Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Okami.ppc.elf

ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, not stripped

initial sample

Details

Filetype:	ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, not stripped
Entropy:	6.044055886555948
Filename:	Okami.ppc.elf
Filesize:	94074
MD5:	c35c73017ae00e2b4968cf6fc7232447
SHA1:	4bc61720d41b5f89921359c466151f42ca1b86b9
SHA256:	f489b1dee4cb4f39ec00288a911c0e8193083acbe7f4c973f4baa3165855ce14
SHA512:	7233367923533fbd68c956280414722c48e1c80fcd5edc7f8bab37f5a594b7861ed03804c01524b83025e92dc18a1e6cbc2bd609559d8ecd0049e9d7c81c4f93
SSDEEP:	1536:9a8ZDXWE3jen6IbRnu7GygoblchOSDz5hXkyFyhZlQ0k0yD2PJojyKn:4+rMn1pu7GyFKZz5hXkyFyZlQ0k0yD2G
Preview:	.ELF...........................4.. ......4. ...(.......................,...,..............................g.........dt.Q.............................!..\|......$H...H......$8!. \|...N.. .!..\|.......?.............../...@..\?........+../...A..$8...})......N..

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
Yara signature match	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
Sample and/or dropped files contains symbols with file path information	System Summary
URLs found in memory or binary data	Networking

/run/systemd/resolve/stub-resolv.conf

ASCII text

dropped

Details

File:	/run/systemd/resolve/stub-resolv.conf
Category:	dropped
Dump:	stub-resolv.conf.15.dr
ID:	dr_0
Target ID:	15
Process:	/tmp/Okami.ppc.elf
Type:	ASCII text
Entropy:	3.3918926446809334
Encrypted:	false
Ssdeep:	3:KkZRAkd:KaAu
Size:	38
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

/tmp/Okami.ppc.elf

URLs

Name

Malicious

http://www.billybobbot.com/crawler/)

unknown

Details

Name:	http://www.billybobbot.com/crawler/)
TargetID:	12
From Memory:	true
Current Path:	/tmp/Okami.ppc.elf
Source:	Okami.ppc.elf

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection
URLs found in memory or binary data	Networking

http://www.baidu.com/search/spider.html)

unknown

http://fast.no/support/crawler.asp)

unknown

http://feedback.redkolibri.com/

unknown

http://www.baidu.com/search/spider.htm)

unknown

Domains

Name

Malicious

daisy.ubuntu.com

162.213.35.24

IPs

Domain

Country

Malicious

93.123.85.246

unknown

Bulgaria

Details

IP:	93.123.85.246
TargetID:	-1
Country:	Bulgaria
Countrycode:	BGR
ASN number:	43561
ASN name:	NET1-ASBG
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7f05a4012000

page execute read

7f05a4012000

page execute read

7f05a4012000

page execute read

7f0699742000

page read and write

7f069935b000

page read and write

7fff2a0d2000

page execute read

7f05a4023000

page read and write

7f06988bb000

page read and write

7f06988bb000

page read and write

557588eda000

page read and write

557588c4f000

page execute read

55758aeee000

page read and write

7f05a4029000

page read and write

7f06990cc000

page read and write

55758aeee000

page read and write

7f0699bb6000

page read and write

7f0699a8d000

page read and write

55758aed8000

page execute and read and write

7f069971d000

page read and write

55758b6d1000

page read and write

7f06990be000

page read and write

55758b6d1000

page read and write

557588c4f000

page execute read

7fff2a067000

page read and write

557588c4f000

page execute read

7f06990be000

page read and write

55758aed8000

page execute and read and write

7f0694021000

page read and write

7f0699bb6000

page read and write

55758aeee000

page read and write

7f05a4029000

page read and write

7fff2a0d2000

page execute read

557588eda000

page read and write

7f06990be000

page read and write

7f05a4029000

page read and write

7f06988bb000

page read and write

7f0694021000

page read and write

7f0699a8d000

page read and write

7f0699a8d000

page read and write

55758b6d1000

page read and write

7fff2a067000

page read and write

7f0699c03000

page read and write

557588ed2000

page read and write

7f0699bbe000

page read and write

55758b6b0000

page read and write

7f0694000000

page read and write

7f0699bb6000

page read and write

7f0699742000

page read and write

7f0694021000

page read and write

7f0699c03000

page read and write

7f0699bbe000

page read and write

7fff2a067000

page read and write

7f06990cc000

page read and write

7f069971d000

page read and write

557588ed2000

page read and write

7f0699742000

page read and write

55758aed8000

page execute and read and write

557588ed2000

page read and write

7f0699c03000

page read and write

7f06990cc000

page read and write

7f0694000000

page read and write

7fff2a0d2000

page execute read

7f0699bbe000

page read and write

7f05a4023000

page read and write

7f069935b000

page read and write

557588eda000

page read and write

7f069935b000

page read and write

7f069971d000

page read and write

7f05a4023000

page read and write

55758b6b0000

page read and write

7f0694000000

page read and write

There are 61 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Okami.ppc.elf

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportOkami.ppc.elf

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
Okami.ppc.elf