Linux Analysis Report VVrYWZ9mzZ
Overview
General Information
Sample Name: | VVrYWZ9mzZ |
Analysis ID: | 452446 |
MD5: | 28ae443f54fdb93adc756778ad76ef90 |
SHA1: | 61c196c94b176f71a5748e5910c9db9c03927e9e |
SHA256: | e00e03516a774d45197cbeac2e89b5d9a4df7849b6fd19e360ee72619ab6311d |
Tags: | 32armelfmirai |
Infos: |
Detection
Score: | 52 |
Range: | 0 - 100 |
Whitelisted: | false |
Signatures
Multi AV Scanner detection for submitted file
Sample is packed with UPX
Sample contains only a LOAD segment without any section mappings
Uses the "uname" system call to query kernel version information (possible evasion)
Classification
Analysis Advice |
---|
Non-zero exit code suggests an error during the execution. Lookup the error code for hints. |
Static ELF header machine description suggests that the sample might not execute correctly on this machine |
Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures |
General Information |
---|
Joe Sandbox Version: | 33.0.0 White Diamond |
Analysis ID: | 452446 |
Start date: | 22.07.2021 |
Start time: | 11:21:56 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 4m 6s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | VVrYWZ9mzZ |
Cookbook file name: | defaultlinuxfilecookbook.jbs |
Analysis system description: | Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 59.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171) |
Analysis Mode: | default |
Detection: | MAL |
Classification: | mal52.evad.lin@0/0@0/0 |
Process Tree |
---|
Yara Overview |
---|
No yara matches |
---|
Jbx Signature Overview |
---|
AV Detection: |
---|
Multi AV Scanner detection for submitted file |
Source: | Virustotal |
Source: | ReversingLabs |
Source: | TCP traffic detected without corresponding DNS query: |
Source: | TCP traffic detected without corresponding DNS query: |
Source: | TCP traffic detected without corresponding DNS query: |
Source: | TCP traffic detected without corresponding DNS query: |
Source: | TCP traffic detected without corresponding DNS query: |
Source: | TCP traffic detected without corresponding DNS query: |
Source: | String found in binary or memory: |
Source: | Program segment: |
Source: | Classification label: |
Data Obfuscation: |
---|
Sample is packed with UPX |
Source: | String containing UPX found: |
Source: | String containing UPX found: |
Source: | String containing UPX found: |
Source: | Queries kernel information via 'uname': |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation | Path Interception | Path Interception | Obfuscated Files or Information1 | OS Credential Dumping | Security Software Discovery1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Malware Configuration |
---|
No configs have been found |
---|
Behavior Graph |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label |
---|---|---|---|
| 26% | Virustotal | |
| 33% | ReversingLabs | Linux.Trojan.Mirai |
Dropped Files |
---|
No Antivirus matches |
---|
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
No Antivirus matches |
---|
Domains and IPs |
---|
Contacted Domains |
---|
No contacted domains info |
---|
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | high |
Contacted IPs |
---|
Public |
---|
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
97.102.228.248 | unknown | United States | 33363 | BHN-33363US | false |
112.46.77.51 | unknown | China | 140105 | CMNET-SNIDC-CN-APShaanxiMobileCommunicationCompanyLimit | false |
223.100.19.169 | unknown | China | 56044 | CMNET-AS-LIAONINGChinaMobilecommunicationscorporationC | false |
222.121.38.185 | unknown | Korea Republic of | 4766 | KIXS-AS-KRKoreaTelecomKR | false |
117.175.152.205 | unknown | China | 9808 | CMNET-GDGuangdongMobileCommunicationCoLtdCN | false |
Runtime Messages |
---|
Command: | /tmp/VVrYWZ9mzZ |
Exit Code: | 127 |
Exit Code Info: | |
Killed: | False |
Standard Output: | |
Standard Error: |
Joe Sandbox View / Context |
---|
IPs |
---|
No context |
---|
Domains |
---|
No context |
---|
ASN |
---|
Match | Associated Samples (names and SHA 256 hashes not extracted) | Detection |
---|---|---|
BHN-33363US | 20 samples | malicious |
CMNET-AS-LIAONINGChinaMobilecommunicationscorporationC | 8 samples | malicious |
KIXS-AS-KRKoreaTelecomKR | 20 samples | malicious |
JA3 Fingerprints |
---|
No context |
---|
Dropped Files |
---|
No context |
---|
Created / dropped Files |
---|
No created / dropped files found |
---|
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 7.917436227483886 |
TrID: | |
File name: | VVrYWZ9mzZ |
File size: | 22132 |
MD5: | 28ae443f54fdb93adc756778ad76ef90 |
SHA1: | 61c196c94b176f71a5748e5910c9db9c03927e9e |
SHA256: | e00e03516a774d45197cbeac2e89b5d9a4df7849b6fd19e360ee72619ab6311d |
SHA512: | 889bf93b674a86fd49f4fd9e06959272d553930cb623914b4babfddba66d5fca1c3baa41eb36c6ff4125a583042a88d9f122c70b441dd543f73550321a23498b |
SSDEEP: | 384:YAmog4c6L5i4+stIW01vhQIE2TQKMpI8QwxZVFjfPnSb9khymdGUop5hX0:Ypoh/DxCvhdR4IjWVFbSKs3UozJ0 |
File Content Preview: | .ELF...a..........(.....P...4...........4. ...(......................T...T...............?..........................Q.td..............................CvUPX!........X...X.......q..........?.E.h;.}...^.......+P.f.qY@......}6N.h.......X...|.?..E(...p....h..] |
Static ELF Info |
---|
ELF header | |
---|---|
Class: | |
Data: | |
Version: | |
Machine: | |
Version Number: | |
Type: | |
OS/ABI: | |
ABI Version: | |
Entry Point Address: | |
Flags: | |
ELF Header Size: | |
Program Header Offset: | |
Program Header Size: | |
Number of Program Headers: | |
Section Header Offset: | |
Section Header Size: | |
Number of Section Headers: | |
Header String Table Index: |
Program Segments |
---|
Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings |
---|---|---|---|---|---|---|---|---|---|---|---|
LOAD | 0x0 | 0x8000 | 0x8000 | 0x54ff | 0x54ff | 4.0354 | 0x5 | R E | 0x8000 | | |
LOAD | 0x3fb0 | 0x1bfb0 | 0x1bfb0 | 0x0 | 0x0 | 0.0000 | 0x6 | RW | 0x8000 | | |
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x7 | RWE | 0x4 | | |
Network Behavior |
---|
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jul 22, 2021 11:22:31.587187052 CEST | 23 | 35736 | 97.102.228.248 | 192.168.2.20 |
Jul 22, 2021 11:22:31.587426901 CEST | 35736 | 23 | 192.168.2.20 | 97.102.228.248 |
Jul 22, 2021 11:22:33.290884018 CEST | 23 | 35430 | 198.190.127.107 | 192.168.2.20 |
Jul 22, 2021 11:22:33.361558914 CEST | 23 | 34726 | 112.46.77.51 | 192.168.2.20 |
Jul 22, 2021 11:22:33.362967968 CEST | 34726 | 23 | 192.168.2.20 | 112.46.77.51 |
Jul 22, 2021 11:22:45.267564058 CEST | 23 | 41218 | 222.121.38.185 | 192.168.2.20 |
Jul 22, 2021 11:22:45.267594099 CEST | 23 | 41218 | 222.121.38.185 | 192.168.2.20 |
Jul 22, 2021 11:22:45.267724991 CEST | 41218 | 23 | 192.168.2.20 | 222.121.38.185 |
Jul 22, 2021 11:22:45.267750978 CEST | 41218 | 23 | 192.168.2.20 | 222.121.38.185 |
Jul 22, 2021 11:22:49.510235071 CEST | 23 | 43022 | 142.11.15.29 | 192.168.2.20 |
Jul 22, 2021 11:22:52.448921919 CEST | 23 | 36548 | 223.100.19.169 | 192.168.2.20 |
Jul 22, 2021 11:22:52.449203014 CEST | 36548 | 23 | 192.168.2.20 | 223.100.19.169 |
Jul 22, 2021 11:23:50.923043966 CEST | 23 | 52060 | 117.175.152.205 | 192.168.2.20 |
Jul 22, 2021 11:23:50.923300028 CEST | 52060 | 23 | 192.168.2.20 | 117.175.152.205 |
System Behavior |
---|
General |
---|
Start time: | 11:22:28 |
Start date: | 22/07/2021 |
Path: | /tmp/VVrYWZ9mzZ |
Arguments: | /usr/bin/qemu-arm /tmp/VVrYWZ9mzZ |
File size: | 22132 bytes |
MD5 hash: | 28ae443f54fdb93adc756778ad76ef90 |