IOC Report
84.elf

Files

File Path | Type | Category | Malicious
84.elf | ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=fdb92fd0de3892fc2176220c6694f8eee61d4fa3, stripped | initial sample | malicious
/root/.config/autostart/gvfs.desktop | ASCII text | dropped | malicious
/root/.gvfs/84.elf | ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=fdb92fd0de3892fc2176220c6694f8eee61d4fa3, stripped | dropped | malicious
/tmp/_MEITTIAO4/_cffi_backend.so | ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=a8065860edce18a4dc4eef124c5ef5186663c879, stripped | dropped |
/tmp/_MEITTIAO4/_codecs_cn.so | ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=514db53237f2feae68b921059fd270fb13189922, stripped | dropped |
/tmp/_MEITTIAO4/_codecs_hk.so | ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=97e4ead34d3cee0d9e177d17cfa5b6ce7bd75c9f, stripped | dropped |
/tmp/_MEITTIAO4/_codecs_iso2022.so | ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=327305681b550044f7c7d3974bb02e611a5f0d66, stripped | dropped |
/tmp/_MEITTIAO4/_codecs_jp.so | ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=de2862cf1c79ce588099c9e88107338eb803b6b4, stripped | dropped |
/tmp/_MEITTIAO4/_codecs_kr.so | ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=5f5a1cace8de7365928cd69d9c22f52f019b499d, stripped | dropped |
/tmp/_MEITTIAO4/_codecs_tw.so | ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=9c3201f16e000ddb42f5b2b5ba4eb2cb37701577, stripped | dropped |
/tmp/_MEITTIAO4/_ctypes.so | ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=9eb871f4b7c1f223cd7928397c52ec239b80d664, stripped | dropped |
/tmp/_MEITTIAO4/_hashlib.so | ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=0f3b6573a291ea8cb69408512d6bdab7de25b832, stripped | dropped |
/tmp/_MEITTIAO4/_json.so | ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=7465cc284b75613923b1ffde62d40bf513654c26, stripped | dropped |
/tmp/_MEITTIAO4/_multibytecodec.so | ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=b3a1858bab7ca02b90b913ccedb9ce5019a489df, stripped | dropped |
/tmp/_MEITTIAO4/_ssl.so | ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=566fc01e70b4bb52cc045ec9c932495462369c23, stripped | dropped |
/tmp/_MEITTIAO4/bz2.so | ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=666dba81d12c5e460272832aa9823d35642a949c, stripped | dropped |
/tmp/_MEITTIAO4/certifi/cacert.pem | ASCII text | dropped |
/tmp/_MEITTIAO4/certifi/old_root.pem | ASCII text | dropped |
/tmp/_MEITTIAO4/certifi/weak.pem | ASCII text | dropped |
/tmp/_MEITTIAO4/cryptography-2.1.4-py2.7.egg-info/PKG-INFO | ASCII text | dropped |
/tmp/_MEITTIAO4/cryptography-2.1.4-py2.7.egg-info/dependency_links.txt | very short file (no magic) | dropped |
/tmp/_MEITTIAO4/cryptography-2.1.4-py2.7.egg-info/not-zip-safe | very short file (no magic) | dropped |
/tmp/_MEITTIAO4/cryptography-2.1.4-py2.7.egg-info/requires.txt | ASCII text | dropped |
/tmp/_MEITTIAO4/cryptography-2.1.4-py2.7.egg-info/top_level.txt | ASCII text | dropped |
/tmp/_MEITTIAO4/cryptography.hazmat.bindings._constant_time.so | ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=26260b2f19ee2371e0719b4e5f18680e1737851a, stripped | dropped |
/tmp/_MEITTIAO4/cryptography.hazmat.bindings._openssl.so | ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=0ead53b947feba0a793eddad8400ae751a20c5ba, stripped | dropped |
/tmp/_MEITTIAO4/libbz2.so.1.0 | ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=a4147045409ed969e6f3936f3726726f4719bb40, stripped | dropped |
/tmp/_MEITTIAO4/libcrypto.so.1.1 | ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=9349f6f4db60009a53cebe1e05c7056992595a36, stripped | dropped |
/tmp/_MEITTIAO4/libexpat.so.1 | ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=49976d874cc89dfcebf8c5dbf329149bfb40dab5, stripped | dropped |
/tmp/_MEITTIAO4/libffi.so.6 | ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=3555b5f599c9787dfddbf9e8df6f706b9044d985, stripped | dropped |
/tmp/_MEITTIAO4/libpython2.7.so.1.0 | ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=8a23a5727eea537355146d8842ad700ee02ac49c, stripped | dropped |
/tmp/_MEITTIAO4/libreadline.so.7 | ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=a21b81c1855c6444bc915d9331ab19923fa22c66, stripped | dropped |
/tmp/_MEITTIAO4/libssl.so.1.1 | ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=ca742a427e7aef089b39c4d773c20ea9e074ce8e, stripped | dropped |
/tmp/_MEITTIAO4/libtinfo.so.5 | ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=d20dc4f7881d9dd170d87fea8eec2a18e4949008, stripped | dropped |
/tmp/_MEITTIAO4/libz.so.1 | ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=ef3e006dfe3132a41d4d4dc0e407d6ea658e11c4, stripped | dropped |
/tmp/_MEITTIAO4/pyexpat.so | ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=1fcab5ed75e10a3179769960716824a2e17cb3dd, stripped | dropped |
/tmp/_MEITTIAO4/readline.so | ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=c153df9ee2f261c40fe564523ef2832027b0a8eb, stripped | dropped |
/tmp/_MEITTIAO4/resource.so | ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=c69be48495f38778b2cf5753d7227d244f3de847, stripped | dropped |
/tmp/_MEITTIAO4/termios.so | ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=8045f1e14355ca6e3ea401dd8e3a49d7142ab8a0, stripped | dropped |
/tmp/list.txt | ASCII text | dropped |

Processes

Path | Cmdline | Malicious
/usr/bin/dash | - |
/usr/bin/rm | rm -f /tmp/tmp.dyRqBbtRkK /tmp/tmp.wSbLfeKNbu /tmp/tmp.up7UPCnJlz |
/usr/bin/dash | - |
/usr/bin/rm | rm -f /tmp/tmp.dyRqBbtRkK /tmp/tmp.wSbLfeKNbu /tmp/tmp.up7UPCnJlz |
/tmp/84.elf | /tmp/84.elf |
/tmp/84.elf | - |
/tmp/84.elf | /tmp/84.elf |
/tmp/84.elf | - |
/sbin/ldconfig | /sbin/ldconfig -p |
/sbin/ldconfig.real | /sbin/ldconfig.real -p |
/tmp/84.elf | - |
/bin/sh | sh -c "uname -p 2> /dev/null" |
/bin/sh | - |
/usr/bin/uname | uname -p |
/tmp/84.elf | - |
/bin/sh | sh -c "cd; find . -type f > /tmp/list.txt" |
/bin/sh | - |
/usr/bin/find | find . -type f |
/tmp/84.elf | - |
/bin/sh | sh -c "chmod +x /root/.gvfs/84.elf" |
/bin/sh | - |
/usr/bin/chmod | chmod +x /root/.gvfs/84.elf |
/usr/lib/systemd/systemd | - |
/usr/sbin/uuidd | /usr/sbin/uuidd --socket-activation |

URLs

Name | IP | Malicious
http://84.247.176.126:33548/api/root_265403912816988/hello | 84.247.176.126 | malicious
http://84.247.176.126:33548/api/root_265403912816988/upload | 84.247.176.126 | malicious
http://python.org/dev/peps/pep-0263/ | unknown |
https://img.shields.io/pypi/v/cryptography.svg | unknown |
http://www.valicert.com/ | unknown |
http://www.unicode.org/reports/tr44/tr44-4.html). | unknown |
https://github.com/pyca/cryptography | unknown |
https://cryptography.io/ | unknown |
https://pypi.python.org/pypi/cryptography/ | unknown |
https://mail.python.org/mailman/listinfo/cryptography-dev | unknown |
https://codecov.io/github/pyca/cryptography?branch=master | unknown |
https://codecov.io/github/pyca/cryptography/coverage.svg?branch=master | unknown |
https://travis-ci.org/pyca/cryptography.svg?branch=master | unknown |
http://www.unicode.org/reports/tr44/tr44-4.html).xxsubtype | unknown |
https://travis-ci.org/pyca/cryptography | unknown |
https://cryptography.io | unknown |
https://github.com/pyca/cryptography/issues | unknown |
https://readthedocs.org/projects/cryptography/badge/?version=latest | unknown |
http://www.chambersign.org | unknown |
https://cryptography.io/en/latest/installation/ | unknown |

IPs

IP | Domain | Country | Malicious
84.247.176.126 | unknown | Norway | malicious
54.171.230.55 | unknown | United States |
109.202.202.202 | unknown | Switzerland |
91.189.91.43 | unknown | United Kingdom |
91.189.91.42 | unknown | United Kingdom |

Memdumps

Base Address | Regiontype | Protect | Malicious
7f3c0c038000 | | page read and write |
7fff3bfbc000 | | page read and write |
2458000 | | page read and write |
408000 | | page execute read |
7f3c0c293000 | | page read and write |
7f3c0c22a000 | | page read and write |
618000 | | page read and write |
7fff3bfdb000 | | page execute read |
608000 | | page read and write |
7f3c0c24e000 | | page read and write |