Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

/tmp/Cr8Dw4Ybgh.elf

/usr/bin/xfce4-panel

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libsystray.so 6 12582920 systray "Notification Area" "Area where notification icons appear"

/usr/bin/xfce4-panel

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libstatusnotifier.so 7 12582921 statusnotifier "Status Notifier Plugin" "Provides a panel area for status notifier items (application indicators)"

/usr/bin/xfce4-panel

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libpulseaudio-plugin.so 8 12582922 pulseaudio "PulseAudio Plugin" "Adjust the audio volume of the PulseAudio sound system"

/usr/bin/xfce4-panel

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libxfce4powermanager.so 9 12582923 power-manager-plugin "Power Manager Plugin" "Display the battery levels of your devices and control the brightness of your display"

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0

/usr/sbin/xfpm-power-backlight-helper

/usr/sbin/xfpm-power-backlight-helper --get-max-brightness

/usr/bin/xfce4-panel

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libnotification-plugin.so 10 12582924 notification-plugin "Notification Plugin" "Notification plugin for the Xfce panel"

/usr/bin/xfce4-panel

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libactions.so 14 12582925 actions "Action Buttons" "Log out, lock or other system actions"

/usr/bin/dbus-daemon

/usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd

/usr/lib/systemd/systemd

/usr/lib/x86_64-linux-gnu/xfce4/notifyd/xfce4-notifyd

There are 12 hidden processes, click here to show them.

URLs

Name

Malicious

http://upx.sf.net

unknown

Details

Name:	http://upx.sf.net
TargetID:	12
From Memory:	true
Current Path:	/tmp/Cr8Dw4Ybgh.elf
Source:	Cr8Dw4Ybgh.elf

Signature Hits	Behavior Group	Mitre Attack
Sample is packed with UPX	Data Obfuscation	Obfuscated Files or Information
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

37.221.93.146

unknown

Germany

Details

IP:	37.221.93.146
TargetID:	-1
Country:	Germany
Countrycode:	DEU
ASN number:	395800
ASN name:	GBTCLOUDUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

109.202.202.202

unknown

Switzerland

Details

IP:	109.202.202.202
TargetID:	-1
Country:	Switzerland
Countrycode:	CHE
ASN number:	13030
ASN name:	INIT7CH
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.43

unknown

United Kingdom

Details

IP:	91.189.91.43
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.42

unknown

United Kingdom

Details

IP:	91.189.91.42
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7f62d8412000

page execute read

7f62d8412000

page execute read

7f62d8412000

page execute read

7f6360bfd000

page read and write

560ae7523000

page read and write

7ffe2fd95000

page read and write

560ae7291000

page execute read

7f6361255000

page read and write

7f636057b000

page read and write

560aeaea9000

page read and write

7f6360bfd000

page read and write

7f6358000000

page read and write

560ae9538000

page read and write

7f6358021000

page read and write

7f6361255000

page read and write

7f636125d000

page read and write

7f63612a2000

page read and write

560ae7519000

page read and write

7f6360f4b000

page read and write

7f636112c000

page read and write

560ae7519000

page read and write

7f6358021000

page read and write

7f6360c1a000

page read and write

560ae7291000

page execute read

7ffe2fde9000

page execute read

560aeaea9000

page read and write

7f6358000000

page read and write

560ae9538000

page read and write

7f6360839000

page read and write

7f6360f4b000

page read and write

7f62d8454000

page read and write

560ae7519000

page read and write

7f6360c1a000

page read and write

7f636057b000

page read and write

560ae9521000

page execute and read and write

7ffe2fde9000

page execute read

7f62d8454000

page read and write

7f635fd73000

page read and write

7f63612a2000

page read and write

7f6360839000

page read and write

7f63612a2000

page read and write

7f6360589000

page read and write

7f635fd73000

page read and write

7f6360f4b000

page read and write

7f6360bda000

page read and write

560ae9538000

page read and write

560ae9521000

page execute and read and write

7f6358000000

page read and write

7f6360839000

page read and write

7f6358021000

page read and write

7f6360bfd000

page read and write

7f62d8140000

page execute and read and write

7f635fd73000

page read and write

7f62d8454000

page read and write

560aeaea9000

page read and write

7f6361255000

page read and write

7f6360c1a000

page read and write

7f62d8140000

page execute and read and write

7ffe2fd95000

page read and write

7f6360589000

page read and write

7f6360bda000

page read and write

560ae7291000

page execute read

7f6360bda000

page read and write

7f636125d000

page read and write

7f636112c000

page read and write

7f636125d000

page read and write

7f6360589000

page read and write

7ffe2fd95000

page read and write

7f636112c000

page read and write

7f62d8140000

page execute and read and write

7ffe2fde9000

page execute read

7f636057b000

page read and write

560ae9521000

page execute and read and write

560ae7523000

page read and write

560ae7523000

page read and write

There are 65 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Cr8Dw4Ybgh.elf

Processes

URLs

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportCr8Dw4Ybgh.elf

Processes

URLs

IPs

Memdumps

IOC Report
Cr8Dw4Ybgh.elf