Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

m68k.elf

ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, with debug_info, not stripped

initial sample

Details

Filetype:	ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, with debug_info, not stripped
Entropy:	6.35617199769401
Filename:	m68k.elf
Filesize:	397282
MD5:	2d829532d3dd613444a671b199631386
SHA1:	5c8842ed7bf975d042fcd0af6d4dbb01e226efdf
SHA256:	084f8653b99e60501ab3406d1f4c40f5677646d8bfec475a0a75a0cffe7ce88b
SHA512:	1781b081af436fa546fea03af3696095b877ea64eebebc261cf4efafaef2a3cb60d0be1328b745b09e757f310136b1901841d869b1be9b73dfcefdd18bc0238b
SSDEEP:	6144:Ihj1RSdQeqacWucW0JcWcB1J9s2gI8PfKpd9kknRCSNCqeiGEJiiifj7CoWLanPO:Ihj1RcXDfjtnjKmmvrY1PYwk9
Preview:	.ELF.......................D...4.........4. ...(.................................. .......................}....... .dt.Q............................NV..a....da....0N^NuNV..J9...Df>"y.... QJ.g.X.#.....N."y.... QJ.f.A.....J.g.Hy....N.X........DN^NuNV..N^NuN

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Opens /proc/net/* files useful for finding connected devices and routers	Spreading	Remote System Discovery
Reads the 'hosts' file potentially containing internal network hosts	Networking	File and Directory Discovery
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
Yara signature match	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
URLs found in memory or binary data	Networking
Writes log files to disk	Persistence and Installation Behavior

/tmp/Infected.log

ASCII text, with CRLF line terminators

dropped

Details

File:	/tmp/Infected.log
Category:	dropped
Dump:	Infected.log.12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/m68k.elf
Type:	ASCII text, with CRLF line terminators
Entropy:	4.71112089176799
Encrypted:	false
Ssdeep:	3:xRbQRAZvOWFsZWFBAK8dAuFUJ4gnicMMIVDt8Tovn:xR0qvOfZW8K8djmHicNoDt8kv
Size:	107
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Writes log files to disk	Persistence and Installation Behavior

/tmp/qemu-open.KiYzmc (deleted)

ASCII text

dropped

Details

File:	/tmp/qemu-open.KiYzmc (deleted)
Category:	dropped
Dump:	qemu-open.KiYzmc (deleted).12.dr
ID:	dr_1
Target ID:	12
Process:	/tmp/m68k.elf
Type:	ASCII text
Entropy:	3.709552666863289
Encrypted:	false
Ssdeep:	6:iekrEcvwAsE5KlwSd4pzKaV6Lpms/a/1VCxGF:ur+m5MwSdIKaV6L1adVRF
Size:	230
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

/tmp/m68k.elf

URLs

Name

Malicious

181.214.231.152:96666

https://developers.google.com/search/docs/advanced/crawling/overview-google-crawlers)

unknown

http://www.spidersoft.com)

unknown

http://help.yahoo.com/help/us/ysearch/slurp)

unknown

http://www.google.com/bot.html)

unknown

http://www.google.com/mobile/adsbot.html)

unknown

Domains

Name

Malicious

daisy.ubuntu.com

162.213.35.24

IPs

Domain

Country

Malicious

181.214.231.152

unknown

Chile

Details

IP:	181.214.231.152
TargetID:	-1
Country:	Chile
Countrycode:	CHL
ASN number:	61317
ASN name:	ASDETUKhttpwwwheficedcomGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Suricata IDS alerts with low severity for network traffic	Networking
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7f51c004d000

page execute read

7f51c004d000

page execute read

7f51c004d000

page execute read

56066d0e3000

page read and write

7f5245dc0000

page read and write

7f52452d6000

page read and write

7f51c0050000

page read and write

56066ff3a000

page read and write

56066ff3a000

page read and write

7f5240000000

page read and write

7f5244ac5000

page read and write

7f5245dc8000

page read and write

7f52452c8000

page read and write

7f5244ac5000

page read and write

7f5240021000

page read and write

56066ceb1000

page execute read

56066d0e3000

page read and write

56066f0e9000

page execute and read and write

56066f0e9000

page execute and read and write

7f51c0059000

page read and write

7f5245927000

page read and write

56066ceb1000

page execute read

7f52452c8000

page read and write

56066d0e3000

page read and write

7f5245dc8000

page read and write

7f5245c97000

page read and write

56066d0eb000

page read and write

7f5245dc0000

page read and write

7f5245e0d000

page read and write

7ffe00b8f000

page execute read

7ffe00b8f000

page execute read

56066f0e9000

page execute and read and write

7f5245e0d000

page read and write

7f5244ac5000

page read and write

7f5245927000

page read and write

56066f180000

page read and write

7f52452d6000

page read and write

7f5245e0d000

page read and write

7f51c0050000

page read and write

7f5245dc8000

page read and write

7f5245565000

page read and write

56066ceb1000

page execute read

56066f180000

page read and write

56066f180000

page read and write

7f51c0059000

page read and write

7f5245c97000

page read and write

7f51c0059000

page read and write

56066ff3a000

page read and write

56066d0eb000

page read and write

7f51c0050000

page read and write

7f5240000000

page read and write

7f524594c000

page read and write

7f5240000000

page read and write

7f5245565000

page read and write

7f52452d6000

page read and write

7f5245c97000

page read and write

56066d0eb000

page read and write

7ffe00b51000

page read and write

7f5245dc0000

page read and write

7f524594c000

page read and write

7f5240021000

page read and write

7f524594c000

page read and write

7ffe00b8f000

page execute read

7f5245565000

page read and write

7f5240021000

page read and write

7ffe00b51000

page read and write

7f5245927000

page read and write

7ffe00b51000

page read and write

7f52452c8000

page read and write

There are 59 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
m68k.elf

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportm68k.elf

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
m68k.elf