IOC Report
boatnet.sh4.elf


Files

File Path | Type | Category | Malicious
boatnet.sh4.elf | ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped | initial sample | malicious
/home/saturnino/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-panel.xml.new | XML 1.0 document, ASCII text | dropped | -

Processes

Path | Cmdline | Malicious
/tmp/boatnet.sh4.elf | /tmp/boatnet.sh4.elf | -
/tmp/boatnet.sh4.elf | - | -
/tmp/boatnet.sh4.elf | - | -
/tmp/boatnet.sh4.elf | - | -
/usr/bin/xfce4-panel | - | -
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 | /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libsystray.so 6 12582920 systray "Notification Area" "Area where notification icons appear" | -
/usr/bin/xfce4-panel | - | -
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 | /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libstatusnotifier.so 7 12582921 statusnotifier "Status Notifier Plugin" "Provides a panel area for status notifier items (application indicators)" | -
/usr/bin/xfce4-panel | - | -
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 | /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libpulseaudio-plugin.so 8 12582922 pulseaudio "PulseAudio Plugin" "Adjust the audio volume of the PulseAudio sound system" | -
/usr/bin/xfce4-panel | - | -
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 | /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libxfce4powermanager.so 9 12582923 power-manager-plugin "Power Manager Plugin" "Display the battery levels of your devices and control the brightness of your display" | -
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 | - | -
/usr/sbin/xfpm-power-backlight-helper | /usr/sbin/xfpm-power-backlight-helper --get-max-brightness | -
/usr/bin/xfce4-panel | - | -
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 | /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libnotification-plugin.so 10 12582924 notification-plugin "Notification Plugin" "Notification plugin for the Xfce panel" | -
/usr/bin/xfce4-panel | - | -
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 | /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libactions.so 14 12582925 actions "Action Buttons" "Log out, lock or other system actions" | -
/usr/bin/dbus-daemon | - | -
/usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd | /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd | -
/usr/lib/systemd/systemd | - | -
/usr/lib/x86_64-linux-gnu/xfce4/notifyd/xfce4-notifyd | /usr/lib/x86_64-linux-gnu/xfce4/notifyd/xfce4-notifyd | -
(12 further processes are not listed in this extract)

Domains

Name | IP | Malicious
daisy.ubuntu.com | 162.213.35.24 | -

IPs

IP | Domain | Country | Malicious
93.123.85.38 | unknown | Bulgaria | -

Memdumps

Base Address | Regiontype | Protect | Malicious
7fe0cc40c000 | - | page execute read | malicious
7fe0cc40c000 | - | page execute read | malicious
7fe0cc40c000 | - | page execute read | malicious
7fe14c021000 | - | page read and write | -
55b655423000 | - | page read and write | -
7fe154a44000 | - | page read and write | -
7fe153749000 | - | page read and write | -
7fe154a91000 | - | page read and write | -
55b655f6b000 | - | page read and write | -
7fe153f4c000 | - | page read and write | -
7fe14c000000 | - | page read and write | -
55b65540c000 | - | page execute and read and write | -
7fe153749000 | - | page read and write | -
7ffd108e1000 | - | page read and write | -
55b653406000 | - | page read and write | -
7fe154a4c000 | - | page read and write | -
7fe14c000000 | - | page read and write | -
7fe0cc41e000 | - | page read and write | -
55b65540c000 | - | page execute and read and write | -
7fe15491b000 | - | page read and write | -
55b653406000 | - | page read and write | -
55b65340e000 | - | page read and write | -
7fe15491b000 | - | page read and write | -
55b655f6b000 | - | page read and write | -
7fe1545ab000 | - | page read and write | -
7ffd109fe000 | - | page execute read | -
7fe14c021000 | - | page read and write | -
7fe0cc41d000 | - | page read and write | -
7fe1541e9000 | - | page read and write | -
7ffd108e1000 | - | page read and write | -
7fe1545ab000 | - | page read and write | -
7fe1545d0000 | - | page read and write | -
7fe14c000000 | - | page read and write | -
7fe153f4c000 | - | page read and write | -
7fe153f5a000 | - | page read and write | -
7fe0cc41d000 | - | page read and write | -
7fe14c021000 | - | page read and write | -
7fe1545d0000 | - | page read and write | -
7fe0cc41e000 | - | page read and write | -
7fe153f5a000 | - | page read and write | -
55b65340e000 | - | page read and write | -
7fe15491b000 | - | page read and write | -
55b65340e000 | - | page read and write | -
7fe154a44000 | - | page read and write | -
7fe154a91000 | - | page read and write | -
7fe1541e9000 | - | page read and write | -
7fe154a4c000 | - | page read and write | -
7ffd108e1000 | - | page read and write | -
7fe0cc41e000 | - | page read and write | -
7fe154a4c000 | - | page read and write | -
55b653406000 | - | page read and write | -
55b655423000 | - | page read and write | -
7fe153f5a000 | - | page read and write | -
7fe153f4c000 | - | page read and write | -
7fe1541e9000 | - | page read and write | -
7fe0cc41d000 | - | page read and write | -
55b655423000 | - | page read and write | -
55b6531f0000 | - | page execute read | -
7fe154a44000 | - | page read and write | -
7fe153749000 | - | page read and write | -
7ffd109fe000 | - | page execute read | -
55b6531f0000 | - | page execute read | -
55b655f6b000 | - | page read and write | -
55b6531f0000 | - | page execute read | -
55b65540c000 | - | page execute and read and write | -
7fe1545ab000 | - | page read and write | -
7fe154a91000 | - | page read and write | -
7fe1545d0000 | - | page read and write | -
7ffd109fe000 | - | page execute read | -
(59 further memdumps are not listed in this extract)
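
Two things in the memdump table deserve a second look: the only dumps flagged malicious are execute-read pages at base 7fe0cc40c000, and base 55b65540c000 is dumped three times with page execute and read and write protection, i.e. a writable and executable (W+X) region. The bases are 64-bit x86-64 user-space addresses (the host is x86_64, as the /usr/lib/x86_64-linux-gnu paths in the process table show), so they belong to the process running the 32-bit SH sample, presumably under user-mode emulation, rather than to the SH image itself. On a live host the equivalent triage reads /proc/<pid>/maps and singles out executable mappings that are also writable, that are not backed by any file, or that are backed by a file which has since been deleted. The script below is an added example and not part of the sandbox report; SAMPLE_MAPS is a constructed maps listing with invented addresses, inodes and paths, and SANDBOX_PROTECT is this example's assumed translation of the report's Protect wording into maps-style permission letters.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# One /proc/<pid>/maps line: "start-end perms offset dev inode [path]"
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)

# Assumed mapping from the sandbox report's Protect wording to maps-style permission letters.
SANDBOX_PROTECT = {
    "page execute read": "r-x",
    "page read and write": "rw-",
    "page execute and read and write": "rwx",
}


@dataclass
class Mapping:
    start: int
    end: int
    perms: str   # e.g. "r-xp"; the fourth letter is p (private) or s (shared)
    path: str    # "" for anonymous memory, "[vdso]" etc. for kernel pseudo-files


def parse_maps(text: str) -> list[Mapping]:
    """Parse the text of /proc/<pid>/maps into Mapping records."""
    maps = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = MAPS_LINE.match(line.strip())
        if m is None:
            raise ValueError(f"unparsable maps line: {line!r}")
        maps.append(Mapping(int(m["start"], 16), int(m["end"], 16),
                            m["perms"], m["path"].strip()))
    return maps


def suspicious_mappings(maps: list[Mapping]) -> list[tuple[int, str]]:
    """Return (start, reason) for executable mappings worth dumping and inspecting:
    writable+executable pages, executable anonymous memory, and executable pages
    backed by a file that has since been unlinked. Kernel pseudo-mappings such as
    [vdso] carry a bracketed name, so they are not treated as anonymous."""
    hits = []
    for mp in maps:
        if "x" not in mp.perms:
            continue
        if "w" in mp.perms:
            hits.append((mp.start, "writable and executable (W+X)"))
        elif mp.path == "":
            hits.append((mp.start, "executable anonymous memory"))
        elif mp.path.endswith("(deleted)"):
            hits.append((mp.start, "executable mapping backed by a deleted file"))
    return hits


def protect_to_perms(protect: str) -> str:
    """Normalise a sandbox Protect string so it can be judged like a maps entry."""
    return SANDBOX_PROTECT[protect.strip().lower()]


# Constructed maps listing with invented addresses, inodes and paths; it is not
# taken from the sandbox run above.
SAMPLE_MAPS = """\
00400000-0041c000 r-xp 00000000 fd:01 40123 /tmp/sample.elf
0041c000-00420000 rwxp 0001c000 fd:01 40123 /tmp/sample.elf
7f3a10000000-7f3a10021000 rw-p 00000000 00:00 0
7f3a20000000-7f3a20011000 r-xp 00000000 00:00 0
7f3a30000000-7f3a301c8000 r-xp 00000000 fd:01 1312 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a40000000-7f3a40004000 r-xp 00000000 fd:01 9981 /dev/shm/.x (deleted)
7ffd10800000-7ffd10821000 rw-p 00000000 00:00 0 [stack]
7ffd109fe000-7ffd10a00000 r-xp 00000000 00:00 0 [vdso]
"""

if __name__ == "__main__":
    for start, reason in suspicious_mappings(parse_maps(SAMPLE_MAPS)):
        print(f"{start:016x}  {reason}")
    # Live host: suspicious_mappings(parse_maps(open(f"/proc/{pid}/maps").read()))
```

Applied to the report's own rows, `protect_to_perms("page execute and read and write")` yields rwx, so the 55b65540c000 region would be the first candidate to dump; on a live host each start address returned is an offset at which /proc/<pid>/mem can be read to capture the region before the process exits or unmaps it.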