Edit tour

Linux Analysis Report
pict.jpg

Overview

General Information

Sample name:	pict.jpg
Analysis ID:	1523488
MD5:	c2c7e9be6e780a56601e686998bbf93c
SHA1:	c026533f36e6fccde39239cf4a1df926fbff0ff9
SHA256:	384d513d6c0706d93c56426e893b4582fe9861dc223ccce2f74c53d57ff2b7ce
Infos:

Detection

Score:	1
Range:	0 - 100
Whitelisted:	false

Signatures

Creates hidden files and/or directories

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1523488
Start date and time:	2024-10-01 17:02:14 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 88.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
Analysis Mode:	default
Sample name:	pict.jpg
Detection:	CLEAN
Classification:	clean1.linJPG@0/0@0/0
Cookbook Comments:	Internet access has been disabled

Warnings

VT rate limit hit for: pict.jpg

Runtime Messages

Command:	xdg-open "/tmp/pict.jpg"
PID:	4758
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:

Process Tree

system is lnxubuntu1

exo-open (PID: 4819, Parent: 4758, MD5: 39c5fa78f1cb3d950b9944f784018d3a) Arguments: exo-open /tmp/pict.jpg

exo-open New Fork (PID: 4827, Parent: 4819)

dbus-launch (PID: 4827, Parent: 4819, MD5: e4a469f27d130d783c21ce9c1c4456c3) Arguments: dbus-launch --autolaunch=11ced2f07072c6ae389b731c5cc84014 --binary-syntax --close-stderr

exo-open New Fork (PID: 4844, Parent: 4819)

exo-open New Fork (PID: 4845, Parent: 4844)

ristretto (PID: 4845, Parent: 1656, MD5: 15778690113a3fdfd05834ed1877e667) Arguments: ristretto /tmp/pict.jpg

ristretto New Fork (PID: 4862, Parent: 4845)

dbus-launch (PID: 4862, Parent: 4845, MD5: e4a469f27d130d783c21ce9c1c4456c3) Arguments: dbus-launch --autolaunch 11ced2f07072c6ae389b731c5cc84014 --binary-syntax --close-stderr

cleanup

Yara Signatures

⊘No yara matches

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: classification engine

Classification label: clean1.linJPG@0/0@0/0

Source: /usr/bin/exo-open (PID: 4819)	Directory: /home/james/.Xauthority	Jump to behavior
Source: /usr/bin/exo-open (PID: 4819)	Directory: /home/james/.cache	Jump to behavior
Source: /usr/bin/dbus-launch (PID: 4827)	Directory: /home/james/.Xauthority	Jump to behavior
Source: /usr/bin/ristretto (PID: 4845)	Directory: /home/james/.Xauthority	Jump to behavior
Source: /usr/bin/ristretto (PID: 4845)	Directory: /home/james/.Xdefaults-ubuntu	Jump to behavior
Source: /usr/bin/ristretto (PID: 4845)	Directory: /tmp/.X0-lock	Jump to behavior
Source: /usr/bin/ristretto (PID: 4845)	Directory: /tmp/.hidden	Jump to behavior
Source: /usr/bin/ristretto (PID: 4845)	Directory: /tmp/.xfsm-ICE-TWMPB2	Jump to behavior
Source: /usr/bin/ristretto (PID: 4845)	Directory: /home/james/.cache	Jump to behavior
Source: /usr/bin/ristretto (PID: 4845)	Directory: /home/james/.local	Jump to behavior
Source: /usr/bin/ristretto (PID: 4845)	Directory: /home/james/.config	Jump to behavior
Source: /usr/bin/dbus-launch (PID: 4862)	Directory: /home/james/.Xauthority	Jump to behavior

Source: /usr/bin/exo-open (PID: 4819)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/dbus-launch (PID: 4827)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/ristretto (PID: 4845)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/dbus-launch (PID: 4862)	Queries kernel information via 'uname':	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 Hidden Files and Directories	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

⊘No contacted IP infos

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PNG image data, 525 x 180, 8-bit/color RGBA, non-interlaced
Entropy (8bit):	7.858296627628926
TrID:	Portable Network Graphics (16016/1) 100.00%
File name:	pict.jpg
File size:	10'077 bytes
MD5:	c2c7e9be6e780a56601e686998bbf93c
SHA1:	c026533f36e6fccde39239cf4a1df926fbff0ff9
SHA256:	384d513d6c0706d93c56426e893b4582fe9861dc223ccce2f74c53d57ff2b7ce
SHA512:	d13e9fa1897147f8c170e289830e5b78f6c2c0db07e4fc282383cef8fea2508e60bdd0cd152e6385c8d9d850a8ee5d9873942f113f9945b1daa395e057d11407
SSDEEP:	192:oRlRgaV+FCBMvTgaoiNB8OUw9J9253Q0IlDXJ5pHL5P4iTvc+rO:ozgawj99SNQR97pHt4EQ
TLSH:	8C229EF5B3C93B9BE5A01593708F94AC5FABE1223DA073A886D0F1DAF5A048354D4C62
File Content Preview:	.PNG........IHDR..............B....'$IDATx....k.u..._.KK.T..b"..).@...A........b*..."]........KA.B)...8...'...&..$....2JMs......-.w{>..KZ.u...z"....E.....8....q.../... _...@..#..\|.G..."....E.....8....q.../... _...@..#..\|.G..."....E.....8....q.../... _...@

Network Behavior

⊘No network behavior found

System Behavior

Analysis Process: exo-open PID: 4819, Parent PID: 4758

General

Start time (UTC):	15:02:49
Start date (UTC):	01/10/2024
Path:	/usr/bin/exo-open
Arguments:	exo-open /tmp/pict.jpg
File size:	22856 bytes
MD5 hash:	39c5fa78f1cb3d950b9944f784018d3a

Chronological Activities

Analysis Process: exo-open PID: 4827, Parent PID: 4819

General

Start time (UTC):	15:02:49
Start date (UTC):	01/10/2024
Path:	/usr/bin/exo-open
Arguments:	-
File size:	22856 bytes
MD5 hash:	39c5fa78f1cb3d950b9944f784018d3a

Chronological Activities

Analysis Process: dbus-launch PID: 4827, Parent PID: 4819

General

Start time (UTC):	15:02:49
Start date (UTC):	01/10/2024
Path:	/usr/bin/dbus-launch
Arguments:	dbus-launch --autolaunch=11ced2f07072c6ae389b731c5cc84014 --binary-syntax --close-stderr
File size:	26616 bytes
MD5 hash:	e4a469f27d130d783c21ce9c1c4456c3

Chronological Activities

Analysis Process: exo-open PID: 4844, Parent PID: 4819

General

Start time (UTC):	15:02:49
Start date (UTC):	01/10/2024
Path:	/usr/bin/exo-open
Arguments:	-
File size:	22856 bytes
MD5 hash:	39c5fa78f1cb3d950b9944f784018d3a

Chronological Activities

Analysis Process: exo-open PID: 4845, Parent PID: 4844

General

Start time (UTC):	15:02:49
Start date (UTC):	01/10/2024
Path:	/usr/bin/exo-open
Arguments:	-
File size:	22856 bytes
MD5 hash:	39c5fa78f1cb3d950b9944f784018d3a

Chronological Activities

Analysis Process: ristretto PID: 4845, Parent PID: 1656

General

Start time (UTC):	15:02:49
Start date (UTC):	01/10/2024
Path:	/usr/bin/ristretto
Arguments:	ristretto /tmp/pict.jpg
File size:	225576 bytes
MD5 hash:	15778690113a3fdfd05834ed1877e667

Chronological Activities

Analysis Process: ristretto PID: 4862, Parent PID: 4845

General

Start time (UTC):	15:02:49
Start date (UTC):	01/10/2024
Path:	/usr/bin/ristretto
Arguments:	-
File size:	225576 bytes
MD5 hash:	15778690113a3fdfd05834ed1877e667

Chronological Activities

Analysis Process: dbus-launch PID: 4862, Parent PID: 4845

General

Start time (UTC):	15:02:49
Start date (UTC):	01/10/2024
Path:	/usr/bin/dbus-launch
Arguments:	dbus-launch --autolaunch 11ced2f07072c6ae389b731c5cc84014 --binary-syntax --close-stderr
File size:	26616 bytes
MD5 hash:	e4a469f27d130d783c21ce9c1c4456c3

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report pict.jpg

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Network Behavior

System Behavior

Analysis Process: exo-open PID: 4819, Parent PID: 4758

General

Chronological Activities

Analysis Process: exo-open PID: 4827, Parent PID: 4819

General

Chronological Activities

Analysis Process: dbus-launch PID: 4827, Parent PID: 4819

General

Chronological Activities

Analysis Process: exo-open PID: 4844, Parent PID: 4819

General

Chronological Activities

Analysis Process: exo-open PID: 4845, Parent PID: 4844

General

Chronological Activities

Analysis Process: ristretto PID: 4845, Parent PID: 1656

General

Chronological Activities

Analysis Process: ristretto PID: 4862, Parent PID: 4845

General

Chronological Activities

Analysis Process: dbus-launch PID: 4862, Parent PID: 4845

General

Chronological Activities

Linux Analysis Report
pict.jpg