Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

na.elf

ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), statically linked, for GNU/Linux 3.2.0, BuildID[sha1]=bc565f9f2dafc5618defa8eccf705f85712c87da, stripped

initial sample

Details

Filetype:	ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), statically linked, for GNU/Linux 3.2.0, BuildID[sha1]=bc565f9f2dafc5618defa8eccf705f85712c87da, stripped
Entropy:	5.765261555711522
Filename:	na.elf
Filesize:	920568
MD5:	3a901423737785cbcb6f5f91a52dbc73
SHA1:	330df5698199f6808df870255169d2a28108fa24
SHA256:	add24e53fba139eab9c56351c0ee86f99192a8328dd7c62c2133eb572c08c6a4
SHA512:	406de4d895eb2b8e6bf42973d6e5b15b247ac28692a164371e9b72ba1ebdf9a5f7e57a4134baa6cdda43577fbb395409b5c48c46769288513729ef5115f7960d
SSDEEP:	12288:qb143S0q+8eXS1/f2Wc3slC3yjTjMv+9XSJhBXEsV3b9gh4J8zMSv7MzOup8Mplx:qmShf4OTjMgXSJhBXEsVrmz9MOup1Khe
Preview:	.ELF.....................@.....4....p....4. ...(.#."p......X.@.X.@.X................p......p.@.p.@.p.........................@...@........................&..N&..N&...F...V................4.@.4.@.4... ... .................@...@.....$...$..............'..N'

Signature Hits	Behavior Group	Mitre Attack
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Drops files in suspicious directories	Hooking and other Techniques for Hiding and Protection	Masquerading
Found Tor onion address	Networking	Proxy
Sample deletes itself	Hooking and other Techniques for Hiding and Protection
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Sample tries to set the executable flag	Persistence and Installation Behavior	File and Directory Permissions Modification
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
Writes ELF files to disk	Persistence and Installation Behavior
Yara signature match	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
URLs found in memory or binary data	Networking

/etc/CommId

ASCII text, with no line terminators

dropped

Details

File:	/etc/CommId
Category:	dropped
Dump:	CommId.65.dr
ID:	dr_4
Target ID:	65
Process:	/usr/sbin/uplugplay
Type:	ASCII text, with no line terminators
Entropy:	3.577819531114783
Encrypted:	false
Ssdeep:	3:MXIt:MXM
Size:	16
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Found Tor onion address	Networking	Proxy

/usr/sbin/uplugplay

ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), statically linked, for GNU/Linux 3.2.0, BuildID[sha1]=bc565f9f2dafc5618defa8eccf705f85712c87da, stripped

dropped

Details

File:	/usr/sbin/uplugplay
Category:	dropped
Dump:	uplugplay.16.dr
ID:	dr_0
Target ID:	16
Process:	/tmp/na.elf
Type:	ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), statically linked, for GNU/Linux 3.2.0, BuildID[sha1]=bc565f9f2dafc5618defa8eccf705f85712c87da, stripped
Entropy:	5.765261555711522
Encrypted:	false
Ssdeep:	12288:qb143S0q+8eXS1/f2Wc3slC3yjTjMv+9XSJhBXEsV3b9gh4J8zMSv7MzOup8Mplx:qmShf4OTjMgXSJhBXEsVrmz9MOup1Khe
Size:	920568
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Yara detected Prometei	Bitcoin Miner
Drops files in suspicious directories	Hooking and other Techniques for Hiding and Protection	Masquerading
Found Tor onion address	Networking	Proxy
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Sample tries to set the executable flag	Persistence and Installation Behavior	File and Directory Permissions Modification
Writes ELF files to disk	Persistence and Installation Behavior
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery

/memfd:snapd-env-generator (deleted)

ASCII text

dropped

Details

File:	/memfd:snapd-env-generator (deleted)
Category:	dropped
Dump:	memfd_snapd-env-generator (deleted).54.dr
ID:	dr_3
Target ID:	54
Process:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
Type:	ASCII text
Entropy:	3.7627880354948586
Encrypted:	false
Ssdeep:	3:+M4VMPQnMLmPQ9JEcwwbn:+M4m4MixcZb
Size:	76
Whitelisted:	false
Reputation:	moderate

/proc/6423/task/6424/comm

ASCII text, with no line terminators

dropped

Details

File:	/proc/6423/task/6424/comm
Category:	dropped
Dump:	comm.69.dr
ID:	dr_5
Target ID:	69
Process:	/usr/bin/nslookup
Type:	ASCII text, with no line terminators
Entropy:	3.09306920777189
Encrypted:	false
Ssdeep:	3:XfSPyVd:PSPS
Size:	14
Whitelisted:	false
Reputation:	moderate

/proc/6423/task/6425/comm

ASCII text, with no line terminators

dropped

Details

File:	/proc/6423/task/6425/comm
Category:	dropped
Dump:	comm0.69.dr
ID:	dr_6
Target ID:	69
Process:	/usr/bin/nslookup
Type:	ASCII text, with no line terminators
Entropy:	2.94770277922009
Encrypted:	false
Ssdeep:	3:XfRJy:P2
Size:	9
Whitelisted:	false
Reputation:	moderate

/proc/6423/task/6426/comm

ASCII text, with no line terminators

dropped

Details

File:	/proc/6423/task/6426/comm
Category:	dropped
Dump:	comm1.69.dr
ID:	dr_7
Target ID:	69
Process:	/usr/bin/nslookup
Type:	ASCII text, with no line terminators
Entropy:	3.084962500721156
Encrypted:	false
Ssdeep:	3:XfWdvRo:PWno
Size:	12
Whitelisted:	false
Reputation:	moderate

/usr/lib/systemd/system/uplugplay.service

ASCII text

dropped

Details

File:	/usr/lib/systemd/system/uplugplay.service
Category:	dropped
Dump:	uplugplay.service.16.dr
ID:	dr_1
Target ID:	16
Process:	/tmp/na.elf
Type:	ASCII text
Entropy:	4.769509838572339
Encrypted:	false
Ssdeep:	3:zMZa75X1PxQJqtWA1+DRvBADMikAdIgQ+aQmNJX4ev+sirSkQmWA1+DRvn:z8uXcqtWA4RZAMD+aBNdhTILQmWA4Rv
Size:	145
Whitelisted:	false
Reputation:	timeout

Processes

Path

Cmdline

Malicious

/usr/bin/dash

/usr/bin/rm

rm -f /tmp/tmp.IxF8b80PrJ /tmp/tmp.MxENF9epsP /tmp/tmp.cpiNHxKqd7

/usr/bin/dash

/usr/bin/rm

rm -f /tmp/tmp.IxF8b80PrJ /tmp/tmp.MxENF9epsP /tmp/tmp.cpiNHxKqd7

/tmp/na.elf

/bin/sh

sh -c "pgrep na.elf"

/bin/sh

/usr/bin/pgrep

pgrep na.elf

/tmp/na.elf

/bin/sh

sh -c "pidof na.elf"

/bin/sh

/usr/bin/pidof

pidof na.elf

/tmp/na.elf

/bin/sh

sh -c "pgrep uplugplay"

/bin/sh

/usr/bin/pgrep

pgrep uplugplay

/tmp/na.elf

/bin/sh

sh -c "pidof uplugplay"

/bin/sh

/usr/bin/pidof

pidof uplugplay

/tmp/na.elf

/bin/sh

sh -c "pgrep upnpsetup"

/bin/sh

/usr/bin/pgrep

pgrep upnpsetup

/tmp/na.elf

/bin/sh

sh -c "pidof upnpsetup"

/bin/sh

/usr/bin/pidof

pidof upnpsetup

/tmp/na.elf

/bin/sh

sh -c "systemctl daemon-reload"

/bin/sh

/usr/bin/systemctl

systemctl daemon-reload

/tmp/na.elf

/bin/sh

sh -c "systemctl enable uplugplay.service"

/bin/sh

/usr/bin/systemctl

systemctl enable uplugplay.service

/tmp/na.elf

/bin/sh

sh -c "systemctl start uplugplay.service"

/bin/sh

/usr/bin/systemctl

systemctl start uplugplay.service

/usr/lib/systemd/systemd

/usr/lib/systemd/system-environment-generators/snapd-env-generator

/usr/lib/systemd/systemd

/usr/lib/systemd/system-environment-generators/snapd-env-generator

/usr/lib/systemd/systemd

/usr/sbin/uplugplay

/bin/sh

sh -c "/usr/sbin/uplugplay -Dcomsvc"

/bin/sh

/usr/sbin/uplugplay

/usr/sbin/uplugplay -Dcomsvc

/usr/sbin/uplugplay

/bin/sh

sh -c "nslookup p3.feefreepool.net 8.8.8.8"

/bin/sh

/usr/bin/nslookup

nslookup p3.feefreepool.net 8.8.8.8

There are 46 hidden processes, click here to show them.

URLs

Name

Malicious

http://p3.feefreepool.net/cgi-bin/prometei.cgihttp://dummy.zero/cgi-bin/prometei.cgihttps://gb7ni5rg

unknown

https://bugs.launchpad.net/ubuntu/

unknown

http://mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.b32.i2p/cgi-bin/prometei.cgi

unknown

http://p3.feefreepool.net/cgi-bin/prometei.cgi

unknown

https://gb7ni5rgeexdcncj.onion/cgi-bin/prometei.cgi

unknown

http://%s/cgi-bin/prometei.cgi

unknown

http://%s/cgi-bin/prometei.cgi?r=0&auth=hash&i=%s&enckey=%shttp://%s/cgi-bin/prometei.cgi%m%d%yxinch

unknown

https://http:///:.onion.i2p.zeroGET

unknown

http://dummy.zero/cgi-bin/prometei.cgi

unknown

http://%s/cgi-bin/prometei.cgi?r=0&auth=hash&i=%s&enckey=%s

unknown

Domains

Name

Malicious

p3.feefreepool.net

88.198.246.242

Details

Name:	p3.feefreepool.net
IP:	88.198.246.242
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Found Tor onion address	Networking	Proxy
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
HTTP GET or POST without a user agent	Networking
Suricata IDS alerts with low severity for network traffic	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

88.198.246.242

p3.feefreepool.net

Germany

Details

IP:	88.198.246.242
TargetID:	-1
Country:	Germany
Countrycode:	DEU
ASN number:	24940
ASN name:	HETZNER-ASDE
Private:	false
Domain:	p3.feefreepool.net

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Suricata IDS alerts with low severity for network traffic	Networking

109.202.202.202

unknown

Switzerland

Details

IP:	109.202.202.202
TargetID:	-1
Country:	Switzerland
Countrycode:	CHE
ASN number:	13030
ASN name:	INIT7CH
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.43

unknown

United Kingdom

Details

IP:	91.189.91.43
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.42

unknown

United Kingdom

Details

IP:	91.189.91.42
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7f5e78451000

page execute read

7f5e791e9000

page read and write

55bbcf866000

page read and write

55bbcf5de000

page execute read

7f27aff5e000

page read and write

55c33b0f6000

page read and write

7f5e78466000

page read and write

55bbd186e000

page execute and read and write

7f5efce6f000

page read and write

7f5e70062000

page read and write

7f5ef1d76000

page execute and read and write

7f5efceaf000

page read and write

7f5ef5d7e000

page execute and read and write

7ffcba1d8000

page execute read

55bbd3299000

page read and write

7f5ef2d78000

page execute and read and write

7f272926a000

page read and write

7f5e77e3a000

page read and write

7f5e77ebc000

page read and write

7f5e68032000

page read and write

7f5efd3c1000

page read and write

55bbd1885000

page read and write

7f5e77f7f000

page read and write

7f5e77e7b000

page read and write

7f5ef6f7d000

page execute and read and write

7f5efd4ea000

page read and write

7f5ef557d000

page execute and read and write

7f5ef4d7c000

page execute and read and write

7f5ef8021000

page read and write

55c339462000

page execute and read and write

55c33745a000

page read and write

7f27b1136000

page read and write

7f5efd4f2000

page read and write

7f5efcace000

page read and write

7ffcba196000

page read and write

55c339479000

page read and write

7f27b0e05000

page read and write

7f5efd537000

page read and write

7f5e77efd000

page read and write

7f5efc810000

page read and write

55bbcf870000

page read and write

7f27a8021000

page read and write

7f5ef3d7a000

page execute and read and write

7f27b0de8000

page read and write

7f5ef777e000

page execute and read and write

7f5ef457b000

page execute and read and write

7f27b1448000

page read and write

7f5ef8000000

page read and write

7f5efc81e000

page read and write

7f5ef2577000

page execute and read and write

7f5efd1e0000

page read and write

7f5ef3579000

page execute and read and write

7f27b0774000

page read and write

7f27b148d000

page read and write

7f5e77f3e000

page read and write

7f27b1317000

page read and write

7f27a8000000

page read and write

7f27b0766000

page read and write

55c337464000

page read and write

7f27b1440000

page read and write

7f27b0a24000

page read and write

7ffd76753000

page execute read

7f27b0dc5000

page read and write

7ffd76641000

page read and write

7f5ef65a0000

page read and write

7f5efce92000

page read and write

55c3371d2000

page execute read

7f5ef657f000

page execute and read and write

There are 58 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
na.elf

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportna.elf

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
na.elf