Linux Analysis Report oZ1FoDBdOx

ID:	510744
Product:	CloudBasic
Start time:	07:50:59
Start date:	28.10.2021
Sample:	oZ1FoDBdOx
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Architecture:	LINUX
MD5:	28893f786914b612e5c94013373ffd9b
SHA1:	5f123978f2b5354d7004c1b362de7231c65b11c8
SHA256:	41a9c832ca44e83c24b1bbbccdcc5a5b832a0446020f0d7a30ef4c90a73534fc
Filetype:	ELF Executable and Linkable format (generic) (4004/1) 100.00%

Name	Type	MD5	SHA1	SHA256

AV Detection:

Multi AV Scanner detection for submitted file

Source: oZ1FoDBdOx	Virustotal: Detection: 57%			Perma Link
Source: oZ1FoDBdOx	ReversingLabs: Detection: 57%

System Summary:

Sample contains symbols with file path information

Source: ELF static info symbol of initial sample	FILE: /home/firmware/build/temp-sh4/gcc-core/gcc/config/sh/lib1funcs.asm
Source: ELF static info symbol of initial sample	FILE: /home/firmware/build/temp-sh4/gcc-core/gcc/config/sh/lib1funcs.asm
Source: ELF static info symbol of initial sample	FILE: /home/firmware/build/temp-sh4/gcc-core/gcc/config/sh/lib1funcs.asm
Source: ELF static info symbol of initial sample	FILE: libc/string/sh/sh4/memcpy.S
Source: ELF static info symbol of initial sample	FILE: libc/sysdeps/linux/sh/crt1.S
Source: ELF static info symbol of initial sample	FILE: libc/sysdeps/linux/sh/crti.S
Source: ELF static info symbol of initial sample	FILE: libc/sysdeps/linux/sh/crtn.S
Source: ELF static info symbol of initial sample	FILE: libc/sysdeps/linux/sh/vfork.S

Classification label

Source: classification engine

Classification label: mal48.lin@0/0@0/0

Found detection on Joe Sandbox Cloud Basic with higher score

Source: oZ1FoDBdOx

Joe Sandbox Cloud Basic: Detection: clean Score: 0

Perma Link

Malware Analysis System Evasion:

Uses the "uname" system call to query kernel version information (possible evasion)

Source: /tmp/oZ1FoDBdOx (PID: 5297)

Queries kernel information via 'uname':

Jump to behavior

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: oZ1FoDBdOx, 5297.1.00000000a6705690.0000000068b1c85c.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-sh4/tmp/oZ1FoDBdOxSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/oZ1FoDBdOx
Source: oZ1FoDBdOx, 5297.1.00000000a6705690.0000000068b1c85c.rw-.sdmp	Binary or memory string: /usr/bin/qemu-sh4
Source: oZ1FoDBdOx, 5297.1.000000006166b501.00000000c51bd2cb.rw-.sdmp	Binary or memory string: U5!/etc/qemu-binfmt/sh4
Source: oZ1FoDBdOx, 5297.1.000000006166b501.00000000c51bd2cb.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/sh4