Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

na.elf

ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, stripped

initial sample

Details

Filetype:	ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, stripped
Entropy:	6.227459641274716
Filename:	na.elf
Filesize:	107848
MD5:	eb766077322a0edfac6416865b473f52
SHA1:	27d8a03b9cb932e8a7e8512aeb1c6371f1a87278
SHA256:	52534ffb2db05d0e3e1adb61dcd8775310827d45768afa2461c13dc1a1d5ceb3
SHA512:	a3c6fd996f5f199b0a222f5eaaeae581f9d1b51f96e61ac7fdc242c49f3f1aeed8a7c98cb8ec5a21d9f870d88ebeebe7132b19b880512bbb6c59bec86be0fb90
SSDEEP:	3072:jvM33ZcLAEpUDJwjeDBkdpG1bAr5hIp4o:jv63DJme+rG1k5hbo
Preview:	.ELF...........................4.........4. ...(..........................................................j.........dt.Q.............................!..\|......$H...H.6E...$8!. \|...N.. .!..\|.......?..........h..../...@..\?........+../...A..$8...})......N..

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion
Yara signature match	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
URLs found in memory or binary data	Networking

/run/systemd/resolve/stub-resolv.conf

ASCII text

dropped

Details

File:	/run/systemd/resolve/stub-resolv.conf
Category:	dropped
Dump:	stub-resolv.conf.15.dr
ID:	dr_1
Target ID:	15
Process:	/tmp/na.elf
Type:	ASCII text
Entropy:	3.3918926446809334
Encrypted:	false
Ssdeep:	24:KaLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLn:KC
Size:	3762
Whitelisted:	false
Reputation:	moderate

Processes

Path

Cmdline

Malicious

/tmp/na.elf

URLs

Name

Malicious

http://www.baidu.com/search/spider.html)

unknown

http://www.billybobbot.com/crawler/)

unknown

http://fast.no/support/crawler.asp)

unknown

http://feedback.redkolibri.com/

unknown

http://www.baidu.com/search/spider.htm)

unknown

Domains

Name

Malicious

daisy.ubuntu.com

162.213.35.25

IPs

Domain

Country

Malicious

154.213.187.206

unknown

Seychelles

Details

IP:	154.213.187.206
TargetID:	-1
Country:	Seychelles
Countrycode:	SYC
ASN number:	22769
ASN name:	DDOSING-BGP-NETWORKUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7fa05801a000

page execute read

564218fe9000

page execute read

7fa14fa41000

page read and write

7fa14fa86000

page read and write

7fa148021000

page read and write

564219274000

page read and write

7fa14f5c5000

page read and write

7fa14fa39000

page read and write

7fa14f910000

page read and write

56421cf8c000

page read and write

7fa05802b000

page read and write

56421926c000

page read and write

7fa14e73e000

page read and write

7fa14f5a0000

page read and write

7fa14ef4f000

page read and write

7ffcb2301000

page read and write

7fa148000000

page read and write

7ffcb2326000

page execute read

7fa14ef41000

page read and write

7fa14f1de000

page read and write

7fa058031000

page read and write

56421b288000

page read and write

56421b272000

page execute and read and write

There are 13 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
na.elf

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportna.elf

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
na.elf