Automated Malware Analysis Report for Cron
Total Page:16
File Type:pdf, Size:1020Kb
ID: 202041 Sample Name: cron Cookbook: defaultlinuxfilecookbook.jbs Time: 02:54:41 Date: 20/01/2020 Version: 28.0.0 Lapis Lazuli Table of Contents Table of Contents 2 Analysis Report cron 4 Overview 4 General Information 4 Detection 4 Classification 4 Mitre Att&ck Matrix 5 Signature Overview 6 AV Detection: 6 Bitcoin Miner: 6 Networking: 6 System Summary: 6 Persistence and Installation Behavior: 6 Malware Analysis System Evasion: 6 Malware Configuration 7 Runtime Messages 7 Behavior Graph 7 Yara Overview 7 Initial Sample 7 PCAP (Network Traffic) 8 Dropped Files 8 Sigma Overview 8 Joe Sandbox View / Context 8 IPs 8 Domains 8 ASN 8 JA3 Fingerprints 9 Dropped Files 9 Antivirus, Machine Learning and Genetic Malware Detection 9 Initial Sample 9 Dropped Files 9 Domains 9 URLs 9 Startup 9 Created / dropped Files 10 Domains and IPs 10 Contacted Domains 10 URLs from Memory and Binaries 10 Contacted IPs 10 Public 11 Static File Info 11 General 11 Static ELF Info 11 ELF header 11 Sections 12 Program Segments 12 Dynamic Tags 12 Symbols 13 Network Behavior 13 Network Port Distribution 13 TCP Packets 13 UDP Packets 13 DNS Queries 13 DNS Answers 14 System Behavior 14 Analysis Process: cron PID: 20755 Parent PID: 20706 14 General 14 File Activities 14 File Read 14 Copyright Joe Security LLC 2020 Page 2 of 17 Directory Enumerated 14 Analysis Process: cron PID: 20758 Parent PID: 20755 14 General 14 Analysis Process: sh PID: 20758 Parent PID: 20755 14 General 15 File Activities 15 File Read 15 File Written 15 Analysis Process: sh PID: 20760 Parent PID: 20758 15 General 15 Analysis Process: rm PID: 20760 Parent PID: 20758 15 General 15 File Activities 15 File Deleted 15 File Read 15 Analysis Process: sh PID: 20762 Parent PID: 20758 15 General 15 Analysis Process: mkdir PID: 20762 Parent PID: 20758 16 General 16 File Activities 16 File Read 16 Directory Created 16 Analysis Process: sh PID: 20768 Parent PID: 20758 16 General 16 Analysis Process: chmod PID: 20768 Parent PID: 20758 16 General 16 File Activities 16 File Read 16 Directory Enumerated 16 Permission Modified 16 Analysis Process: cron PID: 20772 Parent PID: 20755 16 General 16 File Activities 17 File Read 17 File Written 17 Copyright Joe Security LLC 2020 Page 3 of 17 Analysis Report cron Overview General Information Joe Sandbox Version: 28.0.0 Lapis Lazuli Analysis ID: 202041 Start date: 20.01.2020 Start time: 02:54:41 Joe Sandbox Product: CloudBasic Overall analysis duration: 0h 6m 7s Hypervisor based Inspection enabled: false Report type: light Sample file name: cron Cookbook file name: defaultlinuxfilecookbook.jbs Analysis system description: Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 59.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171) Detection: MAL Classification: mal76.troj.mine.lin@0/2@4/0 Warnings: Show All Detection Strategy Score Range Reporting Whitelisted Threat Detection Xmrig Threshold 76 0 - 100 false Classification Copyright Joe Security LLC 2020 Page 4 of 17 Ransomware Miner Spreading mmaallliiiccciiioouusss malicious Evader Phishing sssuusssppiiiccciiioouusss suspicious cccllleeaann clean Exploiter Banker Spyware Trojan / Bot Adware Mitre Att&ck Matrix Remote Initial Privilege Defense Credential Lateral Command Network Service Access Execution Persistence Escalation Evasion Access Discovery Movement Collection Exfiltration and Control Effects Effects Valid Command-Line Hidden Files Port Hidden Files Credential Security Application Data from Data Standard Non- Eavesdrop on Remotely Accounts Interface 1 and Monitors and Dumping Software Deployment Local Compressed Application Insecure Track Device Directories 1 Directories 1 Discovery 1 Software System Layer Network Without Protocol 1 Communication Authorization Replication Scripting 1 Port Monitors Accessibility File and Network File and Remote Data from Exfiltration Standard Exploit SS7 to Remotely Through Features Directory Sniffing Directory Services Removable Over Other Application Redirect Phone Wipe Data Removable Permissions Discovery 1 Media Network Layer Calls/SMS Without Media Modification 1 Medium Protocol 1 Authorization External Windows Accessibility Path Scripting 1 Input System Windows Data from Automated Custom Exploit SS7 to Obtain Remote Management Features Interception Capture Information Remote Network Exfiltration Cryptographic Track Device Device Services Instrumentation Discovery 3 Management Shared Protocol Location Cloud Drive Backups Drive-by Scheduled System DLL Search File Credentials System Logon Input Data Multiband SIM Card Compromise Task Firmware Order Deletion 1 in Files Network Scripts Capture Encrypted Communication Swap Hijacking Configuration Discovery Copyright Joe Security LLC 2020 Page 5 of 17 Signature Overview • AV Detection • Bitcoin Miner • Networking • System Summary • Persistence and Installation Behavior • Malware Analysis System Evasion Click to jump to signature section AV Detection: Antivirus detection for sample Multi AV Scanner detection for submitted file Bitcoin Miner: Yara detected Xmrig cryptocurrency miner Detected Stratum mining protocol Found strings related to Crypto-Mining Reads CPU information from /proc indicative of miner or evasive malware Reads CPU information from /sys indicative of miner or evasive malware Networking: Performs DNS lookups Urls found in memory or binary data System Summary: Sample contains strings that are potentially command strings Sample has stripped symbol table Classification label Persistence and Installation Behavior: Sample reads /proc/mounts (often used for finding a writable filesystem) Counts the number of processes currently running Creates hidden files and/or directories Executes commands using a shell command-line interpreter Executes the "chmod" command used to modify permissions Executes the "mkdir" command used to create folders Executes the "rm" command used to delete files or directories Reads system information from the proc file system Sample tries to set the executable flag Malware Analysis System Evasion: Reads CPU information from /proc indicative of miner or evasive malware Copyright Joe Security LLC 2020 Page 6 of 17 Reads CPU information from /sys indicative of miner or evasive malware Uses the "uname" system call to query kernel version information (possible evasion) Malware Configuration No configs have been found Runtime Messages Command: /tmp/cron Exit Code: 0 Exit Code Info: Killed: False Standard Output: [2020-01-20 03:55:23.995] unable to open '/tmp/config.json'. Standard Error: Behavior Graph Hide Legend Behavior Graph Legend: ID: 202041 Sample: cron Process Startdate: 20/01/2020 Signature Architecture: LINUX Score: 76 Created File DNS/IP Info Is Dropped 45.9.148.125, 45164, 80 Number of created Files unknown debian-package.center Netherlands Is malicious started Internet Antivirus detection Multi AV Scanner detection Yara detected Xmrig 2 other signatures for sample for submitted file cryptocurrency miner cron Sample reads /proc/mounts (often used for finding started started a writable filesystem) cron cron sh started started started sh sh sh rm mkdir chmod Yara Overview Initial Sample Source Rule Description Author Strings Copyright Joe Security LLC 2020 Page 7 of 17 Source Rule Description Author Strings cron JoeSecurity_Xmrig Yara detected Joe Security Xmrig cryptocurrency miner PCAP (Network Traffic) No yara matches Dropped Files No yara matches Sigma Overview No Sigma rule has matched Joe Sandbox View / Context IPs Match Associated Sample Name / URL SHA 256 Detection Link Context 45.9.148.125 anacron Get hash malicious Browse cron Get hash malicious Browse cQLmNrun Get hash malicious Browse Domains Match Associated Sample Name / URL SHA 256 Detection Link Context debian-package.center anacron Get hash malicious Browse 45.9.148.117 cron Get hash malicious Browse 45.9.148.129 cron Get hash malicious Browse 45.9.148.129 ASN Match Associated Sample Name / URL SHA 256 Detection Link Context unknown anacron Get hash malicious Browse 45.9.148.125 testfile Get hash malicious Browse 91.189.92.20 Launcher.apk Get hash malicious Browse 216.58.201.99 5.45.79.15/input/?mark=20200116- Get hash malicious Browse 185.211.246.22 wentontravel.com/cuz&tpl=XXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&engke y=delonghi%20portafilter%20size 5.45.79.15/input/?mark=20200116- Get hash malicious Browse 185.211.246.22 wentontravel.com/cuz&tpl=XXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&engke y=delonghi portafilter size Project2.doc Get hash malicious Browse 51.15.6.128 https://top4top.io/downloadf-11687unj01-rar.html Get hash malicious Browse 54.38.152.27 www.ltyuye.com/wp-admin/rrktd1y-1v-75/ Get hash malicious Browse 23.235.217.105 txfc58.com/wordpress/m2utbn-3ft4c-07947/ Get hash malicious Browse 185.216.11 3.122 instructions 01 18 2020.doc Get hash malicious Browse 23.235.217.105 instructions 01 18 2020.doc Get hash malicious Browse 217.160.5.123 PO987889-JAN-20-20-Order_Quote,pdf.exe Get hash malicious Browse 172.217.23.193 koadic_test_online_9997_rundll.vbs Get hash malicious Browse 79.137.36.9 www.searchnewtabs.com/download Get hash malicious Browse 52.206.61.22 91.92.66.124/..j/ Get hash malicious Browse 91.92.66.124 Copyright Joe Security LLC 2020 Page 8 of 17 Match Associated Sample Name / URL SHA 256 Detection Link Context https://gcc01.safelinks.protection.outlook.com/? Get hash malicious Browse 209.197.3.24 url=https%3A%2F%2Fsway.office.com%2FUN0jHy70XUb7BI Xa%3Fref%3DLink&data=02%7C01%7Cjh.jackson%40trade.g ov%7Cc3e4a0c456a7407e91f408d79a641704%7Ca1d183f26c