Linux Analysis Report 32112

Overview

General Information

Sample Name: 32112
Analysis ID: 480576
MD5: 93170b256335fc31063134e74cc6687b
SHA1: 86ec6e9e30b90587cca43d2b96aa3b744fbe4e8e
SHA256: 8ea420d9aa341ba23cdea0ac03951bce866c933ba297268bc7db8a01ce8e9b8e

Detection

Score: 48
Range: 0 - 100
Whitelisted: false

Signatures

Writes identical ELF files to multiple locations
Drops invisible ELF files
Uses the "uname" system call to query kernel version information (possible evasion)
Writes ELF files to disk
Executes commands using a shell command-line interpreter
Executes the "mkdir" command used to create folders

Classification

Source: 32112, 3513.1.00000000a0bbd638.000000007c673470.r-x.sdmp String found in binary or memory: http://www.gnu.org/software/libc/bugs.html
Source: libdsx.so.26.dr String found in binary or memory: https://bugs.launchpad.net/ubuntu/
Source: classification engine Classification label: mal48.evad.lin@0/5@0/0

Persistence and Installation Behavior:

Writes identical ELF files to multiple locations
Source: /usr/bin/cp (PID: 3517) File with SHA-256 96493303BA8BA364A8DA6B77FBB9F04D0F170CBECBC6BBACCA616161BD0F0008 written: /usr/lib/libseconf/.backup_ld.so
Source: /usr/bin/cp (PID: 3521) File with SHA-256 96493303BA8BA364A8DA6B77FBB9F04D0F170CBECBC6BBACCA616161BD0F0008 written: /usr/lib/libdsx.so
Writes ELF files to disk
Source: /tmp/32112 (PID: 3513) File written: /usr/lib/libseconf/libdl.so
Source: /usr/bin/cp (PID: 3517) File written: /usr/lib/libseconf/.backup_ld.so
Source: /usr/bin/cp (PID: 3521) File written: /usr/lib/libdsx.so
Executes commands using a shell command-line interpreter
Source: /tmp/32112 (PID: 3514) Shell command executed: sh -c "mkdir /lib/libseconf"
Source: /tmp/32112 (PID: 3516) Shell command executed: sh -c "cp /lib/x86_64-linux-gnu/ld-2.31.so /lib/libseconf/.backup_ld.so"
Source: /tmp/32112 (PID: 3518) Shell command executed: sh -c "ls -l /lib64/ld-linux-x86-64.so.2"
Source: /tmp/32112 (PID: 3520) Shell command executed: sh -c "cp -p /lib/x86_64-linux-gnu/ld-2.31.so /lib/libdsx.so"
Source: /tmp/32112 (PID: 3522) Shell command executed: sh -c "mv /lib/libdsx.so /lib/x86_64-linux-gnu/ld-2.31.so"
Executes the "mkdir" command used to create folders
Source: /bin/sh (PID: 3515) Mkdir executable: /usr/bin/mkdir -> mkdir /lib/libseconf

Hooking and other Techniques for Hiding and Protection:

Drops invisible ELF files
Source: /usr/bin/cp (PID: 3517) ELF file: /usr/lib/libseconf/.backup_ld.so

Malware Analysis System Evasion:

Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/32112 (PID: 3513) Queries kernel information via 'uname'

No contacted IP information