Linux Analysis Report 7r4phwK4EY

Overview

General Information

Sample Name:	7r4phwK4EY
Analysis ID:	534001
MD5:	55a143ca8c7d1e9f511d313ff6009f43
SHA1:	1e9d9222e1c61471a213f7e2e6ee4aec9a3423f4
SHA256:	32d108e9f2885bb81fbcec251a4c01c0530b48a5c10eb25820807f8c3330e1aa
Tags:	32elfgafgytsparc
Infos:

Detection

Mirai

Score:	72
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Yara detected Mirai

Multi AV Scanner detection for submitted file

Contains symbols with names commonly found in malware

Opens /proc/net/* files useful for finding connected devices and routers

Sample contains strings that are user agent strings indicative of HTTP manipulation

Uses the "uname" system call to query kernel version information (possible evasion)

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Detected TCP or UDP traffic on non-standard ports

Classification

Signatures

AV Detection:

Antivirus / Scanner detection for submitted sample

Source: 7r4phwK4EY

Avira: detected

Multi AV Scanner detection for submitted file

Source: 7r4phwK4EY	Virustotal: Detection: 61%			Perma Link
Source: 7r4phwK4EY	ReversingLabs: Detection: 60%

Spreading:

Opens /proc/net/* files useful for finding connected devices and routers

Source: /tmp/7r4phwK4EY (PID: 5219)

Opens: /proc/net/route

Jump to behavior

Networking:

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.23:35716 -> 96.8.118.142:888

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 39.153.251.53
Source: unknown	TCP traffic detected without corresponding DNS query: 39.153.251.53
Source: unknown	TCP traffic detected without corresponding DNS query: 39.153.251.53
Source: unknown	TCP traffic detected without corresponding DNS query: 96.8.118.142
Source: unknown	TCP traffic detected without corresponding DNS query: 96.8.118.142
Source: unknown	TCP traffic detected without corresponding DNS query: 39.153.251.53
Source: unknown	TCP traffic detected without corresponding DNS query: 39.153.251.53
Source: unknown	TCP traffic detected without corresponding DNS query: 39.153.251.53
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 96.8.118.142
Source: unknown	TCP traffic detected without corresponding DNS query: 96.8.118.142
Source: unknown	TCP traffic detected without corresponding DNS query: 96.8.118.142
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 218.23.170.240
Source: unknown	TCP traffic detected without corresponding DNS query: 218.23.170.240
Source: unknown	TCP traffic detected without corresponding DNS query: 218.23.170.240
Source: unknown	TCP traffic detected without corresponding DNS query: 218.23.170.240
Source: unknown	TCP traffic detected without corresponding DNS query: 218.23.170.240
Source: unknown	TCP traffic detected without corresponding DNS query: 218.23.170.240
Source: unknown	TCP traffic detected without corresponding DNS query: 68.180.106.147
Source: unknown	TCP traffic detected without corresponding DNS query: 68.180.106.147
Source: unknown	TCP traffic detected without corresponding DNS query: 39.153.251.53
Source: unknown	TCP traffic detected without corresponding DNS query: 39.153.251.53
Source: unknown	TCP traffic detected without corresponding DNS query: 39.153.251.53
Source: unknown	TCP traffic detected without corresponding DNS query: 96.8.118.142
Source: unknown	TCP traffic detected without corresponding DNS query: 96.8.118.142
Source: unknown	TCP traffic detected without corresponding DNS query: 170.39.121.65
Source: unknown	TCP traffic detected without corresponding DNS query: 170.39.121.65
Source: unknown	TCP traffic detected without corresponding DNS query: 123.22.50.195
Source: unknown	TCP traffic detected without corresponding DNS query: 123.22.50.195
Source: unknown	TCP traffic detected without corresponding DNS query: 211.138.12.155
Source: unknown	TCP traffic detected without corresponding DNS query: 211.138.12.155
Source: unknown	TCP traffic detected without corresponding DNS query: 211.138.12.155
Source: unknown	TCP traffic detected without corresponding DNS query: 211.138.12.155
Source: unknown	TCP traffic detected without corresponding DNS query: 211.138.12.155
Source: unknown	TCP traffic detected without corresponding DNS query: 211.138.12.155
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 14.231.93.121
Source: unknown	TCP traffic detected without corresponding DNS query: 14.231.93.121
Source: unknown	TCP traffic detected without corresponding DNS query: 211.138.12.155
Source: unknown	TCP traffic detected without corresponding DNS query: 211.138.12.155
Source: unknown	TCP traffic detected without corresponding DNS query: 211.138.12.155
Source: unknown	TCP traffic detected without corresponding DNS query: 211.138.12.155
Source: unknown	TCP traffic detected without corresponding DNS query: 211.138.12.155
Source: unknown	TCP traffic detected without corresponding DNS query: 211.138.12.155
Source: unknown	TCP traffic detected without corresponding DNS query: 207.170.200.34
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 204.29.87.251
Source: unknown	TCP traffic detected without corresponding DNS query: 204.29.87.251
Source: unknown	TCP traffic detected without corresponding DNS query: 207.170.200.34

System Summary:

Contains symbols with names commonly found in malware

Source: ELF static info symbol of initial sample

Name: vseattack

Source: classification engine

Classification label: mal72.spre.troj.lin@0/1@0/0

Source: ELF static info symbol of initial sample	FILE: libc/string/sparc/memchr.S
Source: ELF static info symbol of initial sample	FILE: libc/string/sparc/memcpy.S
Source: ELF static info symbol of initial sample	FILE: libc/string/sparc/memset.S
Source: ELF static info symbol of initial sample	FILE: libc/string/sparc/strchr.S
Source: ELF static info symbol of initial sample	FILE: libc/string/sparc/strcmp.S
Source: ELF static info symbol of initial sample	FILE: libc/string/sparc/strcpy.S
Source: ELF static info symbol of initial sample	FILE: libc/string/sparc/strlen.S
Source: ELF static info symbol of initial sample	FILE: libc/sysdeps/linux/sparc/crt1.S
Source: ELF static info symbol of initial sample	FILE: libc/sysdeps/linux/sparc/crti.S
Source: ELF static info symbol of initial sample	FILE: libc/sysdeps/linux/sparc/crtn.S
Source: ELF static info symbol of initial sample	FILE: libc/sysdeps/linux/sparc/fork.S
Source: ELF static info symbol of initial sample	FILE: libc/sysdeps/linux/sparc/rem.S
Source: ELF static info symbol of initial sample	FILE: libc/sysdeps/linux/sparc/udiv.S
Source: ELF static info symbol of initial sample	FILE: libc/sysdeps/linux/sparc/umul.S
Source: ELF static info symbol of initial sample	FILE: libc/sysdeps/linux/sparc/urem.S
Source: ELF static info symbol of initial sample	FILE: libc/sysdeps/linux/sparc/vfork.S

Malware Analysis System Evasion:

Uses the "uname" system call to query kernel version information (possible evasion)

Source: /tmp/7r4phwK4EY (PID: 5219)

Queries kernel information via 'uname':

Jump to behavior

Source: 7r4phwK4EY, 5219.1.00000000afd90c06.000000009e9f162e.rw-.sdmp	Binary or memory string: bU/tmp/qemu-open.cnetFQ\
Source: 7r4phwK4EY, 5219.1.00000000332bb906.000000001584c815.rw-.sdmp, 7r4phwK4EY, 5222.1.00000000332bb906.000000001584c815.rw-.sdmp, 7r4phwK4EY, 5223.1.00000000332bb906.000000001584c815.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/sparc
Source: 7r4phwK4EY, 5219.1.00000000afd90c06.000000009e9f162e.rw-.sdmp, 7r4phwK4EY, 5222.1.00000000afd90c06.000000009e9f162e.rw-.sdmp, 7r4phwK4EY, 5223.1.00000000afd90c06.000000009e9f162e.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-sparc/tmp/7r4phwK4EYSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/7r4phwK4EY
Source: 7r4phwK4EY, 5219.1.00000000afd90c06.000000009e9f162e.rw-.sdmp	Binary or memory string: /tmp/qemu-open.cnetFQ
Source: 7r4phwK4EY, 5219.1.00000000332bb906.000000001584c815.rw-.sdmp, 7r4phwK4EY, 5222.1.00000000332bb906.000000001584c815.rw-.sdmp, 7r4phwK4EY, 5223.1.00000000332bb906.000000001584c815.rw-.sdmp	Binary or memory string: LcU!/etc/qemu-binfmt/sparc
Source: 7r4phwK4EY, 5219.1.00000000afd90c06.000000009e9f162e.rw-.sdmp, 7r4phwK4EY, 5222.1.00000000afd90c06.000000009e9f162e.rw-.sdmp, 7r4phwK4EY, 5223.1.00000000afd90c06.000000009e9f162e.rw-.sdmp	Binary or memory string: /usr/bin/qemu-sparc

Stealing of Sensitive Information:

Yara detected Mirai

Source: Yara match	File source: 7r4phwK4EY, type: SAMPLE
Source: Yara match	File source: 5222.1.000000002d672358.0000000056ce449d.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5223.1.000000002d672358.0000000056ce449d.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5219.1.000000002d672358.0000000056ce449d.r-x.sdmp, type: MEMORY

Sample contains strings that are user agent strings indicative of HTTP manipulation

Source: Initial sample	User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; pl) Opera 11.00
Source: Initial sample	User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; en) Opera 11.00
Source: Initial sample	User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; ja) Opera 11.00
Source: Initial sample	User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; de) Opera 11.01
Source: Initial sample	User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; fr) Opera 11.00
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Source: Initial sample	User agent string found: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H143 Safari/600.1.4
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36
Source: Initial sample	User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11) AppleWebKit/601.1.56 (KHTML, like Gecko) Version/9.0 Safari/601.1.56
Source: Initial sample	User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/601.2.7 (KHTML, like Gecko) Version/9.0.1 Safari/601.2.7
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Source: Initial sample	User agent string found: Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51
Source: Initial sample	User agent string found: Opera/9.80 (X11; Linux i686; Ubuntu/14.10) Presto/2.12.388 Version/12.16
Source: Initial sample	User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36
Source: Initial sample	User agent string found: Mozilla/5.0 (Linux; Android 4.4.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.89 Mobile Safari/537.36
Source: Initial sample	User agent string found: Mozilla/5.0 (Linux; Android 4.4.3; HTC_0PCV2 Build/KTU84L) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36
Source: Initial sample	User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; X11; Linux x86_64; pl) Opera 11.00
Source: Initial sample	User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:25.0) Gecko/20100101 Firefox/25.0
Source: Initial sample	User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0) Gecko/20100101 Firefox/21.0
Source: Initial sample	User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Firefox/24.0
Source: Initial sample	User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10; rv:33.0) Gecko/20100101 Firefox/33.0

Remote Access Functionality:

Yara detected Mirai

Source: Yara match	File source: 7r4phwK4EY, type: SAMPLE
Source: Yara match	File source: 5222.1.000000002d672358.0000000056ce449d.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5223.1.000000002d672358.0000000056ce449d.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5219.1.000000002d672358.0000000056ce449d.r-x.sdmp, type: MEMORY

Screenshots

No Screenshots

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
37.112.203.140	unknown	Russian Federation	50544	KRSK-ASRU	false
218.23.170.240	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
68.180.106.147	unknown	United States	23473	PAVLOVMEDIAUS	false
123.22.50.195	unknown	Viet Nam	45899	VNPT-AS-VNVNPTCorpVN	false
149.62.33.230	unknown	Moldova Republic of	205124	AS_TELEHOST_COLOMD	false
170.39.121.65	unknown	Reserved	139776	PETRONAS-BHD-AS-APPetroliamNasionalBerhadMY	false
41.60.254.245	unknown	Mauritius	30844	LIQUID-ASGB	false
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
39.153.251.53	unknown	China	9808	CMNET-GDGuangdongMobileCommunicationCoLtdCN	false
177.101.125.251	unknown	Brazil	28343	UnifiqueTelecomunicacoesSABR	false
151.247.234.89	unknown	Iran (ISLAMIC Republic Of)	31549	RASANAIR	false
204.29.87.251	unknown	United States	3464	ASC-NETUS	false
96.8.118.142	unknown	United States	36352	AS-COLOCROSSINGUS	false
14.231.93.121	unknown	Viet Nam	45899	VNPT-AS-VNVNPTCorpVN	false
207.170.200.34	unknown	United States	3549	LVLT-3549US	false
211.138.12.155	unknown	China	24547	CMNET-V4HEBEI-AS-APHebeiMobileCommunicationCompanyLimit	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
192.24.49.93	unknown	Canada	393632	NORTHFRONTENACTELCA	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

ID:	534001
Product:	CloudBasic
Start time:	22:57:39
Start date:	04.12.2021
Sample:	7r4phwK4EY
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Architecture:	LINUX
MD5:	55a143ca8c7d1e9f511d313ff6009f43
SHA1:	1e9d9222e1c61471a213f7e2e6ee4aec9a3423f4
SHA256:	32d108e9f2885bb81fbcec251a4c01c0530b48a5c10eb25820807f8c3330e1aa
Filetype:	ELF Executable and Linkable format (generic) (4004/1) 100.00%

Linux Analysis Report 7r4phwK4EY

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Spreading:

Networking:

System Summary:

Malware Analysis System Evasion:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Network Map

Contacted Public IPs