Loading ...

Play interactive tourEdit tour

Linux Analysis Report bin.sh

Overview

General Information

Sample Name:bin.sh
Analysis ID:551039
MD5:a73ddd6ec22462db955439f665cad4e6
SHA1:ac6962542a4b23ac13bddff22f8df9aeb702ef12
SHA256:b5cf68c7cb5bb2d21d60bf6654926f61566d95bfd7c9f9e182d032f1da5b4605
Infos:

Detection

Score:60
Range:0 - 100
Whitelisted:false

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Sample is packed with UPX
Sample contains only a LOAD segment without any section mappings
Yara signature match
Uses the "uname" system call to query kernel version information (possible evasion)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures
All HTTP servers contacted by the sample do not answer. Likely the sample is an old dropper which does no longer work
Non-zero exit code suggests an error during the execution. Lookup the error code for hints.
Static ELF header machine description suggests that the sample might not execute correctly on this machine

General Information

Joe Sandbox Version:34.0.0 Boulder Opal
Analysis ID:551039
Start date:11.01.2022
Start time:18:58:52
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 5m 9s
Hypervisor based Inspection enabled:false
Report type:light
Sample file name:bin.sh
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Detection:MAL
Classification:mal60.evad.linSH@0/0@0/0
Warnings:
Show All
  • VT rate limit hit for: bin.sh

Process Tree

  • system is lnxubuntu20
  • bin.sh (PID: 5223, Parent: 5120, MD5: 0083f1f0e77be34ad27f849842bbb00c) Arguments: /tmp/bin.sh
  • cleanup

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
bin.shSUSP_ELF_LNX_UPX_Compressed_FileDetects a suspicious ELF binary with UPX compressionFlorian Roth
  • 0x206f8:$s1: PROT_EXEC|PROT_WRITE failed.
  • 0x20767:$s2: $Id: UPX
  • 0x20718:$s3: $Info: This file is packed with the UPX executable packer

Memory Dumps

SourceRuleDescriptionAuthorStrings
5223.1.00000000b8716a1c.00000000a1a19d0b.r-x.sdmpSUSP_ELF_LNX_UPX_Compressed_FileDetects a suspicious ELF binary with UPX compressionFlorian Roth
  • 0x206f8:$s1: PROT_EXEC|PROT_WRITE failed.
  • 0x20767:$s2: $Id: UPX
  • 0x20718:$s3: $Info: This file is packed with the UPX executable packer

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

barindex
Antivirus / Scanner detection for submitted sampleShow sources
Source: bin.shAvira: detected
Multi AV Scanner detection for submitted fileShow sources
Source: bin.shMetadefender: Detection: 18%Perma Link
Source: bin.shReversingLabs: Detection: 78%
Source: global trafficTCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global trafficTCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global trafficTCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: unknownNetwork traffic detected: HTTP traffic on port 43928 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 42836 -> 443
Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknownTCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknownTCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.43
Source: bin.shString found in binary or memory: http://upx.sf.net
Source: LOAD without section mappingsProgram segment: 0x400000
Source: bin.sh, type: SAMPLEMatched rule: SUSP_ELF_LNX_UPX_Compressed_File date = 2018-12-12, author = Florian Roth, description = Detects a suspicious ELF binary with UPX compression, reference = Internal Research, score = 038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4
Source: 5223.1.00000000b8716a1c.00000000a1a19d0b.r-x.sdmp, type: MEMORYMatched rule: SUSP_ELF_LNX_UPX_Compressed_File date = 2018-12-12, author = Florian Roth, description = Detects a suspicious ELF binary with UPX compression, reference = Internal Research, score = 038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4
Source: classification engineClassification label: mal60.evad.linSH@0/0@0/0

Data Obfuscation:

barindex
Sample is packed with UPXShow sources
Source: initial sampleString containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sampleString containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sampleString containing UPX found: $Id: UPX 3.95 Copyright (C) 1996-2018 the UPX Team. All Rights Reserved. $
Source: /tmp/bin.sh (PID: 5223)Queries kernel information via 'uname':
Source: bin.sh, 5223.1.00000000d4a45a57.00000000c8ab71bb.rw-.sdmpBinary or memory string: 6Mx86_64/usr/bin/qemu-mips/tmp/bin.shSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/bin.sh
Source: bin.sh, 5223.1.000000008a8f7ef3.000000000141f8af.rw-.sdmpBinary or memory string: U!/etc/qemu-binfmt/mips
Source: bin.sh, 5223.1.000000008a8f7ef3.000000000141f8af.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/mips
Source: bin.sh, 5223.1.00000000d4a45a57.00000000c8ab71bb.rw-.sdmpBinary or memory string: /usr/bin/qemu-mips
Source: bin.sh, 5223.1.00000000d4a45a57.00000000c8ab71bb.rw-.sdmpBinary or memory string: qemu: uncaught target signal 5 (Trace/breakpoint trap) - core dumped

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsWindows Management InstrumentationPath InterceptionPath InterceptionObfuscated Files or Information1OS Credential DumpingSecurity Software Discovery11Remote ServicesData from Local SystemExfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothApplication Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
  • Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
bin.sh18%MetadefenderBrowse
bin.sh79%ReversingLabsLinux.Trojan.Mirai
bin.sh100%AviraLINUX/Mirai.ccjqy

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

NameSourceMaliciousAntivirus DetectionReputation
http://upx.sf.netbin.shfalse
    high

    Contacted IPs

    • No. of IPs < 25%
    • 25% < No. of IPs < 50%
    • 50% < No. of IPs < 75%
    • 75% < No. of IPs

    Public

    IPDomainCountryFlagASNASN NameMalicious
    109.202.202.202
    unknownSwitzerland
    13030INIT7CHfalse
    91.189.91.43
    unknownUnited Kingdom
    41231CANONICAL-ASGBfalse
    91.189.91.42
    unknownUnited Kingdom
    41231CANONICAL-ASGBfalse


    Runtime Messages

    Command:/tmp/bin.sh
    Exit Code:133
    Exit Code Info:
    Killed:False
    Standard Output:

    Standard Error:qemu: uncaught target signal 5 (Trace/breakpoint trap) - core dumped

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    No context

    ASN

    No context

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    No created / dropped files found

    Static File Info

    General

    File type:ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
    Entropy (8bit):7.813637944981102
    TrID:
    • ELF Executable and Linkable format (Linux) (4029/14) 50.16%
    • ELF Executable and Linkable format (generic) (4004/1) 49.84%
    File name:bin.sh
    File size:135472
    MD5:a73ddd6ec22462db955439f665cad4e6
    SHA1:ac6962542a4b23ac13bddff22f8df9aeb702ef12
    SHA256:b5cf68c7cb5bb2d21d60bf6654926f61566d95bfd7c9f9e182d032f1da5b4605
    SHA512:92a52f68a7324c4d5876e1f7e2cb87d14b8604b057ceee2e537815568faa96abf576a22111c5c976eff72ab9015f1261b2331d4b4d711f4e62c8eb403c2377aa
    SSDEEP:3072:2glZ3FtCKXhkmHtZ9TEKzjfj/WMngyIfsJ0F7xPtoM:2IIKXhZtL7jOTyIG87Xl
    File Content Preview:.ELF.....................B.x...4.........4. ...(.............@...@...........................C...C...................*.*UPX!.X.....................]....|.$..ELF..........@.`....4...p... ...(......<...@......[v......H...`.t/._...dt.Q.....].M........P......

    Static ELF Info

    ELF header

    Class:ELF32
    Data:2's complement, big endian
    Version:1 (current)
    Machine:MIPS R3000
    Version Number:0x1
    Type:EXEC (Executable file)
    OS/ABI:UNIX - System V
    ABI Version:0
    Entry Point Address:0x420578
    Flags:0x1007
    ELF Header Size:52
    Program Header Offset:52
    Program Header Size:32
    Number of Program Headers:2
    Section Header Offset:0
    Section Header Size:40
    Number of Section Headers:0
    Header String Table Index:0

    Program Segments

    TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
    LOAD0x00x4000000x4000000x20fc20x20fc24.44990x5R E0x10000
    LOAD0x00x4300000x4300000x00x91f180.00000x6RW 0x10000

    Network Behavior

    Network Port Distribution

    TCP Packets

    TimestampSource PortDest PortSource IPDest IP
    Jan 11, 2022 18:59:38.816874027 CET42836443192.168.2.2391.189.91.43
    Jan 11, 2022 18:59:39.073887110 CET4251680192.168.2.23109.202.202.202
    Jan 11, 2022 18:59:54.176369905 CET43928443192.168.2.2391.189.91.42
    Jan 11, 2022 19:00:04.416064024 CET42836443192.168.2.2391.189.91.43
    Jan 11, 2022 19:00:08.511899948 CET4251680192.168.2.23109.202.202.202
    Jan 11, 2022 19:00:35.134944916 CET43928443192.168.2.2391.189.91.42
    Jan 11, 2022 19:00:55.614240885 CET42836443192.168.2.2391.189.91.43

    System Behavior

    General

    Start time:18:59:38
    Start date:11/01/2022
    Path:/tmp/bin.sh
    Arguments:/tmp/bin.sh
    File size:5777432 bytes
    MD5 hash:0083f1f0e77be34ad27f849842bbb00c