Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

na.elf

initial sample

Details

Entropy:	5.489955411861713
Filename:	na.elf
Filesize:	214648
MD5:	bd1cb39a21234fda4d5883cf1e4d4af9
SHA1:	1649a12fe78692fd297c546730dea2719c363e32
SHA256:	4b39eab08424fd75aa2135166cc0b123d69d9ab7c0714ba98c56beb1a6e969ad
SHA512:	a55993a479fce59d5bf8e8e24cdda2978078f025942fa80dcb8a1e6343be798095f25471bc88e07614fd5d276d6711b8a8638727a2b41f66fc45e6b939e9a7f6
SSDEEP:	3072:3XC9j6w2ZQgoYJlQeRmhDvy2uSNbtmWu+R9ask0QcYb+5hRBg1cmrpy6n9Nn:3SDCzcYb+5hR5mrpy6n9Nn
Preview:	.ELF.....................@.....4.........4. ...(....p........@...@...........................@...@.....P...P.................C...C.........................D.C.D.C.D................dt.Q.................................................D.P<...'.-d...!'......

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Opens /proc/net/* files useful for finding connected devices and routers	Spreading	Remote System Discovery
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
Yara signature match	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
URLs found in memory or binary data	Networking

/tmp/qemu-open.sjtPX8 (deleted)

ASCII text

dropped

Details

File:	/tmp/qemu-open.sjtPX8 (deleted)
Category:	dropped
Dump:	qemu-open.sjtPX8 (deleted).12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/na.elf
Type:	ASCII text
Entropy:	3.709552666863289
Encrypted:	false
Ssdeep:	6:iekrEcvwAsE5KlwSd4pzKaV6Lpms/a/1VCxGF:ur+m5MwSdIKaV6L1adVRF
Size:	230
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

/tmp/na.elf

URLs

Name

Malicious

93.123.85.167:77

Details

Name:	93.123.85.167:77
TargetID:	0
From Memory:	false
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

http://www.baidu.com/search/spider.html)

unknown

http://www.billybobbot.com/crawler/)

unknown

http://fast.no/support/crawler.asp)

unknown

http://feedback.redkolibri.com/

unknown

http://www.baidu.com/search/spider.htm)

unknown

Domains

Name

Malicious

daisy.ubuntu.com

162.213.35.25

IPs

Domain

Country

Malicious

93.123.85.167

unknown

Bulgaria

Details

IP:	93.123.85.167
TargetID:	-1
Country:	Bulgaria
Countrycode:	BGR
ASN number:	43561
ASN name:	NET1-ASBG
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7f4f4c42a000

page execute read

7f4f4c42a000

page execute read

7f4fd4348000

page read and write

7f4fcc000000

page read and write

55935e1d8000

page execute and read and write

7f4fd41d2000

page read and write

7f4fd3621000

page read and write

7f4fd3ca3000

page read and write

7f4fd3cc0000

page read and write

7f4fd3ff1000

page read and write

7fff7b8e3000

page read and write

55935c1d0000

page read and write

7f4fcc000000

page read and write

7f4fd38df000

page read and write

7f4f4c43c000

page read and write

7f4fd4303000

page read and write

7f4fd362f000

page read and write

7fff7b9b1000

page execute read

7f4fd3cc0000

page read and write

7f4fd42fb000

page read and write

7f4fd3ff1000

page read and write

7f4f4c43c000

page read and write

7f4f4c444000

page read and write

7f4fd41d2000

page read and write

7f4fd4303000

page read and write

55935e1d8000

page execute and read and write

7f4fd3c80000

page read and write

7f4fd362f000

page read and write

55935e1ef000

page read and write

7f4fd38df000

page read and write

55935c1da000

page read and write

7f4fd4348000

page read and write

7fff7b8e3000

page read and write

7f4fd3c80000

page read and write

7f4fcc021000

page read and write

55935c1da000

page read and write

7f4fd2e19000

page read and write

7f4fcc021000

page read and write

7fff7b9b1000

page execute read

7f4fd2e19000

page read and write

55935f844000

page read and write

7f4fd3621000

page read and write

7f4f4c444000

page read and write

55935bf48000

page execute read

55935e1ef000

page read and write

55935c1d0000

page read and write

55935f844000

page read and write

7f4fd42fb000

page read and write

55935bf48000

page execute read

7f4fd3ca3000

page read and write

There are 40 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
na.elf

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportna.elf

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
na.elf