Automated Malware Analysis Report for Veraport-G3 Amd64.Deb
ID: 154829
Sample Name: veraport-g3_amd64.deb
Cookbook: defaultlinuxfilecookbook.jbs
Time: 06:34:22
Date: 22/07/2019
Version: 26.0.0 Aquamarine

Table of Contents

Table of Contents 2
Analysis Report veraport-g3_amd64.deb 4
  Overview 4
    General Information 4
    Detection 4
    Classification 4
    Mitre Att&ck Matrix 5
    Signature Overview 5
      Networking: 6
      System Summary: 6
      Persistence and Installation Behavior: 6
      Malware Analysis System Evasion: 6
    Runtime Messages 6
    Behavior Graph 6
    Yara Overview 7
      Initial Sample 7
      PCAP (Network Traffic) 7
      Dropped Files 7
    Joe Sandbox View / Context 7
      IPs 7
      Domains 8
      ASN 8
      JA3 Fingerprints 8
      Dropped Files 8
    Antivirus and Machine Learning Detection 9
      Initial Sample 9
      Dropped Files 9
      Domains 9
      URLs 9
    Screenshots 9
      Thumbnails 9
  Startup 10
  Created / dropped Files 10
  Domains and IPs 12
    Contacted Domains 12
    URLs from Memory and Binaries 12
    Contacted IPs 12
      Public 13
  Static File Info 13
    General 13
  Network Behavior 13
    Network Port Distribution 13
    TCP Packets 14
    UDP Packets 14
    DNS Queries 14
    DNS Answers 14
    HTTPS Packets 14
  System Behavior 15
    Analysis Process: gnome-software PID: 20860 Parent PID: 20139 15
      General 15
      File Activities 15: File Deleted 15, File Read 15, File Written 15, Directory Enumerated 15, Directory Created 15, Owner / Group Modified 15, Permission Modified 15
    Analysis Process: gnome-software PID: 20891 Parent PID: 20860 15
      General 15
      File Activities 15: Directory Enumerated 15
    Analysis Process: dbus-launch PID: 20891 Parent PID: 20860 15
      General 15
      File Activities 16: File Read 16
    Analysis Process: gnome-software PID: 20960 Parent PID: 20860 16
      General 16
      File Activities 16: Directory Enumerated 16
    Analysis Process: dpkg-deb PID: 20960 Parent PID: 20860 16
      General 16
      File Activities 16: File Read 16, Directory Created 16, Directory Deleted 16
    Analysis Process: dpkg-deb PID: 20962 Parent PID: 20960 16
      General 16
      File Activities 16: File Read 16
    Analysis Process: dpkg-deb PID: 20963 Parent PID: 20960 17

Copyright Joe Security LLC 2019 Page 2 of 20
      General 17
      File Activities 17: File Read 17
    Analysis Process: dpkg-deb PID: 20964 Parent PID: 20960 17
      General 17
    Analysis Process: tar PID: 20964 Parent PID: 20960 17
      General 17
      File Activities 17: File Read 17, File Written 17, Directory Created 17, Owner / Group Modified 17, Permission Modified 17
    Analysis Process: dpkg-deb PID: 20973 Parent PID: 20960 17
      General 17
    Analysis Process: rm PID: 20973 Parent PID: 20960 18
      General 18
      File Activities 18: File Deleted 18, File Read 18, Directory Enumerated 18
    Analysis Process: gnome-software PID: 21033 Parent PID: 20860 18
      General 18
      File Activities 18: Directory Enumerated 18
    Analysis Process: dpkg PID: 21033 Parent PID: 20860 18
      General 18
      File Activities 18: File Read 18, Directory Enumerated 18
    Analysis Process: gnome-software PID: 21034 Parent PID: 20860 19
      General 19
      File Activities 19: Directory Enumerated 19
    Analysis Process: dpkg PID: 21034 Parent PID: 20860 19
      General 19
      File Activities 19: File Read 19, Directory Enumerated 19
    Analysis Process: systemd PID: 20931 Parent PID: 1 19
      General 19
    Analysis Process: fwupd PID: 20931 Parent PID: 1 19
      General 19
      File Activities 19: File Deleted 20, File Read 20, File Written 20, Directory Enumerated 20, Directory Created 20, Owner / Group Modified 20

Analysis Report veraport-g3_amd64.deb

Overview

General Information
Joe Sandbox Version: 26.0.0 Aquamarine
Analysis ID: 154829
Start date: 22.07.2019
Start time: 06:34:22
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 6s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: veraport-g3_amd64.deb
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 59.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
Detection: CLEAN
Classification: clean3.linDEB@0/8@4/0

Detection
  Strategy    Score  Range    Reporting  Whitelisted  Detection
  Threshold   3      0 - 100  false

Classification
Classification diagram (figure): scale malicious / suspicious / clean; categories Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware.

Mitre Att&ck Matrix
Initial Access: Valid Accounts; Replication Through Removable Media; Drive-by Compromise
Execution: Command-Line Interface 1; Service Execution; Windows Management Instrumentation
Persistence: Hidden Files and Directories 1; Port Monitors; Accessibility Features
Privilege Escalation: Port Monitors; Accessibility Features; Path Interception
Defense Evasion: Hidden Files and Directories 1; File Deletion 1; Rootkit
Credential Access: Credential Dumping; Network Sniffing; Input Capture
Discovery: Security Software Discovery 1; Application Window Discovery; Query Registry
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Exfiltration: Data Encrypted 1; Exfiltration Over Other Network Medium; Automated Exfiltration
Command and Control: Standard Cryptographic Protocol 1; Standard Non-Application Layer Protocol 2; Standard Application Layer Protocol 2

Signature Overview
• Networking
• System Summary
• Persistence and Installation Behavior
• Malware Analysis System Evasion

Networking:
• Connects to IPs without corresponding DNS lookups
• Performs DNS lookups
• Urls found in memory or binary data
• Uses HTTPS

System Summary:
• Sample contains strings that are potentially command strings
• Classification label

Persistence and Installation Behavior:
• Creates hidden files and/or directories
• Executes the "rm" command used to delete files or directories
• Sample tries to set the executable flag
• Writes shell script file to disk with an unusual file extension
• Samples exit code indicates no error despite standard error output

Malware Analysis System Evasion:
• Uses the "uname" system call to query kernel version information (possible evasion)

Runtime Messages
Command: xdg-open "/tmp/veraport-g3_amd64.deb"
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:
Standard Error:
(gnome-software:20860): GsPlugin-WARNING **: could not lookup cached macaroon: Error calling StartServiceByName for org.freedesktop.secrets: Timeout was reached
(gnome-software:20860): IBUS-WARNING **: The owner of /home/user/.config/ibus/bus is not root!

Behavior Graph
Behavior graph (figure): ID 154829, sample veraport-g3_amd64.deb, start date 22/07/2019, architecture LINUX, score 3. Process tree: systemd, gnome-software and fwupd at the root; gnome-software starts four gnome-software child processes that become dbus-launch, dpkg-deb, dpkg and dpkg; dpkg-deb starts four dpkg-deb child processes that become tar and rm. Dropped files: /tmp/dpkg-deb.aV8ZOc/prerm (POSIX), /tmp/dpkg-deb.aV8ZOc/postinst (POSIX). DNS/IP info: reviews.ubuntu.com; 91.189.92.19 port 443 (local port 47156) and 91.189.94.244 port 443 (local ports 47334, 47336), United Kingdom, ASN unknown.

Yara Overview
Initial Sample: No yara matches
PCAP (Network Traffic): No yara matches
Dropped Files: No yara matches

Joe Sandbox View / Context

IPs
91.189.94.244: sqlninja_0.2.6-r1-1raring0_all.deb, detection malicious

Domains
reviews.ubuntu.com: sqlninja_0.2.6-r1-1raring0_all.deb, detection malicious, context 91.189.94.244

ASN
unknown