Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

na.elf

ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped

initial sample

Details

Filetype:	ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped
Entropy:	5.259982316564114
Filename:	na.elf
Filesize:	125962
MD5:	dfa1f75be77ec732f133338460e60187
SHA1:	36c5a05a9ed5c961e12e2e00fc654348a10df818
SHA256:	fabb2ffc230d3033b25217310e97da8872eb2e03e7647173951c7469021e2729
SHA512:	babee559eef68c1929360f62d976248dabd3fedbadd8d441c666c6688e45fa2e5be83ce52004d349bb878c0a96af86d9d91b188235e0670191227da57812e425
SSDEEP:	1536:M7je1TMGq+f+AQ2rK7zeXeReXe8V2rK7Ie+u60GAzQj1l72HBeHEdWfRZrmW+IFj:Ted0W0MZQHzd6RZrmW+IFB1Dt1hR/
Preview:	.ELF.....................@.....4.........4. ...(....p........@...@...........................@...@....pD..pD..............pD.EpD.EpD......l.........dt.Q.................................................E..<...'......!'.......................<...'......!...

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Opens /proc/net/* files useful for finding connected devices and routers	Spreading	Remote System Discovery
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion
Yara signature match	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
Sample and/or dropped files contains symbols with file path information	System Summary

/tmp/qemu-open.MnLeFo (deleted)

ASCII text

dropped

Details

File:	/tmp/qemu-open.MnLeFo (deleted)
Category:	dropped
Dump:	qemu-open.MnLeFo (deleted).12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/na.elf
Type:	ASCII text
Entropy:	3.709552666863289
Encrypted:	false
Ssdeep:	6:iekrEcvwAsE5KlwSd4pzKaV6Lpms/a/1VCxGF:ur+m5MwSdIKaV6L1adVRF
Size:	230
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

/tmp/na.elf

URLs

Name

Malicious

93.123.85.205:7777

Details

Name:	93.123.85.205:7777
TargetID:	0
From Memory:	false
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

Domains

Name

Malicious

daisy.ubuntu.com

162.213.35.25

IPs

Domain

Country

Malicious

93.123.85.205

unknown

Bulgaria

Details

IP:	93.123.85.205
TargetID:	-1
Country:	Bulgaria
Countrycode:	BGR
ASN number:	43561
ASN name:	NET1-ASBG
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

185.125.190.26

unknown

United Kingdom

Details

IP:	185.125.190.26
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7f68a8418000

page execute read

7f68a8418000

page execute read

7f692fdc7000

page read and write

559e104de000

page read and write

7f692fdc7000

page read and write

559e12c15000

page read and write

559e124dc000

page execute and read and write

7f692fc9e000

page read and write

7f692fc9e000

page read and write

7f68a8458000

page read and write

7f692f74c000

page read and write

7f692f0ed000

page read and write

559e1024c000

page execute read

7f692f0fb000

page read and write

7f6928021000

page read and write

7ffdd1b17000

page read and write

559e104d4000

page read and write

7f68a845e000

page read and write

7f692e8e5000

page read and write

7f692f74c000

page read and write

7f692fdcf000

page read and write

559e124f3000

page read and write

7f692f0fb000

page read and write

7f692fe14000

page read and write

7f692f76f000

page read and write

7f6928000000

page read and write

7f692fdcf000

page read and write

7f68a8458000

page read and write

7f692f78c000

page read and write

559e124dc000

page execute and read and write

559e104de000

page read and write

7f692fabd000

page read and write

7f6928021000

page read and write

7f692f3ab000

page read and write

7f692e8e5000

page read and write

7f692f76f000

page read and write

7f692fe14000

page read and write

7f692f0ed000

page read and write

7ffdd1b91000

page execute read

7f692f78c000

page read and write

7f68a845e000

page read and write

7f692f3ab000

page read and write

559e1024c000

page execute read

559e12c15000

page read and write

7ffdd1b17000

page read and write

7f692fabd000

page read and write

559e124f3000

page read and write

7ffdd1b91000

page execute read

559e104d4000

page read and write

7f6928000000

page read and write

There are 40 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
na.elf

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportna.elf

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
na.elf