Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

na.elf

ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (GNU/Linux), statically linked, no section header

initial sample

Details

Filetype:	ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (GNU/Linux), statically linked, no section header
Entropy:	7.904015995642778
Filename:	na.elf
Filesize:	21884
MD5:	3b3f85f01e0fc3cf044cfea14fd749be
SHA1:	ff38e477413b761dbec67713a33a55f8c647d1ff
SHA256:	cae65662731317b91dc9db5d904aed3dd25d2ef3af704b0108ef88dc793c9cd6
SHA512:	1e4b342710e9850151ca941c29467fe5b76aaa5f13a226e40829edab4633d9f4a03e39bd21b65c058a5078fac6e5c9dbc62ab12b6df833cb9211feea4c5b429b
SSDEEP:	384:m/JywWc84Tp2YshxqlDeAkSqjGJLeCE5zRW6C52M4uVcqgw05VxJb:mRxsSVsMD6xiJJE5zRWNf4uVcqgw09V
Preview:	.ELF......................B....4.........4. ...(......................Tx..Tx...............D...D...D................dt.Q................................UPX!...........\...\.......R.......?.E.h4...@b............./.}....D*aN.........t.w..X.^6>....d........+

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Sample tries to kill multiple processes (SIGKILL)	System Summary	Service Stop
ELF contains segments with high entropy indicating compressed/encrypted content	Hooking and other Techniques for Hiding and Protection	Obfuscated Files or Information
Enumerates processes within the "proc" file system	Persistence and Installation Behavior	OS Credential Dumping
Sample tries to kill a process (SIGKILL)	System Summary
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
URLs found in memory or binary data	Networking

/home/saturnino/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-panel.xml.new

XML 1.0 document, ASCII text

dropped

Details

File:	/home/saturnino/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-panel.xml.new
Category:	dropped
Dump:	xfce4-panel.xml.new.35.dr
ID:	dr_0
Target ID:	35
Process:	/usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd
Type:	XML 1.0 document, ASCII text
Entropy:	4.457618060812407
Encrypted:	false
Ssdeep:	96:R14GBdYLSNUH+ZAFQrSRR6dn0tWlTDFwIfM/vfzPpjT9I3jZ/qeH2Wg:74GnYLSNUH+ZAyrSRRYn0taTDKIfMPzv
Size:	5128
Whitelisted:	false
Reputation:	moderate

Processes

Path

Cmdline

Malicious

/usr/bin/dash

/usr/bin/rm

rm -f /tmp/tmp.p93StxAWxs /tmp/tmp.HsCnpj9K50 /tmp/tmp.BA327CyFUO

/usr/bin/dash

/usr/bin/rm

rm -f /tmp/tmp.p93StxAWxs /tmp/tmp.HsCnpj9K50 /tmp/tmp.BA327CyFUO

/tmp/na.elf

/usr/bin/xfce4-panel

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libsystray.so 6 12582920 systray "Notification Area" "Area where notification icons appear"

/usr/bin/xfce4-panel

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libstatusnotifier.so 7 12582921 statusnotifier "Status Notifier Plugin" "Provides a panel area for status notifier items (application indicators)"

/usr/bin/xfce4-panel

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libpulseaudio-plugin.so 8 12582922 pulseaudio "PulseAudio Plugin" "Adjust the audio volume of the PulseAudio sound system"

/usr/bin/xfce4-panel

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libxfce4powermanager.so 9 12582923 power-manager-plugin "Power Manager Plugin" "Display the battery levels of your devices and control the brightness of your display"

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0

/usr/sbin/xfpm-power-backlight-helper

/usr/sbin/xfpm-power-backlight-helper --get-max-brightness

/usr/bin/xfce4-panel

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libnotification-plugin.so 10 12582924 notification-plugin "Notification Plugin" "Notification plugin for the Xfce panel"

/usr/bin/xfce4-panel

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libactions.so 14 12582925 actions "Action Buttons" "Log out, lock or other system actions"

/usr/bin/dbus-daemon

/usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd

/usr/lib/systemd/systemd

/usr/lib/x86_64-linux-gnu/xfce4/notifyd/xfce4-notifyd

There are 16 hidden processes, click here to show them.

URLs

Name

Malicious

http://upx.sf.net

unknown

Details

Name:	http://upx.sf.net
TargetID:	16
From Memory:	true
Current Path:	/tmp/na.elf
Source:	na.elf

Signature Hits	Behavior Group	Mitre Attack
Sample is packed with UPX	Data Obfuscation	Obfuscated Files or Information
URLs found in memory or binary data	Networking

Domains

Name

Malicious

daisy.ubuntu.com

162.213.35.25

IPs

Domain

Country

Malicious

185.125.190.26

unknown

United Kingdom

Details

IP:	185.125.190.26
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

188.212.158.45

unknown

Romania

Details

IP:	188.212.158.45
TargetID:	-1
Country:	Romania
Countrycode:	ROU
ASN number:	6910
ASN name:	DIALTELECOMRO
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7f88ec00d000

page execute read

7f89e3217000

page read and write

7f88ec020000

page read and write

7f89dc000000

page read and write

5617b9152000

page read and write

7f88ec00e000

page execute and read and write

7f89e3a28000

page read and write

7f89e3cb7000

page read and write

7f89e409e000

page read and write

7f89e3217000

page read and write

5617b913c000

page execute and read and write

7f89e451a000

page read and write

5617b713e000

page read and write

5617b9152000

page read and write

7f89e3cb7000

page read and write

7f89e4079000

page read and write

7f89e3a1a000

page read and write

7fff28f29000

page read and write

7f89e3cb7000

page read and write

5617b9217000

page read and write

7fff28f29000

page read and write

5617b913c000

page execute and read and write

7f88ec007000

page execute and read and write

5617b913c000

page execute and read and write

7f88ec00e000

page execute and read and write

7f89dc000000

page read and write

7f89e4079000

page read and write

5617b9152000

page read and write

5617b9217000

page read and write

7f88ec020000

page read and write

7f89e4512000

page read and write

7f89e4512000

page read and write

7f89e43e9000

page read and write

7f89dc021000

page read and write

5617b6eb3000

page execute read

7f89e455f000

page read and write

7f89e3a28000

page read and write

7f89e4512000

page read and write

7fff28fa8000

page execute read

5617b713e000

page read and write

7f89e3217000

page read and write

5617b6eb3000

page execute read

5617b713e000

page read and write

7f88ec00d000

page execute read

7f89e43e9000

page read and write

5617b7136000

page read and write

7f89e3a28000

page read and write

7f88ec002000

page execute read

7f89e455f000

page read and write

7fff28fa8000

page execute read

5617b7136000

page read and write

7f89e409e000

page read and write

7f89e451a000

page read and write

7f88ec020000

page read and write

5617b9217000

page read and write

7f88ec007000

page execute and read and write

5617b6eb3000

page execute read

7f89e455f000

page read and write

5617b7136000

page read and write

7f89e451a000

page read and write

7f89dc021000

page read and write

7f89dc021000

page read and write

7f89e3a1a000

page read and write

7fff28f29000

page read and write

7f89dc000000

page read and write

7f89e4079000

page read and write

7f88ec00e000

page execute and read and write

7fff28fa8000

page execute read

7f88ec002000

page execute read

7f88ec00d000

page execute read

7f88ec007000

page execute and read and write

7f89e43e9000

page read and write

7f89e409e000

page read and write

7f89e3a1a000

page read and write

7f88ec002000

page execute read

There are 65 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
na.elf

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportna.elf

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
na.elf