Linux Analysis Report
ijxeqyXNc4

Overview

General Information

Sample name: ijxeqyXNc4 (renamed because original name is a hash value)
Original sample name: 15412d1a6b7f79fad45bcd32cf82f9d651d9ccca082f98a0cca3ad5335284e45
Analysis ID: 3760041
MD5: 8138f1af1dc51cde924aa2360f12d650
SHA1: 74b1da190d670fa4c207afb0fbca4d7df701538a
SHA256: 15412d1a6b7f79fad45bcd32cf82f9d651d9ccca082f98a0cca3ad5335284e45

Detection

Dinodas RAT
Score: 76
Range: 0 - 100
Whitelisted: false

Signatures

Snort IDS alert for network traffic
Yara detected Dinodas RAT
Executes itself again with its parent PID as an argument (indicative of hampering debugging)
Executes the "dmidecode" command for reading DMI BIOS info like hardware or serial numbers (indicative of machine fingerprinting or VM-detection)
Executes the "getconf" command for querying system configuration variables
Sample tries to persist itself using System V runlevels
Sample tries to set files in /etc globally writable
Contains symbols related to standard C library sleeps (sometimes used to evade sandboxing)
Creates hidden files and/or directories
Creates hidden files without content (potentially used as a mutex)
Executes commands using a shell command-line interpreter
Executes the "chmod" command used to modify permissions
Executes the "ifconfig" command used to gather network information
Reads system version information
Reads the 'hosts' file potentially containing internal network hosts
Sample contains strings that are potentially command strings
Sample has stripped symbol table
Sample tries to set the executable flag
Sets full permissions to files and/or directories
Uses the "uname" system call to query kernel version information (possible evasion)
Writes INI config files to disk
Writes shell script file to disk with an unusual file extension

Classification

Joe Sandbox version:
Analysis ID: 3760041
Start date and time: 2024-04-10 11:12:52 +02:00
Joe Sandbox product: Cloud
Overall analysis duration: 0h 9m 7s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: Linux - Ubuntu 22 - sleep detection and extension with SSL inspection.jbs
Analysis system description: Ubuntu Linux 22.04 x64 (Kernel 5.15.0-94, Firefox 124.0.2, Atril Document Viewer 1.26.0, LibreOffice 7.3.7.2, OpenJDK 17.0.10)
Analysis Mode: default
Sample name: ijxeqyXNc4 (renamed because original name is a hash value)
Original Sample Name: 15412d1a6b7f79fad45bcd32cf82f9d651d9ccca082f98a0cca3ad5335284e45
Detection: MAL
Classification: mal76.troj.evad.lin@0/3@1/0
Cookbook Comments:
  • Analysis time extended to 240s due to sleep detection in submitted sample
Command: /tmp/ijxeqyXNc4
PID: 5431
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:
Standard Error:

Process Tree

  • system is lnxubuntu22
  • ijxeqyXNc4 (PID: 5431, Parent: 5377, MD5: 8138f1af1dc51cde924aa2360f12d650) Arguments: /tmp/ijxeqyXNc4
    • ijxeqyXNc4 New Fork (PID: 5432, Parent: 5431)
      • sh (PID: 5433, Parent: 5432, MD5: 7409ae3f7b10e059ee70d9079c94b097) Arguments: sh -c "cat /proc/version"
        • sh New Fork (PID: 5434, Parent: 5433)
        • cat (PID: 5434, Parent: 5433, MD5: bad083817ee6cf28643668a67fce3f4e) Arguments: cat /proc/version
      • sh (PID: 5435, Parent: 5432, MD5: 7409ae3f7b10e059ee70d9079c94b097) Arguments: sh -c "cat /etc/lsb-release"
        • sh New Fork (PID: 5436, Parent: 5435)
        • cat (PID: 5436, Parent: 5435, MD5: bad083817ee6cf28643668a67fce3f4e) Arguments: cat /etc/lsb-release
      • sh (PID: 5437, Parent: 5432, MD5: 7409ae3f7b10e059ee70d9079c94b097) Arguments: sh -c "ln -s /lib/systemd/system/rc.local.service /etc/systemd/system/"
        • sh New Fork (PID: 5438, Parent: 5437)
        • ln (PID: 5438, Parent: 5437, MD5: 85642a6e6b43fa5b4177f69df37f3ba3) Arguments: ln -s /lib/systemd/system/rc.local.service /etc/systemd/system/
      • sh (PID: 5439, Parent: 5432, MD5: 7409ae3f7b10e059ee70d9079c94b097) Arguments: sh -c "chmod 777 /etc/rc.local"
        • sh New Fork (PID: 5440, Parent: 5439)
        • chmod (PID: 5440, Parent: 5439, MD5: a3c9079943bd39eee11caecec425e36e) Arguments: chmod 777 /etc/rc.local
      • sh (PID: 5441, Parent: 5432, MD5: 7409ae3f7b10e059ee70d9079c94b097) Arguments: sh -c "/tmp/ijxeqyXNc4 d 5432"
        • sh New Fork (PID: 5442, Parent: 5441)
        • ijxeqyXNc4 (PID: 5442, Parent: 5441, MD5: 8138f1af1dc51cde924aa2360f12d650) Arguments: /tmp/ijxeqyXNc4 d 5432
          • sh (PID: 5443, Parent: 5442, MD5: 7409ae3f7b10e059ee70d9079c94b097) Arguments: sh -c ifconfig
            • sh New Fork (PID: 5444, Parent: 5443)
            • ifconfig (PID: 5444, Parent: 5443, MD5: 53aa4bb01899b4d5020230af1a3d5e8b) Arguments: ifconfig
          • sh (PID: 5445, Parent: 5442, MD5: 7409ae3f7b10e059ee70d9079c94b097) Arguments: sh -c dmidecode
            • sh New Fork (PID: 5446, Parent: 5445)
            • dmidecode (PID: 5446, Parent: 5445, MD5: f030dde9ad21d7fa298fae2a2286a1c7) Arguments: dmidecode
          • sh (PID: 5447, Parent: 5442, MD5: 7409ae3f7b10e059ee70d9079c94b097) Arguments: sh -c "cat /etc/issue"
            • sh New Fork (PID: 5448, Parent: 5447)
            • cat (PID: 5448, Parent: 5447, MD5: bad083817ee6cf28643668a67fce3f4e) Arguments: cat /etc/issue
          • sh (PID: 5449, Parent: 5442, MD5: 7409ae3f7b10e059ee70d9079c94b097) Arguments: sh -c "getconf LONG_BIT"
            • sh New Fork (PID: 5450, Parent: 5449)
            • getconf (PID: 5450, Parent: 5449, MD5: 419753c9d341f1e7aa8451dea9441fd9) Arguments: getconf LONG_BIT
  • cleanup
Yara Matches

Source | Rule | Description | Author | Strings
ijxeqyXNc4 (initial sample) | JoeSecurity_DinodasRAT_1 | Yara detected Dinodas RAT | Joe Security |
5431.1.0000000000400000.000000000043f000.r-x.sdmp (memory dump) | JoeSecurity_DinodasRAT_1 | Yara detected Dinodas RAT | Joe Security |
Snort IDS Alerts

Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
04/10/24-11:14:27.079270 | 2051867 | 43079 | 53 | UDP | A Network Trojan was detected
04/10/24-11:14:27.079270 | 2051846 | 43079 | 53 | UDP | A Network Trojan was detected
04/10/24-11:14:27.079270 | 2051837 | 43079 | 53 | UDP | A Network Trojan was detected
04/10/24-11:14:47.166945 | 2051868 | 55268 | 443 | UDP | A Network Trojan was detected
04/10/24-11:14:47.166945 | 2051839 | 55268 | 443 | UDP | A Network Trojan was detected
04/10/24-11:15:18.245782 | 2051839 | 38278 | 443 | UDP | A Network Trojan was detected
04/10/24-11:15:18.245782 | 2051868 | 38278 | 443 | UDP | A Network Trojan was detected
04/10/24-11:15:49.341725 | 2051868 | 45342 | 443 | UDP | A Network Trojan was detected
04/10/24-11:15:49.341725 | 2051839 | 45342 | 443 | UDP | A Network Trojan was detected
04/10/24-11:16:20.415578 | 2051839 | 50490 | 443 | UDP | A Network Trojan was detected
04/10/24-11:16:20.415578 | 2051868 | 50490 | 443 | UDP | A Network Trojan was detected
04/10/24-11:16:51.500898 | 2051839 | 41687 | 443 | UDP | A Network Trojan was detected
04/10/24-11:16:51.500898 | 2051868 | 41687 | 443 | UDP | A Network Trojan was detected
04/10/24-11:17:22.705256 | 2051868 | 45210 | 443 | UDP | A Network Trojan was detected
04/10/24-11:17:22.705256 | 2051839 | 45210 | 443 | UDP | A Network Trojan was detected
04/10/24-11:17:53.785050 | 2051839 | 38251 | 443 | UDP | A Network Trojan was detected
04/10/24-11:17:53.785050 | 2051868 | 38251 | 443 | UDP | A Network Trojan was detected
04/10/24-11:18:25.105451 | 2051839 | 34962 | 443 | UDP | A Network Trojan was detected
04/10/24-11:18:25.105451 | 2051868 | 34962 | 443 | UDP | A Network Trojan was detected

Networking

Source: Traffic | Snort IDS: 2051867 ET TROJAN Dinodas RAT CnC Domain in DNS Lookup (update .centos-yum .com) 192.168.2.126:43079 -> 1.1.1.1:53
Source: Traffic | Snort IDS: 2051846 ET TROJAN DNS Query to Earth Krahang APT Domain (update .centos-yum .com) 192.168.2.126:43079 -> 1.1.1.1:53
Source: Traffic | Snort IDS: 2051837 ET TROJAN DinodasRAT Related CnC Domain in DNS Lookup (update .centos-yum .com) 192.168.2.126:43079 -> 1.1.1.1:53
Source: Traffic | Snort IDS: 2051868 ET TROJAN Linux/Dinodas RAT CnC Checkin - UDP 192.168.2.126:55268 -> 91.195.240.94:443
Source: Traffic | Snort IDS: 2051839 ET TROJAN Suspected DinodasRAT Related Activity (UDP) 192.168.2.126:55268 -> 91.195.240.94:443
Source: Traffic | Snort IDS: 2051868 ET TROJAN Linux/Dinodas RAT CnC Checkin - UDP 192.168.2.126:38278 -> 91.195.240.94:443
Source: Traffic | Snort IDS: 2051839 ET TROJAN Suspected DinodasRAT Related Activity (UDP) 192.168.2.126:38278 -> 91.195.240.94:443
Source: Traffic | Snort IDS: 2051868 ET TROJAN Linux/Dinodas RAT CnC Checkin - UDP 192.168.2.126:45342 -> 91.195.240.94:443
Source: Traffic | Snort IDS: 2051839 ET TROJAN Suspected DinodasRAT Related Activity (UDP) 192.168.2.126:45342 -> 91.195.240.94:443
Source: Traffic | Snort IDS: 2051868 ET TROJAN Linux/Dinodas RAT CnC Checkin - UDP 192.168.2.126:50490 -> 91.195.240.94:443
Source: Traffic | Snort IDS: 2051839 ET TROJAN Suspected DinodasRAT Related Activity (UDP) 192.168.2.126:50490 -> 91.195.240.94:443
Source: Traffic | Snort IDS: 2051868 ET TROJAN Linux/Dinodas RAT CnC Checkin - UDP 192.168.2.126:41687 -> 91.195.240.94:443
Source: Traffic | Snort IDS: 2051839 ET TROJAN Suspected DinodasRAT Related Activity (UDP) 192.168.2.126:41687 -> 91.195.240.94:443
Source: Traffic | Snort IDS: 2051868 ET TROJAN Linux/Dinodas RAT CnC Checkin - UDP 192.168.2.126:45210 -> 91.195.240.94:443
Source: Traffic | Snort IDS: 2051839 ET TROJAN Suspected DinodasRAT Related Activity (UDP) 192.168.2.126:45210 -> 91.195.240.94:443
Source: Traffic | Snort IDS: 2051868 ET TROJAN Linux/Dinodas RAT CnC Checkin - UDP 192.168.2.126:38251 -> 91.195.240.94:443
Source: Traffic | Snort IDS: 2051839 ET TROJAN Suspected DinodasRAT Related Activity (UDP) 192.168.2.126:38251 -> 91.195.240.94:443
Source: Traffic | Snort IDS: 2051868 ET TROJAN Linux/Dinodas RAT CnC Checkin - UDP 192.168.2.126:34962 -> 91.195.240.94:443
Source: Traffic | Snort IDS: 2051839 ET TROJAN Suspected DinodasRAT Related Activity (UDP) 192.168.2.126:34962 -> 91.195.240.94:443
Source: /tmp/ijxeqyXNc4 (PID: 5442) | Reads hosts file: /etc/hosts
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | DNS traffic detected: queries for: update.centos-yum.com
Source: Initial sample | Potential command found: cat /etc/redhat-release
Source: Initial sample | Potential command found: cat /etc/issue
Source: Initial sample | Potential command found: cat /etc/redhat-releasecat /etc/issue\n\lifconfigHWaddrip alink/ether dmidecodeLinux_%s_%s_%u_V10imei%s%s%s210/0001
Source: Initial sample | Potential command found: cat /proc/version
Source: Initial sample | Potential command found: cat /etc/lsb-release
Source: ELF static info symbol of initial sample | .symtab present: no
Source: classification engine | Classification label: mal76.troj.evad.lin@0/3@1/0

Persistence and Installation Behavior

Source: /tmp/ijxeqyXNc4 (PID: 5432) | File: /etc/rc.local
Source: /usr/bin/chmod (PID: 5440) | File: /etc/rc.local (bits: - usr: rwx grp: rwx all: rwx)
Source: /tmp/ijxeqyXNc4 (PID: 5431) | File: /tmp/.ijxeqyXNc4.mu
Source: /tmp/ijxeqyXNc4 (PID: 5431) | Directory: /tmp/.ijxeqyXNc4.mu
Source: /tmp/ijxeqyXNc4 (PID: 5442) | File: /tmp/.ijxeqyXNc4d.mu
Source: /tmp/ijxeqyXNc4 (PID: 5442) | Directory: /tmp/.ijxeqyXNc4d.mu
Source: /tmp/ijxeqyXNc4 (PID: 5442) | Directory: /tmp/.netc.ini
Source: /tmp/ijxeqyXNc4 (PID: 5442) | File: /tmp/.netc.ini
Source: /tmp/ijxeqyXNc4 (PID: 5442) | Directory: /tmp/.netc.ini
Source: /tmp/ijxeqyXNc4 (PID: 5431) | Empty hidden file: /tmp/.ijxeqyXNc4.mu
Source: /tmp/ijxeqyXNc4 (PID: 5442) | Empty hidden file: /tmp/.ijxeqyXNc4d.mu
Source: /tmp/ijxeqyXNc4 (PID: 5433) | Shell command executed: sh -c "cat /proc/version"
Source: /tmp/ijxeqyXNc4 (PID: 5435) | Shell command executed: sh -c "cat /etc/lsb-release"
Source: /tmp/ijxeqyXNc4 (PID: 5437) | Shell command executed: sh -c "ln -s /lib/systemd/system/rc.local.service /etc/systemd/system/"
Source: /tmp/ijxeqyXNc4 (PID: 5439) | Shell command executed: sh -c "chmod 777 /etc/rc.local"
Source: /tmp/ijxeqyXNc4 (PID: 5441) | Shell command executed: sh -c "/tmp/ijxeqyXNc4 d 5432"
Source: /tmp/ijxeqyXNc4 (PID: 5443) | Shell command executed: sh -c ifconfig
Source: /tmp/ijxeqyXNc4 (PID: 5445) | Shell command executed: sh -c dmidecode
Source: /tmp/ijxeqyXNc4 (PID: 5447) | Shell command executed: sh -c "cat /etc/issue"
Source: /tmp/ijxeqyXNc4 (PID: 5449) | Shell command executed: sh -c "getconf LONG_BIT"
Source: /bin/sh (PID: 5440) | Chmod executable: /usr/bin/chmod -> chmod 777 /etc/rc.local
Source: /usr/bin/cat (PID: 5434) | Reads version info: /proc/version
Source: /usr/bin/cat (PID: 5448) | Reads version info: /etc/issue
Source: /usr/bin/chmod (PID: 5440) | File: /etc/rc.local (bits: - usr: rwx grp: rwx all: rwx)
Source: /bin/sh (PID: 5440) | Chmod executable with 777: /usr/bin/chmod -> chmod 777 /etc/rc.local
Source: /tmp/ijxeqyXNc4 (PID: 5442) | INI config file created: /tmp/.netc.ini (dropped file)
Source: /tmp/ijxeqyXNc4 (PID: 5432) | Writes shell script file to disk with an unusual file extension: /etc/rc.local (dropped file)

Hooking and other Techniques for Hiding and Protection

Source: /bin/sh (PID: 5446) | Dmidecode executable: /usr/sbin/dmidecode dmidecode
Source: ELF symbol in initial sample | Symbol name: sleep
Source: ELF symbol in initial sample | Symbol name: usleep
Source: /usr/sbin/ifconfig (PID: 5444) | Queries kernel information via 'uname':

Anti Debugging

Source: /tmp/ijxeqyXNc4 (PID: 5441) | Process with PPID: /bin/sh -> sh -c "/tmp/ijxeqyXNc4 d 5432"

Language, Device and Operating System Detection

Source: /bin/sh (PID: 5446) | Dmidecode executable: /usr/sbin/dmidecode dmidecode
Source: /bin/sh (PID: 5450) | Getconf executable: /usr/bin/getconf getconf LONG_BIT

Stealing of Sensitive Information

Source: Yara match | File source: ijxeqyXNc4, type: SAMPLE
Source: Yara match | File source: 5431.1.0000000000400000.000000000043f000.r-x.sdmp, type: MEMORY
Source: /bin/sh (PID: 5444) | Ifconfig executable: /usr/sbin/ifconfig -> ifconfig

Remote Access Functionality

Source: Yara match | File source: ijxeqyXNc4, type: SAMPLE
Source: Yara match | File source: 5431.1.0000000000400000.000000000043f000.r-x.sdmp, type: MEMORY
MITRE ATT&CK Matrix

The matrix is listed per tactic; the bracketed number is the count shown next to that technique in the matrix, and techniques without a number were not flagged for this sample.

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information
Resource Development: Scripting [1], Domains, DNS Server, Virtual Private Server, Server
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts
Execution: Command and Scripting Interpreter [1], Scheduled Task/Job, At, Cron, Launchd
Persistence: Scripting [1], Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script
Privilege Escalation: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script
Defense Evasion: Masquerading [1], Hide Artifacts [1], File and Directory Permissions Modification [2], Virtualization/Sandbox Evasion [1], Hidden Files and Directories [1]
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets
Discovery: Security Software Discovery [1], Virtualization/Sandbox Evasion [1], System Network Configuration Discovery [1], File and Directory Discovery [1], System Information Discovery [21]
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH
Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging
Command and Control: Non-Application Layer Protocol [1], Application Layer Protocol [1], Steganography, Protocol Impersonation, Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer
Impact: Data Manipulation [1], Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact
No configs have been found

Behavior Graph

[Graph rendering and legend omitted; recoverable information from the graph: Behavior Graph ID 3760041, sample ijxeqyXNc4, start date 10/04/2024, architecture LINUX, score 76. Network node: update.centos-yum.com resolving to 91.195.240.94, port 443 (SEDO-ASDE, Germany). Dropped file: /etc/rc.local (Bourne-Again shell script). Process chain: ijxeqyXNc4 starts a second ijxeqyXNc4 instance, which starts several sh children that in turn run ijxeqyXNc4, chmod, cat, cat and ln. Signatures attached to the graph: "Snort IDS alert for network traffic", "Yara detected Dinodas RAT", "Sample tries to persist itself using System V runlevels" (on the second ijxeqyXNc4 instance) and "Executes itself again with its parent PID as an argument (indicative of hampering debugging)" (on the sh -> ijxeqyXNc4 branch). The graph text is truncated at this point in the page.]