
Linux Analysis Report
socat

Overview

General Information

Sample name: socat
Analysis ID: 1653510
MD5: 702aedbf38c1ee6af51862a7988456ff
SHA1: 190082382787c2eb99d175210f1ce20b51d95708
SHA256: dc5853ef949bcdc092f61544ae9b7c87b003cdc8d7fc0641b09f8414b2607e25

Detection

Score: 48
Range: 0 - 100

Signatures

Malicious sample detected (through community Yara rule)
Executes the "rm" command used to delete files or directories
Yara signature match

Classification

Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1653510
Start date and time: 2025-04-01 11:04:58 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 17s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: socat
Detection: MAL
Classification: mal48.lin@0/0@2/0
Cookbook Comments:
  • Analysis time extended to 480s due to sleep detection in submitted sample
Command: /tmp/socat
PID: 5479
Exit Code: 127
Exit Code Info:
Killed: False
Standard Output:
Standard Error: /tmp/socat: error while loading shared libraries: libssl.so.3: cannot open shared object file: No such file or directory
Process tree:
  • system is lnxubuntu20
  • socat (PID: 5479, Parent: 5404, MD5: 702aedbf38c1ee6af51862a7988456ff) Arguments: /tmp/socat
  • dash New Fork (PID: 5543, Parent: 3632)
  • rm (PID: 5543, Parent: 3632, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.FUmv6IINKK /tmp/tmp.vQOoUDuwgu /tmp/tmp.RqTtrnclvJ
  • dash New Fork (PID: 5544, Parent: 3632)
  • rm (PID: 5544, Parent: 3632, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.FUmv6IINKK /tmp/tmp.vQOoUDuwgu /tmp/tmp.RqTtrnclvJ
  • cleanup
Yara matches
Source: socat; Rule: hacktool_socat_strings; Description: Detects socat; Author: Sekoia.io
Matched strings:
  • 0x3d12e:$: [options] <bi-address> <bi-address>
  • 0x44ecc:$: version %s on %s
  • 0x453df:$: version %s on %s
  • 0x3d9c8:$: socat_signal():
  • 0x3d9f0:$: socat_signal():
No Suricata rule has matched

Networking

Source: unknown; TCP traffic detected without corresponding DNS query: 54.171.230.55 (reported 4 times)
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported 2 times)
Source: global traffic; DNS traffic detected: DNS query: daisy.ubuntu.com
Source: socat; String found in binary or memory: http://www.openssl.org/)
Source: unknown; Network traffic detected: HTTP traffic on port 34590 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 37910
Source: unknown; Network traffic detected: HTTP traffic on port 37910 -> 443

System Summary

Source: socat, type: SAMPLE; Matched rule: Detects socat; Author: Sekoia.io
Source: socat, type: SAMPLE; Matched rule: hacktool_socat_strings; author = Sekoia.io, description = Detects socat, creation_date = 2023-12-08, classification = TLP:CLEAR, version = 1.0, id = 7c7e4085-39b2-445e-a9ff-52f21936e714
Source: classification engine; Classification label: mal48.lin@0/0@2/0
Source: /usr/bin/dash (PID: 5543); Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.FUmv6IINKK /tmp/tmp.vQOoUDuwgu /tmp/tmp.RqTtrnclvJ
Source: /usr/bin/dash (PID: 5544); Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.FUmv6IINKK /tmp/tmp.vQOoUDuwgu /tmp/tmp.RqTtrnclvJ
MITRE ATT&CK Matrix (techniques matched by signatures; the empty placeholder cells of the matrix are omitted)
  • Defense Evasion: File Deletion (1 signature)
  • Command and Control: Encrypted Channel (1 signature), Non-Application Layer Protocol (1 signature), Application Layer Protocol (2 signatures)
No configs have been found
Behavior Graph (ID: 1653510, Sample: socat, Start date: 01/04/2025, Architecture: LINUX, Score: 48)
  • Processes started: socat; dash -> rm; dash -> rm
  • Network: 54.171.230.55 (ports 37910, 443) and 54.217.10.153 (port 443), both AMAZON-02US, United States; DNS: daisy.ubuntu.com
  • Signature: Malicious sample detected (through community Yara rule)
No Antivirus matches

Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
daisy.ubuntu.com | 162.213.35.24 | true | false | - | high

URLs
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.openssl.org/) | socat | false | - | high

IPs
IP | Domain | Country | ASN | ASN Name | Malicious
54.171.230.55 | unknown | United States | 16509 | AMAZON-02US | false
54.217.10.153 | unknown | United States | 16509 | AMAZON-02US | false
Context: IPs (other analysed samples that contacted the same IP; sample name, threat name)
54.171.230.55:
  • na.elf (Prometei)
  • killua.arm5.elf (Unknown)
  • ub8ehJSePAfc9FYqZIT6.mips.elf (Unknown)
  • na.elf (Prometei)
  • eehah4.elf (Unknown)
  • sshd.elf (Unknown)
  • na.elf (Prometei)
  • na.elf (Prometei)
  • na.elf (Prometei)
  • na.elf (Prometei)
54.217.10.153:
  • na.elf (Prometei)
  • na.elf (Prometei)
  • Execution.i586.elf (Gafgyt, Mirai)
  • havoc.spc.elf (Mirai, Okiru)
  • na.elf (Prometei)
  • na.elf (Prometei)
  • boatnet.arm.elf (Mirai)
  • ppc.elf (Unknown)
  • mips.elf (Mirai)
  • mpsl.elf (Mirai)
Context: Domains (other analysed samples that resolved the same domain; sample name, threat name, resolved IP)
daisy.ubuntu.com:
  • killua.x86_64.elf (Unknown) - 162.213.35.25
  • killua.mipsel.elf (Unknown) - 162.213.35.25
  • killua.arm6.elf (Unknown) - 162.213.35.24
  • killua.arm4.elf (Unknown) - 162.213.35.25
  • killua.mips.elf (Unknown) - 162.213.35.24
  • miraint.ppc.elf (Mirai) - 162.213.35.25
  • miraint.armhf.elf (Mirai) - 162.213.35.24
  • miraint.sh4.elf (Mirai) - 162.213.35.24
  • miraint.arm64.elf (Mirai) - 162.213.35.24
  • mirai.arm64.elf (Mirai) - 162.213.35.24
Context: ASNs (other analysed samples that contacted the same ASN; sample name, threat name, contacted IP)
AMAZON-02US:
  • na.elf (Prometei) - 13.213.51.196
  • na.elf (Prometei) - 34.243.160.129
  • na.elf (Prometei) - 34.249.145.219
  • https://click.pstmrk.it/3s/zyn.free.hr%2F/uXHt/uV68AQ/AQ/0077beba-9050-4a8e-b7ce-7b048a1b6ed6/2/GPgWu-krWI (Unknown) - 3.146.16.147
  • na.elf (Prometei) - 13.213.51.196
  • na.elf (Prometei) - 13.213.51.196
  • eoIIBcxUj3.exe (FormBook) - 13.248.213.45
  • na.elf (Prometei) - 34.249.145.219
  • .i.elf (Unknown) - 34.249.145.219
  • na.elf (Prometei) - 34.249.145.219
No context
No created / dropped files found

Static File Info

File type: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 4.4.0, BuildID[sha1]=9407035b1e395a5ddc290090cb29e457beb77381, stripped
Entropy (8bit): 5.87378740269209
TrID:
  • ELF Executable and Linkable format (Linux) (4029/14) 49.77%
  • ELF Executable and Linkable format (generic) (4004/1) 49.46%
  • Lumena CEL bitmap (63/63) 0.78%
File name: socat
File size: 380'328 bytes
MD5: 702aedbf38c1ee6af51862a7988456ff
SHA1: 190082382787c2eb99d175210f1ce20b51d95708
SHA256: dc5853ef949bcdc092f61544ae9b7c87b003cdc8d7fc0641b09f8414b2607e25
SHA512: 40b675272660b30ef076f6a47601deb26165f49ef14b5a8825a34e2b35ba70583f6152396f3491f997164b2b577ae93176b828367edbb524e211aebf0db19066
SSDEEP: 6144:V9SFMi4OWEoiQykMg3/iO6rHTqkw3FPsq+rmq:V9Numfo3qkwVPsq+rm
TLSH: C6844B05DA72287CD586C0344B7B82727630F8FD9322766FBB8D9A303DA5DE4562DB21
File Content Preview: .ELF..............>.....p.......@...................@.8...@.............@.......@.......@........................................................................................................................J.......J.......................P.......P.....

Network Behavior

  • Total Packets: 7
  • 443 (HTTPS)
  • 53 (DNS)

TCP Packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 1, 2025 11:05:37.419249058 CEST | 34590 | 443 | 192.168.2.14 | 54.217.10.153
Apr 1, 2025 11:06:05.896596909 CEST | 37910 | 443 | 192.168.2.14 | 54.171.230.55
Apr 1, 2025 11:06:05.896641970 CEST | 443 | 37910 | 54.171.230.55 | 192.168.2.14
Apr 1, 2025 11:06:05.896770000 CEST | 37910 | 443 | 192.168.2.14 | 54.171.230.55
Apr 1, 2025 11:06:05.898641109 CEST | 37910 | 443 | 192.168.2.14 | 54.171.230.55
Apr 1, 2025 11:06:05.898657084 CEST | 443 | 37910 | 54.171.230.55 | 192.168.2.14
Apr 1, 2025 11:07:05.906291008 CEST | 37910 | 443 | 192.168.2.14 | 54.171.230.55
Apr 1, 2025 11:07:05.952276945 CEST | 443 | 37910 | 54.171.230.55 | 192.168.2.14

UDP Packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 1, 2025 11:08:23.845063925 CEST | 60717 | 53 | 192.168.2.14 | 1.1.1.1
Apr 1, 2025 11:08:23.845208883 CEST | 47114 | 53 | 192.168.2.14 | 1.1.1.1
Apr 1, 2025 11:08:23.929605007 CEST | 53 | 47114 | 1.1.1.1 | 192.168.2.14
Apr 1, 2025 11:08:23.929632902 CEST | 53 | 60717 | 1.1.1.1 | 192.168.2.14

DNS Queries
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 1, 2025 11:08:23.845063925 CEST | 192.168.2.14 | 1.1.1.1 | 0x9da2 | Standard query (0) | daisy.ubuntu.com | A (IP address) | IN (0x0001) | false
Apr 1, 2025 11:08:23.845208883 CEST | 192.168.2.14 | 1.1.1.1 | 0xf676 | Standard query (0) | daisy.ubuntu.com | 28 | IN (0x0001) | false

DNS Answers
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 1, 2025 11:08:23.929632902 CEST | 1.1.1.1 | 192.168.2.14 | 0x9da2 | No error (0) | daisy.ubuntu.com | - | 162.213.35.24 | A (IP address) | IN (0x0001) | false
Apr 1, 2025 11:08:23.929632902 CEST | 1.1.1.1 | 192.168.2.14 | 0x9da2 | No error (0) | daisy.ubuntu.com | - | 162.213.35.25 | A (IP address) | IN (0x0001) | false

System Behavior

Start time (UTC): 09:05:37
Start date (UTC): 01/04/2025
Path: /tmp/socat
Arguments: /tmp/socat
File size: 380328 bytes
MD5 hash: 702aedbf38c1ee6af51862a7988456ff

Start time (UTC): 09:07:05
Start date (UTC): 01/04/2025
Path: /usr/bin/dash
Arguments: -
File size: 129816 bytes
MD5 hash: 1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC): 09:07:05
Start date (UTC): 01/04/2025
Path: /usr/bin/rm
Arguments: rm -f /tmp/tmp.FUmv6IINKK /tmp/tmp.vQOoUDuwgu /tmp/tmp.RqTtrnclvJ
File size: 72056 bytes
MD5 hash: aa2b5496fdbfd88e38791ab81f90b95b

Start time (UTC): 09:07:05
Start date (UTC): 01/04/2025
Path: /usr/bin/dash
Arguments: -
File size: 129816 bytes
MD5 hash: 1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC): 09:07:05
Start date (UTC): 01/04/2025
Path: /usr/bin/rm
Arguments: rm -f /tmp/tmp.FUmv6IINKK /tmp/tmp.vQOoUDuwgu /tmp/tmp.RqTtrnclvJ
File size: 72056 bytes
MD5 hash: aa2b5496fdbfd88e38791ab81f90b95b