Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

QuXveZg4s6.elf

ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, not stripped

initial sample

Details

Filetype:	ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, not stripped
Entropy:	6.020307213629908
Filename:	QuXveZg4s6.elf
Filesize:	109609
MD5:	5bc7d8c624b8dad3890cbf6f107cfb39
SHA1:	2892255490cc8b06bd01a00fc539e7fd750f4855
SHA256:	e23a23c96e3d35bebfe00dea0cb9491ff4d39ff1e137655abd18fd19118ab5a1
SHA512:	47461bf06ccac4d0814015fc4ab87f931269c17ebfe64b13b15006b570f1dd902b17b23c9ff620d54515068512c03db0d73084a7efc8d2888b5ce984fcd71eab
SSDEEP:	1536:D9eYQ+PZgdj+ctVJn2c3Wq8JQWwxTE6ZRZGZEFMtH4T+:Ze3625DecwA9tZMGMtB
Preview:	.ELF...........................4..U......4. ...(......................Gp..Gp..............Gp..Gp..Gp......rd..............G...G...G.................dt.Q.............................!..\|......$H...H.&)...$8!. \|...N.. .!..\|.......?.........J...../...@..`= .

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Opens /proc/net/* files useful for finding connected devices and routers	Spreading	Remote System Discovery
Sample and/or dropped files contains symbols with suspicious names	System Summary	Masquerading
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion
Yara signature match	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
URLs found in memory or binary data	Networking

/tmp/qemu-open.Gnv1WU (deleted)

ASCII text

dropped

Details

File:	/tmp/qemu-open.Gnv1WU (deleted)
Category:	dropped
Dump:	qemu-open.Gnv1WU (deleted).12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/QuXveZg4s6.elf
Type:	ASCII text
Entropy:	3.709552666863289
Encrypted:	false
Ssdeep:	6:iekrEcvwAsE5KlwSd4pzKaV6Lpms/a/1VCxGF:ur+m5MwSdIKaV6L1adVRF
Size:	230
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

/tmp/QuXveZg4s6.elf

URLs

Name

Malicious

91.92.240.85:23

Details

Name:	91.92.240.85:23
TargetID:	0
From Memory:	false
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol

http://91.92.240.85/bins.sh;

unknown

Domains

Name

Malicious

daisy.ubuntu.com

162.213.35.25

IPs

Domain

Country

Malicious

91.92.240.85

unknown

Bulgaria

Details

IP:	91.92.240.85
TargetID:	-1
Country:	Bulgaria
Countrycode:	BGR
ASN number:	34368
ASN name:	THEZONEBG
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
URLs found in memory or binary data	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7f5578fd5000

page read and write

7f5578f88000

page read and write

555cf05c7000

page read and write

555cf25e3000

page read and write

7f5578aef000

page read and write

7f5578fd5000

page read and write

7f5578f90000

page read and write

555cf25e3000

page read and write

555cf05cf000

page read and write

7f5578aef000

page read and write

7f548002d000

page execute and read and write

7ffd8acdf000

page read and write

7f5578f88000

page read and write

7f5480026000

page execute and read and write

7f557849e000

page read and write

555cf05c7000

page read and write

7ffd8add0000

page execute read

7f5480016000

page execute read

7ffd8add0000

page execute read

7f557872d000

page read and write

7f5578e5f000

page read and write

7ffd8acdf000

page read and write

7f5570000000

page read and write

7f5570021000

page read and write

7f5578e5f000

page read and write

555cf35fc000

page read and write

7f5480026000

page execute and read and write

7f548002e000

page read and write

7f5578f90000

page read and write

7f548002d000

page execute and read and write

555cf05cf000

page read and write

7f5570021000

page read and write

7f5578490000

page read and write

7f548002e000

page read and write

555cf0344000

page execute read

7f5480016000

page execute read

7f557872d000

page read and write

555cf25cd000

page execute and read and write

555cf0344000

page execute read

7f5577c8d000

page read and write

555cf35fc000

page read and write

7f5577c8d000

page read and write

7f5578b14000

page read and write

7f5570000000

page read and write

7f557849e000

page read and write

7f5578b14000

page read and write

7f5578490000

page read and write

555cf25cd000

page execute and read and write

There are 38 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
QuXveZg4s6.elf

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportQuXveZg4s6.elf

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
QuXveZg4s6.elf