Analysis Report
Overview
General Information | |
---|---|
Joe Sandbox Version: | 22.0.0 |
Analysis ID: | 570647 |
Start time: | 15:03:11 |
Joe Sandbox Product: | Cloud |
Start date: | 31.05.2018 |
Overall analysis duration: | 0h 1m 53s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | G8ALAX2D6Q |
Cookbook file name: | defaultlinuxfilecookbook.jbs |
Analysis system description: | CentOS Linux 7.4 x64 (Kernel 3.10.0-693, Firefox 52.6.0, Document Viewer 3.22.1) |
Detection: | MAL |
Classification: | mal64.troj.lin@0/5@1/0 |
Detection |
---|
Strategy | Score | Range | Reporting | Detection |
---|---|---|---|---|
Threshold | 64 | 0 - 100 | Report FP / FN | MAL |
Classification |
---|
Signature Overview |
---|
AV Detection: |
---|
Antivirus detection for submitted file |
Source: G8ALAX2D6Q | Avira: LINUX/VPNFilter.2 |
Networking: |
---|
Downloads files from webservers via HTTP |
Source: global traffic | HTTP traffic detected: |
Performs DNS lookups |
Source: unknown | DNS traffic detected: |
Posts data to webserver |
Source: unknown | HTTP traffic detected: |
Urls found in memory or binary data |
Source: G8ALAX2D6Q | String found in binary or memory: |
Source: G8ALAX2D6Q | String found in binary or memory: |
Source: G8ALAX2D6Q | String found in binary or memory: |
Source: G8ALAX2D6Q | String found in binary or memory: |
Source: G8ALAX2D6Q | String found in binary or memory: |
Persistence and Installation Behavior: |
---|
Sample tries to persist itself using cron |
Source: /tmp/G8ALAX2D6Q (PID: 5458) | File: |
Writes certificate files to disk |
Source: /tmp/G8ALAX2D6Q (PID: 5457) | CRT file created: |
Source: /tmp/G8ALAX2D6Q (PID: 5457) | CRT file created: |
Source: /tmp/G8ALAX2D6Q (PID: 5457) | KEY file created: |
Data Obfuscation: |
---|
Sample tries to access files in /etc/config/ (typical for OpenWRT routers) |
Source: /tmp/G8ALAX2D6Q (PID: 5458) | File: |
Source: /tmp/G8ALAX2D6Q (PID: 5458) | File: |
PID-file does not contain an ASCII number |
Source: /tmp/G8ALAX2D6Q (PID: 5457) | /run/msvf.pid: |
System Summary: |
---|
Detected VPNFilter malware |
Source: /tmp/G8ALAX2D6Q (PID: 5457) | File access: |
Sample has stripped symbol table |
Source: ELF static info symbol of initial sample | .symtab present: |
Classification label |
Source: classification engine | Classification label: mal64.troj.lin@0/5@1/0 |
Runtime Messages | |
---|---|
Command: | /tmp/G8ALAX2D6Q |
Exit Code: | 0 |
Exit Code Info: | |
Killed: | False |
Standard Output: | |
Standard Error: | |
Behavior Graph |
---|
Yara Overview |
---|
Initial Sample |
---|
No yara matches |
---|
PCAP (Network Traffic) |
---|
No yara matches |
---|
Dropped Files |
---|
No yara matches |
---|
Memory Dumps |
---|
No yara matches |
---|
Unpacked PEs |
---|
No yara matches |
---|
Antivirus Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
G8ALAX2D6Q | 100% | Avira | LINUX/VPNFilter.2 | |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
No Antivirus matches |
---|
Startup |
---|
Created / dropped Files |
---|
Dropped file 1 | |
---|---|
Process: | /tmp/G8ALAX2D6Q |
File Type: | |
Size (bytes): | 28 |
Entropy (8bit): | 3.7368489059491363 |
Encrypted: | false |
MD5: | D7EFC12F170A74043554D4ACDB81742B |
SHA1: | F45337256CD4D1BFA42C5208BA4625E74EE9E6C1 |
SHA-256: | AE66D1B01482BD2C233C3A0F0FA2E8109E185CEDEE63361E1D70C1E4B6EB1990 |
SHA-512: | DEE2C1C0349DE0A5EF6C3AD7273183FA1A9E57A9C3BDC13B4FCCDC783C6DCCBA2106587D7921D79EB2CB281E6023412C8522E3D5E4CC10114307F4895E559099 |
Malicious: | true |
Reputation: | low |
Dropped file 2 | |
---|---|
Process: | /tmp/G8ALAX2D6Q |
File Type: | |
Size (bytes): | 1899 |
Entropy (8bit): | 5.965013126160445 |
Encrypted: | false |
MD5: | 0DDF8C83FD85AECA53E724EF264232AD |
SHA1: | 5D1F9B94DD30C0519E68263A1CA2326CEA843046 |
SHA-256: | 127AD41D34C54BC351BB145E7ED7EAB42C926C8E2C006EA4AA90DF7999CC24E1 |
SHA-512: | 8EAC6311E89A18B48BFA64852D529A41106CD10CB2864CF77ABAB9E4F952A8157773430FDBFC7B804E95B9A3A1013398E068DB7ABCCD3C7662BFEFE098CA342B |
Malicious: | false |
Reputation: | low |
Dropped file 3 | |
---|---|
Process: | /tmp/G8ALAX2D6Q |
File Type: | |
Size (bytes): | 3276 |
Entropy (8bit): | 6.032573470234318 |
Encrypted: | false |
MD5: | 968933D82A8EC3995A807BAFE6E82393 |
SHA1: | DE9C4F3CA94AC4B6567C0F52C3EF4F99D3B6B55D |
SHA-256: | CE928106D82DC4AC55895D0F2FA70953D8B9BB27AA0214C4D6CBA7AF108F7BE7 |
SHA-512: | BE34C3DE84CC4ECB252D0BDAEBC9C05D10E3712384CED90F8AD2A4D136DB406B0D89F34411ED8CD3D5AF7D60366BEAB16E02CAC0D75BD59F88C2AEC0DD90F95B |
Malicious: | false |
Reputation: | low |
Dropped file 4 | |
---|---|
Process: | /tmp/G8ALAX2D6Q |
File Type: | |
Size (bytes): | 1899 |
Entropy (8bit): | 5.986670811979033 |
Encrypted: | false |
MD5: | 258C484846192767695641ECEE66C1C4 |
SHA1: | 4A45C9048F7A8380D2096E73688CE116180F59EE |
SHA-256: | 5C1F705AB9E959DF3C51F9361FE34E2288AA50E1C5C16F927EA0CBF875466C16 |
SHA-512: | D4926639E9A744C6B4D4CDC96ECAE6BAF03FDC4304AF666010ACC678F512D7B782D828812E1F52D6E7660CAB83153A2A4636CFAF4F4188B2BE24BF7EDD5EAD6E |
Malicious: | false |
Reputation: | low |
Dropped file 5 | |
---|---|
Process: | /tmp/G8ALAX2D6Q |
File Type: | |
Size (bytes): | 7 |
Entropy (8bit): | 2.5216406363433186 |
Encrypted: | false |
MD5: | E30B65CE778CD9B97B3A7F242944751A |
SHA1: | 0F46F6BA194FD7CF93DFA92F814B8BCB5EA945AD |
SHA-256: | BA128481ED486FFD236641165C463AA556E14CE739585F8447BEE3C8FF1D8D61 |
SHA-512: | 81AFDC6033CEE4C8B713E842C2643ACC401817F179784BD6CD7706C5600C7DB28961DD0EEAB7321433A3D2592C030DDD517A299CB42C59B9A0786F0B477097DC |
Malicious: | true |
Reputation: | low |
Contacted Domains/Contacted IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
photobucket.com | 209.17.68.100 | true | false | | high |
Contacted URLs |
---|
Name | Process |
---|---|
Contacted IPs |
---|
Public |
---|
IP | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
209.17.68.100 | United States | | 14173 | PHOTOBUCKET-PHOTOBUCKETCOMINCUS | false |
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 6.596056353176078 |
TrID: | |
File name: | G8ALAX2D6Q |
File size: | 291256 |
MD5: | 5f358afee76f2a74b1a3443c6012b27b |
SHA1: | 4ac8d962c6072b77f157c5d6459b887a658d66d5 |
SHA256: | 0e0094d9bd396a6594da8e21911a3982cd737b445f591581560d766755097d92 |
SHA512: | 3954c3ce8d679cbe71073b1136d59645ebbf2bc804767e894f3b6c9ce236c463910703a5494658134a25665cbecc4842e8b221ffedd682ac47b1a44100add3c1 |
File Content Preview: | .ELF....................h...4....o......4. ...(......................I...I...............P..........X....w..........Q.td............................U..S.......wO...h........[]...$.............U......=`....t..1....$......$.......u........t...$...........`. |
Static ELF Info |
---|
ELF header | |
---|---|
Class: | |
Data: | |
Version: | |
Machine: | |
Version Number: | |
Type: | |
OS/ABI: | |
ABI Version: | |
Entry Point Address: | |
Flags: | |
ELF Header Size: | |
Program Header Offset: | |
Program Header Size: | |
Number of Program Headers: | |
Section Header Offset: | |
Section Header Size: | |
Number of Section Headers: | |
Header String Table Index: | |
Sections |
---|
Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align |
---|---|---|---|---|---|---|---|---|---|---|
| NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | | 0 | 0 | 0 |
.init | PROGBITS | 0x8048094 | 0x94 | 0x1c | 0x0 | 0x6 | AX | 0 | 0 | 1 |
.text | PROGBITS | 0x80480b0 | 0xb0 | 0x3a7d4 | 0x0 | 0x6 | AX | 0 | 0 | 16 |
.fini | PROGBITS | 0x8082884 | 0x3a884 | 0x17 | 0x0 | 0x6 | AX | 0 | 0 | 1 |
.rodata | PROGBITS | 0x80828a0 | 0x3a8a0 | 0xa102 | 0x0 | 0x2 | A | 0 | 0 | 32 |
.eh_frame | PROGBITS | 0x808c9a4 | 0x449a4 | 0x4 | 0x0 | 0x2 | A | 0 | 0 | 4 |
.ctors | PROGBITS | 0x808d000 | 0x45000 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4 |
.dtors | PROGBITS | 0x808d008 | 0x45008 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4 |
.jcr | PROGBITS | 0x808d010 | 0x45010 | 0x4 | 0x0 | 0x3 | WA | 0 | 0 | 4 |
.got.plt | PROGBITS | 0x808d014 | 0x45014 | 0xc | 0x4 | 0x3 | WA | 0 | 0 | 4 |
.data | PROGBITS | 0x808d020 | 0x45020 | 0x1f38 | 0x0 | 0x3 | WA | 0 | 0 | 32 |
.bss | NOBITS | 0x808ef60 | 0x46f58 | 0x5824 | 0x0 | 0x3 | WA | 0 | 0 | 32 |
.shstrtab | STRTAB | 0x0 | 0x46f58 | 0x56 | 0x0 | 0x0 | | 0 | 0 | 1 |
Program Segments |
---|
Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Flags | Flags Description | Align | Prog Interpreter | Section Mappings |
---|---|---|---|---|---|---|---|---|---|---|
LOAD | 0x0 | 0x8048000 | 0x8048000 | 0x449a8 | 0x449a8 | 0x5 | R E | 0x1000 | | .init .text .fini .rodata .eh_frame |
LOAD | 0x45000 | 0x808d000 | 0x808d000 | 0x1f58 | 0x7784 | 0x6 | RW | 0x1000 | | .ctors .dtors .jcr .got.plt .data .bss |
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0x6 | RW | 0x4 | | |
Network Behavior |
---|
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
May 31, 2018 15:04:43.957227945 CEST | 34436 | 53 | 192.168.1.101 | 8.8.8.8 |
May 31, 2018 15:04:44.039100885 CEST | 53 | 34436 | 8.8.8.8 | 192.168.1.101 |
May 31, 2018 15:04:44.040004969 CEST | 48274 | 80 | 192.168.1.101 | 209.17.68.100 |
May 31, 2018 15:04:44.040065050 CEST | 80 | 48274 | 209.17.68.100 | 192.168.1.101 |
May 31, 2018 15:04:44.040221930 CEST | 48274 | 80 | 192.168.1.101 | 209.17.68.100 |
May 31, 2018 15:04:44.040450096 CEST | 48274 | 80 | 192.168.1.101 | 209.17.68.100 |
May 31, 2018 15:04:44.040482998 CEST | 80 | 48274 | 209.17.68.100 | 192.168.1.101 |
May 31, 2018 15:04:44.682279110 CEST | 80 | 48274 | 209.17.68.100 | 192.168.1.101 |
May 31, 2018 15:04:44.682624102 CEST | 48274 | 80 | 192.168.1.101 | 209.17.68.100 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
May 31, 2018 15:04:43.957227945 CEST | 34436 | 53 | 192.168.1.101 | 8.8.8.8 |
May 31, 2018 15:04:44.039100885 CEST | 53 | 34436 | 8.8.8.8 | 192.168.1.101 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
May 31, 2018 15:04:43.957227945 CEST | 192.168.1.101 | 8.8.8.8 | 0xe6d | Standard query (0) | | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
May 31, 2018 15:04:44.039100885 CEST | 8.8.8.8 | 192.168.1.101 | 0xe6d | No error (0) | | | 209.17.68.100 | A (IP address) | IN (0x0001) |
HTTP Request Dependency Graph |
---|
HTTP Packets |
---|
Session ID | Source IP | Source Port | Destination IP | Destination Port |
---|---|---|---|---|
0 | 192.168.1.101 | 48274 | 209.17.68.100 | 80 |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
May 31, 2018 15:04:44.040450096 CEST | 0 | OUT | |
May 31, 2018 15:04:44.682279110 CEST | 1 | IN | |
System Behavior |
---|
General |
---|
Start time | Start date | Path | Arguments | File size | MD5 hash |
---|---|---|---|---|---|
15:04:13 | 31/05/2018 | /tmp/G8ALAX2D6Q | /tmp/G8ALAX2D6Q | 291256 bytes | 5f358afee76f2a74b1a3443c6012b27b |
15:04:13 | 31/05/2018 | /tmp/G8ALAX2D6Q | n/a | 291256 bytes | 5f358afee76f2a74b1a3443c6012b27b |
15:04:13 | 31/05/2018 | /tmp/G8ALAX2D6Q | n/a | 291256 bytes | 5f358afee76f2a74b1a3443c6012b27b |