Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

na.elf

ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped

initial sample

Details

Filetype:	ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
Entropy:	5.582655267042873
Filename:	na.elf
Filesize:	142080
MD5:	47b283fe2b62434075319b4e9ca076de
SHA1:	0b8a05062078824a5c64972d6281d350b5b7ad10
SHA256:	a364e8acff9c109c29a70ea35f6b27cb08ef74cd45fd8418c6e459edbe258b1c
SHA512:	49496c8b4fea6b35a5ca0c7b21ce9e85c076896bfdf6f4d33028a9b68d1a21f7263b7dd221caf95476561ec9a23f37f5e4fda574e32ff2912c7eddc21c774065
SSDEEP:	1536:B5WiGtiNJQv30GQZaBelvC6atxRa2bka4VAb9fTx0kvA23HJLqGE9l5qwywFCFDy:B5Wi0ib8avCTRaA4+BV0kvAkW+9m7p
Preview:	.ELF...a..........(.........4...p)......4. ...(.....................................................0I..............Q.td..................................-...L."...qm..........0@-.\P...0....S.0...P@...0... ....R......0...0...........0... ....R..... 0....S

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
URLs found in memory or binary data	Networking

/etc/systemd/system/sbolo.service

ASCII text

dropped

Details

File:	/etc/systemd/system/sbolo.service
Category:	dropped
Dump:	sbolo.service.12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/na.elf
Type:	ASCII text
Entropy:	5.0514883747404
Encrypted:	false
Ssdeep:	6:z80WuKyRZAMzdK+ann0RJ5R0pp+GWRo3N+GWRuwuOp+GWRQCdUO9LQmWA4Rv:zNRZAOK+aniRS+GWRg+GWRuwjp+GWRut
Size:	296
Whitelisted:	false
Reputation:	low

/memfd:snapd-env-generator (deleted)

ASCII text

dropped

Details

File:	/memfd:snapd-env-generator (deleted)
Category:	dropped
Dump:	memfd_snapd-env-generator (deleted).19.dr
ID:	dr_2
Target ID:	19
Process:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
Type:	ASCII text
Entropy:	3.7627880354948586
Encrypted:	false
Ssdeep:	3:+M4VMPQnMLmPQ9JEcwwbn:+M4m4MixcZb
Size:	76
Whitelisted:	false
Reputation:	moderate

/tmp/qemu-open.NkVkgH (deleted)

data

dropped

Details

File:	/tmp/qemu-open.NkVkgH (deleted)
Category:	dropped
Dump:	qemu-open.NkVkgH (deleted).13.dr
ID:	dr_1
Target ID:	13
Process:	/tmp/na.elf
Type:	data
Entropy:	3.8100810205217304
Encrypted:	false
Ssdeep:	3:TgBDlT1N:TgB11N
Size:	27
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

/tmp/na.elf

/bin/sh

sh -c "systemctl enable sbolo.service > /dev/null 2>&1"

/bin/sh

/usr/bin/systemctl

systemctl enable sbolo.service

/tmp/na.elf

/usr/lib/systemd/systemd

/usr/lib/systemd/system-environment-generators/snapd-env-generator

URLs

Name

Malicious

http://91.200.103.117/%s

unknown

http://91.200.103.117/bolubotnetarm

unknown

Domains

Name

Malicious

yi0key.heleh.com.vn

91.200.103.117

Details

Name:	yi0key.heleh.com.vn
IP:	91.200.103.117
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Connects to many ports of the same IP (likely port scanning)	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

daisy.ubuntu.com

162.213.35.25

IPs

Domain

Country

Malicious

91.200.103.117

yi0key.heleh.com.vn

Germany

Details

IP:	91.200.103.117
TargetID:	-1
Country:	Germany
Countrycode:	DEU
ASN number:	30823
ASN name:	COMBAHTONcombahtonGmbHDE
Private:	false
Domain:	yi0key.heleh.com.vn

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Connects to many ports of the same IP (likely port scanning)	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
URLs found in memory or binary data	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7fedd8035000

page execute read

7feedf08b000

page read and write

7feedeb39000

page read and write

7fedd804d000

page read and write

7feedeeaa000

page read and write

7feedf1d8000

page read and write

7feedecc8000

page read and write

5612a6d13000

page read and write

7feede8ce000

page read and write

5612a6d1c000

page read and write

7feed7fff000

page read and write

7ffd161f4000

page read and write

5612a9001000

page read and write

7feedeb5c000

page read and write

5612a6ac2000

page execute read

7fedd8042000

page read and write

7feedf1b4000

page read and write

7feeddcd2000

page read and write

7feed8021000

page read and write

7ffd161fd000

page execute read

7feede56c000

page read and write

5612a8d31000

page read and write

7feede4da000

page read and write

5612a8d1a000

page execute and read and write

7feedf21d000

page read and write

There are 15 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
na.elf

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportna.elf

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
na.elf