Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

zJk9UEOnQ7

ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, stripped

initial sample

Details

Filetype:	ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, stripped
Entropy:	6.179513692558146
Filename:	zJk9UEOnQ7
Filesize:	63160
MD5:	309bf4c5ed21406e7014eb818dc1788f
SHA1:	a22d7169e00733c6de7a3ba69e8d05a38b635f13
SHA256:	040224bd9ea2a0069c349f9a514c3ccd977307f217516ecac9266897c1e6641d
SHA512:	613d2667cc9fbb4e6505140f06846886488add415f9ab115515242db2fadc8534dd3cd162f603f694bb0fe1c878938cb184f8702b4718a50f64d14289cabe286
SSDEEP:	1536:Z4b/GEEStcNEu6F+lnWgnE629to3s1xP8oHAHSN9:ipqNraez4focgSN9
Preview:	.ELF...........................4...(.....4. ...(.......................................................,............dt.Q................................@..(....@.8.................#.....`...`.....!....."...@.....".........`......$"..."...@...........`....

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
Enumerates processes within the "proc" file system	Persistence and Installation Behavior	OS Credential Dumping
Sample listens on a socket	Networking
Sample tries to kill a process (SIGKILL)	System Summary
Found detection on Joe Sandbox Cloud Basic with higher score	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
URLs found in memory or binary data	Networking

/proc/5310/oom_score_adj

ASCII text

dropped

Details

File:	/proc/5310/oom_score_adj
Category:	dropped
Dump:	oom_score_adj.55.dr
ID:	dr_1
Target ID:	55
Process:	/usr/sbin/sshd
Type:	ASCII text
Entropy:	1.7924812503605778
Encrypted:	false
Ssdeep:	3:ptn:Dn
Size:	6
Whitelisted:	false
Reputation:	high

/run/sshd.pid

ASCII text

dropped

Details

File:	/run/sshd.pid
Category:	dropped
Dump:	sshd.pid.55.dr
ID:	dr_2
Target ID:	55
Process:	/usr/sbin/sshd
Type:	ASCII text
Entropy:	2.321928094887362
Encrypted:	false
Ssdeep:	3:DUF:y
Size:	5
Whitelisted:	false
Reputation:	low

/var/cache/motd-news

ASCII text

dropped

Details

File:	/var/cache/motd-news
Category:	dropped
Dump:	motd-news.20.dr
ID:	dr_0
Target ID:	20
Process:	/usr/bin/cut
Type:	ASCII text
Entropy:	4.515771857099866
Encrypted:	false
Ssdeep:	3:P2lnI+5MsqqzNLz+FRNScHUBfRau95++sZzR5woLB1Fh0VTGTl/X5kURn:OZ8uNLzDc0pR75+9Zz/woFmIT52URn
Size:	191
Whitelisted:	false
Reputation:	moderate

Processes

Path

Cmdline

Malicious

/usr/bin/dash

n/a

/usr/bin/cat

cat /tmp/tmp.91tEJtbEWc

/usr/bin/dash

n/a

/usr/bin/head

head -n 10

/usr/bin/dash

n/a

/usr/bin/tr

tr -d \\000-\\011\\013\\014\\016-\\037

/usr/bin/dash

n/a

/usr/bin/cut

cut -c -80

/usr/bin/dash

n/a

/usr/bin/cat

cat /tmp/tmp.91tEJtbEWc

/usr/bin/dash

n/a

/usr/bin/head

head -n 10

/usr/bin/dash

n/a

/usr/bin/tr

tr -d \\000-\\011\\013\\014\\016-\\037

/usr/bin/dash

n/a

/usr/bin/cut

cut -c -80

/usr/bin/dash

n/a

/usr/bin/rm

rm -f /tmp/tmp.91tEJtbEWc /tmp/tmp.Zus0sicMvy /tmp/tmp.qH6x8mL5YT

/tmp/zJk9UEOnQ7

n/a

/tmp/zJk9UEOnQ7

n/a

/tmp/zJk9UEOnQ7

n/a

/tmp/zJk9UEOnQ7

n/a

/tmp/zJk9UEOnQ7

n/a

/tmp/zJk9UEOnQ7

n/a

/tmp/zJk9UEOnQ7

n/a

/tmp/zJk9UEOnQ7

n/a

/tmp/zJk9UEOnQ7

n/a

/tmp/zJk9UEOnQ7

n/a

/tmp/zJk9UEOnQ7

n/a

/tmp/zJk9UEOnQ7

n/a

/tmp/zJk9UEOnQ7

n/a

/tmp/zJk9UEOnQ7

n/a

/tmp/zJk9UEOnQ7

n/a

/tmp/zJk9UEOnQ7

n/a

/tmp/zJk9UEOnQ7

n/a

/tmp/zJk9UEOnQ7

n/a

/tmp/zJk9UEOnQ7

n/a

/tmp/zJk9UEOnQ7

n/a

/tmp/zJk9UEOnQ7

n/a

/tmp/zJk9UEOnQ7

n/a

/tmp/zJk9UEOnQ7

n/a

/usr/lib/systemd/systemd

n/a

/usr/sbin/sshd

/usr/sbin/sshd -t

/usr/lib/systemd/systemd

n/a

/usr/sbin/sshd

/usr/sbin/sshd -D

There are 36 hidden processes, click here to show them.

URLs

Name

Malicious

http://127.0.0.1:52869/picdesc.xml

91.214.119.55

Details

Name:	http://127.0.0.1:52869/picdesc.xml
IP:	91.214.119.55
TargetID:	-1
From Memory:	false
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)	Networking

http://37.0.9.202/bins/Hilix.mips

unknown

Details

Name:	http://37.0.9.202/bins/Hilix.mips
TargetID:	21057
From Memory:	true
Source:	zJk9UEOnQ7, 5241.1.000000003d7c595a.000000003a80a9d8.r-x.sdmp

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection
Multi AV Scanner detection for domain / URL	AV Detection
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

http://127.0.0.1:52869/wanipcn.xml

91.214.119.55

Details

Name:	http://127.0.0.1:52869/wanipcn.xml
IP:	91.214.119.55
TargetID:	-1
From Memory:	false
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)	Networking

http://schemas.xmlsoap.org/soap/encoding/

unknown

Details

Name:	http://schemas.xmlsoap.org/soap/encoding/
TargetID:	21057
From Memory:	true
Source:	zJk9UEOnQ7, 5241.1.000000003d7c595a.000000003a80a9d8.r-x.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

https://ubuntu.com/blog/microk8s-memory-optimisation

unknown

Details

Name:	https://ubuntu.com/blog/microk8s-memory-optimisation
TargetID:	20
From Memory:	true
Current Path:	/usr/bin/cut
Source:	motd-news.20.dr
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://schemas.xmlsoap.org/soap/envelope/

unknown

Details

Name:	http://schemas.xmlsoap.org/soap/envelope/
TargetID:	21057
From Memory:	true
Source:	zJk9UEOnQ7, 5241.1.000000003d7c595a.000000003a80a9d8.r-x.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

185.220.10.243

unknown

Spain

45.63.53.210

unknown

United States

103.92.122.33

unknown

India

177.200.187.233

unknown

Brazil

45.130.62.177

unknown

Israel

185.114.210.159

unknown

Switzerland

45.199.228.247

unknown

Seychelles

45.21.146.145

unknown

United States

105.103.188.148

unknown

Algeria

197.143.201.55

unknown

Algeria

91.90.138.87

unknown

Israel

197.19.253.197

unknown

Tunisia

197.44.77.183

unknown

Egypt

185.38.220.159

unknown

Poland

68.49.212.219

unknown

United States

45.153.14.26

unknown

Russian Federation

156.43.68.96

unknown

United Kingdom

172.255.87.27

unknown

United States

45.246.175.184

unknown

Egypt

45.246.175.186

unknown

Egypt

185.203.160.64

unknown

Iran (ISLAMIC Republic Of)

91.130.14.16

unknown

Austria

91.130.14.18

unknown

Austria

91.167.86.160

unknown

France

185.204.16.74

unknown

Czech Republic

185.21.99.33

unknown

Austria

185.166.97.85

unknown

Switzerland

91.167.86.167

unknown

France

91.178.113.232

unknown

Belgium

164.85.190.86

unknown

Brazil

91.183.234.36

unknown

Belgium

91.67.33.164

unknown

Germany

41.5.41.242

unknown

South Africa

91.67.33.166

unknown

Germany

8.40.221.25

unknown

United States

45.44.104.180

unknown

Canada

185.78.7.94

unknown

United Kingdom

91.163.145.86

unknown

France

45.237.182.82

unknown

Brazil

92.212.74.4

unknown

Germany

91.219.76.54

unknown

Netherlands

59.1.116.39

unknown

Korea Republic of

45.221.254.31

unknown

Benin

197.51.4.224

unknown

Egypt

91.184.212.207

unknown

Cyprus

45.50.54.54

unknown

United States

45.111.37.150

unknown

Egypt

201.67.116.239

unknown

Brazil

91.211.55.231

unknown

Russian Federation

45.145.30.185

unknown

Turkey

66.55.202.243

unknown

United States

119.104.84.1

unknown

Japan

45.227.105.109

unknown

Brazil

156.158.50.68

unknown

Tanzania United Republic of

197.211.66.63

unknown

South Africa

197.92.49.8

unknown

South Africa

2.135.247.91

unknown

Kazakhstan

45.127.206.114

unknown

Indonesia

45.106.6.117

unknown

Egypt

96.78.116.253

unknown

United States

89.61.196.207

unknown

Germany

185.50.154.127

unknown

United Kingdom

24.29.246.12

unknown

United States

91.100.152.119

unknown

Denmark

41.227.43.22

unknown

Tunisia

45.94.158.129

unknown

Ukraine

45.117.212.64

unknown

India

70.49.63.170

unknown

Canada

160.181.79.212

unknown

South Africa

140.123.127.169

unknown

Taiwan; Republic of China (ROC)

202.203.120.2

unknown

China

45.104.92.38

unknown

Egypt

185.156.114.171

unknown

Norway

185.228.32.110

unknown

Austria

45.104.148.70

unknown

Egypt

183.236.151.32

unknown

China

185.86.223.119

unknown

Iceland

45.30.40.163

unknown

United States

126.11.178.137

unknown

Japan

41.3.151.166

unknown

South Africa

91.66.119.226

unknown

Germany

45.91.88.230

unknown

Romania

45.9.118.68

unknown

Netherlands

103.200.224.62

unknown

China

45.48.194.85

unknown

United States

41.217.104.32

unknown

Nigeria

91.198.173.169

unknown

Switzerland

208.73.200.152

unknown

United States

185.78.207.26

unknown

United Kingdom

185.171.27.35

unknown

Turkey

185.156.114.187

unknown

Norway

185.248.70.63

unknown

Netherlands

156.13.155.42

unknown

New Zealand

185.19.109.116

unknown

United Kingdom

156.49.160.41

unknown

Sweden

185.25.208.150

unknown

United Kingdom

45.21.146.194

unknown

United States

45.246.175.149

unknown

Egypt

45.242.108.56

unknown

Egypt

42.122.248.206

unknown

China

There are 90 hidden IPs, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report

Files

Processes

URLs

IPs