Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

na.elf

ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, not stripped

initial sample

Details

Filetype:	ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, not stripped
Entropy:	6.0941203566309206
Filename:	na.elf
Filesize:	98919
MD5:	f2a0d87851bb84e277886f990dc2c158
SHA1:	82da6a671aa6f8e7e8bc430bf72a76ae600991c6
SHA256:	4419f121bc4355af2eca56a0bcce40105daae0fc37310a41d7720779c710a61e
SHA512:	5520e1acfd8ed317468ec01b5244fb0d3657b2fc7ec5e3e43994053875698858ec958efd9d7c18bea2e0fde6fd6ef4e4fa524759fa75acbe2e93ace26be89441
SSDEEP:	3072:Vgdr2vIBAxMyAOLRcftLhOemuxVqDr78fz1e:Vgdr2vIRyAYc9hOemuxVqDr78fz1e
Preview:	.ELF.......................D...4..4t.....4. ...(......................%...%....... .......%...E...E.......g....... .dt.Q............................NV..a....da....dN^NuNV..J9..Ipf>"y..E. QJ.g.X.#...E.N."y..E. QJ.f.A.....J.g.Hy..%.N.X.......IpN^NuNV..N^NuN

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Opens /proc/net/* files useful for finding connected devices and routers	Spreading	Remote System Discovery
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion
Yara signature match	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
Sample and/or dropped files contains symbols with file path information	System Summary

/tmp/qemu-open.zUGkuH (deleted)

ASCII text

dropped

Details

File:	/tmp/qemu-open.zUGkuH (deleted)
Category:	dropped
Dump:	qemu-open.zUGkuH (deleted).12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/na.elf
Type:	ASCII text
Entropy:	3.709552666863289
Encrypted:	false
Ssdeep:	6:iekrEcvwAsE5KlwSd4pzKaV6Lpms/a/1VCxGF:ur+m5MwSdIKaV6L1adVRF
Size:	230
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

/tmp/na.elf

URLs

Name

Malicious

93.123.85.205:7777

Details

Name:	93.123.85.205:7777
TargetID:	0
From Memory:	false
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

Domains

Name

Malicious

daisy.ubuntu.com

162.213.35.25

IPs

Domain

Country

Malicious

93.123.85.205

unknown

Bulgaria

Details

IP:	93.123.85.205
TargetID:	-1
Country:	Bulgaria
Countrycode:	BGR
ASN number:	43561
ASN name:	NET1-ASBG
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7f7e04014000

page execute read

7f7e04014000

page execute read

7ffcf4046000

page read and write

7f7e8b240000

page read and write

7f7e04016000

page read and write

7f7e8c588000

page read and write

7f7e84000000

page read and write

7f7e84021000

page read and write

558664875000

page execute read

7f7e8ba43000

page read and write

7f7e8c0a2000

page read and write

7f7e8ba51000

page read and write

7f7e8bce0000

page read and write

558666b44000

page read and write

7f7e8c0c7000

page read and write

558664aa7000

page read and write

7f7e8c53b000

page read and write

5586680bc000

page read and write

7f7e8c543000

page read and write

7f7e84021000

page read and write

7ffcf40f8000

page execute read

7ffcf40f8000

page execute read

7f7e8c0a2000

page read and write

5586680bc000

page read and write

558666aad000

page execute and read and write

558664aa7000

page read and write

7f7e8bce0000

page read and write

7f7e8c588000

page read and write

7f7e8ba51000

page read and write

558664aaf000

page read and write

7f7e84000000

page read and write

7f7e8c412000

page read and write

7f7e8b240000

page read and write

7f7e8c0c7000

page read and write

558664aaf000

page read and write

7f7e8c412000

page read and write

7f7e04016000

page read and write

7f7e8c53b000

page read and write

7f7e8c543000

page read and write

558666aad000

page execute and read and write

7f7e0401c000

page read and write

558666b44000

page read and write

558664875000

page execute read

7f7e8ba43000

page read and write

7f7e0401c000

page read and write

7ffcf4046000

page read and write

There are 36 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
na.elf

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportna.elf

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
na.elf