Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Yoshi.x86-20211110-0350

ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped

initial sample

Details

Filetype:	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
Entropy:	6.464702529748402
Filename:	Yoshi.x86-20211110-0350
Filesize:	111376
MD5:	cb3473a526b235ecf6fbbc98dbe82c94
SHA1:	acb10559e631f61d25fa9a3a2220e4d6c26982d3
SHA256:	c78e289b48b8290926103ded72ca2dcdc17ba5f6cf5b2d8178b0526ab6248c94
SHA512:	867f2d3835039902fa163e5c41b6d69b6f32fa8a9b3a8a3092f9143db8a3c17fb021014ccf2cf7edc8d8125f5bc899765c9e244de6b34c1f3a1e7cf7a1074f3b
SSDEEP:	3072:hV4ifcpWpQS4fdtFZLluZbGsEzeYi7vDWzbCYld9n:vXQCH4fPF9gZ1EqxDWqI
Preview:	.ELF....................d...4...........4. ...(..............................................0...0..@...@...........Q.td............................U..S.......w....h....3...[]...$.............U......=@1...t..5....$0.....$0......u........t....h./..........

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Yara signature match	System Summary
Enumerates processes within the "proc" file system	Persistence and Installation Behavior	OS Credential Dumping
Sample tries to kill a process (SIGKILL)	System Summary
Found detection on Joe Sandbox Cloud Basic with higher score	System Summary

/run/user/127/dconf/user

very short file (no magic)

dropped

Details

File:	/run/user/127/dconf/user
Category:	dropped
Dump:	user.36.dr
ID:	dr_1
Target ID:	36
Process:	/usr/bin/gnome-shell
Type:	very short file (no magic)
Entropy:	0.0
Encrypted:	false
Ssdeep:	3::
Size:	1
Whitelisted:	false
Reputation:	moderate

/run/user/127/pulse/pid

ASCII text

dropped

Details

File:	/run/user/127/pulse/pid
Category:	dropped
Dump:	pid.73.dr
ID:	dr_4
Target ID:	73
Process:	/usr/bin/pulseaudio
Type:	ASCII text
Entropy:	1.9219280948873623
Encrypted:	false
Ssdeep:	3:JTQv:d6
Size:	5
Whitelisted:	false
Reputation:	low

/tmp/server-0.xkm

Compiled XKB Keymap: lsb, version 15

dropped

Details

File:	/tmp/server-0.xkm
Category:	dropped
Dump:	server-0.xkm.55.dr
ID:	dr_3
Target ID:	55
Process:	/usr/bin/xkbcomp
Type:	Compiled XKB Keymap: lsb, version 15
Entropy:	4.8492493153178975
Encrypted:	false
Ssdeep:	192:tDyb2zOmnECQmwTVFfLaSLus4UVcqLkjoqdD//HJeCQ1+JdDx0s2T:tDyAxvYhFf+S6tUzmp7/1MJ
Size:	12060
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting

/var/cache/motd-news

ASCII text

dropped

Details

File:	/var/cache/motd-news
Category:	dropped
Dump:	motd-news.30.dr
ID:	dr_0
Target ID:	30
Process:	/usr/bin/cut
Type:	ASCII text
Entropy:	4.515771857099866
Encrypted:	false
Ssdeep:	3:P2lnI+5MsqqzNLz+FRNScHUBfRau95++sZzR5woLB1Fh0VTGTl/X5kURn:OZ8uNLzDc0pR75+9Zz/woFmIT52URn
Size:	191
Whitelisted:	false
Reputation:	moderate

/var/lib/gdm3/.config/ibus/bus/ee49dfd4fa47433baee88884e2d7de7c-unix-0

ASCII text

dropped

Details

File:	/var/lib/gdm3/.config/ibus/bus/ee49dfd4fa47433baee88884e2d7de7c-unix-0
Category:	dropped
Dump:	ee49dfd4fa47433baee88884e2d7de7c-unix-0.39.dr
ID:	dr_2
Target ID:	39
Process:	/usr/bin/ibus-daemon
Type:	ASCII text
Entropy:	5.169155049816653
Encrypted:	false
Ssdeep:	6:SbF4b2sONeZVkSoQ65EfqFFAU+qmnQT23msRvkTFacecf8h/zKLGWWvDmkH19v:q5sU3LWfLUDmQymqSFbfomShzfv
Size:	381
Whitelisted:	false
Reputation:	low

/var/lib/gdm3/.config/pulse/ee49dfd4fa47433baee88884e2d7de7c-default-sink

very short file (no magic)

dropped

Details

File:	/var/lib/gdm3/.config/pulse/ee49dfd4fa47433baee88884e2d7de7c-default-sink
Category:	dropped
Dump:	ee49dfd4fa47433baee88884e2d7de7c-default-sink.73.dr
ID:	dr_5
Target ID:	73
Process:	/usr/bin/pulseaudio
Type:	very short file (no magic)
Entropy:	0.0
Encrypted:	false
Ssdeep:	3:v:v
Size:	1
Whitelisted:	false
Reputation:	moderate

/var/lib/gdm3/.config/pulse/ee49dfd4fa47433baee88884e2d7de7c-default-source

very short file (no magic)

dropped

Details

File:	/var/lib/gdm3/.config/pulse/ee49dfd4fa47433baee88884e2d7de7c-default-source
Category:	dropped
Dump:	ee49dfd4fa47433baee88884e2d7de7c-default-source.73.dr
ID:	dr_6
Target ID:	73
Process:	/usr/bin/pulseaudio
Type:	very short file (no magic)
Entropy:	0.0
Encrypted:	false
Ssdeep:	3:v:v
Size:	1
Whitelisted:	false
Reputation:	moderate

Processes

Path

Cmdline

Malicious

/tmp/Yoshi.x86-20211110-0350

n/a

/tmp/Yoshi.x86-20211110-0350

n/a

/tmp/Yoshi.x86-20211110-0350

n/a

/tmp/Yoshi.x86-20211110-0350

n/a

/tmp/Yoshi.x86-20211110-0350

n/a

/tmp/Yoshi.x86-20211110-0350

n/a

/tmp/Yoshi.x86-20211110-0350

n/a

/usr/bin/dash

n/a

/usr/bin/cat

cat /tmp/tmp.y33HJzJgyl

/usr/bin/dash

n/a

/usr/bin/head

head -n 10

/usr/bin/dash

n/a

/usr/bin/tr

tr -d \\000-\\011\\013\\014\\016-\\037

/usr/bin/dash

n/a

/usr/bin/cut

cut -c -80

/usr/bin/dash

n/a

/usr/bin/cat

cat /tmp/tmp.y33HJzJgyl

/usr/bin/dash

n/a

/usr/bin/head

head -n 10

/usr/bin/dash

n/a

/usr/bin/tr

tr -d \\000-\\011\\013\\014\\016-\\037

/usr/bin/dash

n/a

/usr/bin/cut

cut -c -80

/usr/bin/dash

n/a

/usr/bin/rm

rm -f /tmp/tmp.y33HJzJgyl /tmp/tmp.Vw6fOLR470 /tmp/tmp.pbb6pGxeaC

/usr/libexec/gnome-session-binary

n/a

/bin/sh

/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/bin/gnome-shell

/usr/bin/gnome-shell

n/a

/usr/bin/ibus-daemon

ibus-daemon --panel disable --xim

/usr/bin/ibus-daemon

n/a

/usr/libexec/ibus-memconf

/usr/bin/ibus-daemon

n/a

/usr/bin/ibus-daemon

n/a

/usr/libexec/ibus-x11

/usr/libexec/ibus-x11 --kill-daemon

/usr/bin/ibus-daemon

n/a

/usr/libexec/ibus-engine-simple

/usr/lib/systemd/systemd

n/a

/lib/systemd/systemd-localed

/usr/bin/dbus-daemon

n/a

/usr/libexec/ibus-portal

/usr/lib/systemd/systemd

n/a

/usr/lib/upower/upowerd

/usr/lib/xorg/Xorg

n/a

/bin/sh

sh -c "\"/usr/bin/xkbcomp\" -w 1 \"-R/usr/share/X11/xkb\" -xkm \"-\" -em1 \"The XKEYBOARD keymap compiler (xkbcomp) reports:\" -emp \"> \" -eml \"Errors from xkbcomp are not fatal to the X server\" \"/tmp/server-0.xkm\""

/bin/sh

n/a

/usr/bin/xkbcomp

/usr/bin/xkbcomp -w 1 -R/usr/share/X11/xkb -xkm - -em1 "The XKEYBOARD keymap compiler (xkbcomp) reports:" -emp "> " -eml "Errors from xkbcomp are not fatal to the X server" /tmp/server-0.xkm

/usr/lib/systemd/systemd

n/a

/usr/lib/accountsservice/accounts-daemon

n/a

/usr/share/language-tools/language-validate

/usr/share/language-tools/language-validate en_US.UTF-8

/usr/share/language-tools/language-validate

n/a

/usr/share/language-tools/language-options

n/a

/bin/sh

sh -c "locale -a | grep -F .utf8 "

/bin/sh

n/a

/usr/bin/locale

locale -a

/bin/sh

n/a

/usr/bin/grep

grep -F .utf8

/usr/lib/systemd/systemd

n/a

/usr/libexec/geoclue

/usr/bin/dbus-daemon

n/a

/usr/bin/gjs

/usr/bin/gjs /usr/share/gnome-shell/org.gnome.Shell.Notifications

/usr/lib/systemd/systemd

n/a

/usr/bin/pulseaudio

/usr/bin/pulseaudio --daemonize=no --log-target=journal

/usr/lib/systemd/systemd

n/a

/usr/libexec/fprintd

There are 58 hidden processes, click here to show them.

URLs

Name

Malicious

https://ubuntu.com/blog/microk8s-memory-optimisation

unknown

Details

Name:	https://ubuntu.com/blog/microk8s-memory-optimisation
TargetID:	30
From Memory:	true
Current Path:	/usr/bin/cut
Source:	motd-news.30.dr
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

14.213.58.84

unknown

China

27.241.214.158

unknown

Taiwan; Republic of China (ROC)

103.165.24.206

unknown

206.81.117.10

unknown

United States

221.235.231.36

unknown

China

60.205.108.60

unknown

China

78.200.7.192

unknown

France

38.218.179.213

unknown

United States

12.15.101.249

unknown

United States

185.41.19.218

unknown

Norway

176.237.211.68

unknown

Turkey

77.68.188.231

unknown

Denmark

139.198.97.214

unknown

China

110.69.124.69

unknown

Korea Republic of

61.93.172.176

unknown

Hong Kong

20.109.196.213

unknown

United States

160.120.172.228

unknown

Cote D'ivoire

151.22.11.137

unknown

Italy

77.129.234.62

unknown

France

152.39.223.145

unknown

United States

24.69.97.22

unknown

Canada

156.214.15.119

unknown

Egypt

94.132.45.221

unknown

Portugal

58.250.84.151

unknown

China

114.59.247.87

unknown

Indonesia

36.54.36.167

unknown

Japan

182.25.78.39

unknown

Indonesia

86.40.94.173

unknown

Ireland

147.51.110.245

unknown

United States

101.121.5.200

unknown

China

104.90.135.191

unknown

United States

181.204.131.176

unknown

Colombia

8.124.12.149

unknown

United States

213.192.183.95

unknown

Finland

70.187.228.16

unknown

United States

203.144.121.101

unknown

China

203.153.200.75

unknown

Australia

66.142.171.115

unknown

United States

80.142.180.164

unknown

Germany

173.199.168.228

unknown

United States

205.147.235.48

unknown

United States

182.49.45.63

unknown

China

152.45.134.40

unknown

United States

66.44.154.146

unknown

United States

112.160.188.211

unknown

Korea Republic of

62.86.66.106

unknown

Italy

102.2.61.4

unknown

146.208.227.123

unknown

United States

98.42.156.209

unknown

United States

99.180.232.127

unknown

United States

94.94.36.64

unknown

Italy

210.85.166.50

unknown

Taiwan; Republic of China (ROC)

223.129.191.223

unknown

China

166.252.202.216

unknown

United States

23.72.69.192

unknown

United States

18.28.89.254

unknown

United States

39.118.64.129

unknown

Korea Republic of

13.31.0.48

unknown

United States

176.68.84.160

unknown

Sweden

130.17.184.100

unknown

United States

38.250.231.37

unknown

United States

78.60.212.7

unknown

Lithuania

8.89.57.170

unknown

United States

34.174.118.58

unknown

United States

142.98.45.249

unknown

Canada

159.155.32.13

unknown

United States

36.173.104.143

unknown

China

166.147.21.15

unknown

United States

209.210.62.0

unknown

United States

122.149.110.158

unknown

Australia

188.126.70.104

unknown

Sweden

161.191.74.102

unknown

United States

2.125.47.38

unknown

United Kingdom

97.175.248.212

unknown

United States

60.186.26.114

unknown

China

73.105.10.72

unknown

United States

151.105.118.221

unknown

Finland

57.44.124.153

unknown

Belgium

90.202.191.182

unknown

United Kingdom

163.243.147.68

unknown

United States

71.29.203.30

unknown

United States

8.232.159.248

unknown

United States

218.167.76.218

unknown

Taiwan; Republic of China (ROC)

223.93.32.178

unknown

China

84.87.28.24

unknown

Netherlands

158.192.236.217

unknown

France

181.217.21.237

unknown

Brazil

45.106.6.141

unknown

Egypt

32.143.225.66

unknown

United States

8.30.115.172

unknown

United States

86.44.199.169

unknown

Ireland

14.241.252.211

unknown

Viet Nam

92.211.109.198

unknown

Germany

20.132.107.120

unknown

United States

187.239.163.155

unknown

Mexico

53.63.240.198

unknown

Germany

200.26.181.233

unknown

Paraguay

190.176.180.80

unknown

Argentina

4.191.205.63

unknown

United States

87.186.120.255

unknown

Germany

There are 90 hidden IPs, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report

Files

Processes

URLs

IPs