Edit tour

Linux Analysis Report
MDcooUySCg

Overview

General Information

Sample Name:	MDcooUySCg
Analysis ID:	614314
MD5:	3801a926ee836b6907d2d13723693d2d
SHA1:	cdf39434bb78871e839312e600b6fe40dc782a1f
SHA256:	d42bcb0fca6d93ce4c9a78e5393f7e5949c7398ac598f7c55b76120739eac544
Infos:

Detection

REvil

Score:	64
Range:	0 - 100
Whitelisted:	false

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected REvil Linux Ransomware

Classification

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	614314
Start date and time: 23/04/202209:48:15	2022-04-23 09:48:15 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	MDcooUySCg
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 59.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
Analysis Mode:	default
Detection:	MAL
Classification:	mal64.rans.lin@0/0@0/0

Runtime Messages

Command:	/tmp/MDcooUySCg
PID:	6811
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	Revix 1.2a Usage example: elf.exe --path /vmfs/ --threads 5 --silent (-s) use for not stoping VMs mode !!!BY DEFAULT THIS SOFTWARE USES 50 THREADS!!!
Standard Error:

Process Tree

system is lnxubuntu1

MDcooUySCg (PID: 6811, Parent: 6745, MD5: 3801a926ee836b6907d2d13723693d2d) Arguments: /tmp/MDcooUySCg

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
MDcooUySCg	JoeSecurity_REvilLinux	Yara detected REvil Linux Ransomware	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
6811.1.0000000000400000.0000000000415000.r-x.sdmp	JoeSecurity_REvilLinux	Yara detected REvil Linux Ransomware	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 6811.1.0000000000616000.000000000061b000.rw-.sdmp

Malware Configuration Extractor: REvil {"pk": "4nONu4GmajfjefjrnvkrnvkdsnchfkvnkfjnvnHf40RvBhHclpampcsKyZMxfSelgMmZE/nI=", "pid": "$2a$12$D3Wk4d.cy0e0EiVqDPJe1.06OMR3duoMRIH78i7XFXbSkCLHuLoMG", "sub": "8639", "dbg": false, "et": 0, "nbody": "LS0tPT09IFdlbGNvbWUuIEFnYWluLiA9PT0tLS0KClstXSBXaGF0cyBIYXBwZW4/IFstXQoKWW91ciBmaWxlcyBhcmUgZW5jcnlwdGVkLCBhbmQgY3VycmVudGx5IHVuYXZhaWxhYmxlLiBZb3UgY2FuIGNoZWNrIGl0OiBhbGwgZmlsZXMgb24geW91ciBzeXN0ZW0gaGFzIGV4dGVuc2lvbiB7RVhUfS4KQnkgdGhlIHdheSwgZXZlcnl0aGluZyBpcyBwb3NzaWJsZSB0byByZWNvdmVyIChyZXN0b3JlKSwgYnV0IHlvdSBuZWVkIHRvIGZvbGxvdyBvdXIgaW5zdHJ1Y3Rpb25zLiBPdGhlcndpc2UsIHlvdSBjYW50IHJldHVybiB5b3VyIGRhdGEgKE5FVkVSKS4KClstXSBXaGF0IGd1YXJhbnRlZXM/IFstXQoKSXRzIGp1c3QgYSBidXNpbmVzcy4gV2UgYWJzb2x1dGVseSBkbyBub3QgY2FyZSBhYm91dCB5b3UgYW5kIHlvdXIgZGVhbHMsIGV4Y2VwdCBnZXR0aW5nIGJlbmVmaXRzLiBJZiB3ZSBkbyBub3QgZG8gb3VyIHdvcmsgYW5kIGxpYWJpbGl0aWVzIC0gbm9ib2R5IHdpbGwgbm90IGNvb3BlcmF0ZSB3aXRoIHVzLiBJdHMgbm90IGluIG91ciBpbnRlcmVzdHMuClRvIGNoZWNrIHRoZSBhYmlsaXR5IG9mIHJldHVybmluZyBmaWxlcywgWW91IHNob3VsZCBnbyB0byBvdXIgd2Vic2l0ZS4gVGhlcmUgeW91IGNhbiBkZWNyeXB0IG9uZSBmaWxlIGZvciBmcmVlLiBUaGF0IGlzIG91ciBndWFyYW50ZWUuCklmIHlvdSB3aWxsIG5vdCBjb29wZXJhdGUgd2l0aCBvdXIgc2VydmljZSAtIGZvciB1cywgaXRzIGRvZXMgbm90IG1hdHRlci4gQnV0IHlvdSB3aWxsIGxvc2UgeW91ciB0aW1lIGFuZCBkYXRhLCBjYXVzZSBqdXN0IHdlIGhhdmUgdGhlIHByaXZhdGUga2V5LiBJbiBwcmFjdGljZSAtIHRpbWUgaXMgbXVjaCBtb3JlIHZhbHVhYmxlIHRoYW4gbW9uZXkuCgpbK10gSG93IHRvIGdldCBhY2Nlc3Mgb24gd2Vic2l0ZT8gWytdCgpVc2luZyBhIFRPUiBicm93c2VyIQogIDEpIERvd25sb2FkIGFuZCBpbnN0YWxsIFRPUiBicm93c2VyIGZyb20gdGhpcyBzaXRlOiBodHRwczovL3RvcnByb2plY3Qub3JnLwogIDIpIE9wZW4gb3VyIHdlYnNpdGU6IGh0dHA6Ly9hcGxlYnp1NDd3Z2F6YXBkcWtzNnZyY3Y2emNuanBwa2J4YnI2d2tldGY1Nm5mNmFxMm5teW95ZC5vbmlvbi97VUlEfQoKV2FybmluZzogc2Vjb25kYXJ5IHdlYnNpdGUgY2FuIGJlIGJsb2NrZWQsIHRoYXRzIHdoeSBmaXJzdCB2YXJpYW50IG11Y2ggYmV0dGVyIGFuZCBtb3JlIGF2YWlsYWJsZS4KCldoZW4geW91IG9wZW4gb3VyIHdlYnNpdGUsIHB1dCB0aGUgZm9sbG93aW5nIGRhdGEgaW4gdGhlIGlucHV0IGZvcm06CktleToKCgp7S0VZfQoKCi0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tCgohISEgREFOR0VSICEhIQpET04nVCB0cnkgdG8gY2hhbmdlIGZpbGVzIGJ5IHlvdXJzZWxmLCBET04nVCB1c2UgYW55IHRoaXJkIHBhcnR5IHNvZnR3YXJlIGZvciByZXN0b3JpbmcgeW91ciBkYXRhIG9yIGFudGl2aXJ1cyBzb2x1dGlvbnMgLSBpdHMgbWF5IGVudGFpbCBkYW1hZ2Ugb2YgdGhlIHByaXZhdGUga2V5IGFuZCwgYXMgcmVzdWx0LCBUaGUgTG9zcyBhbGwgZGF0YS4KISEhICEhISAhISEKT05FIE1PUkUgVElNRTogSXRzIGluIHlvdXIgaW50ZXJlc3RzIHRvIGdldCB5b3VyIGZpbGVzIGJhY2suIEZyb20gb3VyIHNpZGUsIHdlICh0aGUgYmVzdCBzcGVjaWFsaXN0cykgbWFrZSBldmVyeXRoaW5nIGZvciByZXN0b3JpbmcsIGJ1dCBwbGVhc2Ugc2hvdWxkIG5vdCBpbnRlcmZlcmUuCiEhISAhISEgISEhAA==", "nname": "{EXT}-readme.txt", "rdmcnt": 0, "ext": ".vemar"}

Multi AV Scanner detection for submitted file

Source: MDcooUySCg	Virustotal: Detection: 22%			Perma Link
Source: MDcooUySCg	ReversingLabs: Detection: 42%

Spam, unwanted Advertisements and Ransom Demands

Yara detected REvil Linux Ransomware

Source: Yara match	File source: MDcooUySCg, type: SAMPLE
Source: Yara match	File source: 6811.1.0000000000400000.0000000000415000.r-x.sdmp, type: MEMORY

Source: classification engine

Classification label: mal64.rans.lin@0/0@0/0

{"pk": "4nONu4GmajfjefjrnvkrnvkdsnchfkvnkfjnvnHf40RvBhHclpampcsKyZMxfSelgMmZE/nI=", "pid": "$2a$12$D3Wk4d.cy0e0EiVqDPJe1.06OMR3duoMRIH78i7XFXbSkCLHuLoMG", "sub": "8639", "dbg": false, "et": 0, "nbody": "LS0tPT09IFdlbGNvbWUuIEFnYWluLiA9PT0tLS0KClstXSBXaGF0cyBIYXBwZW4/IFstXQoKWW91ciBmaWxlcyBhcmUgZW5jcnlwdGVkLCBhbmQgY3VycmVudGx5IHVuYXZhaWxhYmxlLiBZb3UgY2FuIGNoZWNrIGl0OiBhbGwgZmlsZXMgb24geW91ciBzeXN0ZW0gaGFzIGV4dGVuc2lvbiB7RVhUfS4KQnkgdGhlIHdheSwgZXZlcnl0aGluZyBpcyBwb3NzaWJsZSB0byByZWNvdmVyIChyZXN0b3JlKSwgYnV0IHlvdSBuZWVkIHRvIGZvbGxvdyBvdXIgaW5zdHJ1Y3Rpb25zLiBPdGhlcndpc2UsIHlvdSBjYW50IHJldHVybiB5b3VyIGRhdGEgKE5FVkVSKS4KClstXSBXaGF0IGd1YXJhbnRlZXM/IFstXQoKSXRzIGp1c3QgYSBidXNpbmVzcy4gV2UgYWJzb2x1dGVseSBkbyBub3QgY2FyZSBhYm91dCB5b3UgYW5kIHlvdXIgZGVhbHMsIGV4Y2VwdCBnZXR0aW5nIGJlbmVmaXRzLiBJZiB3ZSBkbyBub3QgZG8gb3VyIHdvcmsgYW5kIGxpYWJpbGl0aWVzIC0gbm9ib2R5IHdpbGwgbm90IGNvb3BlcmF0ZSB3aXRoIHVzLiBJdHMgbm90IGluIG91ciBpbnRlcmVzdHMuClRvIGNoZWNrIHRoZSBhYmlsaXR5IG9mIHJldHVybmluZyBmaWxlcywgWW91IHNob3VsZCBnbyB0byBvdXIgd2Vic2l0ZS4gVGhlcmUgeW91IGNhbiBkZWNyeXB0IG9uZSBmaWxlIGZvciBmcmVlLiBUaGF0IGlzIG91ciBndWFyYW50ZWUuCklmIHlvdSB3aWxsIG5vdCBjb29wZXJhdGUgd2l0aCBvdXIgc2VydmljZSAtIGZvciB1cywgaXRzIGRvZXMgbm90IG1hdHRlci4gQnV0IHlvdSB3aWxsIGxvc2UgeW91ciB0aW1lIGFuZCBkYXRhLCBjYXVzZSBqdXN0IHdlIGhhdmUgdGhlIHByaXZhdGUga2V5LiBJbiBwcmFjdGljZSAtIHRpbWUgaXMgbXVjaCBtb3JlIHZhbHVhYmxlIHRoYW4gbW9uZXkuCgpbK10gSG93IHRvIGdldCBhY2Nlc3Mgb24gd2Vic2l0ZT8gWytdCgpVc2luZyBhIFRPUiBicm93c2VyIQogIDEpIERvd25sb2FkIGFuZCBpbnN0YWxsIFRPUiBicm93c2VyIGZyb20gdGhpcyBzaXRlOiBodHRwczovL3RvcnByb2plY3Qub3JnLwogIDIpIE9wZW4gb3VyIHdlYnNpdGU6IGh0dHA6Ly9hcGxlYnp1NDd3Z2F6YXBkcWtzNnZyY3Y2emNuanBwa2J4YnI2d2tldGY1Nm5mNmFxMm5teW95ZC5vbmlvbi97VUlEfQoKV2FybmluZzogc2Vjb25kYXJ5IHdlYnNpdGUgY2FuIGJlIGJsb2NrZWQsIHRoYXRzIHdoeSBmaXJzdCB2YXJpYW50IG11Y2ggYmV0dGVyIGFuZCBtb3JlIGF2YWlsYWJsZS4KCldoZW4geW91IG9wZW4gb3VyIHdlYnNpdGUsIHB1dCB0aGUgZm9sbG93aW5nIGRhdGEgaW4gdGhlIGlucHV0IGZvcm06CktleToKCgp7S0VZfQoKCi0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tCgohISEgREFOR0VSICEhIQpET04nVCB0cnkgdG8gY2hhbmdlIGZpbGVzIGJ5IHlvdXJzZWxmLCBET04nVCB1c2UgYW55IHRoaXJkIHBhcnR5IHNvZnR3YXJlIGZvciByZXN0b3JpbmcgeW91ciBkYXRhIG9yIGFudGl2aXJ1cyBzb2x1dGlvbnMgLSBpdHMgbWF5IGVudGFpbCBkYW1hZ2Ugb2YgdGhlIHByaXZhdGUga2V5IGFuZCwgYXMgcmVzdWx0LCBUaGUgTG9zcyBhbGwgZGF0YS4KISEhICEhISAhISEKT05FIE1PUkUgVElNRTogSXRzIGluIHlvdXIgaW50ZXJlc3RzIHRvIGdldCB5b3VyIGZpbGVzIGJhY2suIEZyb20gb3VyIHNpZGUsIHdlICh0aGUgYmVzdCBzcGVjaWFsaXN0cykgbWFrZSBldmVyeXRoaW5nIGZvciByZXN0b3JpbmcsIGJ1dCBwbGVhc2Ugc2hvdWxkIG5vdCBpbnRlcmZlcmUuCiEhISAhISEgISEhAA==", "nname": "{EXT}-readme.txt", "rdmcnt": 0, "ext": ".vemar"}

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
MDcooUySCg	23%	Virustotal		Browse
MDcooUySCg	42%	ReversingLabs	Linux.Trojan.Multiverze

File type:	ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, stripped
Entropy (8bit):	5.667902292324163
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 49.77% ELF Executable and Linkable format (generic) (4004/1) 49.46% Lumena CEL bitmap (63/63) 0.78%
File name:	MDcooUySCg
File size:	109366
MD5:	3801a926ee836b6907d2d13723693d2d
SHA1:	cdf39434bb78871e839312e600b6fe40dc782a1f
SHA256:	d42bcb0fca6d93ce4c9a78e5393f7e5949c7398ac598f7c55b76120739eac544
SHA512:	ec312353aa521e39be7f86fe350daf663f793b3ca43d5223cb0acf091ea45f2770125a62c73ec1dec52666c3b3048ea355522347773a894a14840a19f8b762bc
SSDEEP:	3072:LQ7b+XdBHttsNgggwgggwgggwgggwgggYSYVP:mZFlVP
TLSH:	12B32AF7E6B551ECC676F33925CF7CFBE0A0707815B6240E6B86391D23249890D6623A
File Content Preview:	.ELF..............>.....P.@.....@...................@.8...@.............@.......@.@.....@.@.....................................8.......8.@.....8.@...............................................@.......@......O.......O........ ..............].......]a....

Network Behavior

⊘No network behavior found

System Behavior

Analysis Process: MDcooUySCg PID: 6811, Parent PID: 6745

General

Start time:	09:48:50
Start date:	23/04/2022
Path:	/tmp/MDcooUySCg
Arguments:	/tmp/MDcooUySCg
File size:	109366 bytes
MD5 hash:	3801a926ee836b6907d2d13723693d2d

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report MDcooUySCg

Overview

General Information

Detection

Signatures

Classification

General Information

Runtime Messages

Process Tree

Yara Signatures

Initial Sample

Memory Dumps

Joe Sandbox Signatures

AV Detection

Spam, unwanted Advertisements and Ransom Demands

System Summary

Mitre Att&ck Matrix

Malware Configuration

Threatname: REvil

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Network Behavior

System Behavior

Analysis Process: MDcooUySCg PID: 6811, Parent PID: 6745

General

Chronological Activities

Linux Analysis Report
MDcooUySCg