Linux Analysis Report J26H423OMJ

Overview

General Information

Sample Name: J26H423OMJ
Analysis ID: 553489
MD5: 3414deab25b875eed0b15208810ed1ce
SHA1: 80b311c6750599af1f89471ee858fbdbfd98d7d1
SHA256: 95cd08fe8edd5ee21183808360baff9d3603fc7195dff78db1bf6b4e3085ca7a
Tags: 32 elf mirai powerpc

Detection

Score: 52
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Sample is packed with UPX
Uses the "uname" system call to query kernel version information (possible evasion)
Sample contains only a LOAD segment without any section mappings
Enumerates processes within the "proc" file system
Sample listens on a socket
Sample tries to kill a process (SIGKILL)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: J26H423OMJ Virustotal: Detection: 36%
Source: J26H423OMJ ReversingLabs: Detection: 34%

Networking:

Sample listens on a socket
Source: /tmp/J26H423OMJ (PID: 5226) Socket: 0.0.0.0::0
Source: /tmp/J26H423OMJ (PID: 5231) Socket: 0.0.0.0::0
Source: J26H423OMJ String found in binary or memory: http://upx.sf.net

System Summary:

Sample contains only a LOAD segment without any section mappings
Source: LOAD without section mappings Program segment: 0x100000
Sample tries to kill a process (SIGKILL)
Source: /tmp/J26H423OMJ (PID: 5226) SIGKILL sent: pid: 936, result: successful
Source: /tmp/J26H423OMJ (PID: 5231) SIGKILL sent: pid: 936, result: successful
Source: /tmp/J26H423OMJ (PID: 5242) SIGKILL sent: pid: 5240, result: successful
Source: classification engine Classification label: mal52.evad.lin@0/0@0/0

Data Obfuscation:

Sample is packed with UPX
Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $
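The two static findings in this report, the UPX banner strings and a single LOAD program segment at 0x100000 with no section table (System Summary above), can be reproduced on any ELF with a few lines of header parsing. The script below is an added example, not the sandbox's own code or the report's tooling: it parses the ELF header and program headers for both 32- and 64-bit files using only the standard library, and checks the three facts the report tags (architecture, PT_LOAD layout, UPX marker). The ELF bytes it builds are constructed for the demonstration, a minimal big-endian 32-bit PowerPC header with one PT_LOAD and the UPX banner appended; they are not the J26H423OMJ sample, so the hashes it prints will not match the ones above.

```python
"""Static triage of a Linux ELF: architecture, segment layout, UPX marker, hashes.

Added example (not from the sandbox report). Hand-parses Elf32/Elf64 headers
with `struct` so it runs offline without pyelftools. build_sample() returns a
CONSTRUCTED file shaped like the report's finding (one LOAD at 0x100000, no
section headers, UPX banner present); it is not the real sample.
"""
import hashlib
import struct

EM_PPC = 20       # e_machine for 32-bit PowerPC
PT_LOAD = 1
UPX_MARKERS = (b"UPX!", b"$Info: This file is packed with the UPX executable packer")


def parse_elf(data: bytes) -> dict:
    """Return e_machine, class, endianness, section count and program segments."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    end = {1: "<", 2: ">"}[ei_data]                      # EI_DATA: 1 = LSB, 2 = MSB
    if ei_class == 1:                                    # ELFCLASS32: 52-byte header
        fields = struct.unpack(end + "HHIIIIIHHHHHH", data[16:52])
        phdr_fmt, phdr_len = end + "IIIIIIII", 32
    elif ei_class == 2:                                  # ELFCLASS64: 64-byte header
        fields = struct.unpack(end + "HHIQQQIHHHHHH", data[16:64])
        phdr_fmt, phdr_len = end + "IIQQQQQQ", 56
    else:
        raise ValueError("bad EI_CLASS")
    # field order: type, machine, version, entry, phoff, shoff, flags, ehsize,
    #              phentsize, phnum, shentsize, shnum, shstrndx
    e_machine, e_entry, e_phoff = fields[1], fields[3], fields[4]
    e_phentsize, e_phnum, e_shnum = fields[8], fields[9], fields[11]
    segments = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        raw = struct.unpack(phdr_fmt, data[off:off + phdr_len])
        if ei_class == 1:   # Elf32_Phdr: type, offset, vaddr, paddr, filesz, memsz, flags, align
            p_type, _o, p_vaddr, _pa, p_filesz, p_memsz, p_flags, _al = raw
        else:               # Elf64_Phdr: type, flags, offset, vaddr, paddr, filesz, memsz, align
            p_type, p_flags, _o, p_vaddr, _pa, p_filesz, p_memsz, _al = raw
        segments.append({"type": p_type, "vaddr": p_vaddr, "filesz": p_filesz,
                         "memsz": p_memsz, "flags": p_flags})
    return {"bits": 32 if ei_class == 1 else 64, "big_endian": ei_data == 2,
            "machine": e_machine, "entry": e_entry, "shnum": e_shnum, "segments": segments}


def triage(data: bytes) -> dict:
    """Produce the report-style facts: arch, LOAD layout, missing sections, UPX banner."""
    hdr = parse_elf(data)
    loads = [s for s in hdr["segments"] if s["type"] == PT_LOAD]
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "arch": "powerpc" if hdr["machine"] == EM_PPC else f"em_{hdr['machine']}",
        "bits": hdr["bits"],
        "load_segments": [hex(s["vaddr"]) for s in loads],
        # The report's "LOAD without section mappings": program segments exist
        # but e_shnum == 0. UPX strips the section table, so this usually goes
        # with the banner check below; either alone is only a hint.
        "load_without_sections": bool(loads) and hdr["shnum"] == 0,
        "upx_marker": any(m in data for m in UPX_MARKERS),
    }


def build_sample() -> bytes:
    """CONSTRUCTED 32-bit big-endian PPC ELF: one RWX PT_LOAD at 0x100000, no sections."""
    e_ident = b"\x7fELF" + bytes([1, 2, 1, 0]) + b"\x00" * 8   # class32, MSB, version 1, SYSV
    payload = b"\x00" * 64 + b"$Info: This file is packed with the UPX executable packer http://upx.sf.net $\x00"
    filesz = 52 + 32 + len(payload)
    ehdr = struct.pack(">HHIIIIIHHHHHH", 2, EM_PPC, 1, 0x100054, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack(">IIIIIIII", PT_LOAD, 0, 0x100000, 0x100000, filesz, filesz, 7, 0x10000)
    return e_ident + ehdr + phdr + payload


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for key, value in triage(blob).items():
        print(f"{key}: {value}")
```

Run it with a file path to triage a real sample, or with no arguments to see the constructed one report `arch: powerpc`, `load_segments: ['0x100000']`, `load_without_sections: True` and `upx_marker: True`, which is the combination the signatures above describe. Treat the absent section table as a packer hint rather than proof: a stripped, hand-linked static binary can look the same, which is why the banner string and a packer identification tool should back it up.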

Persistence and Installation Behavior:

Enumerates processes within the "proc" file system
Source: /tmp/J26H423OMJ (PID: 5231) File opened: /proc/491/fd
Source: /tmp/J26H423OMJ (PID: 5231) File opened: /proc/793/fd
Source: /tmp/J26H423OMJ (PID: 5231) File opened: /proc/772/fd
Source: /tmp/J26H423OMJ (PID: 5231) File opened: /proc/796/fd
Source: /tmp/J26H423OMJ (PID: 5231) File opened: /proc/774/fd
Source: /tmp/J26H423OMJ (PID: 5231) File opened: /proc/797/fd
Source: /tmp/J26H423OMJ (PID: 5231) File opened: /proc/777/fd
Source: /tmp/J26H423OMJ (PID: 5231) File opened: /proc/799/fd
Source: /tmp/J26H423OMJ (PID: 5231) File opened: /proc/658/fd
Source: /tmp/J26H423OMJ (PID: 5231) File opened: /proc/912/fd
Source: /tmp/J26H423OMJ (PID: 5231) File opened: /proc/759/fd
Source: /tmp/J26H423OMJ (PID: 5231) File opened: /proc/936/fd
Source: /tmp/J26H423OMJ (PID: 5231) File opened: /proc/918/fd
Source: /tmp/J26H423OMJ (PID: 5231) File opened: /proc/1/fd
Source: /tmp/J26H423OMJ (PID: 5231) File opened: /proc/761/fd
Source: /tmp/J26H423OMJ (PID: 5231) File opened: /proc/785/fd
Source: /tmp/J26H423OMJ (PID: 5231) File opened: /proc/884/fd
Source: /tmp/J26H423OMJ (PID: 5231) File opened: /proc/720/fd
Source: /tmp/J26H423OMJ (PID: 5231) File opened: /proc/721/fd
Source: /tmp/J26H423OMJ (PID: 5231) File opened: /proc/788/fd
Source: /tmp/J26H423OMJ (PID: 5231) File opened: /proc/789/fd
Source: /tmp/J26H423OMJ (PID: 5231) File opened: /proc/800/fd
Source: /tmp/J26H423OMJ (PID: 5231) File opened: /proc/801/fd
Source: /tmp/J26H423OMJ (PID: 5231) File opened: /proc/847/fd
Source: /tmp/J26H423OMJ (PID: 5231) File opened: /proc/904/fd
Source: /tmp/J26H423OMJ (PID: 5226) File opened: /proc/491/fd
Source: /tmp/J26H423OMJ (PID: 5226) File opened: /proc/793/fd
Source: /tmp/J26H423OMJ (PID: 5226) File opened: /proc/772/fd
Source: /tmp/J26H423OMJ (PID: 5226) File opened: /proc/796/fd
Source: /tmp/J26H423OMJ (PID: 5226) File opened: /proc/774/fd
Source: /tmp/J26H423OMJ (PID: 5226) File opened: /proc/797/fd
Source: /tmp/J26H423OMJ (PID: 5226) File opened: /proc/777/fd
Source: /tmp/J26H423OMJ (PID: 5226) File opened: /proc/799/fd
Source: /tmp/J26H423OMJ (PID: 5226) File opened: /proc/658/fd
Source: /tmp/J26H423OMJ (PID: 5226) File opened: /proc/912/fd
Source: /tmp/J26H423OMJ (PID: 5226) File opened: /proc/759/fd
Source: /tmp/J26H423OMJ (PID: 5226) File opened: /proc/936/fd
Source: /tmp/J26H423OMJ (PID: 5226) File opened: /proc/918/fd
Source: /tmp/J26H423OMJ (PID: 5226) File opened: /proc/1/fd
Source: /tmp/J26H423OMJ (PID: 5226) File opened: /proc/761/fd
Source: /tmp/J26H423OMJ (PID: 5226) File opened: /proc/785/fd
Source: /tmp/J26H423OMJ (PID: 5226) File opened: /proc/884/fd
Source: /tmp/J26H423OMJ (PID: 5226) File opened: /proc/720/fd
Source: /tmp/J26H423OMJ (PID: 5226) File opened: /proc/721/fd
Source: /tmp/J26H423OMJ (PID: 5226) File opened: /proc/788/fd
Source: /tmp/J26H423OMJ (PID: 5226) File opened: /proc/789/fd
Source: /tmp/J26H423OMJ (PID: 5226) File opened: /proc/800/fd
Source: /tmp/J26H423OMJ (PID: 5226) File opened: /proc/801/fd
Source: /tmp/J26H423OMJ (PID: 5226) File opened: /proc/847/fd
Source: /tmp/J26H423OMJ (PID: 5226) File opened: /proc/904/fd

Malware Analysis System Evasion:

Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/J26H423OMJ (PID: 5224) Queries kernel information via 'uname'
Source: J26H423OMJ, 5224.1.00000000b7edd68d.00000000602b0247.rw-.sdmp, J26H423OMJ, 5240.1.00000000b7edd68d.00000000602b0247.rw-.sdmp, J26H423OMJ, 5242.1.00000000b7edd68d.00000000602b0247.rw-.sdmp Binary or memory string: !/etc/qemu-binfmt/ppc11!hotpluggableq
Source: J26H423OMJ, 5226.1.00000000b7edd68d.00000000602b0247.rw-.sdmp, J26H423OMJ, 5340.1.00000000b7edd68d.00000000602b0247.rw-.sdmp, J26H423OMJ, 5358.1.00000000b7edd68d.00000000602b0247.rw-.sdmp, J26H423OMJ, 5348.1.00000000b7edd68d.00000000602b0247.rw-.sdmp, J26H423OMJ, 5227.1.00000000b7edd68d.00000000602b0247.rw-.sdmp, J26H423OMJ, 5345.1.00000000b7edd68d.00000000602b0247.rw-.sdmp, J26H423OMJ, 5234.1.00000000b7edd68d.00000000602b0247.rw-.sdmp Binary or memory string: !/etc/qemu-binfmt/ppc1
Source: J26H423OMJ, 5224.1.00000000b7edd68d.00000000602b0247.rw-.sdmp, J26H423OMJ, 5226.1.00000000b7edd68d.00000000602b0247.rw-.sdmp, J26H423OMJ, 5340.1.00000000b7edd68d.00000000602b0247.rw-.sdmp, J26H423OMJ, 5358.1.00000000b7edd68d.00000000602b0247.rw-.sdmp, J26H423OMJ, 5348.1.00000000b7edd68d.00000000602b0247.rw-.sdmp, J26H423OMJ, 5227.1.00000000b7edd68d.00000000602b0247.rw-.sdmp, J26H423OMJ, 5345.1.00000000b7edd68d.00000000602b0247.rw-.sdmp, J26H423OMJ, 5234.1.00000000b7edd68d.00000000602b0247.rw-.sdmp, J26H423OMJ, 5240.1.00000000b7edd68d.00000000602b0247.rw-.sdmp, J26H423OMJ, 5242.1.00000000b7edd68d.00000000602b0247.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/ppc
Source: J26H423OMJ, 5224.1.000000008c0f408b.00000000efb73240.rw-.sdmp, J26H423OMJ, 5226.1.000000008c0f408b.00000000efb73240.rw-.sdmp, J26H423OMJ, 5340.1.000000008c0f408b.00000000efb73240.rw-.sdmp, J26H423OMJ, 5358.1.000000008c0f408b.00000000efb73240.rw-.sdmp, J26H423OMJ, 5348.1.000000008c0f408b.00000000efb73240.rw-.sdmp, J26H423OMJ, 5227.1.000000008c0f408b.00000000efb73240.rw-.sdmp, J26H423OMJ, 5345.1.000000008c0f408b.00000000efb73240.rw-.sdmp, J26H423OMJ, 5234.1.000000008c0f408b.00000000efb73240.rw-.sdmp, J26H423OMJ, 5240.1.000000008c0f408b.00000000efb73240.rw-.sdmp, J26H423OMJ, 5242.1.000000008c0f408b.00000000efb73240.rw-.sdmp Binary or memory string: /usr/bin/qemu-ppc
Source: J26H423OMJ, 5224.1.000000008c0f408b.00000000efb73240.rw-.sdmp, J26H423OMJ, 5226.1.000000008c0f408b.00000000efb73240.rw-.sdmp, J26H423OMJ, 5340.1.000000008c0f408b.00000000efb73240.rw-.sdmp, J26H423OMJ, 5358.1.000000008c0f408b.00000000efb73240.rw-.sdmp, J26H423OMJ, 5348.1.000000008c0f408b.00000000efb73240.rw-.sdmp, J26H423OMJ, 5227.1.000000008c0f408b.00000000efb73240.rw-.sdmp, J26H423OMJ, 5345.1.000000008c0f408b.00000000efb73240.rw-.sdmp, J26H423OMJ, 5234.1.000000008c0f408b.00000000efb73240.rw-.sdmp, J26H423OMJ, 5240.1.000000008c0f408b.00000000efb73240.rw-.sdmp, J26H423OMJ, 5242.1.000000008c0f408b.00000000efb73240.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-ppc/tmp/J26H423OMJSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/J26H423OMJ
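Two notes on reading this section. First, the only behaviour attributed to the sample itself is the uname() call; the `/etc/qemu-binfmt/ppc`, `/usr/bin/qemu-ppc` and sudo/PATH strings in the memory dumps describe the analysis host, where the PowerPC binary is run under qemu user-mode emulation (the last dump is the process's own environment block, with `/usr/bin/qemu-ppc` in front of `/tmp/J26H423OMJ`), so they should not be read as VM-detection logic embedded in the sample. Second, the dynamic signatures above (uname, a listening socket on 0.0.0.0, the sweep of `/proc/<pid>/fd` across more than twenty processes, and SIGKILL to a pid that the sweep itself visited, 936) together form a process-killing pattern, and they are easy to turn into rules over a syscall trace. The script below is an added example, not the sandbox's detection engine: it applies four such rules to a strace-style log. The log, the `<pid> <syscall>(<args>) = <ret>` line format and the threshold of five distinct `/proc/<pid>/fd` opens are all assumptions made for the demonstration; the trace is constructed to resemble the behaviour reported above and is not the sandbox's real trace.

```python
"""Rule-based triage of a syscall trace, rendering the report's behaviour signatures as code.

Added example (not from the sandbox report). Parses strace-style lines of the
form '<pid> <syscall>(<args>) = <ret>' (format is an ASSUMPTION) and flags:
uname() use, a listening socket, enumeration of /proc/<pid>/fd, and SIGKILL,
plus the combination that matters most: killing a pid the sample enumerated.
SAMPLE_TRACE is CONSTRUCTED to resemble the report; pids are borrowed from it.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<call>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\w+)")
PROC_FD_RE = re.compile(r'"/proc/(\d+)/fd"')
KILL_RE = re.compile(r"^(\d+),\s*SIGKILL$")
BIND_RE = re.compile(r'sin_port=htons\((\d+)\).*inet_addr\("([\d.]+)"\)')

# Assumption: a handful of /proc/<pid>/fd lookups is normal tooling; a sweep
# over many pids is enumeration. Tune for the environment.
PROC_SCAN_THRESHOLD = 5

SAMPLE_TRACE = """\
5224 uname({sysname="Linux", release="5.4.0"}) = 0
5226 socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
5226 bind(3, {sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
5226 listen(3, 1) = 0
5231 openat(AT_FDCWD, "/proc/491/fd", O_RDONLY|O_DIRECTORY) = 4
5231 openat(AT_FDCWD, "/proc/793/fd", O_RDONLY|O_DIRECTORY) = 4
5231 openat(AT_FDCWD, "/proc/772/fd", O_RDONLY|O_DIRECTORY) = 4
5231 openat(AT_FDCWD, "/proc/936/fd", O_RDONLY|O_DIRECTORY) = 4
5231 openat(AT_FDCWD, "/proc/1/fd", O_RDONLY|O_DIRECTORY) = 4
5231 openat(AT_FDCWD, "/proc/918/fd", O_RDONLY|O_DIRECTORY) = 4
5240 openat(AT_FDCWD, "/proc/1/fd", O_RDONLY|O_DIRECTORY) = 4
5226 kill(936, SIGKILL) = 0
5242 kill(5240, SIGKILL) = 0
"""


def analyze_trace(text: str) -> dict:
    """Apply the four rules and return findings keyed by signature."""
    proc_scans = defaultdict(set)   # scanning pid -> set of target pids whose /proc/<pid>/fd was opened
    bound = {}                      # (pid, fd) -> "addr:port" recorded at bind()
    listeners, kills, uname_pids = [], [], set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                # ignore unfinished/resumed fragments and noise
        pid, call, args, ret = int(m["pid"]), m["call"], m["args"], m["ret"]
        if call == "uname":
            uname_pids.add(pid)
        elif call == "bind" and ret == "0":
            b = BIND_RE.search(args)
            if b:
                fd = int(args.split(",", 1)[0])
                bound[(pid, fd)] = f"{b.group(2)}:{b.group(1)}"
        elif call == "listen" and ret == "0":
            fd = int(args.split(",", 1)[0])
            listeners.append((pid, bound.get((pid, fd), "unknown")))
        elif call in ("open", "openat"):
            t = PROC_FD_RE.search(args)
            if t:
                proc_scans[pid].add(int(t.group(1)))
        elif call == "kill" and ret == "0":
            k = KILL_RE.match(args.strip())
            if k:
                kills.append((pid, int(k.group(1))))
    scanners = {p: t for p, t in proc_scans.items() if len(t) >= PROC_SCAN_THRESHOLD}
    scanned = set().union(*scanners.values()) if scanners else set()
    return {
        "uname": sorted(uname_pids),
        "listens": listeners,
        "proc_fd_enumeration": {p: len(t) for p, t in scanners.items()},
        "sigkill": kills,
        # a SIGKILL aimed at a pid the sample walked in /proc is the
        # "remove competitors" pattern, stronger than either rule alone
        "kills_enumerated_pid": [k for k in kills if k[1] in scanned],
    }


if __name__ == "__main__":
    for key, value in analyze_trace(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```

On the constructed trace the single `/proc/1/fd` lookup by pid 5240 stays below the threshold, while 5231's sweep is flagged and the kill of 936 is correlated with it; the kill of 5240 is reported but not correlated, which matches the report, where 5240 is one of the sample's own processes rather than one it discovered. Note that `listen()` on a socket bound to `0.0.0.0` with port 0 is recorded as `0.0.0.0:0`, the same shape the report shows; the kernel assigns an ephemeral port in that case, so the rule reports what was requested, not the port finally chosen.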
No contacted IP infos