Analysis Report Mozi.m

Overview

General Information

Sample Name:	Mozi.m
Analysis ID:	323091
MD5:	fbe51695e97a45dc61967dc3241a37dc
SHA1:	1ed14334b5b71783cd6ec14b8a704fe48e600cf0
SHA256:	2e4506802aedea2e6d53910dfb296323be6620ac08c4b799a879eace5923a7b6

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Sample is packed with UPX

Creates hidden files and/or directories

Executes the "grep" command used to find patterns in files or piped streams

Executes the "mkdir" command used to create folders

Executes the "mktemp" command used to create a temporary unique file name

Executes the "rm" command used to delete files or directories

Executes the "sleep" command used to delay execution and potentially evade sandboxes

Sample contains only a LOAD segment without any section mappings

Uses the "uname" system call to query kernel version information (possible evasion)

Yara signature match

Classification

Signatures

AV Detection:

Antivirus / Scanner detection for submitted sample

Source: Mozi.m

Avira: detected

Multi AV Scanner detection for submitted file

Source: Mozi.m	Virustotal: Detection: 62%	Perma Link
Source: Mozi.m	Metadefender: Detection: 39%	Perma Link
Source: Mozi.m	ReversingLabs: Detection: 58%

Source: Mozi.m

String found in binary or memory: http://upx.sf.net

System Summary:

Sample contains only a LOAD segment without any section mappings

Source: LOAD without section mappings

Program segment: 0x400000

Yara signature match

Source: Mozi.m, type: SAMPLE

Matched rule: SUSP_ELF_LNX_UPX_Compressed_File date = 2018-12-12, author = Florian Roth, description = Detects a suspicious ELF binary with UPX compression, reference = Internal Research, score = 038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4

Source: classification engine

Classification label: mal60.evad.linM@0/11@0/0

Data Obfuscation:

Sample is packed with UPX

Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Id: UPX 3.95 Copyright (C) 1996-2018 the UPX Team. All Rights Reserved. $

Persistence and Installation Behavior:

Creates hidden files and/or directories

Source: /bin/mkdir (PID: 3734)	Directory: .cache
Source: /bin/mkdir (PID: 3735)	Directory: .cache

Executes the "grep" command used to find patterns in files or piped streams

Source: /bin/egrep (PID: 3737)

Grep executable: /bin/grep -> grep -E [^[:print:]] /home/user/.cache/logrotate/status

Executes the "mkdir" command used to create folders

Source: /sbin/resolvconf (PID: 3685)	Mkdir executable: /bin/mkdir -> mkdir -p /run/resolvconf/interface
Source: /bin/dash (PID: 3734)	Mkdir executable: /bin/mkdir -> mkdir -p /home/user/.cache/logrotate
Source: /bin/dash (PID: 3735)	Mkdir executable: /bin/mkdir -> mkdir -p /home/user/.cache/upstart

Executes the "mktemp" command used to create a temporary unique file name

Source: /bin/dash (PID: 3785)

Mktemp executable: /bin/mktemp -> mktemp

Executes the "rm" command used to delete files or directories

Source: /bin/dash (PID: 3871)

Rm executable: /bin/rm -> rm -f /tmp/tmp.krni3EbUJS

Malware Analysis System Evasion:

Executes the "sleep" command used to delay execution and potentially evade sandboxes

Source: /bin/dash (PID: 3198)	Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3220)	Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3248)	Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3278)	Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3304)	Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3346)	Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3372)	Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3401)	Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3416)	Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3456)	Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3574)	Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3602)	Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3630)	Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3663)	Sleep executable: /bin/sleep -> sleep 1

Uses the "uname" system call to query kernel version information (possible evasion)

Source: /tmp/Mozi.m (PID: 3472)	Queries kernel information via 'uname':
Source: /usr/share/apport/apport-gtk (PID: 3527)	Queries kernel information via 'uname':
Source: /usr/share/apport/apport-gtk (PID: 3546)	Queries kernel information via 'uname':

Screenshots

No Screenshots

Network Map

No contacted IP infos

ID:	323091
Product:	CloudBasic
Start time:	10:19:59
Start date:	26.11.2020
Sample:	Mozi.m
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 59.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
Architecture:	LINUX
MD5:	fbe51695e97a45dc61967dc3241a37dc
SHA1:	1ed14334b5b71783cd6ec14b8a704fe48e600cf0
SHA256:	2e4506802aedea2e6d53910dfb296323be6620ac08c4b799a879eace5923a7b6
Filetype:	ELF Executable and Linkable format (Linux) (4029/14) 50.16%

Name	Type	MD5	SHA1	SHA256
/home/user/.cache/logrotate/status.tmp	ASCII text	70B6484DEC8D48F9661CDFFF1E336700	4F542473AF66E6F700B7D10BAB17554A911898AE	0708166FBC346B7BFB4DCE7643B6E2B79E38FF4AED39BEE077C0A8C25A47DB24
/home/user/.cache/upstart/dbus.log.1.gz	Thu Nov 26 09:20:04 2020, from Unix	8D140284503EE0CB68F2DDEFE438E1CC	2D7978E5943C27F8D46AB7BFCF9E1A3FA77AE623	A0430C64515E15D89DEF76DAE5FDEBB07B6F4A7E6BA23E59F2ECB62BA397EC00
/home/user/.cache/upstart/gnome-keyring-ssh.log.1.gz	Mon Jul 27 09:05:22 2020, from Unix	2B8D9549C00943FB9FFC73FD80E6AC1A	E6348E8BB25396F0542E7E74AE30AF03F48E237E	606AE477FACBE88A7BF8C1718AE0259E50487BB5F98B80F0E2895DD799BBE858
/home/user/.cache/upstart/gpg-agent.log.1.gz	Mon Jul 27 09:05:26 2020, from Unix	13A3054AF030A536BDA784F022481B4C	062CEC7C61E642887CE10970A7353066C4283DFD	0D9475D2511F0A2C555242326C2D4EB69E4456726BDDB84913B95EC59F8FDCF6
/home/user/.cache/upstart/ssh-agent.log.1.gz	Mon Jul 27 09:05:22 2020, from Unix	32CF70DC61DECD8DFBC64EB2F2529FAC	DAC70D15E4E11407299DC63AAA6774A2393C2316	5F46EF0AAB4AD28F5384537011EDB096F22592BE4EA83194C1A52A11ECAD51D5
/home/user/.cache/upstart/startxfce4.log.1.gz	Thu Nov 26 10:20:28 2020, from Unix	1616762E572B166004B19A4132E6FD69	F2121F5A2784A362A18EEBD61A8C8BBC97A54B28	8B82466F1F45A8A46A9F1308D399DA1ED66D8E37566DA268B081277F306A6DA0
/home/user/.cache/upstart/update-notifier-release.log.1.gz	Mon Jul 27 09:05:22 2020, from Unix	6B9C8B79E6508C02BCACF1C11363D3BC	F450E69D5A258FCF4D89E7CDB1FBD7EEC5E19A77	735DFDFE533A05589BFDC9044627395F29312064CFBA09CCB60E010AEC692411
/home/user/.cache/upstart/upstart-event-bridge.log.1.gz	Mon Jul 27 09:05:22 2020, from Unix	1395D405968C76307CBA75C5DDC9CA19	C36CEE03E5DF12FBFB57A5EBCEAE329B41AFA1F7	33785027CEE82E878434593B532FE1DF25D46676379757272C1E15C9AADD3B1F
/tmp/tmp.krni3EbUJS	ASCII text	46261223A62EF65D03C70F15EE935267	E9102D8808BA6E171405F1830BD7C6B8179C9BF2	DFECC8990014230F50FBAD269AD523A74D16CFB455065EC8D9041764D684C239
/var/crash/_usr_share_apport_apport-checkreports.1000.crash	ASCII text	D87E3CEF148E96E369CBBFB92740737D	7E7E166F26541F695FB5BD00B49EA751784F1910	0CB7934CADF4D31781B1CDE3A3122DB36D4BE3CF4181DED66A736C750E248B90
/var/crash/_usr_share_apport_apport-gtk.1000.crash	ASCII text	DB041CAB433D7C346A0F1E43AD66A1A1	1299AAF824842E39650F51A58B02B9ABF054E8D1	C71743402153E39E193538283D62E7FE49C51C7FD4EF3EF62116011A5949BBCE

Analysis Report Mozi.m

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Malware Analysis System Evasion:

Screenshots

Network Map