
ID: 170338
Sample Name: busybox
Cookbook: defaultlinuxfilecookbook.jbs
Time: 11:03:41
Date: 04/09/2019
Version: 26.0.0 Aquamarine

Table of Contents

Table of Contents 2
Analysis Report busybox 3
  Overview 3
    General Information 3
    Detection 3
    Classification 3
    Mitre Att&ck Matrix 4
    Signature Overview 4
      Networking: 5
      System Summary: 5
      Malware Analysis System Evasion: 5
    Runtime Messages 5
    Behavior Graph 6
    Yara Overview 7
      Initial Sample 7
      PCAP (Network Traffic) 7
      Dropped Files 7
    Joe Sandbox View / Context 7
      IPs 7
      Domains 8
      ASN 8
      JA3 Fingerprints 8
      Dropped Files 8
    Antivirus, Machine Learning and Genetic Malware Detection 8
      Initial Sample 8
      Dropped Files 8
      Domains 8
      URLs 8
    Startup 9
    Created / dropped Files 9
    Domains and IPs 9
      Contacted Domains 9
      URLs from Memory and Binaries 9
      Contacted IPs 9
        Public 9
    Static File Info 9
      General 10
      Static ELF Info 10
        ELF header 10
        Sections 10
        Program Segments 11
    Network Behavior 11
      TCP Packets 11
    System Behavior 11
      Analysis Process: busybox PID: 20760 Parent PID: 20706 11
        General 11

Copyright Joe Security LLC 2019 Page 2 of 11

Analysis Report busybox

Overview

General Information

Joe Sandbox Version: 26.0.0 Aquamarine
Analysis ID: 170338
Start date: 04.09.2019
Start time: 11:03:41
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 3s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: busybox
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu 16.04 x64 (Kernel 4.4.0-116, Firefox 59.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
Detection: CLEAN
Classification: clean2.lin@0/0@0/0

Detection

Strategy    Score   Range     Reporting   Whitelisted   Detection
Threshold   2       0 - 100               false

Classification

[Classification chart (image): the sample is rated on the scale clean / suspicious / malicious across the categories Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot and Adware.]

Mitre Att&ck Matrix

A trailing number marks a technique that matched one or more signatures in this analysis.

Initial Access: Valid Accounts; Replication Through Removable Media; Drive-by Compromise
Execution: Command-Line Interface 1; Service Execution; Windows Management Instrumentation
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features
Privilege Escalation: Port Monitors; Accessibility Features; Path Interception
Defense Evasion: File System Logical Offsets; Binary Padding; Rootkit
Credential Access: Credential Dumping; Network Sniffing; Input Capture
Discovery: Security Software Discovery 1; Application Window Discovery; Query Registry
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Exfiltration: Data Encrypted 1; Exfiltration Over Other Network Medium; Automated Exfiltration
Command and Control: Standard Cryptographic Protocol 1; Standard Non-Application Layer Protocol 1; Standard Application Layer Protocol 1

Signature Overview

• Networking
• System Summary
• Malware Analysis System Evasion

Networking:

Connects to IPs without corresponding DNS lookups

Urls found in memory or binary data

Uses HTTPS

System Summary:

Sample contains strings indicative of BusyBox (embeds multiple commands in a single binary)

Sample contains strings that are potentially command strings

Sample has stripped symbol table

Classification label

Malware Analysis System Evasion:

Uses the "" system call to query kernel version information (possible evasion)

Runtime Messages

Command: /tmp/busybox
Exit Code: 0
Exit Code Info:
Killed: False

Standard Output:

BusyBox v1.27.2 (Ubuntu 1:1.27.2-2ubuntu3.2) multi-call binary. BusyBox is copyrighted by many authors between 1998-2015. Licensed under GPLv2. See source distribution for detailed copyright notices.

Usage: busybox [function [arguments]...] or: busybox --list[-full] or: busybox --install [-s] [DIR] or: function [arguments]...

BusyBox is a multi-call binary that combines many common Unix utilities into a single executable. The shell in this build is configured to run built-in utilities without $PATH search. You don't need to install a link to busybox for each utility. To run external program; use full path (/sbin/ip instead of ip).

Currently defined functions: [; [[; acpid; adjtimex; ar; arp; arping; ash; ; basename; blkdiscard; blockdev; brctl; bunzip2; bzcat; bzip2; cal; ; chgrp; ; chown; chpasswd; chroot; chvt; clear; cmp; ; cpio; crond; crontab; cttyhack; cut; date; dc; ; deallocvt; depmod; devmem; ; diff; dirname; ; dnsdomainname; dos2unix; dpkg; dpkg-deb; du; dumpkmap; dumpleases; ; ed; egrep; env; expand; expr; factor; fallocate; false; fatattr; fdisk; fgrep; ; fold; free; freeramdisk; fsfreeze; fstrim; ftpget; ftpput; getopt; ; ; groups; gunzip; ; halt; head; hexdump; hostid; hostname; httpd; hwclock; i2cdetect; i2cdump; i2cget; i2cset; id; ifconfig; ifdown; ifup; ; insmod; ionice; ip; ipcalc; ipneigh; ; killall; klogd; last; ; link; linux32; linux64; linuxrc; ; loadfont; loadkmap; logger; login; logname; logread; losetup; ; lsmod; lsscsi; lzcat; lzma; lzop; ; mdev; microcom; ; mkdosfs; mke2fs; mkfifo; mknod; mkpasswd; mkswap; mktemp; modinfo; modprobe; ; ; mt; ; nameif; nc; ; nl; nproc; nsenter; nslookup; od; openvt; partprobe; passwd; paste; patch; pidof; ping; ping6; pivot_root; poweroff; printf; ; ; rdate; readlink; realpath; reboot; renice; reset; rev; ; ; rmmod; ; rpm; rpm2cpio; run-parts; ; seq; setkeycodes; setpriv; setsid; sh; ; sha256sum; sha512sum; shred; shuf; ; sort; ssl_client; start-stop-daemon; ; static-sh; strings; stty; ; sulogin; svc; swapoff; swapon; switch_root; ; ; syslogd; tac; ; ; taskset; ; telnet; telnetd; ; tftp; time; timeout; ; ; ; ; traceroute6; true; truncate; tty; tunctl; ubirename; udhcpc; udhcpd; uevent; umount; uname; uncompress; ; ; ; unlink; unlzma; unshare; unxz; unzip; ; usleep; uudecode; uuencode; vconfig; ; w; ; watchdog; ; ; which; ; ; ; xxd; xz; xzcat; ; zcat

Standard Error:

Behavior Graph

[Behavior graph (image). Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is malicious, Internet, Number of created Files. Graph header: ID 170338, Sample busybox, Startdate 04/09/2019, Architecture LINUX, Score 2. Nodes: busybox (started) with a connection to 91.189.92.41, 443, 58830 (ASN unknown, United Kingdom).]

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Joe Sandbox View / Context

IPs

Match          Associated Sample Name / URL                      Detection
91.189.92.41   Ytw3Nb0oMZ.bin                                    malicious
               mirai.x86                                         malicious
               178.128.161.173/Pemex.sh                          malicious
               86ac68e5b09d1c4b157193bb6cb34007_shentsize.elf    malicious
               86ac68e5b09d1c4b157193bb6cb34007_shentsize.elf    malicious
               173.208.186.54/g.txt                              malicious
               zmcat.txt                                         malicious
               81.6.42.123/a_thk.sh                              malicious
               63250ebdf69c4bf280c3b8cc82600a75                  malicious
               akdlsj.sh                                         malicious
               f4cdc407                                          malicious
               a.sh                                              malicious
               4Zcb1GzjZE                                        malicious
               sqlninja_0.2.6-r1-1raring0_all.deb                malicious
               8x868                                             malicious
               31.13.195.251/ECHO/ECHOBOT.mips                   malicious
               cron                                              malicious
               zSvWo                                             malicious
               x86_64                                            malicious
               KzFtsE2yzc.bin                                    malicious

Domains

No context

ASN

Match     Associated Sample Name / URL                          Detection   Context
unknown   request.doc                                           malicious   192.168.0.44
          FERK444259.doc                                        malicious   192.168.0.44
          b392e93a5753601db564e6f2dc6a945aac3861bc31e2c1e5e7    malicious   192.168.0.40
          f3cd4e5bb150a4.js Setup.exe                           malicious   192.168.0.40
          base64.pdf                                            malicious   192.168.0.40
          file.pdf                                              malicious   192.168.0.40
          Spread sheet 2.pdf                                    malicious   192.168.0.40
          request_08.30.doc                                     malicious   192.168.0.44
          P_2038402.xlsx                                        malicious   192.168.0.44
          48b1cf747a678641566cd1778777ca72.apk                  malicious   192.168.0.22
          seu nome na lista de favorecidos.exe                  malicious   192.168.0.40
          Adm_Boleto.via2.com                                   malicious   192.168.0.40
          QuitacaoVotorantim345309.exe                          malicious   192.168.0.40
          pptxb.pdf                                             malicious   192.168.0.40

JA3 Fingerprints

No context

Dropped Files

No context

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source    Detection   Scanner      Label
busybox   0%          virustotal

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Startup

system is lnxubuntu1
busybox (PID: 20760, Parent: 20706, MD5: fb228ea7b9b953f66576b9653acb64a8) Arguments: /tmp/busybox
cleanup

Created / dropped Files

No created / dropped files found

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Contacted IPs

[IP location map (image). Legend: No. of IPs < 25%; 25% < No. of IPs < 50%; 50% < No. of IPs < 75%; 75% < No. of IPs.]

Public

IP             Country          ASN     ASN Name   Malicious
91.189.92.41   United Kingdom   41231   unknown    false

Static File Info

General

File type: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, for GNU/Linux 3.2.0, BuildID[sha1]=4da2c17557aa874a0ddb321eb9dd6fd1218d3145, stripped
Entropy (8bit): 6.512273054654377
TrID: ELF Executable and Linkable format (generic) (4004/1) 53.36%; Java embedded in Visual Basic Script (3500/0) 46.64%
File name: busybox
File size: 2062296
MD5: fb228ea7b9b953f66576b9653acb64a8
SHA1: d38e97c47373ac1496230e0765b99e68050d952a
SHA256: 4fedf825de7934ba5b9208ad91080f5f9f12b727f47fb5ebb780a2ff4c2b65f9
SHA512: c04250808954d27657166f2c87197e4c323aca16fd32d9fdba26baee6537b1cf98e6595081d90dddfb018979ec06f9b8439909e2225a2da236d2bf5be4703218
SSDEEP: 49152:0IxrCM8R1Y9hqV0b8gLbhg7PKTA3yeSILgkR:n8IHPdhgrKUTSI
File Content Preview: .ELF...... >...... @.....@...... Xp...... @.8...@...... @...... @....._...... _...... 0...... 0.~.....0.~ ...... @...... @.....D...... D...... 0...... 0.~....

Static ELF Info

ELF header

Class: ELF64
Data: 2's complement, little endian
Version: 1 (current)
Machine: Advanced Micro Devices X86-64
Version Number: 0x1
Type: EXEC (Executable file)
OS/ABI: UNIX - Linux
ABI Version: 0
Address: 0x400ca0
Flags: 0x0
ELF Header Size: 64
Program Header Offset: 64
Program Header Size: 56
Number of Program Headers: 6
Section Header Offset: 2060376
Section Header Size: 64
Number of Section Headers: 30
Header String Table Index: 29

Sections

Name                      Type        Address    Offset     Size       EntSize  Flags  Flags Description  Link  Info  Align
                          NULL        0x0        0x0        0x0        0x0      0x0                       0     0     0
.note.ABI-tag             NOTE        0x400190   0x190      0x20       0x0      0x2    A                  0     0     4
.note.gnu.build-id        NOTE        0x4001b0   0x1b0      0x24       0x0      0x2    A                  0     0     4
.rela.plt                 RELA        0x4001d8   0x1d8      0x3c0      0x18     0x42   AI                 0     19    8
.init                     PROGBITS    0x400598   0x598      0x17       0x0      0x6    AX                 0     0     4
.plt                      PROGBITS    0x4005b0   0x5b0      0x140      0x0      0x6    AX                 0     0     8
.text                     PROGBITS    0x4006f0   0x6f0      0x19b108   0x0      0x6    AX                 0     0     16
__libc_freeres_fn         PROGBITS    0x59b800   0x19b800   0x1a32     0x0      0x6    AX                 0     0     16
__libc_thread_freeres_fn  PROGBITS    0x59d240   0x19d240   0x1292     0x0      0x6    AX                 0     0     16
.fini                     PROGBITS    0x59e4d4   0x19e4d4   0x9        0x0      0x6    AX                 0     0     4
.rodata                   PROGBITS    0x59e4e0   0x19e4e0   0x38ff7    0x0      0x2    A                  0     0     32
.stapsdt.base             PROGBITS    0x5d74d7   0x1d74d7   0x1        0x0      0x2    A                  0     0     1
.eh_frame                 PROGBITS    0x5d74d8   0x1d74d8   0x14d38    0x0      0x2    A                  0     0     8
.gcc_except_table         PROGBITS    0x5ec210   0x1ec210   0x24f      0x0      0x2    A                  0     0     1
.tdata                    PROGBITS    0x7ecb30   0x1ecb30   0x30       0x0      0x403  WAT                0     0     8
.tbss                     NOBITS      0x7ecb60   0x1ecb60   0x62       0x0      0x403  WAT                0     0     8
.init_array               INIT_ARRAY  0x7ecb60   0x1ecb60   0x10       0x8      0x3    WA                 0     0     8
.fini_array               FINI_ARRAY  0x7ecb70   0x1ecb70   0x10       0x8      0x3    WA                 0     0     8
.data.rel.ro              PROGBITS    0x7ecb80   0x1ecb80   0x61e8     0x0      0x3    WA                 0     0     32
.got                      PROGBITS    0x7f2d68   0x1f2d68   0x290      0x8      0x3    WA                 0     0     8
.data                     PROGBITS    0x7f3000   0x1f3000   0x1eb6     0x0      0x3    WA                 0     0     32
__libc_subfreeres         PROGBITS    0x7f4eb8   0x1f4eb8   0xc8       0x0      0x3    WA                 0     0     8
__libc_IO_vtables         PROGBITS    0x7f4f80   0x1f4f80   0x9a8      0x0      0x3    WA                 0     0     32
__libc_atexit             PROGBITS    0x7f5928   0x1f5928   0x8        0x0      0x3    WA                 0     0     8
__libc_thread_subfreeres  PROGBITS    0x7f5930   0x1f5930   0x18       0x0      0x3    WA                 0     0     8
.bss                      NOBITS      0x7f5960   0x1f5948   0x3ae8     0x0      0x3    WA                 0     0     32
__libc_freeres_ptrs       NOBITS      0x7f9448   0x1f5948   0x70       0x0      0x3    WA                 0     0     8
.note.stapsdt             NOTE        0x0        0x1f5948   0x1574     0x0      0x0                       0     0     4
.gnu_debuglink            PROGBITS    0x0        0x1f6ebc   0x34       0x0      0x0                       0     0     4
.shstrtab                 STRTAB      0x0        0x1f6ef0   0x163      0x0      0x0                       0     0     1

Program Segments

Type        Offset     Virtual Address  Physical Address  File Size  Memory Size  Flags  Flags Description  Align
LOAD        0x0        0x400000         0x400000          0x1ec45f   0x1ec45f     0x5    R E                0x200000
LOAD        0x1ecb30   0x7ecb30         0x7ecb30          0x8e18     0xc988       0x6    RW                 0x200000
NOTE        0x190      0x400190         0x400190          0x44       0x44         0x4    R                  0x4
(missing)   0x1ecb30   0x7ecb30         0x7ecb30          0x30       0x92         0x4    R                  0x8
GNU_STACK   0x0        0x0              0x0               0x0        0x0          0x6    RW                 0x10
GNU_RELRO   0x1ecb30   0x7ecb30         0x7ecb30          0x64d0     0x64d0       0x4    R                  0x1

Prog Interpreter: none (statically linked).

Section Mappings:
LOAD (0x400000): .note.ABI-tag .note.gnu.build-id .rela.plt .init .plt .text __libc_freeres_fn __libc_thread_freeres_fn .fini .rodata .stapsdt.base .eh_frame .gcc_except_table
LOAD (0x7ecb30): .init_array .fini_array .data.rel.ro .got .data __libc_subfreeres __libc_IO_vtables __libc_atexit __libc_thread_subfreeres .bss __libc_freeres_ptrs
NOTE: .note.ABI-tag .note.gnu.build-id
GNU_RELRO: .init_array .fini_array .data.rel.ro .got

Network Behavior

TCP Packets

System Behavior

Analysis Process: busybox PID: 20760 Parent PID: 20706

General

Start time: 11:14:07
Start date: 04/09/2019
Path: /tmp/busybox
Arguments: /tmp/busybox
File size: 2062296 bytes
MD5 hash: fb228ea7b9b953f66576b9653acb64a8

