd6ec22462db955439f665cad4e6
    SHA1:ac6962542a4b23ac13bddff22f8df9aeb702ef12
    SHA256:b5cf68c7cb5bb2d21d60bf6654926f61566d95bfd7c9f9e182d032f1da5b4605
    SHA512:92a52f68a7324c4d5876e1f7e2cb87d14b8604b057ceee2e537815568faa96abf576a22111c5c976eff72ab9015f1261b2331d4b4d711f4e62c8eb403c2377aa
    SSDEEP:3072:2glZ3FtCKXhkmHtZ9TEKzjfj/WMngyIfsJ0F7xPtoM:2IIKXhZtL7jOTyIG87Xl
    File Content Preview:.ELF.....................B.x...4.........4. ...(.............@...@...........................C...C...................*.*UPX!.X.....................]....|.$..ELF..........@.`....4...p... ...(......<...@......[v......H...`.t/._...dt.Q.....].M........P......

    Static ELF Info

    ELF header

    Class:ELF32
    Data:2's complement, big endian
    Version:1 (current)
    Machine:MIPS R3000
    Version Number:0x1
    Type:EXEC (Executable file)
    OS/ABI:UNIX - System V
    ABI Version:0
    Entry Point Address:0x420578
    Flags:0x1007
    ELF Header Size:52
    Program Header Offset:52
    Program Header Size:32
    Number of Program Headers:2
    Section Header Offset:0
    Section Header Size:40
    Number of Section Headers:0
    Header String Table Index:0

    Program Segments

    Type  Offset  Virtual Address  Physical Address  File Size  Memory Size  Flags  Flags Description  Align    Prog Interpreter  Section Mappings
    LOAD  0x0     0x400000         0x400000          0x20fc2    0x20fc2      0x5    R E                0x10000
    LOAD  0x0     0x430000         0x430000          0x0        0x91f18      0x6    RW                 0x10000
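The static indicators this report lists for bin.sh.2 (a stripped ELF32 big-endian MIPS image with no section headers, two LOAD segments, an entry point at 0x420578 close to the end of the executable segment, and the UPX marker strings at the offsets the YARA rule reported) can be checked without a sandbox. The script below is an added example, not Joe Sandbox code and not the YARA rule's own logic: it parses the ELF32 header and program headers with the endianness taken from EI_DATA, searches for the UPX marker strings, and reports the structural traits. Because the real file is not embedded here, build_sample() constructs a stand-in whose header, segment table and marker offsets copy the values printed in this report; every other byte is zero, so its hashes will not match the sample's. The 0xd0 offset chosen for the UPX! magic and the 0x1000 entry-tail threshold are assumptions.

```python
"""Static triage of a stripped, UPX-packed ELF32 binary (added example, not Joe Sandbox code)."""
import struct

# Marker strings from the report's YARA hit, plus the UPX! magic seen in the file preview.
UPX_MARKERS = [
    b"PROT_EXEC|PROT_WRITE failed.",
    b"$Id: UPX",
    b"$Info: This file is packed with the UPX executable packer",
    b"UPX!",
]
PT_LOAD = 1                       # program header type: loadable segment
PF_X = 0x1                        # segment flag: executable
EM_MIPS = 8                       # e_machine for MIPS (the report prints it as "MIPS R3000")
ELF32_EHDR_FMT = "HHIIIIIHHHHHH"  # header fields after the 16-byte e_ident
ELF32_PHDR_FMT = "IIIIIIII"       # one Elf32_Phdr


def parse_elf32(data: bytes) -> dict:
    """Parse the ELF32 header and program headers, honouring EI_DATA for endianness."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 1:
        raise ValueError("only ELF32 is handled here")
    endian = ">" if data[5] == 2 else "<"  # EI_DATA: 2 = big endian (MSB), 1 = little
    (_type, e_machine, _ver, e_entry, e_phoff, e_shoff, e_flags,
     _ehsize, e_phentsize, e_phnum, _shentsize, e_shnum, _shstrndx) = \
        struct.unpack_from(endian + ELF32_EHDR_FMT, data, 16)
    segments = []
    for i in range(e_phnum):
        p_type, p_off, p_vaddr, _paddr, p_filesz, p_memsz, p_flags, p_align = \
            struct.unpack_from(endian + ELF32_PHDR_FMT, data, e_phoff + i * e_phentsize)
        segments.append(dict(type=p_type, offset=p_off, vaddr=p_vaddr, filesz=p_filesz,
                             memsz=p_memsz, flags=p_flags, align=p_align))
    return dict(big_endian=endian == ">", machine=e_machine, entry=e_entry,
                flags=e_flags, shoff=e_shoff, shnum=e_shnum, segments=segments)


def find_upx_markers(data: bytes) -> list:
    """Return (offset, marker) pairs for every occurrence of a UPX marker string."""
    hits = []
    for marker in UPX_MARKERS:
        start = 0
        while (pos := data.find(marker, start)) != -1:
            hits.append((pos, marker.decode()))
            start = pos + 1
    return sorted(hits)


def triage(data: bytes) -> dict:
    """Collect the traits a packed, stripped ELF shows in a purely static view."""
    hdr = parse_elf32(data)
    findings = []
    if hdr["shnum"] == 0 and hdr["shoff"] == 0:
        findings.append("no section headers: only LOAD segments describe the image")
    loads = [s for s in hdr["segments"] if s["type"] == PT_LOAD]
    entry_seg = next((s for s in loads if s["flags"] & PF_X
                      and s["vaddr"] <= hdr["entry"] < s["vaddr"] + s["memsz"]), None)
    if entry_seg is None:
        findings.append("entry point lies outside every executable LOAD segment")
    else:
        tail = entry_seg["vaddr"] + entry_seg["memsz"] - hdr["entry"]
        if tail < 0x1000:  # threshold is an assumption; UPX places its stub after the packed data
            findings.append(f"entry point is in the last {tail:#x} bytes of the executable segment")
    for s in loads:
        if s["filesz"] == 0 and s["memsz"] > 0:
            findings.append(f"LOAD at {s['vaddr']:#x} has filesz 0 and memsz {s['memsz']:#x} "
                            "(memory-only segment, nothing backed by the file)")
    markers = find_upx_markers(data)
    if markers:
        findings.append(f"{len(markers)} UPX marker strings present")
    return dict(header=hdr, markers=markers, findings=findings)


def build_sample() -> bytes:
    """Constructed stand-in for bin.sh.2: header, segment table and marker offsets copy the
    values in this report; every other byte is zero, so this is NOT the real file."""
    buf = bytearray(135472)                                     # file size from the report
    buf[0:16] = b"\x7fELF" + bytes([1, 2, 1, 0, 0]) + bytes(7)  # ELF32, MSB, SYSV, ABI 0
    struct.pack_into(">" + ELF32_EHDR_FMT, buf, 16,
                     2, EM_MIPS, 1, 0x420578, 52, 0, 0x1007, 52, 32, 2, 40, 0, 0)
    struct.pack_into(">" + ELF32_PHDR_FMT, buf, 52,
                     PT_LOAD, 0x0, 0x400000, 0x400000, 0x20fc2, 0x20fc2, 0x5, 0x10000)
    struct.pack_into(">" + ELF32_PHDR_FMT, buf, 84,
                     PT_LOAD, 0x0, 0x430000, 0x430000, 0x0, 0x91f18, 0x6, 0x10000)
    for off, marker in ((0x206f8, UPX_MARKERS[0]), (0x20767, UPX_MARKERS[1]),
                        (0x20718, UPX_MARKERS[2])):
        buf[off:off + len(marker)] = marker                     # offsets from the YARA strings
    buf[0xd0:0xd4] = b"UPX!"                                    # assumed offset for the magic
    return bytes(buf)


if __name__ == "__main__":
    result = triage(build_sample())
    for off, marker in result["markers"]:
        print(f"{off:#08x}  {marker}")
    for finding in result["findings"]:
        print("-", finding)
```

Run against a real file by replacing build_sample() with the file's bytes; the endianness switch matters here because a MIPS MSB sample read with little-endian defaults produces nonsense offsets, which is one way triage tooling written for x86 quietly misses IoT samples like this one.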

    Network Behavior

    No network behavior found

    System Behavior