Automated Malware Analysis Report for 8V1qkqvk9c
ID: 453919
Sample Name: 8v1QKqvK9c
Cookbook: defaultlinuxfilecookbook.jbs
Time: 16:59:24
Date: 25/07/2021
Version: 33.0.0 White Diamond

Table of Contents
  Table of Contents 2
  Linux Analysis Report 8v1QKqvK9c 3
    Overview 3
      General Information 3
      Detection 3
      Signatures 3
      Classification 3
    Analysis Advice 3
    General Information 3
    Process Tree 3
    Yara Overview 4
      Initial Sample 4
      PCAP (Network Traffic) 4
    Jbx Signature Overview 4
      AV Detection: 4
      Networking: 4
    Mitre Att&ck Matrix 4
    Malware Configuration 4
    Behavior Graph 4
    Antivirus, Machine Learning and Genetic Malware Detection 5
      Initial Sample 5
      Dropped Files 5
      Domains 5
      URLs 5
    Domains and IPs 5
      Contacted Domains 5
      Contacted IPs 6
        Public 6
    Runtime Messages 8
    Joe Sandbox View / Context 8
      IPs 8
      Domains 8
      ASN 8
      JA3 Fingerprints 9
    Dropped Files 9
      Created / dropped Files 9
    Static File Info 10
      General 10
    Static ELF Info 10
      ELF header 10
      Sections 10
      Program Segments 10
    Network Behavior 11
      Network Port Distribution 11
      TCP Packets 11
    System Behavior 11
      Analysis Process: 8v1QKqvK9c PID: 4596 Parent PID: 4518 11
        General 11
        File Activities 11
          File Read 11
      Analysis Process: 8v1QKqvK9c PID: 4603 Parent PID: 4596 11
        General 11
      Analysis Process: 8v1QKqvK9c PID: 4607 Parent PID: 4603 12
        General 12

Copyright Joe Security LLC 2021 Page 2 of 12

Linux Analysis Report 8v1QKqvK9c

Overview

General Information
  Sample Name: 8v1QKqvK9c
  Analysis ID: 453919
  MD5: ce09b4798df15ac…
  SHA1: 152d07b9de51bfe…
  SHA256: 3f807fcbb5e0d62…
  Tags: 32 elf mirai powerpc
  Infos: (none)

Detection
  Score: 72
  Range: 0 - 100
  Whitelisted: false

Signatures
  Multi AV Scanner detection for subm…
  Snort IDS alert for network traffic (e.…
  Yara detected Mirai
  Yara detected Mirai
  Detected TCP or UDP traffic on non…
  Sample contains strings indicative o…
  Sample contains strings indicative o…
  Sample has stripped symbol table
  Sample listens on a socket
  Uses the "uname" system call to qu…

Classification
  Wheel labels: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware
  Verdict bands: malicious, suspicious, clean
  Matched family: Mirai

Analysis Advice
  Static ELF header machine description suggests that the sample might not execute correctly on this machine

General Information
  Joe Sandbox Version: 33.0.0 White Diamond
  Analysis ID: 453919
  Start date: 25.07.2021
  Start time: 16:59:24
  Joe Sandbox Product: CloudBasic
  Overall analysis duration: 0h 4m 24s
  Hypervisor based Inspection enabled: false
  Report type: light
  Sample file name: 8v1QKqvK9c
  Cookbook file name: defaultlinuxfilecookbook.jbs
  Analysis system description: Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 59.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
  Analysis Mode: default
  Detection: MAL
  Classification: mal72.troj.lin@0/0@0/0
  Warnings: (see full report)

Process Tree
  system is lnxubuntu1
  8v1QKqvK9c (PID: 4596, Parent: 4518, MD5: ce09b4798df15ac3dee04303a71a5f6f) Arguments: /usr/bin/qemu-ppc /tmp/8v1QKqvK9c
    8v1QKqvK9c New Fork (PID: 4603, Parent: 4596)
      8v1QKqvK9c New Fork (PID: 4607, Parent: 4603)
  cleanup

Yara Overview

Initial Sample
  Source: 8v1QKqvK9c | Rule: JoeSecurity_Mirai_8 | Description: Yara detected Mirai | Author: Joe Security | Strings: (none)

PCAP (Network Traffic)
  Source: dump.pcap | Rule: JoeSecurity_Mirai_12 | Description: Yara detected Mirai | Author: Joe Security | Strings: (none)

Jbx Signature Overview
  Sections: AV Detection, Networking, System Summary, Malware Analysis System Evasion

  AV Detection:
    Multi AV Scanner detection for submitted file
  Networking:
    Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Mitre Att&ck Matrix
  Initial Access: Valid Accounts
  Execution: Windows Management Instrumentation
  Persistence: Path Interception
  Privilege Escalation: Path Interception
  Defense Evasion: Direct Volume Access
  Credential Access: Brute Force 1
  Discovery: Security Software Discovery 1
  Lateral Movement: Remote Services
  Collection: Data from Local System
  Exfiltration: Exfiltration Over Other Network Medium
  Command and Control: Non-Standard Port 1
  Network Effects: Eavesdrop on Insecure Network Communication
  Remote Service Effects: Remotely Track Device Without Authorization
  Impact: Modify System Partition

Malware Configuration
  No configs have been found

Behavior Graph
  ID: 453919
  Sample: 8v1QKqvK9c
  Startdate: 25/07/2021
  Architecture: LINUX
  Score: 72
  Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is malicious, Number of created Files
  Process chain: 8v1QKqvK9c started 8v1QKqvK9c started 8v1QKqvK9c
  Signatures attached to the process: Multi AV Scanner detection for submitted file; Yara detected Mirai; Yara detected Mirai; Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
  Network nodes:
    154.83.233.51, port 23 (XIAOZHIYUN1-AS-APICIDCNETWORKUS, Seychelles)
    84.168.174.107, port 23 (DTAGInternetserviceprovideroperationsDE, Germany)
    98 other IPs or domains (Internet)

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample
  Source: 8v1QKqvK9c | Detection: 27% | Scanner: Virustotal | Label: (none) | Link: Browse

Dropped Files
  No Antivirus matches

Domains
  No Antivirus matches

URLs
  No Antivirus matches

Domains and IPs

Contacted Domains
  No contacted domains info

Contacted IPs

Public
  Columns: IP | Domain | Country | Flag | ASN | ASN Name | Malicious
  (The per-IP rows of this table are omitted here; the two IPs flagged in the Behavior Graph above are the only entries the report discusses.)