Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

na.elf

ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, with debug_info, not stripped

initial sample

Details

Filetype:	ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, with debug_info, not stripped
Entropy:	5.989971441900817
Filename:	na.elf
Filesize:	127170
MD5:	7235320a90d937ed6e0d82981f78590f
SHA1:	69118135391952ef882bdb3e743c9f6480e99cef
SHA256:	22dbc9445b010b3cc9a93992a6f5a00b71716e013d51f30ccd2d3ede4e1c642a
SHA512:	aa08efb2d281b7661409bd6513b9b094f44eb8f383e7d3c1f68998b74d5d229c07ee3cdc1daf6e294d301cb702ec20f7061e86df0f75fec28451800141cee61e
SSDEEP:	3072:jQqwW3NEI4VvL6phaPJvcIqmPwAw85YIn:cq/qvL6phaPJvBqmPwAw8CIn
Preview:	.ELF...........................4...$.....4. ...(......................yD..yD...........................t..v................H...H...H................dt.Q................................@..(....@.L.................#.....ax..`.....!....."`..@.....".........`

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Opens /proc/net/* files useful for finding connected devices and routers	Spreading	Remote System Discovery
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion
Yara signature match	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
URLs found in memory or binary data	Networking

/tmp/qemu-open.JgkToj (deleted)

ASCII text

dropped

Details

File:	/tmp/qemu-open.JgkToj (deleted)
Category:	dropped
Dump:	qemu-open.JgkToj (deleted).12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/na.elf
Type:	ASCII text
Entropy:	3.709552666863289
Encrypted:	false
Ssdeep:	6:iekrEcvwAsE5KlwSd4pzKaV6Lpms/a/1VCxGF:ur+m5MwSdIKaV6L1adVRF
Size:	230
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

/tmp/na.elf

URLs

Name

Malicious

5.42.98.74:4258

Details

Name:	5.42.98.74:4258
TargetID:	0
From Memory:	false
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

http://www.baidu.com/search/spider.html)

unknown

http://www.billybobbot.com/crawler/)

unknown

http://fast.no/support/crawler.asp)

unknown

http://feedback.redkolibri.com/

unknown

http://www.baidu.com/search/spider.htm)

unknown

Domains

Name

Malicious

daisy.ubuntu.com

162.213.35.24

IPs

Domain

Country

Malicious

5.42.98.74

unknown

Russian Federation

Details

IP:	5.42.98.74
TargetID:	-1
Country:	Russian Federation
Countrycode:	RUS
ASN number:	39493
ASN name:	RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7f3f90029000

page execute read

7f3f90029000

page execute read

7f4095276000

page read and write

7f4095ad9000

page read and write

7f4095ad9000

page read and write

7f40959a8000

page read and write

556511589000

page execute and read and write

7f4095b1e000

page read and write

7f4095638000

page read and write

55650f58b000

page read and write

7f4094fd9000

page read and write

7f4090021000

page read and write

7fffb2950000

page execute read

7f3f90042000

page read and write

556511883000

page read and write

55650f354000

page execute read

7f4095b1e000

page read and write

7fffb2860000

page read and write

556511589000

page execute and read and write

7f40959a8000

page read and write

7f3f9003a000

page read and write

7f4090000000

page read and write

7f4095ad1000

page read and write

5565115a0000

page read and write

7f4095ad1000

page read and write

5565115a0000

page read and write

7f4094fe7000

page read and write

7f4090000000

page read and write

7f4090021000

page read and write

55650f58b000

page read and write

55650f582000

page read and write

7f40947d6000

page read and write

55650f354000

page execute read

7f409565d000

page read and write

7f4094fd9000

page read and write

7f3f9003a000

page read and write

7fffb2950000

page execute read

7f40947d6000

page read and write

7f4094fe7000

page read and write

7f3f90042000

page read and write

7f4095638000

page read and write

7fffb2860000

page read and write

55650f582000

page read and write

7f409565d000

page read and write

7f4095276000

page read and write

556511883000

page read and write

There are 36 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
na.elf

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportna.elf

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
na.elf