IOC Report
boatnet.arm.elf

Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| boatnet.arm.elf | ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, no section header | initial sample | malicious |
| /home/saturnino/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-panel.xml.new | XML 1.0 document, ASCII text | dropped | |

Processes

| Path | Cmdline | Malicious |
|---|---|---|
| /tmp/boatnet.arm.elf | /tmp/boatnet.arm.elf | |
| /tmp/boatnet.arm.elf | - | |
| /tmp/boatnet.arm.elf | - | |
| /tmp/boatnet.arm.elf | - | |
| /usr/bin/xfce4-panel | - | |
| /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 | /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libsystray.so 6 12582920 systray "Notification Area" "Area where notification icons appear" | |
| /usr/bin/xfce4-panel | - | |
| /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 | /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libstatusnotifier.so 7 12582921 statusnotifier "Status Notifier Plugin" "Provides a panel area for status notifier items (application indicators)" | |
| /usr/bin/xfce4-panel | - | |
| /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 | /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libpulseaudio-plugin.so 8 12582922 pulseaudio "PulseAudio Plugin" "Adjust the audio volume of the PulseAudio sound system" | |
| /usr/bin/xfce4-panel | - | |
| /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 | /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libxfce4powermanager.so 9 12582923 power-manager-plugin "Power Manager Plugin" "Display the battery levels of your devices and control the brightness of your display" | |
| /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 | - | |
| /usr/sbin/xfpm-power-backlight-helper | /usr/sbin/xfpm-power-backlight-helper --get-max-brightness | |
| /usr/bin/xfce4-panel | - | |
| /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 | /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libnotification-plugin.so 10 12582924 notification-plugin "Notification Plugin" "Notification plugin for the Xfce panel" | |
| /usr/bin/xfce4-panel | - | |
| /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 | /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libactions.so 14 12582925 actions "Action Buttons" "Log out, lock or other system actions" | |
| /usr/bin/dbus-daemon | - | |
| /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd | /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd | |
| /usr/lib/systemd/systemd | - | |
| /usr/lib/x86_64-linux-gnu/xfce4/notifyd/xfce4-notifyd | /usr/lib/x86_64-linux-gnu/xfce4/notifyd/xfce4-notifyd | |

URLs

| Name | IP | Malicious |
|---|---|---|
| http://upx.sf.net | unknown | malicious |

Domains

| Name | IP | Malicious |
|---|---|---|
| daisy.ubuntu.com | 162.213.35.25 | |

IPs

| IP | Domain | Country | Malicious |
|---|---|---|---|
| 93.123.85.38 | unknown | Bulgaria | |

Memdumps

| Base Address | Regiontype | Protect | Malicious |
|---|---|---|---|
| 7f2818025000 | page execute read | | malicious |
| 7f2818025000 | page execute read | | malicious |
| 7f2818025000 | page execute read | | malicious |