Linux Analysis Report
M5VGS77ZYY

ID:	626496
Product:	CloudBasic
Start time:	04:55:32
Start date:	14.05.2022
Sample:	M5VGS77ZYY
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Architecture:	LINUX
MD5:	d415fdebf7bd931bee44ead0bd610670
SHA1:	d86d4995ba2709a3a99087c2ddae368d9ffc4a09
SHA256:	a24e8198dde3955f7b2007a8b9e25eefa1f1dc30ffaac3f0b31d650930c63c1c
Filetype:	ELF Executable and Linkable format (generic) (4004/1) 100.00%

Name	Type	MD5	SHA1	SHA256

AV Detection

Source: M5VGS77ZYY

Virustotal: Detection: 50%

Perma Link

Networking

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 52222
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 52224
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 52226
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 52228
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 52230
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 52232
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 52236
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 52238
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 52242
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 52246
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 51856
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 51862
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 51866
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 51874
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 51888
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 51898
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 51908
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 51918
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 51928
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 51932

Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443

Source: global traffic

TCP traffic: 192.168.2.23:39634 -> 198.98.54.25:1312

Source: /tmp/M5VGS77ZYY (PID: 6252)	Socket: 0.0.0.0::0			Jump to behavior
Source: /tmp/M5VGS77ZYY (PID: 6258)	Socket: 0.0.0.0::0			Jump to behavior

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 62.141.119.126
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 198.98.54.25
Source: unknown	TCP traffic detected without corresponding DNS query: 203.227.76.157
Source: unknown	TCP traffic detected without corresponding DNS query: 60.57.87.155
Source: unknown	TCP traffic detected without corresponding DNS query: 169.220.25.105
Source: unknown	TCP traffic detected without corresponding DNS query: 12.108.125.203
Source: unknown	TCP traffic detected without corresponding DNS query: 18.72.69.103
Source: unknown	TCP traffic detected without corresponding DNS query: 41.68.123.209
Source: unknown	TCP traffic detected without corresponding DNS query: 73.35.152.69
Source: unknown	TCP traffic detected without corresponding DNS query: 48.57.127.196
Source: unknown	TCP traffic detected without corresponding DNS query: 158.251.86.76
Source: unknown	TCP traffic detected without corresponding DNS query: 150.122.244.200
Source: unknown	TCP traffic detected without corresponding DNS query: 37.130.236.117
Source: unknown	TCP traffic detected without corresponding DNS query: 104.133.180.16
Source: unknown	TCP traffic detected without corresponding DNS query: 63.192.94.233
Source: unknown	TCP traffic detected without corresponding DNS query: 169.243.20.154
Source: unknown	TCP traffic detected without corresponding DNS query: 166.73.193.120
Source: unknown	TCP traffic detected without corresponding DNS query: 221.29.107.237
Source: unknown	TCP traffic detected without corresponding DNS query: 92.135.68.163
Source: unknown	TCP traffic detected without corresponding DNS query: 183.235.148.197
Source: unknown	TCP traffic detected without corresponding DNS query: 216.101.65.207
Source: unknown	TCP traffic detected without corresponding DNS query: 38.116.78.199
Source: unknown	TCP traffic detected without corresponding DNS query: 126.40.190.88
Source: unknown	TCP traffic detected without corresponding DNS query: 187.34.248.129
Source: unknown	TCP traffic detected without corresponding DNS query: 200.206.232.208
Source: unknown	TCP traffic detected without corresponding DNS query: 253.11.162.193
Source: unknown	TCP traffic detected without corresponding DNS query: 155.201.217.73
Source: unknown	TCP traffic detected without corresponding DNS query: 112.14.195.21
Source: unknown	TCP traffic detected without corresponding DNS query: 122.58.177.6
Source: unknown	TCP traffic detected without corresponding DNS query: 151.165.107.248
Source: unknown	TCP traffic detected without corresponding DNS query: 93.85.229.156
Source: unknown	TCP traffic detected without corresponding DNS query: 96.5.216.127
Source: unknown	TCP traffic detected without corresponding DNS query: 105.80.231.155
Source: unknown	TCP traffic detected without corresponding DNS query: 197.65.67.244
Source: unknown	TCP traffic detected without corresponding DNS query: 200.141.226.69
Source: unknown	TCP traffic detected without corresponding DNS query: 112.44.19.72
Source: unknown	TCP traffic detected without corresponding DNS query: 68.239.246.86
Source: unknown	TCP traffic detected without corresponding DNS query: 103.172.116.137
Source: unknown	TCP traffic detected without corresponding DNS query: 192.69.62.239
Source: unknown	TCP traffic detected without corresponding DNS query: 111.190.53.39
Source: unknown	TCP traffic detected without corresponding DNS query: 105.171.30.92
Source: unknown	TCP traffic detected without corresponding DNS query: 187.153.193.172
Source: unknown	TCP traffic detected without corresponding DNS query: 143.2.121.43
Source: unknown	TCP traffic detected without corresponding DNS query: 126.227.239.106
Source: unknown	TCP traffic detected without corresponding DNS query: 149.140.8.224
Source: unknown	TCP traffic detected without corresponding DNS query: 253.163.89.73
Source: unknown	TCP traffic detected without corresponding DNS query: 79.195.253.175
Source: unknown	TCP traffic detected without corresponding DNS query: 66.106.97.181

System Summary

Source: ELF static info symbol of initial sample

.symtab present: no

Source: /tmp/M5VGS77ZYY (PID: 6252)	SIGKILL sent: pid: 936, result: successful			Jump to behavior
Source: /tmp/M5VGS77ZYY (PID: 6258)	SIGKILL sent: pid: 936, result: successful			Jump to behavior

Source: classification engine

Classification label: mal60.troj.lin@0/0@0/0

Persistence and Installation Behavior

Source: /tmp/M5VGS77ZYY (PID: 6252)	File opened: /proc/491/fd			Jump to behavior
Source: /tmp/M5VGS77ZYY (PID: 6252)	File opened: /proc/793/fd			Jump to behavior
Source: /tmp/M5VGS77ZYY (PID: 6252)	File opened: /proc/772/fd			Jump to behavior
Source: /tmp/M5VGS77ZYY (PID: 6252)	File opened: /proc/796/fd			Jump to behavior
Source: /tmp/M5VGS77ZYY (PID: 6252)	File opened: /proc/774/fd			Jump to behavior
Source: /tmp/M5VGS77ZYY (PID: 6252)	File opened: /proc/797/fd			Jump to behavior
Source: /tmp/M5VGS77ZYY (PID: 6252)	File opened: /proc/777/fd			Jump to behavior
Source: /tmp/M5VGS77ZYY (PID: 6252)	File opened: /proc/799/fd			Jump to behavior
Source: /tmp/M5VGS77ZYY (PID: 6252)	File opened: /proc/658/fd			Jump to behavior
Source: /tmp/M5VGS77ZYY (PID: 6252)	File opened: /proc/912/fd			Jump to behavior
Source: /tmp/M5VGS77ZYY (PID: 6252)	File opened: /proc/759/fd			Jump to behavior
Source: /tmp/M5VGS77ZYY (PID: 6252)	File opened: /proc/936/fd			Jump to behavior
Source: /tmp/M5VGS77ZYY (PID: 6252)	File opened: /proc/918/fd			Jump to behavior
Source: /tmp/M5VGS77ZYY (PID: 6252)	File opened: /proc/1/fd			Jump to behavior
Source: /tmp/M5VGS77ZYY (PID: 6252)	File opened: /proc/761/fd			Jump to behavior
Source: /tmp/M5VGS77ZYY (PID: 6252)	File opened: /proc/785/fd			Jump to behavior
Source: /tmp/M5VGS77ZYY (PID: 6252)	File opened: /proc/884/fd			Jump to behavior
Source: /tmp/M5VGS77ZYY (PID: 6252)	File opened: /proc/720/fd			Jump to behavior
Source: /tmp/M5VGS77ZYY (PID: 6252)	File opened: /proc/721/fd			Jump to behavior
Source: /tmp/M5VGS77ZYY (PID: 6252)	File opened: /proc/788/fd			Jump to behavior
Source: /tmp/M5VGS77ZYY (PID: 6252)	File opened: /proc/789/fd			Jump to behavior
Source: /tmp/M5VGS77ZYY (PID: 6252)	File opened: /proc/800/fd			Jump to behavior
Source: /tmp/M5VGS77ZYY (PID: 6252)	File opened: /proc/801/fd			Jump to behavior
Source: /tmp/M5VGS77ZYY (PID: 6252)	File opened: /proc/847/fd			Jump to behavior
Source: /tmp/M5VGS77ZYY (PID: 6252)	File opened: /proc/904/fd			Jump to behavior
Source: /tmp/M5VGS77ZYY (PID: 6258)	File opened: /proc/491/fd			Jump to behavior
Source: /tmp/M5VGS77ZYY (PID: 6258)	File opened: /proc/793/fd			Jump to behavior
Source: /tmp/M5VGS77ZYY (PID: 6258)	File opened: /proc/772/fd			Jump to behavior
Source: /tmp/M5VGS77ZYY (PID: 6258)	File opened: /proc/796/fd			Jump to behavior
Source: /tmp/M5VGS77ZYY (PID: 6258)	File opened: /proc/774/fd			Jump to behavior
Source: /tmp/M5VGS77ZYY (PID: 6258)	File opened: /proc/797/fd			Jump to behavior
Source: /tmp/M5VGS77ZYY (PID: 6258)	File opened: /proc/777/fd			Jump to behavior
Source: /tmp/M5VGS77ZYY (PID: 6258)	File opened: /proc/799/fd			Jump to behavior
Source: /tmp/M5VGS77ZYY (PID: 6258)	File opened: /proc/658/fd			Jump to behavior
Source: /tmp/M5VGS77ZYY (PID: 6258)	File opened: /proc/912/fd			Jump to behavior
Source: /tmp/M5VGS77ZYY (PID: 6258)	File opened: /proc/759/fd			Jump to behavior
Source: /tmp/M5VGS77ZYY (PID: 6258)	File opened: /proc/936/fd			Jump to behavior
Source: /tmp/M5VGS77ZYY (PID: 6258)	File opened: /proc/918/fd			Jump to behavior
Source: /tmp/M5VGS77ZYY (PID: 6258)	File opened: /proc/1/fd			Jump to behavior
Source: /tmp/M5VGS77ZYY (PID: 6258)	File opened: /proc/761/fd			Jump to behavior
Source: /tmp/M5VGS77ZYY (PID: 6258)	File opened: /proc/785/fd			Jump to behavior
Source: /tmp/M5VGS77ZYY (PID: 6258)	File opened: /proc/884/fd			Jump to behavior
Source: /tmp/M5VGS77ZYY (PID: 6258)	File opened: /proc/720/fd			Jump to behavior
Source: /tmp/M5VGS77ZYY (PID: 6258)	File opened: /proc/721/fd			Jump to behavior
Source: /tmp/M5VGS77ZYY (PID: 6258)	File opened: /proc/788/fd			Jump to behavior
Source: /tmp/M5VGS77ZYY (PID: 6258)	File opened: /proc/789/fd			Jump to behavior
Source: /tmp/M5VGS77ZYY (PID: 6258)	File opened: /proc/800/fd			Jump to behavior
Source: /tmp/M5VGS77ZYY (PID: 6258)	File opened: /proc/801/fd			Jump to behavior
Source: /tmp/M5VGS77ZYY (PID: 6258)	File opened: /proc/847/fd			Jump to behavior
Source: /tmp/M5VGS77ZYY (PID: 6258)	File opened: /proc/904/fd			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 52222
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 52224
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 52226
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 52228
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 52230
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 52232
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 52236
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 52238
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 52242
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 52246
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 51856
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 51862
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 51866
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 51874
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 51888
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 51898
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 51908
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 51918
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 51928
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 51932

Malware Analysis System Evasion

Source: /tmp/M5VGS77ZYY (PID: 6250)

Queries kernel information via 'uname':

Jump to behavior

Source: M5VGS77ZYY, 6250.1.000000003cb3f590.00000000099936e7.rw-.sdmp, M5VGS77ZYY, 6252.1.000000003cb3f590.00000000099936e7.rw-.sdmp, M5VGS77ZYY, 6352.1.000000003cb3f590.00000000099936e7.rw-.sdmp, M5VGS77ZYY, 6365.1.000000003cb3f590.00000000099936e7.rw-.sdmp, M5VGS77ZYY, 6358.1.000000003cb3f590.00000000099936e7.rw-.sdmp, M5VGS77ZYY, 6253.1.000000003cb3f590.00000000099936e7.rw-.sdmp, M5VGS77ZYY, 6348.1.000000003cb3f590.00000000099936e7.rw-.sdmp, M5VGS77ZYY, 6259.1.000000003cb3f590.00000000099936e7.rw-.sdmp	Binary or memory string: SWEtAx86_64/usr/bin/qemu-m68k/tmp/M5VGS77ZYYSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/M5VGS77ZYY
Source: M5VGS77ZYY, 6250.1.00000000f99d94f6.000000002c545420.rw-.sdmp, M5VGS77ZYY, 6252.1.00000000f99d94f6.000000002c545420.rw-.sdmp, M5VGS77ZYY, 6352.1.00000000f99d94f6.000000002c545420.rw-.sdmp, M5VGS77ZYY, 6365.1.00000000f99d94f6.000000002c545420.rw-.sdmp, M5VGS77ZYY, 6358.1.00000000f99d94f6.000000002c545420.rw-.sdmp, M5VGS77ZYY, 6253.1.00000000f99d94f6.000000002c545420.rw-.sdmp, M5VGS77ZYY, 6348.1.00000000f99d94f6.000000002c545420.rw-.sdmp, M5VGS77ZYY, 6259.1.00000000f99d94f6.000000002c545420.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/m68k
Source: M5VGS77ZYY, 6250.1.000000003cb3f590.00000000099936e7.rw-.sdmp, M5VGS77ZYY, 6252.1.000000003cb3f590.00000000099936e7.rw-.sdmp, M5VGS77ZYY, 6352.1.000000003cb3f590.00000000099936e7.rw-.sdmp, M5VGS77ZYY, 6365.1.000000003cb3f590.00000000099936e7.rw-.sdmp, M5VGS77ZYY, 6358.1.000000003cb3f590.00000000099936e7.rw-.sdmp, M5VGS77ZYY, 6253.1.000000003cb3f590.00000000099936e7.rw-.sdmp, M5VGS77ZYY, 6348.1.000000003cb3f590.00000000099936e7.rw-.sdmp, M5VGS77ZYY, 6259.1.000000003cb3f590.00000000099936e7.rw-.sdmp	Binary or memory string: /usr/bin/qemu-m68k
Source: M5VGS77ZYY, 6250.1.00000000f99d94f6.000000002c545420.rw-.sdmp, M5VGS77ZYY, 6252.1.00000000f99d94f6.000000002c545420.rw-.sdmp, M5VGS77ZYY, 6352.1.00000000f99d94f6.000000002c545420.rw-.sdmp, M5VGS77ZYY, 6365.1.00000000f99d94f6.000000002c545420.rw-.sdmp, M5VGS77ZYY, 6358.1.00000000f99d94f6.000000002c545420.rw-.sdmp, M5VGS77ZYY, 6253.1.00000000f99d94f6.000000002c545420.rw-.sdmp, M5VGS77ZYY, 6348.1.00000000f99d94f6.000000002c545420.rw-.sdmp, M5VGS77ZYY, 6259.1.00000000f99d94f6.000000002c545420.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/m68k

Stealing of Sensitive Information

Source: Yara match

File source: dump.pcap, type: PCAP

Remote Access Functionality

Source: Yara match

File source: dump.pcap, type: PCAP