IOC Report
aarch64.elf

Files

File Path

Type

Category

Malicious

aarch64.elf

ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), for GNU/Linux 3.2.0, BuildID[sha1]=a5bdb209387e06cba305d4d5db76c52b7cb6ea26, dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, no section header

initial sample

/tmp/file3unzfn

ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880

dropped

/tmp/file4Fy7Jd

ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880

dropped

/tmp/file8SeDcK

ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880

dropped

/tmp/fileAhzouC

ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880

dropped

/tmp/fileEJ1YHm

ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880

dropped

/tmp/fileFyLkXt

ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880

dropped

/tmp/fileH8WeMN

ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880

dropped

/tmp/fileHrjhlr

ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880

dropped

/tmp/fileI3e44j

ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880

dropped

/tmp/fileJh0LZs

ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880

dropped

/tmp/fileK3KBC0

ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880

dropped

/tmp/fileL9uCJw

ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880

dropped

/tmp/fileLKzJ69

ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880

dropped

/tmp/filePSqv2D

ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880

dropped

/tmp/fileRk9HVm

ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880

dropped

/tmp/fileS1TPeL

ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880

dropped

/tmp/fileSv5sYL

ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880

dropped

/tmp/fileVcsatJ

ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880

dropped

/tmp/fileYj3Od9

ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880

dropped

/tmp/filebHGuS9

ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880

dropped

/tmp/filecNf1cR

ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880

dropped

/tmp/filefeqQnR

ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880

dropped

/tmp/filehGga1T

ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880

dropped

/tmp/filehLNBcR

ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880

dropped

/tmp/filekiqVZx

ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880

dropped

/tmp/filelQzal6

ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880

dropped

/tmp/fileokK3kt

ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880

dropped

/tmp/filepy4g6w

ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880

dropped

/tmp/filesFsnIh

ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880

dropped

/tmp/filesnf6n9

ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880

dropped

/tmp/fileufE8BW

ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880

dropped

/tmp/fileutPfDq

ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880

dropped

/tmp/filevQYMqb

ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880

dropped

/tmp/fileyKcg50

ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880

dropped

/tmp/fileyVgJK1

ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880

dropped

/tmp/fileyfZXVP

ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880

dropped

/tmp/filezmeGW5

ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880

dropped

/tmp/filezpLQSZ

ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880

dropped

/tmp/filenxowZz

ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880

dropped

/tmp/filewURL35

ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880

dropped

There are 31 hidden files, click here to show them.

Processes

Path

Cmdline

Malicious

/tmp/aarch64.elf

/tmp/aarch64.elf

/tmp/aarch64.elf

-

/tmp/filenxowZz

/tmp/aarch64.elf

/tmp/filenxowZz

-

/tmp/filefeqQnR

/tmp/aarch64.elf

/tmp/filefeqQnR

-

/tmp/fileyVgJK1

/tmp/aarch64.elf

/tmp/fileyVgJK1

-

/tmp/fileokK3kt

/tmp/aarch64.elf

/tmp/fileokK3kt

-

/tmp/filebHGuS9

/tmp/aarch64.elf

/tmp/filebHGuS9

-

/tmp/filekiqVZx

/tmp/aarch64.elf

/tmp/filekiqVZx

-

/tmp/file8SeDcK

/tmp/aarch64.elf

/tmp/file8SeDcK

-

/tmp/fileK3KBC0

/tmp/aarch64.elf

/tmp/fileK3KBC0

-

/tmp/filePSqv2D

/tmp/aarch64.elf

/tmp/filePSqv2D

-

/tmp/filehLNBcR

/tmp/aarch64.elf

/tmp/filehLNBcR

-

/tmp/filezmeGW5

/tmp/aarch64.elf

/tmp/filezmeGW5

-

/tmp/filesFsnIh

/tmp/aarch64.elf

/tmp/filesFsnIh

-

/tmp/fileFyLkXt

/tmp/aarch64.elf

/tmp/fileFyLkXt

-

/tmp/fileufE8BW

/tmp/aarch64.elf

/tmp/fileufE8BW

-

/tmp/file4Fy7Jd

/tmp/aarch64.elf

/tmp/file4Fy7Jd

-

/tmp/fileutPfDq

/tmp/aarch64.elf

/tmp/fileutPfDq

-

/tmp/filecNf1cR

/tmp/aarch64.elf

/tmp/filecNf1cR

-

/tmp/fileEJ1YHm

/tmp/aarch64.elf

/tmp/fileEJ1YHm

-

/tmp/filepy4g6w

/tmp/aarch64.elf

/tmp/filepy4g6w

-

/tmp/filehGga1T

/tmp/aarch64.elf

/tmp/filehGga1T

-

/tmp/fileLKzJ69

/tmp/aarch64.elf

/tmp/fileLKzJ69

-

/tmp/fileHrjhlr

/tmp/aarch64.elf

/tmp/fileHrjhlr

-

/tmp/filevQYMqb

/tmp/aarch64.elf

/tmp/filevQYMqb

-

/tmp/fileJh0LZs

/tmp/aarch64.elf

/tmp/fileJh0LZs

-

/tmp/fileSv5sYL

/tmp/aarch64.elf

/tmp/fileSv5sYL

-

/tmp/filesnf6n9

/tmp/aarch64.elf

/tmp/filesnf6n9

-

/tmp/fileS1TPeL

/tmp/aarch64.elf

/tmp/fileS1TPeL

-

/tmp/filezpLQSZ

/tmp/aarch64.elf

/tmp/filezpLQSZ

-

/tmp/fileRk9HVm

/tmp/aarch64.elf

/tmp/fileRk9HVm

-

/tmp/fileAhzouC

/tmp/aarch64.elf

/tmp/fileAhzouC

-

/tmp/fileyKcg50

/tmp/aarch64.elf

/tmp/fileyKcg50

-

/tmp/fileL9uCJw

/tmp/aarch64.elf

/tmp/fileL9uCJw

-

/tmp/fileVcsatJ

/tmp/aarch64.elf

/tmp/fileVcsatJ

-

/tmp/filelQzal6

/tmp/aarch64.elf

/tmp/filelQzal6

-

/tmp/fileI3e44j

/tmp/aarch64.elf

/tmp/fileI3e44j

-

/tmp/fileH8WeMN

/tmp/aarch64.elf

/tmp/fileH8WeMN

-

/tmp/fileYj3Od9

/tmp/aarch64.elf

/tmp/fileYj3Od9

-

/tmp/file3unzfn

/tmp/aarch64.elf

/tmp/file3unzfn

-

/tmp/fileyfZXVP

/tmp/aarch64.elf

There are 69 hidden processes, click here to show them.

URLs

Name

IP

Malicious

https://www.gnu.org/software/coreutils/

unknown

https://gnu.org/licenses/gpl.html

unknown

https://wiki.xiph.org/MIME_Types_and_File_Extensions

unknown

http://cf0.pw/0/etc/cron.hourly/0

unknown

https://www.gnu.org/gethelp/

unknown

https://www.gnu.org/software/coreutils/Report

unknown

https://translationproject.org/team/

unknown

https://wiki.xiph.org/MIME_Types_and_File_Extensions.oga

unknown

https://wiki.xiph.org/MIME_Types_and_File_Extensions.ogv

unknown

IPs

IP

Domain

Country

Malicious

109.202.202.202

unknown

Switzerland

Details

IP:	109.202.202.202
TargetID:	-1
Country:	Switzerland
Countrycode:	CHE
ASN number:	13030
ASN name:	INIT7CH
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.43

unknown

United Kingdom

Details

IP:	91.189.91.43
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.42

unknown

United Kingdom

Details

IP:	91.189.91.42
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

55d716540000

page read and write

7ffd6b16c000

page read and write

7ffd6b1e0000

page execute read

7f179e3bd000

page read and write

7f179e402000

page read and write

55d716be9000

page read and write

Details

Name:	6221.1.000055d716b7a000.000055d716be9000.rw-.sdmp
TargetID:	12
Dumpstage:	process exit
Protect:	page read and write
Base address:	55d716be9000
Size:	454656

Signature Hits	Behavior Group	Mitre Attack
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
URLs found in memory or binary data	Networking

7f179e1c9000

page read and write

Details

Name:	6221.1.00007f179df71000.00007f179e1c9000.rw-.sdmp
TargetID:	12
Dumpstage:	process exit
Protect:	page read and write
Base address:	7f179e1c9000
Size:	2457600

Signature Hits	Behavior Group	Mitre Attack
Malicious sample detected (through community Yara rule)	System Summary
Yara signature match	System Summary

55d71633f000

page execute read

Details

Name:	6221.1.000055d71633d000.000055d71633f000.r-x.sdmp
TargetID:	12
Dumpstage:	process exit
Protect:	page execute read
Base address:	55d71633f000
Size:	8192

Signature Hits	Behavior Group	Mitre Attack
Malicious sample detected (through community Yara rule)	System Summary
Yara signature match	System Summary