Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

armv6l.elf

ELF 32-bit LSB executable, ARM, EABI4 version 1 (GNU/Linux), statically linked, no section header

initial sample

Details

Filetype:	ELF 32-bit LSB executable, ARM, EABI4 version 1 (GNU/Linux), statically linked, no section header
Entropy:	7.991055449530635
Filename:	armv6l.elf
Filesize:	85200
MD5:	ae688d68851d9b270eada996c4cf0550
SHA1:	521d1c7e9b4c51a534f885a9eda780036d5433d8
SHA256:	480d339e2609f68438b81e08b0bef9cb67343359f04565c543c7e69de6a54b0c
SHA512:	fbe03b2bc040b014ad63ac90c5a415668a0014faaca236742f156569495864f8e1d9a3e57c6b028b2f735b3e46950e1dbea6961f56335be2a727e88a6f97c666
SSDEEP:	1536:I6maMjR+qy4rnLy9pwjhdx87oYfibFv/oiq4EYS7Hi8z42/ChsXYa4dD/:IT7jMqy4rnQwjhP80/NqrYS7p41aK
Preview:	.ELF..............(......^..4...........4. ...(..........................................>...>...>..................Q.td............................r.'.UPX!........Q-..Q-......_..........?.E.h;....#..$..............C..... ...aO...N...".%....u..pd...G.. ..

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Opens /proc/net/* files useful for finding connected devices and routers	Spreading	Remote System Discovery
ELF contains segments with high entropy indicating compressed/encrypted content	Hooking and other Techniques for Hiding and Protection
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
URLs found in memory or binary data	Networking
Writes log files to disk	Persistence and Installation Behavior

/tmp/Infected.log

ASCII text, with CRLF line terminators

dropped

Details

File:	/tmp/Infected.log
Category:	dropped
Dump:	Infected.log.12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/armv6l.elf
Type:	ASCII text, with CRLF line terminators
Entropy:	4.71112089176799
Encrypted:	false
Ssdeep:	3:xRbQRAZvOWFsZWFBAK8dAuFUJ4gnicMMIVDt8Tovn:xR0qvOfZW8K8djmHicNoDt8kv
Size:	107
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Writes log files to disk	Persistence and Installation Behavior

Processes

Path

Cmdline

Malicious

/tmp/armv6l.elf

URLs

Name

Malicious

http://upx.sf.net

unknown

Details

Name:	http://upx.sf.net
TargetID:	12
From Memory:	true
Current Path:	/tmp/armv6l.elf
Source:	armv6l.elf

Signature Hits	Behavior Group	Mitre Attack
Sample is packed with UPX	Data Obfuscation	Obfuscated Files or Information
URLs found in memory or binary data	Networking

https://developers.google.com/search/docs/advanced/crawling/overview-google-crawlers)

unknown

http://www.spidersoft.com)

unknown

http://help.yahoo.com/help/us/ysearch/slurp)

unknown

http://www.google.com/bot.html)

unknown

http://www.google.com/mobile/adsbot.html)

unknown

Domains

Name

Malicious

daisy.ubuntu.com

162.213.35.25

IPs

Domain

Country

Malicious

181.214.231.152

unknown

Chile

Details

IP:	181.214.231.152
TargetID:	-1
Country:	Chile
Countrycode:	CHL
ASN number:	61317
ASN name:	ASDETUKhttpwwwheficedcomGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Suricata IDS alerts with low severity for network traffic	Networking
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7f77d4064000

page execute read

7f77d4064000

page execute read

7f78d8d88000

page read and write

7f78d8a26000

page read and write

55734f43f000

page execute read

7f78d8994000

page read and write

7f78d9182000

page read and write

7f78d8d88000

page read and write

7f78d818c000

page read and write

7f78d966e000

page read and write

7ffe965f7000

page execute read

55734f690000

page read and write

7f78d4021000

page read and write

7ffe96587000

page read and write

7f78d9692000

page read and write

7f77d4075000

page read and write

7f78d9692000

page read and write

7f78d96d7000

page read and write

557352472000

page read and write

557352472000

page read and write

7f78d9182000

page read and write

55734f690000

page read and write

7f78d3fff000

page read and write

7ffe96587000

page read and write

7ffe965f7000

page execute read

55734f699000

page read and write

7f78d4021000

page read and write

7f78d9364000

page read and write

55734f699000

page read and write

5573516ae000

page read and write

7f78d8994000

page read and write

5573516ae000

page read and write

7f78d818c000

page read and write

7f78d8ff3000

page read and write

7f78d8a26000

page read and write

557351697000

page execute and read and write

7f77d4075000

page read and write

7f78d8ff3000

page read and write

7f78d9545000

page read and write

7f78d96d7000

page read and write

7f78d9545000

page read and write

7f78d3fff000

page read and write

7f78d9364000

page read and write

557351697000

page execute and read and write

7f78d9016000

page read and write

7f78d9016000

page read and write

7f78d966e000

page read and write

55734f43f000

page execute read

There are 38 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
armv6l.elf

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportarmv6l.elf

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
armv6l.elf