Analysis Report Mozi.m

Overview

General Information

Sample Name:	Mozi.m
Analysis ID:	337641
MD5:	59ce0baba11893f90527fc951ac69912
SHA1:	5857a7dd621c4c3ebb0b5a3bec915d409f70d39f
SHA256:	4293c1d8574dc87c58360d6bac3daa182f64f7785c9d41da5e0741d2b1817fc7

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Sample is packed with UPX

Sample contains only a LOAD segment without any section mappings

Uses the "uname" system call to query kernel version information (possible evasion)

Yara signature match

Classification

Signatures

AV Detection:

Antivirus / Scanner detection for submitted sample

Source: Mozi.m

Avira: detected

Multi AV Scanner detection for submitted file

Source: Mozi.m	Virustotal: Detection: 57%			Perma Link
Source: Mozi.m	ReversingLabs: Detection: 65%

Source: Mozi.m

String found in binary or memory: http://upx.sf.net

System Summary:

Sample contains only a LOAD segment without any section mappings

Source: LOAD without section mappings

Program segment: 0x400000

Yara signature match

Source: Mozi.m, type: SAMPLE

Matched rule: SUSP_ELF_LNX_UPX_Compressed_File date = 2018-12-12, author = Florian Roth, description = Detects a suspicious ELF binary with UPX compression, reference = Internal Research, score = 038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4

Source: classification engine

Classification label: mal60.evad.linM@0/2@0/0

Data Obfuscation:

Sample is packed with UPX

Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Id: UPX 3.95 Copyright (C) 1996-2018 the UPX Team. All Rights Reserved. $

Malware Analysis System Evasion:

Uses the "uname" system call to query kernel version information (possible evasion)

Source: /tmp/Mozi.m (PID: 4562)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/share/apport/apport-gtk (PID: 4618)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/share/apport/apport-gtk (PID: 4641)	Queries kernel information via 'uname':	Jump to behavior

Screenshots

No Screenshots

Network Map

No contacted IP infos

ID:	337641
Product:	CloudBasic
Start time:	00:45:57
Start date:	09.01.2021
Sample:	Mozi.m
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 59.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
Architecture:	LINUX
MD5:	59ce0baba11893f90527fc951ac69912
SHA1:	5857a7dd621c4c3ebb0b5a3bec915d409f70d39f
SHA256:	4293c1d8574dc87c58360d6bac3daa182f64f7785c9d41da5e0741d2b1817fc7
Filetype:	ELF Executable and Linkable format (Linux) (4029/14) 50.16%

Name	Type	MD5	SHA1	SHA256
/var/crash/_usr_share_apport_apport-checkreports.1000.crash	ASCII text	E33FF96345C09078D2C34698E54DB20E	D4173FAC622B564956EC584B3B1F3B04F58F93C6	BA04C8CD364737CE5A20454ABDF719F0333857B47777B18029846BED36C72D96
/var/crash/_usr_share_apport_apport-gtk.1000.crash	ASCII text	1D42EB982A5DA0526C3466D53C85368A	826061E42CE45136B609038CE73A6B7F34F2F2D4	8E8F7DF9BFDA98C7F10ACFBA013BF5A316B4094547D1531293E87D88B3AA9C0A

Analysis Report Mozi.m

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Networking:

System Summary:

Data Obfuscation:

Malware Analysis System Evasion:

Screenshots

Network Map