
ID: 449257
Sample Name: env-helper.sh
Cookbook: defaultlinuxfilecookbook.jbs
Time: 13:23:17
Date: 15/07/2021
Version: 33.0.0 White Diamond

Table of Contents

Table of Contents 2
Analysis Report env-helper.sh 3
Overview 3
General Information 3
Detection 3
Signatures 3
Classification 3
General Information 3
Process Tree 3
Yara Overview 3
Jbx Signature Overview 3
Mitre Att&ck Matrix 4
Malware Configuration 4
Behavior Graph 4
Antivirus, Machine Learning and Genetic Malware Detection 5
Initial Sample 5
Dropped Files 5
Domains 5
URLs 5
Domains and IPs 5
Contacted Domains 5
Contacted IPs 5
Runtime Messages 6
Joe Sandbox View / Context 6
IPs 6
Domains 6
ASN 6
JA3 Fingerprints 6
Dropped Files 6
Created / dropped Files 6
Static Info 6
General 6
Network Behavior 7
System Behavior 7
Analysis Process: bash PID: 4597 Parent PID: 4519 7
General 7
File Activities 7
File Read 7

Copyright Joe Security LLC 2021 Page 2 of 7

Linux Analysis Report env-helper.sh

Overview

General Information
Sample Name: env-helper.sh
Analysis ID: 449257
MD5: 7ea975593bc4ab…
SHA1: e8a358762d62b1…
SHA256: b1cfa80fc43bef0…

Detection
Score: 1
Range: 0 - 100
Whitelisted: false

Signatures
Sample contains strings that are pot…
Uses the "" system call to qu…

Classification
Categories: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware
Legend: malicious, suspicious, clean

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 449257
Start date: 15.07.2021
Start time: 13:23:17
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 3m 58s
Hypervisor based Inspection enabled: false
Report: light
Sample file name: env-helper.sh
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 59.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
Analysis Mode: default
Detection: CLEAN
Classification: clean1.linSH@0/0@0/0

Process Tree

system is lnxubuntu1
bash (PID: 4597, Parent: 4519, MD5: 5e666695cf08d1638bb85684e30185ee)
Arguments: /bin/bash /tmp/env-helper.sh cleanup

Yara Overview

No yara matches

Jbx Signature Overview

• System Summary
• Malware Analysis System Evasion

There are no malicious signatures.

Mitre Att&ck Matrix

Initial Access: Valid Accounts
Execution: Command and Scripting Interpreter 1
Persistence: Path Interception
Privilege Escalation: Path Interception
Defense Evasion: Direct Volume Access
Credential Access: OS Credential Dumping
Discovery: Security Software Discovery 1
Lateral Movement: Remote Services
Collection: Data from Local System
Exfiltration: Exfiltration Over Other Network Medium
Command and Control: Data Obfuscation
Network Effects: Eavesdrop on Insecure Network Communication
Remote Service Effects: Remotely Track Device Without Authorization
Impact: Modify System Partition

Malware Configuration

No configs have been found

Behavior Graph

Behavior graph (ID: 449257, Sample: env-helper.sh, Start date: 15/07/2021, Architecture: LINUX, Score: 1)

started -> bash

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

Runtime Messages

Command: bash "/tmp/env-helper.sh"
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:
Standard Error:

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type: Bourne-Again shell script, ASCII text executable
Entropy (8bit): 5.196333957726443
TrID: Linux/ shell script (7007/1) 100.00%
File name: env-helper.sh
File size: 3071
MD5: 7ea975593bc4abf51efda27605b67357
SHA1: e8a358762d62b1ef89b6f284bfb96ed146693bdd
SHA256: b1cfa80fc43bef074517c0c05afc63620331f688bff54d0e5766f9f0ab47697a
SHA512: 86e058238b5616e99f4fa3f29a941a70418931e3ef60c8e91aba24cd0efc37c11962669de382fdc40560bcf877916bb896c7fa27d827b7c6fef60ae5b595d214
SSDEEP: 48:94HaVF4QwSDJAIJAYrKqNfdHc+DK1JsLnnzVSzdxHczdxHz2zdxHkzdiM3TKBK:9NVF4QwSDJAIJAYrKqNfd8+DKvsbnE72

File Content Preview: #!/bin/bash.#This script is supposed for EP without screens and webcamshots.function copyAndCreateNeccessaryFromOld() {. $passw | sudo -S -p $DOCKER_COMPOSE_DIRECTORY/app/application/configs. echo $passw | sudo -S -R yaware:yaware $DOCK

Network Behavior

No network behavior found

System Behavior

Analysis Process: bash PID: 4597 Parent PID: 4519

General

Start time: 13:23:49
Start date: 15/07/2021
Path: /bin/bash
Arguments: /bin/bash /tmp/env-helper.sh
File size: 1037528 bytes
MD5 hash: 5e666695cf08d1638bb85684e30185ee

File Activities

File Read
