Edit tour

Linux Analysis Report
fonts-util

Overview

General Information

Sample name:	fonts-util
Analysis ID:	1413854
MD5:	59d3ad70fb3d22a689fd59a9d3c7767e
SHA1:	985a3cba597f00ff9037d93e411e2f3d45b2b1c7
SHA256:	678a67351a8caecb478c9d783bb4dbe666df16c9fca628b2355be0fc6bc348d9
Infos:

Detection

Score:	88
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Drops files in suspicious directories

Executes the "crontab" command typically for achieving persistence

Sample is packed with UPX

Sample tries to persist itself using .desktop files

Sample tries to persist itself using /etc/profile

Sample tries to persist itself using cron

Detected TCP or UDP traffic on non-standard ports

ELF contains segments with high entropy indicating compressed/encrypted content

Executes commands using a shell command-line interpreter

Reads CPU information from /sys indicative of miner or evasive malware

Reads system information from the proc file system

Sample contains only a LOAD segment without any section mappings

Sample listens on a socket

Uses the "uname" system call to query kernel version information (possible evasion)

Writes shell script file to disk with an unusual file extension

Yara signature match

Classification

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1413854
Start date and time:	2024-03-22 07:50:52 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 88.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
Analysis Mode:	default
Sample name:	fonts-util
Detection:	MAL
Classification:	mal88.spre.troj.evad.lin@0/8@0/0

Warnings

Connection to analysis system has been lost, crash info: Unknown

Process Tree

system is lnxubuntu1

fonts-util (PID: 4721, Parent: 4645, MD5: 59d3ad70fb3d22a689fd59a9d3c7767e) Arguments: /tmp/fonts-util

fonts-util New Fork (PID: 4736, Parent: 4721)

sh (PID: 4736, Parent: 4721, MD5: unknown) Arguments: /bin/sh -c "crontab tmp"

sh New Fork (PID: 4740, Parent: 4736)

crontab (PID: 4740, Parent: 4736, MD5: ff68fd30f0037fd7e9c1fdf5a035f739) Arguments: crontab tmp

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
fonts-util	Linux_Trojan_Generic_d8953ca0	unknown	unknown	0x55db7a:$a: 5B 9C 9C 9C 9C 5C 5D 5E 5F 9C 9C 9C 9C B1 B2 B3 B4 9C 9C 9C 9C

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: fonts-util

Avira: detected

Multi AV Scanner detection for submitted file

Source: fonts-util	ReversingLabs: Detection: 50%
Source: fonts-util	Virustotal: Detection: 46%			Perma Link

Source: /tmp/fonts-util (PID: 4721)

Reads CPU info from /sys: /sys/devices/system/cpu/online

Jump to behavior

Source: unknown

HTTPS traffic detected: 86.59.21.38:443 -> 192.168.2.20:47180 version: TLS 1.2

Source: global traffic

TCP traffic: 192.168.2.20:39498 -> 185.100.86.182:8080

Source: /tmp/fonts-util (PID: 4721)	Socket: 127.0.0.1::41332			Jump to behavior
Source: /tmp/fonts-util (PID: 4721)	Socket: 127.0.0.1::35353			Jump to behavior

Source: unknown	TCP traffic detected without corresponding DNS query: 51.254.147.57
Source: unknown	TCP traffic detected without corresponding DNS query: 51.254.147.57
Source: unknown	TCP traffic detected without corresponding DNS query: 51.254.147.57
Source: unknown	TCP traffic detected without corresponding DNS query: 178.33.183.251
Source: unknown	TCP traffic detected without corresponding DNS query: 178.33.183.251
Source: unknown	TCP traffic detected without corresponding DNS query: 178.33.183.251
Source: unknown	TCP traffic detected without corresponding DNS query: 154.35.175.225
Source: unknown	TCP traffic detected without corresponding DNS query: 154.35.175.225
Source: unknown	TCP traffic detected without corresponding DNS query: 154.35.175.225
Source: unknown	TCP traffic detected without corresponding DNS query: 86.59.21.38
Source: unknown	TCP traffic detected without corresponding DNS query: 185.100.86.182
Source: unknown	TCP traffic detected without corresponding DNS query: 86.59.21.38
Source: unknown	TCP traffic detected without corresponding DNS query: 86.59.21.38
Source: unknown	TCP traffic detected without corresponding DNS query: 185.100.86.182
Source: unknown	TCP traffic detected without corresponding DNS query: 86.59.21.38
Source: unknown	TCP traffic detected without corresponding DNS query: 86.59.21.38
Source: unknown	TCP traffic detected without corresponding DNS query: 86.59.21.38

Source: fonts-util

String found in binary or memory: http://upx.sf.net

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 39214
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 47180
Source: unknown	Network traffic detected: HTTP traffic on port 47180 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 43828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 43828
Source: unknown	Network traffic detected: HTTP traffic on port 39214 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 48932 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 48932

Source: unknown

HTTPS traffic detected: 86.59.21.38:443 -> 192.168.2.20:47180 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: fonts-util, type: SAMPLE

Matched rule: Linux_Trojan_Generic_d8953ca0 Author: unknown

Source: LOAD without section mappings

Program segment: 0x400000

Source: fonts-util, type: SAMPLE

Matched rule: Linux_Trojan_Generic_d8953ca0 reference_sample = 552753661c3cc7b3a4326721789808482a4591cb662bc813ee50d95f101a3501, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Generic, fingerprint = 16ab55f99be8ed2a47618978a335a8c68369563c0a4d0a7ff716b5d4c9e0785c, id = d8953ca0-f1f1-4d76-8c80-06f16998ba03, last_modified = 2022-01-26

Source: classification engine

Classification label: mal88.spre.troj.evad.lin@0/8@0/0

Data Obfuscation

Sample is packed with UPX

Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Id: UPX 3.95 Copyright (C) 1996-2018 the UPX Team. All Rights Reserved. $

Persistence and Installation Behavior

Executes the "crontab" command typically for achieving persistence

Source: /bin/sh (PID: 4740)

Crontab executable: /usr/bin/crontab -> crontab tmp

Jump to behavior

Sample tries to persist itself using .desktop files

Source: /tmp/fonts-util (PID: 4721)

File: /etc/xdg/autostart/jGRm2z8VOi6AboRUsrf1PQ.desktop

Jump to behavior

Sample tries to persist itself using /etc/profile

Source: /tmp/fonts-util (PID: 4721)

File: /etc/profile.d/wVxQ6Sr30zRK_aaYNuLZXA.sh

Jump to behavior

Sample tries to persist itself using cron

Source: /usr/bin/crontab (PID: 4740)

File: /var/spool/cron/crontabs/tmp.d9Ec6Y

Jump to behavior

Source: /tmp/fonts-util (PID: 4736)

Shell command executed: /bin/sh -c "crontab tmp"

Jump to behavior

Source: /tmp/fonts-util (PID: 4721)

Reads from proc file: /proc/meminfo

Jump to behavior

Source: /tmp/fonts-util (PID: 4721)

Writes shell script file to disk with an unusual file extension: /etc/init.d/FP4-eJJ2IQDYXqwePMOkYg

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Drops files in suspicious directories

Source: /tmp/fonts-util (PID: 4721)

File: /etc/init.d/FP4-eJJ2IQDYXqwePMOkYg

Jump to dropped file

Source: fonts-util

Submission file: segment LOAD with 7.8994 entropy (max. 8.0)

Source: /tmp/fonts-util (PID: 4721)

Reads CPU info from /sys: /sys/devices/system/cpu/online

Jump to behavior

Source: /tmp/fonts-util (PID: 4721)

Queries kernel information via 'uname':

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	2 Scheduled Task/Job	1 Unix Shell Configuration Modification	1 Unix Shell Configuration Modification	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Scheduled Task/Job	2 Scheduled Task/Job	11 Obfuscated Files or Information	LSASS Memory	2 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Scripting	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
fonts-util	50%	ReversingLabs	Linux.Trojan.Torat
fonts-util	47%	Virustotal		Browse
fonts-util	100%	Avira	LINUX/AVA.Torat.uqvfp

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	fonts-util	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
51.254.147.57	unknown	France	16276	OVHFR	false
86.59.21.38	unknown	Austria	8437	UTA-ASAT	false
178.33.183.251	unknown	France	16276	OVHFR	false
154.35.175.225	unknown	United States	14987	RETHEMHOSTINGUS	false
185.100.86.182	unknown	Romania	200651	FLOKINETSC	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
51.254.147.57	demande de prix.exe	Get hash	malicious	Unknown	Browse
86.59.21.38	6K1uYM85lS.exe	Get hash	malicious	Phorpiex	Browse	86.59.21.38/tor/status-vote/current/consensus.z
	oGO7Hy4YCH.exe	Get hash	malicious	SystemBC	Browse	86.59.21.38/tor/status-vote/current/consensus
	p9CvI6kq7d.exe	Get hash	malicious	SystemBC	Browse	86.59.21.38/tor/status-vote/current/consensus
	SPXp2YHDFz.exe	Get hash	malicious	Unknown	Browse	86.59.21.38/tor/server/fp/33d6a3a8bd977723fd4c053151f78d852ac62775
	SPXp2YHDFz.exe	Get hash	malicious	Unknown	Browse	86.59.21.38/tor/status-vote/current/consensus
	ILI1MGzcig.exe	Get hash	malicious	Unknown	Browse	86.59.21.38/tor/server/fp/b31d89823fcaac31d3e2127ce5eca2628a6c1ae1
	http://86.59.21.38/tor/status-vote/current/consensus	Get hash	malicious	Unknown	Browse	86.59.21.38/tor/status-vote/current/consensus
	qO7zg5QKAX.exe	Get hash	malicious	Unknown	Browse	86.59.21.38/tor/status-vote/current/consensus
	PsNZLytUyV.exe	Get hash	malicious	SystemBC	Browse	86.59.21.38/tor/status-vote/current/consensus
	KJN55hQKh2.exe	Get hash	malicious	Phorpiex Xmrig	Browse	86.59.21.38/tor/status-vote/current/consensus.z
178.33.183.251	OShRqF6jNV.exe	Get hash	malicious	Glupteba, LummaC Stealer, SmokeLoader, Stealc, SystemBC, Xmrig	Browse
	IIBXMzS0zN.exe	Get hash	malicious	Glupteba, SmokeLoader, Socks5Systemz, Stealc, Xmrig	Browse
	SLtb3T91Li.exe	Get hash	malicious	Unknown	Browse
	NBHEkIKDCr.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Socks5Systemz	Browse
	SaLY22oLht.exe	Get hash	malicious	Unknown	Browse
	g5oo6DQ4pd.exe	Get hash	malicious	Unknown	Browse
	25hBQ7XDkh.exe	Get hash	malicious	BitRAT Xmrig	Browse
154.35.175.225	lwRhzjuYIg.exe	Get hash	malicious	Unknown	Browse	154.35.175.225/tor/status-vote/current/consensus
	qO7zg5QKAX.exe	Get hash	malicious	Unknown	Browse	154.35.175.225/tor/status-vote/current/consensus
	tgduMePOh0.exe	Get hash	malicious	Kronos	Browse	154.35.175.225/tor/status-vote/current/consensus
	Cx1HKT0xhO.exe	Get hash	malicious	Kronos	Browse	154.35.175.225/tor/status-vote/current/consensus
	ac1khvFT2V.exe	Get hash	malicious	Unknown	Browse	154.35.175.225/tor/status-vote/current/consensus
	97238623.exe	Get hash	malicious	Unknown	Browse	154.35.175.225/tor/status-vote/current/consensus.z
	6d0000.exe	Get hash	malicious	Kronos	Browse	154.35.175.225/tor/status-vote/current/consensus
	osiris.exe	Get hash	malicious	Unknown	Browse	154.35.175.225/tor/status-vote/current/consensus
	6729001591617.exe	Get hash	malicious	Kronos	Browse	154.35.175.225/tor/status-vote/current/consensus

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
RETHEMHOSTINGUS	myt7Asbdtb.elf	Get hash	malicious	Mirai	Browse	154.35.8.222
	5m6jbTvemR.elf	Get hash	malicious	Mirai	Browse	149.9.143.172
	NX9ITZc5iJ.elf	Get hash	malicious	Mirai	Browse	149.9.143.194
	906o5yr1NE.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, SmokeLoader, Stealc, Xmrig	Browse	154.35.175.225
	KWwpSm0Cec.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, Mars Stealer, SmokeLoader, Stealc, Vidar	Browse	154.35.175.225
	7leZRNBofA.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, SmokeLoader, Socks5Systemz, Stealc	Browse	154.35.175.225
	Q87z4TcuF1.elf	Get hash	malicious	Mirai	Browse	149.9.143.161
	1AIemYSAZy.exe	Get hash	malicious	Glupteba, LummaC Stealer, SmokeLoader, Stealc	Browse	154.35.175.225
	y9o3Fy6gL2.exe	Get hash	malicious	Glupteba, LummaC Stealer, SmokeLoader, Stealc	Browse	154.35.175.225
	MCYq2AqNU0.exe	Get hash	malicious	Glupteba, LummaC Stealer, SmokeLoader, Stealc, Xmrig	Browse	154.35.175.225
UTA-ASAT	AFWaD3vnqR.elf	Get hash	malicious	Mirai, Gafgyt	Browse	178.114.204.51
	fIupB48xS0.elf	Get hash	malicious	Gafgyt, Mirai	Browse	178.114.204.64
	AMjH2Tev6H.elf	Get hash	malicious	Mirai, Gafgyt	Browse	178.114.204.87
	7yboxvX8mm.elf	Get hash	malicious	Unknown	Browse	213.235.199.112
	e8el6hrK3B.elf	Get hash	malicious	Mirai, Moobot	Browse	78.142.187.242
	7vMi37TpMO.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, Mars Stealer, SmokeLoader, Socks5Systemz, Stealc	Browse	86.59.21.38
	906o5yr1NE.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, SmokeLoader, Stealc, Xmrig	Browse	86.59.21.38
	BWV4hz5GdR.exe	Get hash	malicious	Glupteba, LummaC Stealer, SmokeLoader, Stealc, Xmrig	Browse	86.59.21.38
	Le3TP5iwHa.elf	Get hash	malicious	Mirai	Browse	213.235.199.122
	7leZRNBofA.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, SmokeLoader, Socks5Systemz, Stealc	Browse	86.59.21.38
OVHFR	file.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Glupteba, SmokeLoader, Vidar, Xehook Stealer	Browse	51.91.30.159
	h08xdwuTfW.elf	Get hash	malicious	Unknown	Browse	149.60.92.110
	https://safemarkxxcs.xyz/	Get hash	malicious	Unknown	Browse	149.56.240.128
	SecuriteInfo.com.ELF.Mirai-CQT.14568.18780.elf	Get hash	malicious	Mirai	Browse	51.68.213.73
	K7HXpfSHdt.elf	Get hash	malicious	Mirai, Moobot	Browse	92.222.76.186
	czKL48x7uW.elf	Get hash	malicious	Unknown	Browse	51.178.34.89
	Qpp5L1vHC0.elf	Get hash	malicious	Unknown	Browse	87.98.255.2
	oTgDN8j9n0.elf	Get hash	malicious	Mirai, Moobot	Browse	51.91.63.119
	PADD8toZVX.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, Glupteba, LummaC Stealer, Mars Stealer	Browse	51.91.30.159
	MT5Um6Ykrl.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, Glupteba, LummaC Stealer, Mars Stealer	Browse	51.91.30.159
OVHFR	file.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Glupteba, SmokeLoader, Vidar, Xehook Stealer	Browse	51.91.30.159
	h08xdwuTfW.elf	Get hash	malicious	Unknown	Browse	149.60.92.110
	https://safemarkxxcs.xyz/	Get hash	malicious	Unknown	Browse	149.56.240.128
	SecuriteInfo.com.ELF.Mirai-CQT.14568.18780.elf	Get hash	malicious	Mirai	Browse	51.68.213.73
	K7HXpfSHdt.elf	Get hash	malicious	Mirai, Moobot	Browse	92.222.76.186
	czKL48x7uW.elf	Get hash	malicious	Unknown	Browse	51.178.34.89
	Qpp5L1vHC0.elf	Get hash	malicious	Unknown	Browse	87.98.255.2
	oTgDN8j9n0.elf	Get hash	malicious	Mirai, Moobot	Browse	51.91.63.119
	PADD8toZVX.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, Glupteba, LummaC Stealer, Mars Stealer	Browse	51.91.30.159
	MT5Um6Ykrl.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, Glupteba, LummaC Stealer, Mars Stealer	Browse	51.91.30.159

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
83d60721ecc423892660e275acc4dffd	cups-utils-helper	Get hash	malicious	Unknown	Browse	86.59.21.38
	LIRR4A0xzv.exe	Get hash	malicious	Amadey, Glupteba, LummaC Stealer, Mars Stealer, SmokeLoader, Socks5Systemz, Stealc	Browse	86.59.21.38
	SecuriteInfo.com.Win32.RansomX-gen.4067.126.exe	Get hash	malicious	LummaC, Amadey, Glupteba, LummaC Stealer, Mars Stealer, RedLine, SmokeLoader	Browse	86.59.21.38
	m5EyzJ7S8S.exe	Get hash	malicious	Amadey, Glupteba, LummaC Stealer, Mars Stealer, SmokeLoader, Stealc, Vidar	Browse	86.59.21.38
	7vMi37TpMO.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, Mars Stealer, SmokeLoader, Socks5Systemz, Stealc	Browse	86.59.21.38
	906o5yr1NE.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, SmokeLoader, Stealc, Xmrig	Browse	86.59.21.38
	lxGAurRKvR.exe	Get hash	malicious	Glupteba, LummaC Stealer, SmokeLoader, Stealc, Xmrig	Browse	86.59.21.38
	PjgTyZiVh0.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, SmokeLoader, Socks5Systemz, Stealc, Xmrig	Browse	86.59.21.38
	xZnG1FFx7L.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, Mars Stealer, SmokeLoader, Socks5Systemz, Stealc	Browse	86.59.21.38
	KWwpSm0Cec.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, Mars Stealer, SmokeLoader, Stealc, Vidar	Browse	86.59.21.38

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
/etc/init.d/FP4-eJJ2IQDYXqwePMOkYg	cups-utils-helper	Get hash	malicious	Unknown	Browse

Created / dropped Files

/etc/init.d/FP4-eJJ2IQDYXqwePMOkYg

Download File

Process:	/tmp/fonts-util
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	42
Entropy (8bit):	3.7486135551678705
Encrypted:	false
SSDEEP:	3:TKH4vLUE94EL/dN:h5940P
MD5:	02A905C33A02337544FA06A9A148FE9C
SHA1:	BAE92D6C54494D38F73F334F882F653928410A3B
SHA-256:	F9D374F7B98F60666577073CAF76BF78B408FDC8D5B9DB4D912511C2DF8EA539
SHA-512:	5334360FAD9F5EF2E9BD73CB597C4C4660173753AC806041875575AE695454D68B32BCD39C906AFDFC254AAD758F1758C9428810710264FA8F841848A7574570
Malicious:	true
Joe Sandbox View:	Filename: cups-utils-helper, Detection: malicious, Browse
Reputation:	low
Preview:	#!/bin/sh./home/james/.cache/libssh/libssh

/etc/profile.d/wVxQ6Sr30zRK_aaYNuLZXA.sh

Download File

Process:	/tmp/fonts-util
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	3.500807235905091
Encrypted:	false
SSDEEP:	3:N9UE94EL/dN:N3940P
MD5:	E06AF2AA42E96A4D1DCBE3A055507CFB
SHA1:	E7C695B141891A705A6BE0CC28766B5D5F590550
SHA-256:	328EF7EBF754D78F8BDB46F9F0C92CDF1B432E6EB7F9BF026D70468FF01A05E7
SHA-512:	7E3EDACBA4AD6A15A0B7687D3D00CB69E2F590FF5F5DEE401D6075F3602E3C53F731315EF72705CF24FAFFD0BCB229C419AEEA23CC3AD5811B22280AC984843D
Malicious:	true
Reputation:	low
Preview:	/home/james/.cache/libssh/libssh

/etc/xdg/autostart/jGRm2z8VOi6AboRUsrf1PQ.desktop

Download File

Process:	/tmp/fonts-util
File Type:	ASCII text
Category:	dropped
Size (bytes):	113
Entropy (8bit):	5.110014698271632
Encrypted:	false
SSDEEP:	3:agfERMQ/VhLPVYjN7E94EL/dMYODM:agfm9YO940dsM
MD5:	5AC7FA551A93382D8DAD848ADE2227A3
SHA1:	2263C7A78E1191AB78AF563AD22FDBE8A2DCB6E0
SHA-256:	19C839163062BCF5E02DBF63F1FDBC1BF5CDE7BE9EF694E09CA94B8F44AE7EBB
SHA-512:	7FBA0FCC87CA5B57E23813C33F74D4405DA1A5E09EF0AF33533020375D88BF00DAD7885F0735B56A98D002E760C6BB812544FB276ED6C68E14D586D421F507DF
Malicious:	true
Reputation:	low
Preview:	[Desktop Entry].Type=Application.Name=gUjoqpSQFC1m5ACvwY919w.Exec=/home/james/.cache/libssh/libssh.Terminal=false

/tmp/250425431/control-port-084384417.tmp

Download File

Process:	/tmp/fonts-util
File Type:	ASCII text
Category:	dropped
Size (bytes):	42
Entropy (8bit):	3.6537567082870006
Encrypted:	false
SSDEEP:	3:n8Yf8Yv:nfv
MD5:	4E67DCA64C06C6D6B4C93D259BACFF8D
SHA1:	2CAF4DAC2AEB842FD554FC59E6BBA1611907054E
SHA-256:	9690356FB7942076F8AA3E8CD4E237D567FA6455ABE58AF2A295E3A2F639E9D4
SHA-512:	6C16EC063C5F5C09E430716EF3513BA10E94D84449F66EEAC2977BA97E9410A1D54B03654B03D39EB12EE686F8723D2A704370B0F5EA4E5CD076B63D4A156690
Malicious:	false
Reputation:	low
Preview:	PORT=127.0.0.1:41332.PORT=127.0.0.1:41332.

/tmp/250425431/control_auth_cookie.tmp

Download File

Process:	/tmp/fonts-util
File Type:	data
Category:	dropped
Size (bytes):	32
Entropy (8bit):	4.875
Encrypted:	false
SSDEEP:	3:hLTVyg:hLTVyg
MD5:	88671B02FAB2F6D90C7878B84E982C4E
SHA1:	E8F76BEB8C978A29AD91BB264654E848F758DC16
SHA-256:	5CA79A8776F5BCA858EF7FF815206150C28175670F5D72F3D43B8477C53B355D
SHA-512:	F75918642BF9BCE0C7F016EBD3102887A0704D998337BBE398F3CF8151174DA37B90A99F9BED129DE89264353BC790947342FA2D0F13E08402137C28D8640C05
Malicious:	false
Reputation:	low
Preview:	#W......'.3F,u....z.<.0..,..J{.

/tmp/250425431/state.tmp

Download File

Process:	/tmp/fonts-util
File Type:	ASCII text
Category:	dropped
Size (bytes):	215
Entropy (8bit):	4.85275225991053
Encrypted:	false
SSDEEP:	6:SbdWwxXjDmDnXr87+QkvwR/c0debWa8k4At:bwxXjDmTr87HkvwNdwN
MD5:	CC41C7FE024D9E80A1D9D22713335AB1
SHA1:	0B97E7C89DF33ADB15D54BF339394E4B2B4CE0F7
SHA-256:	D8F886D22292CCFE5FAC6325B43AE1194FB85273BC162AA757FC1611D57C1B4B
SHA-512:	31354DCA7547A26B24503CFF8D1C8F5BC4F0554DD1D16941D2D1CBFBEDACA581476E931AD398FA254286560C24C60C6C6ADC710018C662866F1D08D49DD3008B
Malicious:	false
Reputation:	low
Preview:	# Tor state file last generated on 2024-03-22 07:51:28 local time.# Other times below are in UTC.# You do not need to edit this file...TorVersion Tor 0.3.5.7 (git-9beb085c10562a25).LastWritten 2024-03-22 06:51:28.

/tmp/tmp

Download File

Process:	/tmp/fonts-util
File Type:	data
Category:	dropped
Size (bytes):	120
Entropy (8bit):	4.548423184917586
Encrypted:	false
SSDEEP:	3:SH3HSE94EL/dyE2+hkk3ilp6:SH3X940VZ5ilp6
MD5:	6F49519FC54A458360AB8F269B5F8FF4
SHA1:	52651EBAEEF13DB78F454B06E77CC80D64AA2844
SHA-256:	19F4486E0D10A987B47135F118827A2B2E2B9E7ED3BCA2A4AB3604E347442A93
SHA-512:	A25284C6465FB4BD3DA7231394D147033647EABF1A58859CE45EA253AD2E724F9C94C00EF37A64BDE29A8CCD1931D66888FD620102962EF7814012C36D1A5C9F
Malicious:	false
Reputation:	low
Preview:	@reboot /home/james/.cache/libssh/libssh9.&.~.[.#.....X...a..\|.lKR....s.)u..Zd..........................................

/var/spool/cron/crontabs/tmp.d9Ec6Y

Download File

Process:	/usr/bin/crontab
File Type:	ASCII text
Category:	dropped
Size (bytes):	217
Entropy (8bit):	5.147330687790285
Encrypted:	false
SSDEEP:	6:SUrpqoqQjEOP1KUSDJOBFQZ0DV4r6vZHGMQ5UYLtCFt3HYX940P:8Qjnt8ZgEMeHLUHYXG0P
MD5:	8FD7D34F5C52BE0230ED3B240E4F74E3
SHA1:	EE8B0D89022B324B246892965A3BB111A3BDA72F
SHA-256:	FE8C13103FE322E9DD8B7235374E50217B5D901DBA6502DFA8125C270BD4F9B6
SHA-512:	FA440541B09F8F289C0B903C3079358E65940838BD0ABF5D2EC0909734813A316A2C3EB194FAEB7DF91EEA5230B8D4995DC0D957120D058B057A714E9D899522
Malicious:	true
Reputation:	low
Preview:	# DO NOT EDIT THIS FILE - edit the master and reinstall..# (tmp installed on Fri Mar 22 07:51:28 2024).# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $).@reboot /home/james/.cache/libssh/libssh

Static File Info

General

File type:	ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, no section header
Entropy (8bit):	7.899424338699907
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 50.16% ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:	fonts-util
File size:	7'405'548 bytes
MD5:	59d3ad70fb3d22a689fd59a9d3c7767e
SHA1:	985a3cba597f00ff9037d93e411e2f3d45b2b1c7
SHA256:	678a67351a8caecb478c9d783bb4dbe666df16c9fca628b2355be0fc6bc348d9
SHA512:	87764dcb36d1f69bf6eb62ae6be34566b5f89af040a78bdfb4a3d8225468968d3f75b65aaf40d6399488378f9920e251846e01a03a2bb6329361ce39ba0a3b80
SSDEEP:	196608:fHvjsWNIJXSSBBuvKZu4+c5OdyTeymKxjtJr:fH4WNyXfREwiKxj/
TLSH:	C77633E54A0127DBEDCE293DDF6A6DA453145415C8F8E08F3F0A1A5593BBFD2B082E12
File Content Preview:	.ELF..............>.............@...................@.8...@.......................@.......@.....".p.....".p.....................................................................Q.td....................................................(%@CUPX!<........t/..t/

Static ELF Info

ELF header
Class:	ELF64
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Advanced Micro Devices X86-64
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - Linux
ABI Version:	0
Entry Point Address:	0xb0f2f0
Flags:	0x0
ELF Header Size:	64
Program Header Offset:	64
Program Header Size:	56
Number of Program Headers:	3
Section Header Offset:	0
Section Header Size:	64
Number of Section Headers:	0
Header String Table Index:	0

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align
LOAD	0x0	0x400000	0x400000	0x70fc22	0x70fc22	7.8994	0x5	R E	0x1000
LOAD	0x0	0xb10000	0xb10000	0x0	0xc2f010	0.0000	0x6	RW	0x1000
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x10

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 22, 2024 07:51:29.187438965 CET	43828	443	192.168.2.20	51.254.147.57
Mar 22, 2024 07:51:29.187500954 CET	443	43828	51.254.147.57	192.168.2.20
Mar 22, 2024 07:51:29.187696934 CET	43828	443	192.168.2.20	51.254.147.57
Mar 22, 2024 07:51:29.188503981 CET	43828	443	192.168.2.20	51.254.147.57
Mar 22, 2024 07:51:29.188517094 CET	443	43828	51.254.147.57	192.168.2.20
Mar 22, 2024 07:51:30.188112020 CET	39214	443	192.168.2.20	178.33.183.251
Mar 22, 2024 07:51:30.188157082 CET	443	39214	178.33.183.251	192.168.2.20
Mar 22, 2024 07:51:30.188246965 CET	39214	443	192.168.2.20	178.33.183.251
Mar 22, 2024 07:51:30.188744068 CET	39214	443	192.168.2.20	178.33.183.251
Mar 22, 2024 07:51:30.188757896 CET	443	39214	178.33.183.251	192.168.2.20
Mar 22, 2024 07:51:32.195544004 CET	48932	443	192.168.2.20	154.35.175.225
Mar 22, 2024 07:51:32.195595026 CET	443	48932	154.35.175.225	192.168.2.20
Mar 22, 2024 07:51:32.195689917 CET	48932	443	192.168.2.20	154.35.175.225
Mar 22, 2024 07:51:32.195993900 CET	48932	443	192.168.2.20	154.35.175.225
Mar 22, 2024 07:51:32.196007967 CET	443	48932	154.35.175.225	192.168.2.20
Mar 22, 2024 07:51:47.731770039 CET	443	48932	154.35.175.225	192.168.2.20
Mar 22, 2024 07:51:47.732642889 CET	47180	443	192.168.2.20	86.59.21.38
Mar 22, 2024 07:51:47.732649088 CET	39498	8080	192.168.2.20	185.100.86.182
Mar 22, 2024 07:51:47.732676029 CET	443	47180	86.59.21.38	192.168.2.20
Mar 22, 2024 07:51:47.732865095 CET	47180	443	192.168.2.20	86.59.21.38
Mar 22, 2024 07:51:47.733432055 CET	47180	443	192.168.2.20	86.59.21.38
Mar 22, 2024 07:51:47.733444929 CET	443	47180	86.59.21.38	192.168.2.20
Mar 22, 2024 07:51:48.730884075 CET	39498	8080	192.168.2.20	185.100.86.182
Mar 22, 2024 07:51:48.866251945 CET	443	47180	86.59.21.38	192.168.2.20
Mar 22, 2024 07:51:48.866486073 CET	47180	443	192.168.2.20	86.59.21.38
Mar 22, 2024 07:51:48.869275093 CET	47180	443	192.168.2.20	86.59.21.38
Mar 22, 2024 07:51:48.869283915 CET	443	47180	86.59.21.38	192.168.2.20
Mar 22, 2024 07:51:48.869671106 CET	443	47180	86.59.21.38	192.168.2.20
Mar 22, 2024 07:51:48.871006012 CET	47180	443	192.168.2.20	86.59.21.38
Mar 22, 2024 07:51:48.916229963 CET	443	47180	86.59.21.38	192.168.2.20
Mar 22, 2024 07:53:40.288450956 CET	443	39214	178.33.183.251	192.168.2.20
Mar 22, 2024 07:53:40.288470030 CET	443	43828	51.254.147.57	192.168.2.20

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Mar 22, 2024 07:51:48.956561089 CET	176.222.126.51	192.168.2.20	d004	(Host unreachable)	Destination Unreachable
Mar 22, 2024 07:51:48.956583023 CET	176.222.126.51	192.168.2.20	d004	(Host unreachable)	Destination Unreachable

System Behavior

Analysis Process: fonts-util PID: 4721, Parent PID: 4645

General

Start time (UTC):	06:51:28
Start date (UTC):	22/03/2024
Path:	/tmp/fonts-util
Arguments:	/tmp/fonts-util
File size:	7405548 bytes
MD5 hash:	59d3ad70fb3d22a689fd59a9d3c7767e

Chronological Activities

Analysis Process: fonts-util PID: 4736, Parent PID: 4721

General

Start time (UTC):	06:51:28
Start date (UTC):	22/03/2024
Path:	/tmp/fonts-util
Arguments:	-
File size:	7405548 bytes
MD5 hash:	59d3ad70fb3d22a689fd59a9d3c7767e

Chronological Activities

Analysis Process: sh PID: 4736, Parent PID: 4721

General

Start time (UTC):	06:51:28
Start date (UTC):	22/03/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "crontab tmp"
File size:	0 bytes
MD5 hash:	unknown

Chronological Activities

Analysis Process: sh PID: 4740, Parent PID: 4736

General

Start time (UTC):	06:51:28
Start date (UTC):	22/03/2024
Path:	/bin/sh
Arguments:	-
File size:	0 bytes
MD5 hash:	unknown

Chronological Activities

Analysis Process: crontab PID: 4740, Parent PID: 4736

General

Start time (UTC):	06:51:28
Start date (UTC):	22/03/2024
Path:	/usr/bin/crontab
Arguments:	crontab tmp
File size:	36080 bytes
MD5 hash:	ff68fd30f0037fd7e9c1fdf5a035f739

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. User Unix Shell s execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH) a login shell is initiated. The login shell executes scripts from the system ( `/etc` ) and the user’s home directory ( `~/` ) to configure the environment. All login shells on a system use /etc/profile when initiated. These configuration scripts run at the permission level of their directory and are often used to set environment variables, create aliases, and customize the user’s environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Creation, File: File Modification, Process: Process Creation
Platforms:	Linux, macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report fonts-util

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Process Tree

Yara Signatures

Initial Sample

Snort Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/etc/init.d/FP4-eJJ2IQDYXqwePMOkYg

/etc/profile.d/wVxQ6Sr30zRK_aaYNuLZXA.sh

/etc/xdg/autostart/jGRm2z8VOi6AboRUsrf1PQ.desktop

/tmp/250425431/control-port-084384417.tmp

/tmp/250425431/control_auth_cookie.tmp

/tmp/250425431/state.tmp

/tmp/tmp

/var/spool/cron/crontabs/tmp.d9Ec6Y

Static File Info

General

Static ELF Info

ELF header

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

ICMP Packets

System Behavior

Analysis Process: fonts-util PID: 4721, Parent PID: 4645

General

Chronological Activities

Analysis Process: fonts-util PID: 4736, Parent PID: 4721

General

Chronological Activities

Analysis Process: sh PID: 4736, Parent PID: 4721

General

Chronological Activities

Analysis Process: sh PID: 4740, Parent PID: 4736

General

Chronological Activities

Analysis Process: crontab PID: 4740, Parent PID: 4736

Linux Analysis Report
fonts-util