Automated Malware Analysis Report for Anacron
ID: 202040
Sample Name: anacron
Cookbook: defaultlinuxfilecookbook.jbs
Time: 02:46:46
Date: 20/01/2020
Version: 28.0.0 Lapis Lazuli

Table of Contents

Table of Contents (2)
Analysis Report anacron (5)
  Overview (5): General Information (5), Detection (5), Classification (5)
  Mitre Att&ck Matrix (6)
  Signature Overview (7): AV Detection (7), Bitcoin Miner (7), Networking (7), System Summary (7), Persistence and Installation Behavior (7), Malware Analysis System Evasion (7)
  Malware Configuration (8)
  Runtime Messages (8)
  Behavior Graph (8)
  Yara Overview (8): Initial Sample (8), PCAP (Network Traffic) (9), Dropped Files (9)
  Sigma Overview (9)
  Joe Sandbox View / Context (9): IPs (9), Domains (9), ASN (9), JA3 Fingerprints (10), Dropped Files (10)
  Antivirus, Machine Learning and Genetic Malware Detection (10): Initial Sample (10), Dropped Files (10), Domains (10), URLs (10)
  Startup (10)
  Created / dropped Files (11)
  Domains and IPs (12): Contacted Domains (12), URLs from Memory and Binaries (12), Contacted IPs (12), Public (13)
  Static File Info (13): General (13), Static ELF Info (13): ELF header (13), Sections (14), Program Segments (14), Dynamic Tags (14), Symbols (15)
  Network Behavior (15): Network Port Distribution (15), TCP Packets (15), UDP Packets (15), DNS Queries (15), DNS Answers (15)
  System Behavior (16)
    Analysis Process: anacron PID: 20758 Parent PID: 20706 (16): General (16); File Activities (16): File Read (16), Directory Enumerated (16)
    Analysis Process: anacron PID: 20759 Parent PID: 20758 (16): General (16)
    Analysis Process: sh PID: 20759 Parent PID: 20758 (16): General (16); File Activities (17): File Read (17), File Written (17)
    Analysis Process: sh PID: 20761 Parent PID: 20759 (17): General (17)
    Analysis Process: rm PID: 20761 Parent PID: 20759 (17): General (17); File Activities (17): File Deleted (17), File Read (17)
    Analysis Process: sh PID: 20764 Parent PID: 20759 (17): General (17)
    Analysis Process: mkdir PID: 20764 Parent PID: 20759 (17): General (18); File Activities (18): File Read (18), Directory Created (18)
    Analysis Process: sh PID: 20771 Parent PID: 20759 (18): General (18)
    Analysis Process: chmod PID: 20771 Parent PID: 20759 (18): General (18); File Activities (18): File Read (18), Directory Enumerated (18), Permission Modified (18)
    Analysis Process: anacron PID: 20780 Parent PID: 20758 (18): General (18); File Activities (18): File Read (19), File Written (19)
    Analysis Process: upstart PID: 20811 Parent PID: 20139 (19): General (19)
    Analysis Process: sh PID: 20811 Parent PID: 20139 (19): General (19); File Activities (19): File Read (19)
    Analysis Process: sh PID: 20812 Parent PID: 20811 (19): General (19)
    Analysis Process: date PID: 20812 Parent PID: 20811 (19): General (19); File Activities (19): File Read (20)
    Analysis Process: sh PID: 20813 Parent PID: 20811 (20): General (20)
    Analysis Process: apport-checkreports PID: 20813 Parent PID: 20811 (20): General (20); File Activities (20): File Read (20), File Written (20), Directory Enumerated (20)
    Analysis Process: upstart PID: 20838 Parent PID: 20139 (20): General (20)
    Analysis Process: sh PID: 20838 Parent PID: 20139 (20): General (20); File Activities (21): File Read (21)
    Analysis Process: sh PID: 20839 Parent PID: 20838 (21): General (21)
    Analysis Process: date PID: 20839 Parent PID: 20838 (21): General (21); File Activities (21): File Read (21)
    Analysis Process: sh PID: 20855 Parent PID: 20838 (21): General (21)
    Analysis Process: apport-gtk PID: 20855 Parent PID: 20838 (21): General (21); File Activities (21): File Read (22), File Written (22), Directory Enumerated (22)
    Analysis Process: upstart PID: 20868 Parent PID: 20139 (22): General (22)
    Analysis Process: sh PID: 20868 Parent PID: 20139 (22): General (22); File Activities (22): File Read (22)
    Analysis Process: sh PID: 20869 Parent PID: 20868 (22): General (22)
    Analysis Process: date PID: 20869 Parent PID: 20868 (22): General (22); File Activities (23): File Read (23)
    Analysis Process: sh PID: 20870 Parent PID: 20868 (23): General (23)
    Analysis Process: apport-gtk PID: 20870 Parent PID: 20868 (23): General (23); File Activities (23): File Read (23), Directory Enumerated (23)

Copyright Joe Security LLC 2020 Page 2 of 23

Analysis Report anacron

Overview

General Information
Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 202040
Start date: 20.01.2020
Start time: 02:46:46
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 3m 59s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: anacron
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 59.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
Detection: MAL
Classification: mal76.troj.mine.lin@0/4@4/0

Detection
Strategy: Threshold
Score: 76
Range: 0 - 100
Whitelisted: false
Threat: Xmrig

Classification
[Classification chart: categories Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; scale malicious / suspicious / clean]

Mitre Att&ck Matrix
(a trailing number is the count of matched signatures for that technique)
• Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
• Execution: Command-Line Interface 1; Scripting 1; Windows Management Instrumentation; Scheduled Task
• Persistence: Hidden Files and Directories 1; Port Monitors; Accessibility Features; System Firmware
• Privilege Escalation: Port Monitors; Accessibility Features; Path Interception; DLL Search Order Hijacking
• Defense Evasion: Hidden Files and Directories 1; File and Directory Permissions Modification 1; Scripting 1; File Deletion 1
• Credential Access: Credential Dumping; Network Sniffing; Input Capture; Credentials in Files
• Discovery: Security Software Discovery 1; File and Directory Discovery 1; System Information Discovery 3; System Network Configuration Discovery
• Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts
• Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
• Exfiltration: Data Compressed; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted
• Command and Control: Standard Non-Application Layer Protocol 1; Standard Application Layer Protocol 1; Custom Cryptographic Protocol; Multiband Communication
• Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
• Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups

Signature Overview
• AV Detection
• Bitcoin Miner
• Networking
• System Summary
• Persistence and Installation Behavior
• Malware Analysis System Evasion

AV Detection:
• Antivirus detection for sample
• Multi AV Scanner detection for submitted file

Bitcoin Miner:
• Yara detected Xmrig cryptocurrency miner
• Detected Stratum mining protocol
• Found strings related to Crypto-Mining
• Reads CPU information from /proc indicative of miner or evasive malware
• Reads CPU information from /sys indicative of miner or evasive malware

Networking:
• Performs DNS lookups
• Urls found in memory or binary data

System Summary:
• Sample contains strings that are potentially command strings
• Sample has stripped symbol table
• Classification label

Persistence and Installation Behavior:
• Sample reads /proc/mounts (often used for finding a writable filesystem)
• Counts the number of processes currently running
• Creates hidden files and/or directories
• Executes commands using a shell command-line interpreter
• Executes the "chmod" command used to modify permissions
• Executes the "mkdir" command used to create folders
• Executes the "rm" command used to delete files or directories
• Reads system information from the proc file system
• Sample tries to set the executable flag

Malware Analysis System Evasion:
• Reads CPU information from /proc indicative of miner or evasive malware
• Reads CPU information from /sys indicative of miner or evasive malware
• Uses the "uname" system call to query kernel version information (possible evasion)

Malware Configuration
No configs have been found

Runtime Messages
Command: /tmp/anacron
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output: [2020-01-20 03:47:29.290] unable to open '/tmp/config.json'.
Standard Error:

Behavior Graph
[Behavior graph: ID 202040, Sample anacron, Startdate 20/01/2020, Architecture LINUX, Score 76. Network nodes: 45.9.148.125 (ports 45164, 80; unknown ASN; Netherlands) and the domain debian-package.center. Process tree: anacron starts anacron and sh; sh starts sh, which starts rm, mkdir and chmod; three upstart instances each start sh, which starts date and apport-checkreports or apport-gtk. Signatures attached to the sample: Antivirus detection for sample, Multi AV Scanner detection for submitted file, Yara detected Xmrig cryptocurrency miner, Sample reads /proc/mounts (often used for finding a writable filesystem), and 2 other signatures.]

Yara Overview

Initial Sample
Source: anacron
Rule: JoeSecurity_Xmrig
Description: Yara detected Xmrig cryptocurrency miner
Author: Joe Security
Strings:

PCAP (Network Traffic)
No yara matches

Dropped Files
No yara matches

Sigma Overview
No Sigma rule has matched

Joe Sandbox View / Context

IPs
Match: 45.9.148.125
Associated Sample Name / URL: cron (Detection: malicious); cQLmNrun (Detection: malicious)

Domains
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context