Search in progress...
Analysis Report
Overview
General Information |
|---|
| Joe Sandbox Version: | 22.0.0 |
| Analysis ID: | 570649 |
| Start time: | 15:04:55 |
| Joe Sandbox Product: | Cloud |
| Start date: | 31.05.2018 |
| Overall analysis duration: | 0h 1m 49s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Sample file name: | SYbGPGPJHy |
| Cookbook file name: | defaultlinuxfilecookbook.jbs |
| Analysis system description: | CentOS Linux 7.4 x64 (Kernel 3.10.0-693, Firefox 52.6.0, Document Viewer 3.22.1) |
| Detection: | MAL |
| Classification: | mal60.evad.troj.lin@0/0@0/0 |
Detection |
|---|
| Strategy | Score | Range | Reporting | Detection | |
|---|---|---|---|---|---|
| Threshold | 60 | 0 - 100 | Report FP / FN |  | |
Classification |
|---|
Signature Overview |
|---|
Click to jump to signature section
AV Detection: |   |
|---|
| Antivirus detection for submitted file | Show sources | ||
| Source: SYbGPGPJHy | Avira: | ||
Networking: | |
|---|
| Urls found in memory or binary data | Show sources | ||
| Source: SYbGPGPJHy | String found in binary or memory: | ||
| Source: SYbGPGPJHy | String found in binary or memory: | ||
| Source: SYbGPGPJHy | String found in binary or memory: | ||
Persistence and Installation Behavior: | |
|---|
| Sample reads /proc/mounts (often used for finding a writable filesystem) | Show sources | ||
| Source: /tmp/SYbGPGPJHy (PID: 5449) | File: | ||
| Tries to open /proc/mtd (commonly found in embedded devices) | Show sources | ||
| Source: /tmp/SYbGPGPJHy (PID: 5449) | File: | ||
System Summary: | |
|---|
| Sample has stripped symbol table | Show sources | ||
| Source: ELF static info symbol of initial sample | .symtab present: | ||
| Classification label | Show sources | ||
| Source: classification engine | Classification label: | ||
Hooking and other Techniques for Hiding and Protection: | |
|---|
| Sample deletes itself | Show sources | ||
| Source: /tmp/SYbGPGPJHy (PID: 5449) | File: | ||
Runtime Messages |
|---|
| Command: | /tmp/SYbGPGPJHy |
| Exit Code: | 0 |
| Exit Code Info: | |
| Killed: | False |
| Standard Output: | |
| Standard Error: |
Behavior Graph |
|---|
Is Dropped
Number of created Files
Is maliciousYara Overview |
|---|
Initial Sample |
|---|
| No yara matches |
|---|
PCAP (Network Traffic) |
|---|
| No yara matches |
|---|
Dropped Files |
|---|
| No yara matches |
|---|
Memory Dumps |
|---|
| No yara matches |
|---|
Unpacked PEs |
|---|
| No yara matches |
|---|
Antivirus Detection |
|---|
Initial Sample |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 100% | Avira | LINUX/VPNFilter.pudcs |
Dropped Files |
|---|
| No Antivirus matches |
|---|
Unpacked PE Files |
|---|
| No Antivirus matches |
|---|
Domains |
|---|
| No Antivirus matches |
|---|
URLs |
|---|
| No Antivirus matches |
|---|
Startup |
|---|
|
Created / dropped Files |
|---|
| No created / dropped files found |
|---|
Contacted Domains/Contacted IPs |
|---|
Contacted Domains |
|---|
| No contacted domains info |
|---|
Contacted IPs |
|---|
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
Public |
|---|
| IP | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 23.23.114.123 | United States | 14618 | AMAZON-AES-AmazoncomIncUS | false |
Static File Info |
|---|
General | |
|---|---|
| File type: | |
| Entropy (8bit): | 6.550877035088508 |
| TrID: |
|
| File name: | SYbGPGPJHy |
| File size: | 296600 |
| MD5: | 87049e223dd922dc1d8180c83e2fde77 |
| SHA1: | 8a189f0c6a69efeaed1916860a0ff74e424563f6 |
| SHA256: | d6097e942dd0fdc1fb28ec1814780e6ecc169ec6d24f9954e71954eedbc4c70e |
| SHA512: | 0d6e0bbbd68af12c9c258d79d9d5286cac732d2f0bf77ce956bd8277b8656e30513df27e4df3369f0aa440402ecb7751a30cf9c830227abc4b7fda3dd9ce414c |
| File Content Preview: | .ELF....................h...4...........4. ...(......................}...}..........................8...d...........Q.td............................U..S.......w....h........[]...$.............U......=@....t..1....$......$.......u........t...$...........@. |
Static ELF Info |
|---|
ELF header | |
|---|---|
| Class: | |
| Data: | |
| Version: | |
| Machine: | |
| Version Number: | |
| Type: | |
| OS/ABI: | |
| ABI Version: | |
| Entry Point Address: | |
| Flags: | |
| ELF Header Size: | |
| Program Header Offset: | |
| Program Header Size: | |
| Number of Program Headers: | |
| Section Header Offset: | |
| Section Header Size: | |
| Number of Section Headers: | |
| Header String Table Index: | |
Sections |
|---|
| Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align |
|---|---|---|---|---|---|---|---|---|---|---|
| NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0 | 0 | 0 | ||
| .init | PROGBITS | 0x8048094 | 0x94 | 0x1c | 0x0 | 0x6 | AX | 0 | 0 | 1 |
| .text | PROGBITS | 0x80480b0 | 0xb0 | 0x3eb24 | 0x0 | 0x6 | AX | 0 | 0 | 16 |
| .fini | PROGBITS | 0x8086bd4 | 0x3ebd4 | 0x17 | 0x0 | 0x6 | AX | 0 | 0 | 1 |
| .rodata | PROGBITS | 0x8086c00 | 0x3ec00 | 0x9102 | 0x0 | 0x2 | A | 0 | 0 | 32 |
| .eh_frame | PROGBITS | 0x808fd04 | 0x47d04 | 0x4 | 0x0 | 0x2 | A | 0 | 0 | 4 |
| .ctors | PROGBITS | 0x8090000 | 0x48000 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4 |
| .dtors | PROGBITS | 0x8090008 | 0x48008 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4 |
| .jcr | PROGBITS | 0x8090010 | 0x48010 | 0x4 | 0x0 | 0x3 | WA | 0 | 0 | 4 |
| .got.plt | PROGBITS | 0x8090014 | 0x48014 | 0xc | 0x4 | 0x3 | WA | 0 | 0 | 4 |
| .data | PROGBITS | 0x8090020 | 0x48020 | 0x418 | 0x0 | 0x3 | WA | 0 | 0 | 32 |
| .bss | NOBITS | 0x8090440 | 0x48438 | 0x18724 | 0x0 | 0x3 | WA | 0 | 0 | 32 |
| .shstrtab | STRTAB | 0x0 | 0x48438 | 0x56 | 0x0 | 0x0 | 0 | 0 | 1 |
Program Segments |
|---|
| Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Flags | Flags Description | Align | Prog Interpreter | Section Mappings |
|---|---|---|---|---|---|---|---|---|---|---|
| LOAD | 0x0 | 0x8048000 | 0x8048000 | 0x47d08 | 0x47d08 | 0x5 | R E | 0x1000 | .init .text .fini .rodata .eh_frame | |
| LOAD | 0x48000 | 0x8090000 | 0x8090000 | 0x438 | 0x18b64 | 0x6 | RW | 0x1000 | .ctors .dtors .jcr .got.plt .data .bss | |
| GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0x6 | RW | 0x4 |
Network Behavior |
|---|
Network Port Distribution |
|---|
TCP Packets |
|---|
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| May 31, 2018 15:08:39.873014927 CEST | 36366 | 80 | 192.168.1.101 | 23.23.114.123 |
| May 31, 2018 15:08:39.873183966 CEST | 80 | 36366 | 23.23.114.123 | 192.168.1.101 |
| May 31, 2018 15:08:39.873306990 CEST | 36366 | 80 | 192.168.1.101 | 23.23.114.123 |
System Behavior |
|---|
General |
|---|
| Start time: | 15:08:21 |
| Start date: | 31/05/2018 |
| Path: | /tmp/SYbGPGPJHy |
| Arguments: | /tmp/SYbGPGPJHy |
| File size: | 0 bytes |
| MD5 hash: | unknown |
General |
|---|
| Start time: | 15:08:21 |
| Start date: | 31/05/2018 |
| Path: | /tmp/SYbGPGPJHy |
| Arguments: | n/a |
| File size: | 0 bytes |
| MD5 hash: | unknown |