Edit tour

Linux Analysis Report
qICLEK5VRO

Overview

General Information

Sample Name:	qICLEK5VRO
Analysis ID:	627364
MD5:	e94958fb5d8da1a7d544c06d4632c846
SHA1:	f66479adc6f036533919b6155a7e310cf4f07928
SHA256:	0ec1ae5752fd6770b25b0e51d83503cf758b5b84a1939dcca1eef4d9ad50b4a2
Tags:	32elfmirairenesas
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false

Signatures

Multi AV Scanner detection for submitted file

Sample deletes itself

Sample has stripped symbol table

Uses the "uname" system call to query kernel version information (possible evasion)

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Detected TCP or UDP traffic on non-standard ports

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might not execute correctly on this machine.

All HTTP servers contacted by the sample do not answer. The sample is likely an old dropper which does no longer work.

Non-zero exit code suggests an error during the execution. Lookup the error code for hints.

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	627364
Start date and time: 16/05/202213:58:12	2022-05-16 13:58:12 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	qICLEK5VRO
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Detection:	MAL
Classification:	mal52.evad.lin@0/0@0/0

Warnings

VT rate limit hit for: qICLEK5VRO

Runtime Messages

Command:	/tmp/qICLEK5VRO
PID:	6246
Exit Code:	1
Exit Code Info:
Killed:	False
Standard Output:	[[91mAbyssal[0m] established connection. Monitoring device.
Standard Error:

Process Tree

system is lnxubuntu20

qICLEK5VRO (PID: 6246, Parent: 6155, MD5: 8943e5f8f8c280467b4472c15ae93ba9) Arguments: /tmp/qICLEK5VRO

cleanup

Yara Signatures

⊘No yara matches

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: qICLEK5VRO

ReversingLabs: Detection: 39%

Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80

Source: global traffic

TCP traffic: 192.168.2.23:43480 -> 103.136.41.110:6525

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 103.136.41.110
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal52.evad.lin@0/0@0/0

Hooking and other Techniques for Hiding and Protection

Sample deletes itself

Source: /tmp/qICLEK5VRO (PID: 6246)

File: /tmp/qICLEK5VRO

Jump to behavior

Source: /tmp/qICLEK5VRO (PID: 6246)

Queries kernel information via 'uname':

Jump to behavior

Source: qICLEK5VRO, 6246.1.00000000bbab0635.00000000cdb971d4.rw-.sdmp	Binary or memory string: /usr/bin/qemu-sh4
Source: qICLEK5VRO, 6246.1.000000003fae4da2.0000000033fabfd2.rw-.sdmp	Binary or memory string: U5!/etc/qemu-binfmt/sh4
Source: qICLEK5VRO, 6246.1.000000003fae4da2.0000000033fabfd2.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/sh4
Source: qICLEK5VRO, 6246.1.00000000bbab0635.00000000cdb971d4.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-sh4/tmp/qICLEK5VROSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/qICLEK5VRO

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 File Deletion	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
qICLEK5VRO	39%	ReversingLabs	Linux.Trojan.Mirai

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
103.136.41.110	unknown	India	139884	AGPL-AS-APApeironGlobalPvtLtdIN	false
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
103.136.41.110	qaE0C9rclb	Get hash	malicious	Browse
	PpcvaRE8wF	Get hash	malicious	Browse
	aPll2HI0vq	Get hash	malicious	Browse
	QQ7EA6NtnR	Get hash	malicious	Browse
	GXUKKZ7Qnf	Get hash	malicious	Browse
	tJ9TlGLj1K	Get hash	malicious	Browse
	ixOTaOEDIW	Get hash	malicious	Browse
	OCrSf4L4AH	Get hash	malicious	Browse
	HvIio1rY75	Get hash	malicious	Browse
	nQ9DQ8dyp9	Get hash	malicious	Browse
	fJoJrFsRDU	Get hash	malicious	Browse
	1U7K4ZoysU	Get hash	malicious	Browse
	2OudwAz06p	Get hash	malicious	Browse
	LmbPIbBJtG	Get hash	malicious	Browse
	muwVjbx43u	Get hash	malicious	Browse
	6mgPR0Wyq7	Get hash	malicious	Browse
	pLYNr2qjHV	Get hash	malicious	Browse
	bwUj1FMbJ6	Get hash	malicious	Browse
	wZwjwmeeGW	Get hash	malicious	Browse
	6zl1VArwOv	Get hash	malicious	Browse
109.202.202.202	qaE0C9rclb	Get hash	malicious	Browse
	fxlJlYCE4I	Get hash	malicious	Browse
	rW2vFLB6Jy	Get hash	malicious	Browse
	UnHAnaAW.arm5	Get hash	malicious	Browse
	n9eApCavgK	Get hash	malicious	Browse
	rrmc88FRmf	Get hash	malicious	Browse
	X66tU1iptI	Get hash	malicious	Browse
	lWfQlkujqz	Get hash	malicious	Browse
	X8hY1BGn3d	Get hash	malicious	Browse
	r5Ns1m235y	Get hash	malicious	Browse
	T6Sv400TfW	Get hash	malicious	Browse
	tUOen8R3jC	Get hash	malicious	Browse
	X2jhhXiaJf	Get hash	malicious	Browse
	SaIN1z8B7X	Get hash	malicious	Browse
	TSL33T.arm5	Get hash	malicious	Browse
	ZG9zarm7	Get hash	malicious	Browse
	ZG9zarm	Get hash	malicious	Browse
	wMZjd2tXuZ	Get hash	malicious	Browse
	Anti.arm5	Get hash	malicious	Browse
	lgvIcn4KKz	Get hash	malicious	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AGPL-AS-APApeironGlobalPvtLtdIN	qaE0C9rclb	Get hash	malicious	Browse	103.136.41.110
	EG4I1Przgq	Get hash	malicious	Browse	103.136.40.176
	j0Ee2pkXcH	Get hash	malicious	Browse	103.136.40.176
	1Ggdi0m8hf	Get hash	malicious	Browse	103.136.40.176
	PpcvaRE8wF	Get hash	malicious	Browse	103.136.41.110
	aPll2HI0vq	Get hash	malicious	Browse	103.136.41.110
	QQ7EA6NtnR	Get hash	malicious	Browse	103.136.41.110
	Iitoq5GM0G.exe	Get hash	malicious	Browse	103.136.40.167
	GXUKKZ7Qnf	Get hash	malicious	Browse	103.136.41.110
	tJ9TlGLj1K	Get hash	malicious	Browse	103.136.41.110
	ixOTaOEDIW	Get hash	malicious	Browse	103.136.41.110
	OCrSf4L4AH	Get hash	malicious	Browse	103.136.41.110
	HvIio1rY75	Get hash	malicious	Browse	103.136.41.110
	nQ9DQ8dyp9	Get hash	malicious	Browse	103.136.41.110
	fJoJrFsRDU	Get hash	malicious	Browse	103.136.41.110
	1U7K4ZoysU	Get hash	malicious	Browse	103.136.41.110
	2OudwAz06p	Get hash	malicious	Browse	103.136.41.110
	LmbPIbBJtG	Get hash	malicious	Browse	103.136.41.110
	muwVjbx43u	Get hash	malicious	Browse	103.136.41.110
	6mgPR0Wyq7	Get hash	malicious	Browse	103.136.41.110
INIT7CH	qaE0C9rclb	Get hash	malicious	Browse	109.202.202.202
	fxlJlYCE4I	Get hash	malicious	Browse	109.202.202.202
	rW2vFLB6Jy	Get hash	malicious	Browse	109.202.202.202
	UnHAnaAW.arm5	Get hash	malicious	Browse	109.202.202.202
	n9eApCavgK	Get hash	malicious	Browse	109.202.202.202
	rrmc88FRmf	Get hash	malicious	Browse	109.202.202.202
	X66tU1iptI	Get hash	malicious	Browse	109.202.202.202
	lWfQlkujqz	Get hash	malicious	Browse	109.202.202.202
	X8hY1BGn3d	Get hash	malicious	Browse	109.202.202.202
	r5Ns1m235y	Get hash	malicious	Browse	109.202.202.202
	T6Sv400TfW	Get hash	malicious	Browse	109.202.202.202
	tUOen8R3jC	Get hash	malicious	Browse	109.202.202.202
	X2jhhXiaJf	Get hash	malicious	Browse	109.202.202.202
	SaIN1z8B7X	Get hash	malicious	Browse	109.202.202.202
	TSL33T.arm5	Get hash	malicious	Browse	109.202.202.202
	ZG9zarm7	Get hash	malicious	Browse	109.202.202.202
	ZG9zarm	Get hash	malicious	Browse	109.202.202.202
	wMZjd2tXuZ	Get hash	malicious	Browse	109.202.202.202
	Anti.arm5	Get hash	malicious	Browse	109.202.202.202
	lgvIcn4KKz	Get hash	malicious	Browse	109.202.202.202

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.843964110789535
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	qICLEK5VRO
File size:	81308
MD5:	e94958fb5d8da1a7d544c06d4632c846
SHA1:	f66479adc6f036533919b6155a7e310cf4f07928
SHA256:	0ec1ae5752fd6770b25b0e51d83503cf758b5b84a1939dcca1eef4d9ad50b4a2
SHA512:	aaf1eb528111e34512a32c5fa99e5812069a1a3167c16b0dff82ba49e24921fc254cf1305f35bdd129b0ed4d000def35ab68f2ebb4d580309be539f635196648
SSDEEP:	1536:KVyy0IgITcOFkcwo82Kq6pkILtHhwxeK82WDyG9ECl9n8j96:OynQLD/6pkIxHhwxR8d9EOcE
TLSH:	B583AF72C16C6F2CD2044AB47961EF368753A40083AB6FF79999C7666443DACF6087F8
File Content Preview:	.ELF.....................@.4....<......4. ...(...............@...@..5...5...............5...5B..5B.....<..........Q.td............................././"O.n........#.@........#.@.....o&O.n...l..............................././.../.a"O.!...n...a.b("...q.

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	<unknown>
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x4001a0
Flags:	0x9
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	80908
Section Header Size:	40
Number of Section Headers:	10
Header String Table Index:	9

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x400094	0x94	0x30	0x0	0x6	AX	4
.text	PROGBITS	0x4000e0	0xe0	0x11400	0x0	0x6	AX	32
.fini	PROGBITS	0x4114e0	0x114e0	0x24	0x0	0x6	AX	4
.rodata	PROGBITS	0x411504	0x11504	0x2004	0x0	0x2	A	4
.ctors	PROGBITS	0x42350c	0x1350c	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x423514	0x13514	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x423520	0x13520	0x6ac	0x0	0x3	WA	4
.bss	NOBITS	0x423bcc	0x13bcc	0x237c	0x0	0x3	WA	4
.shstrtab	STRTAB	0x0	0x13bcc	0x3e	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x400000	0x400000	0x13508	0x13508	4.8080	0x5	R E	0x10000	.init .text .fini .rodata
LOAD	0x1350c	0x42350c	0x42350c	0x6c0	0x2a3c	2.6753	0x6	RW	0x10000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 16, 2022 13:59:18.430448055 CEST	43928	443	192.168.2.23	91.189.91.42
May 16, 2022 13:59:28.670478106 CEST	42836	443	192.168.2.23	91.189.91.43
May 16, 2022 13:59:34.814235926 CEST	42516	80	192.168.2.23	109.202.202.202
May 16, 2022 13:59:59.390058041 CEST	43928	443	192.168.2.23	91.189.91.42
May 16, 2022 14:00:17.113245964 CEST	6525	43480	103.136.41.110	192.168.2.23
May 16, 2022 14:00:17.113445044 CEST	43480	6525	192.168.2.23	103.136.41.110
May 16, 2022 14:00:19.869844913 CEST	42836	443	192.168.2.23	91.189.91.43

System Behavior

Analysis Process: qICLEK5VRO PID: 6246, Parent PID: 6155

General

Start time:	13:59:06
Start date:	16/05/2022
Path:	/tmp/qICLEK5VRO
Arguments:	/tmp/qICLEK5VRO
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report qICLEK5VRO

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: qICLEK5VRO PID: 6246, Parent PID: 6155

General

Chronological Activities

Linux Analysis Report
qICLEK5VRO