
Joe Sandbox Analysis Report: cron
ID: 194469
Sample Name: cron
Cookbook: defaultlinuxfilecookbook.jbs
Start time: 23:57:38
Date: 08/12/2019
Version: 28.0.0 Lapis Lazuli


Analysis Report cron

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 194469
Start date: 08.12.2019
Start time: 23:57:38
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 10s
Hypervisor based Inspection enabled: false
Report: light
Sample file name: cron
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu 16.04 x64 (Kernel 4.4.0-116, Firefox 59.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
Detection: MAL
Classification: mal76.troj.mine.lin@0/0@4/0

Detection

Strategy  | Score | Range   | Reporting | Whitelisted | Threat Detection
Threshold | 76    | 0 - 100 |           | false       | Xmrig

Classification

[Classification chart (image): categories Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot and Adware, each rated on a scale of malicious, suspicious, clean.]

Mitre Att&ck Matrix

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services
Execution: Command-Line Interface 1; Service Execution; Windows Management Instrumentation
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features
Privilege Escalation: Port Monitors; Accessibility Features; Path Interception
Defense Evasion: File System Logical Offsets; Binary Padding; Rootkit
Credential Access: Credential Dumping; Network Sniffing; Input Capture
Discovery: Security Software Discovery 1; File and Directory Discovery 1; System Information Discovery 3
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium; Automated Exfiltration
Command and Control: Standard Non-Application Layer Protocol 1; Standard Application Layer Protocol 1; Custom Cryptographic Protocol
Impact: Data Destruction; Data Encrypted for Impact; Disk Structure Wipe

Signature Overview

• AV Detection
• Bitcoin Miner
• Networking
• System Summary
• Persistence and Installation Behavior
• Malware Analysis System Evasion


AV Detection:

Antivirus detection for sample

Multi AV Scanner detection for submitted file

Bitcoin Miner:

Yara detected Xmrig cryptocurrency miner

Detected Stratum mining protocol

Found related to Crypto-Mining

Reads CPU information from /proc indicative of miner or evasive malware

Reads CPU information from /sys indicative of miner or evasive malware

Networking:

Performs DNS lookups

Urls found in memory or binary data

System Summary:

Sample contains strings that are potentially command strings

Sample has stripped symbol table

Classification label

Persistence and Installation Behavior:

Sample reads /proc/mounts (often used for finding a writable filesystem)

Reads system information from the proc file system

Malware Analysis System Evasion:

Reads CPU information from /proc indicative of miner or evasive malware

Reads CPU information from /sys indicative of miner or evasive malware

Uses the "" system call to query kernel version information (possible evasion)

Malware Configuration

No configs have been found

Runtime Messages

Command: /tmp/cron
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output: [2019-12-09 00:58:23.620] unable to open '/tmp/config.json'.
Standard Error:

Behavior Graph

[Behavior graph (image). Legend items: Process, Signature, Created File, DNS/IP Info, Is Dropped, Number of created Files, Is malicious, Internet. Sample: cron, start date 08/12/2019, architecture LINUX, score 76. The cron process starts a second cron process. Signatures shown: Antivirus detection for sample; Multi AV Scanner detection for submitted file; Yara detected Xmrig cryptocurrency miner; 2 other signatures; Sample reads /proc/mounts (often used for finding a writable filesystem). Network node: 45.9.148.125, ports 45164, 80, -package.center, Netherlands, ASN unknown, marked malicious.]

Yara Overview

Initial Sample

Source | Rule               | Description                                  | Author       | Strings
cron   | JoeSecurity_Xmrig  | Yara detected Xmrig cryptocurrency miner     | Joe Security |

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

Match        | Associated Sample Name / URL | Detection
45.9.148.125 | cQLmNrun                     | malicious

Domains

No context

ASN


JA3 Fingerprints

No context

Dropped Files

No context

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner      | Label
cron   | 41%       | Virustotal   |
cron   | 18%       | Metadefender |
cron   | 100%      | Avira        | LINUX/BitCoinMiner.wkfyp

Dropped Files

No Antivirus matches

Domains

Source                | Detection | Scanner    | Label
debian-package.center | 0%        | Virustotal |

URLs

Source                            | Detection | Scanner         | Label
https://xmrig.com/docs/algorithms | 0%        | Avira URL Cloud | safe

Startup

system is lnxubuntu1
cron (PID: 20759, Parent: 20706, MD5: 0bdbb47336d7a9332886a80267e892e1) Arguments: /tmp/cron
  cron New Fork (PID: 20760, Parent: 20759)
cleanup

Created / dropped Files

No created / dropped files found

Domains and IPs

Contacted Domains

Name                  | IP           | Active | Malicious | Antivirus Detection | Reputation
debian-package.center | 45.9.148.129 | true   | false     | 0%, Virustotal      | unknown

URLs from Memory and Binaries

Contacted IPs


Public

IP           | Country     | ASN   | ASN Name | Malicious
45.9.148.125 | Netherlands | 49447 | unknown  | true

Static File Info

General

File type: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, stripped
Entropy (8bit): 6.340019841487885
TrID: ELF Executable and Linkable format (Linux) (4029/14) 49.77%; ELF Executable and Linkable format (generic) (4004/1) 49.46%; Lumena CEL bitmap (63/63) 0.78%
File name: cron
File size: 2269000
MD5: 0bdbb47336d7a9332886a80267e892e1
SHA1: 19414ad5800a2a5eec01da79d5de54bfd2a46c0d
SHA256: 70e8ab8b9aeb9ad887a8281876d1ca3845f66308d992fbb0619737be21d93cdf
SHA512: efafefb0f88856cfd124510ad4c907b9f5c31414d2e02e378023792e2aaac17bb4efc037d98fccb461645c61d37b0a358e37c0d2ead8ef663e10c56d25ec4b65
SSDEEP: 49152:hMW2UNoG3YwFW/////////0HL6bqgkfL+y9pObHfYagWyedY/MVS0p0spVyYwAFB:SU1YwFW/////////Fb/YXWddY/MVS0iX
File Content Preview: .ELF...... >...... @...... "...... @.8...@...... g...... g...... p...... p...... p...... X_...... X_...... ! ...... "....

Static ELF Info

ELF header
Class: ELF64
Data: 2's complement, little endian
Version: 1 (current)
Machine: Advanced Micro Devices X86-64
Version Number: 0x1
Type: DYN (Shared object file)
OS/ABI: UNIX - System V
ABI Version: 0
Entry Point Address: 0x19fbd
Flags: 0x0
ELF Header Size: 64
Program Header Offset: 64
Program Header Size: 56
Number of Program Headers: 9
Section Header Offset: 2267400
Section Header Size: 64
Number of Section Headers: 25
Header String Table Index: 24

Sections

Name              | Type       | Address  | Offset   | Size     | EntSize | Flags | Flags Description | Link | Info | Align
                  | NULL       | 0x0      | 0x0      | 0x0      | 0x0     | 0x0   |                   | 0    | 0    | 0
.gnu.hash         | GNU_HASH   | 0x238    | 0x238    | 0x1c     | 0x0     | 0x2   | A                 | 2    | 0    | 8
.dynsym           | DYNSYM     | 0x258    | 0x258    | 0x18     | 0x18    | 0x2   | A                 | 3    | 1    | 8
.dynstr           | STRTAB     | 0x270    | 0x270    | 0x1      | 0x0     | 0x2   | A                 | 0    | 0    | 1
.rela.dyn         | RELA       | 0x278    | 0x278    | 0x16488  | 0x18    | 0x2   | A                 | 2    | 0    | 8
.                 | PROGBITS   | 0x17000  | 0x17000  | 0xd      | 0x0     | 0x6   | AX                | 0    | 0    | 1
.plt              | PROGBITS   | 0x17010  | 0x17010  | 0x80     | 0x10    | 0x6   | AX                | 0    | 0    | 16
.text             | PROGBITS   | 0x170c0  | 0x170c0  | 0x1a17ec | 0x0     | 0x6   | AX                | 0    | 0    | 64
.fini             | PROGBITS   | 0x1b88ac | 0x1b88ac | 0x8      | 0x0     | 0x6   | AX                | 0    | 0    | 1
.rodata           | PROGBITS   | 0x1b9000 | 0x1b9000 | 0x1b9d0  | 0x0     | 0x2   | A                 | 0    | 0    | 32
.eh_frame_hdr     | PROGBITS   | 0x1d49d0 | 0x1d49d0 | 0xb60c   | 0x0     | 0x2   | A                 | 0    | 0    | 4
.eh_frame         | PROGBITS   | 0x1dffe0 | 0x1dffe0 | 0x3a1c0  | 0x0     | 0x2   | A                 | 0    | 0    | 8
.gcc_except_table | PROGBITS   | 0x21a1a0 | 0x21a1a0 | 0x4db8   | 0x0     | 0x2   | A                 | 0    | 0    | 4
.tbss             | NOBITS     | 0x2207f8 | 0x21f7f8 | 0x10     | 0x0     | 0x403 | WAT               | 0    | 0    | 8
.init_array       | INIT_ARRAY | 0x2207f8 | 0x21f7f8 | 0xf0     | 0x8     | 0x3   | WA                | 0    | 0    | 8
.fini_array       | FINI_ARRAY | 0x2208e8 | 0x21f8e8 | 0x18     | 0x8     | 0x3   | WA                | 0    | 0    | 8
.ctors            | PROGBITS   | 0x220900 | 0x21f900 | 0x10     | 0x0     | 0x3   | WA                | 0    | 0    | 8
.dtors            | PROGBITS   | 0x220910 | 0x21f910 | 0x10     | 0x0     | 0x3   | WA                | 0    | 0    | 8
.data.rel.ro      | PROGBITS   | 0x220920 | 0x21f920 | 0x9310   | 0x0     | 0x3   | WA                | 0    | 0    | 32
.dynamic          | DYNAMIC    | 0x229c30 | 0x228c30 | 0x190    | 0x10    | 0x3   | WA                | 3    | 0    | 8
.got              | PROGBITS   | 0x229dc0 | 0x228dc0 | 0x230    | 0x8     | 0x3   | WA                | 0    | 0    | 8
.data             | PROGBITS   | 0x22a000 | 0x229000 | 0x818    | 0x0     | 0x3   | WA                | 0    | 0    | 32
.bss              | NOBITS     | 0x22a840 | 0x229818 | 0xc908   | 0x0     | 0x3   | WA                | 0    | 0    | 64
.comment          | PROGBITS   | 0x0      | 0x229818 | 0x1a     | 0x1     | 0x30  | MS                | 0    | 0    | 1
.shstrtab         | STRTAB     | 0x0      | 0x229832 | 0xd3     | 0x0     | 0x0   |                   | 0    | 0    | 1

Program Segments

Type         | Offset   | Virtual Address | Physical Address | File Size | Memory Size | Flags | Flags Description | Align  | Prog Interpreter | Section Mappings
LOAD         | 0x0      | 0x0             | 0x0              | 0x16700   | 0x16700     | 0x4   | R                 | 0x1000 |                  | .gnu.hash .dynsym .dynstr .rela.dyn
LOAD         | 0x17000  | 0x17000         | 0x17000          | 0x1a18b4  | 0x1a18b4    | 0x5   | R E               | 0x1000 |                  | .init .plt .text .fini
LOAD         | 0x1b9000 | 0x1b9000        | 0x1b9000         | 0x65f58   | 0x65f58     | 0x4   | R                 | 0x1000 |                  | .rodata .eh_frame_hdr .eh_frame .gcc_except_table
LOAD         | 0x21f7f8 | 0x2207f8        | 0x2207f8         | 0xa020    | 0x16950     | 0x6   | RW                | 0x1000 |                  | .init_array .fini_array .ctors .dtors .data.rel.ro .dynamic .got .data .bss
DYNAMIC      | 0x228c30 | 0x229c30        | 0x229c30         | 0x190     | 0x190       | 0x6   | RW                | 0x8    |                  | .dynamic
TLS          | 0x21f7f8 | 0x2207f8        | 0x2207f8         | 0x0       | 0x10        | 0x4   | R                 | 0x8    |                  |
GNU_EH_FRAME | 0x1d49d0 | 0x1d49d0        | 0x1d49d0         | 0xb60c    | 0xb60c      | 0x4   | R                 | 0x4    |                  | .eh_frame_hdr
GNU_STACK    | 0x0      | 0x0             | 0x0              | 0x0       | 0x0         | 0x6   | RW                | 0x10   |                  |
GNU_RELRO    | 0x21f7f8 | 0x2207f8        | 0x2207f8         | 0x9808    | 0x9808      | 0x4   | R                 | 0x1    |                  | .init_array .fini_array .ctors .dtors .data.rel.ro .dynamic .got

Dynamic Tags

Type            | Meta  | Value     | Tag
DT_SYMBOLIC     | value | 0x0       | 0x10
DT_INIT         | value | 0x17000   | 0xc
DT_FINI         | value | 0x1b88ac  | 0xd
DT_INIT_ARRAY   | value | 0x2207f8  | 0x19
DT_INIT_ARRAYSZ | bytes | 240       | 0x1b
DT_FINI_ARRAY   | value | 0x2208e8  | 0x1a
DT_FINI_ARRAYSZ | bytes | 24        | 0x1c
DT_GNU_HASH     | value | 0x238     | 0x6ffffef5
DT_STRTAB       | value | 0x270     | 0x5
DT_SYMTAB       | value | 0x258     | 0x6
DT_STRSZ        | bytes | 1         | 0xa
DT_SYMENT       | bytes | 24        | 0xb
DT_DEBUG        | value | 0x0       | 0x15
DT_PLTGOT       | value | 0x229dc0  | 0x3
DT_RELA         | value | 0x278     | 0x7
DT_RELASZ       | bytes | 91272     | 0x8
DT_RELAENT      | bytes | 24        | 0x9
DT_BIND_NOW     | value | 0x0       | 0x18
DT_FLAGS_1      | value | 0x8000001 | 0x6ffffffb
DT_RELACOUNT    | value | 3803      | 0x6ffffff9
DT_NULL         | value | 0x0       | 0x0

Symbols

Symbol Name | Version Info Name | Version Info File Name | Section Name | Value | Size | Symbol Type | Symbol Bind | Visibility | Ndx
            |                   |                        | .dynsym      | 0x0   | 0    | NOTYPE      |             | DEFAULT    | SHN_UNDEF

Network Behavior

Network Port Distribution

Total Packets: 19 • 53 (DNS) • 80 (HTTP)

TCP Packets

UDP Packets

DNS Queries

Timestamp                       | Source IP    | Dest IP | Trans ID | OP Code            | Name                  | Type           | Class
Dec 8, 2019 23:58:24.830738068 CET | 192.168.2.20 | 8.8.8.8 | 0xc549   | Standard query (0) | debian-package.center | A (IP address) | IN (0x0001)
Dec 8, 2019 23:58:24.830944061 CET | 192.168.2.20 | 8.8.4.4 | 0xc549   | Standard query (0) | debian-package.center | A (IP address) | IN (0x0001)
Dec 8, 2019 23:58:24.831003904 CET | 192.168.2.20 | 8.8.8.8 | 0xc628   | Standard query (0) | debian-package.center | 28             | IN (0x0001)
Dec 8, 2019 23:58:24.831051111 CET | 192.168.2.20 | 8.8.4.4 | 0xc628   | Standard query (0) | debian-package.center | 28             | IN (0x0001)

DNS Answers

Timestamp                          | Source IP | Dest IP      | Trans ID | Reply Code   | Name                  | CName | Address      | Type           | Class
Dec 8, 2019 23:58:24.856201887 CET | 8.8.8.8   | 192.168.2.20 | 0xc549   | No error (0) | debian-package.center |       | 45.9.148.129 | A (IP address) | IN (0x0001)
Dec 8, 2019 23:58:24.856201887 CET | 8.8.8.8   | 192.168.2.20 | 0xc549   | No error (0) | debian-package.center |       | 45.9.148.125 | A (IP address) | IN (0x0001)
Dec 8, 2019 23:58:24.856265068 CET | 8.8.4.4   | 192.168.2.20 | 0xc549   | No error (0) | debian-package.center |       | 45.9.148.129 | A (IP address) | IN (0x0001)
Dec 8, 2019 23:58:24.856265068 CET | 8.8.4.4   | 192.168.2.20 | 0xc549   | No error (0) | debian-package.center |       | 45.9.148.125 | A (IP address) | IN (0x0001)

System Behavior

Analysis Process: cron PID: 20759 Parent PID: 20706

General

Start time: 23:58:23
Start date: 08/12/2019
Path: /tmp/cron
Arguments: /tmp/cron
File size: 2269000 bytes
MD5 hash: 0bdbb47336d7a9332886a80267e892e1

File Activities

File Read

Directory Enumerated

Analysis Process: cron PID: 20760 Parent PID: 20759

General

Start time: 23:58:23
Start date: 08/12/2019
Path: /tmp/cron
Arguments: n/a
File size: 2269000 bytes
MD5 hash: 0bdbb47336d7a9332886a80267e892e1

File Activities

File Read

Copyright Joe Security LLC 2019
