Linux Analysis Report 1TnmkstVG8

Overview

General Information

Sample Name: 1TnmkstVG8
Analysis ID: 511513
MD5: 2f7ce4fdab3edd7aed014bd5a124c718
SHA1: 0b1e76fac74052db6e7a342cdba0f90622100093
SHA256: 6597350ca45adfe532bd93ffde9c92d98f2ed1ecedd4d7d73c6dd147b0b613a9
Tags: 32, elf, mirai, sparc
Detection

Score: 48
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)
Detected TCP or UDP traffic on non-standard ports
Executes the "rm" command used to delete files or directories

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: 1TnmkstVG8 Virustotal: Detection: 21%
Source: 1TnmkstVG8 ReversingLabs: Detection: 15%

Networking:

Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.23:56596 -> 45.95.169.120:455
Source: unknown Network traffic detected: HTTP traffic on port 39244 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 39244
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: motd-news.26.dr String found in binary or memory: https://ubuntu.com/blog/microk8s-memory-optimisation
Source: unknown HTTPS traffic detected: 34.249.145.219:443 -> 192.168.2.23:39244 version: TLS 1.2

System Summary:

Sample has stripped symbol table
Source: ELF static info symbol of initial sample .symtab present: no
Source: classification engine Classification label: mal48.lin@0/1@0/0
Source: 1TnmkstVG8 Joe Sandbox Cloud Basic: Detection: clean Score: 0

Persistence and Installation Behavior:

Executes the "rm" command used to delete files or directories
Source: /usr/bin/dash (PID: 5258) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.gtT3aisjF5 /tmp/tmp.0HpvoUv25y /tmp/tmp.kZRxhtfsZX

Malware Analysis System Evasion:

Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/1TnmkstVG8 (PID: 5234) Queries kernel information via 'uname'
Source: 1TnmkstVG8, 5234.1.000000004a6d2c84.00000000a49abd7e.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/sparc
Source: 1TnmkstVG8, 5234.1.000000004a6d2c84.00000000a49abd7e.rw-.sdmp Binary or memory string: V!/etc/qemu-binfmt/sparc
Source: 1TnmkstVG8, 5234.1.00000000580ce957.0000000071851ce0.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-sparc/tmp/1TnmkstVG8SUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/1TnmkstVG8
Source: 1TnmkstVG8, 5234.1.00000000580ce957.0000000071851ce0.rw-.sdmp Binary or memory string: /usr/bin/qemu-sparc