Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

sparc.elf

ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, with debug_info, not stripped

initial sample

Details

Filetype:	ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, with debug_info, not stripped
Entropy:	6.331161778368879
Filename:	sparc.elf
Filesize:	419657
MD5:	bdd5844f56bf9cf54acfb3f2d3685259
SHA1:	6213dfc1c602cdcbef8da588d8b6e81efe3112a9
SHA256:	784b44482f692e2129489ee6196fb51980d25d9bc2149f6a0db33fb846a471e5
SHA512:	2683d2b02e1f1baf6ab4fb7738eb0c68d8d9b6bbdfa369401d7db67d08644b837d2ce247a4a23a555e6709e6689e125345f03895a82e22c136155edca16ffe97
SSDEEP:	6144:TUzMa9JqpP8HNZCC5Xk0pg6KEQQZ0s0DkBBnlnjCznlYxmEwMFcH7:TPSqp1D8UzlkmEwMFcH7
Preview:	.ELF...........................4.........4. ...(.......................................... ... ... ....p...8........dt.Q................................@..(....@..v................#.....bp..`.....!.....!...@.....".........`......$!...!...@...........`....

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Opens /proc/net/* files useful for finding connected devices and routers	Spreading	Remote System Discovery
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
Yara signature match	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
Sample and/or dropped files contains symbols with file path information	System Summary
URLs found in memory or binary data	Networking
Writes log files to disk	Persistence and Installation Behavior

/tmp/Infected.log

ASCII text, with CRLF line terminators

dropped

Details

File:	/tmp/Infected.log
Category:	dropped
Dump:	Infected.log.12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/sparc.elf
Type:	ASCII text, with CRLF line terminators
Entropy:	4.71112089176799
Encrypted:	false
Ssdeep:	3:xRbQRAZvOWFsZWFBAK8dAuFUJ4gnicMMIVDt8Tovn:xR0qvOfZW8K8djmHicNoDt8kv
Size:	107
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Writes log files to disk	Persistence and Installation Behavior

/tmp/qemu-open.Lo2pCW (deleted)

ASCII text

dropped

Details

File:	/tmp/qemu-open.Lo2pCW (deleted)
Category:	dropped
Dump:	qemu-open.Lo2pCW (deleted).12.dr
ID:	dr_1
Target ID:	12
Process:	/tmp/sparc.elf
Type:	ASCII text
Entropy:	3.709552666863289
Encrypted:	false
Ssdeep:	6:iekrEcvwAsE5KlwSd4pzKaV6Lpms/a/1VCxGF:ur+m5MwSdIKaV6L1adVRF
Size:	230
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

/tmp/sparc.elf

URLs

Name

Malicious

https://developers.google.com/search/docs/advanced/crawling/overview-google-crawlers)

unknown

http://www.spidersoft.com)

unknown

http://help.yahoo.com/help/us/ysearch/slurp)

unknown

http://www.google.com/bot.html)

unknown

181.214.231.152:96666

Details

Name:	181.214.231.152:96666
TargetID:	0
From Memory:	false
Source:	config extractor
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol

http://www.google.com/mobile/adsbot.html)

unknown

Domains

Name

Malicious

daisy.ubuntu.com

162.213.35.25

Details

Name:	daisy.ubuntu.com
IP:	162.213.35.25
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

181.214.231.152

unknown

Chile

Details

IP:	181.214.231.152
TargetID:	-1
Country:	Chile
Countrycode:	CHL
ASN number:	61317
ASN name:	ASDETUKhttpwwwheficedcomGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Suricata IDS alerts with low severity for network traffic	Networking
Connects to IPs without corresponding DNS lookups	Networking

185.125.190.26

unknown

United Kingdom

Details

IP:	185.125.190.26
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7fd7ec063000

page execute read

7fd7ec063000

page execute read

55e0290b0000

page read and write

55e02c9e3000

page read and write

7fd8ec000000

page read and write

55e02b0b7000

page execute and read and write

7fd8f3ed2000

page read and write

7fd8f37a0000

page read and write

7fd8f3511000

page read and write

55e02b0b7000

page execute and read and write

7fd7ec07d000

page read and write

55e028e82000

page execute read

7ffdf1302000

page execute read

7fd8f37a0000

page read and write

7fd8f2d00000

page read and write

7fd7ec07d000

page read and write

7fd8f3503000

page read and write

7fd8f3b62000

page read and write

7ffdf124e000

page read and write

7fd8f3b62000

page read and write

55e028e82000

page execute read

55e0290b0000

page read and write

7fd8f4048000

page read and write

7fd8ec021000

page read and write

7fd8f3b87000

page read and write

7fd8f3ed2000

page read and write

7fd8f4003000

page read and write

7fd8ec000000

page read and write

55e02c9e3000

page read and write

7fd8ec021000

page read and write

7fd7ec075000

page read and write

55e0290b9000

page read and write

7fd8f3503000

page read and write

55e0290b9000

page read and write

7fd8f3ffb000

page read and write

55e02b0ce000

page read and write

7fd8f4003000

page read and write

7fd8f3ffb000

page read and write

7ffdf1302000

page execute read

7fd7ec075000

page read and write

55e02b0ce000

page read and write

7ffdf124e000

page read and write

7fd8f3511000

page read and write

7fd8f3b87000

page read and write

7fd8f2d00000

page read and write

7fd8f4048000

page read and write

There are 36 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
sparc.elf

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportsparc.elf

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
sparc.elf