Linux Analysis Report UnHAnaAW.arm5

Overview

General Information

Sample Name: UnHAnaAW.arm5
Analysis ID: 553497
MD5: 1ab9ba9183a1cfc793e53d95c053a94f
SHA1: 0f89abb2535540236747f7509c00e7730805132b
SHA256: 0e96c432e77949a73df5b0b52a741ce1d10e74aa5b2e70f7345dfd577d07a96c

Detection

Score: 48
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Uses the "uname" system call to query kernel version information (possible evasion)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Sample has stripped symbol table

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: UnHAnaAW.arm5 ReversingLabs: Detection: 48%

Networking:

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 207.188.71.177
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 41.180.144.215
Source: unknown TCP traffic detected without corresponding DNS query: 121.131.157.253
Source: unknown TCP traffic detected without corresponding DNS query: 207.134.109.11
Source: unknown TCP traffic detected without corresponding DNS query: 197.234.233.181

System Summary:

Sample has stripped symbol table
Source: ELF static info symbol of initial sample .symtab present: no
Source: classification engine Classification label: mal48.linARM5@0/0@0/0

Malware Analysis System Evasion:

Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/UnHAnaAW.arm5 (PID: 5200) Queries kernel information via 'uname'
Source: UnHAnaAW.arm5, 5200.1.00000000f4b54758.00000000cb93636f.rw-.sdmp Binary or memory string: qemu: %s: %s
Source: UnHAnaAW.arm5, 5200.1.00000000f4b54758.00000000cb93636f.rw-.sdmp Binary or memory string: leqemu: %s: %s
Source: UnHAnaAW.arm5, 5200.1.0000000091dc3d8c.0000000048b8234f.rw-.sdmp Binary or memory string: 4Vrg.qemu.gdb.arm.sys.regs">
Source: UnHAnaAW.arm5, 5200.1.00000000f4b54758.00000000cb93636f.rw-.sdmp Binary or memory string: 9E{x86_64/usr/bin/qemu-arm/tmp/UnHAnaAW.arm5SUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/UnHAnaAW.arm5
Source: UnHAnaAW.arm5, 5200.1.0000000091dc3d8c.0000000048b8234f.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/arm
Source: UnHAnaAW.arm5, 5200.1.00000000f4b54758.00000000cb93636f.rw-.sdmp Binary or memory string: /usr/bin/qemu-arm
Source: UnHAnaAW.arm5, 5200.1.0000000091dc3d8c.0000000048b8234f.rw-.sdmp Binary or memory string: rg.qemu.gdb.arm.sys.regs">
Source: UnHAnaAW.arm5, 5200.1.0000000091dc3d8c.0000000048b8234f.rw-.sdmp Binary or memory string: 4V!/etc/qemu-binfmt/arm