
Analysis Report 05p4kVOZ5q

Overview

General Information

Sample Name:05p4kVOZ5q
Analysis ID:397471
MD5:fbe51695e97a45dc61967dc3241a37dc
SHA1:1ed14334b5b71783cd6ec14b8a704fe48e600cf0
SHA256:2e4506802aedea2e6d53910dfb296323be6620ac08c4b799a879eace5923a7b6
Detection

Score:60
Range:0 - 100
Whitelisted:false

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Sample is packed with UPX
Sample contains only a LOAD segment without any section mappings
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

Startup

  • system is lnxubuntu1
  • 05p4kVOZ5q (PID: 4558, Parent: 4498, MD5: fbe51695e97a45dc61967dc3241a37dc) Arguments: /usr/bin/qemu-mips /tmp/05p4kVOZ5q
  • upstart New Fork (PID: 4577, Parent: 3310)
  • sh (PID: 4577, Parent: 3310, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -e /proc/self/fd/9
    • sh New Fork (PID: 4578, Parent: 4577)
    • date (PID: 4578, Parent: 4577, MD5: 54903b613f9019bfca9f5d28a4fff34e) Arguments: date
    • sh New Fork (PID: 4579, Parent: 4577)
    • apport-checkreports (PID: 4579, Parent: 4577, MD5: 1a7d84ebc34df04e55ca3723541f48c9) Arguments: /usr/bin/python3 /usr/share/apport/apport-checkreports --system
  • upstart New Fork (PID: 4604, Parent: 3310)
  • sh (PID: 4604, Parent: 3310, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -e /proc/self/fd/9
    • sh New Fork (PID: 4605, Parent: 4604)
    • date (PID: 4605, Parent: 4604, MD5: 54903b613f9019bfca9f5d28a4fff34e) Arguments: date
    • sh New Fork (PID: 4614, Parent: 4604)
    • apport-gtk (PID: 4614, Parent: 4604, MD5: ec58a49a30ef6a29406a204f28cc7d87) Arguments: /usr/bin/python3 /usr/share/apport/apport-gtk
  • upstart New Fork (PID: 4631, Parent: 3310)
  • sh (PID: 4631, Parent: 3310, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -e /proc/self/fd/9
    • sh New Fork (PID: 4632, Parent: 4631)
    • date (PID: 4632, Parent: 4631, MD5: 54903b613f9019bfca9f5d28a4fff34e) Arguments: date
    • sh New Fork (PID: 4633, Parent: 4631)
    • apport-gtk (PID: 4633, Parent: 4631, MD5: ec58a49a30ef6a29406a204f28cc7d87) Arguments: /usr/bin/python3 /usr/share/apport/apport-gtk
  • cleanup

Yara Overview

Initial Sample

Source: 05p4kVOZ5q
Rule: SUSP_ELF_LNX_UPX_Compressed_File
Description: Detects a suspicious ELF binary with UPX compression
Author: Florian Roth
Strings:
  • 0x1fce8:$s1: PROT_EXEC|PROT_WRITE failed.
  • 0x1fd57:$s2: $Id: UPX
  • 0x1fd08:$s3: $Info: This file is packed with the UPX executable packer

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: 05p4kVOZ5q; Avira: detected
Multi AV Scanner detection for submitted file
Source: 05p4kVOZ5q; Virustotal: Detection: 59%
Source: 05p4kVOZ5q; Metadefender: Detection: 39%
Source: 05p4kVOZ5q; ReversingLabs: Detection: 66%
Source: 05p4kVOZ5q; String found in binary or memory: http://upx.sf.net
Source: LOAD without section mappings; Program segment: 0x400000
Source: 05p4kVOZ5q, type: SAMPLE; Matched rule: SUSP_ELF_LNX_UPX_Compressed_File date = 2018-12-12, author = Florian Roth, description = Detects a suspicious ELF binary with UPX compression, reference = Internal Research, score = 038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4
Source: classification engine; Classification label: mal60.evad.lin@0/2@0/0

Data Obfuscation:

Sample is packed with UPX
Source: initial sample; String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample; String containing UPX found: $Id: UPX 3.95 Copyright (C) 1996-2018 the UPX Team. All Rights Reserved. $
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/05p4kVOZ5q (PID: 4558); Queries kernel information via 'uname'
Source: /usr/share/apport/apport-gtk (PID: 4614); Queries kernel information via 'uname'
Source: /usr/share/apport/apport-gtk (PID: 4633); Queries kernel information via 'uname'

Mitre Att&ck Matrix

Tactic: Technique (number of matched signatures, where any)

  • Initial Access: Valid Accounts
  • Execution: Windows Management Instrumentation
  • Persistence: Path Interception
  • Privilege Escalation: Path Interception
  • Defense Evasion: Obfuscated Files or Information (1)
  • Credential Access: OS Credential Dumping
  • Discovery: Security Software Discovery (1)
  • Lateral Movement: Remote Services
  • Collection: Data from Local System
  • Exfiltration: Exfiltration Over Other Network Medium
  • Command and Control: Data Obfuscation
  • Network Effects: Eavesdrop on Insecure Network Communication
  • Remote Service Effects: Remotely Track Device Without Authorization
  • Impact: Modify System Partition

Behavior Graph

[Behavior graph omitted. Behavior Graph ID: 397471, Sample: 05p4kVOZ5q, Start date: 25/04/2021, Architecture: LINUX, Score: 60. The graph carries the three signature nodes "Antivirus / Scanner detection for submitted sample", "Multi AV Scanner detection for submitted file" and "Sample is packed with UPX", plus the process tree already listed under Startup: 05p4kVOZ5q and three upstart sh instances started, each sh then starting date and either apport-checkreports or apport-gtk.]

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source: 05p4kVOZ5q
  • Virustotal: 59% detection
  • Metadefender: 42% detection
  • ReversingLabs: 67% detection, label Linux.Trojan.Mirai
  • Avira: 100% detection, label LINUX/Mirai.souoo

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name: http://upx.sf.net
Source: 05p4kVOZ5q
Malicious: false
Antivirus Detection: none
Reputation: high

    Contacted IPs

    No contacted IP infos

    General Information

    Joe Sandbox Version:31.0.0 Emerald
    Analysis ID:397471
    Start date:25.04.2021
    Start time:21:19:34
    Joe Sandbox Product:CloudBasic
    Overall analysis duration:0h 4m 29s
    Hypervisor based Inspection enabled:false
    Report type:full
    Sample file name:05p4kVOZ5q
    Cookbook file name:defaultlinuxfilecookbook.jbs
    Analysis system description:Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 59.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
    Analysis Mode:default
    Detection:MAL
    Classification:mal60.evad.lin@0/2@0/0


    Runtime Messages

    Command:/tmp/05p4kVOZ5q
    Exit Code:133
    Exit Code Info:
    Killed:False
    Standard Output:

    Standard Error:qemu: uncaught target signal 5 (Trace/breakpoint trap) - core dumped

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    No context

    ASN

    No context

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    /var/crash/_usr_share_apport_apport-checkreports.1000.crash
    Process:/usr/share/apport/apport-checkreports
    File Type:ASCII text
    Category:dropped
    Size (bytes):14915
    Entropy (8bit):4.618006894114143
    Encrypted:false
    SSDEEP:96:wKPRoNUTw87floxrolndVkpprfL06s6xDJB4b4NGmOmvPVTocXWuhEU8FDRoMPIM:wINoxrol6rTOv4PxNE3RtPIRhbM
    MD5:05ED42C34176C5691594970D77745279
    SHA1:EEF54928D4DB6BB1A63425943D0ECE4708C754F4
    SHA-256:E5F018701F6DE721EE81E820C9AAAF0A03D5C11EE49D88CBA322A34FF9661C79
    SHA-512:E46284862059101A4620968877A3555FC6B7ECF2D513183BCAC47CA584F696E23619A2D71CE899AA2342459A660D267725DAC814351FA906E265086E43138626
    Malicious:false
    Reputation:low
    Preview: ProblemType: Crash.Date: Sun Apr 25 23:20:04 2021.ExecutablePath: /usr/share/apport/apport-checkreports.ExecutableTimestamp: 1514927430.InterpreterPath: /usr/bin/python3.5.ProcCmdline: /usr/bin/python3 /usr/share/apport/apport-checkreports --system.ProcCwd: /home/user.ProcEnviron:. LANGUAGE=en_US. PATH=(custom, user). XDG_RUNTIME_DIR=<set>. LANG=en_US.UTF-8. SHELL=/bin/bash.ProcMaps:. 00400000-007a9000 r-xp 00000000 fc:00 217 /usr/bin/python3.5. 009a9000-009ab000 r--p 003a9000 fc:00 217 /usr/bin/python3.5. 009ab000-00a42000 rw-p 003ab000 fc:00 217 /usr/bin/python3.5. 00a42000-00a73000 rw-p 00000000 00:00 0 . 00b3c000-00e98000 rw-p 00000000 00:00 0 [heap]. 7fc0067a1000-7fc006922000 rw-p 00000000 00:00 0 . 7fc006922000-7fc006939000 r-xp 00000000 fc:00 2382 /usr/lib/x86_64-linux-gnu/liblz4.so.1.7.1. 7fc006939000-7fc006b38000 ---p 00017000 fc:0
    /var/crash/_usr_share_apport_apport-gtk.1000.crash
    Process:/usr/share/apport/apport-gtk
    File Type:ASCII text
    Category:dropped
    Size (bytes):47094
    Entropy (8bit):4.516228048997024
    Encrypted:false
    SSDEEP:384:RQ9C45OFxeiyAyZJc/e/h/l/n9sXLrpB7vO0pcnI+YmN3xpyhAwV5qRyUewETVs:Rz/e/h/l/gLrpn+YRAwV5WyUew5
    MD5:08710DD6AE07674CD115C421C353970C
    SHA1:462593A17CCDCAEE4EC667849BE79C2A0C37C6FC
    SHA-256:679E16B573F20A5294E3092583D03DBB3B80D5D1806594BBDB24FFE2E09C9120
    SHA-512:50090A9E15BF5B1C46E7DECE5B16CF17F6B6ECBFEC09AB11F31AE177F7D9772468BD82D1AF6ACBC470D729DB383A60CC62465ACFFDBA56C753CBD95261E6A496
    Malicious:false
    Reputation:low
    Preview: ProblemType: Crash.Date: Sun Apr 25 23:20:04 2021.ExecutablePath: /usr/share/apport/apport-gtk.ExecutableTimestamp: 1514927430.InterpreterPath: /usr/bin/python3.5.ProcCmdline: /usr/bin/python3 /usr/share/apport/apport-gtk.ProcCwd: /home/user.ProcEnviron:. LANGUAGE=en_US. PATH=(custom, user). XDG_RUNTIME_DIR=<set>. LANG=en_US.UTF-8. SHELL=/bin/bash.ProcMaps:. 00400000-007a9000 r-xp 00000000 fc:00 217 /usr/bin/python3.5. 009a9000-009ab000 r--p 003a9000 fc:00 217 /usr/bin/python3.5. 009ab000-00a42000 rw-p 003ab000 fc:00 217 /usr/bin/python3.5. 00a42000-00a73000 rw-p 00000000 00:00 0 . 00de3000-01304000 rw-p 00000000 00:00 0 [heap]. 7f6e44262000-7f6e44362000 rw-p 00000000 00:00 0 . 7f6e44362000-7f6e44379000 r-xp 00000000 fc:00 2382 /usr/lib/x86_64-linux-gnu/liblz4.so.1.7.1. 7f6e44379000-7f6e44578000 ---p 00017000 fc:00 2382

    Static File Info

    General

    File type:ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
    Entropy (8bit):7.813753507680382
    TrID:
    • ELF Executable and Linkable format (Linux) (4029/14) 50.16%
    • ELF Executable and Linkable format (generic) (4004/1) 49.84%
    File name:05p4kVOZ5q
    File size:132876
    MD5:fbe51695e97a45dc61967dc3241a37dc
    SHA1:1ed14334b5b71783cd6ec14b8a704fe48e600cf0
    SHA256:2e4506802aedea2e6d53910dfb296323be6620ac08c4b799a879eace5923a7b6
    SHA512:c35eab56ba59beb2ec2b362e4d1aae734fadc2d9db1d720439337dcade13ec9c7b68da9d03821efc7277abaf9bace342ff35593373e04c67327d5f7db460ad8a
    SSDEEP:3072:/TNVO/QJHZcfFj4rwLQGTNO5VZLwHm7vuQTpZUyY6cot:7O/QJHZweEL/NOjCHm7FZZncI
    File Content Preview:.ELF.....................A.h...4.........4. ...(.............@...@...........................C...C...................*.*UPX!.X.....................\....|.$..ELF..........@.`....4..^h... ...(......<...@......ll.....H.W.`.t.d....dt.Q.....].M............6...

    Static ELF Info

    ELF header

    Class:ELF32
    Data:2's complement, big endian
    Version:1 (current)
    Machine:MIPS R3000
    Version Number:0x1
    Type:EXEC (Executable file)
    OS/ABI:UNIX - System V
    ABI Version:0
    Entry Point Address:0x41fb68
    Flags:0x1007
    ELF Header Size:52
    Program Header Offset:52
    Program Header Size:32
    Number of Program Headers:2
    Section Header Offset:0
    Section Header Size:40
    Number of Section Headers:0
    Header String Table Index:0

    Program Segments

Segment 1
    Type: LOAD
    Offset: 0x0
    Virtual Address: 0x400000
    Physical Address: 0x400000
    File Size: 0x205b2
    Memory Size: 0x205b2
    Flags: 0x5 (R E)
    Align: 0x10000
    Prog Interpreter: none
    Section Mappings: none

    Segment 2
    Type: LOAD
    Offset: 0x0
    Virtual Address: 0x430000
    Physical Address: 0x430000
    File Size: 0x0
    Memory Size: 0x8ac18
    Flags: 0x6 (RW)
    Align: 0x10000
    Prog Interpreter: none
    Section Mappings: none

    Network Behavior

    No network behavior found

    System Behavior

    General

    Start time:21:20:04
    Start date:25/04/2021
    Path:/tmp/05p4kVOZ5q
    Arguments:/usr/bin/qemu-mips /tmp/05p4kVOZ5q
    File size:132876 bytes
    MD5 hash:fbe51695e97a45dc61967dc3241a37dc

    General

    Start time:21:20:04
    Start date:25/04/2021
    Path:/sbin/upstart
    Arguments:n/a
    File size:0 bytes
    MD5 hash:00000000000000000000000000000000

    General

    Start time:21:20:04
    Start date:25/04/2021
    Path:/bin/sh
    Arguments:/bin/sh -e /proc/self/fd/9
    File size:4 bytes
    MD5 hash:e02ea3c3450d44126c46d658fa9e654c

    General

    Start time:21:20:04
    Start date:25/04/2021
    Path:/bin/sh
    Arguments:n/a
    File size:4 bytes
    MD5 hash:e02ea3c3450d44126c46d658fa9e654c

    General

    Start time:21:20:04
    Start date:25/04/2021
    Path:/bin/date
    Arguments:date
    File size:68464 bytes
    MD5 hash:54903b613f9019bfca9f5d28a4fff34e

    General

    Start time:21:20:04
    Start date:25/04/2021
    Path:/bin/sh
    Arguments:n/a
    File size:4 bytes
    MD5 hash:e02ea3c3450d44126c46d658fa9e654c

    General

    Start time:21:20:04
    Start date:25/04/2021
    Path:/usr/share/apport/apport-checkreports
    Arguments:/usr/bin/python3 /usr/share/apport/apport-checkreports --system
    File size:1269 bytes
    MD5 hash:1a7d84ebc34df04e55ca3723541f48c9

    General

    Start time:21:20:04
    Start date:25/04/2021
    Path:/sbin/upstart
    Arguments:n/a
    File size:0 bytes
    MD5 hash:00000000000000000000000000000000

    General

    Start time:21:20:04
    Start date:25/04/2021
    Path:/bin/sh
    Arguments:/bin/sh -e /proc/self/fd/9
    File size:4 bytes
    MD5 hash:e02ea3c3450d44126c46d658fa9e654c

    General

    Start time:21:20:04
    Start date:25/04/2021
    Path:/bin/sh
    Arguments:n/a
    File size:4 bytes
    MD5 hash:e02ea3c3450d44126c46d658fa9e654c

    General

    Start time:21:20:04
    Start date:25/04/2021
    Path:/bin/date
    Arguments:date
    File size:68464 bytes
    MD5 hash:54903b613f9019bfca9f5d28a4fff34e

    General

    Start time:21:20:04
    Start date:25/04/2021
    Path:/bin/sh
    Arguments:n/a
    File size:4 bytes
    MD5 hash:e02ea3c3450d44126c46d658fa9e654c

    General

    Start time:21:20:04
    Start date:25/04/2021
    Path:/usr/share/apport/apport-gtk
    Arguments:/usr/bin/python3 /usr/share/apport/apport-gtk
    File size:23806 bytes
    MD5 hash:ec58a49a30ef6a29406a204f28cc7d87

    General

    Start time:21:20:05
    Start date:25/04/2021
    Path:/sbin/upstart
    Arguments:n/a
    File size:0 bytes
    MD5 hash:00000000000000000000000000000000

    General

    Start time:21:20:05
    Start date:25/04/2021
    Path:/bin/sh
    Arguments:/bin/sh -e /proc/self/fd/9
    File size:4 bytes
    MD5 hash:e02ea3c3450d44126c46d658fa9e654c

    General

    Start time:21:20:05
    Start date:25/04/2021
    Path:/bin/sh
    Arguments:n/a
    File size:4 bytes
    MD5 hash:e02ea3c3450d44126c46d658fa9e654c

    General

    Start time:21:20:05
    Start date:25/04/2021
    Path:/bin/date
    Arguments:date
    File size:68464 bytes
    MD5 hash:54903b613f9019bfca9f5d28a4fff34e

    General

    Start time:21:20:05
    Start date:25/04/2021
    Path:/bin/sh
    Arguments:n/a
    File size:4 bytes
    MD5 hash:e02ea3c3450d44126c46d658fa9e654c

    General

    Start time:21:20:05
    Start date:25/04/2021
    Path:/usr/share/apport/apport-gtk
    Arguments:/usr/bin/python3 /usr/share/apport/apport-gtk
    File size:23806 bytes
    MD5 hash:ec58a49a30ef6a29406a204f28cc7d87