Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

m68k.elf

ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, with debug_info, not stripped

initial sample

Details

Filetype:	ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, with debug_info, not stripped
Entropy:	6.342895414048336
Filename:	m68k.elf
Filesize:	384413
MD5:	14bd594fb443f98127ca63b753258fd6
SHA1:	9308e1fad20e7248d1b0c4e528fe981ef0346169
SHA256:	cfaeae48c950224be7c027e9eaa0e3c753d96dcd2c59c28fe9e210fe531970e8
SHA512:	e1f2629126315dda13e494e207a08cd92a0caae93afa331b0857b5597de94f483877d59c1afeb8ee73af95f120232b3ad515ee958d5e4eb718a2f20a65092ca5
SSDEEP:	6144:cejpR51faf8QeqacWucW0JcWcBlEAsMPU8PPKpd9kknRCSNCqeiGEJiiifJ2X7dl:dpR/1aXfJ26ymmvAY1Pasl9
Preview:	.ELF.......................D...4...@.....4. ...(.......................3...3...... ........4...4...4......}....... .dt.Q............................NV..a....da.....N^NuNV..J9....f>"y...P QJ.g.X.#....PN."y...P QJ.f.A.....J.g.Hy...4N.X.........N^NuNV..N^NuN

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Opens /proc/net/* files useful for finding connected devices and routers	Spreading	Remote System Discovery
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
Yara signature match	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
URLs found in memory or binary data	Networking
Writes log files to disk	Persistence and Installation Behavior

/tmp/Infected.log

ASCII text, with CRLF line terminators

dropped

Details

File:	/tmp/Infected.log
Category:	dropped
Dump:	Infected.log.12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/m68k.elf
Type:	ASCII text, with CRLF line terminators
Entropy:	4.71112089176799
Encrypted:	false
Ssdeep:	3:xRbQRAZvOWFsZWFBAK8dAuFUJ4gnicMMIVDt8Tovn:xR0qvOfZW8K8djmHicNoDt8kv
Size:	107
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Writes log files to disk	Persistence and Installation Behavior

/tmp/qemu-open.hfQ5bZ (deleted)

ASCII text

dropped

Details

File:	/tmp/qemu-open.hfQ5bZ (deleted)
Category:	dropped
Dump:	qemu-open.hfQ5bZ (deleted).12.dr
ID:	dr_1
Target ID:	12
Process:	/tmp/m68k.elf
Type:	ASCII text
Entropy:	3.709552666863289
Encrypted:	false
Ssdeep:	6:iekrEcvwAsE5KlwSd4pzKaV6Lpms/a/1VCxGF:ur+m5MwSdIKaV6L1adVRF
Size:	230
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

/tmp/m68k.elf

URLs

Name

Malicious

181.214.231.152:96666

https://developers.google.com/search/docs/advanced/crawling/overview-google-crawlers)

unknown

http://www.spidersoft.com)

unknown

http://help.yahoo.com/help/us/ysearch/slurp)

unknown

http://www.google.com/bot.html)

unknown

http://www.google.com/mobile/adsbot.html)

unknown

IPs

Domain

Country

Malicious

181.214.231.152

unknown

Chile

Details

IP:	181.214.231.152
TargetID:	-1
Country:	Chile
Countrycode:	CHL
ASN number:	61317
ASN name:	ASDETUKhttpwwwheficedcomGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Suricata IDS alerts with low severity for network traffic	Networking
Connects to IPs without corresponding DNS lookups	Networking

109.202.202.202

unknown

Switzerland

Details

IP:	109.202.202.202
TargetID:	-1
Country:	Switzerland
Countrycode:	CHE
ASN number:	13030
ASN name:	INIT7CH
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.43

unknown

United Kingdom

Details

IP:	91.189.91.43
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.42

unknown

United Kingdom

Details

IP:	91.189.91.42
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7fc9d804b000

page execute read

7fc9d804b000

page execute read

555e5121f000

page read and write

555e50928000

page read and write

555e4e659000

page execute read

7fca5de4e000

page read and write

7fc9d8057000

page read and write

7fca58000000

page read and write

7fc9d804e000

page read and write

555e4e659000

page execute read

7fca5e199000

page read and write

555e4e88b000

page read and write

7fca5e30f000

page read and write

7fca5d7ca000

page read and write

7fca5e2ca000

page read and write

555e50891000

page execute and read and write

7ffdf3dfb000

page execute read

555e5121f000

page read and write

7ffdf3dfb000

page execute read

7fca5de4e000

page read and write

7fca58000000

page read and write

7fca5e199000

page read and write

7fca5cfc7000

page read and write

555e50891000

page execute and read and write

7ffdf3d09000

page read and write

7fca5d7ca000

page read and write

7fca5cfc7000

page read and write

7fca5de29000

page read and write

7fca58021000

page read and write

7fca5da67000

page read and write

7fc9d804e000

page read and write

7fca5d7d8000

page read and write

7fca5e2ca000

page read and write

7fca5d7d8000

page read and write

7fca5e2c2000

page read and write

7fc9d8057000

page read and write

7fca5da67000

page read and write

555e50928000

page read and write

555e4e893000

page read and write

555e4e88b000

page read and write

7fca5de29000

page read and write

7fca5e30f000

page read and write

7ffdf3d09000

page read and write

555e4e893000

page read and write

7fca5e2c2000

page read and write

7fca58021000

page read and write

There are 36 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
m68k.elf

Files

Processes

URLs

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportm68k.elf

Files

Processes

URLs

IPs

Memdumps

IOC Report
m68k.elf