ID: 449257
Sample Name: env-helper.sh
Cookbook: defaultlinuxfilecookbook.jbs
Time: 13:23:17
Date: 15/07/2021
Version: 33.0.0 White Diamond

Table of Contents
Table of Contents 2
Linux Analysis Report env-helper.sh 3
Overview 3
  General Information 3
  Detection 3
  Signatures 3
  Classification 3
General Information 3
Process Tree 3
Yara Overview 3
Jbx Signature Overview 3
Mitre Att&ck Matrix 4
Malware Configuration 4
Behavior Graph 4
Antivirus, Machine Learning and Genetic Malware Detection 5
  Initial Sample 5
  Dropped Files 5
  Domains 5
  URLs 5
Domains and IPs 5
  Contacted Domains 5
  Contacted IPs 5
Runtime Messages 6
Joe Sandbox View / Context 6
  IPs 6
  Domains 6
  ASN 6
  JA3 Fingerprints 6
  Dropped Files 6
Created / dropped Files 6
Static File Info 6
  General 6
Network Behavior 7
System Behavior 7
  Analysis Process: bash PID: 4597 Parent PID: 4519 7
  General 7
  File Activities 7
  File Read 7
Copyright Joe Security LLC 2021

Linux Analysis Report env-helper.sh
Overview
General Information
Sample Name: env-helper.sh
Analysis ID: 449257
MD5: 7ea975593bc4ab…
SHA1: e8a358762d62b1…
SHA256: b1cfa80fc43bef0…
Infos:

Detection
Score: 1
Range: 0 - 100
Whitelisted: false
(detection scale: malicious / suspicious / clean)

Signatures
Sample contains strings that are pot…
Uses the "uname" system call to qu…

Classification
(classification chart categories: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware)
General Information
Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 449257
Start date: 15.07.2021
Start time: 13:23:17
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 3m 58s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: env-helper.sh
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 59.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
Analysis Mode: default
Detection: CLEAN
Classification: clean1.linSH@0/0@0/0
Process Tree
system is lnxubuntu1
  bash (PID: 4597, Parent: 4519, MD5: 5e666695cf08d1638bb85684e30185ee) Arguments: /bin/bash /tmp/env-helper.sh
    cleanup
Yara Overview
No yara matches
Jbx Signature Overview
• System Summary
• Malware Analysis System Evasion

There are no malicious signatures.
Mitre Att&ck Matrix
Initial Access: Valid Accounts
Execution: Command and Scripting Interpreter (1)
Persistence: Path Interception
Privilege Escalation: Path Interception
Defense Evasion: Direct Volume Access
Credential Access: OS Credential Dumping
Discovery: Security Software Discovery (1)
Lateral Movement: Remote Services
Collection: Data from Local System
Exfiltration: Exfiltration Over Other Network Medium
Command and Control: Data Obfuscation
Network Effects: Eavesdrop on Insecure Network Communication
Remote Service Effects: Remotely Track Device Without Authorization
Impact: Modify System Partition
Malware Configuration
No configs have been found
Behavior Graph
(behavior graph: ID: 449257, Sample: env-helper.sh, Startdate: 15/07/2021, Architecture: LINUX, Score: 1; legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Number of created Files, Is malicious, Internet)
  started → bash
Antivirus, Machine Learning and Genetic Malware Detection
Initial Sample
No Antivirus matches
Dropped Files
No Antivirus matches
Domains
No Antivirus matches
URLs
No Antivirus matches
Domains and IPs
Contacted Domains
No contacted domains info
Contacted IPs
No contacted IP infos
Runtime Messages
Command: bash "/tmp/env-helper.sh"
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:
Standard Error:
Joe Sandbox View / Context
IPs
No context
Domains
No context
ASN
No context
JA3 Fingerprints
No context
Dropped Files
No context
Created / dropped Files
No created / dropped files found
Static File Info
General
File type: Bourne-Again shell script, ASCII text executable
Entropy (8bit): 5.196333957726443
TrID: Linux/UNIX shell script (7007/1) 100.00%
File name: env-helper.sh
File size: 3071
MD5: 7ea975593bc4abf51efda27605b67357
SHA1: e8a358762d62b1ef89b6f284bfb96ed146693bdd
SHA256: b1cfa80fc43bef074517c0c05afc63620331f688bff54d0e5766f9f0ab47697a
SHA512: 86e058238b5616e99f4fa3f29a941a70418931e3ef60c8e91aba24cd0efc37c11962669de382fdc40560bcf877916bb896c7fa27d827b7c6fef60ae5b595d214
SSDEEP: 48:94HaVF4QwSDJAIJAYrKqNfdHc+DK1JsLnnzVSzdxHczdxHz2zdxHkzdiM3TKBK:9NVF4QwSDJAIJAYrKqNfd8+DKvsbnE72

General
File Content Preview:
  #!/bin/bash
  #This script is supposed for EP without screens and webcamshots
  function copyAndCreateNeccessaryFromOld() {
    echo $passw | sudo -S mkdir -p $DOCKER_COMPOSE_DIRECTORY/app/application/configs
    echo $passw | sudo -S chown -R yaware:yaware $DOCK
Network Behavior
No network behavior found
System Behavior
Analysis Process: bash PID: 4597 Parent PID: 4519

General
Start time: 13:23:49
Start date: 15/07/2021
Path: /bin/bash
Arguments: /bin/bash /tmp/env-helper.sh
File size: 1037528 bytes
MD5 hash: 5e666695cf08d1638bb85684e30185ee
File Activities
File Read