Automated Malware Analysis Report for ttwJuxNsg0 - Generated by ...
ID: 544874
Sample Name: ttwJuxNsg0
Cookbook: defaultlinuxfilecookbook.jbs
Time: 09:38:32
Date: 24/12/2021
Version: 34.0.0 Boulder Opal
Table of Contents
Linux Analysis Report ttwJuxNsg0
  Overview
    General Information
    Detection
    Signatures
    Classification
    Analysis Advice
  General Information
  Process Tree
  Yara Overview
    Initial Sample
    Memory Dumps
  Jbx Signature Overview
    AV Detection
    Networking
    System Summary
    Hooking and other Techniques for Hiding and Protection
    Stealing of Sensitive Information
    Remote Access Functionality
  Mitre Att&ck Matrix
  Malware Configuration
  Behavior Graph
  Antivirus, Machine Learning and Genetic Malware Detection
    Initial Sample
    Dropped Files
    Domains
    URLs
  Domains and IPs
    Contacted Domains
    Contacted IPs
      Public
  Runtime Messages
  Joe Sandbox View / Context
    IPs
    Domains
    ASN
    JA3 Fingerprints
    Dropped Files
  Created / dropped Files
  Static File Info
    General
    Static ELF Info
      ELF header
      Sections
      Program Segments
  Network Behavior
    Network Port Distribution
    TCP Packets
    UDP Packets
    DNS Queries
    DNS Answers
  System Behavior
    Analysis Process: ttwJuxNsg0 PID: 5217 Parent PID: 5109
      General
      File Activities
        File Deleted
        File Read
    Analysis Process: ttwJuxNsg0 PID: 5221 Parent PID: 5217
      General
    Analysis Process: dash PID: 5261 Parent PID: 4332
      General
    Analysis Process: rm PID: 5261 Parent PID: 4332
      General
      File Activities
        File Deleted
        File Read
Copyright Joe Security LLC 2021 Page 2 of 10
Linux Analysis Report ttwJuxNsg0
Overview
General Information
Sample Name:
ttwJuxNsg0
Analysis ID: 544874
MD5: ddbbde92defa76e…
SHA1: 82380be2072615…
SHA256: 2b344b3180ac1b…
Tags: 32 elf mips mirai
Detection
Mirai
Score: 80
Range: 0 - 100
Whitelisted: false
Signatures
• Malicious sample detected (through community Yara rule)
• Antivirus / Scanner detection for submitted sample
• Yara detected Mirai
• Multi AV Scanner detection for submitted file
• Sample deletes itself
• Connects to many ports of the same IP (likely port scanning)
• Yara signature match
• Sample has stripped symbol table
• Uses the "uname" system call to qu…
• Tries to connect to HTTP servers, b…
• Detected TCP or UDP traffic on non…
• Executes the "rm" command used to…
• Sample listens on a socket
Classification
Analysis Advice
Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures
All HTTP servers contacted by the sample do not answer. Likely the sample is an old dropper which does no longer work
Static ELF header machine description suggests that the sample might not execute correctly on this machine
General Information
Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 544874
Start date: 24.12.2021
Start time: 09:38:32
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 53s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: ttwJuxNsg0
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Detection: MAL
Classification: mal80.troj.evad.lin@0/0@1/0
Classification chart (rendered as an image in the original report; only its labels survive here): the categories Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader and Miner are each rated on a clean / suspicious / malicious scale. The classification string mal80.troj.evad above marks Trojan / Bot (troj) and Evader (evad) for this sample.
Process Tree
• system is lnxubuntu20
• ttwJuxNsg0 (PID: 5217, Parent: 5109, MD5: 0083f1f0e77be34ad27f849842bbb00c) Arguments: /tmp/ttwJuxNsg0
  • ttwJuxNsg0 New Fork (PID: 5221, Parent: 5217)
• dash New Fork (PID: 5261, Parent: 4332)
  • rm (PID: 5261, Parent: 4332, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.Djd7P6ez0F /tmp/tmp.UevdT7HuhA /tmp/tmp.eK7WYGffW2
• cleanup

The dash/rm pair hangs off parent PID 4332, outside the sample's own tree (5109 → 5217 → 5221), and removes three mktemp-style files under /tmp; the tree labels it "cleanup". Treat that rm as analysis-environment activity rather than sample behaviour when reading the "Executes the rm command" and "Sample deletes itself" signatures.
Jbx Signature Overview
• AV Detection
• Networking
• System Summary
• Persistence and Installation Behavior
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Stealing of Sensitive Information
• Remote Access Functionality

AV Detection:
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Networking:
Connects to many ports of the same IP (likely port scanning)
System Summary:
Malicious sample detected (through community Yara rule)
Hooking and other Techniques for Hiding and Protection:
Sample deletes itself
Stealing of Sensitive Information:
Yara detected Mirai
Remote Access Functionality:
Yara detected Mirai

Yara Overview
Initial Sample
Source | Rule | Description | Author | Strings
ttwJuxNsg0 | Mirai_Botnet_Malware | Detects Mirai Botnet Malware | Florian Roth | 0xfdc0:$x1: POST /cdn-cgi/; 0xf5fc:$s1: LCOGQGPTGP
ttwJuxNsg0 | MAL_ELF_LNX_Mirai_Oct10_2 | Detects ELF malware Mirai related | Florian Roth | 0xfdc0:$c01: 50 4F 53 54 20 2F 63 64 6E 2D 63 67 69 2F 00 00 20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 00 0D 0A 48 6F 73 74 3A
ttwJuxNsg0 | JoeSecurity_Mirai_5 | Yara detected Mirai | Joe Security |
Memory Dumps
Source | Rule | Description | Author | Strings
5217.1.0000000087f48ae6.00000000cd82bb58.r-x.sdmp | Mirai_Botnet_Malware | Detects Mirai Botnet Malware | Florian Roth | 0xfdc0:$x1: POST /cdn-cgi/; 0xf5fc:$s1: LCOGQGPTGP
5217.1.0000000087f48ae6.00000000cd82bb58.r-x.sdmp | MAL_ELF_LNX_Mirai_Oct10_2 | Detects ELF malware Mirai related | Florian Roth | 0xfdc0:$c01: 50 4F 53 54 20 2F 63 64 6E 2D 63 67 69 2F 00 00 20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 00 0D 0A 48 6F 73 74 3A
5217.1.0000000087f48ae6.00000000cd82bb58.r-x.sdmp | JoeSecurity_Mirai_5 | Yara detected Mirai | Joe Security |
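As an added example, not part of the Joe Sandbox report or of the Yara rules it cites, the script below verifies the two string indicators those rules matched: the $c01/$x1 request template at file offset 0xfdc0 and the $s1 string LCOGQGPTGP at 0xf5fc, and maps each offset onto the report's Sections table (both fall in .rodata). It assumes the stock Mirai table key 0xdeadbeef, which the report does not mention; Mirai's table decoder XORs every byte with each of the four key bytes, which collapses to a single XOR with 0x22, and under that key LCOGQGPTGP decodes to "nameserver". The decoder works for any table string, not only this one. The file image is constructed inside the script so the check runs offline.

```python
"""
Added example (not the report's own tooling): check the Yara-matched
indicators of the Mirai sample and decode them.

  $c01 / $x1 at 0xfdc0: the raw HTTP-flood request template
  $s1        at 0xf5fc: "LCOGQGPTGP", a Mirai table string obfuscated
                        with a single-byte XOR key

Assumptions (not stated in the report): the XOR key 0x22 is what Mirai's
table decoder reduces to for its 32-bit key 0xdeadbeef
(0xde ^ 0xad ^ 0xbe ^ 0xef == 0x22). The image below is CONSTRUCTED: zeros
with the two strings placed at the offsets the report printed.
"""
import binascii
from typing import Dict, List, Tuple

# (name, file offset, size) rows copied from the report's Sections table.
SECTIONS: List[Tuple[str, int, int]] = [
    (".init",   0x94,    0x8c),
    (".text",   0x120,   0xf400),
    (".fini",   0xf520,  0x5c),
    (".rodata", 0xf580,  0xc50),
    (".ctors",  0x101d4, 0x8),
    (".dtors",  0x101dc, 0x8),
    (".data",   0x101f0, 0x1c8),
    (".got",    0x103c0, 0x31c),
]

# $c01 exactly as printed in the Yara match table.
C01_HEX = ("50 4F 53 54 20 2F 63 64 6E 2D 63 67 69 2F 00 00 20 48 54 54 50 "
           "2F 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 00 0D 0A "
           "48 6F 73 74 3A")

MIRAI_TABLE_KEY = 0xDEADBEEF  # assumption: stock Mirai key, not from the report


def mirai_xor_byte(key32: int = MIRAI_TABLE_KEY) -> int:
    """XOR with k0, then k1, k2, k3 in turn equals one XOR with k0^k1^k2^k3."""
    k = 0
    for shift in (0, 8, 16, 24):
        k ^= (key32 >> shift) & 0xFF
    return k


def decode_table_string(obfuscated: bytes, key32: int = MIRAI_TABLE_KEY) -> str:
    """Recover a Mirai table string such as the $s1 match 'LCOGQGPTGP'."""
    k = mirai_xor_byte(key32)
    return bytes(b ^ k for b in obfuscated).decode("ascii", "replace")


def c01_template() -> bytes:
    """Bytes of $c01; the NUL bytes are the slots Mirai fills in at runtime."""
    return binascii.unhexlify(C01_HEX.replace(" ", ""))


def section_for_offset(off: int) -> str:
    for name, start, size in SECTIONS:
        if start <= off < start + size:
            return name
    return "<unmapped>"


def build_constructed_image() -> bytes:
    """CONSTRUCTED stand-in for the sample, sized like its first LOAD segment."""
    img = bytearray(0x101d4)
    img[0xf5fc:0xf5fc + 10] = b"LCOGQGPTGP"
    tmpl = c01_template()
    img[0xfdc0:0xfdc0 + len(tmpl)] = tmpl
    return bytes(img)


def scan_image(img: bytes) -> Dict[str, Tuple[int, str, str]]:
    """Locate both indicators; returns name -> (offset, section, decoded value)."""
    found: Dict[str, Tuple[int, str, str]] = {}
    tmpl = c01_template()
    off = img.find(tmpl)
    if off >= 0:
        # $x1 "POST /cdn-cgi/" is the prefix of $c01, hence the shared offset.
        found["$c01"] = (off, section_for_offset(off), tmpl.decode("latin-1"))
    off = img.find(b"LCOGQGPTGP")
    if off >= 0:
        found["$s1"] = (off, section_for_offset(off),
                        decode_table_string(b"LCOGQGPTGP"))
    return found


if __name__ == "__main__":
    for name, (off, sec, val) in sorted(scan_image(build_constructed_image()).items()):
        print(f"{name} @ 0x{off:x} ({sec}): {val!r}")
```

To run this against the real file, replace build_constructed_image() with the bytes of the sample; the offsets reported by scan_image should then equal the ones in the Yara table, and section_for_offset tells you the match sits in read-only data rather than code, which is what a string indicator should do.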
Mitre Att&ck Matrix
One line per tactic, listing the four cells of the matrix in that column. Numbers in parentheses are the report's match counts; cells without a number are unmatched template entries.
Initial Access: Valid Accounts | Default Accounts | Domain Accounts | Local Accounts
Execution: Windows Management Instrumentation | Scheduled Task/Job | At (Linux) | At (Windows)
Persistence: Path Interception | Boot or Logon Initialization Scripts | Logon Script (Windows) | Logon Script (Mac)
Privilege Escalation: Path Interception | Boot or Logon Initialization Scripts | Logon Script (Windows) | Logon Script (Mac)
Defense Evasion: File Deletion (1 1) | Rootkit | Obfuscated Files or Information | Binary Padding
Credential Access: OS Credential Dumping | LSASS Memory | Security Account Manager | NTDS
Discovery: Security Software Discovery (1 1) | Application Window Discovery | Query Registry | System Network Configuration Discovery
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model
Collection: Data from Local System | Data from Removable Media | Data from Network Shared Drive | Input Capture
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Scheduled Transfer
Command and Control: Encrypted Channel (1) | Non-Standard Port (1) | Non-Application Layer Protocol (1) | Application Layer Protocol (2)
Network Effects: Eavesdrop on Insecure Network Communication | Exploit SS7 to Redirect Phone Calls/SMS | Exploit SS7 to Track Device Location | SIM Card Swap
Remote Service Effects: Remotely Track Device Without Authorization | Remotely Wipe Data Without Authorization | Obtain Device Cloud Backups | Carrier Billing Fraud
Impact: Modify System Partition | Device Lockout | Delete Device Data
Malware Configuration
No configs have been found

Behavior Graph
ID: 544874, Sample: ttwJuxNsg0, Startdate: 24/12/2021, Architecture: LINUX, Score: 80
The graph is an image in the original report; its nodes are:
• Process nodes ttwJuxNsg0 (and a second ttwJuxNsg0 it started), dash and rm, joined by "started" edges; signature node "Sample deletes itself"
• Network nodes: 91.200.103.249, ports 17692 and 39606 (COMBAHTON combahton GmbH, DE, Germany); bot.medusabotnet.com; 4 other IPs or domains
• Signature nodes: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 2 other signatures

Antivirus, Machine Learning and Genetic Malware Detection
Initial Sample
Source | Detection | Scanner | Label | Link
ttwJuxNsg0 | 26% | Virustotal | | Browse
ttwJuxNsg0 | 35% | ReversingLabs | Linux.Trojan.Mirai |
ttwJuxNsg0 | 100% | Avira | LINUX/Mirai.bonb |
Dropped Files
No Antivirus matches
Domains
Source | Detection | Scanner | Label | Link
bot.medusabotnet.com | 6% | Virustotal | | Browse
URLs
No Antivirus matches

Domains and IPs
Contacted Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bot.medusabotnet.com | 27.50.49.74 | true | true | 6%, Virustotal, Browse | unknown
Contacted IPs
Public
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
91.200.103.249 | unknown | Germany | | 30823 | COMBAHTON combahton GmbH, DE | true
34.249.145.219 | unknown | United States | | 16509 | AMAZON-02, US | false
109.202.202.202 | unknown | Switzerland | | 13030 | INIT7, CH | false
91.189.91.43 | unknown | United Kingdom | | 41231 | CANONICAL-AS, GB | false
91.189.91.42 | unknown | United Kingdom | | 41231 | CANONICAL-AS, GB | false

Runtime Messages
Command: /tmp/ttwJuxNsg0
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output: 0x00000e9
Standard Error:

Joe Sandbox View / Context
IPs: No context
Domains: No context
ASN: No context
JA3 Fingerprints: No context
Dropped Files: No context

Created / dropped Files
No created / dropped files found
Static File Info
General
File type: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Entropy (8bit): 5.3235392584336845
TrID: ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name: ttwJuxNsg0
File size: 67848
MD5: ddbbde92defa76edae8059222a34b7da
SHA1: 82380be20726153f0dbe9188a0adc075e5ba885c
SHA256: 2b344b3180ac1b257a100a869e1630a4cb71e821c4ab6d00f2f14f6da233643d
SHA512: feb5f120c1001bd23553ca614cbc6f67575e8529ac107743dc638771193fdd28140bfbdee8a9be43320d2e931e2d635af7cbbba81d5dcfd0c3c210bb2b8efa1f
SSDEEP: 1536:Eyiwyri+ZBd1BVyQ4WCYg7ZUtzAZFSowbZnX7:ENHri+rdOYMZIzAZcowbZnX7
File Content Preview: .ELF.....................@.`...4...(.....4. ...(.............@[email protected]............................<...'......!'.......................<...'......!... ....'9... ......................<...'......!........'9.

Static ELF Info
ELF header
Class: ELF32
Data: 2's complement, big endian
Version: 1 (current)
Machine: MIPS R3000
Version Number: 0x1
Type: EXEC (Executable file)
OS/ABI: UNIX - System V
ABI Version: 0
Entry Point Address: 0x400260
Flags: 0x1007
ELF Header Size: 52
Program Header Offset: 52
Program Header Size: 32
Number of Program Headers: 3
Section Header Offset: 67368
Section Header Size: 40
Number of Section Headers: 12
Header String Table Index: 11

Sections
Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align
 | NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | | 0 | 0 | 0
.init | PROGBITS | 0x400094 | 0x94 | 0x8c | 0x0 | 0x6 | AX | 0 | 0 | 4
.text | PROGBITS | 0x400120 | 0x120 | 0xf400 | 0x0 | 0x6 | AX | 0 | 0 | 16
.fini | PROGBITS | 0x40f520 | 0xf520 | 0x5c | 0x0 | 0x6 | AX | 0 | 0 | 4
.rodata | PROGBITS | 0x40f580 | 0xf580 | 0xc50 | 0x0 | 0x2 | A | 0 | 0 | 16
.ctors | PROGBITS | 0x4501d4 | 0x101d4 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
.dtors | PROGBITS | 0x4501dc | 0x101dc | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
.data | PROGBITS | 0x4501f0 | 0x101f0 | 0x1c8 | 0x0 | 0x3 | WA | 0 | 0 | 16
.got | PROGBITS | 0x4503c0 | 0x103c0 | 0x31c | 0x4 | 0x10000003 | WA | 0 | 0 | 16
.sbss | NOBITS | 0x4506dc | 0x106dc | 0x18 | 0x0 | 0x10000003 | WA | 0 | 0 | 4
.bss | NOBITS | 0x450700 | 0x106dc | 0x280 | 0x0 | 0x3 | WA | 0 | 0 | 16
.shstrtab | STRTAB | 0x0 | 0x106dc | 0x49 | 0x0 | 0x0 | | 0 | 0 | 1

Program Segments
Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
LOAD | 0x0 | 0x400000 | 0x400000 | 0x101d0 | 0x101d0 | 3.4221 | 0x5 | R E | 0x10000 | | .init .text .fini .rodata
LOAD | 0x101d4 | 0x4501d4 | 0x4501d4 | 0x508 | 0x7ac | 1.8027 | 0x6 | RW | 0x10000 | | .ctors .dtors .data .got .sbss .bss
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x7 | RWE | 0x4 | |

Two details worth noting when reading these tables: the GNU_STACK segment carries flags 0x7 (RWE), so the stack is mapped executable, and the 0x10000003 flag value on .got and .sbss is WA plus SHF_MIPS_GPREL (0x10000000), the MIPS $gp-relative addressing bit. Both Yara match offsets (0xf5fc and 0xfdc0) fall inside .rodata (file offsets 0xf580 to 0x101d0), which the first LOAD segment maps at 0x40f580.
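Added example, not the report's own tooling: a minimal ELF32 parser for the values the Static ELF Info tables show. It reads the header and program headers of a big-endian ELF32 image, decodes the MIPS e_flags word 0x1007 (noreorder, pic, cpic, o32; arch bits 0 select MIPS-I, matching the file-type string), maps a file offset such as the Yara match at 0xfdc0 back to its load address, and flags the PT_GNU_STACK segment whose flags are RWE. The image it parses is constructed from the header values printed in the report (52-byte header, three 32-byte program headers) and contains no bytes of the sample itself; the flag and segment-type constants are the standard ELF and MIPS ABI values.

```python
"""
Added example (not from the Joe Sandbox report): parse an ELF32 MSB header
and program headers, decode MIPS e_flags, map a file offset to its virtual
address and detect an executable stack.

The image built at the bottom is CONSTRUCTED from the header values in the
report; it is header-only and carries no sample code.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

EM_MIPS = 8
PT_LOAD = 1
PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4

# MIPS e_flags: low bits are ABI/option flags, the top nibble selects the arch.
MIPS_EFLAG_BITS = {0x1: "noreorder", 0x2: "pic", 0x4: "cpic", 0x1000: "o32"}
MIPS_ARCH = {0x0: "mips1", 0x1: "mips2", 0x2: "mips3", 0x3: "mips4",
             0x4: "mips5", 0x5: "mips32", 0x6: "mips64",
             0x7: "mips32r2", 0x8: "mips64r2"}


@dataclass
class Phdr:
    p_type: int
    p_offset: int
    p_vaddr: int
    p_filesz: int
    p_memsz: int
    p_flags: int

    def perms(self) -> str:
        """Render p_flags the way the report's Flags Description column does."""
        return "".join(ch if self.p_flags & bit else "-"
                       for ch, bit in (("R", PF_R), ("W", PF_W), ("E", PF_X)))


@dataclass
class Elf32:
    big_endian: bool
    e_type: int
    e_machine: int
    e_entry: int
    e_flags: int
    phdrs: List[Phdr]


def parse_elf32(img: bytes) -> Elf32:
    if img[:4] != b"\x7fELF" or img[4] != 1:   # EI_CLASS 1 == ELF32
        raise ValueError("not an ELF32 image")
    big = img[5] == 2                            # EI_DATA 2 == MSB
    end = ">" if big else "<"
    (e_type, e_machine, _ver, e_entry, e_phoff, _shoff, e_flags,
     _ehsize, e_phentsize, e_phnum) = struct.unpack_from(end + "HHIIIIIHHH", img, 16)
    phdrs = []
    for i in range(e_phnum):
        fields = struct.unpack_from(end + "8I", img, e_phoff + i * e_phentsize)
        p_type, p_off, p_vaddr, _paddr, filesz, memsz, flags, _align = fields
        phdrs.append(Phdr(p_type, p_off, p_vaddr, filesz, memsz, flags))
    return Elf32(big, e_type, e_machine, e_entry, e_flags, phdrs)


def decode_mips_eflags(e_flags: int) -> List[str]:
    names = [n for bit, n in sorted(MIPS_EFLAG_BITS.items()) if e_flags & bit]
    names.append(MIPS_ARCH.get(e_flags >> 28, "arch?"))
    return names


def executable_stack(elf: Elf32) -> Optional[bool]:
    """True/False from PT_GNU_STACK; None when the segment is absent and the
    kernel applies its per-architecture default instead."""
    for p in elf.phdrs:
        if p.p_type == PT_GNU_STACK:
            return bool(p.p_flags & PF_X)
    return None


def offset_to_vaddr(elf: Elf32, off: int) -> Optional[int]:
    """File offset -> virtual address through the LOAD segment mapping it,
    e.g. to turn a Yara match offset into the address seen in a debugger."""
    for p in elf.phdrs:
        if p.p_type == PT_LOAD and p.p_offset <= off < p.p_offset + p.p_filesz:
            return p.p_vaddr + (off - p.p_offset)
    return None


def build_constructed_image() -> bytes:
    """Header-only image built from the report's values (no sample bytes)."""
    ident = b"\x7fELF" + bytes([1, 2, 1, 0, 0]) + b"\x00" * 7
    ehdr = struct.pack(">HHIIIIIHHHHHH", 2, EM_MIPS, 1, 0x400260, 52, 67368,
                       0x1007, 52, 32, 3, 40, 12, 11)
    ph = struct.pack(">8I", PT_LOAD, 0x0, 0x400000, 0x400000, 0x101d0, 0x101d0, 0x5, 0x10000)
    ph += struct.pack(">8I", PT_LOAD, 0x101d4, 0x4501d4, 0x4501d4, 0x508, 0x7ac, 0x6, 0x10000)
    ph += struct.pack(">8I", PT_GNU_STACK, 0, 0, 0, 0, 0, 0x7, 0x4)
    return ident + ehdr + ph


if __name__ == "__main__":
    elf = parse_elf32(build_constructed_image())
    print("machine", "MIPS" if elf.e_machine == EM_MIPS else elf.e_machine,
          "MSB" if elf.big_endian else "LSB", hex(elf.e_entry))
    print("e_flags", hex(elf.e_flags), decode_mips_eflags(elf.e_flags))
    for p in elf.phdrs:
        print(hex(p.p_type), hex(p.p_offset), hex(p.p_vaddr), p.perms())
    if executable_stack(elf):
        print("WARNING: PT_GNU_STACK is RWE, the stack will be mapped executable")
    print("Yara match 0xfdc0 ->", hex(offset_to_vaddr(elf, 0xfdc0)))
```

Feed the real file to parse_elf32 and the three program headers should come back exactly as in the Program Segments table; an RWE GNU_STACK on a statically linked IoT binary is common with older toolchains, but it is still the first thing to look at when the sample is expected to exploit its own stack-resident buffers.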
Network Behavior
Network Port Distribution
Total Packets: 28
• 53 (DNS)
• 80 (HTTP)
• 443 (HTTPS)
• 17692 undefined
TCP Packets
UDP Packets
DNS Queries
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Dec 24, 2021 09:39:17.045685053 CET | 192.168.2.23 | 8.8.8.8 | 0xe067 | Standard query (0) | bot.medusabotnet.com | A (IP address) | IN (0x0001)
DNS Answers
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Dec 24, 2021 09:39:17.063324928 CET | 8.8.8.8 | 192.168.2.23 | 0xe067 | No error (0) | bot.medusabotnet.com | | 27.50.49.74 | A (IP address) | IN (0x0001)

Port 17692 is the only non-standard port in the distribution and, per the behavior graph, belongs to the connection to 91.200.103.249. Note that the address bot.medusabotnet.com resolved to, 27.50.49.74, does not appear in the Contacted IPs table at all: the DNS answer and the actual C2 peer differ, so both belong in any indicator list derived from this report.
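Added example, not part of the Joe Sandbox report: the two network heuristics the report raised, "Connects to many ports of the same IP (likely port scanning)" and "Detected TCP or UDP traffic on non-standard ports", implemented over connection records. The records are constructed for the example; only the sandbox host 192.168.2.23, the resolver 8.8.8.8, the peer 91.200.103.249 and its ports 17692 and 39606 come from the report. The threshold (5 distinct ports within 60 seconds) and the allow-list of standard ports are assumptions to tune per environment.

```python
"""
Added example (not from the report): port-scan and non-standard-port
heuristics over connection records. CONSTRUCTED_LOG is made up; only
192.168.2.23, 8.8.8.8, 91.200.103.249 and ports 17692 / 39606 are taken
from the report.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class Conn(NamedTuple):
    ts: float      # epoch seconds
    proto: str     # "tcp" or "udp"
    src: str
    dst: str
    dport: int


# Constructed records: "ts proto src dst dport"
CONSTRUCTED_LOG = """\
1640335157.045 udp 192.168.2.23 8.8.8.8 53
1640335158.100 tcp 192.168.2.23 91.200.103.249 17692
1640335158.400 tcp 192.168.2.23 91.200.103.249 39606
1640335158.700 tcp 192.168.2.23 91.200.103.249 80
1640335159.000 tcp 192.168.2.23 91.200.103.249 443
1640335159.300 tcp 192.168.2.23 91.200.103.249 23
1640335159.600 tcp 192.168.2.23 91.200.103.249 2323
1640335160.000 tcp 192.168.2.23 91.189.91.43 443
1640335161.000 tcp 192.168.2.23 34.249.145.219 80
1640335200.000 tcp 192.168.2.23 91.200.103.249 17692
"""

# Assumed allow-list; anything else counts as "non-standard".
STANDARD_PORTS: Dict[str, Set[int]] = {
    "tcp": {22, 25, 80, 443},
    "udp": {53, 123},
}


def parse_log(text: str) -> List[Conn]:
    conns = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, proto, src, dst, dport = line.split()
        conns.append(Conn(float(ts), proto.lower(), src, dst, int(dport)))
    return conns


def port_scan_candidates(conns: List[Conn], threshold: int = 5,
                         window: float = 60.0) -> Dict[str, int]:
    """Destinations that saw >= threshold distinct ports whose first contact
    falls inside `window` seconds. Repeats of one port (a C2 beaconing on
    17692, say) do not inflate the count."""
    first_seen: Dict[str, Dict[int, float]] = defaultdict(dict)
    for c in conns:
        prev = first_seen[c.dst].get(c.dport)
        if prev is None or c.ts < prev:        # logs need not be sorted
            first_seen[c.dst][c.dport] = c.ts
    hits: Dict[str, int] = {}
    for dst, ports in first_seen.items():
        times = sorted(ports.values())
        best, lo = 0, 0
        for hi in range(len(times)):           # sliding window over first-seen times
            while times[hi] - times[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            hits[dst] = best
    return hits


def non_standard_port_traffic(conns: List[Conn]) -> List[Conn]:
    """Connections to ports outside the allow-list, deduplicated by
    (proto, dst, dport) so a beaconing peer yields a single finding."""
    seen: Set[Tuple[str, str, int]] = set()
    out = []
    for c in conns:
        if c.dport in STANDARD_PORTS.get(c.proto, set()):
            continue
        key = (c.proto, c.dst, c.dport)
        if key not in seen:
            seen.add(key)
            out.append(c)
    return out


if __name__ == "__main__":
    conns = parse_log(CONSTRUCTED_LOG)
    for dst, n in port_scan_candidates(conns).items():
        print(f"possible port scan: {dst} ({n} distinct ports)")
    for c in non_standard_port_traffic(conns):
        print(f"non-standard port: {c.proto} {c.dst}:{c.dport}")
```

The sliding window matters because the sandbox run lasted under five minutes: a long-lived C2 session that hops ports over hours should not look like the burst of distinct ports a scanner produces within seconds.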
System Behavior
Analysis Process: ttwJuxNsg0 PID: 5217 Parent PID: 5109
General
Start time: 09:39:16
Start date: 24/12/2021
Path: /tmp/ttwJuxNsg0
Arguments: /tmp/ttwJuxNsg0
File size: 5777432 bytes
MD5 hash: 0083f1f0e77be34ad27f849842bbb00c
File Activities
File Deleted
File Read

The file size and MD5 recorded for PID 5217 are those of the executing binary, not of the 67848-byte sample (MD5 ddbbde92defa76edae8059222a34b7da), which is consistent with the MIPS binary being run through a user-mode emulator on the x64 analysis system; the Analysis Advice above flags the same architecture mismatch.

Analysis Process: ttwJuxNsg0 PID: 5221 Parent PID: 5217
General
Start time: 09:39:16
Start date: 24/12/2021
Path: /tmp/ttwJuxNsg0
Arguments: n/a
File size: 5777432 bytes
MD5 hash: 0083f1f0e77be34ad27f849842bbb00c

Analysis Process: dash PID: 5261 Parent PID: 4332
General
Start time: 09:40:38
Start date: 24/12/2021
Path: /usr/bin/dash
Arguments: n/a
File size: 129816 bytes
MD5 hash: 1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: rm PID: 5261 Parent PID: 4332
General
Start time: 09:40:38
Start date: 24/12/2021
Path: /usr/bin/rm
Arguments: rm -f /tmp/tmp.Djd7P6ez0F /tmp/tmp.UevdT7HuhA /tmp/tmp.eK7WYGffW2
File size: 72056 bytes
MD5 hash: aa2b5496fdbfd88e38791ab81f90b95b
File Activities
File Deleted
File Read