Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Aqua.arm7.elf

ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, with debug_info, not stripped

initial sample

Details

Filetype:	ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, with debug_info, not stripped
Entropy:	5.962670792601127
Filename:	Aqua.arm7.elf
Filesize:	137351
MD5:	707f6a09c63e7c2ea16645b991beece2
SHA1:	9d84b9d10704c06098b4eaec5f96e34d4ba47635
SHA256:	87f1ad61c3f9896c05477b1598f701f33ea9017b0691a19d6ac152b1c4cecf0d
SHA512:	ae7dd55b580561bf3ddab5ecc970f3c1317a83f01b8018cd4a21e2007bef3bd6d31b9a569da8069772c0abcf5409cc1b93e0918553626bd5d0ec317ae339c97c
SSDEEP:	3072:i23pdvy+BPavQj2KlhdEfNJtgX/zOz+M/9V83Lq3p:i23pA8PavQj2KBEqX/zjM/9V83LqZ
Preview:	.ELF..............(.........4...........4. ...(........p(/..(...(...................................@0..@0..............@0..@0..@0.......2..............D0..D0..D0..................Q.td..................................-...L..................@-.,@...0....S

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Sample deletes itself	Hooking and other Techniques for Hiding and Protection	File Deletion
Sample and/or dropped files contains symbols with suspicious names	System Summary	Masquerading
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery

/tmp/qemu-open.f7nSNS (deleted)

data

dropped

Details

File:	/tmp/qemu-open.f7nSNS (deleted)
Category:	dropped
Dump:	qemu-open.f7nSNS (deleted).12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/Aqua.arm7.elf
Type:	data
Entropy:	4.1162646156680225
Encrypted:	false
Ssdeep:	3:Tg2I8HJN:TggJN
Size:	29
Whitelisted:	false
Reputation:	moderate

Processes

Path

Cmdline

Malicious

/tmp/Aqua.arm7.elf

Domains

Name

Malicious

45.148.10.84

unknown

Memdumps

Base Address

Regiontype

Protect

Malicious

7f801c021000

page read and write

7f8023d39000

page read and write

55865b5bd000

page read and write

55865879d000

page execute read

7f80240ac000

page read and write

55865aa0c000

page read and write

7f80233fb000

page read and write

7f80239eb000

page read and write

5586589ee000

page read and write

7ffef79ae000

page read and write

7f8023f1a000

page read and write

7f8022b61000

page read and write

7f801bfff000

page read and write

7f802375d000

page read and write

7ffef79ff000

page execute read

7f8023369000

page read and write

7f8024067000

page read and write

7f8024043000

page read and write

5586589f7000

page read and write

7f7f1c02b000

page execute read

7f8023b57000

page read and write

7f7f1c033000

page read and write

55865a9f5000

page execute and read and write

7f7f1c038000

page read and write

7f80239c8000

page read and write

There are 15 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Aqua.arm7.elf

Files

Processes

Domains

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportAqua.arm7.elf

Files

Processes

Domains

Memdumps

IOC Report
Aqua.arm7.elf