Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

na.elf

ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped

initial sample

Details

Filetype:	ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Entropy:	5.085823091564988
Filename:	na.elf
Filesize:	186872
MD5:	ecffaf9ddeb2137988036bf8d7153b67
SHA1:	834a8cce9907e2ce918040cef2944f5d1dcb0d08
SHA256:	1afd5b2da3e7a198208d882e61c3c651b7718ce9d67a4c6f0c2c882492f7eb41
SHA512:	10b49e818b49627df7525d832d2e69ccd6d970b94df3dfd43880698076b5e84a0bc5b9103a037b4ee4e4086fac3a97df2abe7436cf9f47acb65aabfd4c3c9749
SSDEEP:	3072:vPriURH2E8uPFvMLmM1GK2+BH6PvaD/8uj7Zy:vjiUR2EpFvMLnLIPq/njty
Preview:	.ELF.....................@.`...4.........4. ...(.............@...@...........................F...F....T....<........dt.Q............................<...'.M....!'.......................<...'.L....!... ....'9... ......................<...'.L....!...$....'9W

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Found strings indicative of a multi-platform dropper	Spreading
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
URLs found in memory or binary data	Networking

/etc/systemd/system/sbolo.service

ASCII text

dropped

Details

File:	/etc/systemd/system/sbolo.service
Category:	dropped
Dump:	sbolo.service.12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/na.elf
Type:	ASCII text
Entropy:	5.057113383448013
Encrypted:	false
Ssdeep:	6:z80WuKyRZAMzdK+ann0RJ5R0J/K+GWRo3N+GWRuwuOp+GWRQCdUO9LQmWA4Rv:zNRZAOK+aniRi/K+GWRg+GWRuwjp+GWo
Size:	297
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary

/memfd:snapd-env-generator (deleted)

ASCII text

dropped

Details

File:	/memfd:snapd-env-generator (deleted)
Category:	dropped
Dump:	memfd_snapd-env-generator (deleted).19.dr
ID:	dr_2
Target ID:	19
Process:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
Type:	ASCII text
Entropy:	3.7627880354948586
Encrypted:	false
Ssdeep:	3:+M4VMPQnMLmPQ9JEcwwbn:+M4m4MixcZb
Size:	76
Whitelisted:	false
Reputation:	moderate

/tmp/qemu-open.EZS4Br (deleted)

data

dropped

Details

File:	/tmp/qemu-open.EZS4Br (deleted)
Category:	dropped
Dump:	qemu-open.EZS4Br (deleted).13.dr
ID:	dr_1
Target ID:	13
Process:	/tmp/na.elf
Type:	data
Entropy:	3.8100810205217304
Encrypted:	false
Ssdeep:	3:TgBDlT1N:TgB11N
Size:	27
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

/tmp/na.elf

/bin/sh

sh -c "systemctl enable sbolo.service > /dev/null 2>&1"

/bin/sh

/usr/bin/systemctl

systemctl enable sbolo.service

/tmp/na.elf

/usr/lib/systemd/systemd

/usr/lib/systemd/system-environment-generators/snapd-env-generator

URLs

Name

Malicious

http://91.200.103.117/%s

unknown

http://91.200.103.117/bolubotnetmips

unknown

Domains

Name

Malicious

yi0key.heleh.com.vn

91.200.103.117

Details

Name:	yi0key.heleh.com.vn
IP:	91.200.103.117
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Connects to many ports of the same IP (likely port scanning)	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

daisy.ubuntu.com

162.213.35.25

IPs

Domain

Country

Malicious

91.200.103.117

yi0key.heleh.com.vn

Germany

Details

IP:	91.200.103.117
TargetID:	-1
Country:	Germany
Countrycode:	DEU
ASN number:	30823
ASN name:	COMBAHTONcombahtonGmbHDE
Private:	false
Domain:	yi0key.heleh.com.vn

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Connects to many ports of the same IP (likely port scanning)	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
URLs found in memory or binary data	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7f28c4429000

page execute read

559299d33000

page execute and read and write

7f2944000000

page read and write

7f28c446e000

page read and write

559297d35000

page read and write

7f294aeea000

page read and write

7f294a528000

page read and write

7ffdfcfe9000

page execute read

7f2949d12000

page read and write

559297d2b000

page read and write

7f294ab9c000

page read and write

7ffdfcec5000

page read and write

55929b8ee000

page read and write

7f294b1fc000

page read and write

7f294a51a000

page read and write

7f28c4479000

page read and write

7f294b241000

page read and write

7f294ab79000

page read and write

7f2944021000

page read and write

559297aa3000

page execute read

7f294a7d8000

page read and write

7f294b1f4000

page read and write

7f294abb9000

page read and write

559299d4a000

page read and write

7f294b0cb000

page read and write

There are 15 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
na.elf

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportna.elf

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
na.elf