Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Download

na.elf

ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, no section header

initial sample

Details

Filetype:	ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, no section header
Entropy:	7.942812331838788
Filename:	na.elf
Filesize:	435932
MD5:	6c688829a09019768351ddf3af7d102a
SHA1:	931ea85b4b684279358988fbb0d6bb5821d0f99f
SHA256:	90595afd6129671331e1305a78d8a45c8234ea8dc8a8194148f057b7fb38aeb0
SHA512:	81a883209c6071793cbbecf5b21e18642585d1e5e11c537cf22975b4f1d82277b9c9c8176761861342ec187d46c909626171e7d4de46f154455ddc580b4995d3
SSDEEP:	6144:63fxS1fHETSACF2Gzm5DVvSHrKKRH4SCra+HWMiFbcAOXmb4Dsi6wwcitgf:25WOSACZSV6eKRH5EPiamb4DsDwwcP
Preview:	.ELF..............>.....`.].....@...................@.8...........................@.......@.............XH...............................PW......PW.....M.......M...............Q.td....................................................V..9UPX!............!v.

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Drops files in suspicious directories	Hooking and other Techniques for Hiding and Protection	Masquerading
Found Tor onion address	Networking	Proxy
Sample deletes itself	Hooking and other Techniques for Hiding and Protection	File Deletion
ELF contains segments with high entropy indicating compressed/encrypted content	Hooking and other Techniques for Hiding and Protection
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Sample tries to set the executable flag	Persistence and Installation Behavior	File and Directory Permissions Modification
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
Writes ELF files to disk	Persistence and Installation Behavior
Yara signature match	System Summary
URLs found in memory or binary data	Networking

/etc/CommId

ASCII text, with no line terminators

dropped

Details

File:	/etc/CommId
Category:	dropped
Dump:	CommId.55.dr
ID:	dr_4
Target ID:	55
Process:	/usr/sbin/uplugplay
Type:	ASCII text, with no line terminators
Entropy:	3.375
Encrypted:	false
Ssdeep:	3:FWQq1n:/On
Size:	16
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Found Tor onion address	Networking	Proxy

/usr/sbin/uplugplay

ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, no section header

dropped

Details

File:	/usr/sbin/uplugplay
Category:	dropped
Dump:	uplugplay.12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/na.elf
Type:	ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, no section header
Entropy:	7.942812331838788
Encrypted:	false
Ssdeep:	6144:63fxS1fHETSACF2Gzm5DVvSHrKKRH4SCra+HWMiFbcAOXmb4Dsi6wwcitgf:25WOSACZSV6eKRH5EPiamb4DsDwwcP
Size:	435932
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Drops files in suspicious directories	Hooking and other Techniques for Hiding and Protection	Masquerading
Found Tor onion address	Networking	Proxy
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Sample tries to set the executable flag	Persistence and Installation Behavior	File and Directory Permissions Modification
Writes ELF files to disk	Persistence and Installation Behavior

/memfd:snapd-env-generator (deleted)

ASCII text

dropped

Details

File:	/memfd:snapd-env-generator (deleted)
Category:	dropped
Dump:	memfd_snapd-env-generator (deleted).44.dr
ID:	dr_3
Target ID:	44
Process:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
Type:	ASCII text
Entropy:	3.7627880354948586
Encrypted:	false
Ssdeep:	3:+M4VMPQnMLmPQ9JEcwwbn:+M4m4MixcZb
Size:	76
Whitelisted:	false
Reputation:	high

/usr/lib/systemd/system/uplugplay.service

ASCII text

dropped

Details

File:	/usr/lib/systemd/system/uplugplay.service
Category:	dropped
Dump:	uplugplay.service.12.dr
ID:	dr_1
Target ID:	12
Process:	/tmp/na.elf
Type:	ASCII text
Entropy:	4.769509838572339
Encrypted:	false
Ssdeep:	3:zMZa75X1PxQJqtWA1+DRvBADMikAdIgQ+aQmNJX4ev+sirSkQmWA1+DRvn:z8uXcqtWA4RZAMD+aBNdhTILQmWA4Rv
Size:	145
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

/tmp/na.elf

/bin/sh

sh -c "pgrep na.elf"

/bin/sh

/usr/bin/pgrep

pgrep na.elf

/tmp/na.elf

/bin/sh

sh -c "pgrep uplugplay"

/bin/sh

/usr/bin/pgrep

pgrep uplugplay

/tmp/na.elf

/bin/sh

sh -c "pidof uplugplay"

/bin/sh

/usr/bin/pidof

pidof uplugplay

/tmp/na.elf

/bin/sh

sh -c "pgrep upnpsetup"

/bin/sh

/usr/bin/pgrep

pgrep upnpsetup

/tmp/na.elf

/bin/sh

sh -c "pidof upnpsetup"

/bin/sh

/usr/bin/pidof

pidof upnpsetup

/tmp/na.elf

/bin/sh

sh -c "systemctl daemon-reload"

/bin/sh

/usr/bin/systemctl

systemctl daemon-reload

/tmp/na.elf

/bin/sh

sh -c "systemctl enable uplugplay.service"

/bin/sh

/usr/bin/systemctl

systemctl enable uplugplay.service

/tmp/na.elf

/bin/sh

sh -c "systemctl start uplugplay.service"

/bin/sh

/usr/bin/systemctl

systemctl start uplugplay.service

/usr/lib/systemd/systemd

/usr/lib/systemd/system-environment-generators/snapd-env-generator

/usr/lib/systemd/systemd

/usr/lib/systemd/system-environment-generators/snapd-env-generator

/usr/lib/systemd/systemd

/usr/sbin/uplugplay

/bin/sh

sh -c "/usr/sbin/uplugplay -Dcomsvc"

/bin/sh

/usr/sbin/uplugplay

/usr/sbin/uplugplay -Dcomsvc

/usr/sbin/uplugplay

/bin/sh

sh -c hostnamectl

/bin/sh

/usr/bin/hostnamectl

hostnamectl

/usr/sbin/uplugplay

/bin/sh

sh -c hostnamectl

/bin/sh

/usr/bin/hostnamectl

hostnamectl

/usr/sbin/uplugplay

/bin/sh

sh -c "dmidecode --type baseboard"

/bin/sh

/usr/sbin/dmidecode

dmidecode --type baseboard

/usr/sbin/uplugplay

/bin/sh

sh -c uptime

/bin/sh

/usr/bin/uptime

uptime

/usr/sbin/uplugplay

/bin/sh

sh -c "uname -a"

/bin/sh

/usr/bin/uname

uname -a

/usr/sbin/uplugplay

/bin/sh

sh -c dmidecode

/bin/sh

/usr/sbin/dmidecode

dmidecode

/usr/sbin/uplugplay

/bin/sh

sh -c uptime

/bin/sh

/usr/bin/uptime

uptime

/usr/sbin/uplugplay

/bin/sh

sh -c "uname -a"

/bin/sh

/usr/bin/uname

uname -a

/usr/lib/systemd/systemd

/lib/systemd/systemd-hostnamed

/usr/bin/dash

/usr/bin/rm

rm -f /tmp/tmp.S1wY9tGCVt /tmp/tmp.TWgSy8Ra8I /tmp/tmp.0XNgtrCFs6

/usr/bin/dash

/usr/bin/cat

cat /tmp/tmp.S1wY9tGCVt

/usr/bin/dash

/usr/bin/head

head -n 10

/usr/bin/dash

/usr/bin/tr

tr -d \\000-\\011\\013\\014\\016-\\037

/usr/bin/dash

/usr/bin/cut

cut -c -80

/usr/bin/dash

/usr/bin/cat

cat /tmp/tmp.S1wY9tGCVt

/usr/bin/dash

/usr/bin/head

head -n 10

/usr/bin/dash

/usr/bin/tr

tr -d \\000-\\011\\013\\014\\016-\\037

/usr/bin/dash

/usr/bin/cut

cut -c -80

/usr/bin/dash

/usr/bin/rm

rm -f /tmp/tmp.S1wY9tGCVt /tmp/tmp.TWgSy8Ra8I /tmp/tmp.0XNgtrCFs6

There are 88 hidden processes, click here to show them.

URLs

Name

Malicious

http://152.36.128.18/cgi-bin/p.cgi?r=9&i=Y1B3N2Y000JM5I0P

152.36.128.18

http://152.36.128.18/cgi-bin/p.cgi?add=aW5mbyB7DQp2NC4wMlZfVW5peDY0DQpnYWxhc3NpYQ0KDQoyeCBJbnRlbChSKSBYZW9uKFIpIFNpbHZlciA0MjEwIENQVSBAIDIuMjBHSHoNCjMwNjQyOTYga0INCnZtd2FyZQ0KDQoNCg0KVWJ1bnR1ICYgMjAuMDQuMiBMVFMgKEZvY2FsIEZvc3NhKSAgJiBidWxsc2V5ZS9zaWQgJiANCg0KL3Vzci9zYmluLw0KIDIzOjUwOjEzIHVwIDEgbWluLCAgMSB1c2VyLCAgbG9hZCBhdmVyYWdlOiAyLjI4LCAwLjk3LCAwLjM2fDE3NDUwMzgyMTMNCiMgZG1pZGVjb2RlIDMuMg0KfQ0K&i=Y1B3N2Y000JM5I0P&h=galassia&enckey=boW+shuEvBzdGZVCvYY9lRTTCxrm/Cj7mmSqy4KvsFg5n3m2cLX0KXuQRzb+8/Y5loqot/LW9Or5C7RGOkL/fdxyXk5BpgxLRKLSovweJMs0eucp8UpyCeVNwroKzt6ngx8bR8F46BcKNNf64tHbtgxjFZrVnSQP9EVk3yn+anM=

152.36.128.18

http://152.36.128.18/cgi-bin/p.cgihttp://dummy.zero/cgi-bin/prometei.cgihttps://gb7ni5rgeexdcncj.oni

unknown

http://xinbicfea.org/cgi-bin/p.cgi?r=0&auth=hash&i=Y1B3N2Y000JM5I0P&enckey=boW-shuEvBzdGZVCvYY9lRTTCxrm/Cj7mmSqy4KvsFg5n3m2cLX0KXuQRzb-8/Y5loqot/LW9Or5C7RGOkL/fdxyXk5BpgxLRKLSovweJMs0eucp8UpyCeVNwroKzt6ngx8bR8F46BcKNNf64tHbtgxjFZrVnSQP9EVk3yn-anM_

85.214.228.140

http://xinchaobicfea.net/cgi-bin/p.cgi?r=0&auth=hash&i=Y1B3N2Y000JM5I0P&enckey=boW-shuEvBzdGZVCvYY9lRTTCxrm/Cj7mmSqy4KvsFg5n3m2cLX0KXuQRzb-8/Y5loqot/LW9Or5C7RGOkL/fdxyXk5BpgxLRKLSovweJMs0eucp8UpyCeVNwroKzt6ngx8bR8F46BcKNNf64tHbtgxjFZrVnSQP9EVk3yn-anM_

54.170.242.139

http://upx.sf.net

unknown

http://mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.b32.i2p/cgi-bin/prometei.cgi

unknown

https://gb7ni5rgeexdcncj.onion/cgi-bin/prometei.cgi

unknown

http://152.36.128.18/cgi-bin/p.cgi

unknown

http://dummy.zero/cgi-bin/prometei.cgi

unknown

http://152.36.128

unknown

There are 1 hidden URLs, click here to show them.

Domains

Name

Malicious

xinbicfea.org

85.214.228.140

Details

Name:	xinbicfea.org
IP:	85.214.228.140
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
Suricata IDS alerts with low severity for network traffic	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

xinchaobicfea.net

54.170.242.139

Details

Name:	xinchaobicfea.net
IP:	54.170.242.139
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
Suricata IDS alerts with low severity for network traffic	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

xinchaobicfea.com

unknown

IPs

Domain

Country

Malicious

152.36.128.18

unknown

United States

Details

IP:	152.36.128.18
TargetID:	-1
Country:	United States
Countrycode:	USA
ASN number:	81
ASN name:	NCRENUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found Tor onion address	Networking	Proxy
HTTP GET or POST without a user agent	Networking
Suricata IDS alerts with low severity for network traffic	Networking
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking

54.171.230.55

unknown

United States

Details

IP:	54.171.230.55
TargetID:	-1
Country:	United States
Countrycode:	USA
ASN number:	16509
ASN name:	AMAZON-02US
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

54.170.242.139

xinchaobicfea.net

United States

Details

IP:	54.170.242.139
TargetID:	-1
Country:	United States
Countrycode:	USA
ASN number:	16509
ASN name:	AMAZON-02US
Private:	false
Domain:	xinchaobicfea.net

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts with low severity for network traffic	Networking

85.214.228.140

xinbicfea.org

Germany

Details

IP:	85.214.228.140
TargetID:	-1
Country:	Germany
Countrycode:	DEU
ASN number:	6724
ASN name:	STRATOSTRATOAGDE
Private:	false
Domain:	xinbicfea.org

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts with low severity for network traffic	Networking

185.125.190.26

unknown

United Kingdom

Details

IP:	185.125.190.26
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

Download

7f7aa8b16000

page read and write

7f7aa0ffa000

page read and write

7f7aa9317000

page read and write

7f7aa2ffe000

page read and write

7f7aa1ffc000

page read and write

4f9000

page execute read

7f7aa17fb000

page read and write

7ffc6bdd2000

page execute read

19c4000

page read and write

7f7aa27fd000

page read and write

7ffc6bcb2000

page read and write

7f7aa4000000

page read and write

1575000

page read and write

7f7aa37ff000

page read and write

7f7aa07f9000

page read and write

7f7aa4021000

page read and write

There are 6 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
na.elf

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportna.elf

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
na.elf