Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

firmware.powerpc.elf

ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, stripped

initial sample

Details

Filetype:	ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, stripped
Entropy:	6.316237415117945
Filename:	firmware.powerpc.elf
Filesize:	107992
MD5:	f36fac9eb16b5dc10e67ae92432236b7
SHA1:	3c3cf06ec7e9a4d9e0f3c92d3c0a70cecf703e61
SHA256:	cf37e1ff64bf497fcfa11b61e9b801f397c6932424096b09b1f288f9f098096f
SHA512:	0d99666f2c33425a3aed8c192b70c9e88a0af93a245f799a74e4873b6695bb72d6cd15111b6a6fb281ccb64fc512e267fd63f507c260063fb5b6c85664d74be7
SSDEEP:	1536:FtHdIgQ8PK5pJg6TM1LO00Bc6WpsZnkYx4KDxU5fPULaUBaDo3:FZopT0OXBUWkYGKDu5rUP3
Preview:	.ELF...........................4.........4. ...(..........................................................).........dt.Q.............................!..\|......$H...H.o5...$8!. \|...N.. .!..\|.......?..........T..../...@..\?........+../...A..$8...})......N..

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion
Yara signature match	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery

/etc/d

ASCII text

dropped

Details

File:	/etc/d
Category:	dropped
Dump:	d.12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/firmware.powerpc.elf
Type:	ASCII text
Entropy:	2.446439344671016
Encrypted:	false
Ssdeep:	3:gi2gn:g7g
Size:	10
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

/tmp/firmware.powerpc.elf

Domains

Name

Malicious

daisy.ubuntu.com

162.213.35.24

IPs

Domain

Country

Malicious

185.125.190.26

unknown

United Kingdom

Details

IP:	185.125.190.26
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7ffe677e3000

page execute read

7fd8a8031000

page read and write

7ffe677bb000

page read and write

55ad56760000

page execute read

7fd99ce3d000

page read and write

7fd99d698000

page read and write

7fd8a802c000

page read and write

7fd99d56f000

page read and write

55ad5aa95000

page read and write

7fd99d1ff000

page read and write

55ad589e9000

page execute and read and write

55ad569eb000

page read and write

7fd99cba0000

page read and write

7fd998000000

page read and write

7fd998021000

page read and write

7fd8a801b000

page execute read

7fd99c39d000

page read and write

7fd99d6e5000

page read and write

55ad569e3000

page read and write

7fd99d6a0000

page read and write

7fd99cbae000

page read and write

55ad589ff000

page read and write

7fd99d224000

page read and write

There are 13 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
firmware.powerpc.elf

Files

Processes

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportfirmware.powerpc.elf

Files

Processes

Domains

IPs

Memdumps

IOC Report
firmware.powerpc.elf