Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

na.elf

ELF 32-bit LSB shared object, Intel 80386, version 1 (GNU/Linux), statically linked, no section header

initial sample

Details

Filetype:	ELF 32-bit LSB shared object, Intel 80386, version 1 (GNU/Linux), statically linked, no section header
Entropy:	7.999856524278898
Filename:	na.elf
Filesize:	1647852
MD5:	8087c36ad6c48d8871089112ba7e86c8
SHA1:	f1cab2cf7c94b3b06f23f291d42bc7c1b246dcea
SHA256:	f1f34b7b798f8ec472b69eb5bd196381d749ced4d4a461d563896dfa827c84b6
SHA512:	b6f69551bbf8ba0dfe50aedcf222a457c829f0b47d4b14dd69de39721aa036c827b16bf903242773350b9cd00f3e059db6138adb20cb0d8981c3a73f80d47387
SSDEEP:	24576:iSOMGoq9mdCBgPcpjqnQ9KiDIGpjPEBNNKBDB2qejN8O4xuJsIu7FiiExxg25Kej:owVYqnQ9KSIKTqK7ejNz4UJsteEJs
Preview:	.ELF......................e.4...........4. .............................(.L...................L...L.."..."..........Q.td................................UPX!..........K.!.J.T...........<..?.E.`...X..)....r.}GK....6/....Q.Zl...S..7p......S...l..w....\...\..

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Found strings related to Crypto-Mining	Bitcoin Miner
ELF contains segments with high entropy indicating compressed/encrypted content	Hooking and other Techniques for Hiding and Protection
Enumerates processes within the "proc" file system	Persistence and Installation Behavior	OS Credential Dumping
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Reads system information from the proc file system	Persistence and Installation Behavior	System Information Discovery
Reads the 'hosts' file potentially containing internal network hosts	Networking	File and Directory Discovery
Sample listens on a socket	Networking
Sample tries to kill a process (SIGKILL)	System Summary
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
URLs found in memory or binary data	Networking

/var/spool/cron/crontabs/tmp.NT5FO0

ASCII text

dropped

Details

File:	/var/spool/cron/crontabs/tmp.NT5FO0
Category:	dropped
Dump:	tmp.NT5FO0.22.dr
ID:	dr_2
Target ID:	22
Process:	/usr/bin/crontab
Type:	ASCII text
Entropy:	5.113279828491398
Encrypted:	false
Ssdeep:	6:SUrpqoqQjEOP1KmREJOBFQ3pFOhZHGMQ5UYLtCFt3HY+z:8QjHig83+3eHLUHY+
Size:	195
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Sample tries to persist itself using cron	Persistence and Installation Behavior

/sys/devices/system/node/node0/hugepages/hugepages-1048576kB/nr_hugepages

very short file (no magic)

dropped

Details

File:	/sys/devices/system/node/node0/hugepages/hugepages-1048576kB/nr_hugepages
Category:	dropped
Dump:	nr_hugepages.13.dr
ID:	dr_0
Target ID:	13
Process:	/tmp/na.elf
Type:	very short file (no magic)
Entropy:	0.0
Encrypted:	false
Ssdeep:	3:W:W
Size:	1
Whitelisted:	false
Reputation:	moderate

/sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages

ASCII text, with no line terminators

dropped

Details

File:	/sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages
Category:	dropped
Dump:	nr_hugepages0.13.dr
ID:	dr_1
Target ID:	13
Process:	/tmp/na.elf
Type:	ASCII text, with no line terminators
Entropy:	1.5
Encrypted:	false
Ssdeep:	3:MRV:Mz
Size:	4
Whitelisted:	false
Reputation:	moderate

Processes

Path

Cmdline

Malicious

/tmp/na.elf

/bin/sh

sh -c "command -v crontab >/dev/null 2>&1"

/tmp/na.elf

/bin/sh

sh -c "crontab -r >/dev/null 2>&1; echo \"@reboot /tmp/na.elf\" | crontab -"

/bin/sh

/usr/bin/crontab

crontab -r

/bin/sh

/usr/bin/crontab

crontab -

/tmp/na.elf

/bin/sh

sh -c "command -v php >/dev/null 2>&1"

/tmp/na.elf

/bin/sh

sh -c "command -v nginx >/dev/null 2>&1"

/tmp/na.elf

/bin/sh

sh -c "which apache2"

/bin/sh

/usr/bin/which

which apache2

/tmp/na.elf

/bin/sh

sh -c "which httpd"

/bin/sh

/usr/bin/which

which httpd

/tmp/na.elf

/bin/sh

sh -c "iptables -I INPUT -p tcp --dport 50101 -j ACCEPT >/dev/null 2>&1"

/bin/sh

/usr/sbin/iptables

iptables -I INPUT -p tcp --dport 50101 -j ACCEPT

There are 18 hidden processes, click here to show them.

URLs

Name

Malicious

http://upx.sf.net

unknown

Details

Name:	http://upx.sf.net
TargetID:	12
From Memory:	true
Current Path:	/tmp/na.elf
Source:	na.elf

Signature Hits	Behavior Group	Mitre Attack
Sample is packed with UPX	Data Obfuscation	Obfuscated Files or Information
URLs found in memory or binary data	Networking

https://gcc.gnu.org/bugs/):

unknown

https://xmrig.com/wizard

unknown

https://xmrig.com/wizard%s

unknown

Memdumps

Base Address

Regiontype

Protect

Malicious

f7de0000

page execute read

Details

Name:	5493.1.00000000f7930000.00000000f7de0000.r-x.sdmp
TargetID:	12
Dumpstage:	process exit
Protect:	page execute read
Base address:	f7de0000
Size:	4915200

Signature Hits	Behavior Group	Mitre Attack
Malicious sample detected (through community Yara rule)	System Summary
Yara detected Xmrig cryptocurrency miner	Bitcoin Miner
Found strings related to Crypto-Mining	Bitcoin Miner
Yara signature match	System Summary
URLs found in memory or binary data	Networking

f7930000

page execute read

f7f8b000

page read and write

f7dfd000

page read and write

58362000

page read and write

f7f8f000

page read and write

ffbad000

page read and write

f7f83000

page read and write

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
na.elf

Files

Processes

URLs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportna.elf

Files

Processes

URLs

Memdumps

IOC Report
na.elf