Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Download

na.elf

ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), statically linked, for GNU/Linux 3.2.0, BuildID[sha1]=bc565f9f2dafc5618defa8eccf705f85712c87da, stripped

initial sample

Details

Filetype:	ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), statically linked, for GNU/Linux 3.2.0, BuildID[sha1]=bc565f9f2dafc5618defa8eccf705f85712c87da, stripped
Entropy:	5.765281745771994
Filename:	na.elf
Filesize:	920568
MD5:	b81a16c6313cfebe5b7b7f7277cd94db
SHA1:	ddb99b07418253f1abc4686f071c9ee647fab9a4
SHA256:	7174e25bdb441fe5573842498af4e3898927b5db293561e5beaf98745e17c1d4
SHA512:	a5d6693219f0b02ffff322d87ab5ec01a9e8ca51328663a44641234979c16c3e6b30d56bdeca710dedef30ca05b78d2897aa42f88903635103de400c35ac26a3
SSDEEP:	12288:qb143S0q+8eXS1/f2Wc3slC3yjTjMv+9XSJhBXEsV3b9gh4J8zMSv7MzOup8Mplv:qmShf4OTjMgXSJhBXEsVrmz9MOup1KhE
Preview:	.ELF.....................@.....4....p....4. ...(.#."p......X.@.X.@.X................p......p.@.p.@.p.........................@...@........................&..N&..N&...F...V................4.@.4.@.4... ... .................@...@.....$...$..............'..N'

Signature Hits	Behavior Group	Mitre Attack
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Drops files in suspicious directories	Hooking and other Techniques for Hiding and Protection	Masquerading
Found Tor onion address	Networking	Proxy
Sample deletes itself	Hooking and other Techniques for Hiding and Protection
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Sample tries to set the executable flag	Persistence and Installation Behavior	File and Directory Permissions Modification
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion
Writes ELF files to disk	Persistence and Installation Behavior
Yara signature match	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
URLs found in memory or binary data	Networking

/etc/CommId

ASCII text, with no line terminators

dropped

Details

File:	/etc/CommId
Category:	dropped
Dump:	CommId.77.dr
ID:	dr_4
Target ID:	77
Process:	/usr/sbin/uplugplay
Type:	ASCII text, with no line terminators
Entropy:	3.5
Encrypted:	false
Ssdeep:	3:3xbWQO:Q
Size:	16
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Found Tor onion address	Networking	Proxy

/usr/sbin/uplugplay

ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), statically linked, for GNU/Linux 3.2.0, BuildID[sha1]=bc565f9f2dafc5618defa8eccf705f85712c87da, stripped

dropped

Details

File:	/usr/sbin/uplugplay
Category:	dropped
Dump:	uplugplay.12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/na.elf
Type:	ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), statically linked, for GNU/Linux 3.2.0, BuildID[sha1]=bc565f9f2dafc5618defa8eccf705f85712c87da, stripped
Entropy:	5.765281745771994
Encrypted:	false
Ssdeep:	12288:qb143S0q+8eXS1/f2Wc3slC3yjTjMv+9XSJhBXEsV3b9gh4J8zMSv7MzOup8Mplv:qmShf4OTjMgXSJhBXEsVrmz9MOup1KhE
Size:	920568
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Yara detected Prometei	Bitcoin Miner
Yara detected Prometei	Bitcoin Miner
Drops files in suspicious directories	Hooking and other Techniques for Hiding and Protection	Masquerading
Found Tor onion address	Networking	Proxy
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Sample tries to set the executable flag	Persistence and Installation Behavior	File and Directory Permissions Modification
Writes ELF files to disk	Persistence and Installation Behavior
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery

/memfd:snapd-env-generator (deleted)

ASCII text

dropped

Details

File:	/memfd:snapd-env-generator (deleted)
Category:	dropped
Dump:	memfd_snapd-env-generator (deleted).66.dr
ID:	dr_3
Target ID:	66
Process:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
Type:	ASCII text
Entropy:	3.7627880354948586
Encrypted:	false
Ssdeep:	3:+M4VMPQnMLmPQ9JEcwwbn:+M4m4MixcZb
Size:	76
Whitelisted:	false
Reputation:	high

/proc/6429/task/6430/comm

ASCII text, with no line terminators

dropped

Details

File:	/proc/6429/task/6430/comm
Category:	dropped
Dump:	comm.81.dr
ID:	dr_5
Target ID:	81
Process:	/usr/bin/nslookup
Type:	ASCII text, with no line terminators
Entropy:	3.09306920777189
Encrypted:	false
Ssdeep:	3:XfSPyVd:PSPS
Size:	14
Whitelisted:	false
Reputation:	high

/proc/6429/task/6431/comm

ASCII text, with no line terminators

dropped

Details

File:	/proc/6429/task/6431/comm
Category:	dropped
Dump:	comm0.81.dr
ID:	dr_6
Target ID:	81
Process:	/usr/bin/nslookup
Type:	ASCII text, with no line terminators
Entropy:	2.94770277922009
Encrypted:	false
Ssdeep:	3:XfRJy:P2
Size:	9
Whitelisted:	false
Reputation:	high

/proc/6429/task/6432/comm

ASCII text, with no line terminators

dropped

Details

File:	/proc/6429/task/6432/comm
Category:	dropped
Dump:	comm1.81.dr
ID:	dr_7
Target ID:	81
Process:	/usr/bin/nslookup
Type:	ASCII text, with no line terminators
Entropy:	3.084962500721156
Encrypted:	false
Ssdeep:	3:XfWdvRo:PWno
Size:	12
Whitelisted:	false
Reputation:	high

/usr/lib/systemd/system/uplugplay.service

ASCII text

dropped

Details

File:	/usr/lib/systemd/system/uplugplay.service
Category:	dropped
Dump:	uplugplay.service.12.dr
ID:	dr_1
Target ID:	12
Process:	/tmp/na.elf
Type:	ASCII text
Entropy:	4.769509838572339
Encrypted:	false
Ssdeep:	3:zMZa75X1PxQJqtWA1+DRvBADMikAdIgQ+aQmNJX4ev+sirSkQmWA1+DRvn:z8uXcqtWA4RZAMD+aBNdhTILQmWA4Rv
Size:	145
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

/tmp/na.elf

/bin/sh

sh -c "pgrep na.elf"

/bin/sh

/usr/bin/pgrep

pgrep na.elf

/tmp/na.elf

/bin/sh

sh -c "pidof na.elf"

/bin/sh

/usr/bin/pidof

pidof na.elf

/tmp/na.elf

/bin/sh

sh -c "pgrep uplugplay"

/bin/sh

/usr/bin/pgrep

pgrep uplugplay

/tmp/na.elf

/bin/sh

sh -c "pgrep upnpsetup"

/bin/sh

/usr/bin/pgrep

pgrep upnpsetup

/tmp/na.elf

/bin/sh

sh -c "pidof upnpsetup"

/bin/sh

/usr/bin/pidof

pidof upnpsetup

/tmp/na.elf

/bin/sh

sh -c "systemctl daemon-reload"

/bin/sh

/usr/bin/systemctl

systemctl daemon-reload

/tmp/na.elf

/bin/sh

sh -c "systemctl enable uplugplay.service"

/bin/sh

/usr/bin/systemctl

systemctl enable uplugplay.service

/tmp/na.elf

/bin/sh

sh -c "systemctl start uplugplay.service"

/bin/sh

/usr/bin/systemctl

systemctl start uplugplay.service

/usr/bin/dash

/usr/bin/rm

rm -f /tmp/tmp.O3o2oGOXJn /tmp/tmp.V9lcRtwRkW /tmp/tmp.OA4qhYcahA

/usr/bin/dash

/usr/bin/cat

cat /tmp/tmp.O3o2oGOXJn

/usr/bin/dash

/usr/bin/head

head -n 10

/usr/bin/dash

/usr/bin/tr

tr -d \\000-\\011\\013\\014\\016-\\037

/usr/bin/dash

/usr/bin/cut

cut -c -80

/usr/bin/dash

/usr/bin/cat

cat /tmp/tmp.O3o2oGOXJn

/usr/bin/dash

/usr/bin/head

head -n 10

/usr/bin/dash

/usr/bin/tr

tr -d \\000-\\011\\013\\014\\016-\\037

/usr/bin/dash

/usr/bin/cut

cut -c -80

/usr/bin/dash

/usr/bin/rm

rm -f /tmp/tmp.O3o2oGOXJn /tmp/tmp.V9lcRtwRkW /tmp/tmp.OA4qhYcahA

/usr/lib/systemd/systemd

/usr/lib/systemd/system-environment-generators/snapd-env-generator

/usr/lib/systemd/systemd

/usr/lib/systemd/system-environment-generators/snapd-env-generator

/usr/lib/systemd/systemd

/usr/sbin/uplugplay

/bin/sh

sh -c "/usr/sbin/uplugplay -Dcomsvc"

/bin/sh

/usr/sbin/uplugplay

/usr/sbin/uplugplay -Dcomsvc

/usr/sbin/uplugplay

/bin/sh

sh -c "nslookup p3.feefreepool.net 8.8.8.8"

/bin/sh

/usr/bin/nslookup

nslookup p3.feefreepool.net 8.8.8.8

There are 58 hidden processes, click here to show them.

URLs

Name

Malicious

http://p3.feefreepool.net/cgi-bin/prometei.cgihttp://dummy.zero/cgi-bin/prometei.cgihttps://gb7ni5rg

unknown

https://bugs.launchpad.net/ubuntu/

unknown

http://mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.b32.i2p/cgi-bin/prometei.cgi

unknown

http://p3.feefreepool.net/cgi-bin/prometei.cgi

unknown

https://gb7ni5rgeexdcncj.onion/cgi-bin/prometei.cgi

unknown

http://%s/cgi-bin/prometei.cgi

unknown

http://%s/cgi-bin/prometei.cgi?r=0&auth=hash&i=%s&enckey=%shttp://%s/cgi-bin/prometei.cgi%m%d%yxinch

unknown

https://http:///:.onion.i2p.zeroGET

unknown

http://dummy.zero/cgi-bin/prometei.cgi

unknown

http://%s/cgi-bin/prometei.cgi?r=0&auth=hash&i=%s&enckey=%s

unknown

Domains

Name

Malicious

p3.feefreepool.net

88.198.246.242

Details

Name:	p3.feefreepool.net
IP:	88.198.246.242
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found Tor onion address	Networking	Proxy
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

88.198.246.242

p3.feefreepool.net

Germany

54.171.230.55

unknown

United States

Details

IP:	54.171.230.55
TargetID:	-1
Country:	United States
Countrycode:	USA
ASN number:	16509
ASN name:	AMAZON-02US
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

109.202.202.202

unknown

Switzerland

Details

IP:	109.202.202.202
TargetID:	-1
Country:	Switzerland
Countrycode:	CHE
ASN number:	13030
ASN name:	INIT7CH
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.43

unknown

United Kingdom

Details

IP:	91.189.91.43
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.42

unknown

United Kingdom

Details

IP:	91.189.91.42
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

Download

7fa28526a000

page read and write

7fa2844d2000

page execute read

7fa300dfd000

page execute and read and write

7fa309fe3000

page read and write

7fa3037ff000

page execute and read and write

7fa302ffe000

page execute and read and write

7f7822e77000

page read and write

7f78234f9000

page read and write

7fa30a682000

page read and write

7fa309615000

page read and write

7fa30a2a1000

page read and write

7fa30acbd000

page read and write

7fa30ab94000

page read and write

7f779d26a000

page read and write

7f781c000000

page read and write

55f51bd15000

page execute read

7f782266f000

page read and write

7fa3005fc000

page execute and read and write

7f78234d6000

page read and write

7fa2ff5fa000

page execute and read and write

7f7823847000

page read and write

7fa30a642000

page read and write

7f7823b59000

page read and write

7f7822e85000

page read and write

7fa304021000

page read and write

55cd9ec8b000

page read and write

7fa280021000

page read and write

55cda0c89000

page execute and read and write

55cd9e9f9000

page execute read

7fa27c079000

page read and write

7fa302621000

page read and write

55cda1e26000

page read and write

7f7823135000

page read and write

7f781c021000

page read and write

55f51dfbc000

page read and write

7f7823b51000

page read and write

7fa2ffdfb000

page execute and read and write

7fa2fedf9000

page execute and read and write

7f7823516000

page read and write

7fa30acc5000

page read and write

55cd9ec81000

page read and write

55f51f38c000

page read and write

7fa309656000

page read and write

7fa3015fe000

page execute and read and write

55f51dfa5000

page execute and read and write

7fa30ad0a000

page read and write

7ffcca48e000

page read and write

55f51bfa7000

page read and write

7f7823a28000

page read and write

7fa30a665000

page read and write

7fa2844e7000

page read and write

7ffd9f1fb000

page execute read

7fa309719000

page read and write

7fa309697000

page read and write

7fa309ff1000

page read and write

7fa3096d8000

page read and write

7fa304000000

page read and write

55f51bf9d000

page read and write

7fa3097db000

page read and write

7f7823b9e000

page read and write

7fa30a9b3000

page read and write

7ffd9f1ef000

page read and write

7fa302600000

page execute and read and write

7fa301dff000

page execute and read and write

55cda0ca0000

page read and write

7ffcca4bb000

page execute read

There are 56 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
na.elf

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportna.elf

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
na.elf