Analysis Report

Overview

General Information

| Field | Value |
|---|---|
| Joe Sandbox Version: | 22.0.0 |
| Analysis ID: | 570649 |
| Start time: | 15:04:55 |
| Joe Sandbox Product: | Cloud |
| Start date: | 31.05.2018 |
| Overall analysis duration: | 0h 1m 49s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Sample file name: | SYbGPGPJHy |
| Cookbook file name: | defaultlinuxfilecookbook.jbs |
| Analysis system description: | CentOS Linux 7.4 x64 (Kernel 3.10.0-693, Firefox 52.6.0, Document Viewer 3.22.1) |
| Detection: | MAL |
| Classification: | mal60.evad.troj.lin@0/0@0/0 |
Detection

| Strategy | Score | Range | Detection |
|---|---|---|---|
| Threshold | 60 | 0 - 100 | MAL |
Classification

Signature Overview
AV Detection:

- Antivirus detection for submitted file
  - Source: SYbGPGPJHy | Avira:

Networking:

- Urls found in memory or binary data
  - Source: SYbGPGPJHy | String found in binary or memory:
  - Source: SYbGPGPJHy | String found in binary or memory:
  - Source: SYbGPGPJHy | String found in binary or memory:
Persistence and Installation Behavior:

- Sample reads /proc/mounts (often used for finding a writable filesystem)
  - Source: /tmp/SYbGPGPJHy (PID: 5449) | File:
- Tries to open /proc/mtd (commonly found in embedded devices)
  - Source: /tmp/SYbGPGPJHy (PID: 5449) | File:
System Summary:

- Sample has stripped symbol table
  - Source: ELF static info symbol of initial sample | .symtab present:
- Classification label
  - Source: classification engine | Classification label: mal60.evad.troj.lin@0/0@0/0
Hooking and other Techniques for Hiding and Protection:

- Sample deletes itself
  - Source: /tmp/SYbGPGPJHy (PID: 5449) | File:
Runtime Messages

| Field | Value |
|---|---|
| Command: | /tmp/SYbGPGPJHy |
| Exit Code: | 0 |
| Exit Code Info: | |
| Killed: | False |
| Standard Output: | |
| Standard Error: | |
Behavior Graph
Yara Overview

| Scope | Result |
|---|---|
| Initial Sample | No yara matches |
| PCAP (Network Traffic) | No yara matches |
| Dropped Files | No yara matches |
| Memory Dumps | No yara matches |
| Unpacked PEs | No yara matches |
Antivirus Detection

Initial Sample

| Source | Detection | Scanner | Label |
|---|---|---|---|
| SYbGPGPJHy | 100% | Avira | LINUX/VPNFilter.pudcs |

| Scope | Result |
|---|---|
| Dropped Files | No Antivirus matches |
| Unpacked PE Files | No Antivirus matches |
| Domains | No Antivirus matches |
| URLs | No Antivirus matches |
Startup

Created / dropped Files

No created / dropped files found
Contacted Domains/Contacted IPs

Contacted Domains

No contacted domains info

Contacted IPs
Public

| IP | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|
| 23.23.114.123 | United States | 14618 | AMAZON-AES-AmazoncomIncUS | false |
Static File Info

General

| Field | Value |
|---|---|
| File type: | |
| Entropy (8bit): | 6.550877035088508 |
| TrID: | |
| File name: | SYbGPGPJHy |
| File size: | 296600 |
| MD5: | 87049e223dd922dc1d8180c83e2fde77 |
| SHA1: | 8a189f0c6a69efeaed1916860a0ff74e424563f6 |
| SHA256: | d6097e942dd0fdc1fb28ec1814780e6ecc169ec6d24f9954e71954eedbc4c70e |
| SHA512: | 0d6e0bbbd68af12c9c258d79d9d5286cac732d2f0bf77ce956bd8277b8656e30513df27e4df3369f0aa440402ecb7751a30cf9c830227abc4b7fda3dd9ce414c |
| File Content Preview: | .ELF....................h...4...........4. ...(......................}...}..........................8...d...........Q.td............................U..S.......w....h........[]...$.............U......=@....t..1....$......$.......u........t...$...........@. |
Static ELF Info

ELF header

| Field | Value |
|---|---|
| Class: | |
| Data: | |
| Version: | |
| Machine: | |
| Version Number: | |
| Type: | |
| OS/ABI: | |
| ABI Version: | |
| Entry Point Address: | |
| Flags: | |
| ELF Header Size: | |
| Program Header Offset: | |
| Program Header Size: | |
| Number of Program Headers: | |
| Section Header Offset: | |
| Section Header Size: | |
| Number of Section Headers: | |
| Header String Table Index: | |
Sections

| Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align |
|---|---|---|---|---|---|---|---|---|---|---|
| | NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | | 0 | 0 | 0 |
| .init | PROGBITS | 0x8048094 | 0x94 | 0x1c | 0x0 | 0x6 | AX | 0 | 0 | 1 |
| .text | PROGBITS | 0x80480b0 | 0xb0 | 0x3eb24 | 0x0 | 0x6 | AX | 0 | 0 | 16 |
| .fini | PROGBITS | 0x8086bd4 | 0x3ebd4 | 0x17 | 0x0 | 0x6 | AX | 0 | 0 | 1 |
| .rodata | PROGBITS | 0x8086c00 | 0x3ec00 | 0x9102 | 0x0 | 0x2 | A | 0 | 0 | 32 |
| .eh_frame | PROGBITS | 0x808fd04 | 0x47d04 | 0x4 | 0x0 | 0x2 | A | 0 | 0 | 4 |
| .ctors | PROGBITS | 0x8090000 | 0x48000 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4 |
| .dtors | PROGBITS | 0x8090008 | 0x48008 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4 |
| .jcr | PROGBITS | 0x8090010 | 0x48010 | 0x4 | 0x0 | 0x3 | WA | 0 | 0 | 4 |
| .got.plt | PROGBITS | 0x8090014 | 0x48014 | 0xc | 0x4 | 0x3 | WA | 0 | 0 | 4 |
| .data | PROGBITS | 0x8090020 | 0x48020 | 0x418 | 0x0 | 0x3 | WA | 0 | 0 | 32 |
| .bss | NOBITS | 0x8090440 | 0x48438 | 0x18724 | 0x0 | 0x3 | WA | 0 | 0 | 32 |
| .shstrtab | STRTAB | 0x0 | 0x48438 | 0x56 | 0x0 | 0x0 | | 0 | 0 | 1 |
Program Segments

| Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Flags | Flags Description | Align | Prog Interpreter | Section Mappings |
|---|---|---|---|---|---|---|---|---|---|---|
| LOAD | 0x0 | 0x8048000 | 0x8048000 | 0x47d08 | 0x47d08 | 0x5 | R E | 0x1000 | | .init .text .fini .rodata .eh_frame |
| LOAD | 0x48000 | 0x8090000 | 0x8090000 | 0x438 | 0x18b64 | 0x6 | RW | 0x1000 | | .ctors .dtors .jcr .got.plt .data .bss |
| GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0x6 | RW | 0x4 | | |
Network Behavior

Network Port Distribution

TCP Packets

| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| May 31, 2018 15:08:39.873014927 CEST | 36366 | 80 | 192.168.1.101 | 23.23.114.123 |
| May 31, 2018 15:08:39.873183966 CEST | 80 | 36366 | 23.23.114.123 | 192.168.1.101 |
| May 31, 2018 15:08:39.873306990 CEST | 36366 | 80 | 192.168.1.101 | 23.23.114.123 |
System Behavior

General

| Field | Value |
|---|---|
| Start time: | 15:08:21 |
| Start date: | 31/05/2018 |
| Path: | /tmp/SYbGPGPJHy |
| Arguments: | /tmp/SYbGPGPJHy |
| File size: | 0 bytes |
| MD5 hash: | unknown |

General

| Field | Value |
|---|---|
| Start time: | 15:08:21 |
| Start date: | 31/05/2018 |
| Path: | /tmp/SYbGPGPJHy |
| Arguments: | n/a |
| File size: | 0 bytes |
| MD5 hash: | unknown |