Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

na.elf

ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, no section header

initial sample

Details

Filetype:	ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, no section header
Entropy:	7.93655941091709
Filename:	na.elf
Filesize:	826008
MD5:	8ec928a5e02d8af1d373e34b185cc331
SHA1:	404e9caac5aea11a9d338d12f29bef72d640b063
SHA256:	2b3e64c2cfdd2bce87362e9fed7b8d7074d1e4c08abeb750ea63570d48d73b7d
SHA512:	0b5e725d5ac86a0a16ffe449f4ed963c915011ca5333f0d8b3fcbe96436ee40a199fb4add0d8a1999dbb8d735be30b3c6aa4ac70afec52a99e236fedb2a83ce2
SSDEEP:	12288:EuwNR44JOibwv9+rtzxSE9Ov4iOhMK9GyTzOPXs9uCrlrkbhokvRCg5:EPNzJOiE+zxlOg5M2GynduCrlWCg5
Preview:	.ELF..............>.......I.....@...................@.8...@.......................@.......@....................... .......................O.......O....................... .....P...UPX!.........('..('..................ELF.......>.....@.w7......''8.......).

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
ELF contains segments with high entropy indicating compressed/encrypted content	Hooking and other Techniques for Hiding and Protection	Obfuscated Files or Information
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Reads CPU information from /proc indicative of miner or evasive malware	Bitcoin Miner, Malware Analysis System Evasion	System Information Discovery
Reads CPU information from /sys indicative of miner or evasive malware	Bitcoin Miner, Malware Analysis System Evasion
Reads system information from the proc file system	Persistence and Installation Behavior
Reads the 'hosts' file potentially containing internal network hosts	Networking	File and Directory Discovery
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
URLs found in memory or binary data	Networking

/tmp/nul

ASCII text

dropped

Details

File:	/tmp/nul
Category:	dropped
Dump:	nul.36.dr
ID:	dr_5
Target ID:	36
Process:	/usr/bin/sed
Type:	ASCII text
Entropy:	4.2170704991443975
Encrypted:	false
Ssdeep:	3:buwzecKHRssQGTRRt:buo4xfQORt
Size:	66
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

/tmp/na.elf

/bin/sh

sh -c "sed -i -e '/exit/d' /etc/rc.local>nul 2>nul"

/bin/sh

/usr/bin/sed

sed -i -e /exit/d /etc/rc.local

/tmp/na.elf

/bin/sh

sh -c "sed -i -e '/^\r\n|\r|\n$/d' /etc/rc.local>nul 2>nul"

/bin/sh

/usr/bin/sed

sed -i -e /^||$/d /etc/rc.local

/tmp/na.elf

/bin/sh

sh -c "sed -i -e '/na.elf reboot/d' /etc/rc.local>nul 2>nul"

/bin/sh

/usr/bin/sed

sed -i -e "/na.elf reboot/d" /etc/rc.local

/tmp/na.elf

/bin/sh

sh -c "sed -i -e '2 i/tmp/na.elf reboot' /etc/rc.local>nul 2>nul"

/bin/sh

/usr/bin/sed

sed -i -e "2 i/tmp/na.elf reboot" /etc/rc.local

/tmp/na.elf

/bin/sh

sh -c "sed -i -e '2 i/tmp/na.elf reboot start' /etc/rc.d/rc.local>nul 2>nul"

/bin/sh

/usr/bin/sed

sed -i -e "2 i/tmp/na.elf reboot start" /etc/rc.d/rc.local

/tmp/na.elf

/bin/sh

sh -c "sed -i -e '2 i/tmp/na.elf reboot start' /etc/init.d/boot.local>nul 2>nul"

/bin/sh

/usr/bin/sed

sed -i -e "2 i/tmp/na.elf reboot start" /etc/init.d/boot.local

/tmp/na.elf

/bin/sh

sh -c "rm -rf nul"

/bin/sh

/usr/bin/rm

rm -rf nul

/tmp/na.elf

/bin/sh

sh -c "rm -rf nul 2"

/bin/sh

/usr/bin/rm

rm -rf nul 2

/tmp/na.elf

There are 24 hidden processes, click here to show them.

URLs

Name

Malicious

http://upx.sf.net

unknown

Details

Name:	http://upx.sf.net
TargetID:	12
From Memory:	true
Current Path:	/tmp/na.elf
Source:	na.elf

Signature Hits	Behavior Group	Mitre Attack
Sample is packed with UPX	Data Obfuscation	Obfuscated Files or Information
URLs found in memory or binary data	Networking

https://bugs.launchpad.net/ubuntu/

unknown

Domains

Name

Malicious

mhacker.cc

unknown

IPs

Domain

Country

Malicious

116.205.177.132

unknown

China

Details

IP:	116.205.177.132
TargetID:	-1
Country:	China
Countrycode:	CHN
ASN number:	4766
ASN name:	KIXS-AS-KRKoreaTelecomKR
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

109.202.202.202

unknown

Switzerland

Details

IP:	109.202.202.202
TargetID:	-1
Country:	Switzerland
Countrycode:	CHE
ASN number:	13030
ASN name:	INIT7CH
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.43

unknown

United Kingdom

Details

IP:	91.189.91.43
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.42

unknown

United Kingdom

Details

IP:	91.189.91.42
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7ffe358c2000

page execute read

5ae000

page execute read

Details

Name:	6239.1.0000000000400000.00000000005ae000.r-x.sdmp
TargetID:	12
Dumpstage:	process exit
Protect:	page execute read
Base address:	5ae000
Size:	1761280

Signature Hits	Behavior Group	Mitre Attack
Malicious sample detected (through community Yara rule)	System Summary
Yara signature match	System Summary
URLs found in memory or binary data	Networking

14ff000

page execute and read and write

1601000

page execute and read and write

7ffe35838000

page execute and read and write

30e7000

page execute and read and write

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
na.elf

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportna.elf

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
na.elf