Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

na.elf

ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, not stripped

initial sample

Details

Filetype:	ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, not stripped
Entropy:	6.152587075556178
Filename:	na.elf
Filesize:	108983
MD5:	4d2d2f68414f89df18743d70a56473d8
SHA1:	118fad398cdc14b864f308af76515b3ff5ff84db
SHA256:	05be52ca16fd42e1d78a566a99f062b102557b22db923a606a0ef88a929ac4e0
SHA512:	d8cfc7486704550b22686099b52d2d781168a96a22cd68aa5d4e93c811f57bd3a501ae395342496076750269d6a934540dc3f487853e2802c50769b33250494e
SSDEEP:	3072:0QWtewn5BpeGQq4k3SI5he1B3m7ArEfT3n:0QWtetq4M5hMVm7ArEfT3n
Preview:	.ELF...........................4..O......4. ...(......................>h..>h..............@...@...@.......t...............@T..@T..@T................dt.Q.............................!..\|......$H...H......$8!. \|...N.. .!..\|.......?.........D,..../...@..`= .

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Opens /proc/net/* files useful for finding connected devices and routers	Spreading	Remote System Discovery
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
Yara signature match	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
URLs found in memory or binary data	Networking

/tmp/qemu-open.7vP5t8 (deleted)

ASCII text

dropped

Details

File:	/tmp/qemu-open.7vP5t8 (deleted)
Category:	dropped
Dump:	qemu-open.7vP5t8 (deleted).12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/na.elf
Type:	ASCII text
Entropy:	3.709552666863289
Encrypted:	false
Ssdeep:	6:iekrEcvwAsE5KlwSd4pzKaV6Lpms/a/1VCxGF:ur+m5MwSdIKaV6L1adVRF
Size:	230
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

/tmp/na.elf

URLs

Name

Malicious

5.42.98.74:4258

Details

Name:	5.42.98.74:4258
TargetID:	0
From Memory:	false
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

http://www.baidu.com/search/spider.html)

unknown

http://www.billybobbot.com/crawler/)

unknown

http://fast.no/support/crawler.asp)

unknown

http://feedback.redkolibri.com/

unknown

http://www.baidu.com/search/spider.htm)

unknown

Domains

Name

Malicious

daisy.ubuntu.com

162.213.35.24

IPs

Domain

Country

Malicious

5.42.98.74

unknown

Russian Federation

Details

IP:	5.42.98.74
TargetID:	-1
Country:	Russian Federation
Countrycode:	RUS
ASN number:	39493
ASN name:	RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7f84cc015000

page execute read

7f84cc015000

page execute read

560271ee2000

page read and write

7f85bc000000

page read and write

7f85c3d40000

page read and write

7f84cc02d000

page execute and read and write

560271eea000

page read and write

7f85bc021000

page read and write

7f85c4bc7000

page read and write

7f85c4543000

page read and write

7f85c4f12000

page read and write

7f85c3d40000

page read and write

7f85c5043000

page read and write

7f85c5088000

page read and write

7f84cc026000

page execute and read and write

7f84cc026000

page execute and read and write

7f85c5088000

page read and write

560271eea000

page read and write

560273efe000

page read and write

7f85bc000000

page read and write

7f85c503b000

page read and write

560271c5f000

page execute read

7f84cc02d000

page execute and read and write

560273efe000

page read and write

7f85c47e0000

page read and write

7f84cc02e000

page read and write

7f85c4543000

page read and write

7f85c4ba2000

page read and write

7f85c4ba2000

page read and write

560273ee8000

page execute and read and write

7ffda68ec000

page read and write

7ffda69ac000

page execute read

7f85c4bc7000

page read and write

7f85bc021000

page read and write

7ffda69ac000

page execute read

7f85c4551000

page read and write

7f85c4f12000

page read and write

560271c5f000

page execute read

7f85c5043000

page read and write

560271ee2000

page read and write

56027433d000

page read and write

7f85c503b000

page read and write

56027433d000

page read and write

7f85c4551000

page read and write

7f85c47e0000

page read and write

7ffda68ec000

page read and write

7f84cc02e000

page read and write

560273ee8000

page execute and read and write

There are 38 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
na.elf

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportna.elf

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
na.elf