IOC Report
boatnet.sh4.elf

Files

File Path

Type

Category

Malicious

boatnet.sh4.elf

ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped

initial sample

Details

Filetype:	ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
Entropy:	6.734427983506553
Filename:	boatnet.sh4.elf
Filesize:	50168
MD5:	52fc087fc124782824d156800eb15a19
SHA1:	c68f92cb733311a17a43b115f309b5cdf36c8a60
SHA256:	a70db22272cced3971f1442c50e9d7ee44e5910f1390d361e3f39c953494c63c
SHA512:	c3e309fe6a724ed7285404df968b805c2fcd5480c34ae511a39832752f2fa85dc8cc059d28a2d1992330c5414e262b918653185e514b52e925631efd0e334a68
SSDEEP:	768:Oa2vU7eng2qGJert7LrLMU6fgatQh+YbT/9+m3CZQoV/bnmCozw:Oa4U7G7SvT6ftBTm3KVrmCo8
Preview:	.ELF.....................@.4...h.......4. ...(...............@...@.@...@.....................A...A.(...<...........Q.td............................././"O.n........#.@........#.*@.....o&O.n...l..............................././.../.a"O.!...n...a.b("...q.

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Sample tries to kill multiple processes (SIGKILL)	System Summary	Service Stop
Enumerates processes within the "proc" file system	Persistence and Installation Behavior	OS Credential Dumping
Sample tries to kill a process (SIGKILL)	System Summary
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion
Yara signature match	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery

/home/saturnino/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-panel.xml.new

XML 1.0 document, ASCII text

dropped

Details

File:	/home/saturnino/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-panel.xml.new
Category:	dropped
Dump:	xfce4-panel.xml.new.39.dr
ID:	dr_0
Target ID:	39
Process:	/usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd
Type:	XML 1.0 document, ASCII text
Entropy:	4.457618060812407
Encrypted:	false
Ssdeep:	96:R14GBdYLSNUH+ZAFQrSRR6dn0tWlTDFwIfM/vfzPpjT9I3jZ/qeH2Wg:74GnYLSNUH+ZAyrSRRYn0taTDKIfMPzv
Size:	5128
Whitelisted:	false
Reputation:	moderate

Processes

Path

Cmdline

Malicious

/tmp/boatnet.sh4.elf

/tmp/boatnet.sh4.elf

/tmp/boatnet.sh4.elf

-

/tmp/boatnet.sh4.elf

-

/tmp/boatnet.sh4.elf

-

/usr/bin/xfce4-session

-

/usr/bin/xfce4-panel

xfce4-panel --display :1.0 --sm-client-id 2b4cc744e-8b9d-436f-9a4a-312b40faa2ec

/usr/bin/xfce4-panel

-

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libsystray.so 6 12582920 systray "Notification Area" "Area where notification icons appear"

/usr/bin/xfce4-panel

-

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libstatusnotifier.so 7 12582921 statusnotifier "Status Notifier Plugin" "Provides a panel area for status notifier items (application indicators)"

/usr/bin/xfce4-panel

-

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libpulseaudio-plugin.so 8 12582922 pulseaudio "PulseAudio Plugin" "Adjust the audio volume of the PulseAudio sound system"

/usr/bin/xfce4-panel

-

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libxfce4powermanager.so 9 12582923 power-manager-plugin "Power Manager Plugin" "Display the battery levels of your devices and control the brightness of your display"

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0

-

/usr/sbin/xfpm-power-backlight-helper

/usr/sbin/xfpm-power-backlight-helper --get-max-brightness

/usr/bin/xfce4-panel

-

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libnotification-plugin.so 10 12582924 notification-plugin "Notification Plugin" "Notification plugin for the Xfce panel"

/usr/bin/xfce4-panel

-

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libactions.so 14 12582925 actions "Action Buttons" "Log out, lock or other system actions"

/usr/bin/xfce4-panel

-

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libsystray.so 6 12582920 systray "Notification Area" "Area where notification icons appear"

/usr/bin/xfce4-panel

-

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libstatusnotifier.so 7 12582921 statusnotifier "Status Notifier Plugin" "Provides a panel area for status notifier items (application indicators)"

/usr/bin/xfce4-panel

-

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libpulseaudio-plugin.so 8 12582922 pulseaudio "PulseAudio Plugin" "Adjust the audio volume of the PulseAudio sound system"

/usr/bin/xfce4-panel

-

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libxfce4powermanager.so 9 12582923 power-manager-plugin "Power Manager Plugin" "Display the battery levels of your devices and control the brightness of your display"

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0

-

/usr/sbin/xfpm-power-backlight-helper

/usr/sbin/xfpm-power-backlight-helper --get-max-brightness

/usr/bin/xfce4-panel

-

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libnotification-plugin.so 10 12582924 notification-plugin "Notification Plugin" "Notification plugin for the Xfce panel"

/usr/bin/xfce4-panel

-

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libactions.so 14 12582925 actions "Action Buttons" "Log out, lock or other system actions"

/usr/bin/dbus-daemon

-

/usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd

/usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd

/usr/lib/systemd/systemd

-

/usr/lib/x86_64-linux-gnu/xfce4/notifyd/xfce4-notifyd

/usr/lib/x86_64-linux-gnu/xfce4/notifyd/xfce4-notifyd

/usr/bin/dbus-daemon

-

/usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd

/usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd

There are 30 hidden processes, click here to show them.

IPs

IP

Domain

Country

Malicious

93.123.85.192

unknown

Bulgaria

Details

IP:	93.123.85.192
TargetID:	-1
Country:	Bulgaria
Countrycode:	BGR
ASN number:	43561
ASN name:	NET1-ASBG
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Suricata IDS alerts with low severity for network traffic	Networking
Connects to IPs without corresponding DNS lookups	Networking

109.202.202.202

unknown

Switzerland

Details

IP:	109.202.202.202
TargetID:	-1
Country:	Switzerland
Countrycode:	CHE
ASN number:	13030
ASN name:	INIT7CH
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.43

unknown

United Kingdom

Details

IP:	91.189.91.43
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.42

unknown

United Kingdom

Details

IP:	91.189.91.42
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7f7dd440c000

page execute read

7f7dd440c000

page execute read

7f7dd440c000

page execute read

55e0923a1000

page execute and read and write

7f7e5a7f3000

page read and write

55e093a5b000

page read and write

7f7e5baf6000

page read and write

7f7e5baee000

page read and write

7f7e5aff6000

page read and write

55e0923b8000

page read and write

55e0923b8000

page read and write

55e09039b000

page read and write

55e093a5b000

page read and write

55e090185000

page execute read

55e09039b000

page read and write

55e0923a1000

page execute and read and write

55e0903a3000

page read and write

7f7e5b293000

page read and write

7f7e5bb3b000

page read and write

7f7e5a7f3000

page read and write

7f7e5b293000

page read and write

7fffa2972000

page execute read

7f7e5b004000

page read and write

7f7e54021000

page read and write

55e0923b8000

page read and write

7f7dd441e000

page read and write

7f7e54021000

page read and write

7f7e54000000

page read and write

7f7e5b9c5000

page read and write

55e0903a3000

page read and write

7f7e5bb3b000

page read and write

7fffa2972000

page execute read

7f7e54000000

page read and write

7f7dd441e000

page read and write

7f7e5b9c5000

page read and write

7f7e5b004000

page read and write

7f7e5baee000

page read and write

55e090185000

page execute read

7f7e5b655000

page read and write

7f7e5aff6000

page read and write

7f7e5baf6000

page read and write

7f7e5b67a000

page read and write

55e0923a1000

page execute and read and write

7f7e5b67a000

page read and write

7f7e5a7f3000

page read and write

7f7e54000000

page read and write

7fffa28ee000

page read and write

7f7dd441d000

page read and write

7f7dd441d000

page read and write

7fffa28ee000

page read and write

7f7e5b004000

page read and write

7f7e5baee000

page read and write

7fffa2972000

page execute read

7fffa28ee000

page read and write

7f7e5bb3b000

page read and write

7f7e5b655000

page read and write

7f7e5b9c5000

page read and write

55e093a5b000

page read and write

7f7e5aff6000

page read and write

7f7dd441e000

page read and write

7f7e5b293000

page read and write

7f7e5baf6000

page read and write

7f7e5b67a000

page read and write

55e0903a3000

page read and write

55e090185000

page execute read

7f7dd441d000

page read and write

7f7e54021000

page read and write

55e09039b000

page read and write

7f7e5b655000

page read and write

There are 59 hidden memdumps, click here to show them.