Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

tyo2831qq.m68k.elf

ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, not stripped

initial sample

Details

Filetype:	ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, not stripped
Entropy:	6.315025315762783
Filename:	tyo2831qq.m68k.elf
Filesize:	158338
MD5:	3134049b6dd1e3fd8011067c436ff8cb
SHA1:	2eb528ed96e50dfb0e0cac97426deb769ee965d8
SHA256:	7d1b988102f6447b1f2c9ed95273c072946e8ed6768df132a92fb35eaa1d2347
SHA512:	424facb0bd36216c3cf550a8cdb8f0113f0321864cf897315c17b2a337fe7132974eeee0daaa377d6f148845fe5ab7e63b87810879cb581423f15143935b4166
SSDEEP:	3072:/EOSql29zGorF8qGnQeqacWucW0JcWcBFI5vN2sPw6MGp8DQv8J3v7NvAmmu1kTG:cPzonQeqacWucW0JcWcBkvE+pFp8DA8D
Preview:	.ELF.......................D...4.........4. ...(.......................r...r...... ........t...t...t......i....... .dt.Q............................NV..a....da....@N^NuNV..J9..".f>"y.... QJ.g.X.#.....N."y.... QJ.f.A.....J.g.Hy...tN.X.......".N^NuNV..N^NuN

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Opens /proc/net/* files useful for finding connected devices and routers	Spreading	Remote System Discovery
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
Yara signature match	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
URLs found in memory or binary data	Networking

/tmp/qemu-open.Mo7iia (deleted)

ASCII text

dropped

Details

File:	/tmp/qemu-open.Mo7iia (deleted)
Category:	dropped
Dump:	qemu-open.Mo7iia (deleted).12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/tyo2831qq.m68k.elf
Type:	ASCII text
Entropy:	3.709552666863289
Encrypted:	false
Ssdeep:	6:iekrEcvwAsE5KlwSd4pzKaV6Lpms/a/1VCxGF:ur+m5MwSdIKaV6L1adVRF
Size:	230
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

/tmp/tyo2831qq.m68k.elf

/usr/bin/dash

/usr/bin/rm

rm -f /tmp/tmp.wXq5xng5m7 /tmp/tmp.FxqBta5QgF /tmp/tmp.fxbzvn5wm5

/usr/bin/dash

/usr/bin/rm

rm -f /tmp/tmp.wXq5xng5m7 /tmp/tmp.FxqBta5QgF /tmp/tmp.fxbzvn5wm5

URLs

Name

Malicious

109.120.156.253:1780

Details

Name:	109.120.156.253:1780
TargetID:	0
From Memory:	false
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

http://www.baidu.com/search/spider.html)

unknown

http://www.billybobbot.com/crawler/)

unknown

http://fast.no/support/crawler.asp)

unknown

http://feedback.redkolibri.com/

unknown

http://www.baidu.com/search/spider.htm)

unknown

IPs

Domain

Country

Malicious

109.120.156.253

unknown

Russian Federation

Details

IP:	109.120.156.253
TargetID:	-1
Country:	Russian Federation
Countrycode:	RUS
ASN number:	30968
ASN name:	INFOBOX-ASInfoboxruAutonomousSystemRU
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

54.171.230.55

unknown

United States

Details

IP:	54.171.230.55
TargetID:	-1
Country:	United States
Countrycode:	USA
ASN number:	16509
ASN name:	AMAZON-02US
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

109.202.202.202

unknown

Switzerland

Details

IP:	109.202.202.202
TargetID:	-1
Country:	Switzerland
Countrycode:	CHE
ASN number:	13030
ASN name:	INIT7CH
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.43

unknown

United Kingdom

Details

IP:	91.189.91.43
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.42

unknown

United Kingdom

Details

IP:	91.189.91.42
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7fa8fc021000

page execute read

7fa8fc021000

page execute read

555b2a9f7000

page read and write

7fa9822fd000

page read and write

7fa98192e000

page read and write

555b2c9fd000

page execute and read and write

7fa981fb2000

page read and write

555b2a7c5000

page execute read

7fa982426000

page read and write

7ffe3a9ed000

page execute read

7fa981f8d000

page read and write

555b2cfad000

page read and write

7fa98242e000

page read and write

7fa9822fd000

page read and write

7fa98193c000

page read and write

7fa97c000000

page read and write

7fa97c000000

page read and write

7fa8fc024000

page read and write

7fa981f8d000

page read and write

7fa8fc02a000

page read and write

7fa97c021000

page read and write

555b2ca94000

page read and write

7fa98112b000

page read and write

555b2c9fd000

page execute and read and write

7fa98193c000

page read and write

7fa981fb2000

page read and write

555b2ca94000

page read and write

555b2a9ff000

page read and write

555b2a9ff000

page read and write

7ffe3a912000

page read and write

7fa8fc02a000

page read and write

7fa98112b000

page read and write

555b2cfad000

page read and write

7fa981bcb000

page read and write

7fa982426000

page read and write

555b2a9f7000

page read and write

7ffe3a9ed000

page execute read

7fa98192e000

page read and write

7fa97c021000

page read and write

7fa98242e000

page read and write

7fa981bcb000

page read and write

7ffe3a912000

page read and write

7fa982473000

page read and write

555b2a7c5000

page execute read

7fa8fc024000

page read and write

7fa982473000

page read and write

There are 36 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
tyo2831qq.m68k.elf

Files

Processes

URLs

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reporttyo2831qq.m68k.elf

Files

Processes

URLs

IPs

Memdumps

IOC Report
tyo2831qq.m68k.elf