Linux Analysis Report VVrYWZ9mzZ

Overview

General Information

Sample Name: VVrYWZ9mzZ
Analysis ID: 452446
MD5: 28ae443f54fdb93adc756778ad76ef90
SHA1: 61c196c94b176f71a5748e5910c9db9c03927e9e
SHA256: e00e03516a774d45197cbeac2e89b5d9a4df7849b6fd19e360ee72619ab6311d
Tags: 32, arm, elf, mirai

Detection

Score: 52
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Sample is packed with UPX
Sample contains only a LOAD segment without any section mappings
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Analysis Advice

Non-zero exit code suggests an error during execution. Look up the error code for hints.
Static ELF header machine description suggests that the sample might not execute correctly on this machine
Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 452446
Start date: 22.07.2021
Start time: 11:21:56
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 6s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: VVrYWZ9mzZ
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 59.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
Analysis Mode: default
Detection: MAL
Classification: mal52.evad.lin@0/0@0/0

Process Tree

  • system is lnxubuntu1
  • VVrYWZ9mzZ (PID: 4594, Parent: 4519, MD5: 28ae443f54fdb93adc756778ad76ef90) Arguments: /usr/bin/qemu-arm /tmp/VVrYWZ9mzZ
  • cleanup

Yara Overview

No yara matches

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: VVrYWZ9mzZ | Virustotal: Detection: 26%
Source: VVrYWZ9mzZ | ReversingLabs: Detection: 33%

Source: unknown | TCP traffic detected without corresponding DNS query: 97.102.228.248
Source: unknown | TCP traffic detected without corresponding DNS query: 112.46.77.51
Source: unknown | TCP traffic detected without corresponding DNS query: 222.121.38.185
Source: unknown | TCP traffic detected without corresponding DNS query: 222.121.38.185
Source: unknown | TCP traffic detected without corresponding DNS query: 223.100.19.169
Source: unknown | TCP traffic detected without corresponding DNS query: 117.175.152.205
Source: VVrYWZ9mzZ | String found in binary or memory: http://upx.sf.net
Source: LOAD without section mappings | Program segment: 0x8000
Source: classification engine | Classification label: mal52.evad.lin@0/0@0/0

Data Obfuscation:

Sample is packed with UPX
Source: initial sample | String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample | String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample | String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $
Source: /tmp/VVrYWZ9mzZ (PID: 4594) | Queries kernel information via 'uname'

Mitre Att&ck Matrix

Tactic                  Technique                                    Hits
Initial Access          Valid Accounts
Execution               Windows Management Instrumentation
Persistence             Path Interception
Privilege Escalation    Path Interception
Defense Evasion         Obfuscated Files or Information              1
Credential Access       OS Credential Dumping
Discovery               Security Software Discovery                  1
Lateral Movement        Remote Services
Collection              Data from Local System
Exfiltration            Exfiltration Over Other Network Medium
Command and Control     Data Obfuscation
Network Effects         Eavesdrop on Insecure Network Communication
Remote Service Effects  Remotely Track Device Without Authorization
Impact                  Modify System Partition

Malware Configuration

No configs have been found

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source      Detection  Scanner        Label
VVrYWZ9mzZ  26%        Virustotal
VVrYWZ9mzZ  33%        ReversingLabs  Linux.Trojan.Mirai

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name               Source      Malicious  Antivirus Detection  Reputation
http://upx.sf.net  VVrYWZ9mzZ  false                           high

    Contacted IPs

    Public

    IP               Domain   Country            ASN     ASN Name                                                 Malicious
    97.102.228.248   unknown  United States      33363   BHN-33363US                                              false
    112.46.77.51     unknown  China              140105  CMNET-SNIDC-CN-APShaanxiMobileCommunicationCompanyLimit  false
    223.100.19.169   unknown  China              56044   CMNET-AS-LIAONINGChinaMobilecommunicationscorporationC   false
    222.121.38.185   unknown  Korea Republic of  4766    KIXS-AS-KRKoreaTelecomKR                                 false
    117.175.152.205  unknown  China              9808    CMNET-GDGuangdongMobileCommunicationCoLtdCN              false


    Runtime Messages

    Command: /tmp/VVrYWZ9mzZ
    Exit Code: 127
    Exit Code Info:
    Killed: False
    Standard Output:
    Standard Error:

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    No context

    ASN

    Match: BHN-33363US
    Match: CMNET-AS-LIAONINGChinaMobilecommunicationscorporationC
    Match: KIXS-AS-KRKoreaTelecomKR

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    No created / dropped files found

    Static File Info

    General

    File type: ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
    Entropy (8bit): 7.917436227483886
    TrID:
    • ELF Executable and Linkable format (generic) (4004/1) 100.00%
    File name: VVrYWZ9mzZ
    File size: 22132
    MD5: 28ae443f54fdb93adc756778ad76ef90
    SHA1: 61c196c94b176f71a5748e5910c9db9c03927e9e
    SHA256: e00e03516a774d45197cbeac2e89b5d9a4df7849b6fd19e360ee72619ab6311d
    SHA512: 889bf93b674a86fd49f4fd9e06959272d553930cb623914b4babfddba66d5fca1c3baa41eb36c6ff4125a583042a88d9f122c70b441dd543f73550321a23498b
    SSDEEP: 384:YAmog4c6L5i4+stIW01vhQIE2TQKMpI8QwxZVFjfPnSb9khymdGUop5hX0:Ypoh/DxCvhdR4IjWVFbSKs3UozJ0
    File Content Preview: .ELF...a..........(.....P...4...........4. ...(......................T...T...............?..........................Q.td..............................CvUPX!........X...X.......q..........?.E.h;.}...^.......+P.f.qY@......}6N.h.......X...|.?..E(...p....h..]

    Static ELF Info

    ELF header

    Class: ELF32
    Data: 2's complement, little endian
    Version: 1 (current)
    Machine: ARM
    Version Number: 0x1
    Type: EXEC (Executable file)
    OS/ABI: ARM - ABI
    ABI Version: 0
    Entry Point Address: 0xc350
    Flags: 0x2
    ELF Header Size: 52
    Program Header Offset: 52
    Program Header Size: 32
    Number of Program Headers: 3
    Section Header Offset: 0
    Section Header Size: 40
    Number of Section Headers: 0
    Header String Table Index: 0

    Program Segments

    Type       Offset  Virtual Address  Physical Address  File Size  Memory Size  Entropy  Flags  Flags Description  Align   Prog Interpreter  Section Mappings
    LOAD       0x0     0x8000           0x8000            0x54ff     0x54ff       4.0354   0x5    R E                0x8000
    LOAD       0x3fb0  0x1bfb0          0x1bfb0           0x0        0x0          0.0000   0x6    RW                 0x8000
    GNU_STACK  0x0     0x0              0x0               0x0        0x0          0.0000   0x7    RWE                0x4

    Network Behavior

    Network Port Distribution

    TCP Packets

    Timestamp                             Source Port  Dest Port  Source IP        Dest IP
    Jul 22, 2021 11:22:31.587187052 CEST  23           35736      97.102.228.248   192.168.2.20
    Jul 22, 2021 11:22:31.587426901 CEST  35736        23         192.168.2.20     97.102.228.248
    Jul 22, 2021 11:22:33.290884018 CEST  23           35430      198.190.127.107  192.168.2.20
    Jul 22, 2021 11:22:33.361558914 CEST  23           34726      112.46.77.51     192.168.2.20
    Jul 22, 2021 11:22:33.362967968 CEST  34726        23         192.168.2.20     112.46.77.51
    Jul 22, 2021 11:22:45.267564058 CEST  23           41218      222.121.38.185   192.168.2.20
    Jul 22, 2021 11:22:45.267594099 CEST  23           41218      222.121.38.185   192.168.2.20
    Jul 22, 2021 11:22:45.267724991 CEST  41218        23         192.168.2.20     222.121.38.185
    Jul 22, 2021 11:22:45.267750978 CEST  41218        23         192.168.2.20     222.121.38.185
    Jul 22, 2021 11:22:49.510235071 CEST  23           43022      142.11.15.29     192.168.2.20
    Jul 22, 2021 11:22:52.448921919 CEST  23           36548      223.100.19.169   192.168.2.20
    Jul 22, 2021 11:22:52.449203014 CEST  36548        23         192.168.2.20     223.100.19.169
    Jul 22, 2021 11:23:50.923043966 CEST  23           52060      117.175.152.205  192.168.2.20
    Jul 22, 2021 11:23:50.923300028 CEST  52060        23         192.168.2.20     117.175.152.205

    System Behavior

    General

    Start time: 11:22:28
    Start date: 22/07/2021
    Path: /tmp/VVrYWZ9mzZ
    Arguments: /usr/bin/qemu-arm /tmp/VVrYWZ9mzZ
    File size: 22132 bytes
    MD5 hash: 28ae443f54fdb93adc756778ad76ef90