Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

na.elf

ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, no section header

initial sample

Details

Filetype:	ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, no section header
Entropy:	7.9417861831662675
Filename:	na.elf
Filesize:	428272
MD5:	9d2521b5e520b02534de2318a4e27df9
SHA1:	1ea7c9512e86dc296ae29b0f678c19de7cc337ca
SHA256:	0295807d74c8dcbc2f81c0436f047c75f307f9b5068e7a37a62ad890982be8df
SHA512:	c83ee1c2440d41d36121cad1c57ad29f16658992ce619f488eb716fd55384e6cf2b1da4fdb28f39112c224a98a524f24126508ed2f6d38d43c011a3f37dae309
SSDEEP:	12288:6QIkwT+V+46MTuxN+qpMBUH5kAAxwWVtBeSk:W4/y+qaBUZJAdVto
Preview:	.ELF..............>.....HwF.....@...................@.8...@.......................@.......@.....c.......c.................................F.......F.............................Q.td....................................................d&..UPX!(........8...8.

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Drops files in suspicious directories	Hooking and other Techniques for Hiding and Protection	Masquerading
Found Tor onion address	Networking	Proxy
Machine Learning detection for sample	AV Detection
Sample deletes itself	Hooking and other Techniques for Hiding and Protection	File Deletion
ELF contains segments with high entropy indicating compressed/encrypted content	Hooking and other Techniques for Hiding and Protection	Obfuscated Files or Information
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Sample tries to set the executable flag	Persistence and Installation Behavior	File and Directory Permissions Modification
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
Writes ELF files to disk	Persistence and Installation Behavior
URLs found in memory or binary data	Networking

/etc/CommId

ASCII text, with no line terminators

dropped

Details

File:	/etc/CommId
Category:	dropped
Dump:	CommId.57.dr
ID:	dr_4
Target ID:	57
Process:	/usr/sbin/uplugplay
Type:	ASCII text, with no line terminators
Entropy:	3.577819531114783
Encrypted:	false
Ssdeep:	3:wF3bXHpn:wNzJn
Size:	16
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Found Tor onion address	Networking	Proxy

/usr/sbin/uplugplay

ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, no section header

dropped

Details

File:	/usr/sbin/uplugplay
Category:	dropped
Dump:	uplugplay.12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/na.elf
Type:	ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, no section header
Entropy:	7.9417861831662675
Encrypted:	false
Ssdeep:	12288:6QIkwT+V+46MTuxN+qpMBUH5kAAxwWVtBeSk:W4/y+qaBUZJAdVto
Size:	428272
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Drops files in suspicious directories	Hooking and other Techniques for Hiding and Protection	Masquerading
Found Tor onion address	Networking	Proxy
Machine Learning detection for dropped file	AV Detection
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Sample tries to set the executable flag	Persistence and Installation Behavior	File and Directory Permissions Modification
Writes ELF files to disk	Persistence and Installation Behavior

/memfd:snapd-env-generator (deleted)

ASCII text

dropped

Details

File:	/memfd:snapd-env-generator (deleted)
Category:	dropped
Dump:	memfd_snapd-env-generator (deleted).46.dr
ID:	dr_3
Target ID:	46
Process:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
Type:	ASCII text
Entropy:	3.7627880354948586
Encrypted:	false
Ssdeep:	3:+M4VMPQnMLmPQ9JEcwwbn:+M4m4MixcZb
Size:	76
Whitelisted:	false
Reputation:	moderate

/usr/lib/systemd/system/uplugplay.service

ASCII text

dropped

Details

File:	/usr/lib/systemd/system/uplugplay.service
Category:	dropped
Dump:	uplugplay.service.12.dr
ID:	dr_1
Target ID:	12
Process:	/tmp/na.elf
Type:	ASCII text
Entropy:	4.769509838572339
Encrypted:	false
Ssdeep:	3:zMZa75X1PxQJqtWA1+DRvBADMikAdIgQ+aQmNJX4ev+sirSkQmWA1+DRvn:z8uXcqtWA4RZAMD+aBNdhTILQmWA4Rv
Size:	145
Whitelisted:	false
Reputation:	moderate

Processes

Path

Cmdline

Malicious

/tmp/na.elf

/bin/sh

sh -c "pgrep na.elf"

/bin/sh

/usr/bin/pgrep

pgrep na.elf

/tmp/na.elf

/bin/sh

sh -c "pgrep uplugplay"

/bin/sh

/usr/bin/pgrep

pgrep uplugplay

/tmp/na.elf

/bin/sh

sh -c "pidof uplugplay"

/bin/sh

/usr/bin/pidof

pidof uplugplay

/tmp/na.elf

/bin/sh

sh -c "pgrep upnpsetup"

/bin/sh

/usr/bin/pgrep

pgrep upnpsetup

/tmp/na.elf

/bin/sh

sh -c "pidof upnpsetup"

/bin/sh

/usr/bin/pidof

pidof upnpsetup

/tmp/na.elf

/bin/sh

sh -c "systemctl daemon-reload"

/bin/sh

/usr/bin/systemctl

systemctl daemon-reload

/tmp/na.elf

/bin/sh

sh -c "systemctl enable uplugplay.service"

/bin/sh

/usr/bin/systemctl

systemctl enable uplugplay.service

/tmp/na.elf

/bin/sh

sh -c "systemctl start uplugplay.service"

/bin/sh

/usr/bin/systemctl

systemctl start uplugplay.service

/usr/lib/systemd/systemd

/usr/lib/systemd/system-environment-generators/snapd-env-generator

/usr/lib/systemd/systemd

/usr/lib/systemd/system-environment-generators/snapd-env-generator

/usr/lib/systemd/systemd

/usr/sbin/uplugplay

/bin/sh

sh -c "/usr/sbin/uplugplay -Dcomsvc"

/bin/sh

/usr/sbin/uplugplay

/usr/sbin/uplugplay -Dcomsvc

There are 34 hidden processes, click here to show them.

URLs

Name

Malicious

http://p3.feefreepool.net/cgi-bin/prometei.cgihttp://dummy.zero/cgi-bin/prometei.cgihttps://gb7ni5rg

unknown

Details

Name:	http://p3.feefreepool.net/cgi-bin/prometei.cgihttp://dummy.zero/cgi-bin/prometei.cgihttps://gb7ni5rg
TargetID:	25156
From Memory:	true
Source:	na.elf, 6244.1.0000000000520000.0000000001565000.rw-.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found Tor onion address	Networking	Proxy
URLs found in memory or binary data	Networking

http://upx.sf.net

unknown

Details

Name:	http://upx.sf.net
TargetID:	-1
From Memory:	true
Source:	na.elf, uplugplay.12.dr
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Sample is packed with UPX	Data Obfuscation	Obfuscated Files or Information
URLs found in memory or binary data	Networking

http://mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.b32.i2p/cgi-bin/prometei.cgi

unknown

Details

Name:	http://mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.b32.i2p/cgi-bin/prometei.cgi
TargetID:	25156
From Memory:	true
Source:	na.elf, 6244.1.0000000000520000.0000000001565000.rw-.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found Tor onion address	Networking	Proxy
URLs found in memory or binary data	Networking

http://p3.feefreepool.net/cgi-bin/prometei.cgi

unknown

Details

Name:	http://p3.feefreepool.net/cgi-bin/prometei.cgi
TargetID:	25156
From Memory:	true
Source:	na.elf, 6244.1.0000000000520000.0000000001565000.rw-.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found Tor onion address	Networking	Proxy
URLs found in memory or binary data	Networking

https://gb7ni5rgeexdcncj.onion/cgi-bin/prometei.cgi

unknown

Details

Name:	https://gb7ni5rgeexdcncj.onion/cgi-bin/prometei.cgi
TargetID:	25156
From Memory:	true
Source:	na.elf, 6244.1.0000000000520000.0000000001565000.rw-.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found Tor onion address	Networking	Proxy
URLs found in memory or binary data	Networking

http://dummy.zero/cgi-bin/prometei.cgi

unknown

Details

Name:	http://dummy.zero/cgi-bin/prometei.cgi
TargetID:	25156
From Memory:	true
Source:	na.elf, 6244.1.0000000000520000.0000000001565000.rw-.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found Tor onion address	Networking	Proxy
URLs found in memory or binary data	Networking

Domains

Name

Malicious

p3.feefreepool.net

88.198.246.242

Details

Name:	p3.feefreepool.net
IP:	88.198.246.242
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Found Tor onion address	Networking	Proxy
HTTP GET or POST without a user agent	Networking
Suricata IDS alerts with low severity for network traffic	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

88.198.246.242

p3.feefreepool.net

Germany

Details

IP:	88.198.246.242
TargetID:	-1
Country:	Germany
Countrycode:	DEU
ASN number:	24940
ASN name:	HETZNER-ASDE
Private:	false
Domain:	p3.feefreepool.net

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Suricata IDS alerts with low severity for network traffic	Networking

109.202.202.202

unknown

Switzerland

Details

IP:	109.202.202.202
TargetID:	-1
Country:	Switzerland
Countrycode:	CHE
ASN number:	13030
ASN name:	INIT7CH
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.43

unknown

United Kingdom

Details

IP:	91.189.91.43
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.42

unknown

United Kingdom

Details

IP:	91.189.91.42
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7fff0bfce000

page execute read

7ff545ffc000

page read and write

7ff544ffa000

page read and write

7ff54ccf7000

page read and write

7ff5477ff000

page read and write

4ed000

page execute read

7ff548000000

page read and write

7ff548021000

page read and write

7ff546ffe000

page read and write

7ff5467fd000

page read and write

7ff54d4f8000

page read and write

7ff5447f9000

page read and write

1565000

page read and write

7fff0be56000

page read and write

23ac000

page read and write

7ff5457fb000

page read and write

There are 6 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
na.elf

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportna.elf

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
na.elf