
Analysis Report

Overview

General Information

Joe Sandbox Version:22.0.0
Analysis ID:570647
Start time:15:03:11
Joe Sandbox Product:Cloud
Start date:31.05.2018
Overall analysis duration:0h 1m 53s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:G8ALAX2D6Q
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:CentOS Linux 7.4 x64 (Kernel 3.10.0-693, Firefox 52.6.0, Document Viewer 3.22.1)
Detection:MAL
Classification:mal64.troj.lin@0/5@1/0

Detection

Strategy | Score | Range | Reporting | Detection
Threshold | 64 | 0 - 100 | Report FP / FN | malicious

Classification

Signature Overview


AV Detection:

Antivirus detection for submitted file
Source: G8ALAX2D6Q | Avira: Label: LINUX/VPNFilter.2

Networking:

Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected:
GET /user/nikkireed11/library HTTP/1.1
User-Agent: Mozilla/6.1 (compatible; MSIE 9.0; Windows NT 5.3; Trident/5.0)
Host: photobucket.com
Accept: */*
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: photobucket.com
Posts data to webserver
Source: unknown | HTTP traffic detected:
HTTP/1.1 301 Moved Permanently
Date: Thu, 31 May 2018 13:04:44 GMT
Server: Apache
Set-Cookie: PHPSESSID=tgeq125oprhlaokqoh44eaa5n0; path=/; domain=.photobucket.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: pb_userid=ZTFjYzA0NzYzM2I4Zjc2NDZiMzg3ODBlYjA1MTQ2ZDUkYToxOntzOjc6InRyYWNraWQiO3M6MjU6IjE1Mjc3NzE4ODQuNDkzNzE4ODY2Mjc1MTYiO30%3D; expires=Tue, 18-Jun-2086 16:18:50 GMT; Max-Age=2147483646; path=/; domain=.photobucket.com
Location: http://s1268.photobucket.com/user/nikkireed11/library
Vary: Accept-Encoding
Transfer-Encoding: chunked
Content-Type: text/html
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0
Urls found in memory or binary data
Source: G8ALAX2D6Q | String found in binary or memory: http://
Source: G8ALAX2D6Q | String found in binary or memory: http://api.ipify.org?format=json
Source: G8ALAX2D6Q | String found in binary or memory: http://api.ipify.org?format=json.
Source: G8ALAX2D6Q | String found in binary or memory: http://https://Locationlocation
Source: G8ALAX2D6Q | String found in binary or memory: https://

Persistence and Installation Behavior:

Sample tries to persist itself using cron
Source: /tmp/G8ALAX2D6Q (PID: 5458) | File: /etc/config/crontab
Writes certificate files to disk
Source: /tmp/G8ALAX2D6Q (PID: 5457) | CRT file created: /run/client_ca.crt
Source: /tmp/G8ALAX2D6Q (PID: 5457) | CRT file created: /run/client.crt
Source: /tmp/G8ALAX2D6Q (PID: 5457) | KEY file created: /run/client.key

Data Obfuscation:

Sample tries to access files in /etc/config/ (typical for OpenWRT routers)
Source: /tmp/G8ALAX2D6Q (PID: 5458) | File: /etc/config/crontab
Source: /tmp/G8ALAX2D6Q (PID: 5458) | File: /etc/config/crontab
PID-file does not contain an ASCII number
Source: /tmp/G8ALAX2D6Q (PID: 5457) | /run/msvf.pid: 0.3.9qa

System Summary:

Detected VPNFilter malware
Source: /tmp/G8ALAX2D6Q (PID: 5457) | File access: /var/run/msvf.pid
Sample has stripped symbol table
Source: ELF static info symbol of initial sample | .symtab present: no
Classification label
Source: classification engine | Classification label: mal64.troj.lin@0/5@1/0


Runtime Messages

Command:/tmp/G8ALAX2D6Q
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:
Standard Error:

Behavior Graph


Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
Behavior Graph ID: 570647
Sample: G8ALAX2D6Q
Start date: 31/05/2018
Architecture: LINUX
Score: 64
Network node: photobucket.com (209.17.68.100, ports 48274, 80; PHOTOBUCKET-PHOTOBUCKETCOMINCUS, United States), connected from the top-level node
Signature on the top-level node: Antivirus detection for submitted file
Process G8ALAX2D6Q started
  -> child process G8ALAX2D6Q started; dropped file: /run/msvf.pid (ASCII); signature: Detected VPNFilter malware
    -> child process G8ALAX2D6Q started; dropped file: /etc/config/crontab (ASCII); signatures: Sample tries to access files in /etc/config/ (typical for OpenWRT routers); Sample tries to persist itself using cron

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Antivirus Detection

Initial Sample

Source | Detection | Scanner | Label | Link
G8ALAX2D6Q | 100% | Avira | LINUX/VPNFilter.2 |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Startup

  • system is lnxcentos1
  • G8ALAX2D6Q (PID: 5456, Parent: 5410, MD5: 5f358afee76f2a74b1a3443c6012b27b)
  • cleanup

Created / dropped Files

/etc/config/crontab
Process:/tmp/G8ALAX2D6Q
File Type:ASCII text
Size (bytes):28
Entropy (8bit):3.7368489059491363
Encrypted:false
MD5:D7EFC12F170A74043554D4ACDB81742B
SHA1:F45337256CD4D1BFA42C5208BA4625E74EE9E6C1
SHA-256:AE66D1B01482BD2C233C3A0F0FA2E8109E185CEDEE63361E1D70C1E4B6EB1990
SHA-512:DEE2C1C0349DE0A5EF6C3AD7273183FA1A9E57A9C3BDC13B4FCCDC783C6DCCBA2106587D7921D79EB2CB281E6023412C8522E3D5E4CC10114307F4895E559099
Malicious:true
Reputation:low
/run/client.crt
Process:/tmp/G8ALAX2D6Q
File Type:PEM certificate
Size (bytes):1899
Entropy (8bit):5.965013126160445
Encrypted:false
MD5:0DDF8C83FD85AECA53E724EF264232AD
SHA1:5D1F9B94DD30C0519E68263A1CA2326CEA843046
SHA-256:127AD41D34C54BC351BB145E7ED7EAB42C926C8E2C006EA4AA90DF7999CC24E1
SHA-512:8EAC6311E89A18B48BFA64852D529A41106CD10CB2864CF77ABAB9E4F952A8157773430FDBFC7B804E95B9A3A1013398E068DB7ABCCD3C7662BFEFE098CA342B
Malicious:false
Reputation:low
/run/client.key
Process:/tmp/G8ALAX2D6Q
File Type:ASCII text
Size (bytes):3276
Entropy (8bit):6.032573470234318
Encrypted:false
MD5:968933D82A8EC3995A807BAFE6E82393
SHA1:DE9C4F3CA94AC4B6567C0F52C3EF4F99D3B6B55D
SHA-256:CE928106D82DC4AC55895D0F2FA70953D8B9BB27AA0214C4D6CBA7AF108F7BE7
SHA-512:BE34C3DE84CC4ECB252D0BDAEBC9C05D10E3712384CED90F8AD2A4D136DB406B0D89F34411ED8CD3D5AF7D60366BEAB16E02CAC0D75BD59F88C2AEC0DD90F95B
Malicious:false
Reputation:low
/run/client_ca.crt
Process:/tmp/G8ALAX2D6Q
File Type:PEM certificate
Size (bytes):1899
Entropy (8bit):5.986670811979033
Encrypted:false
MD5:258C484846192767695641ECEE66C1C4
SHA1:4A45C9048F7A8380D2096E73688CE116180F59EE
SHA-256:5C1F705AB9E959DF3C51F9361FE34E2288AA50E1C5C16F927EA0CBF875466C16
SHA-512:D4926639E9A744C6B4D4CDC96ECAE6BAF03FDC4304AF666010ACC678F512D7B782D828812E1F52D6E7660CAB83153A2A4636CFAF4F4188B2BE24BF7EDD5EAD6E
Malicious:false
Reputation:low
/run/msvf.pid
Process:/tmp/G8ALAX2D6Q
File Type:ASCII text, with no line terminators
Size (bytes):7
Entropy (8bit):2.5216406363433186
Encrypted:false
MD5:E30B65CE778CD9B97B3A7F242944751A
SHA1:0F46F6BA194FD7CF93DFA92F814B8BCB5EA945AD
SHA-256:BA128481ED486FFD236641165C463AA556E14CE739585F8447BEE3C8FF1D8D61
SHA-512:81AFDC6033CEE4C8B713E842C2643ACC401817F179784BD6CD7706C5600C7DB28961DD0EEAB7321433A3D2592C030DDD517A299CB42C59B9A0786F0B477097DC
Malicious:true
Reputation:low

Contacted Domains/Contacted IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
photobucket.com | 209.17.68.100 | true | false | | high

Contacted URLs

Name | Process
http://photobucket.com/user/nikkireed11/library | unknown

Contacted IPs


Public

IP | Country | ASN | ASN Name | Malicious
209.17.68.100 | United States | 14173 | PHOTOBUCKET-PHOTOBUCKETCOMINCUS | false

Static File Info

General

File type:ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
Entropy (8bit):6.596056353176078
TrID:
  • ELF Executable and Linkable format (Linux) (4029/14) 50.16%
  • ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:G8ALAX2D6Q
File size:291256
MD5:5f358afee76f2a74b1a3443c6012b27b
SHA1:4ac8d962c6072b77f157c5d6459b887a658d66d5
SHA256:0e0094d9bd396a6594da8e21911a3982cd737b445f591581560d766755097d92
SHA512:3954c3ce8d679cbe71073b1136d59645ebbf2bc804767e894f3b6c9ce236c463910703a5494658134a25665cbecc4842e8b221ffedd682ac47b1a44100add3c1
File Content Preview:.ELF....................h...4....o......4. ...(......................I...I...............P..........X....w..........Q.td............................U..S.......wO...h........[]...$.............U......=`....t..1....$......$.......u........t...$...........`.

Static ELF Info

ELF header

Class:ELF32
Data:2's complement, little endian
Version:1 (current)
Machine:Intel 80386
Version Number:0x1
Type:EXEC (Executable file)
OS/ABI:UNIX - System V
ABI Version:0
Entry Point Address:0x8048168
Flags:0x0
ELF Header Size:52
Program Header Offset:52
Program Header Size:32
Number of Program Headers:3
Section Header Offset:290736
Section Header Size:40
Number of Section Headers:13
Header String Table Index:12

Sections

Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align
 | NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | | 0 | 0 | 0
.init | PROGBITS | 0x8048094 | 0x94 | 0x1c | 0x0 | 0x6 | AX | 0 | 0 | 1
.text | PROGBITS | 0x80480b0 | 0xb0 | 0x3a7d4 | 0x0 | 0x6 | AX | 0 | 0 | 16
.fini | PROGBITS | 0x8082884 | 0x3a884 | 0x17 | 0x0 | 0x6 | AX | 0 | 0 | 1
.rodata | PROGBITS | 0x80828a0 | 0x3a8a0 | 0xa102 | 0x0 | 0x2 | A | 0 | 0 | 32
.eh_frame | PROGBITS | 0x808c9a4 | 0x449a4 | 0x4 | 0x0 | 0x2 | A | 0 | 0 | 4
.ctors | PROGBITS | 0x808d000 | 0x45000 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
.dtors | PROGBITS | 0x808d008 | 0x45008 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
.jcr | PROGBITS | 0x808d010 | 0x45010 | 0x4 | 0x0 | 0x3 | WA | 0 | 0 | 4
.got.plt | PROGBITS | 0x808d014 | 0x45014 | 0xc | 0x4 | 0x3 | WA | 0 | 0 | 4
.data | PROGBITS | 0x808d020 | 0x45020 | 0x1f38 | 0x0 | 0x3 | WA | 0 | 0 | 32
.bss | NOBITS | 0x808ef60 | 0x46f58 | 0x5824 | 0x0 | 0x3 | WA | 0 | 0 | 32
.shstrtab | STRTAB | 0x0 | 0x46f58 | 0x56 | 0x0 | 0x0 | | 0 | 0 | 1

Program Segments

Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
LOAD | 0x0 | 0x8048000 | 0x8048000 | 0x449a8 | 0x449a8 | 0x5 | R E | 0x1000 | | .init .text .fini .rodata .eh_frame
LOAD | 0x45000 | 0x808d000 | 0x808d000 | 0x1f58 | 0x7784 | 0x6 | RW | 0x1000 | | .ctors .dtors .jcr .got.plt .data .bss
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0x6 | RW | 0x4 | |

Network Behavior

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 31, 2018 15:04:43.957227945 CEST | 34436 | 53 | 192.168.1.101 | 8.8.8.8
May 31, 2018 15:04:44.039100885 CEST | 53 | 34436 | 8.8.8.8 | 192.168.1.101
May 31, 2018 15:04:44.040004969 CEST | 48274 | 80 | 192.168.1.101 | 209.17.68.100
May 31, 2018 15:04:44.040065050 CEST | 80 | 48274 | 209.17.68.100 | 192.168.1.101
May 31, 2018 15:04:44.040221930 CEST | 48274 | 80 | 192.168.1.101 | 209.17.68.100
May 31, 2018 15:04:44.040450096 CEST | 48274 | 80 | 192.168.1.101 | 209.17.68.100
May 31, 2018 15:04:44.040482998 CEST | 80 | 48274 | 209.17.68.100 | 192.168.1.101
May 31, 2018 15:04:44.682279110 CEST | 80 | 48274 | 209.17.68.100 | 192.168.1.101
May 31, 2018 15:04:44.682624102 CEST | 48274 | 80 | 192.168.1.101 | 209.17.68.100

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 31, 2018 15:04:43.957227945 CEST | 34436 | 53 | 192.168.1.101 | 8.8.8.8
May 31, 2018 15:04:44.039100885 CEST | 53 | 34436 | 8.8.8.8 | 192.168.1.101

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
May 31, 2018 15:04:43.957227945 CEST | 192.168.1.101 | 8.8.8.8 | 0xe6d | Standard query (0) | photobucket.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
May 31, 2018 15:04:44.039100885 CEST | 8.8.8.8 | 192.168.1.101 | 0xe6d | No error (0) | photobucket.com | | 209.17.68.100 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

  • photobucket.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port
0 | 192.168.1.101 | 48274 | 209.17.68.100 | 80
Timestamp | kBytes transferred | Direction | Data
May 31, 2018 15:04:44.040450096 CEST | 0 | OUT | GET /user/nikkireed11/library HTTP/1.1
User-Agent: Mozilla/6.1 (compatible; MSIE 9.0; Windows NT 5.3; Trident/5.0)
Host: photobucket.com
Accept: */*
May 31, 2018 15:04:44.682279110 CEST | 1 | IN | HTTP/1.1 301 Moved Permanently
Date: Thu, 31 May 2018 13:04:44 GMT
Server: Apache
Set-Cookie: PHPSESSID=tgeq125oprhlaokqoh44eaa5n0; path=/; domain=.photobucket.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: pb_userid=ZTFjYzA0NzYzM2I4Zjc2NDZiMzg3ODBlYjA1MTQ2ZDUkYToxOntzOjc6InRyYWNraWQiO3M6MjU6IjE1Mjc3NzE4ODQuNDkzNzE4ODY2Mjc1MTYiO30%3D; expires=Tue, 18-Jun-2086 16:18:50 GMT; Max-Age=2147483646; path=/; domain=.photobucket.com
Location: http://s1268.photobucket.com/user/nikkireed11/library
Vary: Accept-Encoding
Transfer-Encoding: chunked
Content-Type: text/html
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


System Behavior

General

Start time:15:04:13
Start date:31/05/2018
Path:/tmp/G8ALAX2D6Q
Arguments:/tmp/G8ALAX2D6Q
File size:291256 bytes
MD5 hash:5f358afee76f2a74b1a3443c6012b27b

General

Start time:15:04:13
Start date:31/05/2018
Path:/tmp/G8ALAX2D6Q
Arguments:n/a
File size:291256 bytes
MD5 hash:5f358afee76f2a74b1a3443c6012b27b

General

Start time:15:04:13
Start date:31/05/2018
Path:/tmp/G8ALAX2D6Q
Arguments:n/a
File size:291256 bytes
MD5 hash:5f358afee76f2a74b1a3443c6012b27b