Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

dlr.arm7.elf

ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, stripped

initial sample

Details

Filetype:	ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, stripped
Entropy:	4.8010558734870195
Filename:	dlr.arm7.elf
Filesize:	1500
MD5:	25a86731d1a9438d58651943ebbe60df
SHA1:	5e373c976aeb3296accaa191bc635d86fb0c254e
SHA256:	199bbc0daaeae9fc3998feae15204f991cf95884b8882e941234b1722c222780
SHA512:	20ae9e11cc707021cfc16024d7066f1b0945a24f353abb8aed57caeba18c876d4e9bd2a8a999b1f652d76f00f1d84e033b656bdb5146b8cc501041192c0c0c1c
SSDEEP:	24:uAd9KGpa7Urz/jlfeCAXK1hH9Vev3gRGaJ9i9BBuLlgCk9gD10yd:uA9KGpa7UrLZe4I+J+Bu5kE10yd
Preview:	.ELF..............(.........4...........4. ...(.....................l...l...............l...l...l.......................l...l...l...................Q.td.........................................8...<...4...........(.."...#...../...-.......M................

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion
Writes ELF files to disk	Persistence and Installation Behavior
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery

/tmp/byte

ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, with debug_info, not stripped

dropped

Details

File:	/tmp/byte
Category:	dropped
Dump:	byte.12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/dlr.arm7.elf
Type:	ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, with debug_info, not stripped
Entropy:	6.017026154297146
Encrypted:	false
Ssdeep:	3072:ZuxucGNj1tc4ag5gJGW4f5XK7eLuvII4qYuNzEM/9Od4Wt:sxucGRs4ag5UGWW5MeyvPYuNYM/9Od4+
Size:	161981
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Yara detected Mirai	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Okiru	Stealing of Sensitive Information, Remote Access Functionality
Writes ELF files to disk	Persistence and Installation Behavior

Processes

Path

Cmdline

Malicious

/tmp/dlr.arm7.elf

IPs

Domain

Country

Malicious

154.216.16.39

unknown

Seychelles

Details

IP:	154.216.16.39
TargetID:	-1
Country:	Seychelles
Countrycode:	SYC
ASN number:	135357
ASN name:	SKHT-ASShenzhenKatherineHengTechnologyInformationCo
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7fa351ead000

page read and write

7fa34c021000

page read and write

7fa3521db000

page read and write

55baa17c9000

page execute read

7ffe6fdf0000

page execute read

7fa35156f000

page read and write

7fa352220000

page read and write

7fa3518d1000

page read and write

7fa3521b7000

page read and write

7fa350cd5000

page read and write

55baa1a1a000

page read and write

7fa3514dd000

page read and write

7fa351b5f000

page read and write

55baa1a23000

page read and write

7fa24c020000

page read and write

7fa35208e000

page read and write

55baa3a21000

page execute and read and write

55baa3a38000

page read and write

7ffe6fdbc000

page read and write

7fa34bfff000

page read and write

7fa351b3c000

page read and write

7fa351ccb000

page read and write

55baa537f000

page read and write

7fa24c018000

page execute read

There are 14 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
dlr.arm7.elf

Files

Processes

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportdlr.arm7.elf

Files

Processes

IPs

Memdumps

IOC Report
dlr.arm7.elf