Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

/tmp/arm6.nn.elf

/usr/bin/dash

/usr/bin/rm

rm -f /tmp/tmp.iEXim8CPaV /tmp/tmp.7NdVdInXSp /tmp/tmp.0CJDfwaPWW

/usr/bin/dash

/usr/bin/cat

cat /tmp/tmp.iEXim8CPaV

/usr/bin/dash

/usr/bin/head

head -n 10

/usr/bin/dash

/usr/bin/tr

tr -d \\000-\\011\\013\\014\\016-\\037

/usr/bin/dash

/usr/bin/cut

cut -c -80

/usr/bin/dash

/usr/bin/cat

cat /tmp/tmp.iEXim8CPaV

/usr/bin/dash

/usr/bin/head

head -n 10

/usr/bin/dash

/usr/bin/tr

tr -d \\000-\\011\\013\\014\\016-\\037

/usr/bin/dash

/usr/bin/cut

cut -c -80

/usr/bin/dash

/usr/bin/rm

rm -f /tmp/tmp.iEXim8CPaV /tmp/tmp.7NdVdInXSp /tmp/tmp.0CJDfwaPWW

There are 11 hidden processes, click here to show them.

URLs

Name

Malicious

http://94.156.227.233/curl.sh

unknown

Details

Name:	http://94.156.227.233/curl.sh
TargetID:	12
From Memory:	true
Current Path:	/tmp/arm6.nn.elf
Source:	arm6.nn.elf
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
URLs found in memory or binary data	Networking

http://94.156.227.233/lol.sh

unknown

Details

Name:	http://94.156.227.233/lol.sh
TargetID:	12
From Memory:	true
Current Path:	/tmp/arm6.nn.elf
Source:	arm6.nn.elf
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
URLs found in memory or binary data	Networking

http://94.156.227.233/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/s

unknown

http://94.156.227.233/

unknown

Details

Name:	http://94.156.227.233/
TargetID:	12
From Memory:	true
Current Path:	/tmp/arm6.nn.elf
Source:	arm6.nn.elf
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

54.171.230.55

unknown

United States

Details

IP:	54.171.230.55
TargetID:	-1
Country:	United States
Countrycode:	USA
ASN number:	16509
ASN name:	AMAZON-02US
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

109.202.202.202

unknown

Switzerland

Details

IP:	109.202.202.202
TargetID:	-1
Country:	Switzerland
Countrycode:	CHE
ASN number:	13030
ASN name:	INIT7CH
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.43

unknown

United Kingdom

Details

IP:	91.189.91.43
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.42

unknown

United Kingdom

Details

IP:	91.189.91.42
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7ffa5c032000

page execute read

7ffb62323000

page read and write

7ffb62694000

page read and write

7ffb6299e000

page read and write

55e2f8ac3000

page read and write

7ffb629c2000

page read and write

7ffb61d56000

page read and write

7ffb62875000

page read and write

55e2f7a66000

page read and write

7ffb5bfff000

page read and write

7ffb62346000

page read and write

55e2f57f7000

page execute read

7ffb5c021000

page read and write

7ffb624b2000

page read and write

7ffb62a07000

page read and write

55e2f7a4f000

page execute and read and write

7ffa5c03b000

page read and write

55e2f5a51000

page read and write

55e2f5a48000

page read and write

7ffc6dd2f000

page read and write

7ffb620b8000

page read and write

7ffc6dda9000

page execute read

7ffb61cc4000

page read and write

7ffa5c045000

page read and write

7ffb614bc000

page read and write

There are 15 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
arm6.nn.elf

Processes

URLs

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportarm6.nn.elf

Processes

URLs

IPs

Memdumps

IOC Report
arm6.nn.elf