Linux Analysis Report
sshd

Overview

General Information

Sample Name:	sshd
Analysis ID:	635357
MD5:	e4a6305453071029694a1f941133261a
SHA1:	da4be5db609d644f7468756f20996c8fe7a17d6e
SHA256:	87f9284961cbd6155b2dd0ce1c241b54f186a036e97ead7d091353c44afeb0ce
Infos:

Detection

Score:	72
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Uses known network protocols on non-standard ports

Opens /proc/net/* files useful for finding connected devices and routers

Sample contains symbols with suspicious names

Uses the "uname" system call to query kernel version information (possible evasion)

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Classification

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: sshd

Avira: detected

Multi AV Scanner detection for submitted file

Source: sshd

Virustotal: Detection: 63%

Perma Link

Spreading

Opens /proc/net/* files useful for finding connected devices and routers

Source: /tmp/sshd (PID: 6230)

Opens: /proc/net/route

Jump to behavior

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2840333 ETPRO TROJAN ELF/BASHLITE Variant CnC Activity 192.168.2.23:57822 -> 45.95.55.12:23

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39654
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 33268

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.55.12
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.55.12
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.55.12
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.55.12
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.55.12
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 2.2.2.2
Source: unknown	TCP traffic detected without corresponding DNS query: 3.3.3.3
Source: unknown	TCP traffic detected without corresponding DNS query: 4.4.4.4
Source: unknown	TCP traffic detected without corresponding DNS query: 5.5.5.5
Source: unknown	TCP traffic detected without corresponding DNS query: 6.6.6.6
Source: unknown	TCP traffic detected without corresponding DNS query: 7.7.7.7
Source: unknown	TCP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	TCP traffic detected without corresponding DNS query: 11.11.11.11
Source: unknown	TCP traffic detected without corresponding DNS query: 12.12.12.12
Source: unknown	TCP traffic detected without corresponding DNS query: 13.13.13.13
Source: unknown	TCP traffic detected without corresponding DNS query: 14.14.14.14
Source: unknown	TCP traffic detected without corresponding DNS query: 15.15.15.15
Source: unknown	TCP traffic detected without corresponding DNS query: 16.16.16.16
Source: unknown	TCP traffic detected without corresponding DNS query: 17.17.17.17
Source: unknown	TCP traffic detected without corresponding DNS query: 18.18.18.18
Source: unknown	TCP traffic detected without corresponding DNS query: 19.19.19.19
Source: unknown	TCP traffic detected without corresponding DNS query: 20.20.20.20
Source: unknown	TCP traffic detected without corresponding DNS query: 21.21.21.21
Source: unknown	TCP traffic detected without corresponding DNS query: 22.22.22.22
Source: unknown	TCP traffic detected without corresponding DNS query: 23.23.23.23
Source: unknown	TCP traffic detected without corresponding DNS query: 24.24.24.24
Source: unknown	TCP traffic detected without corresponding DNS query: 25.25.25.25
Source: unknown	TCP traffic detected without corresponding DNS query: 26.26.26.26
Source: unknown	TCP traffic detected without corresponding DNS query: 27.27.27.27
Source: unknown	TCP traffic detected without corresponding DNS query: 28.28.28.28
Source: unknown	TCP traffic detected without corresponding DNS query: 29.29.29.29
Source: unknown	TCP traffic detected without corresponding DNS query: 30.30.30.30
Source: unknown	TCP traffic detected without corresponding DNS query: 31.31.31.31
Source: unknown	TCP traffic detected without corresponding DNS query: 32.32.32.32
Source: unknown	TCP traffic detected without corresponding DNS query: 33.33.33.33
Source: unknown	TCP traffic detected without corresponding DNS query: 34.34.34.34
Source: unknown	TCP traffic detected without corresponding DNS query: 35.35.35.35
Source: unknown	TCP traffic detected without corresponding DNS query: 36.36.36.36
Source: unknown	TCP traffic detected without corresponding DNS query: 37.37.37.37
Source: unknown	TCP traffic detected without corresponding DNS query: 38.38.38.38
Source: unknown	TCP traffic detected without corresponding DNS query: 39.39.39.39
Source: unknown	TCP traffic detected without corresponding DNS query: 40.40.40.40
Source: unknown	TCP traffic detected without corresponding DNS query: 41.41.41.41
Source: unknown	TCP traffic detected without corresponding DNS query: 42.42.42.42
Source: unknown	TCP traffic detected without corresponding DNS query: 43.43.43.43
Source: unknown	TCP traffic detected without corresponding DNS query: 44.44.44.44
Source: unknown	TCP traffic detected without corresponding DNS query: 45.45.45.45
Source: unknown	TCP traffic detected without corresponding DNS query: 46.46.46.46

Source: sshd

String found in binary or memory: http://45.95.55.12/bins.sh;

Sample contains symbols with suspicious names

Source: ELF static info symbol of initial sample	Name: passwords
Source: ELF static info symbol of initial sample	Name: usernames

Source: classification engine

Classification label: mal72.spre.troj.lin@0/0@0/0

Source: ELF static info symbol of initial sample	FILE: libc/string/mips/memcpy.S
Source: ELF static info symbol of initial sample	FILE: libc/string/mips/memset.S
Source: ELF static info symbol of initial sample	FILE: libc/sysdeps/linux/mips/crt1.S
Source: ELF static info symbol of initial sample	FILE: libc/sysdeps/linux/mips/crti.S
Source: ELF static info symbol of initial sample	FILE: libc/sysdeps/linux/mips/crtn.S
Source: ELF static info symbol of initial sample	FILE: libc/sysdeps/linux/mips/pipe.S

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39654
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 33268

Uses the "uname" system call to query kernel version information (possible evasion)

Source: /tmp/sshd (PID: 6230)

Queries kernel information via 'uname':

Jump to behavior

Source: sshd, 6230.1.00000000793b1a2b.0000000011876d7e.rw-.sdmp, sshd, 6232.1.00000000793b1a2b.0000000011876d7e.rw-.sdmp, sshd, 6293.1.00000000793b1a2b.0000000011876d7e.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mipsel
Source: sshd, 6230.1.00000000e33a4a40.0000000048fb67c3.rw-.sdmp, sshd, 6232.1.00000000e33a4a40.0000000048fb67c3.rw-.sdmp, sshd, 6293.1.00000000e33a4a40.0000000048fb67c3.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-mipsel/tmp/sshdSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/sshd
Source: sshd, 6230.1.00000000793b1a2b.0000000011876d7e.rw-.sdmp, sshd, 6232.1.00000000793b1a2b.0000000011876d7e.rw-.sdmp, sshd, 6293.1.00000000793b1a2b.0000000011876d7e.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/mipsel
Source: sshd, 6230.1.00000000e33a4a40.0000000048fb67c3.rw-.sdmp, sshd, 6232.1.00000000e33a4a40.0000000048fb67c3.rw-.sdmp, sshd, 6293.1.00000000e33a4a40.0000000048fb67c3.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mipsel

Screenshots

No Screenshots

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
212.109.143.174	unknown	Poland	9103	ZIELMAN-EDU-ASMetropolitanNetworkZielMANPL	false
34.4.132.10	unknown	United States	2686	ATGS-MMD-ASUS	false
84.144.134.123	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	false
142.88.192.148	unknown	Canada	5769	VIDEOTRONCA	false
130.103.132.143	unknown	United States	24436	UQ-AS-APUniversityofQueenslandAU	false
96.73.46.36	unknown	United States	7922	COMCAST-7922US	false
203.100.134.165	unknown	Japan	24436	UQ-AS-APUniversityofQueenslandAU	false
134.194.184.173	unknown	United States	289	DNIC-AS-00289US	false
85.189.136.135	unknown	United Kingdom	8190	MDNXGB	false
110.110.110.110	unknown	China	38341	CNNIC-HCENET-APHEXIEInformationtechnologyCoLtdCN	false
72.72.72.72	unknown	United States	701	UUNETUS	false
215.70.148.135	unknown	United States	385	AFCONC-BLOCK1-ASUS	false
157.201.154.215	unknown	United States	33281	BRIGHAM-YOUNG-UNIVERSITY-IDAHOUS	false
158.158.158.158	unknown	Singapore	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
102.63.169.138	unknown	Egypt	36992	ETISALAT-MISREG	false
216.123.198.94	unknown	Canada	852	ASN852CA	false
206.211.198.86	unknown	United States	19472	CAROLLO-ENGINEERSUS	false
167.163.213.252	unknown	United States	59447	SAYFANETTR	false
34.117.52.99	unknown	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
209.64.142.129	unknown	United States	13581	SOFTWAREHOUSEUS	false
179.156.153.224	unknown	Brazil	28573	CLAROSABR	false
183.183.183.183	unknown	Japan	45684	MIRAINETKyoceraCommunicationSystemsCoLtdJP	false
41.122.38.133	unknown	South Africa	16637	MTNNS-ASZA	false
100.197.122.131	unknown	United States	21928	T-MOBILE-AS21928US	false
125.136.122.133	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
160.184.214.125	unknown	South Africa	36903	MT-MPLSMA	false
198.209.195.206	unknown	United States	2572	MORENETUS	false
96.177.93.188	unknown	United States	7922	COMCAST-7922US	false
149.75.80.77	unknown	United States	6079	RCN-ASUS	false
197.195.226.225	unknown	Egypt	36992	ETISALAT-MISREG	false
109.169.159.148	unknown	Russian Federation	12389	ROSTELECOM-ASRU	false
98.188.153.209	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	false
99.203.150.149	unknown	United States	10507	SPCSUS	false
180.92.153.208	unknown	Pakistan	55714	APNIC-FIBERLINK-PKFiberlinkPvtLtdPK	false
151.6.84.71	unknown	Italy	1267	ASN-WINDTREIUNETEU	false
155.132.105.95	unknown	France	37532	ZAMRENZM	false
170.168.199.198	unknown	United States	11685	HNBCOL-ASUS	false
210.139.131.133	unknown	Japan	2527	SO-NETSo-netEntertainmentCorporationJP	false
51.55.73.148	unknown	United Kingdom	31655	ASN-GAMMATELECOMGB	false
203.65.124.87	unknown	Taiwan; Republic of China (ROC)	4782	GSNETDataCommunicationBusinessGroupTW	false
128.25.59.90	unknown	United States	786	JANETJiscServicesLimitedGB	false
171.161.208.217	unknown	United States	10794	BANKAMERICAUS	false
202.94.116.132	unknown	Singapore	703	UUNETUS	false
76.180.127.126	unknown	United States	11351	TWC-11351-NORTHEASTUS	false
159.192.132.57	unknown	Thailand	131090	CAT-IDC-4BYTENET-AS-APCATTELECOMPublicCompanyLtdCATT	false
126.138.221.212	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
148.59.177.82	unknown	United States	36236	NETACTUATEUS	false
154.124.203.89	unknown	Senegal	8346	SONATEL-ASAutonomousSystemEU	false
99.109.185.216	unknown	United States	7018	ATT-INTERNET4US	false
68.143.95.49	unknown	United States	7029	WINDSTREAMUS	false
146.154.161.81	unknown	United States	270	AS270US	false
101.54.46.149	unknown	China	4847	CNIX-APChinaNetworksInter-ExchangeCN	false
193.200.246.195	unknown	unknown	8793	THINXXDE	false
109.82.111.122	unknown	Saudi Arabia	34400	ASN-ETTIHADETISALATSA	false
131.206.158.112	unknown	Japan	2907	SINET-ASResearchOrganizationofInformationandSystemsN	false
111.43.178.149	unknown	China	132525	CMNET-HEILONGJIANG-CNHeiLongJiangMobileCommunicationComp	false
67.185.131.125	unknown	United States	7922	COMCAST-7922US	false
107.4.38.69	unknown	United States	7922	COMCAST-7922US	false
202.192.239.248	unknown	China	4538	ERX-CERNET-BKBChinaEducationandResearchNetworkCenter	false
43.41.80.127	unknown	Japan	4249	LILLY-ASUS	false
98.59.151.193	unknown	United States	7922	COMCAST-7922US	false
112.89.86.157	unknown	China	17816	CHINA169-GZChinaUnicomIPnetworkChina169Guangdongprovi	false
133.73.132.54	unknown	Japan	2907	SINET-ASResearchOrganizationofInformationandSystemsN	false
251.177.182.179	unknown	Reserved	unknown	unknown	false
163.184.90.172	unknown	United States	72	SCHLUMBERGER-ASUS	false
217.217.217.217	unknown	Spain	12357	COMUNITELSPAINES	false
193.67.62.148	unknown	Netherlands	1661	ANS-ATLANTAUS	false
251.228.201.191	unknown	Reserved	unknown	unknown	false
92.62.141.27	unknown	Lithuania	15440	BALTNETACustomersASLT	false
209.71.130.93	unknown	United States	46800	INFOLOGCORPUS	false
124.84.169.195	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
63.138.90.44	unknown	United States	7029	WINDSTREAMUS	false
104.128.158.69	unknown	Canada	393653	WIZ1CA	false
253.193.252.174	unknown	Reserved	unknown	unknown	false
109.156.97.175	unknown	United Kingdom	2856	BT-UK-ASBTnetUKRegionalnetworkGB	false
252.157.168.216	unknown	Reserved	unknown	unknown	false
171.91.58.66	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
108.102.112.161	unknown	United States	10507	SPCSUS	false
75.185.107.128	unknown	United States	10796	TWC-10796-MIDWESTUS	false
99.103.154.190	unknown	United States	7018	ATT-INTERNET4US	false
132.139.185.134	unknown	United States	306	DNIC-ASBLK-00306-00371US	false
63.24.116.158	unknown	United States	701	UUNETUS	false
140.113.181.152	unknown	Taiwan; Republic of China (ROC)	9916	NCTU-TWNationalChiaoTungUniversityTW	false
192.186.196.245	unknown	United States	26496	AS-26496-GO-DADDY-COM-LLCUS	false
105.113.120.40	unknown	Nigeria	36873	VNL1-ASNG	false
63.61.100.147	unknown	United States	701	UUNETUS	false
61.174.135.61	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
138.157.79.99	unknown	United States	1540	DNIC-ASBLK-01534-01546US	false
249.200.215.203	unknown	Reserved	unknown	unknown	false
54.52.83.82	unknown	United States	14618	AMAZON-AESUS	false
198.132.128.141	unknown	United States	292	ESNET-WESTUS	false
140.230.195.251	unknown	Canada	8111	DALUNIVCA	false
176.201.210.102	unknown	Italy	16232	ASN-TIMServiceProviderIT	false
191.103.78.187	unknown	Honduras	23383	METROREDSADECVHN	false
254.166.141.250	unknown	Reserved	unknown	unknown	false
196.51.129.116	unknown	South Africa	37518	FIBERGRIDSC	false
204.150.254.210	unknown	United States	701	UUNETUS	false
106.106.205.99	unknown	Taiwan; Republic of China (ROC)	4780	SEEDNETDigitalUnitedIncTW	false
84.61.58.129	unknown	Germany	3209	VODANETInternationalIP-BackboneofVodafoneDE	false
151.202.160.141	unknown	United States	701	UUNETUS	false

ID:	635357
Product:	CloudBasic
Start time:	20:06:14
Start date:	27.05.2022
Sample:	sshd
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Architecture:	LINUX
MD5:	e4a6305453071029694a1f941133261a
SHA1:	da4be5db609d644f7468756f20996c8fe7a17d6e
SHA256:	87f9284961cbd6155b2dd0ce1c241b54f186a036e97ead7d091353c44afeb0ce
Filetype:	ELF Executable and Linkable format (generic) (4004/1) 100.00%

Linux Analysis Report
sshd

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Spreading

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Screenshots

Network Map

Contacted Public IPs

Linux Analysis Report sshd

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Spreading

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Screenshots

Network Map

Contacted Public IPs

Linux Analysis Report
sshd