Linux Analysis Report
bash

Overview

General Information

Sample Name:	bash
Analysis ID:	635360
MD5:	e64c10e496d39e9d20786ff0df2f7d59
SHA1:	25d85c14f468ae6875c33934d57c12f1d3c3d8ce
SHA256:	a4ea9b6e8713da4804c10f4869208a1cada3122b906581358fc1bb2cce92ddca
Infos:

Detection

Score:	72
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Opens /proc/net/* files useful for finding connected devices and routers

Machine Learning detection for sample

Sample contains symbols with suspicious names

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Classification

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: bash

Avira: detected

Multi AV Scanner detection for submitted file

Source: bash	Virustotal: Detection: 63%			Perma Link
Source: bash	ReversingLabs: Detection: 75%

Machine Learning detection for sample

Source: bash

Joe Sandbox ML: detected

Spreading

Opens /proc/net/* files useful for finding connected devices and routers

Source: /tmp/bash (PID: 6227)

Opens: /proc/net/route

Jump to behavior

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2840333 ETPRO TROJAN ELF/BASHLITE Variant CnC Activity 192.168.2.23:57822 -> 45.95.55.12:23

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.55.12
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.55.12
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.55.12
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.55.12
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 2.2.2.2
Source: unknown	TCP traffic detected without corresponding DNS query: 3.3.3.3
Source: unknown	TCP traffic detected without corresponding DNS query: 4.4.4.4
Source: unknown	TCP traffic detected without corresponding DNS query: 6.6.6.6
Source: unknown	TCP traffic detected without corresponding DNS query: 5.5.5.5
Source: unknown	TCP traffic detected without corresponding DNS query: 7.7.7.7
Source: unknown	TCP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	TCP traffic detected without corresponding DNS query: 11.11.11.11
Source: unknown	TCP traffic detected without corresponding DNS query: 12.12.12.12
Source: unknown	TCP traffic detected without corresponding DNS query: 13.13.13.13
Source: unknown	TCP traffic detected without corresponding DNS query: 14.14.14.14
Source: unknown	TCP traffic detected without corresponding DNS query: 15.15.15.15
Source: unknown	TCP traffic detected without corresponding DNS query: 16.16.16.16
Source: unknown	TCP traffic detected without corresponding DNS query: 17.17.17.17
Source: unknown	TCP traffic detected without corresponding DNS query: 18.18.18.18
Source: unknown	TCP traffic detected without corresponding DNS query: 20.20.20.20
Source: unknown	TCP traffic detected without corresponding DNS query: 19.19.19.19
Source: unknown	TCP traffic detected without corresponding DNS query: 21.21.21.21
Source: unknown	TCP traffic detected without corresponding DNS query: 22.22.22.22
Source: unknown	TCP traffic detected without corresponding DNS query: 23.23.23.23
Source: unknown	TCP traffic detected without corresponding DNS query: 24.24.24.24
Source: unknown	TCP traffic detected without corresponding DNS query: 25.25.25.25
Source: unknown	TCP traffic detected without corresponding DNS query: 26.26.26.26
Source: unknown	TCP traffic detected without corresponding DNS query: 27.27.27.27
Source: unknown	TCP traffic detected without corresponding DNS query: 28.28.28.28
Source: unknown	TCP traffic detected without corresponding DNS query: 29.29.29.29
Source: unknown	TCP traffic detected without corresponding DNS query: 30.30.30.30
Source: unknown	TCP traffic detected without corresponding DNS query: 31.31.31.31
Source: unknown	TCP traffic detected without corresponding DNS query: 32.32.32.32
Source: unknown	TCP traffic detected without corresponding DNS query: 33.33.33.33
Source: unknown	TCP traffic detected without corresponding DNS query: 34.34.34.34
Source: unknown	TCP traffic detected without corresponding DNS query: 35.35.35.35
Source: unknown	TCP traffic detected without corresponding DNS query: 36.36.36.36
Source: unknown	TCP traffic detected without corresponding DNS query: 38.38.38.38
Source: unknown	TCP traffic detected without corresponding DNS query: 37.37.37.37
Source: unknown	TCP traffic detected without corresponding DNS query: 40.40.40.40
Source: unknown	TCP traffic detected without corresponding DNS query: 39.39.39.39
Source: unknown	TCP traffic detected without corresponding DNS query: 41.41.41.41
Source: unknown	TCP traffic detected without corresponding DNS query: 42.42.42.42
Source: unknown	TCP traffic detected without corresponding DNS query: 43.43.43.43
Source: unknown	TCP traffic detected without corresponding DNS query: 44.44.44.44
Source: unknown	TCP traffic detected without corresponding DNS query: 45.45.45.45
Source: unknown	TCP traffic detected without corresponding DNS query: 46.46.46.46

Source: bash

String found in binary or memory: http://45.95.55.12/bins.sh;

Sample contains symbols with suspicious names

Source: ELF static info symbol of initial sample	Name: passwords
Source: ELF static info symbol of initial sample	Name: usernames

Source: classification engine

Classification label: mal72.spre.lin@0/0@0/0

Source: ELF static info symbol of initial sample	FILE: libc/string/x86_64/memcpy.S
Source: ELF static info symbol of initial sample	FILE: libc/string/x86_64/mempcpy.S
Source: ELF static info symbol of initial sample	FILE: libc/string/x86_64/memset.S
Source: ELF static info symbol of initial sample	FILE: libc/string/x86_64/strcat.S
Source: ELF static info symbol of initial sample	FILE: libc/string/x86_64/strchr.S
Source: ELF static info symbol of initial sample	FILE: libc/string/x86_64/strcpy.S
Source: ELF static info symbol of initial sample	FILE: libc/string/x86_64/strlen.S
Source: ELF static info symbol of initial sample	FILE: libc/string/x86_64/strpbrk.S
Source: ELF static info symbol of initial sample	FILE: libc/string/x86_64/strspn.S
Source: ELF static info symbol of initial sample	FILE: libc/sysdeps/linux/x86_64/crt1.S
Source: ELF static info symbol of initial sample	FILE: libc/sysdeps/linux/x86_64/crti.S
Source: ELF static info symbol of initial sample	FILE: libc/sysdeps/linux/x86_64/crtn.S
Source: ELF static info symbol of initial sample	FILE: libc/sysdeps/linux/x86_64/vfork.S

Screenshots

No Screenshots

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
109.109.109.109	unknown	Netherlands	30925	SPEEDXS-ASNL	false
192.177.189.95	unknown	United States	18779	EGIHOSTINGUS	false
194.130.207.176	unknown	United Kingdom	702	UUNETUS	false
155.202.56.76	unknown	United Kingdom	8698	NationwideBuildingSocietyGB	false
207.207.207.207	unknown	United States	10823	NETCARRIERUS	false
168.215.69.89	unknown	United States	10753	LVLT-10753US	false
191.127.204.173	unknown	Chile	7418	TELEFONICACHILESACL	false
122.122.122.122	unknown	Taiwan; Republic of China (ROC)	3462	HINETDataCommunicationBusinessGroupTW	false
118.165.19.39	unknown	Taiwan; Republic of China (ROC)	3462	HINETDataCommunicationBusinessGroupTW	false
155.90.193.199	unknown	United States	4010	DNIC-AS-04010US	false
129.64.167.173	unknown	United States	10561	BRANDEISUS	false
59.59.59.59	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
146.146.146.146	unknown	United States	197938	TRAVIANGAMESDE	false
220.220.220.220	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
110.110.110.110	unknown	China	38341	CNNIC-HCENET-APHEXIEInformationtechnologyCoLtdCN	false
181.116.219.225	unknown	Argentina	11664	TechtelLMDSComunicacionesInteractivasSAAR	false
138.73.176.182	unknown	Canada	611	NECN-1-611CA	false
8.8.8.8	unknown	United States	15169	GOOGLEUS	false
120.167.21.41	unknown	Indonesia	4761	INDOSAT-INP-APINDOSATInternetNetworkProviderID	false
72.72.72.72	unknown	United States	701	UUNETUS	false
158.158.158.158	unknown	Singapore	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
171.171.171.171	unknown	United States	9874	STARHUB-MOBILEStarHubLtdSG	false
188.235.89.109	unknown	Russian Federation	50498	LIPETSK-ASRU	false
91.27.104.73	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	false
152.199.53.73	unknown	United States	15133	EDGECASTUS	false
147.82.185.191	unknown	Saudi Arabia	1761	TDIR-CAPNETUS	false
183.183.183.183	unknown	Japan	45684	MIRAINETKyoceraCommunicationSystemsCoLtdJP	false
200.135.238.244	unknown	Brazil	10715	UniversidadeFederaldeSantaCatarinaBR	false
134.119.131.37	unknown	Germany	8972	GD-EMEA-DC-SXB1DE	false
168.153.165.71	unknown	Australia	2764	AAPTAAPTLimitedAU	false
50.50.50.50	unknown	United States	7011	FRONTIER-AND-CITIZENSUS	false
130.115.127.33	unknown	Netherlands	1103	SURFNET-NLSURFnetTheNetherlandsNL	false
174.221.75.95	unknown	United States	22394	CELLCOUS	false
119.54.157.163	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
137.72.175.181	unknown	United States	37440	Airtel-MW	false
145.80.183.189	unknown	Netherlands	1103	SURFNET-NLSURFnetTheNetherlandsNL	false
169.104.207.213	unknown	United States	37611	AfrihostZA	false
176.112.189.158	unknown	Slovakia (SLOVAK Republic)	58044	ASFREEZONASK	false
122.107.119.25	unknown	Australia	4804	MPX-ASMicroplexPTYLTDAU	false
135.120.132.38	unknown	United States	10455	LUCENT-CIOUS	false
139.124.136.42	unknown	France	2457	FR-RAIMU-2ReseaudecollectedesUniversitesdAixMarseill	false
248.233.245.151	unknown	Reserved	unknown	unknown	false
87.87.87.87	unknown	United Kingdom	4589	EASYNETEasynetGlobalServicesEU	false
170.217.71.91	unknown	United States	8103	STATE-OF-FLAUS	false
128.63.166.172	unknown	United States	13	DNIC-AS-00013US	false
37.37.37.37	unknown	Kuwait	42961	GPRS-ASZAINKW	false
199.246.100.120	unknown	Canada	23251	BFRCUS	false
164.100.177.146	unknown	India	4758	NICNET-VSNL-BOARDER-APNationalInformaticsCentreIN	false
192.239.93.113	unknown	United States	36143	IW-AWI-ASNUS	false
146.81.184.190	unknown	Finland	41648	RUUKKIFI	false
15.15.15.15	unknown	United States	13979	ATT-IPFRUS	false
219.219.219.219	unknown	China	4538	ERX-CERNET-BKBChinaEducationandResearchNetworkCenter	false
185.185.185.185	unknown	Netherlands	52165	BALTSPORT-ASRU	false
83.18.121.127	unknown	Poland	5617	TPNETPL	false
173.173.173.173	unknown	United States	11427	TWC-11427-TEXASUS	false
246.231.243.149	unknown	Reserved	unknown	unknown	false
92.27.130.136	unknown	United Kingdom	13285	OPALTELECOM-ASTalkTalkCommunicationsLimitedGB	false
243.228.240.146	unknown	Reserved	unknown	unknown	false
143.190.44.64	unknown	United States	17477	MCT-SYDNEYMacquarieTelecomAU	false
200.136.213.182	unknown	Brazil	52888	UNIVERSIDADEFEDERALDESAOCARLOSBR	false
203.188.200.106	unknown	Taiwan; Republic of China (ROC)	24506	YAHOO-TP2YAHOOTAIWANTW	false
106.42.119.88	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
206.191.203.109	unknown	United States	53340	FIBERHUBUS	false
139.74.177.183	unknown	Finland	1759	TSF-IP-CORETeliaFinlandOyjEU	false
222.222.222.222	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
250.235.247.153	unknown	Reserved	unknown	unknown	false
151.136.148.54	unknown	Germany	205881	MANDE	false
112.112.112.112	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
197.197.197.197	unknown	Egypt	36992	ETISALAT-MISREG	false
208.193.205.111	unknown	United States	701	UUNETUS	false
99.34.137.143	unknown	United States	7018	ATT-INTERNET4US	false
119.119.119.119	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
137.184.38.58	unknown	United States	11003	PANDGUS	false
217.217.217.217	unknown	Spain	12357	COMUNITELSPAINES	false
210.210.210.210	unknown	Korea Republic of	9756	CHEONANVITSSEN-AS-KRTbroadChungbuBroadcastingCoKR	false
71.71.71.71	unknown	United States	11426	TWC-11426-CAROLINASUS	false
107.107.107.107	unknown	United States	20057	ATT-MOBILITY-LLC-AS20057US	false
100.100.100.100	unknown	Reserved	701	UUNETUS	false
191.126.229.235	unknown	Chile	7418	TELEFONICACHILESACL	false
82.17.120.126	unknown	United Kingdom	5089	NTLGB	false
163.148.160.66	unknown	Japan	2907	SINET-ASResearchOrganizationofInformationandSystemsN	false
210.195.207.113	unknown	Malaysia	4788	TMNET-AS-APTMNetInternetServiceProviderMY	false
94.94.94.94	unknown	Italy	3269	ASN-IBSNAZIT	false
148.83.186.192	unknown	Norway	2116	ASN-CATCHCOMNO	false
149.84.187.193	unknown	United States	13513	ALFRED-UNIVERSITYUS	false
168.168.168.168	unknown	United States	38027	MOST-AS-APInformationCenterMinistryofSciandTechCN	false
190.237.91.111	unknown	Peru	6147	TelefonicadelPeruSAAPE	false
98.33.136.142	unknown	United States	7922	COMCAST-7922US	false
144.191.45.65	unknown	United States	19773	MOTOROLAUS	false
189.174.186.92	unknown	Mexico	8151	UninetSAdeCVMX	false
93.93.93.93	unknown	Russian Federation	34879	CCT-ASNGENIXRU	false
210.145.248.254	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
161.161.161.161	unknown	United States	263740	CorporacionLaceibanetsocietyHN	false
205.205.205.205	unknown	United States	701	UUNETUS	false
124.171.25.45	unknown	Australia	7545	TPG-INTERNET-APTPGTelecomLimitedAU	false
89.24.127.133	unknown	Czech Republic	5588	GTSCEGTSCentralEuropeAntelGermanyCZ	false
36.36.36.36	unknown	China	17962	TOPWAY-NETShenZhenTopwayVideoCommunicationCoLtdCN	false
73.73.73.73	unknown	United States	7922	COMCAST-7922US	false
112.47.150.156	unknown	China	9808	CMNET-GDGuangdongMobileCommunicationCoLtdCN	false
116.51.154.160	unknown	Singapore	17645	NTT-SG-APASN-NTTSINGAPOREPTELTDSG	false

ID:	635360
Product:	CloudBasic
Start time:	20:17:25
Start date:	27.05.2022
Sample:	bash
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Architecture:	LINUX
MD5:	e64c10e496d39e9d20786ff0df2f7d59
SHA1:	25d85c14f468ae6875c33934d57c12f1d3c3d8ce
SHA256:	a4ea9b6e8713da4804c10f4869208a1cada3122b906581358fc1bb2cce92ddca
Filetype:	ELF Executable and Linkable format (generic) (4004/1) 100.00%

Linux Analysis Report bash

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Spreading

Networking

System Summary

Screenshots

Network Map

Contacted Public IPs

Linux Analysis Report
bash