Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

shngijernbh.ppc.elf

initial sample

Details

Entropy:	6.135818726098947
Filename:	shngijernbh.ppc.elf
Filesize:	89416
MD5:	827999a3d3c22b7e7186882d3f4d1b03
SHA1:	7b07f51f0dafacd60804c927c84eabf4a253f3bb
SHA256:	4f4f58d43ecbc79c84c06f78379504c093d616cb651e93e64bcd8c7ea80b1aed
SHA512:	01f849a573c3835812ee65aba2de7449976a4a90d12724f2b2aa84d296cecfa4f3b198b62c27a9f8e2d8899bbfad52180fe08a801e967d0e1f010a4a7d75119b
SSDEEP:	1536:b73KddvUAXKPjVgCdmH5RHvDpRIBiHh1h/lLKV15hvhUROFOmV6qDjjoflee:b76bvhXKPjVWnLPIBiB/65hv+ROFOmVa
Preview:	.ELF...........................4.........4. ...(.......................T...T...............T...T...T......g.........dt.Q.............................!..\|......$H...H..1...$8!. \|...N.. .!..\|.......?..........D..../...@..\?......l.+../...A..$8...}).....lN..

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Opens /proc/net/* files useful for finding connected devices and routers	Spreading	Remote System Discovery
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion
Yara signature match	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
URLs found in memory or binary data	Networking

/tmp/qemu-open.oRsFHP (deleted)

ASCII text

dropped

Details

File:	/tmp/qemu-open.oRsFHP (deleted)
Category:	dropped
Dump:	qemu-open.oRsFHP (deleted).12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/shngijernbh.ppc.elf
Type:	ASCII text
Entropy:	3.709552666863289
Encrypted:	false
Ssdeep:	6:iekrEcvwAsE5KlwSd4pzKaV6Lpms/a/1VCxGF:ur+m5MwSdIKaV6L1adVRF
Size:	230
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

/tmp/shngijernbh.ppc.elf

URLs

Name

Malicious

143.47.38.152:4258

Details

Name:	143.47.38.152:4258
TargetID:	0
From Memory:	false
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

http://www.baidu.com/search/spider.html)

unknown

http://www.billybobbot.com/crawler/)

unknown

http://fast.no/support/crawler.asp)

unknown

http://feedback.redkolibri.com/

unknown

http://www.baidu.com/search/spider.htm)

unknown

IPs

Domain

Country

Malicious

143.47.38.152

unknown

Ireland

Details

IP:	143.47.38.152
TargetID:	-1
Country:	Ireland
Countrycode:	IRL
ASN number:	52019
ASN name:	ORCL-EMEA-ASSE
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

109.202.202.202

unknown

Switzerland

Details

IP:	109.202.202.202
TargetID:	-1
Country:	Switzerland
Countrycode:	CHE
ASN number:	13030
ASN name:	INIT7CH
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.43

unknown

United Kingdom

Details

IP:	91.189.91.43
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.42

unknown

United Kingdom

Details

IP:	91.189.91.42
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7f5bd0012000

page execute read

7f5bd0012000

page execute read

7f5bd0028000

page read and write

7ffe3e6ec000

page execute read

7f5cc0021000

page read and write

56437ddc0000

page read and write

7f5cc5a5b000

page read and write

7f5bd0022000

page read and write

56437c3ec000

page execute and read and write

56437a3ee000

page read and write

7f5cc5b84000

page read and write

7ffe3e633000

page read and write

56437c402000

page read and write

7f5bd0028000

page read and write

7f5bd0022000

page read and write

56437a3e6000

page read and write

7f5cc56eb000

page read and write

7f5cc5a5b000

page read and write

7f5cc5b8c000

page read and write

7f5cc509a000

page read and write

7f5cc5b84000

page read and write

7f5cc508c000

page read and write

56437a163000

page execute read

7f5cc5710000

page read and write

7f5cc0021000

page read and write

56437ddc0000

page read and write

7f5cc5329000

page read and write

7f5cc4889000

page read and write

56437c3ec000

page execute and read and write

56437a163000

page execute read

7f5cc5bd1000

page read and write

7f5cc5b8c000

page read and write

7f5cc5bd1000

page read and write

56437a3e6000

page read and write

7f5cc5710000

page read and write

56437c402000

page read and write

7f5cc509a000

page read and write

7f5cc5329000

page read and write

7f5cc0000000

page read and write

7f5cc0000000

page read and write

56437a3ee000

page read and write

7f5cc508c000

page read and write

7ffe3e6ec000

page execute read

7f5cc4889000

page read and write

7f5cc56eb000

page read and write

7ffe3e633000

page read and write

There are 36 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
shngijernbh.ppc.elf

Files

Processes

URLs

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportshngijernbh.ppc.elf

Files

Processes

URLs

IPs

Memdumps

IOC Report
shngijernbh.ppc.elf