Linux Analysis Report syst3md
Overview
General Information
Sample Name: | syst3md |
Analysis ID: | 438274 |
MD5: | 5d33f7f4af840c8ee5a8fde96ef07495 |
SHA1: | 732186c30bcc72f0a295284fc4593b200aa84779 |
SHA256: | efa9cf5ad8eb73556e34f2cbf4fb71df19e9956a4f0332a714bb6307395f3dcc |
Detection
Xmrig
Score: | 72 |
Range: | 0 - 100 |
Whitelisted: | false |
Signatures
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Xmrig cryptocurrency miner
Found strings related to Crypto-Mining
Stdout / stderr contain strings indicative of a mining client
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)
Classification
Analysis Advice |
---|
Non-zero exit code suggests an error during execution; look up the error code for hints. The runtime messages below show the reason: the sample is an XMRig build that looked for /tmp/config.json, found no valid configuration and exited with code 2 before attempting any mining or pool connection. The empty network and dropped-file sections therefore reflect the missing configuration, not a benign binary; to observe the miner's real behaviour, re-run it with the configuration file or command-line arguments it was deployed with. |
General Information |
---|
Joe Sandbox Version: | 32.0.0 Black Diamond |
Analysis ID: | 438274 |
Start date: | 22.06.2021 |
Start time: | 11:16:55 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 4m 21s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | syst3md |
Cookbook file name: | defaultlinuxfilecookbook.jbs |
Analysis system description: | Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 59.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171) |
Analysis Mode: | default |
Detection: | MAL |
Classification: | mal72.mine.lin@0/0@0/0 |
Process Tree |
---|
Yara Overview |
---|
Initial Sample |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
| JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
Signature Overview |
---|
AV Detection: |
---|
Antivirus / Scanner detection for submitted sample |
Source: | Avira: |
Multi AV Scanner detection for submitted file |
Source: | Virustotal: |
Source: | Metadefender: |
Source: | ReversingLabs: |
Bitcoin Miner: |
---|
Yara detected Xmrig cryptocurrency miner |
Source: | File source: |
Source: | File source: |
Source: | File source: |
Found strings related to Crypto-Mining |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Stdout / stderr contain strings indicative of a mining client |
Source: | Stdout: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Sample has stripped symbol table |
Source: | .symtab present: |
Classification |
Source: | Classification label: |
Uses the "uname" system call to query kernel version information (possible evasion) |
Source: | Queries kernel information via 'uname': |
Mitre Att&ck Matrix |
---|
Tactic | Technique (mapped signatures) |
---|---|
Discovery | Security Software Discovery (1) |
Only this one cell of the matrix carries a mapped signature (the uname kernel-version query); the other tactic columns show the matrix's default technique placeholders and have no matches for this sample.
Behavior Graph |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Detection | Scanner | Label |
---|---|---|
38% | Virustotal | |
31% | Metadefender | |
52% | ReversingLabs | Linux.Coinminer.BitCoinMiner |
100% | Avira | LINUX/BitCoinMiner.ivhwt |
Dropped Files |
---|
No Antivirus matches |
---|
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
Detection | Scanner | Label |
---|---|---|
0% | URL Reputation | safe |
0% | URL Reputation | safe |
0% | URL Reputation | safe |
0% | URL Reputation | safe |
0% | URL Reputation | safe |
0% | URL Reputation | safe |
0% | URL Reputation | safe |
0% | URL Reputation | safe |
0% | URL Reputation | safe |
0% | URL Reputation | safe |
0% | URL Reputation | safe |
0% | URL Reputation | safe |
Domains and IPs |
---|
Contacted Domains |
---|
No contacted domains info |
---|
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | high |
| | false | | unknown |
| | false | | high |
| | false | | unknown |
| | false | | unknown |
Contacted IPs |
---|
No contacted IP infos |
---|
Runtime Messages |
---|
Command: | /tmp/syst3md |
Exit Code: | 2 |
Exit Code Info: | |
Killed: | False |
Standard Output: | [2021-06-22 13:17:29.284] unable to open '/tmp/config.json'. [2021-06-22 13:17:29.285] no valid configuration found; try https://xmrig.com/wizard |
Standard Error: |
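The two stdout lines above are the sample's own XMRig start-up output, and they are the kind of text the "Stdout / stderr contain strings indicative of a mining client" and "Found strings related to Crypto-Mining" signatures key on. The Python below is an added example, not Joe Security's signature or YARA logic: it extracts printable strings from a binary image the way strings(1) does, scans them and captured stdout against a small indicator list, and combines the hits into a verdict. The indicator regexes, the two-kinds-of-evidence threshold, the SAMPLE_BINARY blob and the pool hostname in it are constructed for this example; SAMPLE_STDOUT reproduces the two lines from the Runtime Messages section.

```python
from __future__ import annotations

import re
from typing import Iterable

# Indicator list for this example (my own choice, not Joe Security's rule set).
MINER_INDICATORS = [
    (re.compile(r"xmrig\.com/wizard", re.I), "xmrig config wizard URL"),
    (re.compile(r"no valid configuration found", re.I), "xmrig missing-config message"),
    (re.compile(r"unable to open '[^']*config\.json'", re.I), "xmrig config.json lookup"),
    (re.compile(r"stratum\+(?:tcp|ssl)://", re.I), "stratum pool URL"),
    (re.compile(r"\b(?:randomx|cryptonight|kawpow)\b", re.I), "PoW algorithm name"),
    (re.compile(r"donate-level", re.I), "xmrig donate-level option"),
]

# Constructed sample inputs. SAMPLE_STDOUT reproduces the two lines from the
# Runtime Messages section; SAMPLE_BINARY is a made-up blob, not the sample.
SAMPLE_STDOUT = (
    "[2021-06-22 13:17:29.284] unable to open '/tmp/config.json'.\n"
    "[2021-06-22 13:17:29.285] no valid configuration found; try https://xmrig.com/wizard\n"
)
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"stratum+tcp://pool.example.invalid:3333\x00"  # hypothetical pool
    + b"randomx\x00--donate-level\x00"
    + b"\x01\x02\x03 short\x00"
)


def extract_strings(data: bytes, min_len: int = 6) -> list[str]:
    """Printable-ASCII runs of at least min_len bytes, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def scan_for_miner_indicators(lines: Iterable[str]) -> list[tuple[str, str]]:
    """(label, matched text) for every indicator hit; one line can hit several."""
    hits: list[tuple[str, str]] = []
    for line in lines:
        for pattern, label in MINER_INDICATORS:
            m = pattern.search(line)
            if m:
                hits.append((label, m.group()))
    return hits


def classify(stdout: str, binary: bytes) -> dict:
    """Combine stdout and embedded-string hits. Two distinct indicator kinds
    are required for a 'miner' verdict; that threshold is this example's choice."""
    stdout_hits = scan_for_miner_indicators(stdout.splitlines())
    string_hits = scan_for_miner_indicators(extract_strings(binary))
    kinds = {label for label, _ in stdout_hits + string_hits}
    return {
        "stdout_hits": stdout_hits,
        "string_hits": string_hits,
        "verdict": "miner" if len(kinds) >= 2 else "inconclusive",
    }


if __name__ == "__main__":
    result = classify(SAMPLE_STDOUT, SAMPLE_BINARY)
    for label, text in result["stdout_hits"] + result["string_hits"]:
        print(f"{label:32s} {text}")
    print("verdict:", result["verdict"])
```

On a real sample, pass the sandbox's captured stdout and the file bytes (`classify(stdout_text, open(path, "rb").read())`); for this report the two stdout lines alone already yield three distinct XMRig indicators, which is why the verdict does not depend on the binary's embedded strings.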
Joe Sandbox View / Context |
---|
Created / dropped Files |
---|
No created / dropped files found |
---|
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 6.400341977070569 |
TrID: |
File name: | syst3md |
File size: | 6960840 |
MD5: | 5d33f7f4af840c8ee5a8fde96ef07495 |
SHA1: | 732186c30bcc72f0a295284fc4593b200aa84779 |
SHA256: | efa9cf5ad8eb73556e34f2cbf4fb71df19e9956a4f0332a714bb6307395f3dcc |
SHA512: | ce41cc41a16d3c687d7ad100d87144bf622e2071e528bd514bfefb38a95370770b05197dffc415351cea269902d07e2161cc9156570556c468a7cff7f95c7b12 |
SSDEEP: | 98304:Yk/JyyJ/B+ga0px70IlOOiiOOO+OOO+OOOTxkxkxPpxNpxfGQvvANnUr+sdcJZ7V:Yk/syJZba5unAtLEyB6tpN/jO/N1s |
File Content Preview: | .ELF..............>...... @.....@.......H/j.........@.8...@.......................@.......@.......f.......f....... .............`$f.....`$......`$..............xo........ .......................@.......@.....D.......D.......................`$f.....`$..... |
Static ELF Info |
---|
ELF header | |
---|---|
Class: | |
Data: | |
Version: | |
Machine: | |
Version Number: | |
Type: | |
OS/ABI: | |
ABI Version: | |
Entry Point Address: | |
Flags: | |
ELF Header Size: | |
Program Header Offset: | |
Program Header Size: | |
Number of Program Headers: | |
Section Header Offset: | |
Section Header Size: | |
Number of Section Headers: | |
Header String Table Index: |
Sections |
---|
Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align |
---|---|---|---|---|---|---|---|---|---|---|
| NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | | 0 | 0 | 0 |
.note.ABI-tag | NOTE | 0x400190 | 0x190 | 0x20 | 0x0 | 0x2 | A | 0 | 0 | 4 |
.note.gnu.build-id | NOTE | 0x4001b0 | 0x1b0 | 0x24 | 0x0 | 0x2 | A | 0 | 0 | 4 |
.rela.plt | RELA | 0x4001d8 | 0x1d8 | 0x1b0 | 0x18 | 0x42 | AI | 0 | 23 | 8 |
.init | PROGBITS | 0x400388 | 0x388 | 0xe | 0x0 | 0x6 | AX | 0 | 0 | 4 |
.plt | PROGBITS | 0x4003a0 | 0x3a0 | 0x120 | 0x0 | 0x6 | AX | 0 | 0 | 16 |
.text | PROGBITS | 0x4004c0 | 0x4c0 | 0x4d6cd4 | 0x0 | 0x6 | AX | 0 | 0 | 64 |
__libc_freeres_fn | PROGBITS | 0x8d71a0 | 0x4d71a0 | 0x1c81 | 0x0 | 0x6 | AX | 0 | 0 | 16 |
__libc_thread_freeres_fn | PROGBITS | 0x8d8e30 | 0x4d8e30 | 0x218 | 0x0 | 0x6 | AX | 0 | 0 | 16 |
.fini | PROGBITS | 0x8d9048 | 0x4d9048 | 0x9 | 0x0 | 0x6 | AX | 0 | 0 | 4 |
.rodata | PROGBITS | 0x8d9080 | 0x4d9080 | 0xde028 | 0x0 | 0x2 | A | 0 | 0 | 64 |
__libc_subfreeres | PROGBITS | 0x9b70a8 | 0x5b70a8 | 0xa8 | 0x0 | 0x2 | A | 0 | 0 | 8 |
__libc_atexit | PROGBITS | 0x9b7150 | 0x5b7150 | 0x8 | 0x0 | 0x2 | A | 0 | 0 | 8 |
__libc_thread_subfreeres | PROGBITS | 0x9b7158 | 0x5b7158 | 0x10 | 0x0 | 0x2 | A | 0 | 0 | 8 |
.stapsdt.base | PROGBITS | 0x9b7168 | 0x5b7168 | 0x1 | 0x0 | 0x2 | A | 0 | 0 | 1 |
.eh_frame | PROGBITS | 0x9b7170 | 0x5b7170 | 0x9f464 | 0x0 | 0x2 | A | 0 | 0 | 8 |
.gcc_except_table | PROGBITS | 0xa565d4 | 0x6565d4 | 0xb804 | 0x0 | 0x2 | A | 0 | 0 | 4 |
.tdata | PROGBITS | 0xc62460 | 0x662460 | 0x28 | 0x0 | 0x403 | WAT | 0 | 0 | 16 |
.tbss | NOBITS | 0xc62490 | 0x662488 | 0x58 | 0x0 | 0x403 | WAT | 0 | 0 | 16 |
.init_array | INIT_ARRAY | 0xc62490 | 0x662490 | 0x1b0 | 0x8 | 0x3 | WA | 0 | 0 | 8 |
.fini_array | FINI_ARRAY | 0xc62640 | 0x662640 | 0x18 | 0x8 | 0x3 | WA | 0 | 0 | 8 |
.data.rel.ro | PROGBITS | 0xc62660 | 0x662660 | 0x338fc | 0x0 | 0x3 | WA | 0 | 0 | 32 |
.got | PROGBITS | 0xc95f60 | 0x695f60 | 0x88 | 0x8 | 0x3 | WA | 0 | 0 | 8 |
.got.plt | PROGBITS | 0xc96000 | 0x696000 | 0xa8 | 0x8 | 0x3 | WA | 0 | 0 | 8 |
.data | PROGBITS | 0xc960c0 | 0x6960c0 | 0xca48 | 0x0 | 0x3 | WA | 0 | 0 | 32 |
.bss | NOBITS | 0xca2b40 | 0x6a2b08 | 0xa6850 | 0x0 | 0x3 | WA | 0 | 0 | 64 |
__libc_freeres_ptrs | NOBITS | 0xd49390 | 0x6a2b08 | 0x48 | 0x0 | 0x3 | WA | 0 | 0 | 8 |
.comment | PROGBITS | 0x0 | 0x6a2b08 | 0x59 | 0x1 | 0x30 | MS | 0 | 0 | 1 |
.note.stapsdt | NOTE | 0x0 | 0x6a2b64 | 0x28c | 0x0 | 0x0 | | 0 | 0 | 4 |
.shstrtab | STRTAB | 0x0 | 0x6a2df0 | 0x154 | 0x0 | 0x0 | | 0 | 0 | 1 |
Program Segments |
---|
Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings |
---|---|---|---|---|---|---|---|---|---|---|---|
LOAD | 0x0 | 0x400000 | 0x400000 | 0x661dd8 | 0x661dd8 | 3.9885 | 0x5 | R E | 0x200000 | | .note.ABI-tag .note.gnu.build-id .rela.plt .init .plt .text __libc_freeres_fn __libc_thread_freeres_fn .fini .rodata __libc_subfreeres __libc_atexit __libc_thread_subfreeres .stapsdt.base .eh_frame .gcc_except_table |
LOAD | 0x662460 | 0xc62460 | 0xc62460 | 0x406a8 | 0xe6f78 | 1.7258 | 0x6 | RW | 0x200000 | | .init_array .fini_array .data.rel.ro .got .got.plt .data .bss __libc_freeres_ptrs |
NOTE | 0x190 | 0x400190 | 0x400190 | 0x44 | 0x44 | 2.4413 | 0x4 | R | 0x4 | | .note.ABI-tag .note.gnu.build-id |
TLS | 0x662460 | 0xc62460 | 0xc62460 | 0x28 | 0x88 | 0.8173 | 0x4 | R | 0x10 | | |
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x6 | RW | 0x10 | | |
GNU_RELRO | 0x662460 | 0xc62460 | 0xc62460 | 0x33ba0 | 0x33ba0 | 1.5667 | 0x4 | R | 0x1 | | .init_array .fini_array .data.rel.ro .got |
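The section and segment tables above already contain the two facts behind the "Sample has stripped symbol table" signature and the empty Prog Interpreter column: the section list has no .symtab or .strtab, only .shstrtab, and there is no INTERP or DYNAMIC segment, so the binary is statically linked (the __libc_freeres_fn and __libc_subfreeres sections are glibc's static-link-only sections, which a dynamically linked executable would not carry). The Python below is an added example, my own code rather than Joe Sandbox's analyser: it parses the ELF64 file, program and section headers from memory and derives those two flags. Because the sample itself is not embedded here, build_elf64() constructs minimal ELF images as sample input; the layout and values it chooses are assumptions for the example.

```python
from __future__ import annotations

import struct

PT_DYNAMIC, PT_INTERP = 2, 3
SHT_NULL, SHT_PROGBITS, SHT_SYMTAB, SHT_STRTAB = 0, 1, 2, 3

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # ELF64 file header, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")          # ELF64 program header, 56 bytes
SHDR = struct.Struct("<IIQQQQIIQQ")        # ELF64 section header, 64 bytes


def parse_elf64(data: bytes) -> dict:
    """Parse the file, program and section headers of a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("this example handles little-endian ELF64 only")
    (_, e_type, e_machine, _, e_entry, e_phoff, e_shoff, _, _,
     e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx) = EHDR.unpack_from(data, 0)
    ptypes = [PHDR.unpack_from(data, e_phoff + i * e_phentsize)[0] for i in range(e_phnum)]
    shdrs = [SHDR.unpack_from(data, e_shoff + i * e_shentsize) for i in range(e_shnum)]
    names: list[str] = []
    if shdrs:  # resolve sh_name offsets through the section-name string table
        off, size = shdrs[e_shstrndx][4], shdrs[e_shstrndx][5]
        shstrtab = data[off:off + size]
        names = [shstrtab[s[0]:shstrtab.index(b"\x00", s[0])].decode() for s in shdrs]
    return {"type": e_type, "machine": e_machine, "entry": e_entry,
            "ptypes": ptypes, "sections": names}


def triage_elf64(data: bytes) -> dict:
    """Derive the two facts the report states: stripped symbols and static linkage."""
    info = parse_elf64(data)
    return {
        "entry": info["entry"],
        "sections": info["sections"],
        # No section headers at all is the stronger form of stripping.
        "has_section_headers": bool(info["sections"]),
        "stripped": ".symtab" not in info["sections"],
        # A dynamically linked executable needs an interpreter and a PT_DYNAMIC segment.
        "static": PT_INTERP not in info["ptypes"] and PT_DYNAMIC not in info["ptypes"],
    }


def build_elf64(with_symtab: bool, with_interp: bool) -> bytes:
    """Construct a minimal (not runnable) ELF64 image as sample input for the parser."""
    names = [".text", ".shstrtab"] + ([".symtab"] if with_symtab else [])
    shstrtab, name_off = b"\x00", {}
    for n in names:
        name_off[n] = len(shstrtab)
        shstrtab += n.encode() + b"\x00"
    ptypes = [1] + ([PT_INTERP] if with_interp else [])  # PT_LOAD, optional PT_INTERP
    phoff = EHDR.size
    shstr_off = phoff + PHDR.size * len(ptypes)
    shoff = shstr_off + len(shstrtab)
    ehdr = EHDR.pack(b"\x7fELF\x02\x01\x01" + b"\x00" * 9, 2, 62, 1, 0x400000,
                     phoff, shoff, 0, EHDR.size, PHDR.size, len(ptypes),
                     SHDR.size, 1 + len(names), 1 + names.index(".shstrtab"))
    phdrs = b"".join(PHDR.pack(t, 5, 0, 0x400000, 0x400000, 0, 0, 0x1000) for t in ptypes)
    sh_types = {".text": SHT_PROGBITS, ".shstrtab": SHT_STRTAB, ".symtab": SHT_SYMTAB}
    shdrs = SHDR.pack(0, SHT_NULL, 0, 0, 0, 0, 0, 0, 0, 0)
    for n in names:
        off, size = (shstr_off, len(shstrtab)) if n == ".shstrtab" else (0, 0)
        shdrs += SHDR.pack(name_off[n], sh_types[n], 0, 0, off, size, 0, 0, 1, 0)
    return ehdr + phdrs + shstrtab + shdrs


if __name__ == "__main__":
    for symtab, interp in ((False, False), (True, True)):
        print(triage_elf64(build_elf64(symtab, interp)))
```

Run against a real file with `triage_elf64(open(path, "rb").read())`; applied to this sample's headers it yields stripped=True and static=True, matching the signature and the empty Prog Interpreter column. A static, stripped build is also why the AV labels above are generic "BitCoinMiner" detections rather than library-level matches: the miner's code and its whole libc are folded into one 6.9 MB .text-heavy image.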
Network Behavior |
---|
No network behavior found |
---|
System Behavior |
---|
General |
---|
Start time: | 11:17:29 |
Start date: | 22/06/2021 |
Path: | /tmp/syst3md |
Arguments: | /tmp/syst3md |
File size: | 6960840 bytes |
MD5 hash: | 5d33f7f4af840c8ee5a8fde96ef07495 |