Automated Malware Analysis Report for Recovered Bin2
ID: 446038
Sample Name: recovered_bin2
Cookbook: defaultlinuxfilecookbook.jbs
Time: 18:09:20
Date: 08/07/2021
Version: 32.0.0 Black Diamond

Table of Contents

Table of Contents 2
Linux Analysis Report recovered_bin2 5
  Overview 5
    General Information 5
    Detection 5
    Signatures 5
    Classification 5
  General Information 5
  Process Tree 5
  Yara Overview 6
  Jbx Signature Overview 6
    AV Detection: 7
    Bitcoin Miner: 7
    Networking: 7
    Data Obfuscation: 7
    Persistence and Installation Behavior: 7
    Hooking and other Techniques for Hiding and Protection: 7
  Mitre Att&ck Matrix 7
  Malware Configuration 8
  Behavior Graph 8
  Antivirus, Machine Learning and Genetic Malware Detection 8
    Initial Sample 9
    Dropped Files 9
    Domains 9
    URLs 9
  Domains and IPs 9
    Contacted Domains 9
    Contacted URLs 9
    URLs from Memory and Binaries 9
    Contacted IPs 9
      Public 9
  Runtime Messages 12
  Joe Sandbox View / Context 12
    IPs 12
    Domains 12
    ASN 12
    JA3 Fingerprints 12
    Dropped Files 13
  Created / dropped Files 13
  Static File Info 14
    General 14
    Static ELF Info 15
      ELF header 15
      Program Segments 15
  Network Behavior 15
    TCP Packets 15
    HTTP Request Dependency Graph 15
  System Behavior 15
    Analysis Process: recovered_bin2 PID: 4571 Parent PID: 4500 15
      General 15
      File Activities 16
        File Deleted 16
        File Read 16
        File Written 16
        Directory Enumerated 16
        Directory Created 16
        Permission Modified 16
    Analysis Process: recovered_bin2 PID: 4590 Parent PID: 4571 16
      General 16
    Analysis Process: sh PID: 4590 Parent PID: 4571 16
      General 16
      File Activities 16
        File Read 16
    Analysis Process: sh PID: 4591 Parent PID: 4590 16
      General 16
    Analysis Process: netstat PID: 4591 Parent PID: 4590 17
      General 17
      File Activities 17
        File Read 17
        Directory Enumerated 17
    Analysis Process: sh PID: 4592 Parent PID: 4590 17
      General 17
    Analysis Process: grep PID: 4592 Parent PID: 4590 17
      General 17
      File Activities 17
        File Read 17
    Analysis Process: sh PID: 4593 Parent PID: 4590 17
      General 17
    Analysis Process: awk PID: 4593 Parent PID: 4590 18
Copyright Joe Security LLC 2021 Page 2 of 28
      General 18
      File Activities 18
        File Read 18
    Analysis Process: sh PID: 4594 Parent PID: 4590 18
      General 18
    Analysis Process: awk PID: 4594 Parent PID: 4590 18
      General 18
      File Activities 18
        File Read 18
    Analysis Process: sh PID: 4595 Parent PID: 4590 18
      General 18
    Analysis Process: grep PID: 4595 Parent PID: 4590 19
      General 19
      File Activities 19
        File Read 19
    Analysis Process: sh PID: 4596 Parent PID: 4590 19
      General 19
    Analysis Process: xargs PID: 4596 Parent PID: 4590 19
      General 19
      File Activities 19
        File Read 19
        Directory Enumerated 19
    Analysis Process: recovered_bin2 PID: 4655 Parent PID: 4571 19
      General 19
    Analysis Process: sh PID: 4655 Parent PID: 4571 20
      General 20
      File Activities 20
        File Read 20
    Analysis Process: sh PID: 4656 Parent PID: 4655 20
      General 20
    Analysis Process: netstat PID: 4656 Parent PID: 4655 20
      General 20
      File Activities 20
        File Read 20
        Directory Enumerated 20
    Analysis Process: sh PID: 4657 Parent PID: 4655 20
      General 20
    Analysis Process: grep PID: 4657 Parent PID: 4655 21
      General 21
      File Activities 21
        File Read 21
    Analysis Process: sh PID: 4658 Parent PID: 4655 21
      General 21
    Analysis Process: awk PID: 4658 Parent PID: 4655 21
      General 21
      File Activities 21
        File Read 21
    Analysis Process: sh PID: 4659 Parent PID: 4655 21
      General 21
    Analysis Process: awk PID: 4659 Parent PID: 4655 21
      General 22
      File Activities 22
        File Read 22
    Analysis Process: sh PID: 4660 Parent PID: 4655 22
      General 22
    Analysis Process: grep PID: 4660 Parent PID: 4655 22
      General 22
      File Activities 22
        File Read 22
    Analysis Process: sh PID: 4661 Parent PID: 4655 22
      General 22
    Analysis Process: xargs PID: 4661 Parent PID: 4655 22
      General 22
      File Activities 23
        File Read 23
        Directory Enumerated 23
    Analysis Process: recovered_bin2 PID: 4718 Parent PID: 4571 23
      General 23
    Analysis Process: kthreaddk PID: 4718 Parent PID: 4571 23
      General 23
      File Activities 23
        File Read 23
        Directory Enumerated 23
    Analysis Process: kthreaddk PID: 4721 Parent PID: 4718 23
      General 23
      File Activities 23
        File Read 23
        File Written 23
        Directory Enumerated 24
    Analysis Process: kthreaddk PID: 4739 Parent PID: 4721 24
      General 24
    Analysis Process: sh PID: 4739 Parent PID: 4721 24
      General 24
      File Activities 24
        File Read 24
    Analysis Process: sh PID: 4740 Parent PID: 4739 24
      General 24
    Analysis Process: modprobe PID: 4740 Parent PID: 4739 24
      General 24
      File Activities 24
        File Read 24
        Directory Enumerated 25
    Analysis Process: recovered_bin2 PID: 4733 Parent PID: 4571 25
      General 25
    Analysis Process: sh PID: 4733 Parent PID: 4571 25
      General 25
      File Activities 25
        File Read 25
    Analysis Process: sh PID: 4734 Parent PID: 4733 25
      General 25
    Analysis Process: chattr PID: 4734 Parent PID: 4733 25
      General 25
      File Activities 25
        File Read 25
        Directory Enumerated 26
    Analysis Process: sh PID: 4743 Parent PID: 4733 26
      General 26
    Analysis Process: chattr PID: 4743 Parent PID: 4733 26
      General 26
      File Activities 26
        File Read 26
    Analysis Process: sh PID: 4752 Parent PID: 4733 26
      General 26
    Analysis Process: chattr PID: 4752 Parent PID: 4733 26
      General 26
      File Activities 26
        File Read 26
        Directory Enumerated 27
    Analysis Process: sh PID: 4756 Parent PID: 4733 27
      General 27
    Analysis Process: chattr PID: 4756 Parent PID: 4733 27
      General 27
      File Activities 27
        File Read 27
        Directory Enumerated 27
    Analysis Process: recovered_bin2 PID: 4763 Parent PID: 4571 27
      General 27
    Analysis Process: sh PID: 4763 Parent PID: 4571 27
      General 27
      File Activities 27
        File Read 28
    Analysis Process: sh PID: 4766 Parent PID: 4763 28
      General 28
    Analysis Process: sh PID: 4767 Parent PID: 4763 28
      General 28
    Analysis Process: crontab PID: 4767 Parent PID: 4763 28
      General 28
      File Activities 28
        File Read 28
        File Written 28
        File Moved 28
        Permission Modified 28

Linux Analysis Report recovered_bin2

Overview

General Information
Sample Name: recovered_bin2
Analysis ID: 446038
MD5: 99cc0f1d0310922…
SHA1: 7d7cd6c71449bd…
SHA256: 03e3859f2109215…
Infos:

Detection
Score: 92
Range: 0 - 100
Whitelisted: false

Signatures
Multi AV Scanner detection for subm…
Snort IDS alert for network traffic (e.…
Detected Stratum mining protocol (e.…
Drops files in suspicious directories
Executes the "crontab" command ty…
Manipulation of devices in /dev
Sample deletes itself
Sample is packed with UPX
Sample reads /proc/mounts (often u…
Sample tries to persist itself using c…
Writes identical ELF files to multiple…
Detected TCP or UDP traffic on non…
Enumerates processes within the "p…
Executes commands using a shell c…
Executes the "grep" command used …
Reads CPU information from /proc in…
Reads CPU information from /sys in…
Reads system information from the …
Removes system protection from files
Sample contains only a LOAD segm…
Sample listens on a socket
Sample tries to set the executable fl…
Uses the "uname" system call to qu…
Writes ELF files to disk

Classification
[Classification chart: categories Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; verdict scale malicious / suspicious / clean]

General Information
Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 446038
Start date: 08.07.2021
Start time: 18:09:20
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 11s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: recovered_bin2
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 59.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
Analysis Mode: default
Detection: MAL
Classification: mal92.troj.evad.mine.lin@0/5@0/0
Warnings:

Process Tree
system is lnxubuntu1
recovered_bin2 (PID: 4571, Parent: 4500, MD5: 99cc0f1d0310922619c5bf55967969fa) Arguments: /tmp/recovered_bin2
  recovered_bin2 New Fork (PID: 4590, Parent: 4571)
    sh (PID: 4590, Parent: 4571, MD5: e02ea3c3450d44126c46d658fa9e654c)