Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

HuuyISbqrL

ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.18, BuildID[sha1]=307edfa923d9ff7e3793ec8771ab90f5343cb21e, stripped

initial sample

Details

Filetype:	ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.18, BuildID[sha1]=307edfa923d9ff7e3793ec8771ab90f5343cb21e, stripped
Entropy:	6.3900726950490805
Filename:	HuuyISbqrL
Filesize:	1315556
MD5:	f29045435920698fbbe67b121e7bfe79
SHA1:	22b027d1bef58216b0d73ddb755aac259711aa33
SHA256:	a07cd4589f01b49d0c349d73a6da0eec0e8c28c82b31bd637b2ee7ff612ad39b
SHA512:	f225da6d66d4a46b91e6a56eff35699c31d0e0789d70d31df4e6ce93e1e5b3fdbc1d43c5f5c5ec1b099477f24750bd2e189bd9da998174e6d9ad498d5131d3b8
SSDEEP:	24576:8kUpotcUSzgtPLdOEG0V0JRzFB3ywyUZ1N2AhNdhBjh+hnPlVVW0Mk7t69Kx/ti8:MoKXwZOK0TFBCwy8P2AhNdhBjh+hnPlP
Preview:	.ELF........................4...........4. ...(.....................................................................................D...D...............................L...........Q.td........................................GNU............................

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Sample tries to persist itself using System V runlevels	Persistence and Installation Behavior	At (Linux)
Sample tries to persist itself using cron	Persistence and Installation Behavior
Drops files in suspicious directories	Hooking and other Techniques for Hiding and Protection	Masquerading
Sample deletes itself	Hooking and other Techniques for Hiding and Protection	File Deletion
Drops invisible ELF files	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Machine Learning detection for sample	AV Detection
Writes ELF files to disk	Persistence and Installation Behavior
Reads CPU information from /sys indicative of miner or evasive malware	Bitcoin Miner, Malware Analysis System Evasion
Yara signature match	System Summary
Writes shell script files to disk	Persistence and Installation Behavior
Reads system information from the proc file system	Persistence and Installation Behavior	System Information Discovery
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Writes shell script file to disk with an unusual file extension	Persistence and Installation Behavior
Found detection on Joe Sandbox Cloud Basic with higher score	System Summary
URLs found in memory or binary data	Networking

/etc/cron.hourly/cron.sh

POSIX shell script, ASCII text executable

dropped

Details

File:	/etc/cron.hourly/cron.sh
Category:	dropped
Dump:	cron.sh.12.dr
ID:	dr_2
Target ID:	12
Process:	/tmp/HuuyISbqrL
Type:	POSIX shell script, ASCII text executable
Entropy:	4.756432444291805
Encrypted:	false
Ssdeep:	6:htiy4Mrm9lVNy28XbCVP270gJdUiynrgns:RjwVNfGbWPirSR
Size:	223
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Sample tries to persist itself using cron	Persistence and Installation Behavior	At (Linux)
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Writes shell script files to disk	Persistence and Installation Behavior	Scripting

/etc/init.d/.chinaz{1636583395

POSIX shell script, ASCII text executable

dropped

Details

File:	/etc/init.d/.chinaz{1636583395
Category:	dropped
Dump:	.chinaz{16365833950.12.dr
ID:	dr_1
Target ID:	12
Process:	/tmp/HuuyISbqrL
Type:	POSIX shell script, ASCII text executable
Entropy:	5.348173954768942
Encrypted:	false
Ssdeep:	6:hUtoFdU9uMw2tBjnsKheJjU5tBNZBE21YJvmNeMwh2L5tBjR1DzRIjutrBk6MzEm:6tw2tpmjctbZBEMO12L5tp7zujutrazL
Size:	355
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Drops files in suspicious directories	Hooking and other Techniques for Hiding and Protection	Masquerading
Machine Learning detection for dropped file	AV Detection
Sample tries to persist itself using System V runlevels	Persistence and Installation Behavior	At (Linux)
Writes shell script file to disk with an unusual file extension	Persistence and Installation Behavior

/tmp/.chinaz{1636583395

ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.18, BuildID[sha1]=307edfa923d9ff7e3793ec8771ab90f5343cb21e, stripped

dropped

Details

File:	/tmp/.chinaz{1636583395
Category:	dropped
Dump:	.chinaz{1636583395.12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/HuuyISbqrL
Type:	ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.18, BuildID[sha1]=307edfa923d9ff7e3793ec8771ab90f5343cb21e, stripped
Entropy:	6.3900726950490805
Encrypted:	false
Ssdeep:	24576:8kUpotcUSzgtPLdOEG0V0JRzFB3ywyUZ1N2AhNdhBjh+hnPlVVW0Mk7t69Kx/ti8:MoKXwZOK0TFBCwy8P2AhNdhBjh+hnPlP
Size:	1315556
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Drops invisible ELF files	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Writes ELF files to disk	Persistence and Installation Behavior

/memfd:snapd-env-generator (deleted)

ASCII text

dropped

Details

File:	/memfd:snapd-env-generator (deleted)
Category:	dropped
Dump:	memfd_snapd-env-generator (deleted).58.dr
ID:	dr_4
Target ID:	58
Process:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
Type:	ASCII text
Entropy:	3.7627880354948586
Encrypted:	false
Ssdeep:	3:+M4VMPQnMLmPQ9JEcwwbn:+M4m4MixcZb
Size:	76
Whitelisted:	false
Reputation:	moderate

Processes

Path

Cmdline

Malicious

/tmp/HuuyISbqrL

n/a

/tmp/HuuyISbqrL

n/a

/tmp/HuuyISbqrL

n/a

/tmp/HuuyISbqrL

n/a

/tmp/HuuyISbqrL

n/a

/tmp/HuuyISbqrL

n/a

/usr/sbin/update-rc.d

update-rc.d HuuyISbqrL remove

/usr/sbin/update-rc.d

n/a

/usr/bin/systemctl

systemctl daemon-reload

/tmp/HuuyISbqrL

n/a

/tmp/HuuyISbqrL

n/a

/tmp/HuuyISbqrL

n/a

/tmp/HuuyISbqrL

n/a

/usr/sbin/update-rc.d

update-rc.d .chinaz{1636583395 defaults

/usr/sbin/update-rc.d

n/a

/usr/bin/systemctl

systemctl daemon-reload

/tmp/HuuyISbqrL

n/a

/bin/sh

sh -c "sed -i '/\\/etc\\/cron.hourly\\/cron.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/cron.sh' >> /etc/crontab"

/bin/sh

n/a

/usr/bin/sed

sed -i /\\/etc\\/cron.hourly\\/cron.sh/d /etc/crontab

/tmp/HuuyISbqrL

n/a

/bin/sh

sh -c "rm -rf /etc/resolv.conf"

/bin/sh

n/a

/usr/bin/rm

rm -rf /etc/resolv.conf

/tmp/HuuyISbqrL

n/a

/bin/sh

sh -c whoami

/bin/sh

n/a

/usr/bin/whoami

whoami

/tmp/HuuyISbqrL

n/a

/bin/sh

sh -c "iptables --flush"

/bin/sh

n/a

/usr/sbin/iptables

iptables --flush

/tmp/HuuyISbqrL

n/a

/bin/sh

sh -c whoami

/bin/sh

n/a

/usr/bin/whoami

whoami

/tmp/HuuyISbqrL

n/a

/bin/sh

sh -c "touch /home/root/ConfigDatecz"

/bin/sh

n/a

/usr/bin/touch

touch /home/root/ConfigDatecz

/tmp/HuuyISbqrL

n/a

/bin/sh

sh -c "iptables -A OUTPUT -p tcp --dport 0 -j DROP"

/bin/sh

n/a

/usr/sbin/iptables

iptables -A OUTPUT -p tcp --dport 0 -j DROP

/usr/lib/systemd/systemd

n/a

/usr/lib/systemd/system-environment-generators/snapd-env-generator

/usr/lib/systemd/systemd

n/a

/usr/lib/systemd/system-environment-generators/snapd-env-generator

There are 39 hidden processes, click here to show them.

URLs

Name

Malicious

http://www.gnu.org/software/libc/bugs.html

unknown

Details

Name:	http://www.gnu.org/software/libc/bugs.html
TargetID:	21065
From Memory:	true
Source:	HuuyISbqrL, 5249.1.000000001a887bdc.00000000078f03a4.r-x.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

109.202.202.202

unknown

Switzerland

Details

IP:	109.202.202.202
TargetID:	-1
Country:	Switzerland
Countrycode:	CHE
ASN number:	13030
ASN name:	INIT7CH
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.43

unknown

United Kingdom

Details

IP:	91.189.91.43
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.42

unknown

United Kingdom

Details

IP:	91.189.91.42
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report

Files

Processes

URLs

IPs