Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

YpKL484IG5

ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped

initial sample

Details

Filetype:	ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
Entropy:	6.667136040804854
Filename:	YpKL484IG5
Filesize:	32140
MD5:	e9e2ace904c9f2049ee2d16403868e50
SHA1:	dcd1a8cef227c63725ed272a8b9e83f8306104d8
SHA256:	0ace9c1e48517f73c6385f9ebdf3f67a9e7a37bddca6503e1d8f5f6ad7dc91a6
SHA512:	f4bf61bbc2cd88641adddceb7544e53b2f9abae6e62f03bc2898cc1e2f714135e340ad2abde01beadc71064320c494dbfb5159c18675f0a448c22a795f380177
SSDEEP:	384:D+kUtKh11Cj3vHN2btttaukXT0oPaqO7LPaokol9rH/WUqBUMt9CH7Kzgsb:D+kUtKtCj3vHCEDGqpol9rfX+Ce
Preview:	.ELF.....................@.4....{......4. ...(...............@...@..g...g...............g...gA..gA.....X%..........Q.td............................././"O.n........#.@........#.*@.`...o&O.n...l..............................././.../.a"O.!...n...a.b("...q.

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion
Enumerates processes within the "proc" file system	Persistence and Installation Behavior	OS Credential Dumping
Sample tries to kill a process (SIGKILL)	System Summary
Found detection on Joe Sandbox Cloud Basic with higher score	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery

/tmp/qemu-open.1prlPu (deleted)

ASCII text, with no line terminators

dropped

Details

File:	/tmp/qemu-open.1prlPu (deleted)
Category:	dropped
Dump:	qemu-open.1prlPu (deleted).12.dr
ID:	dr_3
Target ID:	12
Process:	/tmp/YpKL484IG5
Type:	ASCII text, with no line terminators
Entropy:	3.625
Encrypted:	false
Ssdeep:	3:TgIJ:Tgo
Size:	16
Whitelisted:	false
Reputation:	low

/tmp/qemu-open.F9rJYt (deleted)

ASCII text, with no line terminators

dropped

Details

File:	/tmp/qemu-open.F9rJYt (deleted)
Category:	dropped
Dump:	qemu-open.F9rJYt (deleted).12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/YpKL484IG5
Type:	ASCII text, with no line terminators
Entropy:	3.625
Encrypted:	false
Ssdeep:	3:TgIJ:Tgo
Size:	16
Whitelisted:	false
Reputation:	low

/tmp/qemu-open.g4pvNs (deleted)

ASCII text, with no line terminators

dropped

Details

File:	/tmp/qemu-open.g4pvNs (deleted)
Category:	dropped
Dump:	qemu-open.g4pvNs (deleted).12.dr
ID:	dr_1
Target ID:	12
Process:	/tmp/YpKL484IG5
Type:	ASCII text, with no line terminators
Entropy:	3.625
Encrypted:	false
Ssdeep:	3:TgIJ:Tgo
Size:	16
Whitelisted:	false
Reputation:	low

/tmp/qemu-open.v6w7Qw (deleted)

ASCII text, with no line terminators

dropped

Details

File:	/tmp/qemu-open.v6w7Qw (deleted)
Category:	dropped
Dump:	qemu-open.v6w7Qw (deleted).12.dr
ID:	dr_2
Target ID:	12
Process:	/tmp/YpKL484IG5
Type:	ASCII text, with no line terminators
Entropy:	3.625
Encrypted:	false
Ssdeep:	3:TgIJ:Tgo
Size:	16
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

/tmp/YpKL484IG5

Details

PID:	5237
Target ID:	10
Parent PID:	5119
Name:	YpKL484IG5
Path:	/tmp/YpKL484IG5
Commandline:	/tmp/YpKL484IG5
Size:	4139976
MD5:	8943e5f8f8c280467b4472c15ae93ba9
Time:	09:02:59
Date:	29/10/2021

/tmp/YpKL484IG5

n/a

Details

PID:	5239
Target ID:	11
Parent PID:	5237
Name:	YpKL484IG5
Path:	/tmp/YpKL484IG5
Commandline:	n/a
Size:	4139976
MD5:	8943e5f8f8c280467b4472c15ae93ba9
Time:	09:03:00
Date:	29/10/2021

/tmp/YpKL484IG5

n/a

Details

PID:	5241
Target ID:	12
Parent PID:	5239
Name:	YpKL484IG5
Path:	/tmp/YpKL484IG5
Commandline:	n/a
Size:	4139976
MD5:	8943e5f8f8c280467b4472c15ae93ba9
Time:	09:03:00
Date:	29/10/2021

IPs

Domain

Country

Malicious

45.95.169.120

unknown

Croatia (LOCAL Name: Hrvatska)

Details

IP:	45.95.169.120
TargetID:	-1
Country:	Croatia (LOCAL Name: Hrvatska)
Countrycode:	HRV
ASN number:	42864
ASN name:	GIGANET-HUGigaNetInternetServiceProviderCoHU
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

209.90.166.193

unknown

Canada

Details

IP:	209.90.166.193
TargetID:	-1
Country:	Canada
Countrycode:	CAN
ASN number:	6407
ASN name:	PRIMUS-AS6407CA
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

109.202.202.202

unknown

Switzerland

Details

IP:	109.202.202.202
TargetID:	-1
Country:	Switzerland
Countrycode:	CHE
ASN number:	13030
ASN name:	INIT7CH
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

182.52.32.82

unknown

Thailand

Details

IP:	182.52.32.82
TargetID:	-1
Country:	Thailand
Countrycode:	THA
ASN number:	23969
ASN name:	TOT-NETTOTPublicCompanyLimitedTH
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.43

unknown

United Kingdom

Details

IP:	91.189.91.43
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.42

unknown

United Kingdom

Details

IP:	91.189.91.42
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report

Files

Processes

IPs