Linux Analysis Report
0rK5XxDyLK

Overview

General Information

Sample Name: 0rK5XxDyLK
Analysis ID: 626474
MD5: b440222d627a07ae7733f9e706b88902
SHA1: 63be0315c844d0a25b61caa609255d9375306acf
SHA256: eae51f23834e02da2ca18bbf28d2327726fd50c18b4e2c2f4ff451fca58a69aa
Tags: 32, arm, elf, mirai

Detection

Mirai
Score: 64
Range: 0 - 100
Whitelisted: false

Signatures

Yara detected Mirai
Multi AV Scanner detection for submitted file
Sample is packed with UPX
Uses known network protocols on non-standard ports
Sample contains only a LOAD segment without any section mappings
Yara signature match
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Detected TCP or UDP traffic on non-standard ports
Sample listens on a socket
Sample tries to kill a process (SIGKILL)

Classification

AV Detection

Source: 0rK5XxDyLK Virustotal: Detection: 44%

Networking

Source: unknown Network traffic detected: HTTP traffic on port 23 -> 42390
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 42396
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 42402
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 42410
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 42418
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 42424
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 42436
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 42442
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 42448
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 42456
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37008
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37020
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37022
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37028
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37036
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37060
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37068
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37074
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37080
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37088
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic TCP traffic: 192.168.2.23:60988 -> 107.172.197.117:1312
Source: /tmp/0rK5XxDyLK (PID: 6227) Socket: 0.0.0.0::0
Source: /tmp/0rK5XxDyLK (PID: 6233) Socket: 0.0.0.0::0
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: 0rK5XxDyLK String found in binary or memory: http://upx.sf.net
Source: LOAD without section mappings Program segment: 0x8000
Source: 0rK5XxDyLK, type: SAMPLE Matched rule: SUSP_ELF_LNX_UPX_Compressed_File date = 2018-12-12, author = Florian Roth, description = Detects a suspicious ELF binary with UPX compression, reference = Internal Research, score = 038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4
Source: /tmp/0rK5XxDyLK (PID: 6227) SIGKILL sent: pid: 936, result: successful
Source: /tmp/0rK5XxDyLK (PID: 6233) SIGKILL sent: pid: 936, result: successful
Source: classification engine Classification label: mal64.troj.evad.lin@0/0@0/0

Data Obfuscation

Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $
Source: /tmp/0rK5XxDyLK (PID: 6233) File opened: /proc/491/fd
Source: /tmp/0rK5XxDyLK (PID: 6233) File opened: /proc/793/fd
Source: /tmp/0rK5XxDyLK (PID: 6233) File opened: /proc/772/fd
Source: /tmp/0rK5XxDyLK (PID: 6233) File opened: /proc/796/fd
Source: /tmp/0rK5XxDyLK (PID: 6233) File opened: /proc/774/fd
Source: /tmp/0rK5XxDyLK (PID: 6233) File opened: /proc/797/fd
Source: /tmp/0rK5XxDyLK (PID: 6233) File opened: /proc/777/fd
Source: /tmp/0rK5XxDyLK (PID: 6233) File opened: /proc/799/fd
Source: /tmp/0rK5XxDyLK (PID: 6233) File opened: /proc/658/fd
Source: /tmp/0rK5XxDyLK (PID: 6233) File opened: /proc/912/fd
Source: /tmp/0rK5XxDyLK (PID: 6233) File opened: /proc/759/fd
Source: /tmp/0rK5XxDyLK (PID: 6233) File opened: /proc/936/fd
Source: /tmp/0rK5XxDyLK (PID: 6233) File opened: /proc/918/fd
Source: /tmp/0rK5XxDyLK (PID: 6233) File opened: /proc/1/fd
Source: /tmp/0rK5XxDyLK (PID: 6233) File opened: /proc/761/fd
Source: /tmp/0rK5XxDyLK (PID: 6233) File opened: /proc/785/fd
Source: /tmp/0rK5XxDyLK (PID: 6233) File opened: /proc/884/fd
Source: /tmp/0rK5XxDyLK (PID: 6233) File opened: /proc/720/fd
Source: /tmp/0rK5XxDyLK (PID: 6233) File opened: /proc/721/fd
Source: /tmp/0rK5XxDyLK (PID: 6233) File opened: /proc/788/fd
Source: /tmp/0rK5XxDyLK (PID: 6233) File opened: /proc/789/fd
Source: /tmp/0rK5XxDyLK (PID: 6233) File opened: /proc/800/fd
Source: /tmp/0rK5XxDyLK (PID: 6233) File opened: /proc/801/fd
Source: /tmp/0rK5XxDyLK (PID: 6233) File opened: /proc/847/fd
Source: /tmp/0rK5XxDyLK (PID: 6233) File opened: /proc/904/fd

Hooking and other Techniques for Hiding and Protection

Source: /tmp/0rK5XxDyLK (PID: 6225) Queries kernel information via 'uname'
Source: 0rK5XxDyLK, 6225.1.00000000d41d82df.00000000bfa2218c.rw-.sdmp, 0rK5XxDyLK, 6227.1.00000000d41d82df.00000000bfa2218c.rw-.sdmp, 0rK5XxDyLK, 6333.1.00000000d41d82df.00000000bfa2218c.rw-.sdmp, 0rK5XxDyLK, 6346.1.00000000d41d82df.00000000bfa2218c.rw-.sdmp, 0rK5XxDyLK, 6339.1.00000000d41d82df.00000000bfa2218c.rw-.sdmp, 0rK5XxDyLK, 6228.1.00000000d41d82df.00000000bfa2218c.rw-.sdmp, 0rK5XxDyLK, 6329.1.00000000d41d82df.00000000bfa2218c.rw-.sdmp, 0rK5XxDyLK, 6235.1.00000000d41d82df.00000000bfa2218c.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/0rK5XxDyLKSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/0rK5XxDyLK
Source: 0rK5XxDyLK, 6225.1.00000000950b7910.0000000057860fa8.rw-.sdmp, 0rK5XxDyLK, 6227.1.00000000950b7910.0000000057860fa8.rw-.sdmp, 0rK5XxDyLK, 6333.1.00000000950b7910.0000000057860fa8.rw-.sdmp, 0rK5XxDyLK, 6346.1.00000000950b7910.0000000057860fa8.rw-.sdmp, 0rK5XxDyLK, 6339.1.00000000950b7910.0000000057860fa8.rw-.sdmp, 0rK5XxDyLK, 6228.1.00000000950b7910.0000000057860fa8.rw-.sdmp, 0rK5XxDyLK, 6329.1.00000000950b7910.0000000057860fa8.rw-.sdmp, 0rK5XxDyLK, 6235.1.00000000950b7910.0000000057860fa8.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/arm
Source: 0rK5XxDyLK, 6225.1.00000000d41d82df.00000000bfa2218c.rw-.sdmp, 0rK5XxDyLK, 6227.1.00000000d41d82df.00000000bfa2218c.rw-.sdmp, 0rK5XxDyLK, 6333.1.00000000d41d82df.00000000bfa2218c.rw-.sdmp, 0rK5XxDyLK, 6346.1.00000000d41d82df.00000000bfa2218c.rw-.sdmp, 0rK5XxDyLK, 6339.1.00000000d41d82df.00000000bfa2218c.rw-.sdmp, 0rK5XxDyLK, 6228.1.00000000d41d82df.00000000bfa2218c.rw-.sdmp, 0rK5XxDyLK, 6329.1.00000000d41d82df.00000000bfa2218c.rw-.sdmp, 0rK5XxDyLK, 6235.1.00000000d41d82df.00000000bfa2218c.rw-.sdmp Binary or memory string: /usr/bin/qemu-arm
Source: 0rK5XxDyLK, 6225.1.00000000950b7910.0000000057860fa8.rw-.sdmp, 0rK5XxDyLK, 6227.1.00000000950b7910.0000000057860fa8.rw-.sdmp, 0rK5XxDyLK, 6333.1.00000000950b7910.0000000057860fa8.rw-.sdmp, 0rK5XxDyLK, 6346.1.00000000950b7910.0000000057860fa8.rw-.sdmp, 0rK5XxDyLK, 6339.1.00000000950b7910.0000000057860fa8.rw-.sdmp, 0rK5XxDyLK, 6228.1.00000000950b7910.0000000057860fa8.rw-.sdmp, 0rK5XxDyLK, 6329.1.00000000950b7910.0000000057860fa8.rw-.sdmp, 0rK5XxDyLK, 6235.1.00000000950b7910.0000000057860fa8.rw-.sdmp Binary or memory string: +V!/etc/qemu-binfmt/arm

Stealing of Sensitive Information

Source: Yara match File source: dump.pcap, type: PCAP

Remote Access Functionality

Source: Yara match File source: dump.pcap, type: PCAP