Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

ssk7Ah3h5D.elf

ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped

initial sample

Details

Filetype:	ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
Entropy:	5.919366869975419
Filename:	ssk7Ah3h5D.elf
Filesize:	46488
MD5:	261d2f20496314ed0d2c0f61fff32168
SHA1:	e950602f9aa98aeee313f1da6667f812173dd981
SHA256:	04142d7f8d6a95f13b4abeca0d6ca747eecc1390d4aa929db0f08310fb596745
SHA512:	bb275d61f4524c6f07e5c1efd855d044bd5ee0b6f24e12a464206c69cfa8b23db59c09a0fc3d1219fd5532ebc499dfd69c6a3d7d41b3f8c72b480f92b7862db4
SSDEEP:	768:dXd2Q45NNn6lQvagWqqyHSXbtCnm/TdJDuwD6JRgRm0+wsOtcfWdKQXLGpb:VNBC6IEfDYS7+YmWdH
Preview:	.ELF...a..........(.........4...........4. ...(.....................................................4....S..........Q.td..................................-...L."...R*..........0@-.\P...0....S.0...P@...0... ....R......0...0...........0... ....R..... 0....S

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Enumerates processes within the "proc" file system	Persistence and Installation Behavior	OS Credential Dumping
Sample listens on a socket	Networking
Sample tries to kill a process (SIGKILL)	System Summary
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion

/run/user/127/dconf/user

very short file (no magic)

dropped

Details

File:	/run/user/127/dconf/user
Category:	dropped
Dump:	user.19.dr
ID:	dr_0
Target ID:	19
Process:	/usr/libexec/gsd-sharing
Type:	very short file (no magic)
Entropy:	0.0
Encrypted:	false
Ssdeep:	3::
Size:	1
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

/tmp/ssk7Ah3h5D.elf

/usr/libexec/gnome-session-binary

/bin/sh

/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-sharing

/usr/libexec/gsd-sharing

/usr/libexec/gnome-session-binary

/bin/sh

/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/bin/gnome-shell

/usr/bin/gnome-shell

/usr/sbin/gdm3

/etc/gdm3/PrimeOff/Default

/usr/sbin/gdm3

/etc/gdm3/PrimeOff/Default

/usr/lib/systemd/systemd

/lib/systemd/systemd-user-runtime-dir

/lib/systemd/systemd-user-runtime-dir stop 127

There are 5 hidden processes, click here to show them.

Domains

Name

Malicious

subcarrace.indy. [malformed]

unknown

daisy.ubuntu.com

162.213.35.25

fortyfivehundred.dyn

unknown

IPs

Domain

Country

Malicious

154.205.144.234

unknown

Seychelles

Details

IP:	154.205.144.234
TargetID:	-1
Country:	Seychelles
Countrycode:	SYC
ASN number:	26484
ASN name:	IKGUL-26484US
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to many ports of the same IP (likely port scanning)	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

162.243.19.47

unknown

United States

Details

IP:	162.243.19.47
TargetID:	-1
Country:	United States
Countrycode:	USA
ASN number:	14061
ASN name:	DIGITALOCEAN-ASNUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

116.203.104.203

unknown

Germany

Details

IP:	116.203.104.203
TargetID:	-1
Country:	Germany
Countrycode:	DEU
ASN number:	24940
ASN name:	HETZNER-ASDE
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7f9fc8021000

page read and write

565309558000

page read and write

7f9fd0091000

page read and write

7fff46119000

page execute read

56530b56d000

page read and write

7f9fcfd2f000

page read and write

5653092fe000

page execute read

7f9fd02fc000

page read and write

7f9ec8032000

page read and write

7f9fd031f000

page read and write

7f9fcfc9d000

page read and write

7f9fd0977000

page read and write

7fff460ae000

page read and write

56530b556000

page execute and read and write

7f9ec802b000

page read and write

7f9fd084e000

page read and write

7f9fc7fff000

page read and write

7f9fd099b000

page read and write

56530954f000

page read and write

56530cbd7000

page read and write

7f9fd048b000

page read and write

7f9ec8023000

page execute read

7f9fcf495000

page read and write

7f9fd066d000

page read and write

7f9fd09e0000

page read and write

There are 15 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
ssk7Ah3h5D.elf

Files

Processes

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportssk7Ah3h5D.elf

Files

Processes

Domains

IPs

Memdumps

IOC Report
ssk7Ah3h5D.elf