Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

dlr.arm7.elf

ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, stripped

initial sample

Details

Filetype:	ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, stripped
Entropy:	4.801842234738437
Filename:	dlr.arm7.elf
Filesize:	1500
MD5:	b3647c424fd81544eede91b8e8182836
SHA1:	155f514429c4de561025dda90024270b6adb3c62
SHA256:	addff0d258036b04083416578c0da6cb7a4ed10c1bb343f5d19b505d1c20f68f
SHA512:	f86a4df3ed229ecbafd7c740c48003d50d28e5ce229889791be2248eab451340851bcd8e5c54facd87b5e05e6436fb50008d625d520139e459d7f66e6c97342d
SSDEEP:	24:uAd9KGpa7Urz/jlfoZMAXK1hH9Vev3gRGaJ9i9BBuLlgCk9gD10yd:uA9KGpa7UrLZo0I+J+Bu5kE10yd
Preview:	.ELF..............(.........4...........4. ...(.....................l...l...............l...l...l.......................l...l...l...................Q.td.........................................8...<...4...........(.."...#...../...-.......M................

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion
Writes ELF files to disk	Persistence and Installation Behavior
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery

/tmp/byte

ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, with debug_info, not stripped

dropped

Details

File:	/tmp/byte
Category:	dropped
Dump:	byte.12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/dlr.arm7.elf
Type:	ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, with debug_info, not stripped
Entropy:	6.017026154297146
Encrypted:	false
Ssdeep:	3072:ZuxucGNj1tc4ag5gJGW4f5XK7eLuvII4qYuNzEM/9Od4Wt:sxucGRs4ag5UGWW5MeyvPYuNYM/9Od4+
Size:	161981
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Yara detected Mirai	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Okiru	Stealing of Sensitive Information, Remote Access Functionality
Writes ELF files to disk	Persistence and Installation Behavior

Processes

Path

Cmdline

Malicious

/tmp/dlr.arm7.elf

IPs

Domain

Country

Malicious

154.216.20.69

unknown

Seychelles

Details

IP:	154.216.20.69
TargetID:	-1
Country:	Seychelles
Countrycode:	SYC
ASN number:	135357
ASN name:	SKHT-ASShenzhenKatherineHengTechnologyInformationCo
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7fc3deeb6000

page read and write

56085bd4c000

page read and write

56085dd53000

page execute and read and write

7fc3de83a000

page read and write

7fc3de24a000

page read and write

7fc3de1b8000

page read and write

7fc3de9a6000

page read and write

7fc3de5ac000

page read and write

56085bd55000

page read and write

56085bafb000

page execute read

7fc3dee92000

page read and write

7fc3d8021000

page read and write

7fc3d7fff000

page read and write

56085eb65000

page read and write

7fc3dd9b0000

page read and write

7fc2d8020000

page read and write

7ffd1dd9d000

page execute read

7fc3ded69000

page read and write

7fc3de817000

page read and write

7fc2d8018000

page execute read

7fc3deefb000

page read and write

56085dd6a000

page read and write

7fc3deb88000

page read and write

7ffd1dd67000

page read and write

There are 14 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
dlr.arm7.elf

Files

Processes

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportdlr.arm7.elf

Files

Processes

IPs

Memdumps

IOC Report
dlr.arm7.elf