Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Okami.m68k.elf

ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, not stripped

initial sample

Details

Filetype:	ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, not stripped
Entropy:	6.103450233774202
Filename:	Okami.m68k.elf
Filesize:	98107
MD5:	73918db227a2f4b44010e578ddd8d494
SHA1:	9effb3045d582124832085442d1741bdc2074416
SHA256:	67cdf3da7b337bbb50c4f212ccd11289f2d812f0d99718111063d8ec46fe4cf0
SHA512:	902ab34f4f7fce97590b9ef97419b8ae91177dfcc31f601a11e88df60bf44deab5c6e75779b17508941628a5d1f6c9cc29033f96ed15799861ef67d3eb92d983
SSDEEP:	1536:hZubYDIJ8FLAYd4bV2vgUrOhfAJGhxyyVE0J3YO5YLf4SmMk0yD2PKqjyun:hbDI8P4Rk6OGhxyyVE0J3YOuzPmMk0yK
Preview:	.ELF.......................D...4.........4. ...(.......................,...,...... ........,..>,..>,...\|..g....... .dt.Q............................NV..a....da.....N^NuNV..J9..B.f>"y..>D QJ.g.X.#...>DN."y..>D QJ.f.A.....J.g.Hy...(N.X.......B.N^NuNV..N^NuN

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
Yara signature match	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
Sample and/or dropped files contains symbols with file path information	System Summary
URLs found in memory or binary data	Networking

/run/systemd/resolve/stub-resolv.conf

ASCII text

dropped

Details

File:	/run/systemd/resolve/stub-resolv.conf
Category:	dropped
Dump:	stub-resolv.conf.15.dr
ID:	dr_0
Target ID:	15
Process:	/tmp/Okami.m68k.elf
Type:	ASCII text
Entropy:	3.3918926446809334
Encrypted:	false
Ssdeep:	3:KkZRAkd:KaAu
Size:	38
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

/tmp/Okami.m68k.elf

URLs

Name

Malicious

http://www.billybobbot.com/crawler/)

unknown

Details

Name:	http://www.billybobbot.com/crawler/)
TargetID:	12
From Memory:	true
Current Path:	/tmp/Okami.m68k.elf
Source:	Okami.m68k.elf

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection
URLs found in memory or binary data	Networking

http://www.baidu.com/search/spider.html)

unknown

http://fast.no/support/crawler.asp)

unknown

http://feedback.redkolibri.com/

unknown

http://www.baidu.com/search/spider.htm)

unknown

Domains

Name

Malicious

daisy.ubuntu.com

162.213.35.25

IPs

Domain

Country

Malicious

93.123.85.246

unknown

Bulgaria

Details

IP:	93.123.85.246
TargetID:	-1
Country:	Bulgaria
Countrycode:	BGR
ASN number:	43561
ASN name:	NET1-ASBG
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7ff59c013000

page execute read

7ff59c013000

page execute read

7ff59c013000

page execute read

55b40091d000

page read and write

7ff59c016000

page read and write

55b40291b000

page execute and read and write

7ff6213c5000

page read and write

55b40440e000

page read and write

55b40291b000

page execute and read and write

7fff538e8000

page execute read

7ff620f2c000

page read and write

7ff61c021000

page read and write

7ff61c000000

page read and write

55b400915000

page read and write

7fff538e8000

page execute read

55b400915000

page read and write

7ff620f51000

page read and write

55b4006e3000

page execute read

7ff621412000

page read and write

7ff6208cd000

page read and write

7ff59c016000

page read and write

7ff61c021000

page read and write

7ff6213c5000

page read and write

7ff621412000

page read and write

7ff6213cd000

page read and write

7ff620b6a000

page read and write

55b40440e000

page read and write

7ff620f2c000

page read and write

7ff61c000000

page read and write

7ff62129c000

page read and write

7ff620b6a000

page read and write

7ff620f51000

page read and write

7ff61c000000

page read and write

55b40440e000

page read and write

7fff538d3000

page read and write

55b4029b2000

page read and write

7ff6200ca000

page read and write

7ff6208db000

page read and write

7ff6208cd000

page read and write

55b40091d000

page read and write

55b4006e3000

page execute read

7ff6213c5000

page read and write

7ff6208cd000

page read and write

55b4029b2000

page read and write

7ff59c01c000

page read and write

55b4006e3000

page execute read

7ff61c021000

page read and write

7fff538d3000

page read and write

7ff6208db000

page read and write

7ff59c01c000

page read and write

55b40291b000

page execute and read and write

7ff6200ca000

page read and write

7ff6208db000

page read and write

7ff6213cd000

page read and write

55b4029b2000

page read and write

7ff620b6a000

page read and write

7ff59c016000

page read and write

55b40091d000

page read and write

7fff538d3000

page read and write

7ff6200ca000

page read and write

7ff62129c000

page read and write

55b400915000

page read and write

7ff620f2c000

page read and write

7fff538e8000

page execute read

7ff621412000

page read and write

7ff59c01c000

page read and write

7ff62129c000

page read and write

7ff6213cd000

page read and write

7ff620f51000

page read and write

There are 59 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Okami.m68k.elf

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportOkami.m68k.elf

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
Okami.m68k.elf