Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Aqua.ppc.elf

ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, stripped

initial sample

Details

Filetype:	ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, stripped
Entropy:	6.2418568869030295
Filename:	Aqua.ppc.elf
Filesize:	51736
MD5:	a6268186d05e4eaa6c9df694ff8dbdf3
SHA1:	7417afb728c69ca3d3a46238993e6079e8682a2f
SHA256:	e6e8e801213af1825a13a978d95a344594b41d7fe7d68061dcc311e1f4aeec1a
SHA512:	5fde17020ce65031abcd923c4d0331deecbc50855f8bdb474bb3475d1e62bbe8f8079fb144716d00d77250baed12a3e8aa00902ac8bf552ebe36d87507508d3a
SSDEEP:	768:Yp7Fc/pm5R+LYRNQSOjd7yo2MBVYcUbT9HB4zLZLK5k9UO4Fw+t/muIuG:aFKc5zgSid7yo2cq99HCzQ5k9/9+Zmui
Preview:	.ELF...........................4...8.....4. ...(.......................8...8...............<...<...<......%p........dt.Q.............................!..\|......$H...H......$8!. \|...N.. .!..\|.......?..........8..../...@..\?......T.+../...A..$8...}).....TN..

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Sample deletes itself	Hooking and other Techniques for Hiding and Protection	File Deletion
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion

/tmp/qemu-open.mZtje5 (deleted)

data

dropped

Details

File:	/tmp/qemu-open.mZtje5 (deleted)
Category:	dropped
Dump:	qemu-open.mZtje5 (deleted).12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/Aqua.ppc.elf
Type:	data
Entropy:	4.110577243331642
Encrypted:	false
Ssdeep:	3:TgqLs+HJN:TgcJN
Size:	28
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

/tmp/Aqua.ppc.elf

Domains

Name

Malicious

45.148.10.84

unknown

IPs

Domain

Country

Malicious

185.125.190.26

unknown

United Kingdom

Details

IP:	185.125.190.26
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7ffbdff5f000

page read and write

7ffbdf0d8000

page read and write

7ffbdf8e9000

page read and write

7ffbd8000000

page read and write

7ffbdff3a000

page read and write

7ffd10bd5000

page execute read

7ffbe0420000

page read and write

7ffbdf8db000

page read and write

557801661000

page read and write

7ffbd8021000

page read and write

55780164b000

page execute and read and write

7ffbe03db000

page read and write

5577ff3c2000

page execute read

7ffbe03d3000

page read and write

7ffbe02aa000

page read and write

7ffd10b3f000

page read and write

557802900000

page read and write

5577ff645000

page read and write

7ffae8021000

page read and write

5577ff64d000

page read and write

7ffae800e000

page execute read

7ffae801e000

page read and write

7ffbdfb78000

page read and write

There are 13 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Aqua.ppc.elf

Files

Processes

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportAqua.ppc.elf

Files

Processes

Domains

IPs

Memdumps

IOC Report
Aqua.ppc.elf