Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

GIPlLTG4sS.elf

ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, not stripped

initial sample

Details

Filetype:	ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, not stripped
Entropy:	6.170733983850343
Filename:	GIPlLTG4sS.elf
Filesize:	134902
MD5:	58a9c7b2539b6a86f90f97520a227020
SHA1:	6d3ec0b4e9e497d9d47a88f3c2e8dab34defb235
SHA256:	6bfcc301bd2b4f9f08fa4534c1bc9883ba1a8ad7294281dd98ed287162048e50
SHA512:	92050f4499a87b4e60a951974ae9c61020acd31c4d8597d9a402eb5e1b137358c8901a90ffcd02ae6b5c599d5c906eaf24c21b6975b0e13bfc1479a729d49a9f
SSDEEP:	1536:6wOSvD2GpFQBhrqMd5BoGRQyGB/ND+36IzkzIEgWmLOh0nmJ2VNu:6LqyGpFjMJtRQho0ZLmLK0nE2VNu
Preview:	.ELF...........................4...D.....4. ...(.......................................................L..up...............$...$...$................dt.Q.............................!..\|......$H...H.Oa...$8!. \|...N.. .!..\|.......?.............../...@..`= .

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Opens /proc/net/* files useful for finding connected devices and routers	Spreading	Remote System Discovery
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
Yara signature match	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion

/tmp/qemu-open.tJfM5X (deleted)

ASCII text

dropped

Details

File:	/tmp/qemu-open.tJfM5X (deleted)
Category:	dropped
Dump:	qemu-open.tJfM5X (deleted).12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/GIPlLTG4sS.elf
Type:	ASCII text
Entropy:	3.709552666863289
Encrypted:	false
Ssdeep:	6:iekrEcvwAsE5KlwSd4pzKaV6Lpms/a/1VCxGF:ur+m5MwSdIKaV6L1adVRF
Size:	230
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

/tmp/GIPlLTG4sS.elf

Domains

Name

Malicious

daisy.ubuntu.com

162.213.35.25

IPs

Domain

Country

Malicious

64.23.184.217

unknown

United States

Details

IP:	64.23.184.217
TargetID:	-1
Country:	United States
Countrycode:	USA
ASN number:	3064
ASN name:	AFFINITY-FTLUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

185.125.190.26

unknown

United Kingdom

Details

IP:	185.125.190.26
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7fdb4c01b000

page execute read

7fdb4c01b000

page execute read

7fdb4c01b000

page execute read

7fdc42eee000

page read and write

7fdc4286a000

page read and write

55adb60ec000

page read and write

55adb410a000

page execute and read and write

7fdc3c000000

page read and write

7fff9bff2000

page execute read

55adb2104000

page read and write

7fdc433af000

page read and write

7fdc4336a000

page read and write

7fdb4c034000

page read and write

7fdb4c032000

page execute and read and write

7fdc42ec9000

page read and write

7fdb4c032000

page execute and read and write

7fdc42ec9000

page read and write

55adb210c000

page read and write

7fdc43362000

page read and write

7fdc3c021000

page read and write

7fdc43362000

page read and write

7fdc42eee000

page read and write

7fdc42878000

page read and write

55adb2104000

page read and write

7fdc433af000

page read and write

7fdc42ec9000

page read and write

55adb210c000

page read and write

7fdc42878000

page read and write

55adb4120000

page read and write

7fff9bf2e000

page read and write

55adb410a000

page execute and read and write

7fdb4c02b000

page execute and read and write

7fdc42b07000

page read and write

55adb1e81000

page execute read

7fff9bf2e000

page read and write

55adb410a000

page execute and read and write

7fdc4286a000

page read and write

55adb1e81000

page execute read

55adb1e81000

page execute read

7fdb4c034000

page read and write

7fdc42067000

page read and write

55adb4120000

page read and write

7fdc4336a000

page read and write

7fdc3c021000

page read and write

7fdb4c034000

page read and write

7fdc42b07000

page read and write

7fdc43239000

page read and write

7fdc4286a000

page read and write

7fdc4336a000

page read and write

55adb4120000

page read and write

7fdc43362000

page read and write

55adb60ec000

page read and write

7fdc43239000

page read and write

7fdb4c032000

page execute and read and write

55adb210c000

page read and write

7fdc42b07000

page read and write

7fdb4c02b000

page execute and read and write

7fdb4c02b000

page execute and read and write

7fdc3c000000

page read and write

7fdc3c021000

page read and write

7fdc42067000

page read and write

55adb60ec000

page read and write

7fdc42eee000

page read and write

7fdc42067000

page read and write

7fdc42878000

page read and write

7fdc43239000

page read and write

7fff9bff2000

page execute read

55adb2104000

page read and write

7fff9bff2000

page execute read

7fff9bf2e000

page read and write

7fdc433af000

page read and write

7fdc3c000000

page read and write

There are 62 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
GIPlLTG4sS.elf

Files

Processes

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportGIPlLTG4sS.elf

Files

Processes

Domains

IPs

Memdumps

IOC Report
GIPlLTG4sS.elf