Analysis Report nsu

Overview

General Information

Sample Name: nsu
Analysis ID: 324350
MD5: 856d3c4cd13172355643638458e72f39
SHA1: 8f8a112aecddc2fbef07f989dca48862b70b0628
SHA256: b1047a2a9faf9e080c8cc8422fdb2ec4fd087963b597378903d2ebb8f24372dd

Detection

Score: 4
Range: 0 - 100
Whitelisted: false

Signatures

Creates hidden files and/or directories
Executes the "grep" command used to find patterns in files or piped streams
Executes the "mkdir" command used to create folders
Executes the "mktemp" command used to create a temporary unique file name
Executes the "rm" command used to delete files or directories
Executes the "sleep" command used to delay execution and potentially evade sandboxes
Sample contains strings that are potentially command strings
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

System Summary:

Sample contains strings that are potentially command strings
Source: Initial sample Potential command found: status == __codecvt_partial
Source: Initial sample Potential command found: status == __codecvt_partial_IO_wfile_underflowwfileops.c,ccs=fcts.tomb_nsteps == 1_IO_new_file_fopenfcts.towc_nsteps == 1TRIM_THRESHOLD_MMAP_THRESHOLD_MMAP_MAX_TOP_PAD_malloc: top chunk is corrupt
Source: Initial sample Potential command found: status == __GCONV_OK || status == __GCONV_EMPTY_INPUT || status == __GCONV_ILLEGAL_INPUT || status == __GCONV_INCOMPLETE_INPUT || status == __GCONV_FULL_OUTPUT
Source: Initial sample Potential command found: file too short
Source: Initial sample Potential command found: find library=%s; searching
Sample has stripped symbol table
Source: ELF static info symbol of initial sample .symtab present: no
Source: classification engine Classification label: clean4.lin@0/9@0/0

Persistence and Installation Behavior:

Creates hidden files and/or directories
Source: /bin/mkdir (PID: 3652) Directory: .cache
Source: /bin/mkdir (PID: 3653) Directory: .cache
Executes the "grep" command used to find patterns in files or piped streams
Source: /bin/egrep (PID: 3654) Grep executable: /bin/grep -> grep -E [^[:print:]] /home/user/.cache/logrotate/status
Executes the "mkdir" command used to create folders
Source: /sbin/resolvconf (PID: 3613) Mkdir executable: /bin/mkdir -> mkdir -p /run/resolvconf/interface
Source: /bin/dash (PID: 3652) Mkdir executable: /bin/mkdir -> mkdir -p /home/user/.cache/logrotate
Source: /bin/dash (PID: 3653) Mkdir executable: /bin/mkdir -> mkdir -p /home/user/.cache/upstart
Executes the "mktemp" command used to create a temporary unique file name
Source: /bin/dash (PID: 3689) Mktemp executable: /bin/mktemp -> mktemp
Executes the "rm" command used to delete files or directories
Source: /bin/dash (PID: 3787) Rm executable: /bin/rm -> rm -f /tmp/tmp.zmF3WJPRCX

Malware Analysis System Evasion:

Executes the "sleep" command used to delay execution and potentially evade sandboxes
Source: /bin/dash (PID: 3198) Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3221) Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3258) Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3277) Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3306) Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3338) Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3370) Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3403) Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3427) Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3454) Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3492) Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3535) Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3558) Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3576) Sleep executable: /bin/sleep -> sleep 1
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/nsu (PID: 3479) Queries kernel information via 'uname':

No Screenshots

No contacted IP information