Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

/usr/bin/dash

/usr/bin/rm

rm -f /tmp/tmp.SlD6jxRmUc /tmp/tmp.9a8sFUeCt4 /tmp/tmp.zXHH5HubB7

/usr/bin/dash

/usr/bin/cat

cat /tmp/tmp.SlD6jxRmUc

/usr/bin/dash

/usr/bin/head

head -n 10

/usr/bin/dash

/usr/bin/tr

tr -d \\000-\\011\\013\\014\\016-\\037

/usr/bin/dash

/usr/bin/cut

cut -c -80

/usr/bin/dash

/usr/bin/cat

cat /tmp/tmp.SlD6jxRmUc

/usr/bin/dash

/usr/bin/head

head -n 10

/usr/bin/dash

/usr/bin/tr

tr -d \\000-\\011\\013\\014\\016-\\037

/usr/bin/dash

/usr/bin/cut

cut -c -80

/usr/bin/dash

/usr/bin/rm

rm -f /tmp/tmp.SlD6jxRmUc /tmp/tmp.9a8sFUeCt4 /tmp/tmp.zXHH5HubB7

/tmp/sshd.elf

There are 11 hidden processes, click here to show them.

URLs

Name

Malicious

http://www.openssl.org/support/faq.htmlmd_rand.c

unknown

http://www.openssl.org/support/faq.html

unknown

IPs

Domain

Country

Malicious

109.202.202.202

unknown

Switzerland

Details

IP:	109.202.202.202
TargetID:	-1
Country:	Switzerland
Countrycode:	CHE
ASN number:	13030
ASN name:	INIT7CH
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.43

unknown

United Kingdom

Details

IP:	91.189.91.43
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.42

unknown

United Kingdom

Details

IP:	91.189.91.42
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7f52af088000

page read and write

7f52aed17000

page read and write

7f52af392000

page read and write

7f52af269000

page read and write

7f52a7fff000

page read and write

7f52adeb0000

page read and write

7f52af3fb000

page read and write

55b036383000

page read and write

55b038382000

page execute and read and write

7fff411bf000

page execute read

7f52a8021000

page read and write

7f51a812d000

page execute read

7f51a813e000

page read and write

7fff41188000

page read and write

7f52af3b6000

page read and write

7f52ae6b8000

page read and write

7f52aeaac000

page read and write

55b03637a000

page read and write

7f52aed3a000

page read and write

55b036129000

page execute read

7f52aeea6000

page read and write

7f51a8144000

page read and write

55b03a442000

page read and write

55b038398000

page read and write

7f52ae74a000

page read and write

There are 15 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
sshd.elf

Processes

URLs

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportsshd.elf

Processes

URLs

IPs

Memdumps

IOC Report
sshd.elf