Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

na.elf

ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), statically linked, no section header

initial sample

Details

Filetype:	ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), statically linked, no section header
Entropy:	7.999848912152324
Filename:	na.elf
Filesize:	1689336
MD5:	318f9a39031c063412d184252bbfdd1b
SHA1:	8442551ca6adeff417ad96630ec256d9cac388be
SHA256:	16782165ceb9ac6ac5e8d6db387de9c18b9c214031ef36c0b092f9314342414a
SHA512:	4a84c65e734c313f185948c4d4c89f33290c38fd03a28c3d77a306fd1ad7c4702f5e4793b5289576726708755b000d7d71c0c17f84476d11c1ba9516cfbae10e
SSDEEP:	49152:gKjefDkLjKZKNI/5cZH30UwRDfDKPtKNqKlQwH:gWefoLjKUNIB6X0zRDxNq/8
Preview:	.ELF..............>.....X0......@...................@.8.................................................Pwf...............................f.......f.............................Q.td.......................................................$UPX!L........wE...C

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Found strings related to Crypto-Mining	Bitcoin Miner
Sample reads /proc/mounts (often used for finding a writable filesystem)	Persistence and Installation Behavior
Writes to CPU model specific registers (MSR) (e.g. miners improve performance by disabling HW prefetcher)	Bitcoin Miner
ELF contains segments with high entropy indicating compressed/encrypted content	Hooking and other Techniques for Hiding and Protection	Obfuscated Files or Information
Enumerates processes within the "proc" file system	Persistence and Installation Behavior	OS Credential Dumping
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Reads CPU information from /proc indicative of miner or evasive malware	Bitcoin Miner, Malware Analysis System Evasion
Reads CPU information from /sys indicative of miner or evasive malware	Bitcoin Miner, Malware Analysis System Evasion	System Information Discovery
Reads system information from the proc file system	Persistence and Installation Behavior
Reads the 'hosts' file potentially containing internal network hosts	Networking	File and Directory Discovery
Sample listens on a socket	Networking
Sample tries to kill a process (SIGKILL)	System Summary
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
URLs found in memory or binary data	Networking

/var/spool/cron/crontabs/tmp.sQeN7r

ASCII text

dropped

Details

File:	/var/spool/cron/crontabs/tmp.sQeN7r
Category:	dropped
Dump:	tmp.sQeN7r.22.dr
ID:	dr_2
Target ID:	22
Process:	/usr/bin/crontab
Type:	ASCII text
Entropy:	5.089740903025843
Encrypted:	false
Ssdeep:	6:SUrpqoqQjEOP1KmREJOBFQ3pFBXVBMvZHGMQ5UYLtCFt3HY+z:8QjHig83RXgJeHLUHY+
Size:	195
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Sample tries to persist itself using cron	Persistence and Installation Behavior

/sys/devices/system/node/node0/hugepages/hugepages-1048576kB/nr_hugepages

very short file (no magic)

dropped

Details

File:	/sys/devices/system/node/node0/hugepages/hugepages-1048576kB/nr_hugepages
Category:	dropped
Dump:	nr_hugepages.13.dr
ID:	dr_0
Target ID:	13
Process:	/tmp/na.elf
Type:	very short file (no magic)
Entropy:	0.0
Encrypted:	false
Ssdeep:	3:W:W
Size:	1
Whitelisted:	false
Reputation:	moderate

/sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages

ASCII text, with no line terminators

dropped

Details

File:	/sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages
Category:	dropped
Dump:	nr_hugepages0.13.dr
ID:	dr_1
Target ID:	13
Process:	/tmp/na.elf
Type:	ASCII text, with no line terminators
Entropy:	1.5
Encrypted:	false
Ssdeep:	3:MRV:Mz
Size:	4
Whitelisted:	false
Reputation:	moderate

Processes

Path

Cmdline

Malicious

/tmp/na.elf

/bin/sh

sh -c "command -v crontab >/dev/null 2>&1"

/tmp/na.elf

/bin/sh

sh -c "crontab -r >/dev/null 2>&1; echo \"@reboot /tmp/na.elf\" | crontab -"

/bin/sh

/usr/bin/crontab

crontab -r

/bin/sh

/usr/bin/crontab

crontab -

/tmp/na.elf

/bin/sh

sh -c "command -v php >/dev/null 2>&1"

/tmp/na.elf

/bin/sh

sh -c "command -v nginx >/dev/null 2>&1"

/tmp/na.elf

/bin/sh

sh -c "which apache2"

/bin/sh

/usr/bin/which

which apache2

/tmp/na.elf

/bin/sh

sh -c "which httpd"

/bin/sh

/usr/bin/which

which httpd

/tmp/na.elf

/bin/sh

sh -c "iptables -I INPUT -p tcp --dport 60601 -j ACCEPT >/dev/null 2>&1"

/bin/sh

/usr/sbin/iptables

iptables -I INPUT -p tcp --dport 60601 -j ACCEPT

/tmp/na.elf

/bin/sh

sh -c "/sbin/modprobe msr allow_writes=on > /dev/null 2>&1"

/bin/sh

/sbin/modprobe

/sbin/modprobe msr allow_writes=on

There are 22 hidden processes, click here to show them.

URLs

Name

Malicious

http://upx.sf.net

unknown

Details

Name:	http://upx.sf.net
TargetID:	12
From Memory:	true
Current Path:	/tmp/na.elf
Source:	na.elf

Signature Hits	Behavior Group	Mitre Attack
Sample is packed with UPX	Data Obfuscation	Obfuscated Files or Information
URLs found in memory or binary data	Networking

https://xmrig.com/wizard

unknown

https://gcc.gnu.org/bugsNSt7__cxx1115basic_stringbufIcSt11char_traitsIcESaIcEEENSt7__cxx1119basic_is

unknown

https://gcc.gnu.org/bugs

unknown

https://xmrig.com/wizard%s

unknown

Memdumps

Base Address

Regiontype

Protect

Malicious

7f1da4756000

page execute read

7f1da4b10000

page read and write

7f1da4b1a000

page read and write

7f1da4b0d000

page execute read

7ffcdbe36000

page read and write

7f1da4b1d000

page read and write

5555562d0000

page read and write

7ffcdbf99000

page execute read

7f1da4981000

page read and write

7f1da4aed000

page read and write

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
na.elf

Files

Processes

URLs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportna.elf

Files

Processes

URLs

Memdumps

IOC Report
na.elf