Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

m68k.elf

ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, with debug_info, not stripped

initial sample

Details

Filetype:	ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, with debug_info, not stripped
Entropy:	6.363689230334479
Filename:	m68k.elf
Filesize:	402263
MD5:	63f5737a2f9c488d0d25ef4029e19845
SHA1:	678f6ab1ceac601b87cf7b399f2aa10fa6b961bb
SHA256:	5c7b74183c09281bd1c706768a04fb532b68b2f5036051b1baf32b05fdb3a334
SHA512:	68a31201ccd5f2aa9686dbb28e2a59227f3fa5b3b8b21aa43079d6baffc3843d9943b365aa29667fc84fd058b68a38551742a3db312f06711753f6d1916afb54
SSDEEP:	6144:b8tTKAd0QeqacWucW0JcWcBHsCsmcQ8P8Kpd9kknRCSNCqeiGEJiiif3N5N2AtKm:b8tmnrWf3HIKmmvrY1PYwk7
Preview:	.ELF.......................D...4.........4. ...(.................................. .......................}....... .dt.Q............................NV..a....da.....N^NuNV..J9... f>"y.... QJ.g.X.#.....N."y.... QJ.f.A.....J.g.Hy....N.X........ N^NuNV..N^NuN

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Opens /proc/net/* files useful for finding connected devices and routers	Spreading	Remote System Discovery
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
Yara signature match	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
URLs found in memory or binary data	Networking
Writes log files to disk	Persistence and Installation Behavior

/tmp/Infected.log

ASCII text, with CRLF line terminators

dropped

Details

File:	/tmp/Infected.log
Category:	dropped
Dump:	Infected.log.12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/m68k.elf
Type:	ASCII text, with CRLF line terminators
Entropy:	4.71112089176799
Encrypted:	false
Ssdeep:	3:xRbQRAZvOWFsZWFBAK8dAuFUJ4gnicMMIVDt8Tovn:xR0qvOfZW8K8djmHicNoDt8kv
Size:	107
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Writes log files to disk	Persistence and Installation Behavior

/tmp/qemu-open.enIqGb (deleted)

ASCII text

dropped

Details

File:	/tmp/qemu-open.enIqGb (deleted)
Category:	dropped
Dump:	qemu-open.enIqGb (deleted).12.dr
ID:	dr_1
Target ID:	12
Process:	/tmp/m68k.elf
Type:	ASCII text
Entropy:	3.709552666863289
Encrypted:	false
Ssdeep:	6:iekrEcvwAsE5KlwSd4pzKaV6Lpms/a/1VCxGF:ur+m5MwSdIKaV6L1adVRF
Size:	230
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

/tmp/m68k.elf

/usr/bin/dash

/usr/bin/rm

rm -f /tmp/tmp.0lLnnSd7nq /tmp/tmp.3Pjf9XhPIl /tmp/tmp.MRNLN2GR5r

/usr/bin/dash

/usr/bin/rm

rm -f /tmp/tmp.0lLnnSd7nq /tmp/tmp.3Pjf9XhPIl /tmp/tmp.MRNLN2GR5r

URLs

Name

Malicious

https://developers.google.com/search/docs/advanced/crawling/overview-google-crawlers)

unknown

http://www.spidersoft.com)

unknown

http://help.yahoo.com/help/us/ysearch/slurp)

unknown

http://www.google.com/bot.html)

unknown

181.214.231.152:96666

Details

Name:	181.214.231.152:96666
TargetID:	0
From Memory:	false
Source:	config extractor
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol

http://www.google.com/mobile/adsbot.html)

unknown

Domains

Name

Malicious

daisy.ubuntu.com

162.213.35.24

Details

Name:	daisy.ubuntu.com
IP:	162.213.35.24
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

181.214.231.152

unknown

Chile

Details

IP:	181.214.231.152
TargetID:	-1
Country:	Chile
Countrycode:	CHL
ASN number:	61317
ASN name:	ASDETUKhttpwwwheficedcomGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Suricata IDS alerts with low severity for network traffic	Networking
Connects to IPs without corresponding DNS lookups	Networking

54.217.10.153

unknown

United States

185.125.190.26

unknown

United Kingdom

Details

IP:	185.125.190.26
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7ff6e004e000

page execute read

7ff6e004e000

page execute read

55e6a3c04000

page read and write

55e6a4011000

page read and write

55e6a1935000

page execute read

7ff768565000

page read and write

7ff7682d6000

page read and write

7ffe057f5000

page execute read

7ff760021000

page read and write

55e6a1b67000

page read and write

7ff6e0051000

page read and write

7ff768dc8000

page read and write

55e6a1b67000

page read and write

55e6a3b6d000

page execute and read and write

7ff6e0059000

page read and write

55e6a1b6f000

page read and write

7ff767ac5000

page read and write

7ff760000000

page read and write

7ffe05791000

page read and write

55e6a4011000

page read and write

7ff768927000

page read and write

7ff768dc0000

page read and write

7ffe05791000

page read and write

55e6a3c04000

page read and write

7ff7682c8000

page read and write

55e6a3b6d000

page execute and read and write

7ff6e0051000

page read and write

7ff6e0059000

page read and write

7ff768e0d000

page read and write

7ff760000000

page read and write

7ff768927000

page read and write

7ff7682c8000

page read and write

7ff768c97000

page read and write

7ff7682d6000

page read and write

7ff768dc8000

page read and write

7ff768565000

page read and write

55e6a1b6f000

page read and write

7ff76894c000

page read and write

7ffe057f5000

page execute read

7ff767ac5000

page read and write

7ff76894c000

page read and write

55e6a1935000

page execute read

7ff760021000

page read and write

7ff768c97000

page read and write

7ff768e0d000

page read and write

7ff768dc0000

page read and write

There are 36 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
m68k.elf

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportm68k.elf

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
m68k.elf