Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

4LbWi40g57.elf

ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped

initial sample

Details

Filetype:	ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
Entropy:	5.919290729503602
Filename:	4LbWi40g57.elf
Filesize:	46488
MD5:	47c38dfe1d4d3661c6216b5be3b48bea
SHA1:	64b780eddfabbf48d8f8c29cfa4ece8f5b93d092
SHA256:	ef069f81e2fbf94c1bba6f5de1acf95ad5b0b236dd8a931765b2dd9b0a877c3f
SHA512:	2efa477ae9822fe0df2daf539a04b56b957a382d89a7be41aa4efcbcd8b1cdb382e5bd05cbb3ff3f2327f971dc6a208fd84bc322aacddb1a315ec1e2af82e911
SSDEEP:	768:HXd2Q45NNn6lQvagWqqyHSXbtCnm/TdJDuwD6JRgRm0+wsOtcfWdKQXLGpb:3NBC6IEfDYS7+YmWdH
Preview:	.ELF...a..........(.........4...........4. ...(.....................................................4....S..........Q.td..................................-...L."...R*..........0@-.\P...0....S.0...P@...0... ....R......0...0...........0... ....R..... 0....S

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Enumerates processes within the "proc" file system	Persistence and Installation Behavior	OS Credential Dumping
Sample listens on a socket	Networking
Sample tries to kill a process (SIGKILL)	System Summary
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion

/run/user/127/dconf/user

very short file (no magic)

dropped

Details

File:	/run/user/127/dconf/user
Category:	dropped
Dump:	user.20.dr
ID:	dr_0
Target ID:	20
Process:	/usr/libexec/gsd-sharing
Type:	very short file (no magic)
Entropy:	0.0
Encrypted:	false
Ssdeep:	3::
Size:	1
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

/tmp/4LbWi40g57.elf

/usr/libexec/gnome-session-binary

/bin/sh

/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/bin/gnome-shell

/usr/bin/gnome-shell

/usr/libexec/gnome-session-binary

/bin/sh

/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-sharing

/usr/libexec/gsd-sharing

/usr/sbin/gdm3

/etc/gdm3/PrimeOff/Default

/usr/sbin/gdm3

/etc/gdm3/PrimeOff/Default

/usr/lib/systemd/systemd

/lib/systemd/systemd-user-runtime-dir

/lib/systemd/systemd-user-runtime-dir stop 127

There are 5 hidden processes, click here to show them.

Domains

Name

Malicious

daisy.ubuntu.com

162.213.35.24

subcarrace.indy

154.223.21.228

Details

Name:	subcarrace.indy
IP:	154.223.21.228
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

185.125.190.26

unknown

United Kingdom

Details

IP:	185.125.190.26
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

154.223.21.228

subcarrace.indy

Seychelles

Details

IP:	154.223.21.228
TargetID:	-1
Country:	Seychelles
Countrycode:	SYC
ASN number:	134705
ASN name:	ITACE-AS-APItaceInternationalLimitedHK
Private:	false
Domain:	subcarrace.indy

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

Memdumps

Base Address

Regiontype

Protect

Malicious

7f04a1fae000

page read and write

56446f2c6000

page read and write

7f049c021000

page read and write

7ffcefc77000

page read and write

7f04a1c4c000

page read and write

7f039c023000

page execute read

56446cec3000

page execute read

56446d11d000

page read and write

7f04a276b000

page read and write

56446d114000

page read and write

7ffcefc86000

page execute read

7f04a2219000

page read and write

7f04a28b8000

page read and write

7f04a223c000

page read and write

7f049bfff000

page read and write

7f039c02b000

page read and write

56446f132000

page read and write

7f039c032000

page read and write

7f04a13b2000

page read and write

7f04a1bba000

page read and write

7f04a23a8000

page read and write

7f04a28fd000

page read and write

7f04a2894000

page read and write

7f04a258a000

page read and write

56446f11b000

page execute and read and write

There are 15 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
4LbWi40g57.elf

Files

Processes

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report4LbWi40g57.elf

Files

Processes

Domains

IPs

Memdumps

IOC Report
4LbWi40g57.elf