Play interactive tour

Edit tour

Linux Analysis Report syst3md

Overview

General Information

Sample Name:	syst3md
Analysis ID:	438274
MD5:	5d33f7f4af840c8ee5a8fde96ef07495
SHA1:	732186c30bcc72f0a295284fc4593b200aa84779
SHA256:	efa9cf5ad8eb73556e34f2cbf4fb71df19e9956a4f0332a714bb6307395f3dcc
Infos:

Detection

Xmrig

Score:	72
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected Xmrig cryptocurrency miner

Found strings related to Crypto-Mining

Stdout / stderr contain strings indicative of a mining client

Sample has stripped symbol table

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Analysis Advice

Non-zero exit code suggests an error during the execution. Lookup the error code for hints.

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	438274
Start date:	22.06.2021
Start time:	11:16:55
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	syst3md
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 59.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
Analysis Mode:	default
Detection:	MAL
Classification:	mal72.mine.lin@0/0@0/0

Process Tree

system is lnxubuntu1

syst3md (PID: 4553, Parent: 4484, MD5: 5d33f7f4af840c8ee5a8fde96ef07495) Arguments: /tmp/syst3md

cleanup

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
syst3md	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
4553.1.0000000000400000.0000000000a62000.r-x.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: syst3md PID: 4553	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: syst3md

Avira: detected

Multi AV Scanner detection for submitted file

Show sources

Source: syst3md	Virustotal: Detection: 37%	Perma Link
Source: syst3md	Metadefender: Detection: 28%	Perma Link
Source: syst3md	ReversingLabs: Detection: 51%

Bitcoin Miner:

Yara detected Xmrig cryptocurrency miner

Show sources

Source: Yara match	File source: syst3md, type: SAMPLE
Source: Yara match	File source: 4553.1.0000000000400000.0000000000a62000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: syst3md PID: 4553, type: MEMORY

Found strings related to Crypto-Mining

Show sources

Source: syst3md, 4553.1.0000000000400000.0000000000a62000.r-x.sdmp	String found in binary or memory: stratum+ssl://
Source: syst3md, 4553.1.0000000000400000.0000000000a62000.r-x.sdmp	String found in binary or memory: cryptonight/0
Source: syst3md, 4553.1.0000000000400000.0000000000a62000.r-x.sdmp	String found in binary or memory: -o, --url=URL URL of mining server
Source: syst3md, 4553.1.0000000000400000.0000000000a62000.r-x.sdmp	String found in binary or memory: stratum+tcp://
Source: syst3md, 4553.1.0000000000400000.0000000000a62000.r-x.sdmp	String found in binary or memory: Usage: xmrig [OPTIONS]
Source: syst3md, 4553.1.0000000000400000.0000000000a62000.r-x.sdmp	String found in binary or memory: XMRig 6.3.2

Stdout / stderr contain strings indicative of a mining client

Show sources

Source: /tmp/syst3md

Stdout: xmrig

Source: syst3md, 4553.1.0000000000400000.0000000000a62000.r-x.sdmp	String found in binary or memory: http://www.gnu.org/software/libc/bugs.html
Source: syst3md, 4553.1.0000000000400000.0000000000a62000.r-x.sdmp	String found in binary or memory: https://gcc.gnu.org/bugsterminate
Source: syst3md, 4553.1.0000000000400000.0000000000a62000.r-x.sdmp	String found in binary or memory: https://xmrig.com/docs/algorithms
Source: syst3md, 4553.1.00007f0d5f706000.00007f0d5f707000.rw-.sdmp, syst3md, 4553.1.0000000000f0c000.0000000000f2f000.rw-.sdmp, syst3md, 4553.1.0000000000400000.0000000000a62000.r-x.sdmp	String found in binary or memory: https://xmrig.com/wizard
Source: syst3md, 4553.1.0000000000400000.0000000000a62000.r-x.sdmp	String found in binary or memory: https://xmrig.com/wizard%s

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal72.mine.lin@0/0@0/0

Source: /tmp/syst3md (PID: 4553)

Queries kernel information via 'uname':

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	OS Credential Dumping	Security Software Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
syst3md	38%	Virustotal		Browse
syst3md	31%	Metadefender		Browse
syst3md	52%	ReversingLabs	Linux.Coinminer.BitCoinMiner
syst3md	100%	Avira	LINUX/BitCoinMiner.ivhwt

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://xmrig.com/wizard	0%	URL Reputation	safe
https://xmrig.com/wizard	0%	URL Reputation	safe
https://xmrig.com/wizard	0%	URL Reputation	safe
https://xmrig.com/wizard	0%	URL Reputation	safe
https://xmrig.com/wizard%s	0%	URL Reputation	safe
https://xmrig.com/wizard%s	0%	URL Reputation	safe
https://xmrig.com/wizard%s	0%	URL Reputation	safe
https://xmrig.com/wizard%s	0%	URL Reputation	safe
https://xmrig.com/docs/algorithms	0%	URL Reputation	safe
https://xmrig.com/docs/algorithms	0%	URL Reputation	safe
https://xmrig.com/docs/algorithms	0%	URL Reputation	safe
https://xmrig.com/docs/algorithms	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.gnu.org/software/libc/bugs.html	syst3md, 4553.1.0000000000400000.0000000000a62000.r-x.sdmp	false		high
https://xmrig.com/wizard	syst3md, 4553.1.00007f0d5f706000.00007f0d5f707000.rw-.sdmp, syst3md, 4553.1.0000000000f0c000.0000000000f2f000.rw-.sdmp, syst3md, 4553.1.0000000000400000.0000000000a62000.r-x.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://gcc.gnu.org/bugsterminate	syst3md, 4553.1.0000000000400000.0000000000a62000.r-x.sdmp	false		high
https://xmrig.com/wizard%s	syst3md, 4553.1.0000000000400000.0000000000a62000.r-x.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://xmrig.com/docs/algorithms	syst3md, 4553.1.0000000000400000.0000000000a62000.r-x.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No contacted IP infos

Runtime Messages

Command:	/tmp/syst3md
Exit Code:	2
Exit Code Info:
Killed:	False
Standard Output:	[2021-06-22 13:17:29.284] unable to open '/tmp/config.json'. [2021-06-22 13:17:29.285] no valid configuration found; try https://xmrig.com/wizard
Standard Error:

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.18, BuildID[sha1]=abbd7cc45284dffd19b3e61e1f31b03e44addc00, stripped
Entropy (8bit):	6.400341977070569
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	syst3md
File size:	6960840
MD5:	5d33f7f4af840c8ee5a8fde96ef07495
SHA1:	732186c30bcc72f0a295284fc4593b200aa84779
SHA256:	efa9cf5ad8eb73556e34f2cbf4fb71df19e9956a4f0332a714bb6307395f3dcc
SHA512:	ce41cc41a16d3c687d7ad100d87144bf622e2071e528bd514bfefb38a95370770b05197dffc415351cea269902d07e2161cc9156570556c468a7cff7f95c7b12
SSDEEP:	98304:Yk/JyyJ/B+ga0px70IlOOiiOOO+OOO+OOOTxkxkxPpxNpxfGQvvANnUr+sdcJZ7V:Yk/syJZba5unAtLEyB6tpN/jO/N1s
File Content Preview:	.ELF..............>...... @.....@.......H/j.........@.8...@.......................@.......@.......f.......f....... .............`$f.....`$......`$..............xo........ .......................@.......@.....D.......D.......................`$f.....`$.....

Static ELF Info

ELF header
Class:	ELF64
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Advanced Micro Devices X86-64
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - Linux
ABI Version:	0
Entry Point Address:	0x4020a4
Flags:	0x0
ELF Header Size:	64
Program Header Offset:	64
Program Header Size:	56
Number of Program Headers:	6
Section Header Offset:	6958920
Section Header Size:	64
Number of Section Headers:	30
Header String Table Index:	29

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Info	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0	0
.note.ABI-tag	NOTE	0x400190	0x190	0x20	0x0	0x2	A	0	4
.note.gnu.build-id	NOTE	0x4001b0	0x1b0	0x24	0x0	0x2	A	0	4
.rela.plt	RELA	0x4001d8	0x1d8	0x1b0	0x18	0x42	AI	23	8
.init	PROGBITS	0x400388	0x388	0xe	0x0	0x6	AX	0	4
.plt	PROGBITS	0x4003a0	0x3a0	0x120	0x0	0x6	AX	0	16
.text	PROGBITS	0x4004c0	0x4c0	0x4d6cd4	0x0	0x6	AX	0	64
__libc_freeres_fn	PROGBITS	0x8d71a0	0x4d71a0	0x1c81	0x0	0x6	AX	0	16
__libc_thread_freeres_fn	PROGBITS	0x8d8e30	0x4d8e30	0x218	0x0	0x6	AX	0	16
.fini	PROGBITS	0x8d9048	0x4d9048	0x9	0x0	0x6	AX	0	4
.rodata	PROGBITS	0x8d9080	0x4d9080	0xde028	0x0	0x2	A	0	64
__libc_subfreeres	PROGBITS	0x9b70a8	0x5b70a8	0xa8	0x0	0x2	A	0	8
__libc_atexit	PROGBITS	0x9b7150	0x5b7150	0x8	0x0	0x2	A	0	8
__libc_thread_subfreeres	PROGBITS	0x9b7158	0x5b7158	0x10	0x0	0x2	A	0	8
.stapsdt.base	PROGBITS	0x9b7168	0x5b7168	0x1	0x0	0x2	A	0	1
.eh_frame	PROGBITS	0x9b7170	0x5b7170	0x9f464	0x0	0x2	A	0	8
.gcc_except_table	PROGBITS	0xa565d4	0x6565d4	0xb804	0x0	0x2	A	0	4
.tdata	PROGBITS	0xc62460	0x662460	0x28	0x0	0x403	WAT	0	16
.tbss	NOBITS	0xc62490	0x662488	0x58	0x0	0x403	WAT	0	16
.init_array	INIT_ARRAY	0xc62490	0x662490	0x1b0	0x8	0x3	WA	0	8
.fini_array	FINI_ARRAY	0xc62640	0x662640	0x18	0x8	0x3	WA	0	8
.data.rel.ro	PROGBITS	0xc62660	0x662660	0x338fc	0x0	0x3	WA	0	32
.got	PROGBITS	0xc95f60	0x695f60	0x88	0x8	0x3	WA	0	8
.got.plt	PROGBITS	0xc96000	0x696000	0xa8	0x8	0x3	WA	0	8
.data	PROGBITS	0xc960c0	0x6960c0	0xca48	0x0	0x3	WA	0	32
.bss	NOBITS	0xca2b40	0x6a2b08	0xa6850	0x0	0x3	WA	0	64
__libc_freeres_ptrs	NOBITS	0xd49390	0x6a2b08	0x48	0x0	0x3	WA	0	8
.comment	PROGBITS	0x0	0x6a2b08	0x59	0x1	0x30	MS	0	1
.note.stapsdt	NOTE	0x0	0x6a2b64	0x28c	0x0	0x0		0	4
.shstrtab	STRTAB	0x0	0x6a2df0	0x154	0x0	0x0		0	1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x400000	0x400000	0x661dd8	0x661dd8	3.9885	0x5	R E	0x200000	.note.ABI-tag .note.gnu.build-id .rela.plt .init .plt .text __libc_freeres_fn __libc_thread_freeres_fn .fini .rodata __libc_subfreeres __libc_atexit __libc_thread_subfreeres .stapsdt.base .eh_frame .gcc_except_table
LOAD	0x662460	0xc62460	0xc62460	0x406a8	0xe6f78	1.7258	0x6	RW	0x200000	.init_array .fini_array .data.rel.ro .got .got.plt .data .bss __libc_freeres_ptrs
NOTE	0x190	0x400190	0x400190	0x44	0x44	2.4413	0x4	R	0x4	.note.ABI-tag .note.gnu.build-id
TLS	0x662460	0xc62460	0xc62460	0x28	0x88	0.8173	0x4	R	0x10
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x10
GNU_RELRO	0x662460	0xc62460	0xc62460	0x33ba0	0x33ba0	1.5667	0x4	R	0x1	.init_array .fini_array .data.rel.ro .got

Network Behavior

No network behavior found

System Behavior

Analysis Process: syst3md PID: 4553 Parent PID: 4484

General

Start time:	11:17:29
Start date:	22/06/2021
Path:	/tmp/syst3md
Arguments:	/tmp/syst3md
File size:	6960840 bytes
MD5 hash:	5d33f7f4af840c8ee5a8fde96ef07495

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Linux Analysis Report syst3md

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Process Tree

Yara Overview

Initial Sample

Memory Dumps

Signature Overview

AV Detection:

Bitcoin Miner:

Networking:

System Summary:

Malware Analysis System Evasion:

Mitre Att&ck Matrix

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Runtime Messages

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

System Behavior

Analysis Process: syst3md PID: 4553 Parent PID: 4484

General

Chronological Activities