Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

SYoMGYCkDG.elf

ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, not stripped

initial sample

Details

Filetype:	ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, not stripped
Entropy:	6.309384593544864
Filename:	SYoMGYCkDG.elf
Filesize:	161741
MD5:	7b5efc69d9d1010e7afe290236ace207
SHA1:	8caaf963a63f5983cbfeae5db54cfd21628ba53d
SHA256:	41d996b9f378244771954f478f5790e72009dfce3e4aad7d1035793bd08d2ac2
SHA512:	f1ea87e2d43222a6ed466e2931f1c9734ca3fe1febb754e7b2df6b633937980656a320d7371e2ab88ec1a8a35ce07cb6d7c11d383c88ebd47fdc40372e4319bb
SSDEEP:	3072:KN6x6sUSIRD3us+PB5ht+UTHmRsSiSh3n:KN6x6/XkxB5htvHmRsSiSh3n
Preview:	.ELF...........................4...$.....4. ...(..........................................................t................d...d...d................dt.Q.............................!..\|......$H...H......$8!. \|...N.. .!..\|.......?..........4..../...@..`= .

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Opens /proc/net/* files useful for finding connected devices and routers	Spreading	Remote System Discovery
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
Yara signature match	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
URLs found in memory or binary data	Networking

/tmp/qemu-open.Y54pMM (deleted)

ASCII text

dropped

Details

File:	/tmp/qemu-open.Y54pMM (deleted)
Category:	dropped
Dump:	qemu-open.Y54pMM (deleted).12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/SYoMGYCkDG.elf
Type:	ASCII text
Entropy:	3.709552666863289
Encrypted:	false
Ssdeep:	6:iekrEcvwAsE5KlwSd4pzKaV6Lpms/a/1VCxGF:ur+m5MwSdIKaV6L1adVRF
Size:	230
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

/tmp/SYoMGYCkDG.elf

/usr/bin/dash

/usr/bin/rm

rm -f /tmp/tmp.SRW62QzKFs /tmp/tmp.PYYO00TAbo /tmp/tmp.kVqVH3y4Dp

/usr/bin/dash

/usr/bin/rm

rm -f /tmp/tmp.SRW62QzKFs /tmp/tmp.PYYO00TAbo /tmp/tmp.kVqVH3y4Dp

URLs

Name

Malicious

162.215.219.170:4444

Details

Name:	162.215.219.170:4444
TargetID:	0
From Memory:	false
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

http://www.baidu.com/search/spider.html)

unknown

http://www.billybobbot.com/crawler/)

unknown

http://fast.no/support/crawler.asp)

unknown

http://feedback.redkolibri.com/

unknown

http://www.baidu.com/search/spider.htm)

unknown

Domains

Name

Malicious

daisy.ubuntu.com

162.213.35.25

IPs

Domain

Country

Malicious

162.215.219.170

unknown

United States

Details

IP:	162.215.219.170
TargetID:	-1
Country:	United States
Countrycode:	USA
ASN number:	46606
ASN name:	UNIFIEDLAYER-AS-1US
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

54.217.10.153

unknown

United States

Memdumps

Base Address

Regiontype

Protect

Malicious

7fb258022000

page execute read

7fb258022000

page execute read

563965163000

page read and write

7fb350bda000

page read and write

7fb258032000

page execute and read and write

7fb25803a000

page read and write

7fb34fa08000

page read and write

563961bff000

page read and write

7fb3504a8000

page read and write

7fb35020b000

page read and write

563961974000

page execute read

7ffd5558b000

page execute read

563961bf7000

page read and write

563963c13000

page read and write

7fb258039000

page execute and read and write

7fb35086a000

page read and write

7fb350219000

page read and write

7fb25803a000

page read and write

7fb350bda000

page read and write

7ffd55515000

page read and write

7fb35088f000

page read and write

7fb35086a000

page read and write

7fb3504a8000

page read and write

563961974000

page execute read

7fb350d0b000

page read and write

563961bff000

page read and write

7ffd55515000

page read and write

563963bfd000

page execute and read and write

7ffd5558b000

page execute read

7fb350d03000

page read and write

7fb258039000

page execute and read and write

7fb348021000

page read and write

563965163000

page read and write

563963bfd000

page execute and read and write

7fb350d50000

page read and write

7fb350d50000

page read and write

7fb35020b000

page read and write

7fb348021000

page read and write

7fb350d0b000

page read and write

7fb348000000

page read and write

563961bf7000

page read and write

7fb350219000

page read and write

7fb350d03000

page read and write

7fb348000000

page read and write

563963c13000

page read and write

7fb258032000

page execute and read and write

7fb35088f000

page read and write

7fb34fa08000

page read and write

There are 38 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
SYoMGYCkDG.elf

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportSYoMGYCkDG.elf

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
SYoMGYCkDG.elf