Linux Analysis Report x-3.2-.Fourloko

Overview

General Information

Sample Name: x-3.2-.Fourloko
Analysis ID: 551890
MD5: b4ff1c112d63586c4599caa73eecc17d
SHA1: 4e224f266b818fbfa1d6aee5563b0e7b4cdc1fd9
SHA256: 66a1dbaee93b2e8b7f04c10ac1f4007115a114f73e76758c97aed09fdb02a051

Detection

Score: 60
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Contains symbols with names commonly found in malware
Opens /proc/net/* files useful for finding connected devices and routers
Machine Learning detection for sample
Sample contains strings that are user agent strings indicative of HTTP manipulation
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Detected TCP or UDP traffic on non-standard ports
Executes the "rm" command used to delete files or directories

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: x-3.2-.Fourloko Virustotal: Detection: 54%
Source: x-3.2-.Fourloko ReversingLabs: Detection: 58%
Machine Learning detection for sample
Source: x-3.2-.Fourloko Joe Sandbox ML: detected

Spreading:

Opens /proc/net/* files useful for finding connected devices and routers
Source: /tmp/x-3.2-.Fourloko (PID: 5208) Opens: /proc/net/route

Networking:

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic TCP traffic: 192.168.2.23:39244 -> 34.249.145.219:443
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.23:55080 -> 167.99.35.197:839
Source: unknown Network traffic detected: HTTP traffic on port 39244 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 167.99.35.197 (38 occurrences)
Source: unknown TCP traffic detected without corresponding DNS query: 34.249.145.219 (6 occurrences)
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42 (2 occurrences)
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43 (1 occurrence)
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202 (1 occurrence)

System Summary:

Contains symbols with names commonly found in malware
Source: ELF static info symbol of initial sample Name: vseattack
Source: classification engine Classification label: mal60.spre.linFOURLOKO@0/0@0/0
Source: ELF static info symbol of initial sample FILE: libc/sysdeps/linux/i386/crt1.S
Source: ELF static info symbol of initial sample FILE: libc/sysdeps/linux/i386/crti.S
Source: ELF static info symbol of initial sample FILE: libc/sysdeps/linux/i386/crtn.S
Source: ELF static info symbol of initial sample FILE: libc/sysdeps/linux/i386/mmap.S

Persistence and Installation Behavior:

Executes the "rm" command used to delete files or directories
Source: /usr/bin/dash (PID: 5249) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.0uSeSSakHx /tmp/tmp.6nBnwSFTMb /tmp/tmp.QdVuyoAuUg

Stealing of Sensitive Information:

Sample contains strings that are user agent strings indicative of HTTP manipulation
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 5.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36