Linux Analysis Report
ftp

Overview

General Information

Sample Name:	ftp
Analysis ID:	635349
MD5:	de4287d3d34ef4007b3324db376be7bf
SHA1:	28d24ea33e17190cdd8769960bc48b68a59df8b4
SHA256:	68afe620877b71aa6b93ae6529f0b9bc52d5b28fb8c1c3487cfb9c3c94f05d52
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Snort IDS alert for network traffic

Opens /proc/net/* files useful for finding connected devices and routers

Machine Learning detection for sample

Sample contains symbols with suspicious names

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Classification

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: ftp

Avira: detected

Machine Learning detection for sample

Source: ftp

Joe Sandbox ML: detected

Spreading

Opens /proc/net/* files useful for finding connected devices and routers

Source: /tmp/ftp (PID: 6231)

Opens: /proc/net/route

Jump to behavior

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2840333 ETPRO TROJAN ELF/BASHLITE Variant CnC Activity 192.168.2.23:57822 -> 45.95.55.12:23

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: ftp

String found in binary or memory: http://45.95.55.12/bins.sh;

Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.55.12
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.55.12
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.55.12
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.55.12
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 2.2.2.2
Source: unknown	TCP traffic detected without corresponding DNS query: 3.3.3.3
Source: unknown	TCP traffic detected without corresponding DNS query: 4.4.4.4
Source: unknown	TCP traffic detected without corresponding DNS query: 5.5.5.5
Source: unknown	TCP traffic detected without corresponding DNS query: 6.6.6.6
Source: unknown	TCP traffic detected without corresponding DNS query: 7.7.7.7
Source: unknown	TCP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	TCP traffic detected without corresponding DNS query: 11.11.11.11
Source: unknown	TCP traffic detected without corresponding DNS query: 12.12.12.12
Source: unknown	TCP traffic detected without corresponding DNS query: 13.13.13.13
Source: unknown	TCP traffic detected without corresponding DNS query: 14.14.14.14
Source: unknown	TCP traffic detected without corresponding DNS query: 15.15.15.15
Source: unknown	TCP traffic detected without corresponding DNS query: 16.16.16.16
Source: unknown	TCP traffic detected without corresponding DNS query: 18.18.18.18
Source: unknown	TCP traffic detected without corresponding DNS query: 17.17.17.17
Source: unknown	TCP traffic detected without corresponding DNS query: 20.20.20.20
Source: unknown	TCP traffic detected without corresponding DNS query: 21.21.21.21
Source: unknown	TCP traffic detected without corresponding DNS query: 22.22.22.22
Source: unknown	TCP traffic detected without corresponding DNS query: 23.23.23.23
Source: unknown	TCP traffic detected without corresponding DNS query: 24.24.24.24
Source: unknown	TCP traffic detected without corresponding DNS query: 19.19.19.19
Source: unknown	TCP traffic detected without corresponding DNS query: 25.25.25.25
Source: unknown	TCP traffic detected without corresponding DNS query: 27.27.27.27
Source: unknown	TCP traffic detected without corresponding DNS query: 26.26.26.26
Source: unknown	TCP traffic detected without corresponding DNS query: 28.28.28.28
Source: unknown	TCP traffic detected without corresponding DNS query: 29.29.29.29
Source: unknown	TCP traffic detected without corresponding DNS query: 30.30.30.30
Source: unknown	TCP traffic detected without corresponding DNS query: 31.31.31.31
Source: unknown	TCP traffic detected without corresponding DNS query: 32.32.32.32
Source: unknown	TCP traffic detected without corresponding DNS query: 33.33.33.33
Source: unknown	TCP traffic detected without corresponding DNS query: 34.34.34.34
Source: unknown	TCP traffic detected without corresponding DNS query: 35.35.35.35
Source: unknown	TCP traffic detected without corresponding DNS query: 36.36.36.36
Source: unknown	TCP traffic detected without corresponding DNS query: 37.37.37.37
Source: unknown	TCP traffic detected without corresponding DNS query: 38.38.38.38
Source: unknown	TCP traffic detected without corresponding DNS query: 39.39.39.39
Source: unknown	TCP traffic detected without corresponding DNS query: 40.40.40.40
Source: unknown	TCP traffic detected without corresponding DNS query: 41.41.41.41
Source: unknown	TCP traffic detected without corresponding DNS query: 42.42.42.42
Source: unknown	TCP traffic detected without corresponding DNS query: 43.43.43.43
Source: unknown	TCP traffic detected without corresponding DNS query: 44.44.44.44
Source: unknown	TCP traffic detected without corresponding DNS query: 45.45.45.45
Source: unknown	TCP traffic detected without corresponding DNS query: 46.46.46.46
Source: unknown	TCP traffic detected without corresponding DNS query: 47.47.47.47
Source: unknown	TCP traffic detected without corresponding DNS query: 48.48.48.48

Sample contains symbols with suspicious names

Source: ELF static info symbol of initial sample	Name: passwords
Source: ELF static info symbol of initial sample	Name: usernames

Source: ELF static info symbol of initial sample	FILE: libc/sysdeps/linux/i386/crt1.S
Source: ELF static info symbol of initial sample	FILE: libc/sysdeps/linux/i386/crti.S
Source: ELF static info symbol of initial sample	FILE: libc/sysdeps/linux/i386/crtn.S
Source: ELF static info symbol of initial sample	FILE: libc/sysdeps/linux/i386/mmap.S
Source: ELF static info symbol of initial sample	FILE: libc/sysdeps/linux/i386/vfork.S

Source: classification engine

Classification label: mal64.spre.lin@0/0@0/0

Screenshots

No Screenshots

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
219.204.143.164	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
170.218.132.197	unknown	United States	11740	PROGRESSIVE-ASUS	false
104.77.51.189	unknown	United States	16625	AKAMAI-ASUS	false
111.96.140.127	unknown	Japan	2516	KDDIKDDICORPORATIONJP	false
48.181.47.70	unknown	United States	2686	ATGS-MMD-ASUS	false
167.153.85.177	unknown	United States	22252	AS22252US	false
191.208.247.217	unknown	Brazil	26599	TELEFONICABRASILSABR	false
31.27.18.75	unknown	Italy	30722	VODAFONE-IT-ASNIT	false
204.101.228.161	unknown	Canada	577	BACOMCA	false
116.97.25.84	unknown	Viet Nam	7552	VIETEL-AS-APViettelGroupVN	false
110.110.110.110	unknown	China	38341	CNNIC-HCENET-APHEXIEInformationtechnologyCoLtdCN	false
184.132.167.220	unknown	United States	5778	CENTURYLINK-LEGACY-EMBARQ-RCMTUS	false
57.35.167.101	unknown	Belgium	2686	ATGS-MMD-ASUS	false
72.72.72.72	unknown	United States	701	UUNETUS	false
37.72.126.109	unknown	Poland	38987	OST-ASPL	false
158.158.158.158	unknown	Singapore	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
180.131.110.64	unknown	Japan	10013	FBDCFreeBitCoLtdJP	false
95.166.80.91	unknown	Denmark	3292	TDCTDCASDK	false
176.127.106.60	unknown	Switzerland	3303	SWISSCOMSwisscomSwitzerlandLtdCH	false
132.61.151.142	unknown	United States	427	AFCONC-BLOCK1-ASUS	false
143.121.253.187	unknown	Netherlands	1103	SURFNET-NLSURFnetTheNetherlandsNL	false
183.183.183.183	unknown	Japan	45684	MIRAINETKyoceraCommunicationSystemsCoLtdJP	false
134.50.98.150	unknown	United States	11252	ISU-NET-ASUS	false
91.69.201.135	unknown	France	15557	LDCOMNETFR	false
179.135.154.163	unknown	Brazil	26599	TELEFONICABRASILSABR	false
162.195.179.131	unknown	United States	7018	ATT-INTERNET4US	false
140.125.169.156	unknown	Taiwan; Republic of China (ROC)	38847	NCHU-AS-TWNationalChungHsingUniversityTW	false
121.114.181.81	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
75.100.111.91	unknown	United States	4181	TDS-ASUS	false
253.210.183.242	unknown	Reserved	unknown	unknown	false
90.75.119.106	unknown	France	12479	UNI2-ASES	false
193.248.231.232	unknown	France	3215	FranceTelecom-OrangeFR	false
52.167.29.39	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
190.151.198.182	unknown	Colombia	13489	EPMTelecomunicacionesSAESPCO	false
215.163.198.251	unknown	United States	721	DNIC-ASBLK-00721-00726US	false
197.154.127.186	unknown	Ethiopia	37133	airtel-tz-asTZ	false
143.128.67.88	unknown	South Africa	2018	TENET-1ZA	false
186.139.159.174	unknown	Argentina	10318	TelecomArgentinaSAAR	false
99.112.149.123	unknown	United States	7018	ATT-INTERNET4US	false
162.96.159.162	unknown	United States	33274	ASN-FAIRVIEWHEALTHSERVICESUS	false
126.33.18.137	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
126.82.101.110	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
101.94.74.117	unknown	China	4812	CHINANET-SH-APChinaTelecomGroupCN	false
118.169.202.178	unknown	Taiwan; Republic of China (ROC)	3462	HINETDataCommunicationBusinessGroupTW	false
57.141.104.49	unknown	Belgium	2686	ATGS-MMD-ASUS	false
155.136.64.123	unknown	United Kingdom	21054	RBSG-UK-ASEdinburghGB	false
137.88.67.21	unknown	United States	14977	STATE-OF-WYOMING-ASNUS	false
82.148.131.62	unknown	Norway	16175	SIGNALNO	false
19.70.103.79	unknown	United States	3	MIT-GATEWAYSUS	false
118.111.178.78	unknown	Japan	2518	BIGLOBEBIGLOBEIncJP	false
170.121.251.172	unknown	United States	17190	WMATAUS	false
114.80.136.38	unknown	China	4812	CHINANET-SH-APChinaTelecomGroupCN	false
153.101.136.189	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
115.248.114.137	unknown	India	18101	RELIANCE-COMMUNICATIONS-INRelianceCommunicationsLtdDAKC	false
211.167.99.73	unknown	China	9812	CNNIC-CN-COLNETOrientalCableNetworkCoLtdCN	false
107.62.181.48	unknown	United States	16567	NETRIX-16567US	false
183.77.94.78	unknown	Japan	4685	ASAHI-NETAsahiNetJP	false
18.126.122.135	unknown	United States	3	MIT-GATEWAYSUS	false
123.37.121.46	unknown	Korea Republic of	6619	SAMSUNGSDS-AS-KRSamsungSDSIncKR	false
166.94.177.134	unknown	United States	3926	FFX-CNTYUS	false
170.236.219.150	unknown	Switzerland	11685	HNBCOL-ASUS	false
49.28.93.44	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
59.117.96.89	unknown	Taiwan; Republic of China (ROC)	3462	HINETDataCommunicationBusinessGroupTW	false
173.83.113.116	unknown	United States	46606	UNIFIEDLAYER-AS-1US	false
215.144.234.225	unknown	United States	721	DNIC-ASBLK-00721-00726US	false
154.51.178.111	unknown	United States	174	COGENT-174US	false
117.113.104.161	unknown	China	4847	CNIX-APChinaNetworksInter-ExchangeCN	false
129.23.40.24	unknown	United States	32666	CWRU-AS-1US	false
163.77.161.86	unknown	France	17816	CHINA169-GZChinaUnicomIPnetworkChina169Guangdongprovi	false
217.217.217.217	unknown	Spain	12357	COMUNITELSPAINES	false
76.141.173.214	unknown	United States	7922	COMCAST-7922US	false
141.203.166.125	unknown	Austria	6720	MAGWIENAT	false
146.56.86.89	unknown	Japan	7160	NETDYNAMICSUS	false
59.177.69.121	unknown	India	17813	MTNL-APMahanagarTelephoneNigamLimitedIN	false
195.156.203.187	unknown	Finland	1759	TSF-IP-CORETeliaFinlandOyjEU	false
36.125.148.29	unknown	China	4847	CNIX-APChinaNetworksInter-ExchangeCN	false
79.145.128.59	unknown	Spain	3352	TELEFONICA_DE_ESPANAES	false
92.88.79.136	unknown	France	15557	LDCOMNETFR	false
137.114.114.122	unknown	United States	1767	ILIGHT-NETUS	false
166.123.96.155	unknown	United States	6360	UNIVHAWAIIUS	false
206.151.251.108	unknown	United States	3561	CENTURYLINK-LEGACY-SAVVISUS	false
221.177.196.205	unknown	China	9808	CMNET-GDGuangdongMobileCommunicationCoLtdCN	false
151.217.200.131	unknown	unknown	11003	PANDGUS	false
196.171.226.114	unknown	Togo	24691	TOGOTEL-ASTogoTelecomTogoTG	false
149.162.199.173	unknown	United States	87	INDIANA-ASUS	false
171.229.208.201	unknown	Viet Nam	7552	VIETEL-AS-APViettelGroupVN	false
136.65.155.146	unknown	United States	60311	ONEFMCH	false
49.147.68.127	unknown	Philippines	9299	IPG-AS-APPhilippineLongDistanceTelephoneCompanyPH	false
81.146.66.151	unknown	United Kingdom	2856	BT-UK-ASBTnetUKRegionalnetworkGB	false
192.89.216.149	unknown	Finland	1759	TSF-IP-CORETeliaFinlandOyjEU	false
94.125.49.16	unknown	Russian Federation	8749	REDCOM-ASRedcomKhabarovskRussiaRU	false
183.105.85.205	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
23.19.10.67	unknown	United States	395954	LEASEWEB-USA-LAX-11US	false
161.222.164.137	unknown	United States	33217	SCHNEIDERUS	false
183.169.101.193	unknown	China	4538	ERX-CERNET-BKBChinaEducationandResearchNetworkCenter	false
144.92.71.149	unknown	United States	59	WISC-MADISON-ASUS	false
100.16.64.116	unknown	United States	701	UUNETUS	false
79.153.124.60	unknown	Spain	3352	TELEFONICA_DE_ESPANAES	false
208.240.175.216	unknown	United States	4208	THE-ISERV-COMPANYUS	false
174.119.219.76	unknown	Canada	812	ROGERS-COMMUNICATIONSCA	false

ID:	635349
Product:	CloudBasic
Start time:	19:50:28
Start date:	27.05.2022
Sample:	ftp
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Architecture:	LINUX
MD5:	de4287d3d34ef4007b3324db376be7bf
SHA1:	28d24ea33e17190cdd8769960bc48b68a59df8b4
SHA256:	68afe620877b71aa6b93ae6529f0b9bc52d5b28fb8c1c3487cfb9c3c94f05d52
Filetype:	ELF Executable and Linkable format (Linux) (4029/14) 50.16%

Linux Analysis Report ftp

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Spreading

Networking

System Summary

Screenshots

Network Map

Contacted Public IPs

Linux Analysis Report
ftp