
Linux Analysis Report zXL7Uv8mEG

Overview

General Information

Sample Name:zXL7Uv8mEG
Analysis ID:553481
MD5:98c967ef41edd42f56dcf25a1605150b
SHA1:3211d3c81ba1fe676ce970afd3d3735222f54fed
SHA256:fa70cb2fbce4c0202f4c0acf7b09b74d61f980fc6fbb9bca5896d64983db098e
Tags: 32 arm elf mirai

Detection

Score:52
Range:0 - 100
Whitelisted:false

Signatures

Multi AV Scanner detection for submitted file
Sample is packed with UPX
Sample contains only a LOAD segment without any section mappings
Yara signature match
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Executes the "rm" command used to delete files or directories
Sample listens on a socket
Sample tries to kill a process (SIGKILL)

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures
Static ELF header machine description suggests that the sample might not execute correctly on this machine

General Information

Joe Sandbox Version:34.0.0 Boulder Opal
Analysis ID:553481
Start date:15.01.2022
Start time:00:52:22
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 6m 17s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:zXL7Uv8mEG
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Detection:MAL
Classification:mal52.evad.lin@0/0@0/0

Process Tree

  • system is lnxubuntu20
  • dash New Fork (PID: 5304, Parent: 4331)
  • rm (PID: 5304, Parent: 4331, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.XeTLhZbQbn /tmp/tmp.Uma6QlImKT /tmp/tmp.AKJHFauVo4
  • cleanup

Yara Overview

Initial Sample

Source: zXL7Uv8mEG
Rule: SUSP_ELF_LNX_UPX_Compressed_File
Description: Detects a suspicious ELF binary with UPX compression
Author: Florian Roth
Strings:
  • 0x7c9c:$s1: PROT_EXEC|PROT_WRITE failed.
  • 0x7d0b:$s2: $Id: UPX
  • 0x7cbc:$s3: $Info: This file is packed with the UPX executable packer

Jbx Signature Overview


AV Detection:

Multi AV Scanner detection for submitted file
Source: zXL7Uv8mEG; Virustotal: Detection: 37%
Source: zXL7Uv8mEG; ReversingLabs: Detection: 34%
Source: /tmp/zXL7Uv8mEG (PID: 5262); Socket: 0.0.0.0::0
Source: /tmp/zXL7Uv8mEG (PID: 5268); Socket: 0.0.0.0::0
Source: zXL7Uv8mEG; String found in binary or memory: http://upx.sf.net
Source: LOAD without section mappings; Program segment: 0x8000
Source: zXL7Uv8mEG, type: SAMPLE; Matched rule: SUSP_ELF_LNX_UPX_Compressed_File date = 2018-12-12, author = Florian Roth, description = Detects a suspicious ELF binary with UPX compression, reference = Internal Research, score = 038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4
Source: /tmp/zXL7Uv8mEG (PID: 5262); SIGKILL sent: pid: 936, result: successful
Source: /tmp/zXL7Uv8mEG (PID: 5268); SIGKILL sent: pid: 936, result: successful
Source: /tmp/zXL7Uv8mEG (PID: 5287); SIGKILL sent: pid: 5285, result: successful
Source: /tmp/zXL7Uv8mEG (PID: 5326); SIGKILL sent: pid: 5324, result: successful
Source: classification engine; Classification label: mal52.evad.lin@0/0@0/0

Data Obfuscation:

Sample is packed with UPX
Source: initial sample; String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample; String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample; String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $
Source: /tmp/zXL7Uv8mEG (PID: 5262); File opened: /proc/<pid>/fd for each of the pids 491, 793, 772, 796, 774, 797, 777, 799, 658, 912, 759, 936, 918, 1, 761, 785, 884, 720, 721, 788, 789, 800, 801, 847, 904
Source: /tmp/zXL7Uv8mEG (PID: 5268); File opened: /proc/<pid>/fd for each of the pids 491, 793, 772, 796, 774, 797, 777, 799, 658, 912, 759, 936, 918, 1, 761, 785, 884, 720, 721, 788, 789, 800, 801, 847, 904
Source: /usr/bin/dash (PID: 5304); Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.XeTLhZbQbn /tmp/tmp.Uma6QlImKT /tmp/tmp.AKJHFauVo4
Source: /tmp/zXL7Uv8mEG (PID: 5260); Queries kernel information via 'uname'
Source: zXL7Uv8mEG, memory dump 00000000115f7a9c.00000000176ccf8d.rw-.sdmp of PIDs 5260, 5262, 5383, 5399, 5391, 5263, 5382, 5270, 5285, 5287, 5324, 5326; Binary or memory string: U!/etc/qemu-binfmt/arm
Source: zXL7Uv8mEG, memory dump 000000001eb594be.00000000ff524bb7.rw-.sdmp of PIDs 5260, 5262, 5383, 5399, 5391, 5263, 5382, 5270, 5285, 5287, 5324, 5326; Binary or memory string: _x86_64/usr/bin/qemu-arm/tmp/zXL7Uv8mEGSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/zXL7Uv8mEG
Source: zXL7Uv8mEG, memory dump 00000000115f7a9c.00000000176ccf8d.rw-.sdmp of PIDs 5260, 5262, 5383, 5399, 5391, 5263, 5382, 5270, 5285, 5287, 5324, 5326; Binary or memory string: /etc/qemu-binfmt/arm
Source: zXL7Uv8mEG, memory dump 000000001eb594be.00000000ff524bb7.rw-.sdmp of PIDs 5260, 5262, 5383, 5399, 5391, 5263, 5382, 5270, 5285, 5287, 5324, 5326; Binary or memory string: /usr/bin/qemu-arm

Mitre Att&ck Matrix

Techniques listed per tactic column (first row, then second row of the matrix):

  • Initial Access: Valid Accounts; Default Accounts
  • Execution: Windows Management Instrumentation; Scheduled Task/Job
  • Persistence: Path Interception; Boot or Logon Initialization Scripts
  • Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts
  • Defense Evasion: Obfuscated Files or Information 1; File Deletion 1
  • Credential Access: OS Credential Dumping 1; LSASS Memory
  • Discovery: Security Software Discovery 11; Application Window Discovery
  • Lateral Movement: Remote Services; Remote Desktop Protocol
  • Collection: Data from Local System; Data from Removable Media
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
  • Command and Control: Data Obfuscation; Junk Data
  • Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS
  • Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization
  • Impact: Modify System Partition; Device Lockout

Malware Configuration

No configs have been found

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
  • Internet

Behavior Graph ID: 553481, Sample: zXL7Uv8mEG, Start date: 15/01/2022, Architecture: LINUX, Score: 52. (Rendered graph not recoverable as text.) Signatures attached to the root node: "Multi AV Scanner detection for submitted file" and "Sample is packed with UPX". The root node starts zXL7Uv8mEG and a "dash rm" process; zXL7Uv8mEG then starts further copies of itself across several generations of child processes.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source      Detection  Scanner         Label
zXL7Uv8mEG  38%        Virustotal
zXL7Uv8mEG  35%        ReversingLabs   Linux.Trojan.Mirai

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name               Source      Malicious  Antivirus Detection  Reputation
http://upx.sf.net  zXL7Uv8mEG  false                           high

Contacted IPs

No contacted IP infos

Runtime Messages

Command: /tmp/zXL7Uv8mEG
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output: Connected To CNC
Standard Error:

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type: ELF 32-bit LSB executable, ARM, EABI4 version 1 (GNU/Linux), statically linked, stripped
Entropy (8bit): 7.9760203561170355
TrID:
  • ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name: zXL7Uv8mEG
File size: 48692
MD5: 98c967ef41edd42f56dcf25a1605150b
SHA1: 3211d3c81ba1fe676ce970afd3d3735222f54fed
SHA256: fa70cb2fbce4c0202f4c0acf7b09b74d61f980fc6fbb9bca5896d64983db098e
SHA512: 6001d77ed9e2b0cb74b52cd5f9fe11378531309651a3f535602a080f01d3d061a722944ad207322de060602c1351a1b5b6113fe753e1dcb8f406b44c1ac41050
SSDEEP: 768:4sPqoipZIESDhn1ily+MYp1yEttTENJRSF6xz9q3UEL0Ilr9YfAjptN/FBNuKrTd:3POdSDB1kyxS1yEttTiJRryLNSsptN/T
File Content Preview: .ELF..............(.........4...........4. ...(.........................................0b..0b..0b..................Q.td...............................OUPX!....................i..........?.E.h;....#..$...o........(<.X.t..I..3...sd......T.=....._....O..".c

Static ELF Info

ELF header

Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
Machine: ARM
Version Number: 0x1
Type: EXEC (Executable file)
OS/ABI: UNIX - Linux
ABI Version: 0
Entry Point Address: 0xf1a8
Flags: 0x4000002
ELF Header Size: 52
Program Header Offset: 52
Program Header Size: 32
Number of Program Headers: 3
Section Header Offset: 0
Section Header Size: 40
Number of Section Headers: 0
Header String Table Index: 0

Program Segments

Type       Offset  Virtual Address  Physical Address  File Size  Memory Size  Entropy  Flags  Flags Description  Align   Prog Interpreter  Section Mappings
LOAD       0x0     0x8000           0x8000            0x8395     0x8395       3.9882   0x5    R E                0x8000
LOAD       0x6230  0x26230          0x26230           0x0        0x0          0.0000   0x6    RW                 0x8000
GNU_STACK  0x0     0x0              0x0               0x0        0x0          0.0000   0x7    RWE                0x4

Network Behavior

No network behavior found

System Behavior