IOC Report
efjepc.elf

Files

File Path

Type

Category

Malicious

Download

efjepc.elf

ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, stripped

initial sample

Details

Filetype:	ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, stripped
Entropy:	5.577577826781861
Filename:	efjepc.elf
Filesize:	162816
MD5:	e142ebfafd66b5fba15d66f0e4778cd3
SHA1:	5c7d26fdddc5f72da721716a21a6880714214334
SHA256:	866c7b98e222ea729842bc96af910d280c4668e9f61acd3cdb1e25b8083f9acd
SHA512:	bca4c402815a30e54abb0d17d9519632f030e847e4f3fb4b0b0a9c0832daf8afa599acd97f36d58c7ab94108b4980122d9150f9b0b1c323173b914e0063d2f17
SSDEEP:	1536:50nR1GNVetJ+yJvKR877Pxg2Mwbrgu/FkV4lcX0OS6RJeskdvAQ8G0PWAYw2DqI8:5UaA/v77xNbrDt7HO7RUaQ9TcV
Preview:	.ELF...........................4..y......4. ...(......................&...&...............0...0...0...I....H........dt.Q.............................!..\|......$H...H......$8!. \|...N.. .!..\|.......?.........z...../...@..\?.....0D.+../...A..$8...})....0DN..

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Deletes system log files	Hooking and other Techniques for Hiding and Protection	Indicator Removal
Manipulation of devices in /dev	Data Obfuscation
Sample deletes itself	Hooking and other Techniques for Hiding and Protection	File Deletion
Sample tries to kill multiple processes (SIGKILL)	System Summary	Service Stop
Enumerates processes within the "proc" file system	Persistence and Installation Behavior	OS Credential Dumping
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample tries to kill a process (SIGKILL)	System Summary
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion

/proc/5424/task/5424/comm

very short file (no magic)

dropped

Details

File:	/proc/5424/task/5424/comm
Category:	dropped
Dump:	comm.12.dr
ID:	dr_2
Target ID:	12
Process:	/tmp/efjepc.elf
Type:	very short file (no magic)
Entropy:	0.0
Encrypted:	false
Ssdeep:	3:I:I
Size:	1
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery

/tmp/qemu-open.DClMcj (deleted)

ASCII text

dropped

Details

File:	/tmp/qemu-open.DClMcj (deleted)
Category:	dropped
Dump:	qemu-open.DClMcj (deleted).12.dr
ID:	dr_1
Target ID:	12
Process:	/tmp/efjepc.elf
Type:	ASCII text
Entropy:	2.508467371678925
Encrypted:	false
Ssdeep:	3:EBFNKoKAMVG2EXWFVFe/FNvN:EB3KXYXCG/1
Size:	152
Whitelisted:	false
Reputation:	low

/tmp/qemu-open.MeefRi (deleted)

data

dropped

Details

File:	/tmp/qemu-open.MeefRi (deleted)
Category:	dropped
Dump:	qemu-open.MeefRi (deleted).12.dr
ID:	dr_3
Target ID:	12
Process:	/tmp/efjepc.elf
Type:	data
Entropy:	3.9500637564362093
Encrypted:	false
Ssdeep:	3:TgNVG2iHJN:TgQJN
Size:	26
Whitelisted:	false
Reputation:	moderate

/tmp/qemu-open.oObl1l (deleted)

ASCII text, with no line terminators

dropped

Details

File:	/tmp/qemu-open.oObl1l (deleted)
Category:	dropped
Dump:	qemu-open.oObl1l (deleted).12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/efjepc.elf
Type:	ASCII text, with no line terminators
Entropy:	3.337175341123077
Encrypted:	false
Ssdeep:	3:TgNVG2/:TgT
Size:	17
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

/tmp/efjepc.elf

/tmp/efjepc.elf

/tmp/efjepc.elf

-

/tmp/efjepc.elf

-

/tmp/efjepc.elf

-

/tmp/efjepc.elf

-

/usr/bin/xfce4-panel

-

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libsystray.so 6 12582920 systray "Notification Area" "Area where notification icons appear"

/usr/bin/xfce4-panel

-

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libstatusnotifier.so 7 12582921 statusnotifier "Status Notifier Plugin" "Provides a panel area for status notifier items (application indicators)"

/usr/bin/xfce4-panel

-

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libpulseaudio-plugin.so 8 12582922 pulseaudio "PulseAudio Plugin" "Adjust the audio volume of the PulseAudio sound system"

/usr/bin/xfce4-panel

-

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libxfce4powermanager.so 9 12582923 power-manager-plugin "Power Manager Plugin" "Display the battery levels of your devices and control the brightness of your display"

/usr/bin/xfce4-panel

-

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libnotification-plugin.so 10 12582924 notification-plugin "Notification Plugin" "Notification plugin for the Xfce panel"

/usr/bin/xfce4-panel

-

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libactions.so 14 12582925 actions "Action Buttons" "Log out, lock or other system actions"

/usr/bin/dash

-

/usr/bin/rm

rm -f /tmp/tmp.r537UGDdmb /tmp/tmp.3hQJd9yzJc /tmp/tmp.usH1vlJkGi

/usr/bin/dash

-

/usr/bin/cat

cat /tmp/tmp.r537UGDdmb

/usr/bin/dash

-

/usr/bin/head

head -n 10

/usr/bin/dash

-

/usr/bin/tr

tr -d \\000-\\011\\013\\014\\016-\\037

/usr/bin/dash

-

/usr/bin/cut

cut -c -80

/usr/bin/dash

-

/usr/bin/cat

cat /tmp/tmp.r537UGDdmb

/usr/bin/dash

-

/usr/bin/head

head -n 10

/usr/bin/dash

-

/usr/bin/tr

tr -d \\000-\\011\\013\\014\\016-\\037

/usr/bin/dash

-

/usr/bin/cut

cut -c -80

/usr/bin/dash

-

/usr/bin/rm

rm -f /tmp/tmp.r537UGDdmb /tmp/tmp.3hQJd9yzJc /tmp/tmp.usH1vlJkGi

/usr/bin/dbus-daemon

-

/usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd

/usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd

There are 29 hidden processes, click here to show them.

Domains

Name

IP

Malicious

raw.awaken-network.net

141.98.10.142

Details

Name:	raw.awaken-network.net
IP:	141.98.10.142
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

IP

Domain

Country

Malicious

54.217.10.153

unknown

United States

Details

IP:	54.217.10.153
TargetID:	-1
Country:	United States
Countrycode:	USA
ASN number:	16509
ASN name:	AMAZON-02US
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

141.98.10.142

raw.awaken-network.net

Lithuania

Details

IP:	141.98.10.142
TargetID:	-1
Country:	Lithuania
Countrycode:	LTU
ASN number:	209605
ASN name:	HOSTBALTICLT
Private:	false
Domain:	raw.awaken-network.net

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

Memdumps

Base Address

Regiontype

Protect

Malicious

Download

7f5f18024000

page execute read

7f600cb81000

page read and write

7f600d1d2000

page read and write

55730bfaf000

page read and write

557309f93000

page read and write

7ffe3be6d000

page execute read

7f600d6b8000

page read and write

7f600d673000

page read and write

7f5f18039000

page read and write

557309d10000

page execute read

7f600d66b000

page read and write

7f5f18046000

page read and write

7f600cb73000

page read and write

7f600c370000

page read and write

557309d10000

page execute read

7f600d1f7000

page read and write

7f6008021000

page read and write

7f600ce10000

page read and write

557309f9b000

page read and write

7f6008000000

page read and write

55730bf99000

page execute and read and write

7f600d542000

page read and write

55730d153000

page read and write

7ffe3be40000

page read and write

There are 14 hidden memdumps, click here to show them.