Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

sparc.elf

ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, with debug_info, not stripped

initial sample

Details

Filetype:	ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, with debug_info, not stripped
Entropy:	6.3569156756526635
Filename:	sparc.elf
Filesize:	397823
MD5:	4928c4a9da65fbf558da6a813d999809
SHA1:	7f80f0c396cd44e5e26ce859b872c9bb960c262a
SHA256:	36a737a9ea4c2302105cee78d39977abed01969183219bc3ab2e8182bac03e97
SHA512:	9ac8ecb075383c22acc0a774a13d606ce7bbff4ec6a00cdea1721af1fd3cab735bcc0b4707fc60b8b394f494be2233bdc08abde29a53cfe329a0c36954001980
SSDEEP:	6144:uy89wpLjywZimx8HNZCC5Xk0pg6KEQQZ0s0DkBd3Xq4bupMmEwMGW69:Jnim/DwxmEwMGW69
Preview:	.ELF...........................4.........4. ...(.......................4...4...........................p...8........dt.Q................................@..(....@.x.................#.....bp..`.....!.....!...@.....".........`......$!...!...@...........`....

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Opens /proc/net/* files useful for finding connected devices and routers	Spreading	Remote System Discovery
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion
Yara signature match	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
Sample and/or dropped files contains symbols with file path information	System Summary
URLs found in memory or binary data	Networking
Writes log files to disk	Persistence and Installation Behavior

/tmp/Infected.log

ASCII text, with CRLF line terminators

dropped

Details

File:	/tmp/Infected.log
Category:	dropped
Dump:	Infected.log.12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/sparc.elf
Type:	ASCII text, with CRLF line terminators
Entropy:	4.71112089176799
Encrypted:	false
Ssdeep:	3:xRbQRAZvOWFsZWFBAK8dAuFUJ4gnicMMIVDt8Tovn:xR0qvOfZW8K8djmHicNoDt8kv
Size:	107
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Writes log files to disk	Persistence and Installation Behavior

/tmp/qemu-open.UI4Pt6 (deleted)

ASCII text

dropped

Details

File:	/tmp/qemu-open.UI4Pt6 (deleted)
Category:	dropped
Dump:	qemu-open.UI4Pt6 (deleted).12.dr
ID:	dr_1
Target ID:	12
Process:	/tmp/sparc.elf
Type:	ASCII text
Entropy:	3.709552666863289
Encrypted:	false
Ssdeep:	6:iekrEcvwAsE5KlwSd4pzKaV6Lpms/a/1VCxGF:ur+m5MwSdIKaV6L1adVRF
Size:	230
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

/tmp/sparc.elf

URLs

Name

Malicious

181.214.231.152:96666

https://developers.google.com/search/docs/advanced/crawling/overview-google-crawlers)

unknown

http://www.spidersoft.com)

unknown

http://help.yahoo.com/help/us/ysearch/slurp)

unknown

http://www.google.com/bot.html)

unknown

http://www.google.com/mobile/adsbot.html)

unknown

Domains

Name

Malicious

daisy.ubuntu.com

162.213.35.25

IPs

Domain

Country

Malicious

181.214.231.152

unknown

Chile

Details

IP:	181.214.231.152
TargetID:	-1
Country:	Chile
Countrycode:	CHL
ASN number:	61317
ASN name:	ASDETUKhttpwwwheficedcomGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Suricata IDS alerts with low severity for network traffic	Networking
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7f21d805f000

page execute read

7f21d805f000

page execute read

7ffd02826000

page read and write

5638c82f4000

page read and write

7f22e04c4000

page read and write

5638c80bd000

page execute read

7f22dfcb3000

page read and write

7f22e0b15000

page read and write

5638ca3cf000

page read and write

7f22e0ffb000

page read and write

5638ca3cf000

page read and write

5638ca309000

page read and write

7f22e04b6000

page read and write

7f22e0b3a000

page read and write

7f22e0fb6000

page read and write

5638ca2f2000

page execute and read and write

7f21d8071000

page read and write

7f22e0753000

page read and write

5638ca2f2000

page execute and read and write

7ffd02826000

page read and write

7ffd02936000

page execute read

5638c82f4000

page read and write

7f21d8071000

page read and write

7f22e0b3a000

page read and write

7f21d8079000

page read and write

7f22e0fae000

page read and write

7f22e0e85000

page read and write

7f22e0753000

page read and write

5638c82eb000

page read and write

7f21d8079000

page read and write

7f22d8000000

page read and write

7f22d8021000

page read and write

5638ca309000

page read and write

7f22e0fae000

page read and write

5638c80bd000

page execute read

7f22dfcb3000

page read and write

7f22d8021000

page read and write

7f22e04c4000

page read and write

7f22e0fb6000

page read and write

7ffd02936000

page execute read

7f22d8000000

page read and write

7f22e0b15000

page read and write

7f22e04b6000

page read and write

5638c82eb000

page read and write

7f22e0ffb000

page read and write

7f22e0e85000

page read and write

There are 36 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
sparc.elf

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportsparc.elf

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
sparc.elf