Analysis Report bin.sh.1
Overview
General Information
| Field | Value |
|---|---|
| Sample Name | bin.sh.1 |
| Analysis ID | 327181 |
| MD5 | a73ddd6ec22462db955439f665cad4e6 |
| SHA1 | ac6962542a4b23ac13bddff22f8df9aeb702ef12 |
| SHA256 | b5cf68c7cb5bb2d21d60bf6654926f61566d95bfd7c9f9e182d032f1da5b4605 |
Detection
| Field | Value |
|---|---|
| Score | 60 |
| Range | 0 - 100 |
| Whitelisted | false |
Signatures
- Antivirus / Scanner detection for submitted sample
- Multi AV Scanner detection for submitted file
- Sample is packed with UPX
- Sample contains only a LOAD segment without any section mappings
- Uses the "uname" system call to query kernel version information (possible evasion)
- Yara signature match
Classification
Startup
Yara Overview

Initial Sample

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | SUSP_ELF_LNX_UPX_Compressed_File | Detects a suspicious ELF binary with UPX compression | Florian Roth | |
Signature Overview
AV Detection

- Antivirus / Scanner detection for submitted sample
  - Source: Avira
- Multi AV Scanner detection for submitted file
  - Source: Virustotal (perma link)
  - Source: Metadefender (perma link)
  - Source: ReversingLabs
- Source: String found in binary or memory
- Source: Program segment
- Source: Matched rule
- Source: Classification label

Data Obfuscation

- Sample is packed with UPX
  - Source: String containing UPX found
  - Source: String containing UPX found
  - Source: String containing UPX found
- Uses the "uname" system call to query kernel version information (possible evasion)
  - Source: Queries kernel information via 'uname'
  - Source: Queries kernel information via 'uname'
  - Source: Queries kernel information via 'uname'
Mitre Att&ck Matrix

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Windows Management Instrumentation | Path Interception | Path Interception | Obfuscated Files or Information (1) | OS Credential Dumping | Security Software Discovery (1) | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Behavior Graph
Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| | 64% | Virustotal | | Browse |
| | 18% | Metadefender | | Browse |
| | 59% | ReversingLabs | Linux.Trojan.Mirai | |
| | 100% | Avira | LINUX/Mirai.ccjqy | |

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches
Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| | | false | | high |

Contacted IPs

No contacted IP infos
General Information

| Field | Value |
|---|---|
| Joe Sandbox Version | 31.0.0 Red Diamond |
| Analysis ID | 327181 |
| Start date | 05.12.2020 |
| Start time | 00:10:39 |
| Joe Sandbox Product | CloudBasic |
| Overall analysis duration | 0h 4m 4s |
| Hypervisor based Inspection enabled | false |
| Report type | full |
| Sample file name | bin.sh.1 |
| Cookbook file name | defaultlinuxfilecookbook.jbs |
| Analysis system description | Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 59.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171) |
| Detection | MAL |
| Classification | mal60.evad.lin1@0/2@0/0 |
Runtime Messages

| Field | Value |
|---|---|
| Command | /tmp/bin.sh.1 |
| Exit Code | 133 |
| Exit Code Info | |
| Killed | False |
| Standard Output | |
| Standard Error | qemu: uncaught target signal 5 (Trace/breakpoint trap) - core dumped |
Joe Sandbox View / Context
Created / dropped Files

Process: /usr/share/apport/apport-checkreports

| Field | Value |
|---|---|
| File Type | |
| Category | dropped |
| Size (bytes) | 14915 |
| Entropy (8bit) | 4.688033282283168 |
| Encrypted | false |
| SSDEEP | 192:4aXr+sr+ev0wEpGyT1LT4oHuupkpKmUEfIPI2hbM:Zr+sr+evJO1LT4oDW6EQ4 |
| MD5 | 235DBFF95A59A846E5373C3B1C66E608 |
| SHA1 | F13A343E6225DCA43D5C1B93AFE4CDA51DEB42E7 |
| SHA-256 | 210509C9580F04055A9B8868C5C2E5FFE4EC0E22D7236A666B6B36B8552E1AC9 |
| SHA-512 | 1E9D5BD02DF001A81EB6340FC265CBB22C47E6CEF96C0237B75957432EEEB158A27F678445411EFAF1E12861ACA0BAF582F11852938407F44DCCC4ECA50D2A49 |
| Malicious | false |
| Reputation | low |
| Preview | |

Process: /usr/share/apport/apport-gtk

| Field | Value |
|---|---|
| File Type | |
| Category | dropped |
| Size (bytes) | 47094 |
| Entropy (8bit) | 4.5120674077760246 |
| Encrypted | false |
| SSDEEP | 384:7jcknsSSR4Fo3D/Z/g/5/7LneCArrLLzdSs1eOPz/zAcI+P+dzJNqAVbET7:PM/Z/g/5/+CArNSs1e8+dzJNqAVbo |
| MD5 | 999C5A9227F2288110CC8791816D4CD2 |
| SHA1 | F4525B7814BA6AEEC36401125D54635CA1617B6F |
| SHA-256 | A744B50BE7DF0F41AECDD66DEF80A973412331C19AFD55F3D6A34E6F814F6CDA |
| SHA-512 | 7EA59F41817DB36C6CB5567808B7D5E1351B0EA9564D2C029EDE2B10CC9B1A6A122C95C291204E23C8B2AD28AF71F8F727B361C6382FA801493947EA15DF690E |
| Malicious | false |
| Reputation | low |
| Preview | |
Static File Info

General

| Field | Value |
|---|---|
| File type | |
| Entropy (8bit) | 7.813637944981102 |
| TrID | |
| File name | bin.sh.1 |
| File size | 135472 |
| MD5 | a73ddd6ec22462db955439f665cad4e6 |
| SHA1 | ac6962542a4b23ac13bddff22f8df9aeb702ef12 |
| SHA256 | b5cf68c7cb5bb2d21d60bf6654926f61566d95bfd7c9f9e182d032f1da5b4605 |
| SHA512 | 92a52f68a7324c4d5876e1f7e2cb87d14b8604b057ceee2e537815568faa96abf576a22111c5c976eff72ab9015f1261b2331d4b4d711f4e62c8eb403c2377aa |
| SSDEEP | 3072:2glZ3FtCKXhkmHtZ9TEKzjfj/WMngyIfsJ0F7xPtoM:2IIKXhZtL7jOTyIG87Xl |
| File Content Preview | .ELF.....................B.x...4.........4. ...(.............@...@...........................C...C...................*.*UPX!.X.....................]....\|.$..ELF..........@.`....4...p... ...(......<...@......[v......H...`.t/._...dt.Q.....].M........P...... |
Static ELF Info

ELF header

| Field | Value |
|---|---|
| Class | |
| Data | |
| Version | |
| Machine | |
| Version Number | |
| Type | |
| OS/ABI | |
| ABI Version | |
| Entry Point Address | |
| Flags | |
| ELF Header Size | |
| Program Header Offset | |
| Program Header Size | |
| Number of Program Headers | |
| Section Header Offset | |
| Section Header Size | |
| Number of Section Headers | |
| Header String Table Index | |

Program Segments

| Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Flags | Flags Description | Align | Prog Interpreter | Section Mappings |
|---|---|---|---|---|---|---|---|---|---|---|
| LOAD | 0x0 | 0x400000 | 0x400000 | 0x20fc2 | 0x20fc2 | 0x5 | R E | 0x10000 | | |
| LOAD | 0x0 | 0x430000 | 0x430000 | 0x0 | 0x91f18 | 0x6 | RW | 0x10000 | | |
Network Behavior

No network behavior found
System Behavior

General (one row per started process, in the order the report lists them)

| Start time | Start date | Path | Arguments | File size | MD5 hash |
|---|---|---|---|---|---|
| 00:11:08 | 05/12/2020 | /tmp/bin.sh.1 | /usr/bin/qemu-mips /tmp/bin.sh.1 | 135472 bytes | a73ddd6ec22462db955439f665cad4e6 |
| 00:11:08 | 05/12/2020 | /sbin/upstart | n/a | 0 bytes | 00000000000000000000000000000000 |
| 00:11:08 | 05/12/2020 | /bin/sh | /bin/sh -e /proc/self/fd/9 | 4 bytes | e02ea3c3450d44126c46d658fa9e654c |
| 00:11:08 | 05/12/2020 | /bin/sh | n/a | 4 bytes | e02ea3c3450d44126c46d658fa9e654c |
| 00:11:08 | 05/12/2020 | /bin/date | date | 68464 bytes | 54903b613f9019bfca9f5d28a4fff34e |
| 00:11:08 | 05/12/2020 | /bin/sh | n/a | 4 bytes | e02ea3c3450d44126c46d658fa9e654c |
| 00:11:08 | 05/12/2020 | /usr/share/apport/apport-checkreports | /usr/bin/python3 /usr/share/apport/apport-checkreports --system | 1269 bytes | 1a7d84ebc34df04e55ca3723541f48c9 |
| 00:11:08 | 05/12/2020 | /sbin/upstart | n/a | 0 bytes | 00000000000000000000000000000000 |
| 00:11:08 | 05/12/2020 | /bin/sh | /bin/sh -e /proc/self/fd/9 | 4 bytes | e02ea3c3450d44126c46d658fa9e654c |
| 00:11:08 | 05/12/2020 | /bin/sh | n/a | 4 bytes | e02ea3c3450d44126c46d658fa9e654c |
| 00:11:08 | 05/12/2020 | /bin/date | date | 68464 bytes | 54903b613f9019bfca9f5d28a4fff34e |
| 00:11:08 | 05/12/2020 | /bin/sh | n/a | 4 bytes | e02ea3c3450d44126c46d658fa9e654c |
| 00:11:08 | 05/12/2020 | /usr/share/apport/apport-gtk | /usr/bin/python3 /usr/share/apport/apport-gtk | 23806 bytes | ec58a49a30ef6a29406a204f28cc7d87 |
| 00:11:08 | 05/12/2020 | /sbin/upstart | n/a | 0 bytes | 00000000000000000000000000000000 |
| 00:11:08 | 05/12/2020 | /bin/sh | /bin/sh -e /proc/self/fd/9 | 4 bytes | e02ea3c3450d44126c46d658fa9e654c |
| 00:11:08 | 05/12/2020 | /bin/sh | n/a | 4 bytes | e02ea3c3450d44126c46d658fa9e654c |
| 00:11:08 | 05/12/2020 | /bin/date | date | 68464 bytes | 54903b613f9019bfca9f5d28a4fff34e |
| 00:11:08 | 05/12/2020 | /bin/sh | n/a | 4 bytes | e02ea3c3450d44126c46d658fa9e654c |
| 00:11:08 | 05/12/2020 | /usr/share/apport/apport-gtk | /usr/bin/python3 /usr/share/apport/apport-gtk | 23806 bytes | ec58a49a30ef6a29406a204f28cc7d87 |