Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

XooIXdKFaW.elf

ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, not stripped

initial sample

Details

Filetype:	ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, not stripped
Entropy:	6.032237507193388
Filename:	XooIXdKFaW.elf
Filesize:	108843
MD5:	a2d6ea004185b5c917f8d85022a873d1
SHA1:	5848c8973c05fae8c8dfb2ed6eb84f937311e79f
SHA256:	3562c112569ce1760704e57618a2b5dd793d118b6815cc3e6b42783ee8d7f0fa
SHA512:	2ecc2077c4b08e88b84a0cf6ab7ab7166cd8a9a32e825cd647b987657a51e9d8da98e8cb3e2c74b0a65a982b78202eff17ad21f9c32a02ffd3d14faef8b5bef1
SSDEEP:	3072:t2W1Zq5dzYqlSQeqacWucW0JcWcB5cXGouOmBpmOws7HB9:t2Wnq5JSQeqacWucW0JcWcBubuJb7v
Preview:	.ELF.......................D...4..Y......4. ...(......................K...K....... .......K...k...k.......gd...... .dt.Q............................NV..a....da.../.N^NuNV..J9..n.f>"y..k. QJ.g.X.#...k.N."y..k. QJ.f.A.....J.g.Hy..k.N.X.......n.N^NuNV..N^NuN

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Opens /proc/net/* files useful for finding connected devices and routers	Spreading	Remote System Discovery
Sample and/or dropped files contains symbols with suspicious names	System Summary	Masquerading
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion
Yara signature match	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
URLs found in memory or binary data	Networking

/tmp/qemu-open.4EuFNk (deleted)

ASCII text

dropped

Details

File:	/tmp/qemu-open.4EuFNk (deleted)
Category:	dropped
Dump:	qemu-open.4EuFNk (deleted).12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/XooIXdKFaW.elf
Type:	ASCII text
Entropy:	3.709552666863289
Encrypted:	false
Ssdeep:	6:iekrEcvwAsE5KlwSd4pzKaV6Lpms/a/1VCxGF:ur+m5MwSdIKaV6L1adVRF
Size:	230
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

/tmp/XooIXdKFaW.elf

URLs

Name

Malicious

91.92.240.85:23

Details

Name:	91.92.240.85:23
TargetID:	0
From Memory:	false
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol

http://91.92.240.85/bins.sh;

unknown

Domains

Name

Malicious

daisy.ubuntu.com

162.213.35.24

IPs

Domain

Country

Malicious

91.92.240.85

unknown

Bulgaria

Details

IP:	91.92.240.85
TargetID:	-1
Country:	Bulgaria
Countrycode:	BGR
ASN number:	34368
ASN name:	THEZONEBG
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
URLs found in memory or binary data	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

56067dece000

page read and write

7f04938cb000

page read and write

7ffd64150000

page read and write

7f048c021000

page read and write

7f048c021000

page read and write

7ffd64150000

page read and write

7f0493d6c000

page read and write

7f0493c3b000

page read and write

7f04938f0000

page read and write

56067a403000

page read and write

7f040c01f000

page read and write

56067c4a0000

page read and write

56067dece000

page read and write

7f0493509000

page read and write

56067c4a0000

page read and write

56067a40b000

page read and write

7f0493509000

page read and write

56067c409000

page execute and read and write

7ffd641ee000

page execute read

7f040c016000

page execute read

7f04938cb000

page read and write

7f040c018000

page read and write

7f040c016000

page execute read

56067c409000

page execute and read and write

7f049327a000

page read and write

7f049326c000

page read and write

56067a1d1000

page execute read

7f040c01f000

page read and write

7f0493d64000

page read and write

7f048c000000

page read and write

7f0493db1000

page read and write

7f040c018000

page read and write

7f0493db1000

page read and write

7f0492a69000

page read and write

7f0493d64000

page read and write

7f0492a69000

page read and write

7f048c000000

page read and write

7f04938f0000

page read and write

7f049326c000

page read and write

7f049327a000

page read and write

56067a40b000

page read and write

56067a403000

page read and write

56067a1d1000

page execute read

7ffd641ee000

page execute read

7f0493c3b000

page read and write

7f0493d6c000

page read and write

There are 36 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
XooIXdKFaW.elf

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportXooIXdKFaW.elf

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
XooIXdKFaW.elf