Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

m68k.elf

ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, not stripped

initial sample

Details

Filetype:	ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, not stripped
Entropy:	6.321142299000342
Filename:	m68k.elf
Filesize:	159434
MD5:	4dc0d169fb5449f0bd1ad56e891e7a3f
SHA1:	bfefbe59b96d3875b028a135a76cbf99dd40122d
SHA256:	590224bde28bd1c0668ec90ea466df10c30fde3b056b0e33eedd26c60d2554f1
SHA512:	c8f1b7c2c3f6ba5c1cf28a181aeecad89066e15f2c310e7cfcc4e65b43e083cd9bc3960fe2f5fff6b7e53fbe582bb272bb844fb8266c565a735b94b007aa2520
SSDEEP:	3072:6upHLzPDDsUOrq5fQeqacWucW0JcWcBFzxDDYhuM45DR8DSv/J3DtcaQ1iwmmu1L:l3fQeqacWucW0JcWcB/D8UHRR8DW/J3Z
Preview:	.ELF.......................D...4.........4. ...(.................................. ...........#...#.......i....... .dt.Q............................NV..a....da.....N^NuNV..J9..'<f>"y..#. QJ.g.X.#...#.N."y..#. QJ.f.A.....J.g.Hy..#.N.X.......'<N^NuNV..N^NuN

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Opens /proc/net/* files useful for finding connected devices and routers	Spreading	Remote System Discovery
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
Yara signature match	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
URLs found in memory or binary data	Networking

/tmp/qemu-open.HLZafR (deleted)

ASCII text

dropped

Details

File:	/tmp/qemu-open.HLZafR (deleted)
Category:	dropped
Dump:	qemu-open.HLZafR (deleted).12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/m68k.elf
Type:	ASCII text
Entropy:	3.709552666863289
Encrypted:	false
Ssdeep:	6:iekrEcvwAsE5KlwSd4pzKaV6Lpms/a/1VCxGF:ur+m5MwSdIKaV6L1adVRF
Size:	230
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

/tmp/m68k.elf

URLs

Name

Malicious

185.82.202.195:67

Details

Name:	185.82.202.195:67
TargetID:	0
From Memory:	false
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

http://www.baidu.com/search/spider.html)

unknown

http://www.billybobbot.com/crawler/)

unknown

http://fast.no/support/crawler.asp)

unknown

http://feedback.redkolibri.com/

unknown

http://www.baidu.com/search/spider.htm)

unknown

Domains

Name

Malicious

daisy.ubuntu.com

162.213.35.24

IPs

Domain

Country

Malicious

185.82.202.195

unknown

Netherlands

Details

IP:	185.82.202.195
TargetID:	-1
Country:	Netherlands
Countrycode:	NLD
ASN number:	60117
ASN name:	HSAE
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7f66e8022000

page execute read

7f66e8022000

page execute read

7f6770202000

page read and write

7f676f99f000

page read and write

7f6770202000

page read and write

7f66e802a000

page read and write

7f676f710000

page read and write

7f676f99f000

page read and write

557ac1b4b000

page read and write

7f676f702000

page read and write

7f6770247000

page read and write

557ac3b51000

page execute and read and write

7f676f710000

page read and write

557ac1919000

page execute read

7f676f702000

page read and write

557ac3be8000

page read and write

557ac4453000

page read and write

7ffc2dbfd000

page execute read

7f66e8024000

page read and write

7f67701fa000

page read and write

7ffc2dbc8000

page read and write

7f676fd86000

page read and write

557ac3b51000

page execute and read and write

7f676fd61000

page read and write

557ac3be8000

page read and write

557ac4453000

page read and write

7ffc2dbfd000

page execute read

7f676eeff000

page read and write

7f66e8024000

page read and write

7f6768021000

page read and write

7f676fd86000

page read and write

7f67701fa000

page read and write

7f676eeff000

page read and write

7f67700d1000

page read and write

7f67700d1000

page read and write

557ac1b4b000

page read and write

7f6770247000

page read and write

557ac1b53000

page read and write

557ac1919000

page execute read

7f676fd61000

page read and write

7ffc2dbc8000

page read and write

7f66e802a000

page read and write

7f6768000000

page read and write

557ac1b53000

page read and write

7f6768000000

page read and write

7f6768021000

page read and write

There are 36 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
m68k.elf

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportm68k.elf

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
m68k.elf