Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

na.elf

ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped

initial sample

Details

Filetype:	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
Entropy:	6.563015313506456
Filename:	na.elf
Filesize:	62816
MD5:	81dd71e9f03de8f7b5d7bd0066e9c205
SHA1:	0edf3d61c024022d383bfc979bb975baa97eb8da
SHA256:	f10799c82050872254a29aa22acbb636db36d6a2d9c48311bbb4f6c6ac8ccf84
SHA512:	eb4c29e66bebe5ebd9f691babc228faf7d904e9a57dd5226f43c3fa70a979622208e66c5a37d3f0595ac184411a4f1da9ebc8fbfcbfd7ca99e6582568b487224
SSDEEP:	1536:WOAdzrxaedED0wAcrQZNSCSTsYi7IlUvanvimH8WSzm:WOA9tzdED0wAcUZULs7IWSvhH8q
Preview:	.ELF....................d...4...........4. ...(..........................................................8..........Q.td............................U..S.......7....h....3...[]...$.............U......=.....t..5...................u........t....h.p..........

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Sample reads /proc/mounts (often used for finding a writable filesystem)	Persistence and Installation Behavior	File and Directory Discovery
Enumerates processes within the "proc" file system	Persistence and Installation Behavior	OS Credential Dumping
Reads system information from the proc file system	Persistence and Installation Behavior	System Information Discovery
Sample tries to kill a process (SIGKILL)	System Summary
Yara signature match	System Summary

/run/user/127/dconf/user

very short file (no magic)

dropped

Details

File:	/run/user/127/dconf/user
Category:	dropped
Dump:	user.31.dr
ID:	dr_0
Target ID:	31
Process:	/usr/libexec/gsd-sharing
Type:	very short file (no magic)
Entropy:	0.0
Encrypted:	false
Ssdeep:	3::
Size:	1
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

/tmp/na.elf

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/libexec/gnome-session-binary

/bin/sh

/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/bin/gnome-shell

/usr/bin/gnome-shell

/usr/libexec/gnome-session-binary

/bin/sh

/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-sharing

/usr/libexec/gsd-sharing

/usr/sbin/gdm3

/etc/gdm3/PrimeOff/Default

/usr/sbin/gdm3

/etc/gdm3/PrimeOff/Default

/usr/lib/systemd/systemd

/lib/systemd/systemd-user-runtime-dir

/lib/systemd/systemd-user-runtime-dir stop 127

There are 16 hidden processes, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

8058000

page execute read

8059000

page read and write

ffb76000

page read and write

805c000

page read and write

f7f73000

page execute read

f7f73000

page execute read

838d000

page read and write

8358000

page read and write

8058000

page execute read

8059000

page read and write

ffb76000

page read and write

8358000

page read and write

805c000

page read and write

There are 3 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
na.elf

Files

Processes

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportna.elf

Files

Processes

Memdumps

IOC Report
na.elf