Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Download

na.elf

ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), statically linked, for GNU/Linux 3.2.0, BuildID[sha1]=bc565f9f2dafc5618defa8eccf705f85712c87da, stripped

initial sample

Details

Filetype:	ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), statically linked, for GNU/Linux 3.2.0, BuildID[sha1]=bc565f9f2dafc5618defa8eccf705f85712c87da, stripped
Entropy:	5.765280130468546
Filename:	na.elf
Filesize:	920568
MD5:	4e62da572d8d534830dd2e38ca383e56
SHA1:	daadc0a3d4c124000410d117094394859691c349
SHA256:	1f156e8d364eeb36eafa213669c508d72ccb516f96852dcd61102f2a65d8cc05
SHA512:	b569dcf84faf41b3ba3d17b8e22245d1d19cf85f6b3eb72f17e9156eac084ab8e82cf62799a39d7c68aab0826e6797384a023f8a8119a5f8eaf1a7411d8bf261
SSDEEP:	12288:qb143S0q+8eXS1/f2Wc3slC3yjTjMv+9XSJhBXEsV3b9gh4J8zMSv7MzOup8Mpl8:qmShf4OTjMgXSJhBXEsVrmz9MOup1Kh7
Preview:	.ELF.....................@.....4....p....4. ...(.#."p......X.@.X.@.X................p......p.@.p.@.p.........................@...@........................&..N&..N&...F...V................4.@.4.@.4... ... .................@...@.....$...$..............'..N'

Signature Hits	Behavior Group	Mitre Attack
Malicious sample detected (through community Yara rule)	System Summary
Drops files in suspicious directories	Hooking and other Techniques for Hiding and Protection	Masquerading
Found Tor onion address	Networking	Proxy
Sample deletes itself	Hooking and other Techniques for Hiding and Protection	File Deletion
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Sample tries to set the executable flag	Persistence and Installation Behavior	File and Directory Permissions Modification
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion
Writes ELF files to disk	Persistence and Installation Behavior
Yara signature match	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
URLs found in memory or binary data	Networking

/etc/CommId

ASCII text, with no line terminators

dropped

Details

File:	/etc/CommId
Category:	dropped
Dump:	CommId.59.dr
ID:	dr_4
Target ID:	59
Process:	/usr/sbin/uplugplay
Type:	ASCII text, with no line terminators
Entropy:	3.875
Encrypted:	false
Ssdeep:	3:IGTrn:IG3
Size:	16
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Found Tor onion address	Networking	Proxy

/usr/sbin/uplugplay

ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), statically linked, for GNU/Linux 3.2.0, BuildID[sha1]=bc565f9f2dafc5618defa8eccf705f85712c87da, stripped

dropped

Details

File:	/usr/sbin/uplugplay
Category:	dropped
Dump:	uplugplay.12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/na.elf
Type:	ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), statically linked, for GNU/Linux 3.2.0, BuildID[sha1]=bc565f9f2dafc5618defa8eccf705f85712c87da, stripped
Entropy:	5.765280130468546
Encrypted:	false
Ssdeep:	12288:qb143S0q+8eXS1/f2Wc3slC3yjTjMv+9XSJhBXEsV3b9gh4J8zMSv7MzOup8Mpl8:qmShf4OTjMgXSJhBXEsVrmz9MOup1Kh7
Size:	920568
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Yara detected Prometei	Bitcoin Miner
Yara detected Prometei	Bitcoin Miner
Drops files in suspicious directories	Hooking and other Techniques for Hiding and Protection	Masquerading
Found Tor onion address	Networking	Proxy
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Sample tries to set the executable flag	Persistence and Installation Behavior	File and Directory Permissions Modification
Writes ELF files to disk	Persistence and Installation Behavior
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery

/memfd:snapd-env-generator (deleted)

ASCII text

dropped

Details

File:	/memfd:snapd-env-generator (deleted)
Category:	dropped
Dump:	memfd_snapd-env-generator (deleted).48.dr
ID:	dr_3
Target ID:	48
Process:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
Type:	ASCII text
Entropy:	3.7627880354948586
Encrypted:	false
Ssdeep:	3:+M4VMPQnMLmPQ9JEcwwbn:+M4m4MixcZb
Size:	76
Whitelisted:	false
Reputation:	high

/proc/5609/task/5612/comm

ASCII text, with no line terminators

dropped

Details

File:	/proc/5609/task/5612/comm
Category:	dropped
Dump:	comm.63.dr
ID:	dr_5
Target ID:	63
Process:	/usr/bin/nslookup
Type:	ASCII text, with no line terminators
Entropy:	3.09306920777189
Encrypted:	false
Ssdeep:	3:XfSPyVd:PSPS
Size:	14
Whitelisted:	false
Reputation:	high

/proc/5609/task/5613/comm

ASCII text, with no line terminators

dropped

Details

File:	/proc/5609/task/5613/comm
Category:	dropped
Dump:	comm0.63.dr
ID:	dr_6
Target ID:	63
Process:	/usr/bin/nslookup
Type:	ASCII text, with no line terminators
Entropy:	2.94770277922009
Encrypted:	false
Ssdeep:	3:XfRJy:P2
Size:	9
Whitelisted:	false
Reputation:	high

/proc/5609/task/5614/comm

ASCII text, with no line terminators

dropped

Details

File:	/proc/5609/task/5614/comm
Category:	dropped
Dump:	comm1.63.dr
ID:	dr_7
Target ID:	63
Process:	/usr/bin/nslookup
Type:	ASCII text, with no line terminators
Entropy:	3.084962500721156
Encrypted:	false
Ssdeep:	3:XfWdvRo:PWno
Size:	12
Whitelisted:	false
Reputation:	high

/usr/lib/systemd/system/uplugplay.service

ASCII text

dropped

Details

File:	/usr/lib/systemd/system/uplugplay.service
Category:	dropped
Dump:	uplugplay.service.12.dr
ID:	dr_1
Target ID:	12
Process:	/tmp/na.elf
Type:	ASCII text
Entropy:	4.769509838572339
Encrypted:	false
Ssdeep:	3:zMZa75X1PxQJqtWA1+DRvBADMikAdIgQ+aQmNJX4ev+sirSkQmWA1+DRvn:z8uXcqtWA4RZAMD+aBNdhTILQmWA4Rv
Size:	145
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

/tmp/na.elf

/bin/sh

sh -c "pgrep na.elf"

/bin/sh

/usr/bin/pgrep

pgrep na.elf

/tmp/na.elf

/bin/sh

sh -c "pidof na.elf"

/bin/sh

/usr/bin/pidof

pidof na.elf

/tmp/na.elf

/bin/sh

sh -c "pgrep uplugplay"

/bin/sh

/usr/bin/pgrep

pgrep uplugplay

/tmp/na.elf

/bin/sh

sh -c "pidof uplugplay"

/bin/sh

/usr/bin/pidof

pidof uplugplay

/tmp/na.elf

/bin/sh

sh -c "pgrep upnpsetup"

/bin/sh

/usr/bin/pgrep

pgrep upnpsetup

/tmp/na.elf

/bin/sh

sh -c "pidof upnpsetup"

/bin/sh

/usr/bin/pidof

pidof upnpsetup

/tmp/na.elf

/bin/sh

sh -c "systemctl daemon-reload"

/bin/sh

/usr/bin/systemctl

systemctl daemon-reload

/tmp/na.elf

/bin/sh

sh -c "systemctl enable uplugplay.service"

/bin/sh

/usr/bin/systemctl

systemctl enable uplugplay.service

/tmp/na.elf

/bin/sh

sh -c "systemctl start uplugplay.service"

/bin/sh

/usr/bin/systemctl

systemctl start uplugplay.service

/usr/lib/systemd/systemd

/usr/lib/systemd/system-environment-generators/snapd-env-generator

/usr/lib/systemd/systemd

/usr/lib/systemd/system-environment-generators/snapd-env-generator

/usr/lib/systemd/systemd

/usr/sbin/uplugplay

/bin/sh

sh -c "/usr/sbin/uplugplay -Dcomsvc"

/bin/sh

/usr/sbin/uplugplay

/usr/sbin/uplugplay -Dcomsvc

/usr/sbin/uplugplay

/bin/sh

sh -c "nslookup p3.feefreepool.net 8.8.8.8"

/bin/sh

/usr/bin/nslookup

nslookup p3.feefreepool.net 8.8.8.8

There are 42 hidden processes, click here to show them.

URLs

Name

Malicious

http://p3.feefreepool.net/cgi-bin/prometei.cgihttp://dummy.zero/cgi-bin/prometei.cgihttps://gb7ni5rg

unknown

https://bugs.launchpad.net/ubuntu/

unknown

http://mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.b32.i2p/cgi-bin/prometei.cgi

unknown

http://p3.feefreepool.net/cgi-bin/prometei.cgi

unknown

https://gb7ni5rgeexdcncj.onion/cgi-bin/prometei.cgi

unknown

http://%s/cgi-bin/prometei.cgi

unknown

http://%s/cgi-bin/prometei.cgi?r=0&auth=hash&i=%s&enckey=%shttp://%s/cgi-bin/prometei.cgi%m%d%yxinch

unknown

https://http:///:.onion.i2p.zeroGET

unknown

http://dummy.zero/cgi-bin/prometei.cgi

unknown

http://%s/cgi-bin/prometei.cgi?r=0&auth=hash&i=%s&enckey=%s

unknown

Domains

Name

Malicious

p3.feefreepool.net

88.198.246.242

Details

Name:	p3.feefreepool.net
IP:	88.198.246.242
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found Tor onion address	Networking	Proxy
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

88.198.246.242

p3.feefreepool.net

Germany

Details

IP:	88.198.246.242
TargetID:	-1
Country:	Germany
Countrycode:	DEU
ASN number:	24940
ASN name:	HETZNER-ASDE
Private:	false
Domain:	p3.feefreepool.net

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

Download

7f2e9126a000

page read and write

7f2e904d2000

page execute read

7f2f17383000

page read and write

7f2f17446000

page read and write

55df88fd9000

page execute read

7f24b67b7000

page read and write

7ffe2d2c5000

page read and write

55acd0e42000

page execute and read and write

7f2f18762000

page read and write

7f2f0bdfb000

page execute and read and write

7f24b67a9000

page read and write

7f2f10021000

page read and write

7f2f18414000

page read and write

7f24b7179000

page read and write

55accee44000

page read and write

7f2f0b5fa000

page execute and read and write

7f2f0a5f8000

page execute and read and write

7f2f10000000

page read and write

7f24b74d0000

page read and write

7f243126a000

page read and write

7f24b748b000

page read and write

7f2f18431000

page read and write

7f2f173c4000

page read and write

55df8926b000

page read and write

7f2f0e621000

page read and write

7f2f18943000

page read and write

7f24b6a67000

page read and write

7f2e8c021000

page read and write

7f2f17d92000

page read and write

7ffe2d3a1000

page execute read

55acd0e59000

page read and write

7f24b7483000

page read and write

7fff13fa9000

page read and write

7f2f0adf9000

page execute and read and write

7f2f0d5fe000

page execute and read and write

7f2f17da0000

page read and write

7f2e904e7000

page read and write

55df89261000

page read and write

55df8b269000

page execute and read and write

7f2e88090000

page read and write

7f2f0effe000

page execute and read and write

7f2f09df7000

page execute and read and write

7f2f0cdfd000

page execute and read and write

7f2f0e600000

page execute and read and write

55acd1f63000

page read and write

7f24b735a000

page read and write

7f24b0021000

page read and write

7f24b5fa1000

page read and write

7f2f18a6c000

page read and write

7f2f17405000

page read and write

55df8c4c1000

page read and write

7f24b6e48000

page read and write

7f24b6e2b000

page read and write

55accebb2000

page execute read

55accee3a000

page read and write

7f24b6e08000

page read and write

7f24b0000000

page read and write

7f2f0ddff000

page execute and read and write

7fff13ffb000

page execute read

7f2f0c5fc000

page execute and read and write

7f2f18a74000

page read and write

55df8b280000

page read and write

7f2f0f7ff000

page execute and read and write

7f2f183f1000

page read and write

7f2f17487000

page read and write

7f2f18ab9000

page read and write

7f2f1758a000

page read and write

7f2f18050000

page read and write

7f2f174c8000

page read and write

There are 59 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
na.elf

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportna.elf

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
na.elf