Linux Analysis Report UnHAnaAW.arm5

Overview

General Information

Sample Name: UnHAnaAW.arm5
Analysis ID: 553497
MD5: 1ab9ba9183a1cfc793e53d95c053a94f
SHA1: 0f89abb2535540236747f7509c00e7730805132b
SHA256: 0e96c432e77949a73df5b0b52a741ce1d10e74aa5b2e70f7345dfd577d07a96c

Detection

Score: 48
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Uses the "uname" system call to query kernel version information (possible evasion)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Sample has stripped symbol table

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures
None of the HTTP servers contacted by the sample answer. The sample is likely an old dropper that no longer works
Non-zero exit code suggests an error during the execution. Look up the error code for hints.
Static ELF header machine description suggests that the sample might not execute correctly on this machine

General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 553497
Start date: 15.01.2022
Start time: 02:55:11
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 44s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: UnHAnaAW.arm5
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Detection: MAL
Classification: mal48.linARM5@0/0@0/0

Process Tree

  • system is lnxubuntu20
  • UnHAnaAW.arm5 (PID: 5200, Parent: 5114, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/UnHAnaAW.arm5
  • cleanup

Yara Overview

No yara matches

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: UnHAnaAW.arm5 | ReversingLabs: Detection: 48%
Source: global traffic | TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic | TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic | TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: unknown | Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 42836 -> 443
Source: unknown | TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown | TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown | TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown | TCP traffic detected without corresponding DNS query: 207.188.71.177
Source: unknown | TCP traffic detected without corresponding DNS query: 41.180.144.215
Source: unknown | TCP traffic detected without corresponding DNS query: 121.131.157.253
Source: unknown | TCP traffic detected without corresponding DNS query: 207.134.109.11
Source: unknown | TCP traffic detected without corresponding DNS query: 197.234.233.181
Source: ELF static info symbol of initial sample | .symtab present: no
Source: classification engine | Classification label: mal48.linARM5@0/0@0/0
Source: /tmp/UnHAnaAW.arm5 (PID: 5200) | Queries kernel information via 'uname':
Source: UnHAnaAW.arm5, 5200.1.00000000f4b54758.00000000cb93636f.rw-.sdmp | Binary or memory string: qemu: %s: %s
Source: UnHAnaAW.arm5, 5200.1.00000000f4b54758.00000000cb93636f.rw-.sdmp | Binary or memory string: leqemu: %s: %s
Source: UnHAnaAW.arm5, 5200.1.0000000091dc3d8c.0000000048b8234f.rw-.sdmp | Binary or memory string: 4Vrg.qemu.gdb.arm.sys.regs">
Source: UnHAnaAW.arm5, 5200.1.00000000f4b54758.00000000cb93636f.rw-.sdmp | Binary or memory string: 9E{x86_64/usr/bin/qemu-arm/tmp/UnHAnaAW.arm5SUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/UnHAnaAW.arm5
Source: UnHAnaAW.arm5, 5200.1.0000000091dc3d8c.0000000048b8234f.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/arm
Source: UnHAnaAW.arm5, 5200.1.00000000f4b54758.00000000cb93636f.rw-.sdmp | Binary or memory string: /usr/bin/qemu-arm
Source: UnHAnaAW.arm5, 5200.1.0000000091dc3d8c.0000000048b8234f.rw-.sdmp | Binary or memory string: rg.qemu.gdb.arm.sys.regs">
Source: UnHAnaAW.arm5, 5200.1.0000000091dc3d8c.0000000048b8234f.rw-.sdmp | Binary or memory string: 4V!/etc/qemu-binfmt/arm

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | Path Interception | Path Interception | Direct Volume Access | OS Credential Dumping | Security Software Discovery11 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Rootkit | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout

Malware Configuration

No configs have been found

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
  • Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
UnHAnaAW.arm5 | 49% | ReversingLabs | Linux.Trojan.Mirai |

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

Public

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
207.188.71.177 | unknown | Canada | CA | 11342 | PATHWAY | false
109.202.202.202 | unknown | Switzerland | CH | 13030 | INIT7 | false
207.134.109.11 | unknown | Canada | CA | 852 | ASN852 | false
197.234.233.181 | unknown | South Africa | ZA | 37546 | MIA-TELECOMs | false
41.180.144.215 | unknown | South Africa | ZA | 36916 | X-DSL-NET1 | false
91.189.91.43 | unknown | United Kingdom | GB | 41231 | CANONICAL-AS | false
121.131.157.253 | unknown | Korea Republic of | KR | 4766 | KIXS-AS-KR KoreaTelecom | false
91.189.91.42 | unknown | United Kingdom | GB | 41231 | CANONICAL-AS | false


Runtime Messages

Command: /tmp/UnHAnaAW.arm5
Exit Code: 255
Exit Code Info:
Killed: False
Standard Output:

Standard Error: /lib/ld-uClibc.so.0: No such file or directory

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type: ELF 32-bit LSB executable, ARM, version 1 (ARM), dynamically linked, interpreter /lib/ld-uClibc.so.0, stripped
Entropy (8bit): 5.94982589822901
TrID:
  • ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name: UnHAnaAW.arm5
File size: 66800 bytes
MD5: 1ab9ba9183a1cfc793e53d95c053a94f
SHA1: 0f89abb2535540236747f7509c00e7730805132b
SHA256: 0e96c432e77949a73df5b0b52a741ce1d10e74aa5b2e70f7345dfd577d07a96c
SHA512: 005a5516047e719e70278945aec4a17cd0ba536551e89251d466dd513c3aa5ac4977a1565cc751baa224fee267aa6481f9dce5463260c8f8eede07243952e569
SSDEEP: 1536:8nv4uuJp2KtGn9bJlRwl5aSXPACkA60erlTny4N6Fnydoh+WFy7BKeK:8n4l+BT3MpyahpSY
File Content Preview: .ELF...a..........(.........4... .......4. ...(.........4...4...4...................................................................4...4...............................H...........................................Q.td............................/lib/ld-uCl

Static ELF Info

ELF header

Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
Machine: ARM
Version Number: 0x1
Type: EXEC (Executable file)
OS/ABI: ARM - ABI
ABI Version: 0
Entry Point Address: 0x8ee8
Flags: 0x2
ELF Header Size: 52
Program Header Offset: 52
Program Header Size: 32
Number of Program Headers: 6
Section Header Offset: 66080
Section Header Size: 40
Number of Section Headers: 18
Header String Table Index: 17

Sections

Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align
 | NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 |  | 0 | 0 | 0
.interp | PROGBITS | 0x80f4 | 0xf4 | 0x14 | 0x0 | 0x2 | A | 0 | 0 | 1
.hash | HASH | 0x8108 | 0x108 | 0x22c | 0x4 | 0x2 | A | 3 | 0 | 4
.dynsym | DYNSYM | 0x8334 | 0x334 | 0x460 | 0x10 | 0x2 | A | 4 | 1 | 4
.dynstr | STRTAB | 0x8794 | 0x794 | 0x237 | 0x0 | 0x2 | A | 0 | 0 | 1
.rel.plt | REL | 0x89cc | 0x9cc | 0x1a0 | 0x8 | 0x2 | A | 3 | 7 | 4
.init | PROGBITS | 0x8b6c | 0xb6c | 0x18 | 0x0 | 0x6 | AX | 0 | 0 | 4
.plt | PROGBITS | 0x8b84 | 0xb84 | 0x284 | 0x4 | 0x6 | AX | 0 | 0 | 4
.text | PROGBITS | 0x8e08 | 0xe08 | 0xe6e8 | 0x0 | 0x6 | AX | 0 | 0 | 4
.fini | PROGBITS | 0x174f0 | 0xf4f0 | 0x14 | 0x0 | 0x6 | AX | 0 | 0 | 4
.rodata | PROGBITS | 0x17504 | 0xf504 | 0xa30 | 0x0 | 0x2 | A | 0 | 0 | 4
.ctors | PROGBITS | 0x18000 | 0x10000 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
.dtors | PROGBITS | 0x18008 | 0x10008 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
.dynamic | DYNAMIC | 0x18014 | 0x10014 | 0x98 | 0x8 | 0x3 | WA | 4 | 0 | 4
.got | PROGBITS | 0x180ac | 0x100ac | 0xdc | 0x4 | 0x3 | WA | 0 | 0 | 4
.data | PROGBITS | 0x18188 | 0x10188 | 0x24 | 0x0 | 0x3 | WA | 0 | 0 | 4
.bss | NOBITS | 0x181ac | 0x101ac | 0x19c | 0x0 | 0x3 | WA | 0 | 0 | 4
.shstrtab | STRTAB | 0x0 | 0x101ac | 0x73 | 0x0 | 0x0 |  | 0 | 0 | 1

Program Segments

Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
PHDR | 0x34 | 0x8034 | 0x8034 | 0xc0 | 0xc0 | 1.4521 | 0x5 | R E | 0x4 |  |
INTERP | 0xf4 | 0x80f4 | 0x80f4 | 0x14 | 0x14 | 3.6842 | 0x4 | R | 0x1 | /lib/ld-uClibc.so.0 | .interp
LOAD | 0x0 | 0x8000 | 0x8000 | 0xff34 | 0xff34 | 3.1002 | 0x5 | R E | 0x8000 |  | .interp .hash .dynsym .dynstr .rel.plt .init .plt .text .fini .rodata
LOAD | 0x10000 | 0x18000 | 0x18000 | 0x1ac | 0x348 | 1.0335 | 0x6 | RW | 0x8000 |  | .ctors .dtors .dynamic .got .data .bss
DYNAMIC | 0x10014 | 0x18014 | 0x18014 | 0x98 | 0x98 | 1.4001 | 0x6 | RW | 0x4 |  | .dynamic
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x7 | RWE | 0x4 |  |

Dynamic Tags

Type | Meta | Value | Tag
DT_NEEDED | sharedlib | libc.so.0 | 0x1
DT_INIT | value | 0x8b6c | 0xc
DT_FINI | value | 0x174f0 | 0xd
DT_HASH | value | 0x8108 | 0x4
DT_STRTAB | value | 0x8794 | 0x5
DT_SYMTAB | value | 0x8334 | 0x6
DT_STRSZ | bytes | 567 | 0xa
DT_SYMENT | bytes | 16 | 0xb
DT_DEBUG | value | 0x0 | 0x15
DT_PLTGOT | value | 0x180ac | 0x3
DT_PLTRELSZ | bytes | 416 | 0x2
DT_PLTREL | pltrel | DT_REL | 0x14
DT_JMPREL | value | 0x89cc | 0x17
DT_NULL | value | 0x0 | 0x0

Symbols

Name | Version Info Name | Version Info File Name | Section Name | Value | Size | Symbol Type | Symbol Bind | Symbol Visibility | Ndx
 |  |  | .dynsym | 0x0 | 0 | NOTYPE | <unknown> | DEFAULT | SHN_UNDEF
__aeabi_idiv0 |  |  | .dynsym | 0x174b0 | 4 | FUNC | <unknown> | DEFAULT | 8
__aeabi_ldiv0 |  |  | .dynsym | 0x174b0 | 4 | FUNC | <unknown> | DEFAULT | 8
__aeabi_uidiv |  |  | .dynsym | 0x171f0 | 0 | FUNC | <unknown> | DEFAULT | 8
__aeabi_uidivmod |  |  | .dynsym | 0x172e8 | 24 | FUNC | <unknown> | DEFAULT | 8
__bss_end__ |  |  | .dynsym | 0x18348 | 0 | NOTYPE | <unknown> | DEFAULT | SHN_ABS
__bss_start |  |  | .dynsym | 0x181ac | 0 | NOTYPE | <unknown> | DEFAULT | SHN_ABS
__bss_start__ |  |  | .dynsym | 0x181ac | 0 | NOTYPE | <unknown> | DEFAULT | SHN_ABS
__data_start |  |  | .dynsym | 0x18188 | 0 | NOTYPE | <unknown> | DEFAULT | 17
__div0 |  |  | .dynsym | 0x174b0 | 4 | FUNC | <unknown> | DEFAULT | 8
__end__ |  |  | .dynsym | 0x18348 | 0 | NOTYPE | <unknown> | DEFAULT | SHN_ABS
__errno_location |  |  | .dynsym | 0x8d78 | 32 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
__modsi3 |  |  | .dynsym | 0x173cc | 228 | FUNC | <unknown> | DEFAULT | 8
__uClibc_main |  |  | .dynsym | 0x8d30 | 488 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
__udivsi3 |  |  | .dynsym | 0x171f0 | 248 | FUNC | <unknown> | DEFAULT | 8
__umodsi3 |  |  | .dynsym | 0x17300 | 204 | FUNC | <unknown> | DEFAULT | 8
_bss_end__ |  |  | .dynsym | 0x18348 | 0 | NOTYPE | <unknown> | DEFAULT | SHN_ABS
_edata |  |  | .dynsym | 0x181ac | 0 | NOTYPE | <unknown> | DEFAULT | SHN_ABS
_end |  |  | .dynsym | 0x18348 | 0 | NOTYPE | <unknown> | DEFAULT | SHN_ABS
_start |  |  | .dynsym | 0x8ee8 | 80 | FUNC | <unknown> | DEFAULT | 8
abort |  |  | .dynsym | 0x8c70 | 352 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
accept |  |  | .dynsym | 0x8c7c | 44 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
atoi |  |  | .dynsym | 0x8d90 | 12 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
bind |  |  | .dynsym | 0x8cac | 44 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
calloc |  |  | .dynsym | 0x8c88 | 88 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
clock |  |  | .dynsym | 0x8da8 | 52 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
close |  |  | .dynsym | 0x8dd8 | 44 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
closedir |  |  | .dynsym | 0x8dc0 | 196 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
connect |  |  | .dynsym | 0x8bbc | 44 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
exit |  |  | .dynsym | 0x8d84 | 172 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
fcntl |  |  | .dynsym | 0x8dcc | 116 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
fork |  |  | .dynsym | 0x8d24 | 44 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
free |  |  | .dynsym | 0x8de4 | 288 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
getpid |  |  | .dynsym | 0x8be0 | 44 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
getppid |  |  | .dynsym | 0x8d48 | 44 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
getsockname |  |  | .dynsym | 0x8dfc | 44 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
getsockopt |  |  | .dynsym | 0x8d6c | 48 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
inet_addr |  |  | .dynsym | 0x8cb8 | 36 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
ioctl |  |  | .dynsym | 0x8ba4 | 80 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
kill |  |  | .dynsym | 0x8ca0 | 44 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
listen |  |  | .dynsym | 0x8d18 | 44 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
malloc |  |  | .dynsym | 0x8c10 | 400 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
memcpy |  |  | .dynsym | 0x8bf8 | 4 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
memmove |  |  | .dynsym | 0x8bd4 | 4 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
memset |  |  | .dynsym | 0x8d3c | 156 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
open |  |  | .dynsym | 0x8d9c | 92 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
opendir |  |  | .dynsym | 0x8d60 | 264 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
prctl |  |  | .dynsym | 0x8bec | 48 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
rand |  |  | .dynsym | 0x8cd0 | 4 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
read |  |  | .dynsym | 0x8ce8 | 44 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
readdir |  |  | .dynsym | 0x8c4c | 224 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
readlink |  |  | .dynsym | 0x8c04 | 44 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
realloc |  |  | .dynsym | 0x8d0c | 312 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
recv |  |  | .dynsym | 0x8bb0 | 44 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
recvfrom |  |  | .dynsym | 0x8c28 | 52 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
select |  |  | .dynsym | 0x8c40 | 48 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
send |  |  | .dynsym | 0x8c64 | 44 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
sendto |  |  | .dynsym | 0x8d00 | 52 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
setsid |  |  | .dynsym | 0x8db4 | 44 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
setsockopt |  |  | .dynsym | 0x8cc4 | 48 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
sigaddset |  |  | .dynsym | 0x8c58 | 48 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
sigemptyset |  |  | .dynsym | 0x8bc8 | 24 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
signal |  |  | .dynsym | 0x8cdc | 200 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
sigprocmask |  |  | .dynsym | 0x8df0 | 84 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
sleep |  |  | .dynsym | 0x8c1c | 420 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
socket |  |  | .dynsym | 0x8c34 | 44 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
strcpy |  |  | .dynsym | 0x8b98 | 28 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
time |  |  | .dynsym | 0x8d54 | 44 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
unlink |  |  | .dynsym | 0x8cf4 | 44 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
write |  |  | .dynsym | 0x8c94 | 44 | FUNC | <unknown> | DEFAULT | SHN_UNDEF

Network Behavior

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 15, 2022 02:55:55.373650074 CET | 42836 | 443 | 192.168.2.23 | 91.189.91.43
Jan 15, 2022 02:55:56.141745090 CET | 42516 | 80 | 192.168.2.23 | 109.202.202.202
Jan 15, 2022 02:56:10.733303070 CET | 43928 | 443 | 192.168.2.23 | 91.189.91.42
Jan 15, 2022 02:56:20.973169088 CET | 42836 | 443 | 192.168.2.23 | 91.189.91.43
Jan 15, 2022 02:56:27.116913080 CET | 42516 | 80 | 192.168.2.23 | 109.202.202.202
Jan 15, 2022 02:56:51.692408085 CET | 43928 | 443 | 192.168.2.23 | 91.189.91.42
Jan 15, 2022 02:57:04.024414062 CET | 23 | 44290 | 207.188.71.177 | 192.168.2.23
Jan 15, 2022 02:57:04.024648905 CET | 44290 | 23 | 192.168.2.23 | 207.188.71.177
Jan 15, 2022 02:57:12.171782017 CET | 42836 | 443 | 192.168.2.23 | 91.189.91.43
Jan 15, 2022 02:57:26.954755068 CET | 23 | 35126 | 41.180.144.215 | 192.168.2.23
Jan 15, 2022 02:57:26.955086946 CET | 35126 | 23 | 192.168.2.23 | 41.180.144.215
Jan 15, 2022 02:57:43.307955980 CET | 23 | 35442 | 121.131.157.253 | 192.168.2.23
Jan 15, 2022 02:57:43.308226109 CET | 35442 | 23 | 192.168.2.23 | 121.131.157.253
Jan 15, 2022 02:57:45.925338984 CET | 23 | 55338 | 207.134.109.11 | 192.168.2.23
Jan 15, 2022 02:57:45.925700903 CET | 55338 | 23 | 192.168.2.23 | 207.134.109.11
Jan 15, 2022 02:57:53.478125095 CET | 23 | 43018 | 197.234.233.181 | 192.168.2.23
Jan 15, 2022 02:57:53.478414059 CET | 43018 | 23 | 192.168.2.23 | 197.234.233.181

System Behavior

General

Start time: 02:55:49
Start date: 15/01/2022
Path: /tmp/UnHAnaAW.arm5
Arguments: /tmp/UnHAnaAW.arm5
File size: 4956856 bytes
MD5 hash: 5ebfcae4fe2471fcc5695c2394773ff1