Play interactive tourEdit tour
Linux Analysis Report fVNp9NC9l9
Overview
General Information
Sample Name: | fVNp9NC9l9 |
Analysis ID: | 491760 |
MD5: | 3ad11448f98fc08e6c1107c4327ab97f |
SHA1: | 9c0d1819f9b9292119560e21b8d2ff4c2f66316d |
SHA256: | 40b4a8e91427b81ee97fb43a56edce02dce93f88a6c55ad698c50693fb069f6b |
Tags: | 32elfintel |
Infos: |
Detection
Mirai
Score: | 60 |
Range: | 0 - 100 |
Whitelisted: | false |
Signatures
Multi AV Scanner detection for submitted file
Yara detected Mirai
Opens /proc/net/* files useful for finding connected devices and routers
Sample contains only a LOAD segment without any section mappings
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Detected TCP or UDP traffic on non-standard ports
Classification
Analysis Advice |
---|
All HTTP servers contacted by the sample do not answer. Likely the sample is an old dropper which does no longer work |
General Information |
---|
Joe Sandbox Version: | 33.0.0 White Diamond |
Analysis ID: | 491760 |
Start date: | 27.09.2021 |
Start time: | 21:33:29 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 6m 19s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | fVNp9NC9l9 |
Cookbook file name: | defaultlinuxfilecookbook.jbs |
Analysis system description: | Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11) |
Analysis Mode: | default |
Detection: | MAL |
Classification: | mal60.spre.troj.lin@0/0@0/0 |
Process Tree |
---|
|
Yara Overview |
---|
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security | ||
JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security |
Jbx Signature Overview |
---|
Click to jump to signature section
Show All Signature Results
AV Detection: |
---|
Multi AV Scanner detection for submitted file | Show sources |
Source: | Virustotal: | Perma Link | ||
Source: | ReversingLabs: |
Spreading: |
---|
Opens /proc/net/* files useful for finding connected devices and routers | Show sources |
Source: | Opens: | Jump to behavior |
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: |
Source: | TCP traffic: |
Source: | Network traffic detected: | ||
Source: | Network traffic detected: |
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: |
Source: | Program segment: |
Source: | Classification label: |
Stealing of Sensitive Information: |
---|
Yara detected Mirai | Show sources |
Source: | File source: | ||
Source: | File source: |
Remote Access Functionality: |
---|
Yara detected Mirai | Show sources |
Source: | File source: | ||
Source: | File source: |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation | Path Interception | Path Interception | Direct Volume Access | OS Credential Dumping | Remote System Discovery1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Rootkit | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Malware Configuration |
---|
No configs have been found |
---|
Behavior Graph |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
28% | Virustotal | Browse | ||
46% | ReversingLabs | Linux.Trojan.Gafgyt |
Dropped Files |
---|
No Antivirus matches |
---|
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
No Antivirus matches |
---|
Domains and IPs |
---|
Contacted Domains |
---|
No contacted domains info |
---|
Contacted IPs |
---|
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
Public |
---|
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
45.142.182.126 | unknown | Germany | 207959 | XSSERVERNL | false | |
109.202.202.202 | unknown | Switzerland | 13030 | INIT7CH | false | |
91.189.91.43 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false | |
91.189.91.42 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false |
Runtime Messages |
---|
Command: | /tmp/fVNp9NC9l9 |
Exit Code: | 0 |
Exit Code Info: | |
Killed: | False |
Standard Output: | |
Standard Error: |
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
45.142.182.126 | Get hash | malicious | Browse | ||
109.202.202.202 | Get hash | malicious | Browse | ||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
91.189.91.43 | Get hash | malicious | Browse | ||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
91.189.91.42 | Get hash | malicious | Browse | ||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse |
Domains |
---|
No context |
---|
ASN |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
CANONICAL-ASGB | Get hash | malicious | Browse |
| |
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
INIT7CH | Get hash | malicious | Browse |
| |
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
XSSERVERNL | Get hash | malicious | Browse |
| |
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
|
JA3 Fingerprints |
---|
No context |
---|
Dropped Files |
---|
No context |
---|
Created / dropped Files |
---|
No created / dropped files found |
---|
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 7.9515207570063025 |
TrID: |
|
File name: | fVNp9NC9l9 |
File size: | 34108 |
MD5: | 3ad11448f98fc08e6c1107c4327ab97f |
SHA1: | 9c0d1819f9b9292119560e21b8d2ff4c2f66316d |
SHA256: | 40b4a8e91427b81ee97fb43a56edce02dce93f88a6c55ad698c50693fb069f6b |
SHA512: | ff879410a10cf41d7e6e36a53f03144bf86430e4da7f8601db78b370cb37e8a223aa2c415da1f526eaaf3ad412bcccadaff49ea8e399ba2cf5d91545c507e070 |
SSDEEP: | 768:eyIuM3Lc1tCjtmSPI6QfSxDBY1T0B1Ki9VVDkekKnnbcuyD7UryqK:Rm3Lc/Cjfya9BYV81Ki9HASnouy8mqK |
File Content Preview: | .ELF....................P...4...........4. ...(.....................D...D................................)..........Q.td.............................4.IYTS..........T...T......U..........?..k.I/.j....\.d*nlz.ed..8.H........{....Ax..m.....M..w.f1...F.$v.C. |
Static ELF Info |
---|
ELF header | |
---|---|
Class: | |
Data: | |
Version: | |
Machine: | |
Version Number: | |
Type: | |
OS/ABI: | |
ABI Version: | |
Entry Point Address: | |
Flags: | |
ELF Header Size: | |
Program Header Offset: | |
Program Header Size: | |
Number of Program Headers: | |
Section Header Offset: | |
Section Header Size: | |
Number of Section Headers: | |
Header String Table Index: |
Program Segments |
---|
Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings |
---|---|---|---|---|---|---|---|---|---|---|---|
LOAD | 0x0 | 0x8048000 | 0x8048000 | 0x8444 | 0x8444 | 4.0868 | 0x5 | R E | 0x1000 | ||
LOAD | 0x0 | 0x8051000 | 0x8051000 | 0x0 | 0x129e4 | 0.0000 | 0x6 | RW | 0x1000 | ||
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x6 | RW | 0x4 |
Network Behavior |
---|
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Sep 27, 2021 21:34:11.307121038 CEST | 49078 | 666 | 192.168.2.23 | 45.142.182.126 |
Sep 27, 2021 21:34:11.336841106 CEST | 666 | 49078 | 45.142.182.126 | 192.168.2.23 |
Sep 27, 2021 21:34:11.337037086 CEST | 49078 | 666 | 192.168.2.23 | 45.142.182.126 |
Sep 27, 2021 21:34:11.337081909 CEST | 49078 | 666 | 192.168.2.23 | 45.142.182.126 |
Sep 27, 2021 21:34:11.368654966 CEST | 666 | 49078 | 45.142.182.126 | 192.168.2.23 |
Sep 27, 2021 21:34:12.886091948 CEST | 42836 | 443 | 192.168.2.23 | 91.189.91.43 |
Sep 27, 2021 21:34:13.654074907 CEST | 42516 | 80 | 192.168.2.23 | 109.202.202.202 |
Sep 27, 2021 21:34:28.244738102 CEST | 43928 | 443 | 192.168.2.23 | 91.189.91.42 |
Sep 27, 2021 21:34:38.483761072 CEST | 42836 | 443 | 192.168.2.23 | 91.189.91.43 |
Sep 27, 2021 21:34:44.627091885 CEST | 42516 | 80 | 192.168.2.23 | 109.202.202.202 |
Sep 27, 2021 21:34:53.205741882 CEST | 666 | 49078 | 45.142.182.126 | 192.168.2.23 |
Sep 27, 2021 21:34:53.205972910 CEST | 49078 | 666 | 192.168.2.23 | 45.142.182.126 |
Sep 27, 2021 21:34:53.235960960 CEST | 666 | 49078 | 45.142.182.126 | 192.168.2.23 |
Sep 27, 2021 21:34:53.236119986 CEST | 49078 | 666 | 192.168.2.23 | 45.142.182.126 |
Sep 27, 2021 21:35:09.200719118 CEST | 43928 | 443 | 192.168.2.23 | 91.189.91.42 |
Sep 27, 2021 21:35:29.678694010 CEST | 42836 | 443 | 192.168.2.23 | 91.189.91.43 |
Sep 27, 2021 21:35:53.210470915 CEST | 666 | 49078 | 45.142.182.126 | 192.168.2.23 |
Sep 27, 2021 21:35:53.210639000 CEST | 49078 | 666 | 192.168.2.23 | 45.142.182.126 |
Sep 27, 2021 21:35:53.240113974 CEST | 666 | 49078 | 45.142.182.126 | 192.168.2.23 |
Sep 27, 2021 21:35:53.240251064 CEST | 49078 | 666 | 192.168.2.23 | 45.142.182.126 |
Sep 27, 2021 21:36:53.214468956 CEST | 666 | 49078 | 45.142.182.126 | 192.168.2.23 |
Sep 27, 2021 21:36:53.214574099 CEST | 49078 | 666 | 192.168.2.23 | 45.142.182.126 |
Sep 27, 2021 21:36:53.243738890 CEST | 666 | 49078 | 45.142.182.126 | 192.168.2.23 |
Sep 27, 2021 21:36:53.243804932 CEST | 49078 | 666 | 192.168.2.23 | 45.142.182.126 |
System Behavior |
---|
General |
---|
Start time: | 21:34:09 |
Start date: | 27/09/2021 |
Path: | /tmp/fVNp9NC9l9 |
Arguments: | /tmp/fVNp9NC9l9 |
File size: | 34108 bytes |
MD5 hash: | 3ad11448f98fc08e6c1107c4327ab97f |
General |
---|
Start time: | 21:34:10 |
Start date: | 27/09/2021 |
Path: | /tmp/fVNp9NC9l9 |
Arguments: | n/a |
File size: | 34108 bytes |
MD5 hash: | 3ad11448f98fc08e6c1107c4327ab97f |
General |
---|
Start time: | 21:34:10 |
Start date: | 27/09/2021 |
Path: | /tmp/fVNp9NC9l9 |
Arguments: | n/a |
File size: | 34108 bytes |
MD5 hash: | 3ad11448f98fc08e6c1107c4327ab97f |