Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

na.elf

ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, with debug_info, not stripped

initial sample

Details

Filetype:	ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, with debug_info, not stripped
Entropy:	5.984875409135291
Filename:	na.elf
Filesize:	159775
MD5:	a90e60adfd6dcbfa16615dde5f96c3d4
SHA1:	2f6619597f57c3f51885382742378f48c715411e
SHA256:	0d02114b75777f43679564ba57a32e1e1fbe5c4ca4d759bd20f68657b08318fc
SHA512:	49fc5b2a2f9e9adffc29d4065b3766a8865b89f9150cc02c0b0dd76f5485727fbb1c92c043a61c41207effc6dbac8c92cf1abbf14bfa94359852d55965fe5f6f
SSDEEP:	3072:pX0ZAZk9ZrIE26aRE5/+kW5zmM+0/xJJNg3pu5M/9zXjjz:pEOy9ZU16aRE5/+k+zmMfJrg3poM/9zj
Preview:	.ELF..............(.........4...(.......4. ...(........p.v..........p...p...........................`x..`x..............`x..`x..`x.......t..............dx..dx..dx..................Q.td..................................-...L..................@-.,@...0....S

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample and/or dropped files contains symbols with suspicious names	System Summary	Masquerading
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
URLs found in memory or binary data	Networking

/etc/systemd/system/sbolo.service

ASCII text

dropped

Details

File:	/etc/systemd/system/sbolo.service
Category:	dropped
Dump:	sbolo.service.12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/na.elf
Type:	ASCII text
Entropy:	5.060253001935413
Encrypted:	false
Ssdeep:	6:z80WuKyRZAMzdK+ann0RJ5R0w+GWRo3N+GWRuwuOp+GWRQCdUO9LQmWA4Rv:zNRZAOK+aniR3+GWRg+GWRuwjp+GWRut
Size:	297
Whitelisted:	false
Reputation:	low

/memfd:snapd-env-generator (deleted)

ASCII text

dropped

Details

File:	/memfd:snapd-env-generator (deleted)
Category:	dropped
Dump:	memfd_snapd-env-generator (deleted).19.dr
ID:	dr_2
Target ID:	19
Process:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
Type:	ASCII text
Entropy:	3.7627880354948586
Encrypted:	false
Ssdeep:	3:+M4VMPQnMLmPQ9JEcwwbn:+M4m4MixcZb
Size:	76
Whitelisted:	false
Reputation:	moderate

/tmp/qemu-open.rzupep (deleted)

data

dropped

Details

File:	/tmp/qemu-open.rzupep (deleted)
Category:	dropped
Dump:	qemu-open.rzupep (deleted).13.dr
ID:	dr_1
Target ID:	13
Process:	/tmp/na.elf
Type:	data
Entropy:	3.8100810205217304
Encrypted:	false
Ssdeep:	3:TgBDlT1N:TgB11N
Size:	27
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

/tmp/na.elf

/bin/sh

/bin/sh -c "systemctl enable sbolo.service > /dev/null 2>&1"

/bin/sh

/usr/bin/systemctl

systemctl enable sbolo.service

/tmp/na.elf

/usr/lib/systemd/systemd

/usr/lib/systemd/system-environment-generators/snapd-env-generator

URLs

Name

Malicious

http://91.200.103.117/%s

unknown

http://91.200.103.117/bolubotnetarm7

unknown

Domains

Name

Malicious

yi0key.heleh.com.vn

91.200.103.117

Details

Name:	yi0key.heleh.com.vn
IP:	91.200.103.117
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Connects to many ports of the same IP (likely port scanning)	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

91.200.103.117

yi0key.heleh.com.vn

Germany

Details

IP:	91.200.103.117
TargetID:	-1
Country:	Germany
Countrycode:	DEU
ASN number:	30823
ASN name:	COMBAHTONcombahtonGmbHDE
Private:	false
Domain:	yi0key.heleh.com.vn

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Connects to many ports of the same IP (likely port scanning)	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
URLs found in memory or binary data	Networking

109.202.202.202

unknown

Switzerland

Details

IP:	109.202.202.202
TargetID:	-1
Country:	Switzerland
Countrycode:	CHE
ASN number:	13030
ASN name:	INIT7CH
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.43

unknown

United Kingdom

Details

IP:	91.189.91.43
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.42

unknown

United Kingdom

Details

IP:	91.189.91.42
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7f2a3c02f000

page execute read

7f2b42cba000

page read and write

7f2b42958000

page read and write

7f2b43296000

page read and write

7f2b428c6000

page read and write

7ffd404ef000

page read and write

7f2b43609000

page read and write

7ffd405d6000

page execute read

7f2a3c037000

page read and write

7f2b420be000

page read and write

559cacc32000

page read and write

7f2b42f25000

page read and write

7f2b430b4000

page read and write

7f2b43477000

page read and write

7f2b435a0000

page read and write

7f2b3bfff000

page read and write

559caa9c3000

page execute read

559caac14000

page read and write

7f2b3c021000

page read and write

7f2a3c040000

page read and write

559cacc1b000

page execute and read and write

7f2b435c4000

page read and write

559caac1d000

page read and write

7f2b42f48000

page read and write

559cad892000

page read and write

There are 15 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
na.elf

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportna.elf

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
na.elf