Linux Analysis Report VVrYWZ9mzZ

Overview

General Information

Sample Name:	VVrYWZ9mzZ
Analysis ID:	452446
MD5:	28ae443f54fdb93adc756778ad76ef90
SHA1:	61c196c94b176f71a5748e5910c9db9c03927e9e
SHA256:	e00e03516a774d45197cbeac2e89b5d9a4df7849b6fd19e360ee72619ab6311d
Tags:	32armelfmirai
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false

Signatures

Multi AV Scanner detection for submitted file

Sample is packed with UPX

Sample contains only a LOAD segment without any section mappings

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Signatures

AV Detection:

Multi AV Scanner detection for submitted file

Source: VVrYWZ9mzZ	Virustotal: Detection: 26%			Perma Link
Source: VVrYWZ9mzZ	ReversingLabs: Detection: 33%

Source: unknown	TCP traffic detected without corresponding DNS query: 97.102.228.248
Source: unknown	TCP traffic detected without corresponding DNS query: 112.46.77.51
Source: unknown	TCP traffic detected without corresponding DNS query: 222.121.38.185
Source: unknown	TCP traffic detected without corresponding DNS query: 222.121.38.185
Source: unknown	TCP traffic detected without corresponding DNS query: 223.100.19.169
Source: unknown	TCP traffic detected without corresponding DNS query: 117.175.152.205

Source: VVrYWZ9mzZ

String found in binary or memory: http://upx.sf.net

System Summary:

Sample contains only a LOAD segment without any section mappings

Source: LOAD without section mappings

Program segment: 0x8000

Source: classification engine

Classification label: mal52.evad.lin@0/0@0/0

Data Obfuscation:

Sample is packed with UPX

Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $

Malware Analysis System Evasion:

Uses the "uname" system call to query kernel version information (possible evasion)

Source: /tmp/VVrYWZ9mzZ (PID: 4594)

Queries kernel information via 'uname':

Jump to behavior

Screenshots

No Screenshots

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
97.102.228.248	unknown	United States	33363	BHN-33363US	false
112.46.77.51	unknown	China	140105	CMNET-SNIDC-CN-APShaanxiMobileCommunicationCompanyLimit	false
223.100.19.169	unknown	China	56044	CMNET-AS-LIAONINGChinaMobilecommunicationscorporationC	false
222.121.38.185	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
117.175.152.205	unknown	China	9808	CMNET-GDGuangdongMobileCommunicationCoLtdCN	false

ID:	452446
Product:	CloudBasic
Start time:	11:21:56
Start date:	22.07.2021
Sample:	VVrYWZ9mzZ
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 59.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
Architecture:	LINUX
MD5:	28ae443f54fdb93adc756778ad76ef90
SHA1:	61c196c94b176f71a5748e5910c9db9c03927e9e
SHA256:	e00e03516a774d45197cbeac2e89b5d9a4df7849b6fd19e360ee72619ab6311d
Filetype:	ELF Executable and Linkable format (generic) (4004/1) 100.00%

Linux Analysis Report VVrYWZ9mzZ

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Networking:

System Summary:

Data Obfuscation:

Malware Analysis System Evasion:

Screenshots

Network Map

Contacted Public IPs