Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

s0OthAxkuM.elf

ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, not stripped

initial sample

Details

Filetype:	ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, not stripped
Entropy:	6.142289714673083
Filename:	s0OthAxkuM.elf
Filesize:	135609
MD5:	f69e0d406a7c759169baaa059720edd4
SHA1:	685e4b6b15146c5ccef2ffd3602c30180d6b3e8e
SHA256:	de95008e1a69329b540fa5f42b9f327634cdeb32d03f6b27573adbde84952061
SHA512:	66f96d8f3f84dfca9f17c713f500bd065070576e1b19ece5076c3f2039c8526ad4206d647fe8c1abf31d959415c8b9a51adec1b631c64bebb1844c88fb36c4e1
SSDEEP:	3072:3v/xY5MqJdV3QeuacWjcW0JcWcBUsbWAxpk5k78tHZ2mm2s0UzZ6l0Nu:3+ldVQeuacWjcW0JcWcBzbWkWG78t52O
Preview:	.ELF.......................D...4.........4. ...(.......................^...^...... ........`...`...`...<..jd...... .dt.Q............................NV..a....da...]\N^NuNV..J9....f>"y...\| QJ.g.X.#....\|N."y...\| QJ.f.A.....J.g.Hy...`N.X.........N^NuNV..N^NuN

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Opens /proc/net/* files useful for finding connected devices and routers	Spreading	Remote System Discovery
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion
Yara signature match	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery

/tmp/qemu-open.PBbP0K (deleted)

ASCII text

dropped

Details

File:	/tmp/qemu-open.PBbP0K (deleted)
Category:	dropped
Dump:	qemu-open.PBbP0K (deleted).12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/s0OthAxkuM.elf
Type:	ASCII text
Entropy:	3.709552666863289
Encrypted:	false
Ssdeep:	6:iekrEcvwAsE5KlwSd4pzKaV6Lpms/a/1VCxGF:ur+m5MwSdIKaV6L1adVRF
Size:	230
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

/tmp/s0OthAxkuM.elf

/usr/bin/dash

/usr/bin/rm

rm -f /tmp/tmp.p3RgJauZEP /tmp/tmp.bAhgN5J8zq /tmp/tmp.1TdM82QiHF

/usr/bin/dash

/usr/bin/rm

rm -f /tmp/tmp.p3RgJauZEP /tmp/tmp.bAhgN5J8zq /tmp/tmp.1TdM82QiHF

IPs

Domain

Country

Malicious

176.123.4.187

unknown

Moldova Republic of

Details

IP:	176.123.4.187
TargetID:	-1
Country:	Moldova Republic of
Countrycode:	MDA
ASN number:	200019
ASN name:	ALEXHOSTMD
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

54.171.230.55

unknown

United States

Details

IP:	54.171.230.55
TargetID:	-1
Country:	United States
Countrycode:	USA
ASN number:	16509
ASN name:	AMAZON-02US
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

109.202.202.202

unknown

Switzerland

Details

IP:	109.202.202.202
TargetID:	-1
Country:	Switzerland
Countrycode:	CHE
ASN number:	13030
ASN name:	INIT7CH
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.43

unknown

United Kingdom

Details

IP:	91.189.91.43
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.42

unknown

United Kingdom

Details

IP:	91.189.91.42
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7f070001c000

page execute read

7f070001c000

page execute read

7f070001c000

page execute read

557073409000

page read and write

7f0785bd2000

page read and write

557070495000

page read and write

557072493000

page execute and read and write

7f0785bd2000

page read and write

7f0786da4000

page read and write

7f07863e3000

page read and write

7f07863e3000

page read and write

557070495000

page read and write

55707048d000

page read and write

7f0786ed5000

page read and write

7f0780000000

page read and write

7f0786672000

page read and write

7f07863d5000

page read and write

7ffc9c7a1000

page execute read

55707048d000

page read and write

7ffc9c66c000

page read and write

7f07863d5000

page read and write

55707048d000

page read and write

7f0786ed5000

page read and write

7f0786ecd000

page read and write

7f0786f1a000

page read and write

7f0780021000

page read and write

7f0700025000

page read and write

7ffc9c7a1000

page execute read

7f0780000000

page read and write

7f0700025000

page read and write

557072493000

page execute and read and write

7f070001e000

page read and write

7f0786ecd000

page read and write

7f07863d5000

page read and write

55707252a000

page read and write

557073409000

page read and write

7f0786672000

page read and write

7f0786f1a000

page read and write

557070495000

page read and write

557073409000

page read and write

55707252a000

page read and write

7f0700025000

page read and write

7f07863e3000

page read and write

55707025b000

page execute read

55707025b000

page execute read

7f0786da4000

page read and write

55707252a000

page read and write

7f0786da4000

page read and write

7f0785bd2000

page read and write

7f0780000000

page read and write

7ffc9c66c000

page read and write

7f0780021000

page read and write

7f070001e000

page read and write

7f0786672000

page read and write

7f0786ecd000

page read and write

7f0786f1a000

page read and write

7f0786a34000

page read and write

7f0786a59000

page read and write

55707025b000

page execute read

7f0780021000

page read and write

7ffc9c66c000

page read and write

557072493000

page execute and read and write

7f0786a59000

page read and write

7f0786a34000

page read and write

7f0786a59000

page read and write

7ffc9c7a1000

page execute read

7f0786a34000

page read and write

7f070001e000

page read and write

7f0786ed5000

page read and write

There are 59 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
s0OthAxkuM.elf

Files

Processes

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reports0OthAxkuM.elf

Files

Processes

IPs

Memdumps

IOC Report
s0OthAxkuM.elf