
Linux Analysis Report 7EUcDDmmRE

Overview

General Information

Sample Name:7EUcDDmmRE
Analysis ID:452455
MD5:ec4637f5d716f29fd464b15e1c499a5a
SHA1:b02af8052352d60b686b3224192f132be747e331
SHA256:737429af897437fc5315d8861d92502477a801bcd59526f10f30d78b96d88b0a
Tags: 32, arm, elf, mirai

Detection

Score:52
Range:0 - 100
Whitelisted:false

Signatures

Multi AV Scanner detection for submitted file
Sample is packed with UPX
Sample contains only a LOAD segment without any section mappings
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Analysis Advice

Exit code information suggests that the sample terminated abnormally; try to look up the sample's target architecture
A non-zero exit code suggests an error during execution. Look up the error code for hints.
Static ELF header machine description suggests that the sample might not execute correctly on this machine
Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures

General Information

Joe Sandbox Version:33.0.0 White Diamond
Analysis ID:452455
Start date:22.07.2021
Start time:11:36:52
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 5m 59s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:7EUcDDmmRE
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 59.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
Analysis Mode:default
Detection:MAL
Classification:mal52.evad.lin@0/2@0/0

Process Tree

  • system is lnxubuntu1
  • 7EUcDDmmRE (PID: 4588, Parent: 4518, MD5: ec4637f5d716f29fd464b15e1c499a5a) Arguments: /usr/bin/qemu-arm /tmp/7EUcDDmmRE
  • upstart New Fork (PID: 4607, Parent: 3310)
  • sh (PID: 4607, Parent: 3310, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -e /proc/self/fd/9
    • sh New Fork (PID: 4608, Parent: 4607)
    • date (PID: 4608, Parent: 4607, MD5: 54903b613f9019bfca9f5d28a4fff34e) Arguments: date
    • sh New Fork (PID: 4611, Parent: 4607)
    • apport-checkreports (PID: 4611, Parent: 4607, MD5: 1a7d84ebc34df04e55ca3723541f48c9) Arguments: /usr/bin/python3 /usr/share/apport/apport-checkreports --system
  • upstart New Fork (PID: 4634, Parent: 3310)
  • sh (PID: 4634, Parent: 3310, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -e /proc/self/fd/9
    • sh New Fork (PID: 4642, Parent: 4634)
    • date (PID: 4642, Parent: 4634, MD5: 54903b613f9019bfca9f5d28a4fff34e) Arguments: date
    • sh New Fork (PID: 4644, Parent: 4634)
    • apport-gtk (PID: 4644, Parent: 4634, MD5: ec58a49a30ef6a29406a204f28cc7d87) Arguments: /usr/bin/python3 /usr/share/apport/apport-gtk
  • upstart New Fork (PID: 4661, Parent: 3310)
  • sh (PID: 4661, Parent: 3310, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -e /proc/self/fd/9
    • sh New Fork (PID: 4662, Parent: 4661)
    • date (PID: 4662, Parent: 4661, MD5: 54903b613f9019bfca9f5d28a4fff34e) Arguments: date
    • sh New Fork (PID: 4663, Parent: 4661)
    • apport-gtk (PID: 4663, Parent: 4661, MD5: ec58a49a30ef6a29406a204f28cc7d87) Arguments: /usr/bin/python3 /usr/share/apport/apport-gtk
  • cleanup

Yara Overview

No yara matches

Jbx Signature Overview


AV Detection:

Multi AV Scanner detection for submitted file
Source: 7EUcDDmmRE | Virustotal: Detection: 41%
Source: 7EUcDDmmRE | ReversingLabs: Detection: 40%
Source: 7EUcDDmmRE | String found in binary or memory: http://upx.sf.net
Source: LOAD without section mappings | Program segment: 0x8000
Source: classification engine | Classification label: mal52.evad.lin@0/2@0/0

Data Obfuscation:

Sample is packed with UPX
Source: initial sample | String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample | String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample | String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $

Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/7EUcDDmmRE (PID: 4588) | Queries kernel information via 'uname'
Source: /usr/share/apport/apport-gtk (PID: 4644) | Queries kernel information via 'uname'
Source: /usr/share/apport/apport-gtk (PID: 4663) | Queries kernel information via 'uname'

Mitre Att&ck Matrix

Tactic: Technique (number in parentheses is the count of matched signatures; tactics without a number had no match)

  • Initial Access: Valid Accounts
  • Execution: Windows Management Instrumentation
  • Persistence: Path Interception
  • Privilege Escalation: Path Interception
  • Defense Evasion: Obfuscated Files or Information (1)
  • Credential Access: OS Credential Dumping
  • Discovery: Security Software Discovery (1)
  • Lateral Movement: Remote Services
  • Collection: Data from Local System
  • Exfiltration: Exfiltration Over Other Network Medium
  • Command and Control: Data Obfuscation
  • Network Effects: Eavesdrop on Insecure Network Communication
  • Remote Service Effects: Remotely Track Device Without Authorization
  • Impact: Modify System Partition

Malware Configuration

No configs have been found

Behavior Graph

[Behavior graph not reproduced. Behavior Graph ID: 452455, Sample: 7EUcDDmmRE, Start date: 22/07/2021, Architecture: LINUX, Score: 52. The graph attaches the signatures "Multi AV Scanner detection for submitted file" and "Sample is packed with UPX" to the sample node; the process nodes (7EUcDDmmRE, three upstart/sh children each starting date and apport-checkreports or apport-gtk) match the Process Tree above.]

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source     | Detection | Scanner       | Label
7EUcDDmmRE | 41%       | Virustotal    |
7EUcDDmmRE | 40%       | ReversingLabs | Linux.Trojan.Mirai

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name              | Source     | Malicious | Antivirus Detection | Reputation
http://upx.sf.net | 7EUcDDmmRE | false     |                     | high

Contacted IPs

No contacted IP info

Runtime Messages

Command:/tmp/7EUcDDmmRE
Exit Code:139
Exit Code Info:SIGSEGV (11) Segmentation fault invalid memory reference
Killed:False
Standard Output:

Standard Error:qemu: uncaught target signal 11 (Segmentation fault) - core dumped

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

/var/crash/_usr_share_apport_apport-checkreports.1000.crash
Process:/usr/share/apport/apport-checkreports
File Type:ASCII text
Category:dropped
Size (bytes):14915
Entropy (8bit):4.687533212555657
Encrypted:false
SSDEEP:96:G8ck5w+6bplfn4RPfnw4AsKaRdfbvD+HPeKS+muJLOuPWEc+PI9d4YXrM:G/ARPfnw4AsDR8PeD+m2PWEc+PILhbM
MD5:32D9EBEF40AA72B72A288B28D4B4DDA2
SHA1:5F6D01001F61456508137C5B08C4750118258D48
SHA-256:AA4FF4D879538ED4B8615C1D6F3A6EE3918EF8C47E9C836907E0C817032550A6
SHA-512:5D84FDED4D780128BADC42F9159074E763F53F59FE0AAFBDBD9C66F96A988FC6DA8361F74B5C7918D08340F822A4885BDD88BA772F27CB3D45FC10CB399148BB
Malicious:false
Reputation:low
Preview: ProblemType: Crash.Date: Thu Jul 22 13:37:25 2021.ExecutablePath: /usr/share/apport/apport-checkreports.ExecutableTimestamp: 1514927430.InterpreterPath: /usr/bin/python3.5.ProcCmdline: /usr/bin/python3 /usr/share/apport/apport-checkreports --system.ProcCwd: /home/user.ProcEnviron:. LANGUAGE=en_US. PATH=(custom, user). XDG_RUNTIME_DIR=<set>. LANG=en_US.UTF-8. SHELL=/bin/bash.ProcMaps:. 00400000-007a9000 r-xp 00000000 fc:00 217 /usr/bin/python3.5. 009a9000-009ab000 r--p 003a9000 fc:00 217 /usr/bin/python3.5. 009ab000-00a42000 rw-p 003ab000 fc:00 217 /usr/bin/python3.5. 00a42000-00a73000 rw-p 00000000 00:00 0 . 00d47000-0109f000 rw-p 00000000 00:00 0 [heap]. 7fb3dfb6a000-7fb3dfceb000 rw-p 00000000 00:00 0 . 7fb3dfceb000-7fb3dfd02000 r-xp 00000000 fc:00 2382 /usr/lib/x86_64-linux-gnu/liblz4.so.1.7.1. 7fb3dfd02000-7fb3dff01000 ---p 00017000 fc:0

/var/crash/_usr_share_apport_apport-gtk.1000.crash
Process:/usr/share/apport/apport-gtk
File Type:ASCII text
Category:dropped
Size (bytes):47094
Entropy (8bit):4.4957982542122705
Encrypted:false
SSDEEP:768:Ki2/4/l/a/J/YYp1a72U7wn4IwxP4MBJ+Cge://l/a/J/bU7FIwxP4MBJ+Cge
MD5:0213F864224D719E30773752FB0B2F7F
SHA1:E68B244F8658B304A95C3CEB75A64C3E670252BF
SHA-256:24B8DB0263CBF2D8B22C1E772221538A06BE5E1E39C38A9068771D44EBEE2B9C
SHA-512:EB2D76C08BDCEE0DB116EA71CF2893B804D46CF1E2B8FE3224F6B5F07A9B65FC93CE190F342A192AA5CB9920FF2344511977C10B9B4C0A6406F53B577FA1FE57
Malicious:false
Reputation:low
Preview: ProblemType: Crash.Date: Thu Jul 22 13:37:25 2021.ExecutablePath: /usr/share/apport/apport-gtk.ExecutableTimestamp: 1514927430.InterpreterPath: /usr/bin/python3.5.ProcCmdline: /usr/bin/python3 /usr/share/apport/apport-gtk.ProcCwd: /home/user.ProcEnviron:. LANGUAGE=en_US. PATH=(custom, user). XDG_RUNTIME_DIR=<set>. LANG=en_US.UTF-8. SHELL=/bin/bash.ProcMaps:. 00400000-007a9000 r-xp 00000000 fc:00 217 /usr/bin/python3.5. 009a9000-009ab000 r--p 003a9000 fc:00 217 /usr/bin/python3.5. 009ab000-00a42000 rw-p 003ab000 fc:00 217 /usr/bin/python3.5. 00a42000-00a73000 rw-p 00000000 00:00 0 . 01699000-01bba000 rw-p 00000000 00:00 0 [heap]. 7f1d0b594000-7f1d0b694000 rw-p 00000000 00:00 0 . 7f1d0b694000-7f1d0b6ab000 r-xp 00000000 fc:00 2382 /usr/lib/x86_64-linux-gnu/liblz4.so.1.7.1. 7f1d0b6ab000-7f1d0b8aa000 ---p 00017000 fc:00 2382

Static File Info

General

File type:ELF 32-bit LSB executable, ARM, EABI4 version 1 (GNU/Linux), statically linked, stripped
Entropy (8bit):7.94626883299982
TrID:
• ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:7EUcDDmmRE
File size:29464
MD5:ec4637f5d716f29fd464b15e1c499a5a
SHA1:b02af8052352d60b686b3224192f132be747e331
SHA256:737429af897437fc5315d8861d92502477a801bcd59526f10f30d78b96d88b0a
SHA512:378d232e9e4c5834bfb4ce7f9117d83a90f4fcc7abe3d98c58eed05622e54c78e4d71a4e68502e735f1301c1b4b31b9afa8be45004eb877ab4f5fd59bf69be27
SSDEEP:768:vusHfRavjynNKnjFcZIhQzhKMXgj9q3UEL7v:HRwynNIOQQ1KMwiL7
File Content Preview:.ELF..............(.........4...........4. ...(......................q...q...............'...'...'..................Q.td...............................OUPX!....................S..........?.E.h;....#..$..1)....tX....K.....E...%.FF..7.|.l]Z... ._......+.. .

Static ELF Info

ELF header

Class:ELF32
Data:2's complement, little endian
Version:1 (current)
Machine:ARM
Version Number:0x1
Type:EXEC (Executable file)
OS/ABI:UNIX - Linux
ABI Version:0
Entry Point Address:0xe000
Flags:0x4000002
ELF Header Size:52
Program Header Offset:52
Program Header Size:32
Number of Program Headers:3
Section Header Offset:0
Section Header Size:40
Number of Section Headers:0
Header String Table Index:0

Program Segments

Type      | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align  | Prog Interpreter | Section Mappings
LOAD      | 0x0    | 0x8000          | 0x8000           | 0x71ed    | 0x71ed      | 4.0285  | 0x5   | R E               | 0x8000 |                  |
LOAD      | 0x2780 | 0x22780         | 0x22780          | 0x0       | 0x0         | 0.0000  | 0x6   | RW                | 0x8000 |                  |
GNU_STACK | 0x0    | 0x0             | 0x0              | 0x0       | 0x0         | 0.0000  | 0x7   | RWE               | 0x4    |                  |

Network Behavior

No network behavior found

System Behavior