IOC Report
na.elf


Files

File Path | Type | Category | Malicious
na.elf | ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped | initial sample | malicious
/home/saturnino/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-panel.xml.new | XML 1.0 document, ASCII text | dropped |

Processes

Path | Cmdline | Malicious
/tmp/na.elf | /tmp/na.elf |
/tmp/na.elf | - |
/tmp/na.elf | - |
/tmp/na.elf | - |
/usr/bin/xfce4-panel | - |
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 | /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libsystray.so 6 12582920 systray "Notification Area" "Area where notification icons appear" |
/usr/bin/xfce4-panel | - |
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 | /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libstatusnotifier.so 7 12582921 statusnotifier "Status Notifier Plugin" "Provides a panel area for status notifier items (application indicators)" |
/usr/bin/xfce4-panel | - |
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 | /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libpulseaudio-plugin.so 8 12582922 pulseaudio "PulseAudio Plugin" "Adjust the audio volume of the PulseAudio sound system" |
/usr/bin/xfce4-panel | - |
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 | /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libxfce4powermanager.so 9 12582923 power-manager-plugin "Power Manager Plugin" "Display the battery levels of your devices and control the brightness of your display" |
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 | - |
/usr/sbin/xfpm-power-backlight-helper | /usr/sbin/xfpm-power-backlight-helper --get-max-brightness |
/usr/bin/xfce4-panel | - |
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 | /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libnotification-plugin.so 10 12582924 notification-plugin "Notification Plugin" "Notification plugin for the Xfce panel" |
/usr/bin/xfce4-panel | - |
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 | /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libactions.so 14 12582925 actions "Action Buttons" "Log out, lock or other system actions" |
/usr/bin/dbus-daemon | - |
/usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd | /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd |
/usr/lib/systemd/systemd | - |
/usr/lib/x86_64-linux-gnu/xfce4/notifyd/xfce4-notifyd | /usr/lib/x86_64-linux-gnu/xfce4/notifyd/xfce4-notifyd |
12 further processes are not shown in this report.

Domains

Name | IP | Malicious
daisy.ubuntu.com | 162.213.35.25 |

IPs

IP | Domain | Country | Malicious
188.212.158.45 | unknown | Romania |

Memdumps
