Analysis Report i

Overview

General Information

Sample Name:	i
Analysis ID:	321474
MD5:	a73ddd6ec22462db955439f665cad4e6
SHA1:	ac6962542a4b23ac13bddff22f8df9aeb702ef12
SHA256:	b5cf68c7cb5bb2d21d60bf6654926f61566d95bfd7c9f9e182d032f1da5b4605

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Sample is packed with UPX

Creates hidden files and/or directories

Executes the "grep" command used to find patterns in files or piped streams

Executes the "mkdir" command used to create folders

Executes the "mktemp" command used to create a temporary unique file name

Executes the "rm" command used to delete files or directories

Executes the "sleep" command used to delay execution and potentially evade sandboxes

Sample contains only a LOAD segment without any section mappings

Uses the "uname" system call to query kernel version information (possible evasion)

Yara signature match

Classification

Signatures

AV Detection:

Antivirus / Scanner detection for submitted sample

Source: i

Avira: detected

Multi AV Scanner detection for submitted file

Source: i	Virustotal: Detection: 61%	Perma Link
Source: i	Metadefender: Detection: 15%	Perma Link
Source: i	ReversingLabs: Detection: 58%

Source: i

String found in binary or memory: http://upx.sf.net

System Summary:

Sample contains only a LOAD segment without any section mappings

Source: LOAD without section mappings

Program segment: 0x400000

Yara signature match

Source: i, type: SAMPLE

Matched rule: SUSP_ELF_LNX_UPX_Compressed_File date = 2018-12-12, author = Florian Roth, description = Detects a suspicious ELF binary with UPX compression, reference = Internal Research, score = 038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4

Source: classification engine

Classification label: mal60.evad.lin@0/11@0/0

Data Obfuscation:

Sample is packed with UPX

Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Id: UPX 3.95 Copyright (C) 1996-2018 the UPX Team. All Rights Reserved. $

Persistence and Installation Behavior:

Creates hidden files and/or directories

Source: /bin/mkdir (PID: 3711)	Directory: .cache
Source: /bin/mkdir (PID: 3712)	Directory: .cache

Executes the "grep" command used to find patterns in files or piped streams

Source: /bin/egrep (PID: 3713)

Grep executable: /bin/grep -> grep -E [^[:print:]] /home/user/.cache/logrotate/status

Executes the "mkdir" command used to create folders

Source: /sbin/resolvconf (PID: 3674)	Mkdir executable: /bin/mkdir -> mkdir -p /run/resolvconf/interface
Source: /bin/dash (PID: 3711)	Mkdir executable: /bin/mkdir -> mkdir -p /home/user/.cache/logrotate
Source: /bin/dash (PID: 3712)	Mkdir executable: /bin/mkdir -> mkdir -p /home/user/.cache/upstart

Executes the "mktemp" command used to create a temporary unique file name

Source: /bin/dash (PID: 3715)

Mktemp executable: /bin/mktemp -> mktemp

Executes the "rm" command used to delete files or directories

Source: /bin/dash (PID: 3840)

Rm executable: /bin/rm -> rm -f /tmp/tmp.d54CkEbiVw

Malware Analysis System Evasion:

Executes the "sleep" command used to delay execution and potentially evade sandboxes

Source: /bin/dash (PID: 3195)	Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3230)	Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3263)	Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3281)	Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3315)	Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3342)	Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3374)	Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3407)	Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3432)	Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3457)	Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3552)	Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3622)	Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3648)	Sleep executable: /bin/sleep -> sleep 1

Uses the "uname" system call to query kernel version information (possible evasion)

Source: /tmp/i (PID: 3482)	Queries kernel information via 'uname':
Source: /usr/share/apport/apport-gtk (PID: 3532)	Queries kernel information via 'uname':
Source: /usr/share/apport/apport-gtk (PID: 3579)	Queries kernel information via 'uname':

Screenshots

No Screenshots

Network Map

No contacted IP infos

ID:	321474
Product:	CloudBasic
Start time:	15:40:47
Start date:	22.11.2020
Sample:	i
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 59.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
Architecture:	LINUX
MD5:	a73ddd6ec22462db955439f665cad4e6
SHA1:	ac6962542a4b23ac13bddff22f8df9aeb702ef12
SHA256:	b5cf68c7cb5bb2d21d60bf6654926f61566d95bfd7c9f9e182d032f1da5b4605
Filetype:	ELF Executable and Linkable format (Linux) (4029/14) 50.16%

Name	Type	MD5	SHA1	SHA256
/home/user/.cache/logrotate/status.tmp	ASCII text	E834FBD4E7133101B91BBDB86D92EE4B	D6CEF16CF3986DB469A43503794A814B88F0C229	4D667654CF6955FAB1290616C5C3F34F78656C1499F0509CC4B5882CC724E69A
/home/user/.cache/upstart/dbus.log.1.gz	Sun Nov 22 14:40:52 2020, from Unix	F7D434449209A580CCAB65800AF42CDE	A2C05B5D8859F4CD2FC942FC83A4151356243483	B00A4566CCFEFE6A062B9B3D7CE3A734F5F16B60E2F7630501DD7722FA7B728C
/home/user/.cache/upstart/gnome-keyring-ssh.log.1.gz	Mon Jul 27 09:05:22 2020, from Unix	2B8D9549C00943FB9FFC73FD80E6AC1A	E6348E8BB25396F0542E7E74AE30AF03F48E237E	606AE477FACBE88A7BF8C1718AE0259E50487BB5F98B80F0E2895DD799BBE858
/home/user/.cache/upstart/gpg-agent.log.1.gz	Mon Jul 27 09:05:26 2020, from Unix	13A3054AF030A536BDA784F022481B4C	062CEC7C61E642887CE10970A7353066C4283DFD	0D9475D2511F0A2C555242326C2D4EB69E4456726BDDB84913B95EC59F8FDCF6
/home/user/.cache/upstart/ssh-agent.log.1.gz	Mon Jul 27 09:05:22 2020, from Unix	32CF70DC61DECD8DFBC64EB2F2529FAC	DAC70D15E4E11407299DC63AAA6774A2393C2316	5F46EF0AAB4AD28F5384537011EDB096F22592BE4EA83194C1A52A11ECAD51D5
/home/user/.cache/upstart/startxfce4.log.1.gz	Sun Nov 22 15:41:17 2020, from Unix	CCA8A4216E7E2572ED6C667BD34F12ED	6E44ADAFF251BBE1463C04C502F8471844F68BBB	D05AAAC162B5D605FB2EFDD3B30C01B461D68D0C4AD1BBDF3AB8042286C7A7E8
/home/user/.cache/upstart/update-notifier-release.log.1.gz	Mon Jul 27 09:05:22 2020, from Unix	6B9C8B79E6508C02BCACF1C11363D3BC	F450E69D5A258FCF4D89E7CDB1FBD7EEC5E19A77	735DFDFE533A05589BFDC9044627395F29312064CFBA09CCB60E010AEC692411
/home/user/.cache/upstart/upstart-event-bridge.log.1.gz	Mon Jul 27 09:05:22 2020, from Unix	1395D405968C76307CBA75C5DDC9CA19	C36CEE03E5DF12FBFB57A5EBCEAE329B41AFA1F7	33785027CEE82E878434593B532FE1DF25D46676379757272C1E15C9AADD3B1F
/tmp/tmp.d54CkEbiVw	ASCII text	46261223A62EF65D03C70F15EE935267	E9102D8808BA6E171405F1830BD7C6B8179C9BF2	DFECC8990014230F50FBAD269AD523A74D16CFB455065EC8D9041764D684C239
/var/crash/_usr_share_apport_apport-checkreports.1000.crash	ASCII text	37721ED2DA65464679FBFC9487F46687	74CBBCFB307759084261FA482B08562EBD30B936	84105540AAB974F2F675EAD2DD087F60FF197B5ED8CF1515541FF0C6BAD85F86
/var/crash/_usr_share_apport_apport-gtk.1000.crash	ASCII text	CD44385052AE289B22E22628D5084BF8	2F3A910CFF703B6F1F766BE925DE8303C92B1E45	C1665DE53FB2AB58ABA4F060AF6D714401419ECC894620272CD0D80D2199532D

Analysis Report i

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Malware Analysis System Evasion:

Screenshots

Network Map