Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

armv5l.elf

ELF 32-bit LSB executable, ARM, EABI4 version 1 (GNU/Linux), statically linked, no section header

initial sample

Details

Filetype:	ELF 32-bit LSB executable, ARM, EABI4 version 1 (GNU/Linux), statically linked, no section header
Entropy:	7.991034104624289
Filename:	armv5l.elf
Filesize:	85200
MD5:	896d1c0e0d19f17cd2608499c1429eaa
SHA1:	b0bc28ae92637590802846bc2f6395fc4dc59cc5
SHA256:	c581ab2ef043d45bd025dc44c4b941fe57c48d125664048de2f12c6250fc47cb
SHA512:	cd87763779fb62ae2a70ec2908469d413b19c8b743f959e3a856f69e24418a2244507f9b348a0e85efe3a11108bb65617ca5c8ba4ae6c08160d402b92a17d604
SSDEEP:	1536:I6maMjR+qy4rnLy9pwjhdx87oYfibFv/oiq4EYS7Hi8z42/Y9ksEB4DQg:IT7jMqy4rnQwjhP80/NqrYS7p4h9BEBc
Preview:	.ELF..............(......^..4...........4. ...(..........................................>...>...>..................Q.td............................r.'.UPX!........Q-..Q-......_..........?.E.h;....#..$..............C..... ...aO...N...".%....u..pd...G.. ..

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Opens /proc/net/* files useful for finding connected devices and routers	Spreading	Remote System Discovery
ELF contains segments with high entropy indicating compressed/encrypted content	Hooking and other Techniques for Hiding and Protection
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
URLs found in memory or binary data	Networking
Writes log files to disk	Persistence and Installation Behavior

/tmp/Infected.log

ASCII text, with CRLF line terminators

dropped

Details

File:	/tmp/Infected.log
Category:	dropped
Dump:	Infected.log.12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/armv5l.elf
Type:	ASCII text, with CRLF line terminators
Entropy:	4.71112089176799
Encrypted:	false
Ssdeep:	3:xRbQRAZvOWFsZWFBAK8dAuFUJ4gnicMMIVDt8Tovn:xR0qvOfZW8K8djmHicNoDt8kv
Size:	107
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Writes log files to disk	Persistence and Installation Behavior

Processes

Path

Cmdline

Malicious

/tmp/armv5l.elf

URLs

Name

Malicious

http://upx.sf.net

unknown

Details

Name:	http://upx.sf.net
TargetID:	12
From Memory:	true
Current Path:	/tmp/armv5l.elf
Source:	armv5l.elf

Signature Hits	Behavior Group	Mitre Attack
Sample is packed with UPX	Data Obfuscation	Obfuscated Files or Information
URLs found in memory or binary data	Networking

https://developers.google.com/search/docs/advanced/crawling/overview-google-crawlers)

unknown

http://www.spidersoft.com)

unknown

http://help.yahoo.com/help/us/ysearch/slurp)

unknown

http://www.google.com/bot.html)

unknown

http://www.google.com/mobile/adsbot.html)

unknown

Domains

Name

Malicious

daisy.ubuntu.com

162.213.35.25

IPs

Domain

Country

Malicious

181.214.231.152

unknown

Chile

Details

IP:	181.214.231.152
TargetID:	-1
Country:	Chile
Countrycode:	CHL
ASN number:	61317
ASN name:	ASDETUKhttpwwwheficedcomGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Suricata IDS alerts with low severity for network traffic	Networking
Connects to IPs without corresponding DNS lookups	Networking

185.125.190.26

unknown

United Kingdom

Details

IP:	185.125.190.26
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7f0824064000

page execute read

7f0824064000

page execute read

7f092c22d000

page read and write

561407b0a000

page execute and read and write

7f092c250000

page read and write

7f092c8cc000

page read and write

7f092bbce000

page read and write

7f0824075000

page read and write

7f092b3c6000

page read and write

7f092c59e000

page read and write

7f0924021000

page read and write

7f092bc60000

page read and write

561405b03000

page read and write

561405b0c000

page read and write

7f092c8a8000

page read and write

7ffc0450a000

page execute read

7f092c3bc000

page read and write

7f092bfc2000

page read and write

7f092c22d000

page read and write

561407b21000

page read and write

7f0824075000

page read and write

7f092c911000

page read and write

7f0924021000

page read and write

7f092c3bc000

page read and write

7f092c77f000

page read and write

7f092c8cc000

page read and write

7f092bc60000

page read and write

7ffc044f6000

page read and write

561405b0c000

page read and write

5614099c3000

page read and write

5614099c3000

page read and write

7f0923fff000

page read and write

561407b21000

page read and write

7ffc0450a000

page execute read

7f092c911000

page read and write

561407b0a000

page execute and read and write

7f092c77f000

page read and write

7f092b3c6000

page read and write

7f092bbce000

page read and write

7f0923fff000

page read and write

7f092bfc2000

page read and write

561405b03000

page read and write

5614058b2000

page execute read

7ffc044f6000

page read and write

5614058b2000

page execute read

7f092c250000

page read and write

7f092c8a8000

page read and write

7f092c59e000

page read and write

There are 38 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
armv5l.elf

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportarmv5l.elf

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
armv5l.elf