Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

la.bot.arm6.elf

ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, stripped

initial sample

Details

Filetype:	ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, stripped
Entropy:	6.109575297206135
Filename:	la.bot.arm6.elf
Filesize:	103924
MD5:	90b819fa8230ce967a73e622ebd53a77
SHA1:	6e98307cb3a0950706c479f280faec3689eeb33c
SHA256:	e12838884713a4861bae188d5143bc403c9368047a4adf510e60009c5b15de5e
SHA512:	7543f045a365416510d42b127eb108bd5b070f60da66d37ffd01ddf415759132da2c4c5856a4b0890bd1977d182bf1821638bee08e6820c380533db7cdae0818
SSDEEP:	3072:F2G1tz4Pp5kOorAWft4TsDh0DNPfip79YaZAjc7dBqOnk9Ib:F2y4h6OeftkNPa1iayj2iz9o
Preview:	.ELF..............(.....T...4...........4. ...(.....................x...x................................x..........Q.td..................................-...L..................@-.,@...0....S..... 0....S.........../..0...0...@..../...............-.@0....S

Signature Hits	Behavior Group	Mitre Attack
Sample reads /proc/mounts (often used for finding a writable filesystem)	Persistence and Installation Behavior	File and Directory Discovery
Enumerates processes within the "proc" file system	Persistence and Installation Behavior	OS Credential Dumping
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample listens on a socket	Networking
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
URLs found in memory or binary data	Networking

/heavens.txt

ASCII text, with no line terminators

dropped

Details

File:	/heavens.txt
Category:	dropped
Dump:	heavens.txt.16.dr
ID:	dr_2
Target ID:	16
Process:	/tmp/la.bot.arm6.elf
Type:	ASCII text, with no line terminators
Entropy:	4.104536948901685
Encrypted:	false
Ssdeep:	3:XX6RivErqLw54zFE0iRJpZLWFqSYoJFiBOKK7FTxPh:H6wcmLk4zFHyBRST4OR7FT5h
Size:	141
Whitelisted:	false
Reputation:	moderate

/tmp/qemu-open.jnsPKW (deleted)

ASCII text

dropped

Details

File:	/tmp/qemu-open.jnsPKW (deleted)
Category:	dropped
Dump:	qemu-open.jnsPKW (deleted).15.dr
ID:	dr_1
Target ID:	15
Process:	/tmp/la.bot.arm6.elf
Type:	ASCII text
Entropy:	3.9716452020844164
Encrypted:	false
Ssdeep:	6:XtDFRLF/VUk/FYDFRp0Y/V/3VVymH/gb/DmIWmVmsVot/VOArB/VH:9XL0MQXdVImfgbiIWmul
Size:	366
Whitelisted:	false
Reputation:	low

/tmp/qemu-open.qM07cV (deleted)

ASCII text

dropped

Details

File:	/tmp/qemu-open.qM07cV (deleted)
Category:	dropped
Dump:	qemu-open.qM07cV (deleted).15.dr
ID:	dr_0
Target ID:	15
Process:	/tmp/la.bot.arm6.elf
Type:	ASCII text
Entropy:	3.9716452020844164
Encrypted:	false
Ssdeep:	6:XtDFRLF/VUk/FYDFRp0Y/V/3VVymH/gb/DmIWmVmsVot/VOArB/VH:9XL0MQXdVImfgbiIWmul
Size:	366
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

/tmp/la.bot.arm6.elf

URLs

Name

Malicious

http:///wget.sh

unknown

Details

Name:	http:///wget.sh
TargetID:	16
From Memory:	true
Current Path:	/tmp/la.bot.arm6.elf
Source:	la.bot.arm6.elf
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
URLs found in memory or binary data	Networking

http:///curl.sh

unknown

Details

Name:	http:///curl.sh
TargetID:	16
From Memory:	true
Current Path:	/tmp/la.bot.arm6.elf
Source:	la.bot.arm6.elf
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
URLs found in memory or binary data	Networking

Domains

Name

Malicious

checkout.coziest.lol

unknown

IPs

Domain

Country

Malicious

177.250.189.28

unknown

Paraguay

171.56.106.63

unknown

India

94.70.184.219

unknown

Greece

3.152.45.201

unknown

United States

42.75.205.46

unknown

Taiwan; Republic of China (ROC)

138.188.155.106

unknown

Switzerland

158.61.243.113

unknown

United States

165.254.13.47

unknown

United States

4.69.205.195

unknown

United States

160.4.22.67

unknown

New Zealand

69.209.103.213

unknown

United States

178.79.182.90

unknown

United Kingdom

69.219.106.160

unknown

United States

162.135.59.44

unknown

United States

169.70.104.75

unknown

United States

94.68.108.249

unknown

Greece

67.157.100.80

unknown

United States

51.146.199.34

unknown

United Kingdom

206.221.192.30

unknown

United States

85.135.124.190

unknown

Czech Republic

162.231.158.105

unknown

United States

154.197.56.142

unknown

Seychelles

140.253.239.109

unknown

Australia

210.74.142.85

unknown

China

13.172.228.138

unknown

United States

18.91.81.55

unknown

United States

25.41.196.218

unknown

United Kingdom

19.37.207.86

unknown

United States

85.127.141.174

unknown

Austria

36.197.31.45

unknown

China

73.51.119.68

unknown

United States

153.144.230.202

unknown

Japan

75.125.72.216

unknown

United States

56.188.133.177

unknown

United States

70.143.217.226

unknown

United States

12.209.250.110

unknown

United States

173.91.175.144

unknown

United States

123.187.56.141

unknown

China

87.21.160.204

unknown

Italy

108.181.135.156

unknown

Canada

84.119.27.25

unknown

Netherlands

75.81.3.80

unknown

United States

184.23.88.238

unknown

United States

132.58.1.156

unknown

United States

159.224.23.237

unknown

Ukraine

59.106.100.128

unknown

Japan

98.89.211.107

unknown

United States

215.67.27.113

unknown

United States

22.5.197.21

unknown

United States

47.90.7.34

unknown

United States

163.237.55.198

unknown

United States

78.73.239.235

unknown

Sweden

166.120.28.183

unknown

Australia

223.12.127.139

unknown

China

170.238.77.167

unknown

Brazil

143.73.82.102

unknown

United States

156.56.34.70

unknown

United States

174.119.80.248

unknown

Canada

19.200.35.246

unknown

United States

207.175.163.210

unknown

United States

34.208.154.238

unknown

United States

137.212.155.247

unknown

United States

138.250.82.233

unknown

United Kingdom

147.249.150.140

unknown

United States

176.54.70.227

unknown

Turkey

186.106.194.191

unknown

Chile

211.171.222.244

unknown

Korea Republic of

202.134.175.250

unknown

India

30.84.132.209

unknown

United States

153.219.110.84

unknown

Japan

67.217.246.62

unknown

United States

26.169.5.238

unknown

United States

18.2.115.133

unknown

United States

162.215.31.89

unknown

United States

22.233.96.48

unknown

United States

61.90.75.65

unknown

Thailand

214.88.201.239

unknown

United States

31.57.170.63

unknown

Iran (ISLAMIC Republic Of)

128.44.88.217

unknown

United States

74.141.106.82

unknown

United States

29.7.40.70

unknown

United States

37.53.105.207

unknown

Ukraine

85.72.245.68

unknown

Greece

161.207.226.55

unknown

China

52.2.252.191

unknown

United States

217.175.126.28

unknown

Sweden

59.114.110.50

unknown

Taiwan; Republic of China (ROC)

18.96.213.242

unknown

United States

132.91.197.188

unknown

United States

11.124.232.135

unknown

United States

166.49.181.111

unknown

United Kingdom

123.54.154.164

unknown

China

216.83.139.44

unknown

United States

60.127.187.180

unknown

Japan

223.135.96.89

unknown

Japan

35.196.81.252

unknown

United States

101.224.3.236

unknown

China

75.217.101.207

unknown

United States

204.58.194.244

unknown

United States

148.228.111.151

unknown

Mexico

There are 90 hidden IPs, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

7fbca4030000

page execute read

7fbca4030000

page execute read

7fbdabcb9000

page read and write

7fbdabc95000

page read and write

5579de187000

page read and write

7fbdab7a9000

page read and write

7fbca4043000

page read and write

5579da581000

page read and write

7fbdab04d000

page read and write

7fbda4021000

page read and write

5579dc596000

page read and write

7fbdabb6c000

page read and write

7fbca4039000

page read and write

5579da578000

page read and write

7fff8c395000

page read and write

7fbda3fff000

page read and write

7fbdab63d000

page read and write

5579da327000

page execute read

7fbdabc95000

page read and write

5579da578000

page read and write

7fbdab7a9000

page read and write

7fbdabb6c000

page read and write

5579da581000

page read and write

5579dc596000

page read and write

5579dc57f000

page execute and read and write

7fbdaafbb000

page read and write

7fbca4039000

page read and write

7fbdabcfe000

page read and write

7fbdaa7b3000

page read and write

7fff8c3ad000

page execute read

7fbdab04d000

page read and write

7fff8c3ad000

page execute read

7fbdab98b000

page read and write

5579dc57f000

page execute and read and write

7fbdabcfe000

page read and write

7fbdab3af000

page read and write

7fbda4021000

page read and write

7fbdab98b000

page read and write

7fbda3fff000

page read and write

7fff8c395000

page read and write

7fbca4043000

page read and write

5579de187000

page read and write

7fbdab61a000

page read and write

5579da327000

page execute read

7fbdab3af000

page read and write

7fbdabcb9000

page read and write

7fbdaafbb000

page read and write

7fbdab61a000

page read and write

7fbdab63d000

page read and write

7fbdaa7b3000

page read and write

There are 40 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
la.bot.arm6.elf

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportla.bot.arm6.elf

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
la.bot.arm6.elf