Linux Analysis Report HuuyISbqrL

Overview

General Information

Sample Name: HuuyISbqrL
Analysis ID: 519576
MD5: f29045435920698fbbe67b121e7bfe79
SHA1: 22b027d1bef58216b0d73ddb755aac259711aa33
SHA256: a07cd4589f01b49d0c349d73a6da0eec0e8c28c82b31bd637b2ee7ff612ad39b
Tags: 32, elf, intel

Detection

Score: 84
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sample tries to persist itself using System V runlevels
Machine Learning detection for dropped file
Sample tries to persist itself using cron
Drops files in suspicious directories
Sample deletes itself
Drops invisible ELF files
Machine Learning detection for sample
Writes ELF files to disk
Reads CPU information from /sys indicative of miner or evasive malware
Yara signature match
Writes shell script files to disk
Reads system information from the proc file system
Uses the "uname" system call to query kernel version information (possible evasion)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Sample has stripped symbol table
Executes commands using a shell command-line interpreter
Executes the "rm" command used to delete files or directories
Executes the "touch" command used to create files or modify time stamps
Writes shell script file to disk with an unusual file extension

AV Detection:

Multi AV Scanner detection for submitted file
Source: HuuyISbqrL Virustotal: Detection: 54%
Source: HuuyISbqrL ReversingLabs: Detection: 73%
Machine Learning detection for dropped file
Source: /etc/init.d/.chinaz{1636583395 Joe Sandbox ML: detected
Machine Learning detection for sample
Source: HuuyISbqrL Joe Sandbox ML: detected

Bitcoin Miner:

Reads CPU information from /sys indicative of miner or evasive malware
Source: /tmp/HuuyISbqrL (PID: 5251) Reads CPU info from /sys: /sys/devices/system/cpu/online

Networking:

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: HuuyISbqrL, 5249.1.000000001a887bdc.00000000078f03a4.r-x.sdmp String found in binary or memory: http://www.gnu.org/software/libc/bugs.html

System Summary:

Malicious sample detected (through community Yara rule)
Source: HuuyISbqrL, type: SAMPLE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 5254.1.000000001a887bdc.00000000078f03a4.r-x.sdmp, type: MEMORY Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 5260.1.000000001a887bdc.00000000078f03a4.r-x.sdmp, type: MEMORY Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 5250.1.000000001a887bdc.00000000078f03a4.r-x.sdmp, type: MEMORY Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 5259.1.000000001a887bdc.00000000078f03a4.r-x.sdmp, type: MEMORY Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 5256.1.000000001a887bdc.00000000078f03a4.r-x.sdmp, type: MEMORY Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 5249.1.000000001a887bdc.00000000078f03a4.r-x.sdmp, type: MEMORY Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 5258.1.000000001a887bdc.00000000078f03a4.r-x.sdmp, type: MEMORY Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 5251.1.000000001a887bdc.00000000078f03a4.r-x.sdmp, type: MEMORY Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 5255.1.000000001a887bdc.00000000078f03a4.r-x.sdmp, type: MEMORY Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: /etc/init.d/.chinaz{1636583395, type: DROPPED Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Yara signature match
Source: HuuyISbqrL, type: SAMPLE Matched rule: CN_disclosed_20180208_lsls date = 2018-02-08, hash1 = 94c6a92984df9ed255f4c644261b01c4e255acbe32ddfd0debe38b558f29a6c9, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5254.1.000000001a887bdc.00000000078f03a4.r-x.sdmp, type: MEMORY Matched rule: CN_disclosed_20180208_lsls date = 2018-02-08, hash1 = 94c6a92984df9ed255f4c644261b01c4e255acbe32ddfd0debe38b558f29a6c9, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5260.1.000000001a887bdc.00000000078f03a4.r-x.sdmp, type: MEMORY Matched rule: CN_disclosed_20180208_lsls date = 2018-02-08, hash1 = 94c6a92984df9ed255f4c644261b01c4e255acbe32ddfd0debe38b558f29a6c9, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5250.1.000000001a887bdc.00000000078f03a4.r-x.sdmp, type: MEMORY Matched rule: CN_disclosed_20180208_lsls date = 2018-02-08, hash1 = 94c6a92984df9ed255f4c644261b01c4e255acbe32ddfd0debe38b558f29a6c9, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5259.1.000000001a887bdc.00000000078f03a4.r-x.sdmp, type: MEMORY Matched rule: CN_disclosed_20180208_lsls date = 2018-02-08, hash1 = 94c6a92984df9ed255f4c644261b01c4e255acbe32ddfd0debe38b558f29a6c9, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5256.1.000000001a887bdc.00000000078f03a4.r-x.sdmp, type: MEMORY Matched rule: CN_disclosed_20180208_lsls date = 2018-02-08, hash1 = 94c6a92984df9ed255f4c644261b01c4e255acbe32ddfd0debe38b558f29a6c9, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5249.1.000000001a887bdc.00000000078f03a4.r-x.sdmp, type: MEMORY Matched rule: CN_disclosed_20180208_lsls date = 2018-02-08, hash1 = 94c6a92984df9ed255f4c644261b01c4e255acbe32ddfd0debe38b558f29a6c9, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5258.1.000000001a887bdc.00000000078f03a4.r-x.sdmp, type: MEMORY Matched rule: CN_disclosed_20180208_lsls date = 2018-02-08, hash1 = 94c6a92984df9ed255f4c644261b01c4e255acbe32ddfd0debe38b558f29a6c9, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5251.1.000000001a887bdc.00000000078f03a4.r-x.sdmp, type: MEMORY Matched rule: CN_disclosed_20180208_lsls date = 2018-02-08, hash1 = 94c6a92984df9ed255f4c644261b01c4e255acbe32ddfd0debe38b558f29a6c9, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5255.1.000000001a887bdc.00000000078f03a4.r-x.sdmp, type: MEMORY Matched rule: CN_disclosed_20180208_lsls date = 2018-02-08, hash1 = 94c6a92984df9ed255f4c644261b01c4e255acbe32ddfd0debe38b558f29a6c9, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: /etc/init.d/.chinaz{1636583395, type: DROPPED Matched rule: CN_disclosed_20180208_lsls date = 2018-02-08, hash1 = 94c6a92984df9ed255f4c644261b01c4e255acbe32ddfd0debe38b558f29a6c9, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Sample has stripped symbol table
Source: ELF static info symbol of initial sample .symtab present: no
Source: HuuyISbqrL Joe Sandbox Cloud Basic: Detection: clean Score: 0
Source: classification engine Classification label: mal84.troj.evad.lin@0/5@0/0

Persistence and Installation Behavior:

Sample tries to persist itself using System V runlevels
Source: /tmp/HuuyISbqrL (PID: 5251) File: /etc/rc1.d/S90.chinaz{1636583395 -> /etc/init.d/.chinaz{1636583395
Source: /tmp/HuuyISbqrL (PID: 5251) File: /etc/rc2.d/S90.chinaz{1636583395 -> /etc/init.d/.chinaz{1636583395
Source: /tmp/HuuyISbqrL (PID: 5251) File: /etc/rc3.d/S90.chinaz{1636583395 -> /etc/init.d/.chinaz{1636583395
Source: /tmp/HuuyISbqrL (PID: 5251) File: /etc/rc4.d/S90.chinaz{1636583395 -> /etc/init.d/.chinaz{1636583395
Source: /tmp/HuuyISbqrL (PID: 5251) File: /etc/rc5.d/S90.chinaz{1636583395 -> /etc/init.d/.chinaz{1636583395
Source: /tmp/HuuyISbqrL (PID: 5251) File: /etc/rc.d/rc1.d/S90.chinaz{1636583395 -> /etc/init.d/.chinaz{1636583395
Source: /tmp/HuuyISbqrL (PID: 5251) File: /etc/rc.d/rc2.d/S90.chinaz{1636583395 -> /etc/init.d/.chinaz{1636583395
Source: /tmp/HuuyISbqrL (PID: 5251) File: /etc/rc.d/rc3.d/S90.chinaz{1636583395 -> /etc/init.d/.chinaz{1636583395
Source: /tmp/HuuyISbqrL (PID: 5251) File: /etc/rc.d/rc4.d/S90.chinaz{1636583395 -> /etc/init.d/.chinaz{1636583395
Source: /tmp/HuuyISbqrL (PID: 5251) File: /etc/rc.d/rc5.d/S90.chinaz{1636583395 -> /etc/init.d/.chinaz{1636583395
Source: /usr/sbin/update-rc.d (PID: 5261) File: /etc/rc1.d/S01.chinaz{1636583395 -> ../init.d/.chinaz{1636583395
Source: /usr/sbin/update-rc.d (PID: 5261) File: /etc/rc2.d/S01.chinaz{1636583395 -> ../init.d/.chinaz{1636583395
Source: /usr/sbin/update-rc.d (PID: 5261) File: /etc/rc3.d/S01.chinaz{1636583395 -> ../init.d/.chinaz{1636583395
Source: /usr/sbin/update-rc.d (PID: 5261) File: /etc/rc4.d/S01.chinaz{1636583395 -> ../init.d/.chinaz{1636583395
Source: /usr/sbin/update-rc.d (PID: 5261) File: /etc/rc5.d/S01.chinaz{1636583395 -> ../init.d/.chinaz{1636583395
Sample tries to persist itself using cron
Source: /tmp/HuuyISbqrL (PID: 5251) File: /etc/cron.hourly/cron.sh
Source: /usr/bin/sed (PID: 5263) File: /etc/crontab
Writes ELF files to disk
Source: /tmp/HuuyISbqrL (PID: 5251) File written: /tmp/.chinaz{1636583395
Writes shell script files to disk
Source: /tmp/HuuyISbqrL (PID: 5251) Shell script file created: /etc/cron.hourly/cron.sh
Reads system information from the proc file system
Source: /tmp/HuuyISbqrL (PID: 5251) Reads from proc file: /proc/meminfo
Executes commands using a shell command-line interpreter
Source: /tmp/HuuyISbqrL (PID: 5262) Shell command executed: sh -c "sed -i '/\\/etc\\/cron.hourly\\/cron.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/cron.sh' >> /etc/crontab"
Source: /tmp/HuuyISbqrL (PID: 5265) Shell command executed: sh -c "rm -rf /etc/resolv.conf"
Source: /tmp/HuuyISbqrL (PID: 5270) Shell command executed: sh -c whoami
Source: /tmp/HuuyISbqrL (PID: 5271) Shell command executed: sh -c "iptables --flush"
Source: /tmp/HuuyISbqrL (PID: 5272) Shell command executed: sh -c whoami
Source: /tmp/HuuyISbqrL (PID: 5281) Shell command executed: sh -c "touch /home/root/ConfigDatecz"
Source: /tmp/HuuyISbqrL (PID: 5283) Shell command executed: sh -c "iptables -A OUTPUT -p tcp --dport 0 -j DROP"
Executes the "rm" command used to delete files or directories
Source: /bin/sh (PID: 5266) Rm executable: /usr/bin/rm -> rm -rf /etc/resolv.conf
Executes the "touch" command used to create files or modify time stamps
Source: /bin/sh (PID: 5284) Touch executable: /usr/bin/touch -> touch /home/root/ConfigDatecz
Writes shell script file to disk with an unusual file extension
Source: /tmp/HuuyISbqrL (PID: 5251) Writes shell script file to disk with an unusual file extension: /etc/init.d/.chinaz{1636583395
Source: /bin/sh (PID: 5263) Sed executable: /usr/bin/sed -> sed -i /\\/etc\\/cron.hourly\\/cron.sh/d /etc/crontab

Hooking and other Techniques for Hiding and Protection:

Drops files in suspicious directories
Source: /tmp/HuuyISbqrL (PID: 5251) File: /etc/init.d/.chinaz{1636583395
Sample deletes itself
Source: /tmp/HuuyISbqrL (PID: 5251) File: /tmp/HuuyISbqrL
Drops invisible ELF files
Source: /tmp/HuuyISbqrL (PID: 5251) ELF file: /tmp/.chinaz{1636583395

Malware Analysis System Evasion:

Reads CPU information from /sys indicative of miner or evasive malware
Source: /tmp/HuuyISbqrL (PID: 5251) Reads CPU info from /sys: /sys/devices/system/cpu/online
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/HuuyISbqrL (PID: 5249) Queries kernel information via 'uname'
Source: /tmp/HuuyISbqrL (PID: 5251) Queries kernel information via 'uname'