Linux Analysis Report Jqj1JC6iTV

ID:	534000
Product:	CloudBasic
Start time:	22:53:15
Start date:	04.12.2021
Sample:	Jqj1JC6iTV
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Architecture:	LINUX
MD5:	a4be9d3e291e0b17f10de9f3fdb85ead
SHA1:	f1071e7aaa97f3cc3df87e4f3ec349838aef7dac
SHA256:	bef4824bfac12133bcaf1526af2bff02d486e7dc6975b3153b12730aacebaad3
Filetype:	ELF Executable and Linkable format (generic) (4004/1) 100.00%

Name	Type	MD5	SHA1	SHA256

AV Detection:

Antivirus / Scanner detection for submitted sample

Source: Jqj1JC6iTV

Avira: detected

Multi AV Scanner detection for submitted file

Source: Jqj1JC6iTV	Virustotal: Detection: 56%			Perma Link
Source: Jqj1JC6iTV	ReversingLabs: Detection: 60%

Spreading:

Opens /proc/net/* files useful for finding connected devices and routers

Source: /tmp/Jqj1JC6iTV (PID: 5223)

Opens: /proc/net/route

Jump to behavior

Networking:

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.23:35716 -> 96.8.118.142:888

Uses HTTPS

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Connects to IPs without corresponding DNS lookups

Source: unknown	TCP traffic detected without corresponding DNS query: 96.8.118.142
Source: unknown	TCP traffic detected without corresponding DNS query: 96.8.118.142
Source: unknown	TCP traffic detected without corresponding DNS query: 96.8.118.142
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 96.8.118.142
Source: unknown	TCP traffic detected without corresponding DNS query: 96.8.118.142
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 96.8.118.142
Source: unknown	TCP traffic detected without corresponding DNS query: 96.8.118.142
Source: unknown	TCP traffic detected without corresponding DNS query: 96.8.118.142
Source: unknown	TCP traffic detected without corresponding DNS query: 96.8.118.142
Source: unknown	TCP traffic detected without corresponding DNS query: 96.8.118.142
Source: unknown	TCP traffic detected without corresponding DNS query: 96.8.118.142

System Summary:

Contains symbols with names commonly found in malware

Source: ELF static info symbol of initial sample

Name: vseattack

Classification label

Source: classification engine

Classification label: mal72.spre.troj.lin@0/0@0/0

Sample contains symbols with file path information

Source: ELF static info symbol of initial sample	FILE: libc/string/mips/memcpy.S
Source: ELF static info symbol of initial sample	FILE: libc/string/mips/memset.S
Source: ELF static info symbol of initial sample	FILE: libc/sysdeps/linux/mips/crt1.S
Source: ELF static info symbol of initial sample	FILE: libc/sysdeps/linux/mips/crti.S
Source: ELF static info symbol of initial sample	FILE: libc/sysdeps/linux/mips/crtn.S
Source: ELF static info symbol of initial sample	FILE: libc/sysdeps/linux/mips/pipe.S

Malware Analysis System Evasion:

Uses the "uname" system call to query kernel version information (possible evasion)

Source: /tmp/Jqj1JC6iTV (PID: 5223)

Queries kernel information via 'uname':

Jump to behavior

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: Jqj1JC6iTV, 5223.1.00000000f4be5f80.00000000b8e790cd.rw-.sdmp, Jqj1JC6iTV, 5225.1.00000000f4be5f80.00000000b8e790cd.rw-.sdmp, Jqj1JC6iTV, 5226.1.00000000f4be5f80.00000000b8e790cd.rw-.sdmp	Binary or memory string: TV!/etc/qemu-binfmt/mipsel
Source: Jqj1JC6iTV, 5223.1.00000000f4be5f80.00000000b8e790cd.rw-.sdmp, Jqj1JC6iTV, 5225.1.00000000f4be5f80.00000000b8e790cd.rw-.sdmp, Jqj1JC6iTV, 5226.1.00000000f4be5f80.00000000b8e790cd.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mipsel
Source: Jqj1JC6iTV, 5223.1.00000000584e6fdf.00000000c927f8c0.rw-.sdmp, Jqj1JC6iTV, 5225.1.00000000584e6fdf.00000000c927f8c0.rw-.sdmp, Jqj1JC6iTV, 5226.1.00000000584e6fdf.00000000c927f8c0.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-mipsel/tmp/Jqj1JC6iTVSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/Jqj1JC6iTV
Source: Jqj1JC6iTV, 5223.1.00000000584e6fdf.00000000c927f8c0.rw-.sdmp, Jqj1JC6iTV, 5225.1.00000000584e6fdf.00000000c927f8c0.rw-.sdmp, Jqj1JC6iTV, 5226.1.00000000584e6fdf.00000000c927f8c0.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mipsel

Stealing of Sensitive Information:

Yara detected Mirai

Source: Yara match	File source: Jqj1JC6iTV, type: SAMPLE
Source: Yara match	File source: 5226.1.00000000999a1750.00000000a6439f42.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5223.1.00000000999a1750.00000000a6439f42.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5225.1.00000000999a1750.00000000a6439f42.r-x.sdmp, type: MEMORY

Sample contains strings that are user agent strings indicative of HTTP manipulation

Source: Initial sample	User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; pl) Opera 11.00
Source: Initial sample	User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; en) Opera 11.00
Source: Initial sample	User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; ja) Opera 11.00
Source: Initial sample	User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; de) Opera 11.01
Source: Initial sample	User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; fr) Opera 11.00
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Source: Initial sample	User agent string found: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H143 Safari/600.1.4
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36
Source: Initial sample	User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11) AppleWebKit/601.1.56 (KHTML, like Gecko) Version/9.0 Safari/601.1.56
Source: Initial sample	User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/601.2.7 (KHTML, like Gecko) Version/9.0.1 Safari/601.2.7
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Source: Initial sample	User agent string found: Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51
Source: Initial sample	User agent string found: Opera/9.80 (X11; Linux i686; Ubuntu/14.10) Presto/2.12.388 Version/12.16
Source: Initial sample	User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36
Source: Initial sample	User agent string found: Mozilla/5.0 (Linux; Android 4.4.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.89 Mobile Safari/537.36
Source: Initial sample	User agent string found: Mozilla/5.0 (Linux; Android 4.4.3; HTC_0PCV2 Build/KTU84L) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36
Source: Initial sample	User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; X11; Linux x86_64; pl) Opera 11.00
Source: Initial sample	User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:25.0) Gecko/20100101 Firefox/25.0
Source: Initial sample	User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0) Gecko/20100101 Firefox/21.0
Source: Initial sample	User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Firefox/24.0
Source: Initial sample	User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10; rv:33.0) Gecko/20100101 Firefox/33.0

Remote Access Functionality:

Yara detected Mirai

Source: Yara match	File source: Jqj1JC6iTV, type: SAMPLE
Source: Yara match	File source: 5226.1.00000000999a1750.00000000a6439f42.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5223.1.00000000999a1750.00000000a6439f42.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5225.1.00000000999a1750.00000000a6439f42.r-x.sdmp, type: MEMORY