Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Download

efefa7.elf

ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, with debug_info, not stripped

initial sample

Details

Filetype:	ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, with debug_info, not stripped
Entropy:	5.87169389816735
Filename:	efefa7.elf
Filesize:	177056
MD5:	7680ab1d5888a665c5d5a1c4be985cd0
SHA1:	6db351e9f2eabb37f8c6b5efbe8dd913340e01ea
SHA256:	a5e3e7a27988bb59e06e7fddd223c803a939a4af9403a0e7f94f1fd35072a3d8
SHA512:	b668d2f2dec3f7f61a9c86a1a5d74f27ce1941a7cc488344ca072ef589c51af5cc1c28aa59f0ed904165347e103e3ddab22ca05219c5ee0c699d439e5ed61c48
SSDEEP:	3072:uuSYhkAxaaQsY6WGa/zD/wZA9qhnRXMWTQaRNy9faLBM/9uKwcf0:uuSYKRaBhda/zD/wZAIh1MCQcU9fa1MK
Preview:	.ELF..............(.........4...\|.......4. ...(........p<...<-..<-..8...8...........................t...t...........................................................................Q.td..................................-...L..................@-.,@...0....S

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Manipulation of devices in /dev	Data Obfuscation
Sample deletes itself	Hooking and other Techniques for Hiding and Protection	File Deletion
Enumerates processes within the "proc" file system	Persistence and Installation Behavior	OS Credential Dumping
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample and/or dropped files contains symbols with suspicious names	System Summary	Masquerading
Sample tries to kill a process (SIGKILL)	System Summary
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion

/proc/6212/task/6212/comm

very short file (no magic)

dropped

Details

File:	/proc/6212/task/6212/comm
Category:	dropped
Dump:	comm.12.dr
ID:	dr_2
Target ID:	12
Process:	/tmp/efefa7.elf
Type:	very short file (no magic)
Entropy:	0.0
Encrypted:	false
Ssdeep:	3:I:I
Size:	1
Whitelisted:	false
Reputation:	moderate

/tmp/qemu-open.Cip1DW (deleted)

ASCII text

dropped

Details

File:	/tmp/qemu-open.Cip1DW (deleted)
Category:	dropped
Dump:	qemu-open.Cip1DW (deleted).12.dr
ID:	dr_1
Target ID:	12
Process:	/tmp/efefa7.elf
Type:	ASCII text
Entropy:	2.524850430860984
Encrypted:	false
Ssdeep:	3:HXACLNTUdVvo/FNvN:3zNYdVA/1
Size:	152
Whitelisted:	false
Reputation:	low

/tmp/qemu-open.KGNrcW (deleted)

data

dropped

Details

File:	/tmp/qemu-open.KGNrcW (deleted)
Category:	dropped
Dump:	qemu-open.KGNrcW (deleted).12.dr
ID:	dr_3
Target ID:	12
Process:	/tmp/efefa7.elf
Type:	data
Entropy:	3.921029621737614
Encrypted:	false
Ssdeep:	3:TgPLc8HJN:TgzFJN
Size:	26
Whitelisted:	false
Reputation:	moderate

/tmp/qemu-open.TPu1FT (deleted)

ASCII text, with no line terminators

dropped

Details

File:	/tmp/qemu-open.TPu1FT (deleted)
Category:	dropped
Dump:	qemu-open.TPu1FT (deleted).12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/efefa7.elf
Type:	ASCII text, with no line terminators
Entropy:	3.292770193936991
Encrypted:	false
Ssdeep:	3:TgPLyn:Tgzy
Size:	17
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

/tmp/efefa7.elf

/usr/bin/dash

/usr/bin/rm

rm -f /tmp/tmp.FO5ZfineMZ /tmp/tmp.v0FO74aAEU /tmp/tmp.XjvKqPdygn

/usr/bin/dash

/usr/bin/cat

cat /tmp/tmp.FO5ZfineMZ

/usr/bin/dash

/usr/bin/head

head -n 10

/usr/bin/dash

/usr/bin/tr

tr -d \\000-\\011\\013\\014\\016-\\037

/usr/bin/dash

/usr/bin/cut

cut -c -80

/usr/bin/dash

/usr/bin/cat

cat /tmp/tmp.FO5ZfineMZ

/usr/bin/dash

/usr/bin/head

head -n 10

/usr/bin/dash

/usr/bin/tr

tr -d \\000-\\011\\013\\014\\016-\\037

/usr/bin/dash

/usr/bin/cut

cut -c -80

/usr/bin/dash

/usr/bin/rm

rm -f /tmp/tmp.FO5ZfineMZ /tmp/tmp.v0FO74aAEU /tmp/tmp.XjvKqPdygn

There are 15 hidden processes, click here to show them.

Domains

Name

Malicious

raw.awaken-network.net

141.98.10.142

Details

Name:	raw.awaken-network.net
IP:	141.98.10.142
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Sends malformed DNS queries	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Found strings indicative of a multi-platform dropper	Spreading	Scripting
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

raw.awaken-network.net. [malformed]

unknown

IPs

Domain

Country

Malicious

54.171.230.55

unknown

United States

Details

IP:	54.171.230.55
TargetID:	-1
Country:	United States
Countrycode:	USA
ASN number:	16509
ASN name:	AMAZON-02US
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

141.98.10.142

raw.awaken-network.net

Lithuania

Details

IP:	141.98.10.142
TargetID:	-1
Country:	Lithuania
Countrycode:	LTU
ASN number:	209605
ASN name:	HOSTBALTICLT
Private:	false
Domain:	raw.awaken-network.net

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

109.202.202.202

unknown

Switzerland

Details

IP:	109.202.202.202
TargetID:	-1
Country:	Switzerland
Countrycode:	CHE
ASN number:	13030
ASN name:	INIT7CH
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.43

unknown

United Kingdom

Details

IP:	91.189.91.43
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.42

unknown

United Kingdom

Details

IP:	91.189.91.42
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

Download

7f86b24f3000

page read and write

56330aa7d000

page execute read

7f86b168c000

page read and write

56330ccec000

page read and write

56330d118000

page read and write

56330acd7000

page read and write

7f86b2682000

page read and write

7f85ac032000

page execute read

56330acd7000

page read and write

7f85ac032000

page execute read

56330d118000

page read and write

7f86b1f26000

page read and write

7fff06f5e000

page execute read

7f85ac158000

page read and write

56330d13c000

page read and write

56330ccd5000

page execute and read and write

7f86b2288000

page read and write

7f86b2b92000

page read and write

7f85ac048000

page read and write

7f86b2a45000

page read and write

7f86b2bd7000

page read and write

7f85ac048000

page read and write

7f86b2864000

page read and write

7f86b2516000

page read and write

7f86b1f26000

page read and write

7f86b2b6e000

page read and write

56330ccec000

page read and write

7f86b168c000

page read and write

7f86abfff000

page read and write

7f86b2516000

page read and write

7f86b24f3000

page read and write

7f85ac03b000

page read and write

7f86b2b92000

page read and write

7f86b2b92000

page read and write

7f86ac021000

page read and write

7f85ac048000

page read and write

7f86b2b6e000

page read and write

7f85ac032000

page execute read

7f86ac021000

page read and write

7fff06f5e000

page execute read

56330acd7000

page read and write

56330acce000

page read and write

7fff06f5e000

page execute read

7fff06e8c000

page read and write

7f86b2288000

page read and write

7f86b2682000

page read and write

7f86b2516000

page read and write

7f86b1e94000

page read and write

7fff06e8c000

page read and write

56330acce000

page read and write

7f86b2a45000

page read and write

7f86b2bd7000

page read and write

7f86abfff000

page read and write

56330ccd5000

page execute and read and write

7f86ac021000

page read and write

56330ccec000

page read and write

56330d15f000

page read and write

7f86b2a45000

page read and write

56330aa7d000

page execute read

7f86b2864000

page read and write

7f86b24f3000

page read and write

7f86abfff000

page read and write

7f85ac03b000

page read and write

7f86b2864000

page read and write

7f85ac03b000

page read and write

7f86b2b6e000

page read and write

7f86b2682000

page read and write

7f86b1e94000

page read and write

7fff06e8c000

page read and write

56330aa7d000

page execute read

56330ccd5000

page execute and read and write

7f86b2288000

page read and write

56330acce000

page read and write

7f86b2bd7000

page read and write

7f86b1f26000

page read and write

7f86b168c000

page read and write

7f86b1e94000

page read and write

There are 67 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
efefa7.elf

Files

Processes

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportefefa7.elf

Files

Processes

Domains

IPs

Memdumps

IOC Report
efefa7.elf