Analysis Report

Overview

General Information

Joe Sandbox Version:	22.0.0
Analysis ID:	570655
Start time:	15:10:49
Joe Sandbox Product:	Cloud
Start date:	31.05.2018
Overall analysis duration:	0h 2m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	ZocPSAcTvQ
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	CentOS Linux 7.4 x64 (Kernel 3.10.0-693, Firefox 52.6.0, Document Viewer 3.22.1)
Detection:	MAL
Classification:	mal60.troj.lin@0/0@0/0

Detection

Strategy	Score	Range	Reporting	Detection
Threshold	60	0 - 100	Report FP / FN

Classification

Signature Overview

Click to jump to signature section

AV Detection:

Antivirus detection for submitted file

Show sources

Source: ZocPSAcTvQ

Avira: Label: LINUX/VPNFilter.denpe

Networking:

Urls found in memory or binary data

Show sources

Source: ZocPSAcTvQ	String found in binary or memory: http://
Source: ZocPSAcTvQ	String found in binary or memory: http://https:///proc/net/tcp
Source: ZocPSAcTvQ	String found in binary or memory: https://

Persistence and Installation Behavior:

Tries to open /proc/mtd (commonly found in embedded devices)

Show sources

Source: /tmp/ZocPSAcTvQ (PID: 5457)

File: /proc/mtd

System Summary:

Detected VPNFilter malware

Show sources

Source: /tmp/ZocPSAcTvQ (PID: 5457)

File access: /var/run/msvf.pid

Sample has stripped symbol table

Show sources

Source: ELF static info symbol of initial sample

.symtab present: no

Classification label

Show sources

Source: classification engine

Classification label: mal60.troj.lin@0/0@0/0

Runtime Messages

Command:	/tmp/ZocPSAcTvQ
Exit Code:
Exit Code Info:
Killed:	True
Standard Output:	Programm started Initializing config structure...ok Decrypting string's constants...Strings count 40: s1; 14 byte:/dev/mtdblock0 s2; 4 byte:exec s3; 4 byte:kill s4; 63 byte:Mozilla/6.1 (compatible; MSIE 9.0; Windows NT 5.3; Trident/5.0) s5; 2 byte:me s6; 3 byte:pxs s7; 2 byte:tr s8; 3 byte:mds s9; 79 byte:{'uq':'%s';'pv':'%s';'ad':'%s';'bv':'0.11.1a/%s';'nn':'%s';'tn':'%s';'on':'%d'} s10; 43 byte:{'uq':'%s';'pv':'%s';'ad':'%s';'prep':'%s'} s11; 10 byte:google.com s12; 6 byte:seturl s13; 10 byte:client.crt s14; 10 byte:client.key s15; 13 byte:client_ca.crt s16; 8 byte:download s17; 3 byte:all s18; 6 byte:reboot s19; 5 byte:proxy s20; 4 byte:port s21; 5 byte:delay s22; 4 byte:copy s23; 3 byte:tor s24; 8 byte:msvf.pid s25; 9 byte:/var/run/ s26; 5 byte:/var/ s27; 5 byte:/tmp/ s28; 32 byte:http://api.ipify.org?format=json s29; 6 byte:px(%s) s30; 9 byte:127.0.0.1 s31; 4 byte:9050 s32; 8 byte:file: s33; 18 byte:%s/file_%d_%d_.bin s34; 15 byte:/proc/%d/status s35; 13 byte:/proc/%d/stat s36; 10 byte:/proc/stat s37; 8 byte:artifice s38; 85 byte:%lu %s %s %lu %lu %lu %lu %lu %lu %lu %lu %lu %lu %lu %lu %lu %lu %lu %lu %lu %lu %lu s39; 5 byte:%s_%s s40; 8 byte:%s?%s=%s Names count 4: n1; 15 byte:pPRXi686QNAPX86 n2; 4 byte:i686 n3; 39 byte:6b57dcnonk2edf5a.onion/bin32/update.php n4; 39 byte:zuh3vcyskd4gipkm.onion/bin32/update.php Start's accounts count 3: a1; 14 byte:91.121.109.209 a2; 13 byte:217.12.202.40 a3; 13 byte:94.242.222.68 Start's panels count 3: a1; 39 byte:6b57dcnonk2edf5a.onion/bin32/update.php a2; 39 byte:zuh3vcyskd4gipkm.onion/bin32/update.php a3; 39 byte:tljmmy4vmkqbdof4.onion/bin32/update.php ok Setup config... Certs not found. Waiting tor module Build id: pPRXi686QNAPX86 Setup programm name...OK(ZocPSAcTvQ) Setup starter version...OK(0.0) Set name for work directories...OK Setup proxy address...OK Setup panel address...OK(91.121.109.209:8443) Setup ip-address...OK(197.231.221.211) Setup programm id...OK(px(08:00:27:03:ac:d2)) Setup nodename...OK(base64(centos-analyzer):Y2VudG9zLWFuYWx5emVy) ok Creating work folders...ok Start main cycle -====================< New main iteration >==========================- Creat request...OK json_obj = {'uq':'px(08:00:27:03:ac:d2)';'pv':'pPRXi686QNAPX86';'ad':'197.231.221.211';'bv':'0.11.1a/0.0';'nn':'Y2VudG9zLWFuYWx5emVy';'tn':'';'on':'1'} Setup connection... Setup connection to panel(1) Setup tcp connection to 127.0.0.1:9050...fail Change connection scheme Setup connection to panel(1) Setup ssl connection to 91.121.109.209...fail Setup ssl connection to 91.121.109.209...fail Setup ssl connection to 91.121.109.209...fail New proxy 217.12.202.40 Setup ssl connection to 217.12.202.40...fail Setup ssl connection to 217.12.202.40...fail Setup ssl connection to 217.12.202.40...fail New proxy 94.242.222.68 Setup ssl connection to 94.242.222.68...fail Setup ssl connection to 94.242.222.68...fail Setup ssl connection to 94.242.222.68...fail New proxy 91.121.109.209
Standard Error:

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Antivirus Detection

Initial Sample

Source	Detection	Scanner	Label	Link
ZocPSAcTvQ	100%	Avira	LINUX/VPNFilter.denpe

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Startup

system is lnxcentos1

ZocPSAcTvQ (PID: 5457, Parent: 5412, MD5: 4912aad5e79c78bc143e71633df9c17b)

cleanup

Created / dropped Files

No created / dropped files found

Contacted Domains/Contacted IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

Static File Info

General
File type:	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.564340128987347
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 50.16% ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:	ZocPSAcTvQ
File size:	304760
MD5:	4912aad5e79c78bc143e71633df9c17b
SHA1:	4abb20f92c04e1118e356936f36359620e998de7
SHA256:	9683b04123d7e9fe4c8c26c69b09c2233f7e1440f828837422ce330040782d17
SHA512:	63000534554fb34e425aff38603e728890155fb1b49d81728cc423e574b9c27ab81b93ac6006d51f912a0b7a3c5f34fdf0c9a092438f1098441d1595649dd520
File Content Preview:	.ELF....................h...4...p.......4. ...(.....................H...H.................... ... .......j..........Q.td............................U..S.......w....h........[]...$.............U......= $...t..1....$ .....$ ......u........t...$D.......... $

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Intel 80386
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x8048168
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	304240
Section Header Size:	40
Number of Section Headers:	13
Header String Table Index:	12

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x8048094	0x94	0x1c	0x0	0x6	AX	1
.text	PROGBITS	0x80480b0	0xb0	0x3faf4	0x0	0x6	AX	16
.fini	PROGBITS	0x8087ba4	0x3fba4	0x17	0x0	0x6	AX	1
.rodata	PROGBITS	0x8087bc0	0x3fbc0	0xa082	0x0	0x2	A	32
.eh_frame	PROGBITS	0x8091c44	0x49c44	0x4	0x0	0x2	A	4
.ctors	PROGBITS	0x8092000	0x4a000	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x8092008	0x4a008	0x8	0x0	0x3	WA	4
.jcr	PROGBITS	0x8092010	0x4a010	0x4	0x0	0x3	WA	4
.got.plt	PROGBITS	0x8092014	0x4a014	0xc	0x4	0x3	WA	4
.data	PROGBITS	0x8092020	0x4a020	0x3f8	0x0	0x3	WA	32
.bss	NOBITS	0x8092420	0x4a418	0x166a4	0x0	0x3	WA	32
.shstrtab	STRTAB	0x0	0x4a418	0x56	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x8048000	0x8048000	0x49c48	0x49c48	0x5	R E	0x1000	.init .text .fini .rodata .eh_frame
LOAD	0x4a000	0x8092000	0x8092000	0x418	0x16ac4	0x6	RW	0x1000	.ctors .dtors .jcr .got.plt .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0x6	RW	0x4

Network Behavior

No network behavior found

System Behavior

Analysis Process: ZocPSAcTvQ PID: 5457 Parent PID: 5412

General

Start time:	15:11:51
Start date:	31/05/2018
Path:	/tmp/ZocPSAcTvQ
Arguments:	/tmp/ZocPSAcTvQ
File size:	304760 bytes
MD5 hash:	4912aad5e79c78bc143e71633df9c17b

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report

Overview

General Information

Detection

Classification

Signature Overview

AV Detection:

Networking:

Persistence and Installation Behavior:

System Summary:

Runtime Messages

Behavior Graph

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Antivirus Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Startup

Created / dropped Files

Contacted Domains/Contacted IPs

Contacted Domains

Contacted IPs

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

System Behavior

Analysis Process: ZocPSAcTvQ PID: 5457 Parent PID: 5412

General

Chronological Activities