Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

r0tEgU8WOn.elf

ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, stripped

initial sample

Details

Filetype:	ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, stripped
Entropy:	6.349509841190828
Filename:	r0tEgU8WOn.elf
Filesize:	78264
MD5:	9ca55c5faa77de7b3d529e14968c02cb
SHA1:	2fc516e2fe883b81dca94102f9f9873cc0b2c85a
SHA256:	2ddee56033ff0a6f2aa485e73c7425596c22e13b1894f19ffdf66cf5868c6e6d
SHA512:	503d612b4c5a711a0841653cbc1f9dd8682a75d11aaedea0c58e3ae8fe778ef2b3f0e9fb1ac23f79d7874095b1d7924dabf2830b116eb4c5853a46d9e3e04c19
SSDEEP:	1536:ThkQnXOAY0f1jfv4x2W8D9XktNrvmoivznxRcx1tshO:TbOAY0lnS2xUrvRQs14O
Preview:	.ELF.......................D...4..0(.....4. ...(......................,8..,8...... .......,<..L<..L<......&....... .dt.Q............................NV..a....da.....N^NuNV..J9..O.f>"y..LT QJ.g.X.#...LTN."y..LT QJ.f.A.....J.g.Hy..,8N.X.......O.N^NuNV..N^NuN

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Sample deletes itself	Hooking and other Techniques for Hiding and Protection	File Deletion
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
Yara signature match	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion

/tmp/qemu-open.TEb6aZ (deleted)

data

dropped

Details

File:	/tmp/qemu-open.TEb6aZ (deleted)
Category:	dropped
Dump:	qemu-open.TEb6aZ (deleted).12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/r0tEgU8WOn.elf
Type:	data
Entropy:	4.348394345536403
Encrypted:	false
Ssdeep:	3:TgFa3AJ5L8HJN:TgraJN
Size:	30
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

/tmp/r0tEgU8WOn.elf

Domains

Name

Malicious

raw.qxej27mv7hud1uk03kj438ggzby0v7a8mgwwnmky2n9vn1tmcn1qpm8kax84ymn.ru

45.131.111.98

Details

Name:	raw.qxej27mv7hud1uk03kj438ggzby0v7a8mgwwnmky2n9vn1tmcn1qpm8kax84ymn.ru
IP:	45.131.111.98
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Queries the IP of a very long domain name	Networking	Application Layer Protocol
Sends malformed DNS queries	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

raw.qxej27mv7hud1uk03kj438ggzby0v7a8mgwwnmky2n9vn1tmcn1qpm8kax84ymn.ru. [malformed]

unknown

Details

Name:	raw.qxej27mv7hud1uk03kj438ggzby0v7a8mgwwnmky2n9vn1tmcn1qpm8kax84ymn.ru. [malformed]
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Queries the IP of a very long domain name	Networking	Application Layer Protocol
Sends malformed DNS queries	Networking
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

45.131.111.98

raw.qxej27mv7hud1uk03kj438ggzby0v7a8mgwwnmky2n9vn1tmcn1qpm8kax84ymn.ru

Germany

Details

IP:	45.131.111.98
TargetID:	-1
Country:	Germany
Countrycode:	DEU
ASN number:	398373
ASN name:	SERVERDESTROYERSUS
Private:	false
Domain:	raw.qxej27mv7hud1uk03kj438ggzby0v7a8mgwwnmky2n9vn1tmcn1qpm8kax84ymn.ru

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

185.125.190.26

unknown

United Kingdom

Details

IP:	185.125.190.26
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7efb94014000

page execute read

7efc1955c000

page read and write

7efc18a72000

page read and write

7efb9401a000

page read and write

55a889152000

page execute and read and write

7efc14021000

page read and write

7efc195a9000

page read and write

7efc14000000

page read and write

7efc190e8000

page read and write

7efc18a64000

page read and write

55a88b263000

page read and write

7ffeeebee000

page execute read

7efb94016000

page read and write

55a8891e9000

page read and write

55a88714c000

page read and write

7efc18261000

page read and write

7ffeeebe8000

page read and write

55a886f1a000

page execute read

7efc190c3000

page read and write

7efc19564000

page read and write

7efc18d01000

page read and write

7efc19433000

page read and write

55a887154000

page read and write

There are 13 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
r0tEgU8WOn.elf

Files

Processes

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportr0tEgU8WOn.elf

Files

Processes

Domains

IPs

Memdumps

IOC Report
r0tEgU8WOn.elf