Linux Analysis Report
mozi.m

ID:	604041
Product:	CloudBasic
Start time:	16:15:35
Start date:	06.04.2022
Sample:	mozi.m
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Architecture:	LINUX
MD5:	3849f30b51a5c49e8d1546960cc206c7
SHA1:	61c74136534b826059c63221a2373dc0613a47b7
SHA256:	f6c97b1e2ed02578ca1066c8235ba4f991e645f89012406c639dbccc6582eec8
Filetype:	ELF Executable and Linkable format (generic) (4004/1) 100.00%

Name	Type	MD5	SHA1	SHA256

AV Detection

Source: mozi.m

Avira: detected

Source: mozi.m	Virustotal: Detection: 66%			Perma Link
Source: mozi.m	Metadefender: Detection: 48%			Perma Link
Source: mozi.m	ReversingLabs: Detection: 71%

Networking

Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43

Source: mozi.m

String found in binary or memory: http://upx.sf.net

System Summary

Source: mozi.m, type: SAMPLE	Matched rule: SUSP_ELF_LNX_UPX_Compressed_File date = 2018-12-12, author = Florian Roth, description = Detects a suspicious ELF binary with UPX compression, reference = Internal Research, score = 038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4
Source: 5229.1.0000000006c36974.00000000324761c7.r-x.sdmp, type: MEMORY	Matched rule: SUSP_ELF_LNX_UPX_Compressed_File date = 2018-12-12, author = Florian Roth, description = Detects a suspicious ELF binary with UPX compression, reference = Internal Research, score = 038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4

Source: classification engine

Classification label: mal60.evad.linM@0/0@0/0

Data Obfuscation

Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Id: UPX 3.95 Copyright (C) 1996-2018 the UPX Team. All Rights Reserved. $

Malware Analysis System Evasion

Source: /tmp/mozi.m (PID: 5229)

Queries kernel information via 'uname':

Jump to behavior

Source: mozi.m, 5229.1.00000000f0dd87b6.00000000b4e4a453.rw-.sdmp	Binary or memory string: W_x86_64/usr/bin/qemu-mipsel/tmp/mozi.mSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/mozi.m
Source: mozi.m, 5229.1.0000000079d3f21a.00000000a6782d36.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mipsel
Source: mozi.m, 5229.1.00000000f0dd87b6.00000000b4e4a453.rw-.sdmp	Binary or memory string: qemu: uncaught target signal 5 (Trace/breakpoint trap) - core dumped
Source: mozi.m, 5229.1.00000000f0dd87b6.00000000b4e4a453.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mipsel
Source: mozi.m, 5229.1.0000000079d3f21a.00000000a6782d36.rw-.sdmp	Binary or memory string: iU!/etc/qemu-binfmt/mipsel