Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

na.elf

ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, not stripped

initial sample

Details

Filetype:	ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, not stripped
Entropy:	6.315390245133498
Filename:	na.elf
Filesize:	161069
MD5:	2680ab43bbe05ee8b1cf07b380388157
SHA1:	30916c62735e5ba7d2679c8cbe96a85ae679da35
SHA256:	0d1484c3be6c18c1a12c91e2cd2f0760ec348ac5fd948aabd0f43acabcc33f16
SHA512:	501cd5303af34d27d1a03de058b8df2c14e62363a143e9adea6cc59542ca37557de802015f2f0fe65e4d4b39e1d465a09f54dcf549ef877edbf083ef20ad03aa
SSDEEP:	1536:NEpsna8p7lUHWt/wi4MHk7iQmLSxKBl4yBMNgwG5hCHhTugEmJ/sSiFMh3n:NO0aGUH+Hk7W9LFN55hCFufmRsSiSh3n
Preview:	.ELF...........................4.........4. ...(.......................p...p...............p...p...p......t.........................................dt.Q.............................!..\|......$H...H..-...$8!. \|...N.. .!..\|.......?.............../...@..`= .

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Opens /proc/net/* files useful for finding connected devices and routers	Spreading	Remote System Discovery
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
Yara signature match	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
URLs found in memory or binary data	Networking

/tmp/qemu-open.ye3Xt3 (deleted)

ASCII text

dropped

Details

File:	/tmp/qemu-open.ye3Xt3 (deleted)
Category:	dropped
Dump:	qemu-open.ye3Xt3 (deleted).12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/na.elf
Type:	ASCII text
Entropy:	3.709552666863289
Encrypted:	false
Ssdeep:	6:iekrEcvwAsE5KlwSd4pzKaV6Lpms/a/1VCxGF:ur+m5MwSdIKaV6L1adVRF
Size:	230
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

/tmp/na.elf

URLs

Name

Malicious

93.123.85.167:77

Details

Name:	93.123.85.167:77
TargetID:	0
From Memory:	false
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

http://www.baidu.com/search/spider.html)

unknown

http://www.billybobbot.com/crawler/)

unknown

http://fast.no/support/crawler.asp)

unknown

http://feedback.redkolibri.com/

unknown

http://www.baidu.com/search/spider.htm)

unknown

Domains

Name

Malicious

daisy.ubuntu.com

162.213.35.24

IPs

Domain

Country

Malicious

93.123.85.167

unknown

Bulgaria

Details

IP:	93.123.85.167
TargetID:	-1
Country:	Bulgaria
Countrycode:	BGR
ASN number:	43561
ASN name:	NET1-ASBG
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

185.125.190.26

unknown

United Kingdom

Details

IP:	185.125.190.26
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7f7058022000

page execute read

7f7058022000

page execute read

7f714eff0000

page read and write

7f714f853000

page read and write

7f714e550000

page read and write

55655bce1000

page read and write

7f714f722000

page read and write

7f7058039000

page execute and read and write

7f714f3d7000

page read and write

55655bce1000

page read and write

556559ccd000

page read and write

7f7148000000

page read and write

7f714f84b000

page read and write

7f714ed53000

page read and write

556559a42000

page execute read

7f714f3b2000

page read and write

7f705803a000

page read and write

556559cc5000

page read and write

556559cc5000

page read and write

7ffd67b70000

page execute read

556559a42000

page execute read

7f714f898000

page read and write

7f714f722000

page read and write

7f714eff0000

page read and write

7f714e550000

page read and write

55655c5bf000

page read and write

7f714f84b000

page read and write

7ffd67ab3000

page read and write

7f7148000000

page read and write

7ffd67ab3000

page read and write

7f7148021000

page read and write

55655bccb000

page execute and read and write

7f7148021000

page read and write

55655bccb000

page execute and read and write

556559ccd000

page read and write

7ffd67b70000

page execute read

7f7058032000

page execute and read and write

55655c5bf000

page read and write

7f7058039000

page execute and read and write

7f7058032000

page execute and read and write

7f714f853000

page read and write

7f705803a000

page read and write

7f714f3b2000

page read and write

7f714f3d7000

page read and write

7f714ed61000

page read and write

7f714f898000

page read and write

7f714ed61000

page read and write

7f714ed53000

page read and write

There are 38 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
na.elf

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportna.elf

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
na.elf