Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

i686.elf

ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, no section header

initial sample

Details

Filetype:	ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, no section header
Entropy:	7.987775544148582
Filename:	i686.elf
Filesize:	78212
MD5:	a4a64141a96e6679bb87e0a335c72e06
SHA1:	0ee3e7f22525c874813ef1b05dd7b26da8669f3a
SHA256:	fdf80392d5d571c121a8f9335b7fcdc90bb40cc6e032130b505b99c1a455d12f
SHA512:	0cad3df5397c2c32c06f3ca7bfcaafc58c87a777594fc3ae766a92cc55de32f374b2819c6c66797affc68347f7d934e8e13a39d9da66e6a74616d2002261f6a8
SSDEEP:	1536:j1iYGrpW441CnG0ZdHk92kbidTHeactdmNnouy8GylWte3yoxGcfpT:j1iY6D4IPZ2eT+aIm1outAteCrcfpT
Preview:	.ELF........................4...........4. ...(.....................................................................Q.td.............................-Z.UPX!........V...V.......e..........?..k.I/.j....\......t..:.....yq.0j.......\.....x.......xt4.!.8.X...A

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Opens /proc/net/* files useful for finding connected devices and routers	Spreading	Remote System Discovery
ELF contains segments with high entropy indicating compressed/encrypted content	Hooking and other Techniques for Hiding and Protection	Obfuscated Files or Information
URLs found in memory or binary data	Networking
Writes log files to disk	Persistence and Installation Behavior

/tmp/Infected.log

ASCII text, with CRLF line terminators

dropped

Details

File:	/tmp/Infected.log
Category:	dropped
Dump:	Infected.log.12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/i686.elf
Type:	ASCII text, with CRLF line terminators
Entropy:	4.71112089176799
Encrypted:	false
Ssdeep:	3:xRbQRAZvOWFsZWFBAK8dAuFUJ4gnicMMIVDt8Tovn:xR0qvOfZW8K8djmHicNoDt8kv
Size:	107
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Writes log files to disk	Persistence and Installation Behavior

Processes

Path

Cmdline

Malicious

/tmp/i686.elf

URLs

Name

Malicious

http://upx.sf.net

unknown

Details

Name:	http://upx.sf.net
TargetID:	12
From Memory:	true
Current Path:	/tmp/i686.elf
Source:	i686.elf

Signature Hits	Behavior Group	Mitre Attack
Sample is packed with UPX	Data Obfuscation	Obfuscated Files or Information
URLs found in memory or binary data	Networking

https://developers.google.com/search/docs/advanced/crawling/overview-google-crawlers)

unknown

http://www.spidersoft.com)

unknown

http://help.yahoo.com/help/us/ysearch/slurp)

unknown

http://www.google.com/bot.html)

unknown

http://www.google.com/mobile/adsbot.html)

unknown

Domains

Name

Malicious

daisy.ubuntu.com

162.213.35.24

IPs

Domain

Country

Malicious

181.214.231.152

unknown

Chile

Details

IP:	181.214.231.152
TargetID:	-1
Country:	Chile
Countrycode:	CHL
ASN number:	61317
ASN name:	ASDETUKhttpwwwheficedcomGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Suricata IDS alerts with low severity for network traffic	Networking
Connects to IPs without corresponding DNS lookups	Networking

185.125.190.26

unknown

United Kingdom

Details

IP:	185.125.190.26
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

8090000

page execute read

8090000

page execute read

ff9f9000

page read and write

c02000

page execute read

9eb3000

page read and write

8099000

page read and write

c02000

page execute read

9eb3000

page read and write

f7f5d000

page execute read

8099000

page read and write

ff9f9000

page read and write

f7f5d000

page execute read

There are 2 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
i686.elf

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reporti686.elf

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
i686.elf