Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

e1x.sh4.elf

ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped

initial sample

Details

Filetype:	ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
Entropy:	6.76644513769443
Filename:	e1x.sh4.elf
Filesize:	64592
MD5:	8fe07b9e561c0fcecb38368ddfdd78bf
SHA1:	d43d057440db8c124d9d4f6a1d298382ac9a49b7
SHA256:	2600d43fbb23bf5f92a14f5f55601ebf00827f7dd83ff45d543c4e2a59af33b1
SHA512:	7eb9df5afdec1e949aa12282c8df47f1c1e5e7780495891e21112d36d2847d1e4aa4bf3b9a903b159e009ec30d60786a4d721d5df19afc660ab03b97f3cee11c
SSDEEP:	1536:H7YTkshpZzQYFvCViicJRpemHQ/XtfYr:HUws7ZZ5EcgBA
Preview:	.ELF.....................@.4...........4. ...(...............@...@. ... ............... ... .A. .A.0...`...........Q.td..............................././"O.n......#.@........#.*@l...&O.n.l..................................././.../.a"O.!...n...a.b("...q.

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Sample deletes itself	Hooking and other Techniques for Hiding and Protection	File Deletion
Creates hidden files and/or directories	Persistence and Installation Behavior	Hidden Files and Directories
Enumerates processes within the "proc" file system	Persistence and Installation Behavior	OS Credential Dumping
Sleeps for long times indicative of sandbox evasion	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion

/tmp/.system_idle

ASCII text

dropped

Details

File:	/tmp/.system_idle
Category:	dropped
Dump:	.system_idle.12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/e1x.sh4.elf
Type:	ASCII text
Entropy:	1.9219280948873623
Encrypted:	false
Ssdeep:	3:Eq:Eq
Size:	5
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates hidden files and/or directories	Persistence and Installation Behavior	Hidden Files and Directories

Processes

Path

Cmdline

Malicious

/tmp/e1x.sh4.elf

IPs

Domain

Country

Malicious

204.35.87.194

unknown

United States

Details

IP:	204.35.87.194
TargetID:	-1
Country:	United States
Countrycode:	USA
ASN number:	721
ASN name:	DNIC-ASBLK-00721-00726US
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7f20e0410000

page execute read

7f2168394000

page read and write

7ffd2edb8000

page read and write

7f2160021000

page read and write

55db8c54c000

page execute read

55db8e77f000

page read and write

7f2168ecb000

page read and write

7f2168623000

page read and write

55db8e99b000

page read and write

55db8c762000

page read and write

7f20e0421000

page read and write

7f2168e7e000

page read and write

7ffd2ede5000

page execute read

7f2168e86000

page read and write

7f20e0420000

page read and write

7f2168a0a000

page read and write

55db8e768000

page execute and read and write

7f2168386000

page read and write

7f2167b83000

page read and write

7f2160000000

page read and write

7f2168d55000

page read and write

55db8c76a000

page read and write

7f21689e5000

page read and write

There are 13 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
e1x.sh4.elf

Files

Processes

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reporte1x.sh4.elf

Files

Processes

IPs

Memdumps

IOC Report
e1x.sh4.elf