Analysis Report


General Information

Joe Sandbox Version: 22.0.0
Analysis ID: 570655
Start time: 15:10:49
Joe Sandbox Product: Cloud
Start date: 31.05.2018
Overall analysis duration: 0h 2m 30s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: ZocPSAcTvQ
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: CentOS Linux 7.4 x64 (Kernel 3.10.0-693, Firefox 52.6.0, Document Viewer 3.22.1)


Threshold: 60 (score scale 0 - 100); Verdict: malicious


Signature Overview

AV Detection:

Antivirus detection for submitted file
Source: ZocPSAcTvQ; Avira: Label: LINUX/VPNFilter.denpe


Urls found in memory or binary data
Source: ZocPSAcTvQ; String found in binary or memory: http://
Source: ZocPSAcTvQ; String found in binary or memory: http://https:///proc/net/tcp
Source: ZocPSAcTvQ; String found in binary or memory: https://

Persistence and Installation Behavior:

Tries to open /proc/mtd (commonly found in embedded devices)
Source: /tmp/ZocPSAcTvQ (PID: 5457); File: /proc/mtd

System Summary:

Detected VPNFilter malware
Source: /tmp/ZocPSAcTvQ (PID: 5457); File access: /var/run/msvf.pid
Sample has stripped symbol table
Source: ELF static info symbol of initial sample; .symtab present: no
Classification label
Source: classification engine; Classification label: mal60.troj.lin@0/0@0/0

Runtime Messages

Exit Code:
Exit Code Info:
Standard Output:
Programm started
Initializing config structure...ok
Decrypting string's constants...Strings count 40:
s1; 14 byte:/dev/mtdblock0
s2; 4 byte:exec
s3; 4 byte:kill
s4; 63 byte:Mozilla/6.1 (compatible; MSIE 9.0; Windows NT 5.3; Trident/5.0)
s5; 2 byte:me
s6; 3 byte:pxs
s7; 2 byte:tr
s8; 3 byte:mds
s9; 79 byte:{'uq':'%s';'pv':'%s';'ad':'%s';'bv':'0.11.1a/%s';'nn':'%s';'tn':'%s';'on':'%d'}
s10; 43 byte:{'uq':'%s';'pv':'%s';'ad':'%s';'prep':'%s'}
s11; 10 byte:google.com
s12; 6 byte:seturl
s13; 10 byte:client.crt
s14; 10 byte:client.key
s15; 13 byte:client_ca.crt
s16; 8 byte:download
s17; 3 byte:all
s18; 6 byte:reboot
s19; 5 byte:proxy
s20; 4 byte:port
s21; 5 byte:delay
s22; 4 byte:copy
s23; 3 byte:tor
s24; 8 byte:msvf.pid
s25; 9 byte:/var/run/
s26; 5 byte:/var/
s27; 5 byte:/tmp/
s28; 32 byte:http://api.ipify.org?format=json
s29; 6 byte:px(%s)
s30; 9 byte:
s31; 4 byte:9050
s32; 8 byte:*file*:
s33; 18 byte:%s/file_%d_%d_.bin
s34; 15 byte:/proc/%d/status
s35; 13 byte:/proc/%d/stat
s36; 10 byte:/proc/stat
s37; 8 byte:artifice
s38; 85 byte:%lu %s %s %lu %lu %lu %lu %lu %lu %lu %lu %lu %lu %lu %lu %lu %lu %lu %lu %lu %lu %lu
s39; 5 byte:%s_%s
s40; 8 byte:%s?%s=%s
Names count 4:
n1; 15 byte:pPRXi686QNAPX86
n2; 4 byte:i686
n3; 39 byte:6b57dcnonk2edf5a.onion/bin32/update.php
n4; 39 byte:zuh3vcyskd4gipkm.onion/bin32/update.php
Start's accounts count 3:
a1; 14 byte:
a2; 13 byte:
a3; 13 byte:
Start's panels count 3:
a1; 39 byte:6b57dcnonk2edf5a.onion/bin32/update.php
a2; 39 byte:zuh3vcyskd4gipkm.onion/bin32/update.php
a3; 39 byte:tljmmy4vmkqbdof4.onion/bin32/update.php
Setup config...
Certs not found. Waiting tor module
Build id: pPRXi686QNAPX86
Setup programm name...OK(ZocPSAcTvQ)
Setup starter version...OK(0.0)
Set name for work directories...OK
Setup proxy address...OK
Setup panel address...OK(
Setup ip-address...OK(
Setup programm id...OK(px(08:00:27:03:ac:d2))
Setup nodename...OK(base64(centos-analyzer):Y2VudG9zLWFuYWx5emVy)
Creating work folders...ok
Start main cycle

-====================< New main iteration >==========================-
Creat request...OK
json_obj = {'uq':'px(08:00:27:03:ac:d2)';'pv':'pPRXi686QNAPX86';'ad':'';'bv':'0.11.1a/0.0';'nn':'Y2VudG9zLWFuYWx5emVy';'tn':'';'on':'1'}
Setup connection...
Setup connection to panel(1)
Setup tcp connection to
Change connection scheme
Setup connection to panel(1)
Setup ssl connection to
Setup ssl connection to
Setup ssl connection to
New proxy
Setup ssl connection to
Setup ssl connection to
Setup ssl connection to
New proxy
Setup ssl connection to
Setup ssl connection to
Setup ssl connection to
New proxy
Standard Error:

Behavior Graph

[Behavior graph image; legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Number of created Files, Is malicious]
Behavior Graph ID: 570655; Sample: ZocPSAcTvQ; Startdate: 31/05/2018; Architecture: LINUX; Score: 60
Graph signatures: Antivirus detection for submitted file; Detected VPNFilter malware; Tries to open /proc/mtd (commonly found in embedded devices)

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Antivirus Detection

Initial Sample


Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches


  • system is lnxcentos1
  • ZocPSAcTvQ (PID: 5457, Parent: 5412, MD5: 4912aad5e79c78bc143e71633df9c17b)
  • cleanup

Created / dropped Files

No created / dropped files found

Contacted Domains/Contacted IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

Static File Info


File type: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
Entropy (8bit): 6.564340128987347
  • ELF Executable and Linkable format (Linux) (4029/14) 50.16%
  • ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name: ZocPSAcTvQ
File size: 304760
File Content Preview: .ELF....................h...4...p.......4. ...(.....................H...H.................... ... .......j..........Q.td............................U..S.......w....h........[]...$.............U......= $...t..1....$ .....$ ......u........t...$D.......... $

Static ELF Info

ELF header

Data: 2's complement, little endian
Version: 1 (current)
Machine: Intel 80386
Version Number: 0x1
Type: EXEC (Executable file)
OS/ABI: UNIX - System V
ABI Version: 0
Entry Point Address: 0x8048168
ELF Header Size: 52
Program Header Offset: 52
Program Header Size: 32
Number of Program Headers: 3
Section Header Offset: 304240
Section Header Size: 40
Number of Section Headers: 13
Header String Table Index: 12


Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align

Program Segments

Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
LOAD | 0x0 | 0x8048000 | 0x8048000 | 0x49c48 | 0x49c48 | 0x5 | R E | 0x1000 | | .init .text .fini .rodata .eh_frame
LOAD | 0x4a000 | 0x8092000 | 0x8092000 | 0x418 | 0x16ac4 | 0x6 | RW | 0x1000 | | .ctors .dtors .jcr .got.plt .data .bss
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0x6 | RW | 0x4 | |

Network Behavior

No network behavior found

System Behavior


Start time: 15:11:51
Start date: 31/05/2018
File size: 304760 bytes
MD5 hash: 4912aad5e79c78bc143e71633df9c17b