Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

/usr/bin/dash

/usr/bin/rm

rm -f /tmp/tmp.m8sFBhpWbO /tmp/tmp.wfTmSQT64H /tmp/tmp.fGwZf7Pteh

/usr/bin/dash

/usr/bin/cat

cat /tmp/tmp.m8sFBhpWbO

/usr/bin/dash

/usr/bin/head

head -n 10

/usr/bin/dash

/usr/bin/tr

tr -d \\000-\\011\\013\\014\\016-\\037

/usr/bin/dash

/usr/bin/cut

cut -c -80

/usr/bin/dash

/usr/bin/cat

cat /tmp/tmp.m8sFBhpWbO

/usr/bin/dash

/usr/bin/head

head -n 10

/usr/bin/dash

/usr/bin/tr

tr -d \\000-\\011\\013\\014\\016-\\037

/usr/bin/dash

/usr/bin/cut

cut -c -80

/usr/bin/dash

/usr/bin/rm

rm -f /tmp/tmp.m8sFBhpWbO /tmp/tmp.wfTmSQT64H /tmp/tmp.fGwZf7Pteh

/tmp/la.bot.sparc.elf

There are 11 hidden processes, click here to show them.

URLs

Name

Malicious

http:///wget.sh

unknown

Details

Name:	http:///wget.sh
TargetID:	32
From Memory:	true
Current Path:	/tmp/la.bot.sparc.elf
Source:	la.bot.sparc.elf

Signature Hits	Behavior Group	Mitre Attack
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
URLs found in memory or binary data	Networking

http:///curl.sh

unknown

Details

Name:	http:///curl.sh
TargetID:	32
From Memory:	true
Current Path:	/tmp/la.bot.sparc.elf
Source:	la.bot.sparc.elf

Signature Hits	Behavior Group	Mitre Attack
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

109.202.202.202

unknown

Switzerland

Details

IP:	109.202.202.202
TargetID:	-1
Country:	Switzerland
Countrycode:	CHE
ASN number:	13030
ASN name:	INIT7CH
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.43

unknown

United Kingdom

Details

IP:	91.189.91.43
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.42

unknown

United Kingdom

Details

IP:	91.189.91.42
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7f2a61f39000

page read and write

5617adabf000

page read and write

5617afac6000

page execute and read and write

7f2a618b5000

page read and write

5617b10ef000

page read and write

5617adac8000

page read and write

7ffc42291000

page read and write

7ffc42382000

page execute read

7f2a5c000000

page read and write

7f2a62284000

page read and write

7f2a61f14000

page read and write

7f2a61b52000

page read and write

7f2a5c021000

page read and write

7f2a610b2000

page read and write

7f2a623fa000

page read and write

7f2a623ad000

page read and write

5617ad891000

page execute read

7f295c034000

page read and write

7f2a618c3000

page read and write

7f295c024000

page execute read

5617afadd000

page read and write

7f2a623b5000

page read and write

7f295c038000

page read and write

There are 13 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
la.bot.sparc.elf

Processes

URLs

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportla.bot.sparc.elf

Processes

URLs

IPs

Memdumps

IOC Report
la.bot.sparc.elf