Edit tour

Linux Analysis Report
ZohoAssistURS

Overview

General Information

Sample name:	ZohoAssistURS
Analysis ID:	1583400
MD5:	0df479c4d1b61e1709f629ef324064e2
SHA1:	8fd958aaf4c7fd7ee7d9c308c3967746c0ce5c03
SHA256:	0250e5698ccd754c59a0ab1b08956fca1eab475ebf6fa4bae42ee4bc88554e42
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false

Signatures

Malicious sample detected (through community Yara rule)

Sample is packed with UPX

Deletes log files

ELF contains segments with high entropy indicating compressed/encrypted content

Executes the "rm" command used to delete files or directories

Queries the installed Ubuntu/CentOS release

Sample contains only a LOAD segment without any section mappings

Uses the "uname" system call to query kernel version information (possible evasion)

Yara signature match

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583400
Start date and time:	2025-01-02 16:39:46 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	ZohoAssistURS
Detection:	MAL
Classification:	mal52.evad.lin@0/2@0/0

Warnings

VT rate limit hit for: ZohoAssistURS

Runtime Messages

Command:	/tmp/ZohoAssistURS
PID:	6254
Exit Code:
Exit Code Info:
Killed:	True
Standard Output:
Standard Error:

Process Tree

system is lnxubuntu20

dash New Fork (PID: 6227, Parent: 4332)

rm (PID: 6227, Parent: 4332, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.O10wnoseVX /tmp/tmp.ARg99a7w6h /tmp/tmp.zOF6mVtUcG

dash New Fork (PID: 6228, Parent: 4332)

rm (PID: 6228, Parent: 4332, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.O10wnoseVX /tmp/tmp.ARg99a7w6h /tmp/tmp.zOF6mVtUcG

ZohoAssistURS (PID: 6254, Parent: 6156, MD5: 0df479c4d1b61e1709f629ef324064e2) Arguments: /tmp/ZohoAssistURS

ZohoAssistURS New Fork (PID: 6264, Parent: 6254)

arch (PID: 6264, Parent: 6254, MD5: cb1f8525113d165c00fd975fddaed437) Arguments: arch

ZohoAssistURS New Fork (PID: 6265, Parent: 6254)

lsb_release (PID: 6265, Parent: 6254, MD5: 69f442c3e33b5f9a66b722c29ad89435) Arguments: /usr/bin/lsb_release -is

ZohoAssistURS New Fork (PID: 6266, Parent: 6254)

lsb_release (PID: 6266, Parent: 6254, MD5: 69f442c3e33b5f9a66b722c29ad89435) Arguments: /usr/bin/lsb_release -ds

ZohoAssistURS New Fork (PID: 6267, Parent: 6254)

lsb_release (PID: 6267, Parent: 6254, MD5: 69f442c3e33b5f9a66b722c29ad89435) Arguments: /usr/bin/lsb_release -rs

ZohoAssistURS New Fork (PID: 6270, Parent: 6254)

arch (PID: 6270, Parent: 6254, MD5: cb1f8525113d165c00fd975fddaed437) Arguments: /usr/bin/arch

ZohoAssistURS New Fork (PID: 6274, Parent: 6254)

ZohoAssistURS New Fork (PID: 6296, Parent: 6254)

ZohoAssistURS New Fork (PID: 6299, Parent: 6254)

ZohoAssistURS New Fork (PID: 6306, Parent: 6254)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
ZohoAssistURS	Linux_Trojan_Generic_d8953ca0	unknown	unknown	0xf73cd:$a: 5B 9C 9C 9C 9C 5C 5D 5E 5F 9C 9C 9C 9C B1 B2 B3 B4 9C 9C 9C 9C

Memory Dumps

Source	Rule	Description	Author	Strings
6306.1.0000000008048000.00000000083ac000.r-x.sdmp	APT38_LDACLS_78736_45	Detects APT38-Lazarus Linux DACLS	Emanuele De Lucia	0x25a048:$pt: INTERNAL_SYSCALL_ERRNO (e, __err) != EDEADLK \|\| (kind != PTHREAD_MUTEX_ERRORCHECK_NP && kind != PTHREAD_MUTEX_RECURSIVE_NP) 0x25a128:$s2: PTHREAD_MUTEX_TYPE (mutex) == PTHREAD_MUTEX_ERRORCHECK_NP 0x2725f0:$s3: TLS generation counter wrapped! Please report as described in <https://bugs.launchpad.net/ubuntu/+source/glibc/+bugs>. 0x25a390:$s5: type == PTHREAD_MUTEX_ERRORCHECK_NP 0x273cb4:$s6: int_no <= (uintmax_t) (exponent < 0 ? (INTMAX_MAX - bits + 1) / 4 : (INTMAX_MAX - exponent - bits + 1) / 4) 0x260038:$s8: Unexpected error %d on netlink descriptor %d (address family %d) 0x25a3b4:$s9: __pthread_mutex_unlock_usercnt 0x273d20:$s10: dig_no > int_no && exponent <= 0 && exponent >= MIN_10_EXP - (DIG + 2) 0x25a428:$s11: previous_prio == -1 \|\| (previous_prio >= fifo_min_prio && previous_prio <= fifo_max_prio) 0x26007c:$s13: Unexpected netlink response of size %zd on descriptor %d (address family %d) 0x2717dc:$s14: %s: Symbol `%s' has different size in shared object, consider re-linking 0x271899:$s15: relocation processing: %s%s 0x2710f4:$s17: ELF load command address/offset not properly aligned 0x25da1c:$s18: !victim \|\| chunk_is_mmapped (mem2chunk (victim)) \|\| ar_ptr == arena_for_chunk (mem2chunk (victim)) 0x25a164:$s20: __pthread_mutex_lock_full
6254.1.0000000008048000.00000000083ac000.r-x.sdmp	APT38_LDACLS_78736_45	Detects APT38-Lazarus Linux DACLS	Emanuele De Lucia	0x25a048:$pt: INTERNAL_SYSCALL_ERRNO (e, __err) != EDEADLK \|\| (kind != PTHREAD_MUTEX_ERRORCHECK_NP && kind != PTHREAD_MUTEX_RECURSIVE_NP) 0x25a128:$s2: PTHREAD_MUTEX_TYPE (mutex) == PTHREAD_MUTEX_ERRORCHECK_NP 0x2725f0:$s3: TLS generation counter wrapped! Please report as described in <https://bugs.launchpad.net/ubuntu/+source/glibc/+bugs>. 0x25a390:$s5: type == PTHREAD_MUTEX_ERRORCHECK_NP 0x273cb4:$s6: int_no <= (uintmax_t) (exponent < 0 ? (INTMAX_MAX - bits + 1) / 4 : (INTMAX_MAX - exponent - bits + 1) / 4) 0x260038:$s8: Unexpected error %d on netlink descriptor %d (address family %d) 0x25a3b4:$s9: __pthread_mutex_unlock_usercnt 0x273d20:$s10: dig_no > int_no && exponent <= 0 && exponent >= MIN_10_EXP - (DIG + 2) 0x25a428:$s11: previous_prio == -1 \|\| (previous_prio >= fifo_min_prio && previous_prio <= fifo_max_prio) 0x26007c:$s13: Unexpected netlink response of size %zd on descriptor %d (address family %d) 0x2717dc:$s14: %s: Symbol `%s' has different size in shared object, consider re-linking 0x271899:$s15: relocation processing: %s%s 0x2710f4:$s17: ELF load command address/offset not properly aligned 0x25da1c:$s18: !victim \|\| chunk_is_mmapped (mem2chunk (victim)) \|\| ar_ptr == arena_for_chunk (mem2chunk (victim)) 0x25a164:$s20: __pthread_mutex_lock_full
6299.1.0000000008048000.00000000083ac000.r-x.sdmp	APT38_LDACLS_78736_45	Detects APT38-Lazarus Linux DACLS	Emanuele De Lucia	0x25a048:$pt: INTERNAL_SYSCALL_ERRNO (e, __err) != EDEADLK \|\| (kind != PTHREAD_MUTEX_ERRORCHECK_NP && kind != PTHREAD_MUTEX_RECURSIVE_NP) 0x25a128:$s2: PTHREAD_MUTEX_TYPE (mutex) == PTHREAD_MUTEX_ERRORCHECK_NP 0x2725f0:$s3: TLS generation counter wrapped! Please report as described in <https://bugs.launchpad.net/ubuntu/+source/glibc/+bugs>. 0x25a390:$s5: type == PTHREAD_MUTEX_ERRORCHECK_NP 0x273cb4:$s6: int_no <= (uintmax_t) (exponent < 0 ? (INTMAX_MAX - bits + 1) / 4 : (INTMAX_MAX - exponent - bits + 1) / 4) 0x260038:$s8: Unexpected error %d on netlink descriptor %d (address family %d) 0x25a3b4:$s9: __pthread_mutex_unlock_usercnt 0x273d20:$s10: dig_no > int_no && exponent <= 0 && exponent >= MIN_10_EXP - (DIG + 2) 0x25a428:$s11: previous_prio == -1 \|\| (previous_prio >= fifo_min_prio && previous_prio <= fifo_max_prio) 0x26007c:$s13: Unexpected netlink response of size %zd on descriptor %d (address family %d) 0x2717dc:$s14: %s: Symbol `%s' has different size in shared object, consider re-linking 0x271899:$s15: relocation processing: %s%s 0x2710f4:$s17: ELF load command address/offset not properly aligned 0x25da1c:$s18: !victim \|\| chunk_is_mmapped (mem2chunk (victim)) \|\| ar_ptr == arena_for_chunk (mem2chunk (victim)) 0x25a164:$s20: __pthread_mutex_lock_full
6274.1.0000000008048000.00000000083ac000.r-x.sdmp	APT38_LDACLS_78736_45	Detects APT38-Lazarus Linux DACLS	Emanuele De Lucia	0x25a048:$pt: INTERNAL_SYSCALL_ERRNO (e, __err) != EDEADLK \|\| (kind != PTHREAD_MUTEX_ERRORCHECK_NP && kind != PTHREAD_MUTEX_RECURSIVE_NP) 0x25a128:$s2: PTHREAD_MUTEX_TYPE (mutex) == PTHREAD_MUTEX_ERRORCHECK_NP 0x2725f0:$s3: TLS generation counter wrapped! Please report as described in <https://bugs.launchpad.net/ubuntu/+source/glibc/+bugs>. 0x25a390:$s5: type == PTHREAD_MUTEX_ERRORCHECK_NP 0x273cb4:$s6: int_no <= (uintmax_t) (exponent < 0 ? (INTMAX_MAX - bits + 1) / 4 : (INTMAX_MAX - exponent - bits + 1) / 4) 0x260038:$s8: Unexpected error %d on netlink descriptor %d (address family %d) 0x25a3b4:$s9: __pthread_mutex_unlock_usercnt 0x273d20:$s10: dig_no > int_no && exponent <= 0 && exponent >= MIN_10_EXP - (DIG + 2) 0x25a428:$s11: previous_prio == -1 \|\| (previous_prio >= fifo_min_prio && previous_prio <= fifo_max_prio) 0x26007c:$s13: Unexpected netlink response of size %zd on descriptor %d (address family %d) 0x2717dc:$s14: %s: Symbol `%s' has different size in shared object, consider re-linking 0x271899:$s15: relocation processing: %s%s 0x2710f4:$s17: ELF load command address/offset not properly aligned 0x25da1c:$s18: !victim \|\| chunk_is_mmapped (mem2chunk (victim)) \|\| ar_ptr == arena_for_chunk (mem2chunk (victim)) 0x25a164:$s20: __pthread_mutex_lock_full
6296.1.0000000008048000.00000000083ac000.r-x.sdmp	APT38_LDACLS_78736_45	Detects APT38-Lazarus Linux DACLS	Emanuele De Lucia	0x25a048:$pt: INTERNAL_SYSCALL_ERRNO (e, __err) != EDEADLK \|\| (kind != PTHREAD_MUTEX_ERRORCHECK_NP && kind != PTHREAD_MUTEX_RECURSIVE_NP) 0x25a128:$s2: PTHREAD_MUTEX_TYPE (mutex) == PTHREAD_MUTEX_ERRORCHECK_NP 0x2725f0:$s3: TLS generation counter wrapped! Please report as described in <https://bugs.launchpad.net/ubuntu/+source/glibc/+bugs>. 0x25a390:$s5: type == PTHREAD_MUTEX_ERRORCHECK_NP 0x273cb4:$s6: int_no <= (uintmax_t) (exponent < 0 ? (INTMAX_MAX - bits + 1) / 4 : (INTMAX_MAX - exponent - bits + 1) / 4) 0x260038:$s8: Unexpected error %d on netlink descriptor %d (address family %d) 0x25a3b4:$s9: __pthread_mutex_unlock_usercnt 0x273d20:$s10: dig_no > int_no && exponent <= 0 && exponent >= MIN_10_EXP - (DIG + 2) 0x25a428:$s11: previous_prio == -1 \|\| (previous_prio >= fifo_min_prio && previous_prio <= fifo_max_prio) 0x26007c:$s13: Unexpected netlink response of size %zd on descriptor %d (address family %d) 0x2717dc:$s14: %s: Symbol `%s' has different size in shared object, consider re-linking 0x271899:$s15: relocation processing: %s%s 0x2710f4:$s17: ELF load command address/offset not properly aligned 0x25da1c:$s18: !victim \|\| chunk_is_mmapped (mem2chunk (victim)) \|\| ar_ptr == arena_for_chunk (mem2chunk (victim)) 0x25a164:$s20: __pthread_mutex_lock_full

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: unknown	TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42

Source: ZohoAssistURS	String found in binary or memory: http://upx.sf.net
Source: ZohoAssistURS, 6254.1.0000000008048000.00000000083ac000.r-x.sdmp, ZohoAssistURS, 6274.1.0000000008048000.00000000083ac000.r-x.sdmp, ZohoAssistURS, 6296.1.0000000008048000.00000000083ac000.r-x.sdmp, ZohoAssistURS, 6299.1.0000000008048000.00000000083ac000.r-x.sdmp, ZohoAssistURS, 6306.1.0000000008048000.00000000083ac000.r-x.sdmp	String found in binary or memory: https://bugs.launchpad.net/ubuntu/
Source: ZohoAssistURS, 6254.1.0000000008048000.00000000083ac000.r-x.sdmp, ZohoAssistURS, 6274.1.0000000008048000.00000000083ac000.r-x.sdmp, ZohoAssistURS, 6296.1.0000000008048000.00000000083ac000.r-x.sdmp, ZohoAssistURS, 6299.1.0000000008048000.00000000083ac000.r-x.sdmp, ZohoAssistURS, 6306.1.0000000008048000.00000000083ac000.r-x.sdmp	String found in binary or memory: https://www.manageengine.com/remote-desktop-management/support.html
Source: ZohoAssistURS, 6254.1.0000000008048000.00000000083ac000.r-x.sdmp, ZohoAssistURS, 6274.1.0000000008048000.00000000083ac000.r-x.sdmp, ZohoAssistURS, 6296.1.0000000008048000.00000000083ac000.r-x.sdmp, ZohoAssistURS, 6299.1.0000000008048000.00000000083ac000.r-x.sdmp, ZohoAssistURS, 6306.1.0000000008048000.00000000083ac000.r-x.sdmp	String found in binary or memory: https://www.manageengine.com/remote-desktop-management/support.html.
Source: ZohoAssistURS, 6254.1.0000000008048000.00000000083ac000.r-x.sdmp, ZohoAssistURS, 6274.1.0000000008048000.00000000083ac000.r-x.sdmp, ZohoAssistURS, 6296.1.0000000008048000.00000000083ac000.r-x.sdmp, ZohoAssistURS, 6299.1.0000000008048000.00000000083ac000.r-x.sdmp, ZohoAssistURS, 6306.1.0000000008048000.00000000083ac000.r-x.sdmp	String found in binary or memory: https://www.zoho.com/assist/contact-us.html
Source: ZohoAssistURS, 6254.1.0000000008048000.00000000083ac000.r-x.sdmp, ZohoAssistURS, 6274.1.0000000008048000.00000000083ac000.r-x.sdmp, ZohoAssistURS, 6296.1.0000000008048000.00000000083ac000.r-x.sdmp, ZohoAssistURS, 6299.1.0000000008048000.00000000083ac000.r-x.sdmp, ZohoAssistURS, 6306.1.0000000008048000.00000000083ac000.r-x.sdmp	String found in binary or memory: https://www.zoho.com/assist/contact-us.html.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 33606
Source: unknown	Network traffic detected: HTTP traffic on port 33606 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: ZohoAssistURS, type: SAMPLE	Matched rule: Linux_Trojan_Generic_d8953ca0 Author: unknown
Source: 6306.1.0000000008048000.00000000083ac000.r-x.sdmp, type: MEMORY	Matched rule: Detects APT38-Lazarus Linux DACLS Author: Emanuele De Lucia
Source: 6254.1.0000000008048000.00000000083ac000.r-x.sdmp, type: MEMORY	Matched rule: Detects APT38-Lazarus Linux DACLS Author: Emanuele De Lucia
Source: 6299.1.0000000008048000.00000000083ac000.r-x.sdmp, type: MEMORY	Matched rule: Detects APT38-Lazarus Linux DACLS Author: Emanuele De Lucia
Source: 6274.1.0000000008048000.00000000083ac000.r-x.sdmp, type: MEMORY	Matched rule: Detects APT38-Lazarus Linux DACLS Author: Emanuele De Lucia
Source: 6296.1.0000000008048000.00000000083ac000.r-x.sdmp, type: MEMORY	Matched rule: Detects APT38-Lazarus Linux DACLS Author: Emanuele De Lucia

Source: LOAD without section mappings

Program segment: 0xc01000

Source: ZohoAssistURS, type: SAMPLE	Matched rule: Linux_Trojan_Generic_d8953ca0 reference_sample = 552753661c3cc7b3a4326721789808482a4591cb662bc813ee50d95f101a3501, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Generic, fingerprint = 16ab55f99be8ed2a47618978a335a8c68369563c0a4d0a7ff716b5d4c9e0785c, id = d8953ca0-f1f1-4d76-8c80-06f16998ba03, last_modified = 2022-01-26
Source: 6306.1.0000000008048000.00000000083ac000.r-x.sdmp, type: MEMORY	Matched rule: APT38_LDACLS_78736_45 author = Emanuele De Lucia, description = Detects APT38-Lazarus Linux DACLS, reference = https://blog.netlab.360.com/dacls-the-dual-platform-rat/, hash = ba5b781ebacac07c4b14f9430a23ca0442e294236bd8dd14d1f69c6661551db8
Source: 6254.1.0000000008048000.00000000083ac000.r-x.sdmp, type: MEMORY	Matched rule: APT38_LDACLS_78736_45 author = Emanuele De Lucia, description = Detects APT38-Lazarus Linux DACLS, reference = https://blog.netlab.360.com/dacls-the-dual-platform-rat/, hash = ba5b781ebacac07c4b14f9430a23ca0442e294236bd8dd14d1f69c6661551db8
Source: 6299.1.0000000008048000.00000000083ac000.r-x.sdmp, type: MEMORY	Matched rule: APT38_LDACLS_78736_45 author = Emanuele De Lucia, description = Detects APT38-Lazarus Linux DACLS, reference = https://blog.netlab.360.com/dacls-the-dual-platform-rat/, hash = ba5b781ebacac07c4b14f9430a23ca0442e294236bd8dd14d1f69c6661551db8
Source: 6274.1.0000000008048000.00000000083ac000.r-x.sdmp, type: MEMORY	Matched rule: APT38_LDACLS_78736_45 author = Emanuele De Lucia, description = Detects APT38-Lazarus Linux DACLS, reference = https://blog.netlab.360.com/dacls-the-dual-platform-rat/, hash = ba5b781ebacac07c4b14f9430a23ca0442e294236bd8dd14d1f69c6661551db8
Source: 6296.1.0000000008048000.00000000083ac000.r-x.sdmp, type: MEMORY	Matched rule: APT38_LDACLS_78736_45 author = Emanuele De Lucia, description = Detects APT38-Lazarus Linux DACLS, reference = https://blog.netlab.360.com/dacls-the-dual-platform-rat/, hash = ba5b781ebacac07c4b14f9430a23ca0442e294236bd8dd14d1f69c6661551db8

Source: classification engine

Classification label: mal52.evad.lin@0/2@0/0

Data Obfuscation

Sample is packed with UPX

Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Id: UPX 3.91 Copyright (C) 1996-2013 the UPX Team. All Rights Reserved. $

Source: /usr/bin/dash (PID: 6227)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.O10wnoseVX /tmp/tmp.ARg99a7w6h /tmp/tmp.zOF6mVtUcG			Jump to behavior
Source: /usr/bin/dash (PID: 6228)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.O10wnoseVX /tmp/tmp.ARg99a7w6h /tmp/tmp.zOF6mVtUcG			Jump to behavior

Source: /tmp/ZohoAssistURS (PID: 6254)

Log file created: /var/log/ZohoAssist/service.log

Jump to dropped file

Source: ZohoAssistURS

Submission file: segment LOAD with 7.9011 entropy (max. 8.0)

Source: /tmp/ZohoAssistURS (PID: 6254)

Truncated file: /var/log/ZohoAssist/service.log

Jump to behavior

Source: /tmp/ZohoAssistURS (PID: 6254)	Queries kernel information via 'uname':			Jump to behavior
Source: /usr/bin/arch (PID: 6270)	Queries kernel information via 'uname':			Jump to behavior

Source: /tmp/ZohoAssistURS (PID: 6265)	Arguments: /usr/bin/lsb_release -> /usr/bin/lsb_release -is	Jump to behavior
Source: /tmp/ZohoAssistURS (PID: 6266)	Arguments: /usr/bin/lsb_release -> /usr/bin/lsb_release -ds	Jump to behavior
Source: /tmp/ZohoAssistURS (PID: 6267)	Arguments: /usr/bin/lsb_release -> /usr/bin/lsb_release -rs	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 Indicator Removal	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	11 Obfuscated Files or Information	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 File Deletion	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://www.zoho.com/assist/contact-us.html.	ZohoAssistURS, 6254.1.0000000008048000.00000000083ac000.r-x.sdmp, ZohoAssistURS, 6274.1.0000000008048000.00000000083ac000.r-x.sdmp, ZohoAssistURS, 6296.1.0000000008048000.00000000083ac000.r-x.sdmp, ZohoAssistURS, 6299.1.0000000008048000.00000000083ac000.r-x.sdmp, ZohoAssistURS, 6306.1.0000000008048000.00000000083ac000.r-x.sdmp	false	high
http://upx.sf.net	ZohoAssistURS	false	high
https://bugs.launchpad.net/ubuntu/	ZohoAssistURS, 6254.1.0000000008048000.00000000083ac000.r-x.sdmp, ZohoAssistURS, 6274.1.0000000008048000.00000000083ac000.r-x.sdmp, ZohoAssistURS, 6296.1.0000000008048000.00000000083ac000.r-x.sdmp, ZohoAssistURS, 6299.1.0000000008048000.00000000083ac000.r-x.sdmp, ZohoAssistURS, 6306.1.0000000008048000.00000000083ac000.r-x.sdmp	false	high
https://www.zoho.com/assist/contact-us.html	ZohoAssistURS, 6254.1.0000000008048000.00000000083ac000.r-x.sdmp, ZohoAssistURS, 6274.1.0000000008048000.00000000083ac000.r-x.sdmp, ZohoAssistURS, 6296.1.0000000008048000.00000000083ac000.r-x.sdmp, ZohoAssistURS, 6299.1.0000000008048000.00000000083ac000.r-x.sdmp, ZohoAssistURS, 6306.1.0000000008048000.00000000083ac000.r-x.sdmp	false	high
https://www.manageengine.com/remote-desktop-management/support.html.	ZohoAssistURS, 6254.1.0000000008048000.00000000083ac000.r-x.sdmp, ZohoAssistURS, 6274.1.0000000008048000.00000000083ac000.r-x.sdmp, ZohoAssistURS, 6296.1.0000000008048000.00000000083ac000.r-x.sdmp, ZohoAssistURS, 6299.1.0000000008048000.00000000083ac000.r-x.sdmp, ZohoAssistURS, 6306.1.0000000008048000.00000000083ac000.r-x.sdmp	false	high
https://www.manageengine.com/remote-desktop-management/support.html	ZohoAssistURS, 6254.1.0000000008048000.00000000083ac000.r-x.sdmp, ZohoAssistURS, 6274.1.0000000008048000.00000000083ac000.r-x.sdmp, ZohoAssistURS, 6296.1.0000000008048000.00000000083ac000.r-x.sdmp, ZohoAssistURS, 6299.1.0000000008048000.00000000083ac000.r-x.sdmp, ZohoAssistURS, 6306.1.0000000008048000.00000000083ac000.r-x.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
54.171.230.55	unknown	United States	16509	AMAZON-02US	false
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54.171.230.55	Aqua.mpsl.elf	Get hash	malicious	Unknown	Browse
	x86_64.elf	Get hash	malicious	Unknown	Browse
	socat.elf	Get hash	malicious	Unknown	Browse
	arm5.elf	Get hash	malicious	Unknown	Browse
	bot.mips.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse
	emips.elf	Get hash	malicious	Unknown	Browse
	i.elf	Get hash	malicious	Unknown	Browse
	.i.elf	Get hash	malicious	Unknown	Browse
	i.elf	Get hash	malicious	Unknown	Browse
	boatnet.arm.elf	Get hash	malicious	Mirai	Browse
109.202.202.202	kpLwzBouH4.elf	Get hash	malicious	Unknown	Browse	ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
91.189.91.43	.i.elf	Get hash	malicious	Unknown	Browse
	file-grey.elf	Get hash	malicious	Unknown	Browse
	Aqua.mips.elf	Get hash	malicious	Unknown	Browse
	Aqua.mpsl.elf	Get hash	malicious	Unknown	Browse
	DEMONS.mips.elf	Get hash	malicious	Unknown	Browse
	i.elf	Get hash	malicious	Unknown	Browse
	i.elf	Get hash	malicious	Unknown	Browse
	Hilix.arm5.elf	Get hash	malicious	Mirai	Browse
	i586.elf	Get hash	malicious	Unknown	Browse
	x86_64.elf	Get hash	malicious	Unknown	Browse
91.189.91.42	.i.elf	Get hash	malicious	Unknown	Browse
	file-grey.elf	Get hash	malicious	Unknown	Browse
	Aqua.mips.elf	Get hash	malicious	Unknown	Browse
	Aqua.mpsl.elf	Get hash	malicious	Unknown	Browse
	DEMONS.mips.elf	Get hash	malicious	Unknown	Browse
	i.elf	Get hash	malicious	Unknown	Browse
	i.elf	Get hash	malicious	Unknown	Browse
	Hilix.arm5.elf	Get hash	malicious	Mirai	Browse
	i586.elf	Get hash	malicious	Unknown	Browse
	x86_64.elf	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CANONICAL-ASGB	.i.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	file-grey.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	Aqua.mips.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	Aqua.mpsl.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	DEMONS.mips.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	DEMONS.arm5.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	DEMONS.arm7.elf	Get hash	malicious	Mirai	Browse	185.125.190.26
	i.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	i.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	Hilix.arm5.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
CANONICAL-ASGB	.i.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	file-grey.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	Aqua.mips.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	Aqua.mpsl.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	DEMONS.mips.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	DEMONS.arm5.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	DEMONS.arm7.elf	Get hash	malicious	Mirai	Browse	185.125.190.26
	i.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	i.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	Hilix.arm5.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
AMAZON-02US	https://klickskydd.skolverket.org/?url=https%3A%2F%2Fwww.gazeta.ru%2Fpolitics%2Fnews%2F2024%2F12%2F22%2F24684722.shtml&id=71de&rcpt=upplysningstjansten@skolverket.se&tss=1735469857&msgid=b53e7603-c5d3-11ef-8a2e-0050569b0508&html=1&h=ded85c63	Get hash	malicious	HTMLPhisher	Browse	52.17.153.181
	https://www.gazeta.ru/politics/news/2024/12/22/24684722.shtml	Get hash	malicious	HTMLPhisher	Browse	52.17.153.181
	https://www.gazeta.ru/politics/news/2024/12/22/24684854.shtml	Get hash	malicious	HTMLPhisher	Browse	54.73.51.224
	Aqua.mpsl.elf	Get hash	malicious	Unknown	Browse	54.171.230.55
	DEMONS.arm.elf	Get hash	malicious	Unknown	Browse	54.182.101.254
	DEMONS.x86.elf	Get hash	malicious	Unknown	Browse	54.104.203.155
	DEMONS.spc.elf	Get hash	malicious	Unknown	Browse	52.53.164.79
	https://www.ecorfan.org/	Get hash	malicious	Unknown	Browse	13.35.58.57
	NOTIFICATION_OF_DEPENDANTS_1.vbs	Get hash	malicious	Xmrig	Browse	52.222.214.68
INIT7CH	.i.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	file-grey.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	Aqua.mips.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	Aqua.mpsl.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	DEMONS.mips.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	i.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	i.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	Hilix.arm5.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	i586.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	x86_64.elf	Get hash	malicious	Unknown	Browse	109.202.202.202

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

/var/log/ZohoAssist/UpgraderTiming

Download File

Process:	/tmp/ZohoAssistURS
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	10
Entropy (8bit):	3.1219280948873624
Encrypted:	false
SSDEEP:	3:KVjcyRn:KeyR
MD5:	FEEEFA70AA9BDAEA69AE9C166540BB57
SHA1:	6752E55789E0D25E1527F189E3497AB9CF64809C
SHA-256:	A9C2D701F4E38E29D209C02C8C10627F4B7DA1B1590E74F35AC90B859575D63A
SHA-512:	ABCB6B7FC450A9E606FC6D742032E8F9FCA036EFEB92B8A8A7BC26E726B7679ED737284AC8791CC42802890F992088CEE3B5B6308C50B4836BF59516E7332609
Malicious:	false
Reputation:	low
Preview:	1607596234

/var/log/ZohoAssist/service.log

Download File

Process:	/tmp/ZohoAssistURS
File Type:	ASCII text
Category:	dropped
Size (bytes):	1790
Entropy (8bit):	5.027573391231259
Encrypted:	false
SSDEEP:	48:41A52L7OZ6c16calX6cqHd/DKHd/D9FpHd/DcHd/Dk:1MOZ313iX3qHd/DKHd/D3pHd/DcHd/Dk
MD5:	F990196A25B441D70E8B7635363BC10F
SHA1:	286FF69035BA1F8E967F1BC2ADE1548F4792B550
SHA-256:	5E892CA973EBE0426C44FC5A2FA7B896279D16E0C7DB44A03E6E3B93FC4A3835
SHA-512:	58B86FD73C2610F0FAB36775B152E937EB0D8EED3E3337E8AA95E955203A6208C804FF61A3B4452006EFC4D6C63C33AC48EBC795D7A958DEC9A391643D8024B8
Malicious:	false
Reputation:	low
Preview:	2025/01/02 09:40:29 ee790ed497803b55301cdb72afc5721a [[pausing service]].2025/01/02 09:40:29 [[-----------------------------------------Starting Service-------------------------------------------------------------]].2025/01/02 09:40:29 6e4d66204714abe7855368f75493b65d [[Started Urs Starter service]].2025/01/02 09:40:39 ee790ed497803b55301cdb72afc5721a [[resuming service]].2025/01/02 09:40:39 87941252b59a46d7a43b744f3678896b [[ error running command arch exit status 1]].2025/01/02 09:40:39 14723d4de332c0a066bc3d372a6f33a3 [[ system is type debian]].2025/01/02 09:40:40 14723d4de332c0a066bc3d372a6f33a3 [[ system architecture is x86_64]].2025/01/02 09:40:40 14723d4de332c0a066bc3d372a6f33a3 [[ system os is Ubuntu 20.04.2 LTS]].2025/01/02 09:40:46 6e4d66204714abe7855368f75493b65d [[ starting agent]].2025/01/02 09:40:46 18af6f8bebad2b161d9f5b7e00de5077 [[ error starting service fork/exec /usr/local/ZohoAssist/Service/ZohoAssistUnattended: no such file or directory]].2025/01/02 09:40:51 6e

Static File Info

General

File type:	ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, no section header
Entropy (8bit):	7.901105087845047
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 50.16% ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:	ZohoAssistURS
File size:	1'581'896 bytes
MD5:	0df479c4d1b61e1709f629ef324064e2
SHA1:	8fd958aaf4c7fd7ee7d9c308c3967746c0ce5c03
SHA256:	0250e5698ccd754c59a0ab1b08956fca1eab475ebf6fa4bae42ee4bc88554e42
SHA512:	aecd07e4c12aeb2c13743a78a385f9ed97975e3f585ac4531b93334c46fb0a54c09dd4ffd242008a053bc5e85e1176d58e6bf17f3c8207f3ef07d3ba050de47a
SSDEEP:	24576:uoa3dIRz7zgZN+U2RsfW0UE/Rh1Ztx+bEIFM40xdfD+HA7oZf7aBfFkYV/I:upwTuaufmEphMVTifDmlOBlVw
TLSH:	777533C30216459B7D278D6EDAD41F148FEA18B970CDCA40D8EC17CA767FA27848CB5A
File Content Preview:	.ELF.....................#..4...........4. ...(.....................!...!...............@...@.@.@.@...................T.UPX!4.......l.8.l.8............._{...ELF........6..o....4T.8/. ...(.'.&..Wyg.Y.F..36..'...o..?T?.T.:...f..........?....v........./.....

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Intel 80386
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - Linux
ABI Version:	0
Entry Point Address:	0xd823f8
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	2
Section Header Offset:	0
Section Header Size:	40
Number of Section Headers:	0
Header String Table Index:	0

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Prog Interpreter	Section Mappings
LOAD	0x0	0xc01000	0xc01000	0x181c21	0x181c21	7.9011	0x5	R E	0x1000
LOAD	0x240	0x840a240	0x840a240	0x0	0x0	0.0000	0x6	RW	0x1000

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 2, 2025 16:40:29.357422113 CET	443	33606	54.171.230.55	192.168.2.23
Jan 2, 2025 16:40:29.357878923 CET	33606	443	192.168.2.23	54.171.230.55
Jan 2, 2025 16:40:29.362658978 CET	443	33606	54.171.230.55	192.168.2.23
Jan 2, 2025 16:40:30.984124899 CET	43928	443	192.168.2.23	91.189.91.42
Jan 2, 2025 16:40:36.359353065 CET	42836	443	192.168.2.23	91.189.91.43
Jan 2, 2025 16:40:38.151196003 CET	42516	80	192.168.2.23	109.202.202.202
Jan 2, 2025 16:40:51.461272001 CET	43928	443	192.168.2.23	91.189.91.42
Jan 2, 2025 16:41:03.747481108 CET	42836	443	192.168.2.23	91.189.91.43
Jan 2, 2025 16:41:07.842890978 CET	42516	80	192.168.2.23	109.202.202.202
Jan 2, 2025 16:41:32.415482998 CET	43928	443	192.168.2.23	91.189.91.42

System Behavior

Analysis Process: dash PID: 6227, Parent PID: 4332

General

Start time (UTC):	15:40:28
Start date (UTC):	02/01/2025
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: rm PID: 6227, Parent PID: 4332

General

Start time (UTC):	15:40:28
Start date (UTC):	02/01/2025
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.O10wnoseVX /tmp/tmp.ARg99a7w6h /tmp/tmp.zOF6mVtUcG
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Chronological Activities

Analysis Process: dash PID: 6228, Parent PID: 4332

General

Start time (UTC):	15:40:28
Start date (UTC):	02/01/2025
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: rm PID: 6228, Parent PID: 4332

General

Start time (UTC):	15:40:28
Start date (UTC):	02/01/2025
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.O10wnoseVX /tmp/tmp.ARg99a7w6h /tmp/tmp.zOF6mVtUcG
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Chronological Activities

Analysis Process: ZohoAssistURS PID: 6254, Parent PID: 6156

General

Start time (UTC):	15:40:29
Start date (UTC):	02/01/2025
Path:	/tmp/ZohoAssistURS
Arguments:	/tmp/ZohoAssistURS
File size:	1581896 bytes
MD5 hash:	0df479c4d1b61e1709f629ef324064e2

Chronological Activities

Analysis Process: ZohoAssistURS PID: 6264, Parent PID: 6254

General

Start time (UTC):	15:40:39
Start date (UTC):	02/01/2025
Path:	/tmp/ZohoAssistURS
Arguments:	-
File size:	1581896 bytes
MD5 hash:	0df479c4d1b61e1709f629ef324064e2

Chronological Activities

Analysis Process: arch PID: 6264, Parent PID: 6254

General

Start time (UTC):	15:40:39
Start date (UTC):	02/01/2025
Path:	/usr/bin/arch
Arguments:	arch
File size:	39288 bytes
MD5 hash:	cb1f8525113d165c00fd975fddaed437

Chronological Activities

Analysis Process: ZohoAssistURS PID: 6265, Parent PID: 6254

General

Start time (UTC):	15:40:39
Start date (UTC):	02/01/2025
Path:	/tmp/ZohoAssistURS
Arguments:	-
File size:	1581896 bytes
MD5 hash:	0df479c4d1b61e1709f629ef324064e2

Chronological Activities

Analysis Process: lsb_release PID: 6265, Parent PID: 6254

General

Start time (UTC):	15:40:39
Start date (UTC):	02/01/2025
Path:	/usr/bin/lsb_release
Arguments:	/usr/bin/lsb_release -is
File size:	5490352 bytes
MD5 hash:	69f442c3e33b5f9a66b722c29ad89435

Chronological Activities

Analysis Process: ZohoAssistURS PID: 6266, Parent PID: 6254

General

Start time (UTC):	15:40:39
Start date (UTC):	02/01/2025
Path:	/tmp/ZohoAssistURS
Arguments:	-
File size:	1581896 bytes
MD5 hash:	0df479c4d1b61e1709f629ef324064e2

Chronological Activities

Analysis Process: lsb_release PID: 6266, Parent PID: 6254

General

Start time (UTC):	15:40:39
Start date (UTC):	02/01/2025
Path:	/usr/bin/lsb_release
Arguments:	/usr/bin/lsb_release -ds
File size:	5490352 bytes
MD5 hash:	69f442c3e33b5f9a66b722c29ad89435

Chronological Activities

Analysis Process: ZohoAssistURS PID: 6267, Parent PID: 6254

General

Start time (UTC):	15:40:39
Start date (UTC):	02/01/2025
Path:	/tmp/ZohoAssistURS
Arguments:	-
File size:	1581896 bytes
MD5 hash:	0df479c4d1b61e1709f629ef324064e2

Chronological Activities

Analysis Process: lsb_release PID: 6267, Parent PID: 6254

General

Start time (UTC):	15:40:39
Start date (UTC):	02/01/2025
Path:	/usr/bin/lsb_release
Arguments:	/usr/bin/lsb_release -rs
File size:	5490352 bytes
MD5 hash:	69f442c3e33b5f9a66b722c29ad89435

Chronological Activities

Analysis Process: ZohoAssistURS PID: 6270, Parent PID: 6254

General

Start time (UTC):	15:40:40
Start date (UTC):	02/01/2025
Path:	/tmp/ZohoAssistURS
Arguments:	-
File size:	1581896 bytes
MD5 hash:	0df479c4d1b61e1709f629ef324064e2

Chronological Activities

Analysis Process: arch PID: 6270, Parent PID: 6254

General

Start time (UTC):	15:40:40
Start date (UTC):	02/01/2025
Path:	/usr/bin/arch
Arguments:	/usr/bin/arch
File size:	39288 bytes
MD5 hash:	cb1f8525113d165c00fd975fddaed437

Chronological Activities

Analysis Process: ZohoAssistURS PID: 6274, Parent PID: 6254

General

Start time (UTC):	15:40:46
Start date (UTC):	02/01/2025
Path:	/tmp/ZohoAssistURS
Arguments:	-
File size:	1581896 bytes
MD5 hash:	0df479c4d1b61e1709f629ef324064e2

Chronological Activities

Analysis Process: ZohoAssistURS PID: 6296, Parent PID: 6254

General

Start time (UTC):	15:40:51
Start date (UTC):	02/01/2025
Path:	/tmp/ZohoAssistURS
Arguments:	-
File size:	1581896 bytes
MD5 hash:	0df479c4d1b61e1709f629ef324064e2

Chronological Activities

Analysis Process: ZohoAssistURS PID: 6299, Parent PID: 6254

General

Start time (UTC):	15:40:56
Start date (UTC):	02/01/2025
Path:	/tmp/ZohoAssistURS
Arguments:	-
File size:	1581896 bytes
MD5 hash:	0df479c4d1b61e1709f629ef324064e2

Chronological Activities

Analysis Process: ZohoAssistURS PID: 6306, Parent PID: 6254

General

Start time (UTC):	15:41:11
Start date (UTC):	02/01/2025
Path:	/tmp/ZohoAssistURS
Arguments:	-
File size:	1581896 bytes
MD5 hash:	0df479c4d1b61e1709f629ef324064e2

Description:	Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
Tactics:	Defense Evasion
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Deletion, File: File Metadata, File: File Modification, Firewall: Firewall Rule Modification, Network Traffic: Network Traffic Content, Process: OS API Execution, Process: Process Creation, Scheduled Job: Scheduled Job Modification, User Account: User Account Authentication, User Account: User Account Deletion, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, Google Workspace, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report ZohoAssistURS

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Initial Sample

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/var/log/ZohoAssist/UpgraderTiming

/var/log/ZohoAssist/service.log

Static File Info

General

Static ELF Info

ELF header

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: dash PID: 6227, Parent PID: 4332

General

Chronological Activities

Analysis Process: rm PID: 6227, Parent PID: 4332

General

Chronological Activities

Analysis Process: dash PID: 6228, Parent PID: 4332

General

Chronological Activities

Analysis Process: rm PID: 6228, Parent PID: 4332

General

Chronological Activities

Analysis Process: ZohoAssistURS PID: 6254, Parent PID: 6156

General

Chronological Activities

Analysis Process: ZohoAssistURS PID: 6264, Parent PID: 6254

General

Chronological Activities

Linux Analysis Report
ZohoAssistURS