Automated Malware Analysis Report for ttwJuxNsg0 - Generated by ...

ID: 544874 Sample Name: ttwJuxNsg0 Cookbook: defaultlinuxfilecookbook.jbs Time: 09:38:32 Date: 24/12/2021 Version: 34.0.0 Boulder Opal


Table of Contents

Linux Analysis Report ttwJuxNsg0
  Overview
    General Information
    Detection
    Signatures
    Classification
    Analysis Advice
  General Information
  Process Tree
  Yara Overview
    Initial Sample
    Memory Dumps
  Jbx Signature Overview
    AV Detection
    Networking
    System Summary
    Hooking and other Techniques for Hiding and Protection
    Stealing of Sensitive Information
    Remote Access Functionality
  Mitre Att&ck Matrix
  Malware Configuration
  Behavior Graph
  Antivirus, Machine Learning and Genetic Malware Detection
    Initial Sample
    Dropped Files
    Domains
    URLs
  Domains and IPs
    Contacted Domains
    Contacted IPs
      Public
  Runtime Messages
  Joe Sandbox View / Context
    IPs
    Domains
    ASN
    JA3 Fingerprints
    Dropped Files
  Created / dropped Files
  Static File Info
    General
  Static ELF Info
    ELF header
    Sections
    Program Segments
  Network Behavior
    Network Port Distribution
    TCP Packets
    UDP Packets
    DNS Queries
    DNS Answers
  System Behavior
    Analysis Process: ttwJuxNsg0 PID: 5217 Parent PID: 5109
      General
      File Activities
        File Deleted
        File Read
    Analysis Process: ttwJuxNsg0 PID: 5221 Parent PID: 5217
      General
    Analysis Process: dash PID: 5261 Parent PID: 4332
      General
    Analysis Process: rm PID: 5261 Parent PID: 4332
      General
      File Activities
        File Deleted
        File Read

Copyright Joe Security LLC 2021 Page 2 of 10

Linux Analysis Report ttwJuxNsg0

Overview

General Information

Sample Name:

ttwJuxNsg0

Analysis ID: 544874

MD5: ddbbde92defa76e…

SHA1: 82380be2072615…

SHA256: 2b344b3180ac1b…

Tags: 32 elf mips mirai

Infos:

Detection

Mirai

Score: 80

Range: 0 - 100

Whitelisted: false

Signatures

Malicious sample detected (through community Yara rule)

Antivirus / Scanner detection for submitted sample

Yara detected Mirai

Multi AV Scanner detection for submitted file

Sample deletes itself

Connects to many ports of the same IP (likely port scanning)

Yara signature match

Sample has stripped symbol table

Uses the "uname" system call to qu…

Tries to connect to HTTP servers, b…

Detected TCP or UDP traffic on non…

Executes the "rm" command used to…

Sample listens on a socket

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures

None of the HTTP servers contacted by the sample answer. The sample is likely an old dropper that no longer works

Static ELF header machine description suggests that the sample might not execute correctly on this machine

General Information

Joe Sandbox Version: 34.0.0 Boulder Opal

Analysis ID: 544874

Start date: 24.12.2021

Start time: 09:38:32

Joe Sandbox Product: CloudBasic

Overall analysis duration: 0h 4m 53s

Hypervisor based Inspection enabled: false

Report type: light

Sample file name: ttwJuxNsg0

Cookbook file name: defaultlinuxfilecookbook.jbs

Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)

Analysis Mode: default

Detection: MAL

Classification: mal80.troj.evad.lin@0/0@1/0

Classification chart (not reproduced here). Categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner. Scale per category: clean, suspicious, malicious.

Process Tree

system is lnxubuntu20

ttwJuxNsg0 (PID: 5217, Parent: 5109, MD5: 0083f1f0e77be34ad27f849842bbb00c) Arguments: /tmp/ttwJuxNsg0
  ttwJuxNsg0 New Fork (PID: 5221, Parent: 5217)
dash New Fork (PID: 5261, Parent: 4332)
  rm (PID: 5261, Parent: 4332, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.Djd7P6ez0F /tmp/tmp.UevdT7HuhA /tmp/tmp.eK7WYGffW2
cleanup

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
ttwJuxNsg0 | Mirai_Botnet_Malware | Detects Mirai Botnet Malware | Florian Roth | 0xfdc0:$x1: POST /cdn-cgi/ ; 0xf5fc:$s1: LCOGQGPTGP
ttwJuxNsg0 | MAL_ELF_LNX_Mirai_Oct10_2 | Detects ELF malware Mirai related | Florian Roth | 0xfdc0:$c01: 50 4F 53 54 20 2F 63 64 6E 2D 63 67 69 2F 00 00 20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 00 0D 0A 48 6F 73 74 3A
ttwJuxNsg0 | JoeSecurity_Mirai_5 | Yara detected Mirai | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
5217.1.0000000087f48ae6.00000000cd82bb58.r-x.sdmp | Mirai_Botnet_Malware | Detects Mirai Botnet Malware | Florian Roth | 0xfdc0:$x1: POST /cdn-cgi/ ; 0xf5fc:$s1: LCOGQGPTGP
5217.1.0000000087f48ae6.00000000cd82bb58.r-x.sdmp | MAL_ELF_LNX_Mirai_Oct10_2 | Detects ELF malware Mirai related | Florian Roth | 0xfdc0:$c01: 50 4F 53 54 20 2F 63 64 6E 2D 63 67 69 2F 00 00 20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 00 0D 0A 48 6F 73 74 3A
5217.1.0000000087f48ae6.00000000cd82bb58.r-x.sdmp | JoeSecurity_Mirai_5 | Yara detected Mirai | Joe Security |

Jbx Signature Overview

• AV Detection

• Networking

• System Summary

• Persistence and Installation Behavior

• Hooking and other Techniques for Hiding and Protection

• Malware Analysis System Evasion

• Stealing of Sensitive Information

• Remote Access Functionality

AV Detection:

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Networking:

Connects to many ports of the same IP (likely port scanning)

System Summary:

Malicious sample detected (through community Yara rule)

Hooking and other Techniques for Hiding and Protection:

Sample deletes itself

Stealing of Sensitive Information:

Yara detected Mirai

Remote Access Functionality:

Yara detected Mirai

Mitre Att&ck Matrix

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts

Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows)

Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)

Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)

Defense Evasion: File Deletion 1 1; Rootkit; Obfuscated Files or Information; Binary Padding

Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS

Discovery: Security Software Discovery 1 1; Application Window Discovery; Query Registry; System Network Configuration Discovery

Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model

Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture

Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer

Command and Control: Encrypted Channel 1; Non-Standard Port 1; Non-Application Layer Protocol 1; Application Layer Protocol 2

Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap

Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud

Impact: Modify System Partition; Device Lockout; Delete Device Data

Malware Configuration

No configs have been found

Behavior Graph

Behavior graph (ID: 544874, Sample: ttwJuxNsg0, Startdate: 24/12/2021, Architecture: LINUX, Score: 80); the graph image is not reproduced here. Recoverable nodes:

• Processes: ttwJuxNsg0 started ttwJuxNsg0 (Sample deletes itself); dash started rm

• Network: 91.200.103.249 (ports 17692, 39606), COMBAHTON combahton GmbH DE, Germany; bot.medusabotnet.com; 4 other IPs or domains

• Signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 2 other signatures

• Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Number of created Files, Is malicious, Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
ttwJuxNsg0 | 26% | Virustotal | | Browse
ttwJuxNsg0 | 35% | ReversingLabs | Linux.Trojan.Mirai |
ttwJuxNsg0 | 100% | Avira | LINUX/Mirai.bonb |

Dropped Files

No Antivirus matches

Domains

Source | Detection | Scanner | Label | Link
bot.medusabotnet.com | 6% | Virustotal | | Browse

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
bot.medusabotnet.com | 27.50.49.74 | true | true | 6%, Virustotal, Browse | unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
91.200.103.249 | unknown | Germany | 30823 | COMBAHTON combahton GmbH DE | true
34.249.145.219 | unknown | United States | 16509 | AMAZON-02 US | false
109.202.202.202 | unknown | Switzerland | 13030 | INIT7 CH | false
91.189.91.43 | unknown | United Kingdom | 41231 | CANONICAL-AS GB | false
91.189.91.42 | unknown | United Kingdom | 41231 | CANONICAL-AS GB | false

Runtime Messages

Command: /tmp/ttwJuxNsg0

Exit Code: 0

Exit Code Info:

Killed: False

Standard Output: 0x00000e9

Standard Error:

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped

Entropy (8bit): 5.3235392584336845

TrID: ELF Executable and Linkable format (generic) (4004/1) 100.00%

File name: ttwJuxNsg0

File size: 67848

MD5: ddbbde92defa76edae8059222a34b7da

SHA1: 82380be20726153f0dbe9188a0adc075e5ba885c

SHA256: 2b344b3180ac1b257a100a869e1630a4cb71e821c4ab6d00f2f14f6da233643d

SHA512: feb5f120c1001bd23553ca614cbc6f67575e8529ac107743dc638771193fdd28140bfbdee8a9be43320d2e931e2d635af7cbbba81d5dcfd0c3c210bb2b8efa1f

SSDEEP: 1536:Eyiwyri+ZBd1BVyQ4WCYg7ZUtzAZFSowbZnX7:ENHri+rdOYMZIzAZcowbZnX7

File Content Preview: .ELF.....................@.`...4...(.....4. ...(.............@[email protected]............................<...'......!'.......................<...'......!... ....'9... ......................<...'......!........'9.

Static ELF Info

ELF header

Class: ELF32

Data: 2's complement, big endian

Version: 1 (current)

Machine: MIPS R3000

Version Number: 0x1

Type: EXEC (Executable file)

OS/ABI: UNIX - System V

ABI Version: 0

Entry Point Address: 0x400260

Flags: 0x1007

ELF Header Size: 52

Program Header Offset: 52

Program Header Size: 32

Number of Program Headers: 3

Section Header Offset: 67368

Section Header Size: 40

Number of Section Headers: 12

Header String Table Index: 11

Sections

Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align
 | NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | | 0 | 0 | 0
.init | PROGBITS | 0x400094 | 0x94 | 0x8c | 0x0 | 0x6 | AX | 0 | 0 | 4
.text | PROGBITS | 0x400120 | 0x120 | 0xf400 | 0x0 | 0x6 | AX | 0 | 0 | 16
.fini | PROGBITS | 0x40f520 | 0xf520 | 0x5c | 0x0 | 0x6 | AX | 0 | 0 | 4
.rodata | PROGBITS | 0x40f580 | 0xf580 | 0xc50 | 0x0 | 0x2 | A | 0 | 0 | 16
.ctors | PROGBITS | 0x4501d4 | 0x101d4 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
.dtors | PROGBITS | 0x4501dc | 0x101dc | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
.data | PROGBITS | 0x4501f0 | 0x101f0 | 0x1c8 | 0x0 | 0x3 | WA | 0 | 0 | 16
.got | PROGBITS | 0x4503c0 | 0x103c0 | 0x31c | 0x4 | 0x10000003 | WA | 0 | 0 | 16
.sbss | NOBITS | 0x4506dc | 0x106dc | 0x18 | 0x0 | 0x10000003 | WA | 0 | 0 | 4
.bss | NOBITS | 0x450700 | 0x106dc | 0x280 | 0x0 | 0x3 | WA | 0 | 0 | 16
.shstrtab | STRTAB | 0x0 | 0x106dc | 0x49 | 0x0 | 0x0 | | 0 | 0 | 1

Program Segments

Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
LOAD | 0x0 | 0x400000 | 0x400000 | 0x101d0 | 0x101d0 | 3.4221 | 0x5 | R E | 0x10000 | | .init .text .fini .rodata
LOAD | 0x101d4 | 0x4501d4 | 0x4501d4 | 0x508 | 0x7ac | 1.8027 | 0x6 | RW | 0x10000 | | .ctors .dtors .data .got .sbss .bss
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x7 | RWE | 0x4 | |

Network Behavior

Network Port Distribution

Total Packets: 28

• 53 (DNS)

• 80 (HTTP)

• 443 (HTTPS)

• 17692 undefined

TCP Packets

UDP Packets

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Dec 24, 2021 09:39:17.045685053 CET | 192.168.2.23 | 8.8.8.8 | 0xe067 | Standard query (0) | bot.medusabotnet.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Dec 24, 2021 09:39:17.063324928 CET | 8.8.8.8 | 192.168.2.23 | 0xe067 | No error (0) | bot.medusabotnet.com | | 27.50.49.74 | A (IP address) | IN (0x0001)

System Behavior

Analysis Process: ttwJuxNsg0 PID: 5217 Parent PID: 5109

General

Start time: 09:39:16

Start date: 24/12/2021

Path: /tmp/ttwJuxNsg0

Arguments: /tmp/ttwJuxNsg0

File size: 5777432 bytes

MD5 hash: 0083f1f0e77be34ad27f849842bbb00c

File Activities

File Deleted

File Read

Analysis Process: ttwJuxNsg0 PID: 5221 Parent PID: 5217

General

Start time: 09:39:16

Start date: 24/12/2021

Path: /tmp/ttwJuxNsg0

Arguments: n/a

File size: 5777432 bytes

MD5 hash: 0083f1f0e77be34ad27f849842bbb00c

Analysis Process: dash PID: 5261 Parent PID: 4332

General

Start time: 09:40:38

Start date: 24/12/2021

Path: /usr/bin/dash

Arguments: n/a

File size: 129816 bytes

MD5 hash: 1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: rm PID: 5261 Parent PID: 4332

General

Start time: 09:40:38

Start date: 24/12/2021

Path: /usr/bin/rm

Arguments: rm -f /tmp/tmp.Djd7P6ez0F /tmp/tmp.UevdT7HuhA /tmp/tmp.eK7WYGffW2

File size: 72056 bytes

MD5 hash: aa2b5496fdbfd88e38791ab81f90b95b

File Activities

File Deleted

File Read