Linux Analysis Report 4wA5neDGrq

ID:	510749
Product:	CloudBasic
Start time:	08:02:15
Start date:	28.10.2021
Sample:	4wA5neDGrq
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Architecture:	LINUX
MD5:	00d772fea556f873bef2ce8e1b0cbb78
SHA1:	4bf5cde6a09bca30565f42e9ef02168aae0cde20
SHA256:	22f50f9e41244e3ff07a7c175242d03e3d7e5c53eeafeb2cf2b5f05a48ecff72
Filetype:	ELF Executable and Linkable format (generic) (4004/1) 100.00%

Name	Type	MD5	SHA1	SHA256
/var/cache/motd-news	ASCII text	DD514F892B5F93ED615D366E58AC58AF	BA75EDB3C2232CC260BC187F604DC8F25AA72C11	F40D0DCE6E83DF74109FEF5E68E51CC255727783EEAE04C3E34677E23F7552CF

AV Detection:

Antivirus / Scanner detection for submitted sample

Source: 4wA5neDGrq

Avira: detected

Multi AV Scanner detection for submitted file

Source: 4wA5neDGrq	Virustotal: Detection: 59%			Perma Link
Source: 4wA5neDGrq	ReversingLabs: Detection: 61%

Networking:

URLs found in memory or binary data

Source: motd-news.15.dr

String found in binary or memory: https://ubuntu.com/blog/microk8s-memory-optimisation

System Summary:

Sample contains symbols with file path information

Source: ELF static info symbol of initial sample	FILE: /home/landley/work/ab7/build/temp-armv6l/gcc-core/gcc/config/arm/lib1funcs.asm
Source: ELF static info symbol of initial sample	FILE: /home/landley/work/ab7/build/temp-armv6l/gcc-core/gcc/config/arm/lib1funcs.asm
Source: ELF static info symbol of initial sample	FILE: /home/landley/work/ab7/build/temp-armv6l/gcc-core/gcc/config/arm/lib1funcs.asm
Source: ELF static info symbol of initial sample	FILE: /home/landley/work/ab7/build/temp-armv6l/gcc-core/gcc/config/arm/lib1funcs.asm
Source: ELF static info symbol of initial sample	FILE: /home/landley/work/ab7/build/temp-armv6l/gcc-core/gcc/config/arm/lib1funcs.asm
Source: ELF static info symbol of initial sample	FILE: /home/landley/work/ab7/build/temp-armv6l/gcc-core/gcc/config/arm/lib1funcs.asm
Source: ELF static info symbol of initial sample	FILE: /home/landley/work/ab7/build/temp-armv6l/gcc-core/gcc/config/arm/lib1funcs.asm

Classification label

Source: classification engine

Classification label: mal56.lin@0/1@0/0

Found detection on Joe Sandbox Cloud Basic with higher score

Source: 4wA5neDGrq

Joe Sandbox Cloud Basic: Detection: clean Score: 0

Perma Link

Persistence and Installation Behavior:

Executes the "rm" command used to delete files or directories

Source: /usr/bin/dash (PID: 5212)

Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.USJYxzaCuE /tmp/tmp.T3hUP4mjcM /tmp/tmp.wRaDNMdR2W

Jump to behavior

Malware Analysis System Evasion:

Uses the "uname" system call to query kernel version information (possible evasion)

Source: /tmp/4wA5neDGrq (PID: 5263)

Queries kernel information via 'uname':

Jump to behavior

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: 4wA5neDGrq, 5263.1.00000000cc99f7b8.0000000039f489a9.rw-.sdmp	Binary or memory string: O}x86_64/usr/bin/qemu-arm/tmp/4wA5neDGrqSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/4wA5neDGrq
Source: 4wA5neDGrq, 5263.1.00000000e42f88d3.0000000003b9e0e5.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: 4wA5neDGrq, 5263.1.00000000e42f88d3.0000000003b9e0e5.rw-.sdmp	Binary or memory string: V!/etc/qemu-binfmt/arm
Source: 4wA5neDGrq, 5263.1.00000000cc99f7b8.0000000039f489a9.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm