Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

na.elf

ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped

initial sample

Details

Filetype:	ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
Entropy:	6.231060597366293
Filename:	na.elf
Filesize:	107720
MD5:	2f6e81608e66c2066ce9d66810044c04
SHA1:	ba8de076946be3d8c77121fadce5a48b91b321e6
SHA256:	d08456b4b38e284386c398ffae8cd86dd7396b0c3d886523c8cdc3cad237a0b5
SHA512:	868287e81768e5746248f15e951aa3cec3b2b4bca3467fa31c31b8d7a9ccc3ebfdbc270744b6d77cd54229f6ac15369bca121061155bbd09cb34b176f774155f
SSDEEP:	1536:6aNa+UF9BXOgRmxLd47XGFGrw0LVCDZrwOwM23TFbPR0prj9kvX5h2pJaKq:6Z9B+gc0GgM0uZOpbK1IX5h2pJ7q
Preview:	.ELF...a..........(.........4...........4. ...(..........................................................j..........Q.td..................................-...L."....P..........0@-.\P...0....S.0...P@...0... ....R......0...0...........0... ....R..... 0....S

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion
Yara signature match	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
URLs found in memory or binary data	Networking

/run/systemd/resolve/stub-resolv.conf

ASCII text

dropped

Details

File:	/run/systemd/resolve/stub-resolv.conf
Category:	dropped
Dump:	stub-resolv.conf.15.dr
ID:	dr_1
Target ID:	15
Process:	/tmp/na.elf
Type:	ASCII text
Entropy:	3.3918926446809334
Encrypted:	false
Ssdeep:	24:KaLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLn:KC
Size:	3762
Whitelisted:	false
Reputation:	moderate

Processes

Path

Cmdline

Malicious

/tmp/na.elf

URLs

Name

Malicious

http://www.baidu.com/search/spider.html)

unknown

http://www.billybobbot.com/crawler/)

unknown

http://fast.no/support/crawler.asp)

unknown

http://feedback.redkolibri.com/

unknown

http://www.baidu.com/search/spider.htm)

unknown

Domains

Name

Malicious

daisy.ubuntu.com

162.213.35.24

IPs

Domain

Country

Malicious

154.213.187.206

unknown

Seychelles

Details

IP:	154.213.187.206
TargetID:	-1
Country:	Seychelles
Countrycode:	SYC
ASN number:	22769
ASN name:	DDOSING-BGP-NETWORKUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7f5cf4030000

page execute read

7f5cf4030000

page execute read

7f5df4021000

page read and write

7f5dfb4a7000

page read and write

56050c968000

page read and write

56050e966000

page execute and read and write

7f5dfabc1000

page read and write

7f5df3fff000

page read and write

56050c95f000

page read and write

7f5dfa7cd000

page read and write

56050c968000

page read and write

56050e97d000

page read and write

7f5dfb510000

page read and write

7f5df3fff000

page read and write

7f5cf403f000

page read and write

7fff1fcb8000

page execute read

7f5cf4039000

page read and write

7f5df4021000

page read and write

7f5dfb19d000

page read and write

7f5dfb4cb000

page read and write

7f5dfae2c000

page read and write

56050e966000

page execute and read and write

7f5dfa85f000

page read and write

7f5dfb4a7000

page read and write

7fff1fc15000

page read and write

7f5cf4039000

page read and write

56050c70e000

page execute read

56050f79f000

page read and write

7f5dfae4f000

page read and write

7f5dfabc1000

page read and write

56050c70e000

page execute read

7f5dfae4f000

page read and write

56050f79f000

page read and write

7f5dfb37e000

page read and write

7f5dfb37e000

page read and write

7f5dfa7cd000

page read and write

7f5cf403f000

page read and write

7f5dfb19d000

page read and write

7f5dfafbb000

page read and write

7f5dfb510000

page read and write

7f5dfae2c000

page read and write

56050c95f000

page read and write

7f5df9fc5000

page read and write

7f5df9fc5000

page read and write

56050e97d000

page read and write

7f5dfb4cb000

page read and write

7fff1fc15000

page read and write

7f5dfa85f000

page read and write

7fff1fcb8000

page execute read

7f5dfafbb000

page read and write

There are 40 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
na.elf

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportna.elf

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
na.elf