Analysis Report Mozi.m

Overview

General Information

Sample Name:	Mozi.m
Analysis ID:	384609
MD5:	fbe51695e97a45dc61967dc3241a37dc
SHA1:	1ed14334b5b71783cd6ec14b8a704fe48e600cf0
SHA256:	2e4506802aedea2e6d53910dfb296323be6620ac08c4b799a879eace5923a7b6
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Sample is packed with UPX

Sample contains only a LOAD segment without any section mappings

Uses the "uname" system call to query kernel version information (possible evasion)

Yara signature match

Classification

Signatures

AV Detection:

Antivirus / Scanner detection for submitted sample

Source: Mozi.m

Avira: detected

Multi AV Scanner detection for submitted file

Source: Mozi.m	Virustotal: Detection: 58%	Perma Link
Source: Mozi.m	Metadefender: Detection: 39%	Perma Link
Source: Mozi.m	ReversingLabs: Detection: 66%

Source: Mozi.m

String found in binary or memory: http://upx.sf.net

System Summary:

Sample contains only a LOAD segment without any section mappings

Source: LOAD without section mappings

Program segment: 0x400000

Yara signature match

Source: Mozi.m, type: SAMPLE

Matched rule: SUSP_ELF_LNX_UPX_Compressed_File date = 2018-12-12, author = Florian Roth, description = Detects a suspicious ELF binary with UPX compression, reference = Internal Research, score = 038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4

Source: classification engine

Classification label: mal60.evad.linM@0/2@0/0

Data Obfuscation:

Sample is packed with UPX

Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Id: UPX 3.95 Copyright (C) 1996-2018 the UPX Team. All Rights Reserved. $

Malware Analysis System Evasion:

Uses the "uname" system call to query kernel version information (possible evasion)

Source: /tmp/Mozi.m (PID: 4581)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/share/apport/apport-gtk (PID: 4627)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/share/apport/apport-gtk (PID: 4655)	Queries kernel information via 'uname':	Jump to behavior

Screenshots

No Screenshots

Network Map

No contacted IP infos

ID:	384609
Product:	CloudBasic
Start time:	14:30:34
Start date:	09.04.2021
Sample:	Mozi.m
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 59.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
Architecture:	LINUX
MD5:	fbe51695e97a45dc61967dc3241a37dc
SHA1:	1ed14334b5b71783cd6ec14b8a704fe48e600cf0
SHA256:	2e4506802aedea2e6d53910dfb296323be6620ac08c4b799a879eace5923a7b6
Filetype:	ELF Executable and Linkable format (Linux) (4029/14) 50.16%

Name	Type	MD5	SHA1	SHA256
/var/crash/_usr_share_apport_apport-checkreports.1000.crash	ASCII text	A34A2946F7A3A056EB218AA265B867E8	2BA920A691FA0754C789039714A7A34894551E83	144823131B1D8BFCF5E44D1A9921EE1B6D00A9C9DC2D3F653227566C33F2B192
/var/crash/_usr_share_apport_apport-gtk.1000.crash	ASCII text	2A68E710E17B3E374226B54BFFDF8227	B2FCCD7B82F5299796A55C33956AEF65206CD6A3	3114009B0AD73EFA8CB19B753216335CD7BAB944D5EF8BCBF89EDD42C62FCADA

Analysis Report Mozi.m

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Networking:

System Summary:

Data Obfuscation:

Malware Analysis System Evasion:

Screenshots

Network Map