Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

FBI.sh4.elf

ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped

initial sample

Details

Filetype:	ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
Entropy:	6.920596254616313
Filename:	FBI.sh4.elf
Filesize:	92024
MD5:	b1f662abfdb22d1b0fe96da141637274
SHA1:	6e27cdbc13eae576f8806f80ef5a08de6dbd0dae
SHA256:	cc173070d6d0d5c1d1e425be668726042fda8d5ecc17eb2614bb1fe2d7ed761a
SHA512:	00a309cd8cb724cf0922c5d5cc90d46f8caf8d18733b777c5a3eedae1ca18fca375df42c74f70c3befc302d59910a9e5e63c5188433782fa986475145c12b96f
SSDEEP:	1536:DozT9njzEnE9QdqKjD2V5BETSxqFCwgRafneaD5hL9njfpJm:wpjgnEetjCESxqFGaHD5hBjfpJ
Preview:	.ELF.....................@.4...pe......4. ...(...............@...@..R...R...............R...RB..RB......j..........Q.td............................././"O.n........#.@........#.*@.....o&O.n...l..............................././.../.a"O.!...n...a.b("...q.

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
Yara signature match	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
URLs found in memory or binary data	Networking

/run/systemd/resolve/stub-resolv.conf

ASCII text

dropped

Details

File:	/run/systemd/resolve/stub-resolv.conf
Category:	dropped
Dump:	stub-resolv.conf.15.dr
ID:	dr_1
Target ID:	15
Process:	/tmp/FBI.sh4.elf
Type:	ASCII text
Entropy:	3.3918926446809334
Encrypted:	false
Ssdeep:	24:KaLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLn:KC
Size:	3762
Whitelisted:	false
Reputation:	moderate

Processes

Path

Cmdline

Malicious

/tmp/FBI.sh4.elf

URLs

Name

Malicious

http://www.baidu.com/search/spider.html)

unknown

http://www.billybobbot.com/crawler/)

unknown

http://fast.no/support/crawler.asp)

unknown

http://feedback.redkolibri.com/

unknown

http://www.baidu.com/search/spider.htm)

unknown

IPs

Domain

Country

Malicious

154.213.187.206

unknown

Seychelles

Details

IP:	154.213.187.206
TargetID:	-1
Country:	Seychelles
Countrycode:	SYC
ASN number:	22769
ASN name:	DDOSING-BGP-NETWORKUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

109.202.202.202

unknown

Switzerland

Details

IP:	109.202.202.202
TargetID:	-1
Country:	Switzerland
Countrycode:	CHE
ASN number:	13030
ASN name:	INIT7CH
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking

91.189.91.43

unknown

United Kingdom

Details

IP:	91.189.91.43
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.42

unknown

United Kingdom

Details

IP:	91.189.91.42
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7ff2ac416000

page execute read

7ff334cd5000

page read and write

7ff2ac42c000

page read and write

7ff3348ee000

page read and write

558749462000

page read and write

7ff335151000

page read and write

7ff32c021000

page read and write

7ffe32758000

page read and write

7ffe3278d000

page execute read

5587462c4000

page execute read

5587464e2000

page read and write

5587464da000

page read and write

7ff33465f000

page read and write

7ff335196000

page read and write

7ff334651000

page read and write

7ff333e4e000

page read and write

7ff2ac426000

page read and write

7ff335020000

page read and write

5587484e0000

page execute and read and write

7ff334cb0000

page read and write

5587484f7000

page read and write

7ff335149000

page read and write

7ff32c000000

page read and write

There are 13 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
FBI.sh4.elf

Files

Processes

URLs

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportFBI.sh4.elf

Files

Processes

URLs

IPs

Memdumps

IOC Report
FBI.sh4.elf