Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

/usr/bin/dash

/usr/bin/rm

rm -f /tmp/tmp.2WbCjJ6Io2 /tmp/tmp.eIOne8WmEs /tmp/tmp.0JFMJ6cge1

/usr/bin/dash

/usr/bin/cat

cat /tmp/tmp.2WbCjJ6Io2

/usr/bin/dash

/usr/bin/head

head -n 10

/usr/bin/dash

/usr/bin/tr

tr -d \\000-\\011\\013\\014\\016-\\037

/usr/bin/dash

/usr/bin/cut

cut -c -80

/usr/bin/dash

/usr/bin/cat

cat /tmp/tmp.2WbCjJ6Io2

/usr/bin/dash

/usr/bin/head

head -n 10

/usr/bin/dash

/usr/bin/tr

tr -d \\000-\\011\\013\\014\\016-\\037

/usr/bin/dash

/usr/bin/cut

cut -c -80

/usr/bin/dash

/usr/bin/rm

rm -f /tmp/tmp.2WbCjJ6Io2 /tmp/tmp.eIOne8WmEs /tmp/tmp.0JFMJ6cge1

/tmp/sh4.elf

There are 14 hidden processes, click here to show them.

IPs

Domain

Country

Malicious

109.202.202.202

unknown

Switzerland

Details

IP:	109.202.202.202
TargetID:	-1
Country:	Switzerland
Countrycode:	CHE
ASN number:	13030
ASN name:	INIT7CH
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

193.111.248.45

unknown

Russian Federation

Details

IP:	193.111.248.45
TargetID:	-1
Country:	Russian Federation
Countrycode:	RUS
ASN number:	8100
ASN name:	ASN-QUADRANET-GLOBALUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.43

unknown

United Kingdom

Details

IP:	91.189.91.43
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.42

unknown

United Kingdom

Details

IP:	91.189.91.42
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7fc274410000

page execute read

7fc274410000

page execute read

7fc274410000

page execute read

561f83ec6000

page read and write

561f83bd3000

page execute and read and write

7fc2f8a3e000

page read and write

7fc2f4021000

page read and write

7fc2f8cdb000

page read and write

7fc2f940d000

page read and write

7ffd1e3bb000

page execute read

7fc2f4000000

page read and write

561f819b7000

page execute read

7fc2f9536000

page read and write

561f81bcd000

page read and write

561f819b7000

page execute read

561f83bd3000

page execute and read and write

7fc2f4000000

page read and write

7fc2f9583000

page read and write

7fc2f953e000

page read and write

561f83bd3000

page execute and read and write

561f83ec6000

page read and write

7fc2f90c2000

page read and write

7fc274418000

page read and write

7fc2f823b000

page read and write

7fc2f953e000

page read and write

7fc274411000

page read and write

7fc2f9583000

page read and write

561f81bd5000

page read and write

7fc2f9536000

page read and write

7fc2f940d000

page read and write

7fc274411000

page read and write

561f81bcd000

page read and write

7ffd1e3bb000

page execute read

7fc2f9583000

page read and write

7ffd1e3bb000

page execute read

561f83bea000

page read and write

7ffd1e3af000

page read and write

561f83bea000

page read and write

7fc274418000

page read and write

7fc274411000

page read and write

7fc2f90c2000

page read and write

7fc2f953e000

page read and write

7fc2f8cdb000

page read and write

7fc2f8a4c000

page read and write

7fc2f823b000

page read and write

7fc2f8a4c000

page read and write

7fc2f909d000

page read and write

7fc2f909d000

page read and write

561f81bd5000

page read and write

561f83bea000

page read and write

561f83ec6000

page read and write

7fc2f8a4c000

page read and write

7ffd1e3af000

page read and write

7fc2f4021000

page read and write

7fc2f8a3e000

page read and write

7fc2f4000000

page read and write

7fc2f9536000

page read and write

561f81bcd000

page read and write

7fc2f823b000

page read and write

7fc2f909d000

page read and write

7fc2f940d000

page read and write

7fc2f90c2000

page read and write

7fc2f8a3e000

page read and write

561f81bd5000

page read and write

7fc2f8cdb000

page read and write

561f819b7000

page execute read

7fc2f4021000

page read and write

7fc274418000

page read and write

7ffd1e3af000

page read and write

There are 59 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
sh4.elf

Processes

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportsh4.elf

Processes

IPs

Memdumps

IOC Report
sh4.elf