Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

na.elf

ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped

initial sample

Details

Filetype:	ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
Entropy:	6.269781769889728
Filename:	na.elf
Filesize:	125284
MD5:	8a1de97bd5a302571f7cd7cd23ac8ad6
SHA1:	09304aa19c1ff458218098799e844f51e67f671c
SHA256:	8e05d02bfd535a557c2691defd2d30b8d7599e952a06247c7e44554fad54c25a
SHA512:	510647d6f8291fcac13a7a7616a429ae432f3caf4a9b027d697b2ccd5dbb97a1803a650582858ea2124a5e0054e9baffd191b97e2a92d9432ae1467ca0861e7c
SSDEEP:	1536:VaQwt2WOypOJl76R54UqQK0CLKQ0ytHEePVrNVm/W/Zbi9ghp5J1p:VnpKUlQuUpLQeePVrm/WRbi+5J1
Preview:	.ELF.....................@.4...........4. ...(...............@...@...........................B...B.LI..............Q.td............................././"O.n........#.@........#.*@.t...o&O.n...l..............................././.../.a"O.!...n...a.b("...q.

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
URLs found in memory or binary data	Networking

/etc/systemd/system/sbolo.service

ASCII text

dropped

Details

File:	/etc/systemd/system/sbolo.service
Category:	dropped
Dump:	sbolo.service.12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/na.elf
Type:	ASCII text
Entropy:	5.0752139838196015
Encrypted:	false
Ssdeep:	6:z80WuKyRZAMzdK+ann0RJ5R0qG2+GWRo3N+GWRuwuOp+GWRQCdUO9LQmWA4Rv:zNRZAOK+aniRdG2+GWRg+GWRuwjp+GWo
Size:	296
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Found strings indicative of a multi-platform dropper	Spreading	Scripting

/memfd:snapd-env-generator (deleted)

ASCII text

dropped

Details

File:	/memfd:snapd-env-generator (deleted)
Category:	dropped
Dump:	memfd_snapd-env-generator (deleted).19.dr
ID:	dr_2
Target ID:	19
Process:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
Type:	ASCII text
Entropy:	3.7627880354948586
Encrypted:	false
Ssdeep:	3:+M4VMPQnMLmPQ9JEcwwbn:+M4m4MixcZb
Size:	76
Whitelisted:	false
Reputation:	moderate

/tmp/qemu-open.iX82IG (deleted)

data

dropped

Details

File:	/tmp/qemu-open.iX82IG (deleted)
Category:	dropped
Dump:	qemu-open.iX82IG (deleted).13.dr
ID:	dr_1
Target ID:	13
Process:	/tmp/na.elf
Type:	data
Entropy:	3.8100810205217304
Encrypted:	false
Ssdeep:	3:TgBDlT1N:TgB11N
Size:	27
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

/tmp/na.elf

/bin/sh

sh -c "systemctl enable sbolo.service > /dev/null 2>&1"

/bin/sh

/usr/bin/systemctl

systemctl enable sbolo.service

/tmp/na.elf

/usr/lib/systemd/systemd

/usr/lib/systemd/system-environment-generators/snapd-env-generator

URLs

Name

Malicious

http://91.200.103.117/bolubotnetsh4

unknown

http://91.200.103.117/%s

unknown

Domains

Name

Malicious

yi0key.heleh.com.vn

91.200.103.117

Details

Name:	yi0key.heleh.com.vn
IP:	91.200.103.117
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Connects to many ports of the same IP (likely port scanning)	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

daisy.ubuntu.com

162.213.35.25

IPs

Domain

Country

Malicious

91.200.103.117

yi0key.heleh.com.vn

Germany

Details

IP:	91.200.103.117
TargetID:	-1
Country:	Germany
Countrycode:	DEU
ASN number:	30823
ASN name:	COMBAHTONcombahtonGmbHDE
Private:	false
Domain:	yi0key.heleh.com.vn

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Connects to many ports of the same IP (likely port scanning)	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
URLs found in memory or binary data	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7f1a6041a000

page execute read

7f1ae0000000

page read and write

7f1a6042f000

page read and write

7ffe1c6ff000

page read and write

7ffe1c71b000

page execute read

7f1ae70fc000

page read and write

5636b2740000

page read and write

5636b1eb7000

page read and write

7f1ae0021000

page read and write

5636afc84000

page execute read

7f1ae5f2a000

page read and write

7f1ae672d000

page read and write

5636afea2000

page read and write

7f1ae7272000

page read and write

7f1ae673b000

page read and write

7f1ae69ca000

page read and write

7f1ae6db1000

page read and write

7f1ae722d000

page read and write

5636b1ea0000

page execute and read and write

7f1a6043a000

page read and write

5636afe9a000

page read and write

7f1ae7225000

page read and write

7f1ae6d8c000

page read and write

There are 13 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
na.elf

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportna.elf

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
na.elf