Edit tour

Linux Analysis Report
25jan. Required documents.lnk

Overview

General Information

Sample Name:	25jan. Required documents.lnk
Analysis ID:	794655
MD5:	42d501d938b5152accfb8541ccd302a5
SHA1:	476e42f9e316d44fbd4bf2371e2c8b5c0503eab5
SHA256:	1e6c697fe3b106fd43b6d7c96752a3618eaa04765e89bf8bc4b2e7cb8eb5034c
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false

Signatures

Multi AV Scanner detection for submitted file

Uses the "uname" system call to query kernel version information (possible evasion)

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Creates hidden files and/or directories

Classification

Analysis Advice

All HTTP servers contacted by the sample do not answer. The sample is likely an old dropper which does no longer work.

Non-zero exit code suggests an error during the execution. Lookup the error code for hints.

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	794655
Start date and time:	2023-01-30 19:54:03 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample file name:	25jan. Required documents.lnk
Detection:	MAL
Classification:	mal48.linLNK@0/0@0/0

Runtime Messages

Command:	xdg-open "/tmp/25jan. Required documents.lnk"
PID:	6234
Exit Code:	4
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:

Process Tree

system is lnxubuntu20

exo-open (PID: 6246, Parent: 6234, MD5: 60a307a6a6325e2034eb5cc56bff1abd) Arguments: exo-open "/tmp/25jan. Required documents.lnk"

cleanup

Yara Signatures

⊘No yara matches

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 25jan. Required documents.lnk

Virustotal: Detection: 8%

Perma Link

Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43

Source: classification engine

Classification label: mal48.linLNK@0/0@0/0

Source: /usr/bin/exo-open (PID: 6246)

Directory: /root/.cache

Jump to behavior

Source: /usr/bin/exo-open (PID: 6246)

Queries kernel information via 'uname':

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 Hidden Files and Directories	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
25jan. Required documents.lnk	8%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
109.202.202.202	tltckqoZW6.elf	Get hash	malicious	Browse
	iVpgXsO6TJ.elf	Get hash	malicious	Browse
	ia2RlJsCVb.elf	Get hash	malicious	Browse
	3WwbD7M27o.elf	Get hash	malicious	Browse
	nbxtrUR7m9.elf	Get hash	malicious	Browse
	YqvwJsA6q9.elf	Get hash	malicious	Browse
	esOdAbjPM9.elf	Get hash	malicious	Browse
	ktPj6JE5Ci.elf	Get hash	malicious	Browse
	tiR314Dsku.elf	Get hash	malicious	Browse
	Rl141wwn1h.elf	Get hash	malicious	Browse
	yIJJ7D6oU4.elf	Get hash	malicious	Browse
	mbf2QOELNh.elf	Get hash	malicious	Browse
	oFCmK70wlE.elf	Get hash	malicious	Browse
	8INuVMs8Of.elf	Get hash	malicious	Browse
	cB5pPcm3CT.elf	Get hash	malicious	Browse
	ma844vEGhi.elf	Get hash	malicious	Browse
	2YdBZR5ZFn.elf	Get hash	malicious	Browse
	Zs6LduMS7k.elf	Get hash	malicious	Browse
	ZfbIwVQt4b.elf	Get hash	malicious	Browse
	http://195.133.40.73/bins/Paralysis.arm	Get hash	malicious	Browse
91.189.91.43	tltckqoZW6.elf	Get hash	malicious	Browse
	iVpgXsO6TJ.elf	Get hash	malicious	Browse
	ia2RlJsCVb.elf	Get hash	malicious	Browse
	3WwbD7M27o.elf	Get hash	malicious	Browse
	nbxtrUR7m9.elf	Get hash	malicious	Browse
	YqvwJsA6q9.elf	Get hash	malicious	Browse
	esOdAbjPM9.elf	Get hash	malicious	Browse
	ktPj6JE5Ci.elf	Get hash	malicious	Browse
	tiR314Dsku.elf	Get hash	malicious	Browse
	Rl141wwn1h.elf	Get hash	malicious	Browse
	yIJJ7D6oU4.elf	Get hash	malicious	Browse
	mbf2QOELNh.elf	Get hash	malicious	Browse
	oFCmK70wlE.elf	Get hash	malicious	Browse
	8INuVMs8Of.elf	Get hash	malicious	Browse
	cB5pPcm3CT.elf	Get hash	malicious	Browse
	ma844vEGhi.elf	Get hash	malicious	Browse
	2YdBZR5ZFn.elf	Get hash	malicious	Browse
	Zs6LduMS7k.elf	Get hash	malicious	Browse
	ZfbIwVQt4b.elf	Get hash	malicious	Browse
	http://195.133.40.73/bins/Paralysis.arm	Get hash	malicious	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CANONICAL-ASGB	tltckqoZW6.elf	Get hash	malicious	Browse	91.189.91.42
	iVpgXsO6TJ.elf	Get hash	malicious	Browse	91.189.91.42
	ia2RlJsCVb.elf	Get hash	malicious	Browse	91.189.91.42
	3WwbD7M27o.elf	Get hash	malicious	Browse	91.189.91.42
	nbxtrUR7m9.elf	Get hash	malicious	Browse	91.189.91.42
	YqvwJsA6q9.elf	Get hash	malicious	Browse	91.189.91.42
	esOdAbjPM9.elf	Get hash	malicious	Browse	91.189.91.42
	ktPj6JE5Ci.elf	Get hash	malicious	Browse	91.189.91.42
	tiR314Dsku.elf	Get hash	malicious	Browse	91.189.91.42
	Rl141wwn1h.elf	Get hash	malicious	Browse	91.189.91.42
	yIJJ7D6oU4.elf	Get hash	malicious	Browse	91.189.91.42
	mbf2QOELNh.elf	Get hash	malicious	Browse	91.189.91.42
	oFCmK70wlE.elf	Get hash	malicious	Browse	91.189.91.42
	8INuVMs8Of.elf	Get hash	malicious	Browse	91.189.91.42
	cB5pPcm3CT.elf	Get hash	malicious	Browse	91.189.91.42
	ma844vEGhi.elf	Get hash	malicious	Browse	91.189.91.42
	2YdBZR5ZFn.elf	Get hash	malicious	Browse	91.189.91.42
	Zs6LduMS7k.elf	Get hash	malicious	Browse	91.189.91.42
	ZfbIwVQt4b.elf	Get hash	malicious	Browse	91.189.91.42
	http://195.133.40.73/bins/Paralysis.arm	Get hash	malicious	Browse	91.189.91.42
INIT7CH	tltckqoZW6.elf	Get hash	malicious	Browse	109.202.202.202
	iVpgXsO6TJ.elf	Get hash	malicious	Browse	109.202.202.202
	ia2RlJsCVb.elf	Get hash	malicious	Browse	109.202.202.202
	3WwbD7M27o.elf	Get hash	malicious	Browse	109.202.202.202
	nbxtrUR7m9.elf	Get hash	malicious	Browse	109.202.202.202
	YqvwJsA6q9.elf	Get hash	malicious	Browse	109.202.202.202
	esOdAbjPM9.elf	Get hash	malicious	Browse	109.202.202.202
	ktPj6JE5Ci.elf	Get hash	malicious	Browse	109.202.202.202
	tiR314Dsku.elf	Get hash	malicious	Browse	109.202.202.202
	Rl141wwn1h.elf	Get hash	malicious	Browse	109.202.202.202
	yIJJ7D6oU4.elf	Get hash	malicious	Browse	109.202.202.202
	mbf2QOELNh.elf	Get hash	malicious	Browse	109.202.202.202
	oFCmK70wlE.elf	Get hash	malicious	Browse	109.202.202.202
	8INuVMs8Of.elf	Get hash	malicious	Browse	109.202.202.202
	cB5pPcm3CT.elf	Get hash	malicious	Browse	109.202.202.202
	ma844vEGhi.elf	Get hash	malicious	Browse	109.202.202.202
	2YdBZR5ZFn.elf	Get hash	malicious	Browse	109.202.202.202
	Zs6LduMS7k.elf	Get hash	malicious	Browse	109.202.202.202
	ZfbIwVQt4b.elf	Get hash	malicious	Browse	109.202.202.202
	http://195.133.40.73/bins/Paralysis.arm	Get hash	malicious	Browse	109.202.202.202

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Icon number=14, Archive, ctime=Sat Jul 16 12:18:48 2016, mtime=Sat Jul 16 12:18:48 2016, atime=Sat Jul 16 12:18:48 2016, length=232960, window=hide
Entropy (8bit):	4.469401886349938
TrID:	Windows Shortcut (20020/1) 100.00%
File name:	25jan. Required documents.lnk
File size:	1312
MD5:	42d501d938b5152accfb8541ccd302a5
SHA1:	476e42f9e316d44fbd4bf2371e2c8b5c0503eab5
SHA256:	1e6c697fe3b106fd43b6d7c96752a3618eaa04765e89bf8bc4b2e7cb8eb5034c
SHA512:	0ea012f85c749ccbb153766423c88d166eb186725b21ba1be442f3ac7d3290aa3356b80fefceff23dd010dd82e814bbd316f7e7b7a5d43e76c224c4e16f577e8
SSDEEP:	24:8vJ25BdHdaUCMbXUx+/fqiT0x4o0agFDTXD/Fom:80hH5h0OoATXjFo
TLSH:	C821870507FBA319F3B24E76043AE3458FA2F951FD63A72D5254A18C8860F08EC74B17
File Content Preview:	L..................F.... .......d.......d.......d...........................5....P.O. .:i.....+00.../C:\...................V.1...../Urk..Windows.@........H.0/Urk..........................u...W.i.n.d.o.w.s.....Z.1.....)V.>..System32..B........H.0)V.>......

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 30, 2023 19:54:54.408082008 CET	42836	443	192.168.2.23	91.189.91.43
Jan 30, 2023 19:54:54.668056011 CET	42516	80	192.168.2.23	109.202.202.202
Jan 30, 2023 19:55:09.767362118 CET	43928	443	192.168.2.23	91.189.91.42
Jan 30, 2023 19:55:20.006814003 CET	42836	443	192.168.2.23	91.189.91.43
Jan 30, 2023 19:55:24.102634907 CET	42516	80	192.168.2.23	109.202.202.202
Jan 30, 2023 19:55:50.725249052 CET	43928	443	192.168.2.23	91.189.91.42
Jan 30, 2023 19:56:11.204283953 CET	42836	443	192.168.2.23	91.189.91.43

System Behavior

Analysis Process: exo-open PID: 6246, Parent PID: 6234

General

Start time:	19:54:55
Start date:	30/01/2023
Path:	/usr/bin/exo-open
Arguments:	exo-open "/tmp/25jan. Required documents.lnk"
File size:	27264 bytes
MD5 hash:	60a307a6a6325e2034eb5cc56bff1abd

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report 25jan. Required documents.lnk

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Runtime Messages

Process Tree

Yara Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: exo-open PID: 6246, Parent PID: 6234

General

Chronological Activities

Linux Analysis Report
25jan. Required documents.lnk