Linux Analysis Report
zone.x86_64.elf

Overview

General Information

Sample name: zone.x86_64.elf
Analysis ID: 1546569
MD5: a37d645e921d2b4fcefc60b0dbec3ff7
SHA1: 0b8996c0ea01fb84ba3cfced6c0a731774cd2984
SHA256: ac6cf9cb11f0bb979419e054da589b4f049e05db5bd650d6a3475f7b6f5c0fce
Tags: elf, user-abuse_ch

Detection

Score: 24
Range: 0 - 100
Whitelisted: false

Signatures

Sample is packed with UPX
ELF contains segments with high entropy indicating compressed/encrypted content
Executes commands using a shell command-line interpreter
Executes the "grep" command used to find patterns in files or piped streams
Reads CPU information from /sys indicative of miner or evasive malware
Reads system information from the proc file system
Sample contains only a LOAD segment without any section mappings
Sample listens on a socket
Uses the "uname" system call to query kernel version information (possible evasion)
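The packing indicators in the list above (UPX strings, LOAD segments at 7.8 to 8.0 bits of entropy, a program header table with no section mappings) can be reproduced with a short static check. The following is an added example written for this page, not code from the sandbox vendor or from the sample: it parses ELF64 program headers directly, computes Shannon entropy per PT_LOAD segment, reports whether the section header table is absent, and scans for the UPX info string. The input is a synthetic ELF built by `build_sample_elf()` (random-byte content plus the UPX marker, not the analysed file), and the 7.5 bits-per-byte threshold is an assumed cut-off.

```python
"""Static triage of an ELF64 file: per-PT_LOAD entropy, section-header count,
and UPX marker strings. Added example; not part of the sandbox report."""
import math
import random
import struct
from collections import Counter

PT_LOAD = 1
UPX_MARKERS = (b"UPX!", b"$Info: This file is packed with the UPX executable packer")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the maximum for byte-valued data."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_elf64(blob: bytes) -> dict:
    """Parse the ELF64 header and program headers (little-endian only)."""
    if blob[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if blob[4] != 2 or blob[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    # Elf64_Ehdr after e_ident[16]: type, machine, version, entry, phoff, shoff,
    # flags, ehsize, phentsize, phnum, shentsize, shnum, shstrndx
    (_, _, _, e_entry, e_phoff, _, _, _, e_phentsize, e_phnum,
     _, e_shnum, _) = struct.unpack_from("<HHIQQQIHHHHHH", blob, 16)
    segments = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        (p_type, _, p_offset, p_vaddr, _, p_filesz, _, _) = \
            struct.unpack_from("<IIQQQQQQ", blob, off)
        if p_type == PT_LOAD:
            data = blob[p_offset:p_offset + p_filesz]
            segments.append({"vaddr": p_vaddr, "filesz": p_filesz,
                             "entropy": round(shannon_entropy(data), 4)})
    return {"entry": e_entry, "shnum": e_shnum, "load_segments": segments}


def triage(blob: bytes, entropy_threshold: float = 7.5) -> dict:
    """Return parsed header info plus a list of human-readable findings."""
    info = parse_elf64(blob)
    findings = []
    if info["shnum"] == 0:
        findings.append("no section headers (LOAD segments only)")
    for seg in info["load_segments"]:
        if seg["entropy"] >= entropy_threshold:
            findings.append(f"high-entropy LOAD at 0x{seg['vaddr']:x} ({seg['entropy']:.4f})")
    if any(m in blob for m in UPX_MARKERS):
        findings.append("UPX marker string present")
    info["findings"] = findings
    return info


def build_sample_elf(seed: int = 1) -> bytes:
    """Constructed test input (assumption, not the analysed file): a minimal
    ELF64 with two PT_LOAD segments, one high-entropy (seeded pseudo-random
    bytes) and one all-zero, no section headers, and the UPX info string."""
    rng = random.Random(seed)
    ehsize, phentsize, phnum = 64, 56, 2
    hdr_len = ehsize + phentsize * phnum
    packed = bytes(rng.getrandbits(8) for _ in range(16384))
    upx_str = b"$Info: This file is packed with the UPX executable packer http://upx.sf.net $"
    seg1 = packed + upx_str
    seg2 = b"\x00" * 4096
    seg1_off = hdr_len
    seg2_off = seg1_off + len(seg1)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0x400000 + hdr_len,
                               ehsize, 0, 0, ehsize, phentsize, phnum, 0, 0, 0)
    ph1 = struct.pack("<IIQQQQQQ", PT_LOAD, 5, seg1_off, 0x400000 + seg1_off,
                      0x400000 + seg1_off, len(seg1), len(seg1), 0x1000)
    ph2 = struct.pack("<IIQQQQQQ", PT_LOAD, 6, seg2_off, 0x600000,
                      0x600000, len(seg2), len(seg2), 0x1000)
    return ehdr + ph1 + ph2 + seg1 + seg2


if __name__ == "__main__":
    for finding in triage(build_sample_elf())["findings"]:
        print("[!]", finding)
```

Run it against a real file with `triage(open(path, "rb").read())`. A UPX-packed ELF is normally unpacked with `upx -d` before further static work; when the vendor string has been patched out, the entropy and missing-section-table indicators still hold, which is why the check does not rely on the string alone.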

Classification

Source: /usr/bin/uptime (PID: 6254) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /tmp/zone.x86_64.elf (PID: 6242) Socket: [::]:14820 Jump to behavior
Source: unknown TCP traffic detected without corresponding DNS query: 38.60.221.177 (31 occurrences)
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42 (3 occurrences)
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43 (3 occurrences)
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202 (2 occurrences)
Note: 91.189.91.0/24 is Canonical (Ubuntu) address space, so the connections to 91.189.91.42/43 are likely background traffic from the analysis VM rather than from the sample. The report does not attribute any of this traffic to a process ("Source: unknown"); 38.60.221.177 is the only destination contacted repeatedly and is the one worth pivoting on.
Source: zone.x86_64.elf String found in binary or memory: http://upx.sf.net
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: LOAD without section mappings Program segment: 0x400000
Source: classification engine Classification label: sus24.evad.linELF@0/0@0/0

Data Obfuscation

Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Id: UPX 4.24 Copyright (C) 1996-2024 the UPX Team. All Rights Reserved. $
Source: /tmp/zone.x86_64.elf (PID: 6254) Shell command executed: /bin/bash -c uptime Jump to behavior
Source: /usr/bin/bash (PID: 6257) Grep executable: /usr/bin/grep -> grep ens160 Jump to behavior
Source: /usr/bin/bash (PID: 6262) Grep executable: /usr/bin/grep -> grep ens160 Jump to behavior
Source: /usr/bin/bash (PID: 6307) Grep executable: /usr/bin/grep -> grep ens160 Jump to behavior
Source: /usr/bin/bash (PID: 6311) Grep executable: /usr/bin/grep -> grep ens160 Jump to behavior
Source: /usr/bin/bash (PID: 6344) Grep executable: /usr/bin/grep -> grep ens160 Jump to behavior
Source: /usr/bin/bash (PID: 6348) Grep executable: /usr/bin/grep -> grep ens160 Jump to behavior
Source: /tmp/zone.x86_64.elf (PID: 6238) Reads from proc file: /proc/stat Jump to behavior
Source: /tmp/zone.x86_64.elf (PID: 6242) Reads from proc file: /proc/stat Jump to behavior
Source: /tmp/zone.x86_64.elf (PID: 6242) Reads from proc file: /proc/sys/net/core/somaxconn Jump to behavior
Source: /usr/bin/bash (PID: 6258) Awk executable: /usr/bin/awk -> awk "{print $2}" Jump to behavior
Source: /usr/bin/bash (PID: 6263) Awk executable: /usr/bin/awk -> awk "{print $10}" Jump to behavior
Source: /usr/bin/bash (PID: 6308) Awk executable: /usr/bin/awk -> awk "{print $2}" Jump to behavior
Source: /usr/bin/bash (PID: 6312) Awk executable: /usr/bin/awk -> awk "{print $10}" Jump to behavior
Source: /usr/bin/bash (PID: 6345) Awk executable: /usr/bin/awk -> awk "{print $2}" Jump to behavior
Source: /usr/bin/bash (PID: 6349) Awk executable: /usr/bin/awk -> awk "{print $10}" Jump to behavior
Source: submitted sample Stderr (line breaks restored; exit code = 0):
2024/10/31 23:48:01 timeout: 2m0s
2024/10/31 23:48:01 [*] get job
2024/10/31 23:48:01 timeout: 2m0s
2024/10/31 23:48:01 timeout: 2m0s
2024/10/31 23:48:01 timeout: 2m0s
2024/10/31 23:48:01 timeout: 2m0s
2024/10/31 23:48:01 timeout: 2m0s
Note: the "YYYY/MM/DD hh:mm:ss" prefix and the "2m0s" duration string match the defaults of Go's standard log package and time.Duration formatting, which is consistent with a statically linked Go binary under the UPX layer; the "[*] get job" line indicates the sample polls for work from a remote server.
Source: zone.x86_64.elf Submission file: segment LOAD with 7.8145 entropy (max. 8.0)
Source: zone.x86_64.elf Submission file: segment LOAD with 7.9999 entropy (max. 8.0)
Source: /usr/bin/uptime (PID: 6254) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /bin/bash (PID: 6254) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/bash (PID: 6255) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/bash (PID: 6259) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/bash (PID: 6305) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/bash (PID: 6309) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/bash (PID: 6342) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/bash (PID: 6346) Queries kernel information via 'uname': Jump to behavior
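The process tree recorded above (a binary under /tmp that listens on [::]:14820, reads /proc/stat and /proc/sys/net/core/somaxconn, and shells out to uptime, grep ens160 and awk "{print $2}" / "{print $10}") is the kind of pattern a host-based detection can correlate rather than alert on one event at a time. The following is an added example, not part of the sandbox report or of any vendor ruleset: it builds the parent/child tree from a constructed event list (PIDs and commands copied from the report; the event shape and the parent links are assumptions, since the report does not give the raw telemetry and collapses the intermediate bash processes), then scores every process rooted in an untrusted directory by the indicators found in its subtree. The untrusted-directory list, the regexes and the score threshold are assumptions, and the sshd entries are a constructed benign control.

```python
"""Correlate process, file-open and listen events into per-root findings.
Added example modelled on the report's process tree; not sandbox output."""
import re
from collections import defaultdict

# Assumption: directories where a dropped payload typically lands.
UNTRUSTED_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Assumed command shapes for host/network reconnaissance (matched on argv).
RECON_PATTERNS = {
    "shell -c": re.compile(r"^(/usr/bin/|/bin/)?bash\s+-c\s"),
    "uptime": re.compile(r"\buptime\b"),
    "iface grep": re.compile(r"^(/usr/bin/)?grep\s+(eth|ens|enp|wlan)\d+"),
    "awk column": re.compile(r"^(/usr/bin/)?awk\s+[\"']?\{print \$\d+\}"),
}
PROC_FILES = ("/proc/stat", "/proc/sys/net/core/somaxconn",
              "/sys/devices/system/cpu/online")

# Constructed events (event, pid, ppid, exe, detail). PIDs and commands follow
# the report; parent links are assumed (grep/awk parents collapsed to 6242).
EVENTS = [
    ("exec",   6238, 1,    "/tmp/zone.x86_64.elf", "/tmp/zone.x86_64.elf"),
    ("open",   6238, 1,    "/tmp/zone.x86_64.elf", "/proc/stat"),
    ("exec",   6242, 6238, "/tmp/zone.x86_64.elf", "/tmp/zone.x86_64.elf"),
    ("open",   6242, 6238, "/tmp/zone.x86_64.elf", "/proc/sys/net/core/somaxconn"),
    ("listen", 6242, 6238, "/tmp/zone.x86_64.elf", "[::]:14820"),
    ("exec",   6254, 6242, "/bin/bash",            "/bin/bash -c uptime"),
    ("open",   6254, 6242, "/usr/bin/uptime",      "/sys/devices/system/cpu/online"),
    ("exec",   6257, 6242, "/usr/bin/grep",        "grep ens160"),
    ("exec",   6258, 6242, "/usr/bin/awk",         "awk {print $2}"),
    ("exec",   6262, 6242, "/usr/bin/grep",        "grep ens160"),
    ("exec",   6263, 6242, "/usr/bin/awk",         "awk {print $10}"),
    # Benign control (constructed): a listener that is not under an untrusted path.
    ("exec",   900,  1,    "/usr/sbin/sshd",       "/usr/sbin/sshd -D"),
    ("listen", 900,  1,    "/usr/sbin/sshd",       "[::]:22"),
]


def build_tree(events):
    """Return (pid -> ppid, pid -> exe, ppid -> {child pids})."""
    parent, exe, children = {}, {}, defaultdict(set)
    for _, pid, ppid, path, _ in events:
        parent.setdefault(pid, ppid)
        exe.setdefault(pid, path)
        children[ppid].add(pid)
    return parent, exe, children


def descendants(children, root):
    """All transitive children of root (iterative, cycle-safe)."""
    seen, stack = set(), [root]
    while stack:
        for child in children.get(stack.pop(), ()):
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return seen


def correlate(events, min_score=3):
    """Score each top-most untrusted-path process by indicators in its subtree."""
    parent, exe, children = build_tree(events)
    # A root is an untrusted-path process whose parent is not itself untrusted.
    roots = [pid for pid, path in exe.items()
             if path.startswith(UNTRUSTED_DIRS)
             and not exe.get(parent.get(pid), "").startswith(UNTRUSTED_DIRS)]
    findings = {}
    for root in roots:
        scope = {root} | descendants(children, root)
        indicators = set()
        for ev, pid, _, _, detail in events:
            if pid not in scope:
                continue
            if ev == "listen":
                indicators.add(f"listens on {detail}")
            elif ev == "open" and detail in PROC_FILES:
                indicators.add(f"reads {detail}")
            elif ev == "exec":
                for name, rx in RECON_PATTERNS.items():
                    if rx.search(detail):
                        indicators.add(name)
        if len(indicators) >= min_score:
            findings[root] = {"exe": exe[root], "score": len(indicators),
                              "indicators": sorted(indicators)}
    return findings


if __name__ == "__main__":
    for pid, hit in correlate(EVENTS).items():
        print(f"PID {pid} {hit['exe']} score={hit['score']}")
        for ind in hit["indicators"]:
            print("   -", ind)
```

The grep/awk pairs are consistent with pulling per-interface byte counters out of /proc/net/dev (field 2 is RX bytes, field 10 is TX bytes), which would fit a bandwidth-measuring agent, but the report does not show what was piped into grep, so the example matches on command shapes rather than on that interpretation. Feeding it real telemetry means mapping auditd execve/connect records or eBPF exec and listen events onto the same five-tuple.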