Linux Analysis Report OisIh0q3Gw

Overview

General Information

Sample Name:OisIh0q3Gw
Analysis ID:553484
MD5:011afa25945a1bfa6c8397da5116ea79
SHA1:b02c0da3cecab99eae0aac2beb18e43fd73ec8f7
SHA256:db4e62a9609a515112f043e3ece5998c66d6eb8d5d3766719defb143cfffe31e
Tags: 32, elf, mirai, renesas

Detection

Score:52
Range:0 - 100
Whitelisted:false

Signatures

Multi AV Scanner detection for submitted file
Sample tries to kill multiple processes (SIGKILL)
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Executes the "rm" command used to delete files or directories
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Sample has stripped symbol table

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might not execute correctly on this machine

General Information

Joe Sandbox Version:34.0.0 Boulder Opal
Analysis ID:553484
Start date:15.01.2022
Start time:01:07:10
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 6m 24s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:OisIh0q3Gw
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Detection:MAL
Classification:mal52.spre.lin@0/1@0/0

Process Tree

  • system is lnxubuntu20
  • dash New Fork (PID: 5239, Parent: 4331)
  • cat (PID: 5239, Parent: 4331, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /tmp/tmp.44aCm1an2s
  • dash New Fork (PID: 5240, Parent: 4331)
  • head (PID: 5240, Parent: 4331, MD5: fd96a67145172477dd57131396fc9608) Arguments: head -n 10
  • dash New Fork (PID: 5241, Parent: 4331)
  • tr (PID: 5241, Parent: 4331, MD5: fbd1402dd9f72d8ebfff00ce7c3a7bb5) Arguments: tr -d \\000-\\011\\013\\014\\016-\\037
  • dash New Fork (PID: 5242, Parent: 4331)
  • cut (PID: 5242, Parent: 4331, MD5: d8ed0ea8f22c0de0f8692d4d9f1759d3) Arguments: cut -c -80
  • dash New Fork (PID: 5243, Parent: 4331)
  • cat (PID: 5243, Parent: 4331, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /tmp/tmp.44aCm1an2s
  • dash New Fork (PID: 5244, Parent: 4331)
  • head (PID: 5244, Parent: 4331, MD5: fd96a67145172477dd57131396fc9608) Arguments: head -n 10
  • dash New Fork (PID: 5245, Parent: 4331)
  • tr (PID: 5245, Parent: 4331, MD5: fbd1402dd9f72d8ebfff00ce7c3a7bb5) Arguments: tr -d \\000-\\011\\013\\014\\016-\\037
  • dash New Fork (PID: 5246, Parent: 4331)
  • cut (PID: 5246, Parent: 4331, MD5: d8ed0ea8f22c0de0f8692d4d9f1759d3) Arguments: cut -c -80
  • dash New Fork (PID: 5247, Parent: 4331)
  • rm (PID: 5247, Parent: 4331, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.44aCm1an2s /tmp/tmp.MG72tyDHko /tmp/tmp.Y5mAFBQOFz
  • cleanup

Yara Overview

No yara matches

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: OisIh0q3Gw Virustotal: Detection: 54%
Source: OisIh0q3Gw ReversingLabs: Detection: 62%
Source: /tmp/OisIh0q3Gw (PID: 5221) Socket: 0.0.0.0::0
Source: /tmp/OisIh0q3Gw (PID: 5221) Socket: 0.0.0.0::53413
Source: /tmp/OisIh0q3Gw (PID: 5221) Socket: 0.0.0.0::80
Source: /tmp/OisIh0q3Gw (PID: 5226) Socket: 0.0.0.0::0
Source: /tmp/OisIh0q3Gw (PID: 5226) Socket: 0.0.0.0::53413
Source: /tmp/OisIh0q3Gw (PID: 5226) Socket: 0.0.0.0::80
Source: motd-news.31.dr String found in binary or memory: https://ubuntu.com/blog/microk8s-memory-optimisation

System Summary:

Sample tries to kill multiple processes (SIGKILL)
Source: /tmp/OisIh0q3Gw (PID: 5221) SIGKILL sent: pid: 936, result: successful
Source: /tmp/OisIh0q3Gw (PID: 5226) SIGKILL sent: pid: 936, result: successful
Source: /tmp/OisIh0q3Gw (PID: 5226) SIGKILL sent: pid: 720, result: successful
Source: /tmp/OisIh0q3Gw (PID: 5226) SIGKILL sent: pid: 759, result: successful
Source: /tmp/OisIh0q3Gw (PID: 5226) SIGKILL sent: pid: 788, result: successful
Source: /tmp/OisIh0q3Gw (PID: 5226) SIGKILL sent: pid: 800, result: successful
Source: /tmp/OisIh0q3Gw (PID: 5226) SIGKILL sent: pid: 847, result: successful
Source: /tmp/OisIh0q3Gw (PID: 5226) SIGKILL sent: pid: 884, result: successful
Source: /tmp/OisIh0q3Gw (PID: 5226) SIGKILL sent: pid: 1334, result: successful
Source: /tmp/OisIh0q3Gw (PID: 5226) SIGKILL sent: pid: 1335, result: successful
Source: /tmp/OisIh0q3Gw (PID: 5226) SIGKILL sent: pid: 1860, result: successful
Source: /tmp/OisIh0q3Gw (PID: 5226) SIGKILL sent: pid: 1872, result: successful
Source: /tmp/OisIh0q3Gw (PID: 5226) SIGKILL sent: pid: 2096, result: successful
Source: /tmp/OisIh0q3Gw (PID: 5226) SIGKILL sent: pid: 2097, result: successful
Source: /tmp/OisIh0q3Gw (PID: 5226) SIGKILL sent: pid: 2102, result: successful
Source: /tmp/OisIh0q3Gw (PID: 5226) SIGKILL sent: pid: 2180, result: successful
Source: /tmp/OisIh0q3Gw (PID: 5226) SIGKILL sent: pid: 2208, result: successful
Source: /tmp/OisIh0q3Gw (PID: 5226) SIGKILL sent: pid: 2275, result: successful
Source: /tmp/OisIh0q3Gw (PID: 5226) SIGKILL sent: pid: 2281, result: successful
Source: /tmp/OisIh0q3Gw (PID: 5226) SIGKILL sent: pid: 2285, result: successful
Source: /tmp/OisIh0q3Gw (PID: 5226) SIGKILL sent: pid: 2289, result: successful
Source: /tmp/OisIh0q3Gw (PID: 5226) SIGKILL sent: pid: 2294, result: successful
Source: /tmp/OisIh0q3Gw (PID: 5226) SIGKILL sent: pid: 5221, result: successful
Source: /tmp/OisIh0q3Gw (PID: 5226) SIGKILL sent: pid: 5230, result: successful
Source: /tmp/OisIh0q3Gw (PID: 5333) SIGKILL sent: pid: 5331, result: successful
Source: /tmp/OisIh0q3Gw (PID: 5359) SIGKILL sent: pid: 5357, result: successful
Source: ELF static info symbol of initial sample .symtab present: no
Source: classification engine Classification label: mal52.spre.lin@0/1@0/0
Source: /tmp/OisIh0q3Gw (PID: 5221) File opened: /proc/491/fd
Source: /tmp/OisIh0q3Gw (PID: 5221) File opened: /proc/793/fd
Source: /tmp/OisIh0q3Gw (PID: 5221) File opened: /proc/772/fd
Source: /tmp/OisIh0q3Gw (PID: 5221) File opened: /proc/796/fd
Source: /tmp/OisIh0q3Gw (PID: 5221) File opened: /proc/774/fd
Source: /tmp/OisIh0q3Gw (PID: 5221) File opened: /proc/797/fd
Source: /tmp/OisIh0q3Gw (PID: 5221) File opened: /proc/777/fd
Source: /tmp/OisIh0q3Gw (PID: 5221) File opened: /proc/799/fd
Source: /tmp/OisIh0q3Gw (PID: 5221) File opened: /proc/658/fd
Source: /tmp/OisIh0q3Gw (PID: 5221) File opened: /proc/912/fd
Source: /tmp/OisIh0q3Gw (PID: 5221) File opened: /proc/759/fd
Source: /tmp/OisIh0q3Gw (PID: 5221) File opened: /proc/936/fd
Source: /tmp/OisIh0q3Gw (PID: 5221) File opened: /proc/918/fd
Source: /tmp/OisIh0q3Gw (PID: 5221) File opened: /proc/1/fd
Source: /tmp/OisIh0q3Gw (PID: 5221) File opened: /proc/761/fd
Source: /tmp/OisIh0q3Gw (PID: 5221) File opened: /proc/785/fd
Source: /tmp/OisIh0q3Gw (PID: 5221) File opened: /proc/884/fd
Source: /tmp/OisIh0q3Gw (PID: 5221) File opened: /proc/720/fd
Source: /tmp/OisIh0q3Gw (PID: 5221) File opened: /proc/721/fd
Source: /tmp/OisIh0q3Gw (PID: 5221) File opened: /proc/788/fd
Source: /tmp/OisIh0q3Gw (PID: 5221) File opened: /proc/789/fd
Source: /tmp/OisIh0q3Gw (PID: 5221) File opened: /proc/800/fd
Source: /tmp/OisIh0q3Gw (PID: 5221) File opened: /proc/801/fd
Source: /tmp/OisIh0q3Gw (PID: 5221) File opened: /proc/847/fd
Source: /tmp/OisIh0q3Gw (PID: 5221) File opened: /proc/904/fd
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/5144/exe
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/5146/exe
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/1582/exe
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/2033/exe
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/2275/exe
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/3088/exe
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/1612/exe
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/1579/exe
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/1699/exe
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/1335/exe
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/1698/exe
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/2028/exe
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/1334/exe
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/1576/exe
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/2302/exe
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/3236/exe
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/2025/exe
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/2146/exe
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/910/exe
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/912/fd
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/912/exe
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/912/fd
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/759/fd
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/759/exe
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/759/fd
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/517/exe
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/2307/exe
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/918/fd
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/918/exe
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/918/fd
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/5030/exe
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/4460/exe
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/4461/exe
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/1594/exe
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/2285/exe
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/2281/exe
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/1349/exe
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/1/fd
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/1/fd
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/1623/exe
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/761/fd
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/761/exe
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/761/fd
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/1622/exe
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/884/fd
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/884/exe
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/884/fd
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/1983/exe
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/2038/exe
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/1344/exe
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/1465/exe
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/1586/exe
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/1860/exe
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/1463/exe
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/2156/exe
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/800/fd
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/800/exe
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/800/fd
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/801/fd
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/801/exe
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/801/fd
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/1629/exe
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/4458/exe
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/4459/exe
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/1627/exe
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/1900/exe
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/3021/exe
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/491/fd
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/491/exe
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/491/fd
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/2294/exe
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/2050/exe
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/1877/exe
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/772/fd
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/772/exe
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/772/fd
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/1633/exe
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/1599/exe
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/1632/exe
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/774/fd
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/774/exe
Source: /tmp/OisIh0q3Gw (PID: 5226) File opened: /proc/774/fd
Source: /usr/bin/dash (PID: 5247) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.44aCm1an2s /tmp/tmp.MG72tyDHko /tmp/tmp.Y5mAFBQOFz
Source: /tmp/OisIh0q3Gw (PID: 5219) Queries kernel information via 'uname':
Source: OisIh0q3Gw, 5367.1.0000000096d9f178.00000000bcdc5fcc.rw-.sdmp Binary or memory string: (V/sh4/0 /proc/491/fd/69!/proc/777/fd/22/sh4/pro1/proc/2242/exe/sh4/0!/proc/491/fd/70!/proc/777/fd/19/sh4/pro1/usr/bin/vmtoolsdh4/0!/proc/491/fd/71!/proc/777/fd/18/sh4/pro1@5-
Source: OisIh0q3Gw, 5219.1.00000000bba3d767.0000000096d9f178.rw-.sdmp, OisIh0q3Gw, 5221.1.00000000bba3d767.0000000096d9f178.rw-.sdmp, OisIh0q3Gw, 5222.1.00000000bba3d767.0000000096d9f178.rw-.sdmp, OisIh0q3Gw, 5367.1.00000000bba3d767.0000000096d9f178.rw-.sdmp, OisIh0q3Gw, 5228.1.00000000bba3d767.0000000096d9f178.rw-.sdmp, OisIh0q3Gw, 5230.1.00000000bba3d767.0000000096d9f178.rw-.sdmp, OisIh0q3Gw, 5331.1.00000000bba3d767.0000000096d9f178.rw-.sdmp, OisIh0q3Gw, 5333.1.00000000bba3d767.0000000096d9f178.rw-.sdmp, OisIh0q3Gw, 5357.1.00000000bba3d767.0000000096d9f178.rw-.sdmp, OisIh0q3Gw, 5359.1.00000000bba3d767.0000000096d9f178.rw-.sdmp Binary or memory string: (V5!/etc/qemu-binfmt/sh4
Source: OisIh0q3Gw, 5219.1.00000000052645ab.000000000c2048ea.rw-.sdmp, OisIh0q3Gw, 5221.1.00000000052645ab.000000000c2048ea.rw-.sdmp, OisIh0q3Gw, 5222.1.00000000052645ab.000000000c2048ea.rw-.sdmp, OisIh0q3Gw, 5367.1.00000000052645ab.000000000c2048ea.rw-.sdmp, OisIh0q3Gw, 5367.1.0000000096d9f178.00000000bcdc5fcc.rw-.sdmp, OisIh0q3Gw, 5228.1.00000000052645ab.000000000c2048ea.rw-.sdmp, OisIh0q3Gw, 5230.1.00000000052645ab.000000000c2048ea.rw-.sdmp, OisIh0q3Gw, 5331.1.00000000052645ab.000000000c2048ea.rw-.sdmp, OisIh0q3Gw, 5333.1.00000000052645ab.000000000c2048ea.rw-.sdmp, OisIh0q3Gw, 5357.1.00000000052645ab.000000000c2048ea.rw-.sdmp, OisIh0q3Gw, 5359.1.00000000052645ab.000000000c2048ea.rw-.sdmp Binary or memory string: /usr/bin/qemu-sh4
Source: OisIh0q3Gw, 5367.1.0000000096d9f178.00000000bcdc5fcc.rw-.sdmp Binary or memory string: /usr/bin/vmtoolsd
Source: OisIh0q3Gw, 5367.1.0000000096d9f178.00000000bcdc5fcc.rw-.sdmp Binary or memory string: (V/sh4/ro10 /usr/bin/qemu-sh4!/proc/797/fd/331@
Source: OisIh0q3Gw, 5219.1.00000000bba3d767.0000000096d9f178.rw-.sdmp, OisIh0q3Gw, 5221.1.00000000bba3d767.0000000096d9f178.rw-.sdmp, OisIh0q3Gw, 5222.1.00000000bba3d767.0000000096d9f178.rw-.sdmp, OisIh0q3Gw, 5367.1.00000000bba3d767.0000000096d9f178.rw-.sdmp, OisIh0q3Gw, 5228.1.00000000bba3d767.0000000096d9f178.rw-.sdmp, OisIh0q3Gw, 5230.1.00000000bba3d767.0000000096d9f178.rw-.sdmp, OisIh0q3Gw, 5331.1.00000000bba3d767.0000000096d9f178.rw-.sdmp, OisIh0q3Gw, 5333.1.00000000bba3d767.0000000096d9f178.rw-.sdmp, OisIh0q3Gw, 5357.1.00000000bba3d767.0000000096d9f178.rw-.sdmp, OisIh0q3Gw, 5359.1.00000000bba3d767.0000000096d9f178.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/sh4
Source: OisIh0q3Gw, 5219.1.00000000052645ab.000000000c2048ea.rw-.sdmp, OisIh0q3Gw, 5221.1.00000000052645ab.000000000c2048ea.rw-.sdmp, OisIh0q3Gw, 5222.1.00000000052645ab.000000000c2048ea.rw-.sdmp, OisIh0q3Gw, 5367.1.00000000052645ab.000000000c2048ea.rw-.sdmp, OisIh0q3Gw, 5228.1.00000000052645ab.000000000c2048ea.rw-.sdmp, OisIh0q3Gw, 5230.1.00000000052645ab.000000000c2048ea.rw-.sdmp, OisIh0q3Gw, 5331.1.00000000052645ab.000000000c2048ea.rw-.sdmp, OisIh0q3Gw, 5333.1.00000000052645ab.000000000c2048ea.rw-.sdmp, OisIh0q3Gw, 5357.1.00000000052645ab.000000000c2048ea.rw-.sdmp, OisIh0q3Gw, 5359.1.00000000052645ab.000000000c2048ea.rw-.sdmp Binary or memory string: a*x86_64/usr/bin/qemu-sh4/tmp/OisIh0q3GwSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/OisIh0q3Gw

Mitre Att&ck Matrix

Initial Access: Valid Accounts
Execution: Windows Management Instrumentation
Persistence: Path Interception
Privilege Escalation: Path Interception
Defense Evasion: File Deletion 1
Credential Access: OS Credential Dumping 1
Discovery: Security Software Discovery 1 1
Lateral Movement: Remote Services
Collection: Data from Local System
Exfiltration: Exfiltration Over Other Network Medium
Command and Control: Data Obfuscation
Network Effects: Eavesdrop on Insecure Network Communication
Remote Service Effects: Remotely Track Device Without Authorization
Impact: Modify System Partition

Malware Configuration

No configs have been found

Behavior Graph

Behavior Graph ID: 553484, Sample: OisIh0q3Gw, Start date: 15/01/2022, Architecture: LINUX, Score: 52 (graph image not reproduced here). Signatures shown on the graph: Multi AV Scanner detection for submitted file; Sample tries to kill multiple processes (SIGKILL). Processes shown: OisIh0q3Gw and its child processes, dash cat, dash tr, and 7 other processes.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source: OisIh0q3Gw, Detection: 54%, Scanner: Virustotal
Source: OisIh0q3Gw, Detection: 63%, Scanner: ReversingLabs, Label: Linux.Trojan.Mirai

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name: https://ubuntu.com/blog/microk8s-memory-optimisation, Source: motd-news.31.dr, Malicious: false, Reputation: high

Contacted IPs

No contacted IP infos

Runtime Messages

Command:/tmp/OisIh0q3Gw
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:
Connected To CNC
Standard Error:

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

/var/cache/motd-news
Process:/usr/bin/cut
File Type:ASCII text
Category:dropped
Size (bytes):191
Entropy (8bit):4.515771857099866
Encrypted:false
SSDEEP:3:P2lnI+5MsqqzNLz+FRNScHUBfRau95++sZzR5woLB1Fh0VTGTl/X5kURn:OZ8uNLzDc0pR75+9Zz/woFmIT52URn
MD5:DD514F892B5F93ED615D366E58AC58AF
SHA1:BA75EDB3C2232CC260BC187F604DC8F25AA72C11
SHA-256:F40D0DCE6E83DF74109FEF5E68E51CC255727783EEAE04C3E34677E23F7552CF
SHA-512:9150BDE63F6C4850C5340D8877892B4D9BBF9EBDC98CDCF557A93FA304C1222CEE446418F5BE2ACCDBF38393778AFA5D4F3EDCB37A47BF57D3A4B2DEAD42A2D0
Malicious:false
Reputation:moderate, very likely benign file
Preview: * Super-optimized for small spaces - read how we shrank the memory. footprint of MicroK8s to make it the smallest full K8s around... https://ubuntu.com/blog/microk8s-memory-optimisation.

Static File Info

General

File type:ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
Entropy (8bit):6.766934735024449
TrID:
• ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:OisIh0q3Gw
File size:51584
MD5:011afa25945a1bfa6c8397da5116ea79
SHA1:b02c0da3cecab99eae0aac2beb18e43fd73ec8f7
SHA256:db4e62a9609a515112f043e3ece5998c66d6eb8d5d3766719defb143cfffe31e
SHA512:a8af466d32fe169a9a3f763473c52e855d8bfab86a6883d71761e62d5808e7e7b646a1503d24ae9413b4da8e287b81e0295821b1ee5e3110e9aa4c179635536d
SSDEEP:768:jaixFwtLSYAagMo0ebfELdv0X3pyWfs3I9ICJUU/qMCqKomQRCvl:jaQFwtOGtv0XJfs3kICJt/qMF/RCvl
File Content Preview:.ELF..............*.......@.4...........4. ...(...............@...@.<...<...............@...@.A.@.A.p...............Q.td............................././"O.n........#.*@........#.*@,....o&O.n...l..............................././.../.a"O.!...n...a.b("...q.

Static ELF Info

ELF header

Class:ELF32
Data:2's complement, little endian
Version:1 (current)
Machine:<unknown>
Version Number:0x1
Type:EXEC (Executable file)
OS/ABI:UNIX - System V
ABI Version:0
Entry Point Address:0x4001a0
Flags:0x9
ELF Header Size:52
Program Header Offset:52
Program Header Size:32
Number of Program Headers:3
Section Header Offset:51184
Section Header Size:40
Number of Section Headers:10
Header String Table Index:9

Sections

Name       Type      Address   Offset  Size    EntSize  Flags  Flags Description  Link  Info  Align
-          NULL      0x0       0x0     0x0     0x0      0x0    -                  0     0     0
.init      PROGBITS  0x400094  0x94    0x30    0x0      0x6    AX                 0     0     4
.text      PROGBITS  0x4000e0  0xe0    0xbf40  0x0      0x6    AX                 0     0     32
.fini      PROGBITS  0x40c020  0xc020  0x24    0x0      0x6    AX                 0     0     4
.rodata    PROGBITS  0x40c044  0xc044  0x5f8   0x0      0x2    A                  0     0     4
.ctors     PROGBITS  0x41c640  0xc640  0x8     0x0      0x3    WA                 0     0     4
.dtors     PROGBITS  0x41c648  0xc648  0x8     0x0      0x3    WA                 0     0     4
.data      PROGBITS  0x41c654  0xc654  0x15c   0x0      0x3    WA                 0     0     4
.bss       NOBITS    0x41c7b0  0xc7b0  0x280   0x0      0x3    WA                 0     0     4
.shstrtab  STRTAB    0x0       0xc7b0  0x3e    0x0      0x0    -                  0     0     1

Program Segments

Type       Offset  Virtual Address  Physical Address  File Size  Memory Size  Entropy  Flags  Flags Description  Align    Prog Interpreter  Section Mappings
LOAD       0x0     0x400000         0x400000          0xc63c     0xc63c       4.6295   0x5    R E                0x10000  -                 .init .text .fini .rodata
LOAD       0xc640  0x41c640         0x41c640          0x170      0x3f0        0.4302   0x6    RW                 0x10000  -                 .ctors .dtors .data .bss
GNU_STACK  0x0     0x0              0x0               0x0        0x0          0.0000   0x7    RWE                0x4      -                 -

Network Behavior

No network behavior found

System Behavior