Play interactive tour

Edit tour

Linux Analysis Report 1TnmkstVG8

Overview

General Information

Sample Name:	1TnmkstVG8
Analysis ID:	511513
MD5:	2f7ce4fdab3edd7aed014bd5a124c718
SHA1:	0b1e76fac74052db6e7a342cdba0f90622100093
SHA256:	6597350ca45adfe532bd93ffde9c92d98f2ed1ecedd4d7d73c6dd147b0b613a9
Tags:	32elfmiraisparc
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false

Signatures

Multi AV Scanner detection for submitted file

Sample has stripped symbol table

Uses the "uname" system call to query kernel version information (possible evasion)

Detected TCP or UDP traffic on non-standard ports

Executes the "rm" command used to delete files or directories

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might not execute correctly on this machine

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	511513
Start date:	29.10.2021
Start time:	08:49:09
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 52s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	1TnmkstVG8
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Detection:	MAL
Classification:	mal48.lin@0/1@0/0

Process Tree

system is lnxubuntu20

1TnmkstVG8 (PID: 5234, Parent: 5107, MD5: 7dc1c0e23cd5e102bb12e5c29403410e) Arguments: /tmp/1TnmkstVG8

1TnmkstVG8 New Fork (PID: 5236, Parent: 5234)

dash New Fork (PID: 5250, Parent: 4331)

cat (PID: 5250, Parent: 4331, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /tmp/tmp.gtT3aisjF5

dash New Fork (PID: 5251, Parent: 4331)

head (PID: 5251, Parent: 4331, MD5: fd96a67145172477dd57131396fc9608) Arguments: head -n 10

dash New Fork (PID: 5252, Parent: 4331)

tr (PID: 5252, Parent: 4331, MD5: fbd1402dd9f72d8ebfff00ce7c3a7bb5) Arguments: tr -d \\000-\\011\\013\\014\\016-\\037

dash New Fork (PID: 5253, Parent: 4331)

cut (PID: 5253, Parent: 4331, MD5: d8ed0ea8f22c0de0f8692d4d9f1759d3) Arguments: cut -c -80

dash New Fork (PID: 5254, Parent: 4331)

cat (PID: 5254, Parent: 4331, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /tmp/tmp.gtT3aisjF5

dash New Fork (PID: 5255, Parent: 4331)

head (PID: 5255, Parent: 4331, MD5: fd96a67145172477dd57131396fc9608) Arguments: head -n 10

dash New Fork (PID: 5256, Parent: 4331)

tr (PID: 5256, Parent: 4331, MD5: fbd1402dd9f72d8ebfff00ce7c3a7bb5) Arguments: tr -d \\000-\\011\\013\\014\\016-\\037

dash New Fork (PID: 5257, Parent: 4331)

cut (PID: 5257, Parent: 4331, MD5: d8ed0ea8f22c0de0f8692d4d9f1759d3) Arguments: cut -c -80

dash New Fork (PID: 5258, Parent: 4331)

rm (PID: 5258, Parent: 4331, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.gtT3aisjF5 /tmp/tmp.0HpvoUv25y /tmp/tmp.kZRxhtfsZX

cleanup

Yara Overview

No yara matches

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: 1TnmkstVG8	Virustotal: Detection: 21%			Perma Link
Source: 1TnmkstVG8	ReversingLabs: Detection: 15%

Source: unknown

HTTPS traffic detected: 34.249.145.219:443 -> 192.168.2.23:39244 version: TLS 1.2

Source: global traffic

TCP traffic: 192.168.2.23:56596 -> 45.95.169.120:455

Source: unknown	Network traffic detected: HTTP traffic on port 39244 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 39244
Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120
Source: unknown	TCP traffic detected without corresponding DNS query: 189.57.206.167
Source: unknown	TCP traffic detected without corresponding DNS query: 189.57.206.167
Source: unknown	TCP traffic detected without corresponding DNS query: 37.80.245.107
Source: unknown	TCP traffic detected without corresponding DNS query: 37.80.245.107
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 34.249.145.219
Source: unknown	TCP traffic detected without corresponding DNS query: 34.249.145.219
Source: unknown	TCP traffic detected without corresponding DNS query: 34.249.145.219
Source: unknown	TCP traffic detected without corresponding DNS query: 34.249.145.219
Source: unknown	TCP traffic detected without corresponding DNS query: 34.249.145.219
Source: unknown	TCP traffic detected without corresponding DNS query: 34.249.145.219
Source: unknown	TCP traffic detected without corresponding DNS query: 34.249.145.219
Source: unknown	TCP traffic detected without corresponding DNS query: 34.249.145.219
Source: unknown	TCP traffic detected without corresponding DNS query: 34.249.145.219
Source: unknown	TCP traffic detected without corresponding DNS query: 34.249.145.219
Source: unknown	TCP traffic detected without corresponding DNS query: 34.249.145.219
Source: unknown	TCP traffic detected without corresponding DNS query: 34.249.145.219
Source: unknown	TCP traffic detected without corresponding DNS query: 34.249.145.219
Source: unknown	TCP traffic detected without corresponding DNS query: 34.249.145.219
Source: unknown	TCP traffic detected without corresponding DNS query: 34.249.145.219
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120
Source: unknown	TCP traffic detected without corresponding DNS query: 46.244.112.164
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120

Source: motd-news.26.dr

String found in binary or memory: https://ubuntu.com/blog/microk8s-memory-optimisation

Source: unknown

HTTPS traffic detected: 34.249.145.219:443 -> 192.168.2.23:39244 version: TLS 1.2

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal48.lin@0/1@0/0

Source: 1TnmkstVG8

Joe Sandbox Cloud Basic: Detection: clean Score: 0

Perma Link

Source: /usr/bin/dash (PID: 5258)

Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.gtT3aisjF5 /tmp/tmp.0HpvoUv25y /tmp/tmp.kZRxhtfsZX

Source: /tmp/1TnmkstVG8 (PID: 5234)

Queries kernel information via 'uname':

Source: 1TnmkstVG8, 5234.1.000000004a6d2c84.00000000a49abd7e.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/sparc
Source: 1TnmkstVG8, 5234.1.000000004a6d2c84.00000000a49abd7e.rw-.sdmp	Binary or memory string: V!/etc/qemu-binfmt/sparc
Source: 1TnmkstVG8, 5234.1.00000000580ce957.0000000071851ce0.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-sparc/tmp/1TnmkstVG8SUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/1TnmkstVG8
Source: 1TnmkstVG8, 5234.1.00000000580ce957.0000000071851ce0.rw-.sdmp	Binary or memory string: /usr/bin/qemu-sparc

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	File Deletion1	OS Credential Dumping	Security Software Discovery11	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
1TnmkstVG8	21%	Virustotal		Browse
1TnmkstVG8	16%	ReversingLabs	Linux.Trojan.Mirai

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ubuntu.com/blog/microk8s-memory-optimisation	motd-news.26.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
34.249.145.219	unknown	United States	16509	AMAZON-02US	false
45.95.169.120	unknown	Croatia (LOCAL Name: Hrvatska)	42864	GIGANET-HUGigaNetInternetServiceProviderCoHU	false
46.244.112.164	unknown	Netherlands	51088	A2BNL	false
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
189.57.206.167	unknown	Brazil	10429	TELEFONICABRASILSABR	false
37.80.245.107	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Runtime Messages

Command:	/tmp/1TnmkstVG8
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
34.249.145.219	gqqrsjn4g8	Get hash	malicious	Browse
	10CV2biW2d	Get hash	malicious	Browse
	r7bQAtiN68	Get hash	malicious	Browse
	3QM8LROaOk	Get hash	malicious	Browse
	75OHlqPaRY	Get hash	malicious	Browse
	0ZDPmKTgif	Get hash	malicious	Browse
	1qQcsK7dth	Get hash	malicious	Browse
	vCLbAS7aPb	Get hash	malicious	Browse
	yzui4gwsrF	Get hash	malicious	Browse
	072FZHiMhs	Get hash	malicious	Browse
	sjZlfrpuyc	Get hash	malicious	Browse
	cqhVIEs3Kr	Get hash	malicious	Browse
	khoE2I8yer	Get hash	malicious	Browse
	wvsEoQ0khP	Get hash	malicious	Browse
	o5WNbxsf8E	Get hash	malicious	Browse
	32	Get hash	malicious	Browse
	a-r.m-5.Sakura	Get hash	malicious	Browse
	NDYfrLSNFW	Get hash	malicious	Browse
	m-i.p-s.Sakura	Get hash	malicious	Browse
	6Qn1b9fB2C	Get hash	malicious	Browse
45.95.169.120	iksM5QEg2j	Get hash	malicious	Browse
109.202.202.202	iksM5QEg2j	Get hash	malicious	Browse
	lGJEkz80oe	Get hash	malicious	Browse
	roV7kGaVr1	Get hash	malicious	Browse
	SecuriteInfo.com.Linux.Siggen.4218.298.3210	Get hash	malicious	Browse
	uPOWBxniTA	Get hash	malicious	Browse
	qy5unieRgR	Get hash	malicious	Browse
	sAzPpn6mKZ	Get hash	malicious	Browse
	AxadDC89j9	Get hash	malicious	Browse
	ZErnXU2XR1	Get hash	malicious	Browse
	sTHJvS5LPJ	Get hash	malicious	Browse
	THzHjYQ4z6	Get hash	malicious	Browse
	jC0B6sMh1d	Get hash	malicious	Browse
	JoLmvC65B7	Get hash	malicious	Browse
	AOaKSm1cij	Get hash	malicious	Browse
	Mozi.a	Get hash	malicious	Browse
	ggbMKQDdG2	Get hash	malicious	Browse
	SecuriteInfo.com.Linux.Siggen.4218.31606.9155	Get hash	malicious	Browse
	AbriuSDkeL	Get hash	malicious	Browse
	xjmPNreY8I	Get hash	malicious	Browse
	u7kjf23xQc	Get hash	malicious	Browse
91.189.91.43	iksM5QEg2j	Get hash	malicious	Browse
	lGJEkz80oe	Get hash	malicious	Browse
	roV7kGaVr1	Get hash	malicious	Browse
	SecuriteInfo.com.Linux.Siggen.4218.298.3210	Get hash	malicious	Browse
	uPOWBxniTA	Get hash	malicious	Browse
	qy5unieRgR	Get hash	malicious	Browse
	sAzPpn6mKZ	Get hash	malicious	Browse
	AxadDC89j9	Get hash	malicious	Browse
	ZErnXU2XR1	Get hash	malicious	Browse
	sTHJvS5LPJ	Get hash	malicious	Browse
	THzHjYQ4z6	Get hash	malicious	Browse
	jC0B6sMh1d	Get hash	malicious	Browse
	JoLmvC65B7	Get hash	malicious	Browse
	AOaKSm1cij	Get hash	malicious	Browse
	Mozi.a	Get hash	malicious	Browse
	ggbMKQDdG2	Get hash	malicious	Browse
	SecuriteInfo.com.Linux.Siggen.4218.31606.9155	Get hash	malicious	Browse
	AbriuSDkeL	Get hash	malicious	Browse
	xjmPNreY8I	Get hash	malicious	Browse
	u7kjf23xQc	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
GIGANET-HUGigaNetInternetServiceProviderCoHU	iksM5QEg2j	Get hash	malicious	Browse	45.95.169.120
	RicwIfIHLK	Get hash	malicious	Browse	45.95.169.115
	aIY7AxjUMc	Get hash	malicious	Browse	45.95.169.115
	DtJmFQxtNC	Get hash	malicious	Browse	45.95.169.115
	Wm4CzOCmNY	Get hash	malicious	Browse	45.95.169.115
	vunWUzXJvC	Get hash	malicious	Browse	45.95.169.115
	52xhBHy9Wz	Get hash	malicious	Browse	45.95.169.115
	YGvwG0iCDE	Get hash	malicious	Browse	45.95.169.115
	dbd5O0RUTq	Get hash	malicious	Browse	45.95.169.115
	fHVDVj0pzO	Get hash	malicious	Browse	45.95.169.115
	eZPk7Fg5w7	Get hash	malicious	Browse	45.95.169.115
	ph5PjoFBpj	Get hash	malicious	Browse	45.95.169.115
	xugAk5haat	Get hash	malicious	Browse	45.95.169.115
	0jEbWQtzs0	Get hash	malicious	Browse	45.95.169.115
	8g3tc5SWwB	Get hash	malicious	Browse	92.52.211.220
	7okgnZjK06	Get hash	malicious	Browse	45.95.169.115
	D9efs9TYvN	Get hash	malicious	Browse	45.95.169.115
	LlE7nUUjmA	Get hash	malicious	Browse	45.95.169.115
	3HwsuWd7at	Get hash	malicious	Browse	45.95.169.115
	XOg0GKdALN	Get hash	malicious	Browse	45.95.169.115
A2BNL	jew.arm5	Get hash	malicious	Browse	46.244.107.145
	SecuriteInfo.com.Trojan.DownLoader41.25700.7371.exe	Get hash	malicious	Browse	46.235.44.240
	5zLdHcC6nh.exe	Get hash	malicious	Browse	46.235.40.105
	http://www.bagchusfotografie.nl/foto/laurentiusdag/me/app.html	Get hash	malicious	Browse	46.235.40.90
	ElectionInterference_1665557063.xls	Get hash	malicious	Browse	46.235.42.55
	ElectionInterference_1665557063.xls	Get hash	malicious	Browse	46.235.42.55
	ElectionInterference_1051451333.xls	Get hash	malicious	Browse	46.235.42.55
	ElectionInterference_1051451333.xls	Get hash	malicious	Browse	46.235.42.55
	https://abns.co.uk/	Get hash	malicious	Browse	46.235.40.90
	over.exe	Get hash	malicious	Browse	46.235.40.60
AMAZON-02US	shipping docs 07853 draft CI+PL_pdf.exe	Get hash	malicious	Browse	52.222.158.116
	Invoice- 876543456 Oil_Field_Swift_remmitance.doc	Get hash	malicious	Browse	52.216.88.211
	EE96DF216161F048EE9C50853B018F779D71BCE1498F2.exe	Get hash	malicious	Browse	52.95.169.4
	Order No00020212910.exe	Get hash	malicious	Browse	44.227.76.166
	rundll32.exe	Get hash	malicious	Browse	44.227.76.166
	eBPXhP7TLX.exe	Get hash	malicious	Browse	3.132.159.158
	96F34985E744EDAE462B513FD68856056C135078302D8.exe	Get hash	malicious	Browse	52.95.170.44
	HELP_DECRYPT.URL	Get hash	malicious	Browse	18.195.174.160
	f30dab44e1b3c177c002b35c5e9a933b79345c378dbf4.exe	Get hash	malicious	Browse	18.190.26.16
	setup_x86_x64_install.exe	Get hash	malicious	Browse	52.95.171.40
	WROO2_Invoice_Copy.vbs	Get hash	malicious	Browse	52.27.15.250
	#0012HSJMS.vbs	Get hash	malicious	Browse	52.27.15.250
	d7fEnxB3OT.xlsm	Get hash	malicious	Browse	18.159.149.5
	wTFR3LK4Mo	Get hash	malicious	Browse	108.158.116.92
	RFQ - 1100195199 - 1100190914.exe	Get hash	malicious	Browse	3.122.27.22
	Port_UETQYDYA_99381,pdf.exe	Get hash	malicious	Browse	75.2.26.18
	st2AAeCXsR	Get hash	malicious	Browse	18.241.247.247
	yZ7D7o1Z7p	Get hash	malicious	Browse	18.253.60.84
	bKHI9UT0D1	Get hash	malicious	Browse	18.139.219.90
	IMS211323.xlsx	Get hash	malicious	Browse	65.9.96.73

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
fb4726d465c5f28b84cd6d14cedd13a7	10CV2biW2d	Get hash	malicious	Browse	34.249.145.219
	r7bQAtiN68	Get hash	malicious	Browse	34.249.145.219
	86wbpLsr78	Get hash	malicious	Browse	34.249.145.219
	zYEw8iWwGB	Get hash	malicious	Browse	34.249.145.219
	3QM8LROaOk	Get hash	malicious	Browse	34.249.145.219
	75OHlqPaRY	Get hash	malicious	Browse	34.249.145.219
	S0QgabIiDO	Get hash	malicious	Browse	34.249.145.219
	vCLbAS7aPb	Get hash	malicious	Browse	34.249.145.219
	yzui4gwsrF	Get hash	malicious	Browse	34.249.145.219
	072FZHiMhs	Get hash	malicious	Browse	34.249.145.219
	sjZlfrpuyc	Get hash	malicious	Browse	34.249.145.219
	khoE2I8yer	Get hash	malicious	Browse	34.249.145.219
	wvsEoQ0khP	Get hash	malicious	Browse	34.249.145.219
	32	Get hash	malicious	Browse	34.249.145.219
	a-r.m-5.Sakura	Get hash	malicious	Browse	34.249.145.219
	NDYfrLSNFW	Get hash	malicious	Browse	34.249.145.219
	m-i.p-s.Sakura	Get hash	malicious	Browse	34.249.145.219
	6Qn1b9fB2C	Get hash	malicious	Browse	34.249.145.219
	ZSbDircdwC	Get hash	malicious	Browse	34.249.145.219
	s0bi9t	Get hash	malicious	Browse	34.249.145.219

Dropped Files

No context

Created / dropped Files

/var/cache/motd-news Download File
Process:	/usr/bin/cut
File Type:	ASCII text
Category:	dropped
Size (bytes):	191
Entropy (8bit):	4.515771857099866
Encrypted:	false
SSDEEP:	3:P2lnI+5MsqqzNLz+FRNScHUBfRau95++sZzR5woLB1Fh0VTGTl/X5kURn:OZ8uNLzDc0pR75+9Zz/woFmIT52URn
MD5:	DD514F892B5F93ED615D366E58AC58AF
SHA1:	BA75EDB3C2232CC260BC187F604DC8F25AA72C11
SHA-256:	F40D0DCE6E83DF74109FEF5E68E51CC255727783EEAE04C3E34677E23F7552CF
SHA-512:	9150BDE63F6C4850C5340D8877892B4D9BBF9EBDC98CDCF557A93FA304C1222CEE446418F5BE2ACCDBF38393778AFA5D4F3EDCB37A47BF57D3A4B2DEAD42A2D0
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	* Super-optimized for small spaces - read how we shrank the memory. footprint of MicroK8s to make it the smallest full K8s around... https://ubuntu.com/blog/microk8s-memory-optimisation.

Static File Info

General
File type:	ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.100479824147886
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	1TnmkstVG8
File size:	38344
MD5:	2f7ce4fdab3edd7aed014bd5a124c718
SHA1:	0b1e76fac74052db6e7a342cdba0f90622100093
SHA256:	6597350ca45adfe532bd93ffde9c92d98f2ed1ecedd4d7d73c6dd147b0b613a9
SHA512:	3ccfd7025235684ef7663b204620b372536a484a10695705a1e0cb6aaa9af6baddc9f4fb7889a6f34394f2223a15031e5312917b9491535a4e63d0bca6aac98c
SSDEEP:	384:scwxATYTY/41v0pvRFU+preqdBrF6wleRlJT0nJ2JMjP5:scwxAEM9RO+l8t4Nh
File Content Preview:	.ELF...........................4...8.....4. ...(..........................................................!.........dt.Q................................@..(....@..y................#.....c...`.....!..... ,..@.....".........`......$ ,.. ,..@...........`....

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	Sparc
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x101a4
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	37944
Section Header Size:	40
Number of Section Headers:	10
Header String Table Index:	9

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x10094	0x94	0x1c	0x0	0x6	AX	4
.text	PROGBITS	0x100b0	0xb0	0x7a1c	0x0	0x6	AX	4
.fini	PROGBITS	0x17acc	0x7acc	0x14	0x0	0x6	AX	4
.rodata	PROGBITS	0x17ae0	0x7ae0	0x530	0x0	0x2	A	8
.ctors	PROGBITS	0x28014	0x8014	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x2801c	0x801c	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x28028	0x8028	0x13d0	0x0	0x3	WA	8
.bss	NOBITS	0x293f8	0x93f8	0xdb0	0x0	0x3	WA	8
.shstrtab	STRTAB	0x0	0x93f8	0x3e	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x10000	0x10000	0x8010	0x8010	3.5125	0x5	R E	0x10000	.init .text .fini .rodata
LOAD	0x8014	0x28014	0x28014	0x13e4	0x2194	1.7574	0x6	RW	0x10000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 29, 2021 08:49:51.233458042 CEST	56596	455	192.168.2.23	45.95.169.120
Oct 29, 2021 08:49:52.254165888 CEST	56596	455	192.168.2.23	45.95.169.120
Oct 29, 2021 08:49:53.470083952 CEST	42836	443	192.168.2.23	91.189.91.43
Oct 29, 2021 08:49:54.238035917 CEST	42516	80	192.168.2.23	109.202.202.202
Oct 29, 2021 08:49:54.270015955 CEST	56596	455	192.168.2.23	45.95.169.120
Oct 29, 2021 08:49:58.333842993 CEST	56596	455	192.168.2.23	45.95.169.120
Oct 29, 2021 08:50:02.579926014 CEST	23	45062	189.57.206.167	192.168.2.23
Oct 29, 2021 08:50:02.580113888 CEST	23	45062	189.57.206.167	192.168.2.23
Oct 29, 2021 08:50:02.580205917 CEST	45062	23	192.168.2.23	189.57.206.167
Oct 29, 2021 08:50:02.580256939 CEST	45062	23	192.168.2.23	189.57.206.167
Oct 29, 2021 08:50:03.311676979 CEST	23	47456	37.80.245.107	192.168.2.23
Oct 29, 2021 08:50:03.311985970 CEST	47456	23	192.168.2.23	37.80.245.107
Oct 29, 2021 08:50:03.319192886 CEST	23	47456	37.80.245.107	192.168.2.23
Oct 29, 2021 08:50:03.319333076 CEST	47456	23	192.168.2.23	37.80.245.107
Oct 29, 2021 08:50:06.525520086 CEST	56596	455	192.168.2.23	45.95.169.120
Oct 29, 2021 08:50:08.573417902 CEST	43928	443	192.168.2.23	91.189.91.42
Oct 29, 2021 08:50:16.160259962 CEST	39244	443	192.168.2.23	34.249.145.219
Oct 29, 2021 08:50:16.205056906 CEST	443	39244	34.249.145.219	192.168.2.23
Oct 29, 2021 08:50:16.205240965 CEST	39244	443	192.168.2.23	34.249.145.219
Oct 29, 2021 08:50:16.205849886 CEST	39244	443	192.168.2.23	34.249.145.219
Oct 29, 2021 08:50:16.249986887 CEST	443	39244	34.249.145.219	192.168.2.23
Oct 29, 2021 08:50:16.251286983 CEST	443	39244	34.249.145.219	192.168.2.23
Oct 29, 2021 08:50:16.251306057 CEST	443	39244	34.249.145.219	192.168.2.23
Oct 29, 2021 08:50:16.251370907 CEST	443	39244	34.249.145.219	192.168.2.23
Oct 29, 2021 08:50:16.251374006 CEST	39244	443	192.168.2.23	34.249.145.219
Oct 29, 2021 08:50:16.251384974 CEST	443	39244	34.249.145.219	192.168.2.23
Oct 29, 2021 08:50:16.251399994 CEST	39244	443	192.168.2.23	34.249.145.219
Oct 29, 2021 08:50:16.251410961 CEST	39244	443	192.168.2.23	34.249.145.219
Oct 29, 2021 08:50:16.251435041 CEST	39244	443	192.168.2.23	34.249.145.219
Oct 29, 2021 08:50:16.252171040 CEST	443	39244	34.249.145.219	192.168.2.23
Oct 29, 2021 08:50:16.252213955 CEST	39244	443	192.168.2.23	34.249.145.219
Oct 29, 2021 08:50:16.254503012 CEST	39244	443	192.168.2.23	34.249.145.219
Oct 29, 2021 08:50:16.299272060 CEST	443	39244	34.249.145.219	192.168.2.23
Oct 29, 2021 08:50:16.299439907 CEST	39244	443	192.168.2.23	34.249.145.219
Oct 29, 2021 08:50:16.299820900 CEST	39244	443	192.168.2.23	34.249.145.219
Oct 29, 2021 08:50:16.345458984 CEST	443	39244	34.249.145.219	192.168.2.23
Oct 29, 2021 08:50:16.345611095 CEST	39244	443	192.168.2.23	34.249.145.219
Oct 29, 2021 08:50:16.347381115 CEST	39244	443	192.168.2.23	34.249.145.219
Oct 29, 2021 08:50:16.393722057 CEST	443	39244	34.249.145.219	192.168.2.23
Oct 29, 2021 08:50:16.393734932 CEST	443	39244	34.249.145.219	192.168.2.23
Oct 29, 2021 08:50:16.393800020 CEST	39244	443	192.168.2.23	34.249.145.219
Oct 29, 2021 08:50:16.393822908 CEST	39244	443	192.168.2.23	34.249.145.219
Oct 29, 2021 08:50:20.860939026 CEST	42836	443	192.168.2.23	91.189.91.43
Oct 29, 2021 08:50:22.652750015 CEST	56596	455	192.168.2.23	45.95.169.120
Oct 29, 2021 08:50:24.956691027 CEST	42516	80	192.168.2.23	109.202.202.202
Oct 29, 2021 08:50:49.531693935 CEST	43928	443	192.168.2.23	91.189.91.42
Oct 29, 2021 08:50:55.675467014 CEST	56596	455	192.168.2.23	45.95.169.120
Oct 29, 2021 08:50:55.709491014 CEST	455	56596	45.95.169.120	192.168.2.23
Oct 29, 2021 08:50:55.710903883 CEST	56600	455	192.168.2.23	45.95.169.120
Oct 29, 2021 08:50:55.749160051 CEST	455	56600	45.95.169.120	192.168.2.23
Oct 29, 2021 08:50:55.749802113 CEST	56602	455	192.168.2.23	45.95.169.120
Oct 29, 2021 08:50:56.763346910 CEST	56602	455	192.168.2.23	45.95.169.120
Oct 29, 2021 08:50:57.466229916 CEST	23	45104	46.244.112.164	192.168.2.23
Oct 29, 2021 08:50:57.466480970 CEST	45104	23	192.168.2.23	46.244.112.164
Oct 29, 2021 08:50:58.779268980 CEST	56602	455	192.168.2.23	45.95.169.120
Oct 29, 2021 08:51:02.843082905 CEST	56602	455	192.168.2.23	45.95.169.120
Oct 29, 2021 08:51:11.034754992 CEST	56602	455	192.168.2.23	45.95.169.120
Oct 29, 2021 08:51:27.162185907 CEST	56602	455	192.168.2.23	45.95.169.120
Oct 29, 2021 08:51:27.195202112 CEST	455	56602	45.95.169.120	192.168.2.23
Oct 29, 2021 08:51:27.195672989 CEST	56606	455	192.168.2.23	45.95.169.120
Oct 29, 2021 08:51:27.229099989 CEST	455	56606	45.95.169.120	192.168.2.23
Oct 29, 2021 08:51:27.229629993 CEST	56608	455	192.168.2.23	45.95.169.120
Oct 29, 2021 08:51:27.262991905 CEST	455	56608	45.95.169.120	192.168.2.23
Oct 29, 2021 08:51:27.263380051 CEST	56610	455	192.168.2.23	45.95.169.120
Oct 29, 2021 08:51:27.296152115 CEST	455	56610	45.95.169.120	192.168.2.23

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Oct 29, 2021 08:50:16.252171040 CEST	34.249.145.219	443	192.168.2.23	39244	CN=motd.ubuntu.com CN=R3, O=Let's Encrypt, C=US CN=ISRG Root X1, O=Internet Security Research Group, C=US	CN=R3, O=Let's Encrypt, C=US CN=ISRG Root X1, O=Internet Security Research Group, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Tue Sep 07 13:50:45 CEST 2021 Fri Sep 04 02:00:00 CEST 2020 Wed Jan 20 20:14:03 CET 2021	Mon Dec 06 12:50:44 CET 2021 Mon Sep 15 18:00:00 CEST 2025 Mon Sep 30 20:14:03 CEST 2024	771,4866-4867-4865-49196-49200-163-159-52393-52392-52394-49327-49325-49315-49311-49245-49249-49239-49235-49195-49199-162-158-49326-49324-49314-49310-49244-49248-49238-49234-49188-49192-107-106-49267-49271-196-195-49187-49191-103-64-49266-49270-190-189-49162-49172-57-56-136-135-49161-49171-51-50-69-68-157-49313-49309-49233-156-49312-49308-49232-61-192-60-186-53-132-47-65-255,0-11-10-35-22-23-13-43-45-51,29-23-30-25-24,0-1-2	fb4726d465c5f28b84cd6d14cedd13a7
					CN=R3, O=Let's Encrypt, C=US	CN=ISRG Root X1, O=Internet Security Research Group, C=US	Fri Sep 04 02:00:00 CEST 2020	Mon Sep 15 18:00:00 CEST 2025
					CN=ISRG Root X1, O=Internet Security Research Group, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Jan 20 20:14:03 CET 2021	Mon Sep 30 20:14:03 CEST 2024

System Behavior

Analysis Process: 1TnmkstVG8 PID: 5234 Parent PID: 5107

General

Start time:	08:49:50
Start date:	29/10/2021
Path:	/tmp/1TnmkstVG8
Arguments:	/tmp/1TnmkstVG8
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: 1TnmkstVG8 PID: 5236 Parent PID: 5234

General

Start time:	08:49:50
Start date:	29/10/2021
Path:	/tmp/1TnmkstVG8
Arguments:	n/a
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: dash PID: 5250 Parent PID: 4331

General

Start time:	08:50:15
Start date:	29/10/2021
Path:	/usr/bin/dash
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: cat PID: 5250 Parent PID: 4331

General

Start time:	08:50:15
Start date:	29/10/2021
Path:	/usr/bin/cat
Arguments:	cat /tmp/tmp.gtT3aisjF5
File size:	43416 bytes
MD5 hash:	7e9d213e404ad3bb82e4ebb2e1f2c1b3

Analysis Process: dash PID: 5251 Parent PID: 4331

General

Start time:	08:50:15
Start date:	29/10/2021
Path:	/usr/bin/dash
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: head PID: 5251 Parent PID: 4331

General

Start time:	08:50:15
Start date:	29/10/2021
Path:	/usr/bin/head
Arguments:	head -n 10
File size:	47480 bytes
MD5 hash:	fd96a67145172477dd57131396fc9608

Analysis Process: dash PID: 5252 Parent PID: 4331

General

Start time:	08:50:15
Start date:	29/10/2021
Path:	/usr/bin/dash
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: tr PID: 5252 Parent PID: 4331

General

Start time:	08:50:15
Start date:	29/10/2021
Path:	/usr/bin/tr
Arguments:	tr -d \\000-\\011\\013\\014\\016-\\037
File size:	51544 bytes
MD5 hash:	fbd1402dd9f72d8ebfff00ce7c3a7bb5

Analysis Process: dash PID: 5253 Parent PID: 4331

General

Start time:	08:50:15
Start date:	29/10/2021
Path:	/usr/bin/dash
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: cut PID: 5253 Parent PID: 4331

General

Start time:	08:50:15
Start date:	29/10/2021
Path:	/usr/bin/cut
Arguments:	cut -c -80
File size:	47480 bytes
MD5 hash:	d8ed0ea8f22c0de0f8692d4d9f1759d3

Analysis Process: dash PID: 5254 Parent PID: 4331

General

Start time:	08:50:15
Start date:	29/10/2021
Path:	/usr/bin/dash
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: cat PID: 5254 Parent PID: 4331

General

Start time:	08:50:15
Start date:	29/10/2021
Path:	/usr/bin/cat
Arguments:	cat /tmp/tmp.gtT3aisjF5
File size:	43416 bytes
MD5 hash:	7e9d213e404ad3bb82e4ebb2e1f2c1b3

Analysis Process: dash PID: 5255 Parent PID: 4331

General

Start time:	08:50:15
Start date:	29/10/2021
Path:	/usr/bin/dash
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: head PID: 5255 Parent PID: 4331

General

Start time:	08:50:15
Start date:	29/10/2021
Path:	/usr/bin/head
Arguments:	head -n 10
File size:	47480 bytes
MD5 hash:	fd96a67145172477dd57131396fc9608

Analysis Process: dash PID: 5256 Parent PID: 4331

General

Start time:	08:50:15
Start date:	29/10/2021
Path:	/usr/bin/dash
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: tr PID: 5256 Parent PID: 4331

General

Start time:	08:50:15
Start date:	29/10/2021
Path:	/usr/bin/tr
Arguments:	tr -d \\000-\\011\\013\\014\\016-\\037
File size:	51544 bytes
MD5 hash:	fbd1402dd9f72d8ebfff00ce7c3a7bb5

Analysis Process: dash PID: 5257 Parent PID: 4331

General

Start time:	08:50:15
Start date:	29/10/2021
Path:	/usr/bin/dash
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: cut PID: 5257 Parent PID: 4331

General

Start time:	08:50:15
Start date:	29/10/2021
Path:	/usr/bin/cut
Arguments:	cut -c -80
File size:	47480 bytes
MD5 hash:	d8ed0ea8f22c0de0f8692d4d9f1759d3

Analysis Process: dash PID: 5258 Parent PID: 4331

General

Start time:	08:50:15
Start date:	29/10/2021
Path:	/usr/bin/dash
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: rm PID: 5258 Parent PID: 4331

General

Start time:	08:50:15
Start date:	29/10/2021
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.gtT3aisjF5 /tmp/tmp.0HpvoUv25y /tmp/tmp.kZRxhtfsZX
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Linux Analysis Report 1TnmkstVG8

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Process Tree

Yara Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Persistence and Installation Behavior:

Malware Analysis System Evasion:

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Runtime Messages

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

HTTPS Packets

System Behavior

Analysis Process: 1TnmkstVG8 PID: 5234 Parent PID: 5107

General

Analysis Process: 1TnmkstVG8 PID: 5236 Parent PID: 5234

General

Analysis Process: dash PID: 5250 Parent PID: 4331

General

Analysis Process: cat PID: 5250 Parent PID: 4331

General

Analysis Process: dash PID: 5251 Parent PID: 4331

General

Analysis Process: head PID: 5251 Parent PID: 4331

General

Analysis Process: dash PID: 5252 Parent PID: 4331

General

Analysis Process: tr PID: 5252 Parent PID: 4331

General

Analysis Process: dash PID: 5253 Parent PID: 4331

General

Analysis Process: cut PID: 5253 Parent PID: 4331

General

Analysis Process: dash PID: 5254 Parent PID: 4331

General

Analysis Process: cat PID: 5254 Parent PID: 4331

General