Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Download

xd.arm7.elf

ELF 32-bit LSB executable, ARM, EABI4 version 1 (GNU/Linux), statically linked, no section header

initial sample

/var/cache/man/6326

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/cs/6326

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/cs/index.db.nDpyzz

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/da/6326

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/da/index.db.xTR9zz

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/de/6326

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/de/index.db.301NZw

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/es/6326

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/es/index.db.v2s7Nv

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/fi/6326

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/fi/index.db.2Wpngw

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/fr.ISO8859-1/6326

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/fr.ISO8859-1/index.db.ITGL0w

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/fr.UTF-8/6326

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/fr.UTF-8/index.db.6LWx5x

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/fr/6326

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/fr/index.db.namXjw

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/hu/6326

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/hu/index.db.iAJ40x

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/id/6326

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/id/index.db.0p8Lbx

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/index.db.cjc7Rx

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/it/6326

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/it/index.db.KnKoFw

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/ja/6326

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/ja/index.db.GgPChx

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/ko/6326

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/ko/index.db.H0549y

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/nl/6326

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/nl/index.db.iLmqXw

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/pl/6326

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/pl/index.db.BJXk4z

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/pt/6326

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/pt/index.db.KUuGGz

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/pt_BR/6326

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/pt_BR/index.db.0qNhDw

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/ru/6326

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/ru/index.db.dc8LLx

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/sl/6326

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/sl/index.db.YAItew

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/sr/6326

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/sr/index.db.sVLTCx

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/sv/6326

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/sv/index.db.IyLb6w

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/tr/6326

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/tr/index.db.AZUgCy

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/zh_CN/6326

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/zh_CN/index.db.bQIkOw

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/zh_TW/6326

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/zh_TW/index.db.LVddUx

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/lib/logrotate/status.tmp

ASCII text

dropped

There are 42 hidden files, click here to show them.

Processes

Path

Cmdline

Malicious

/tmp/xd.arm7.elf

/usr/lib/systemd/systemd

/usr/sbin/logrotate

/usr/sbin/logrotate /etc/logrotate.conf

/usr/lib/systemd/systemd

/usr/bin/install

/usr/bin/install -d -o man -g man -m 0755 /var/cache/man

/usr/lib/systemd/systemd

/usr/bin/find

/usr/bin/find /var/cache/man -type f -name *.gz -atime +6 -delete

/usr/lib/systemd/systemd

/usr/bin/mandb

/usr/bin/mandb --quiet

/usr/bin/dash

/usr/bin/rm

rm -f /tmp/tmp.qITcp3Q12J /tmp/tmp.O175aKJtiZ /tmp/tmp.FujIj6PsPc

/usr/bin/dash

/usr/bin/rm

rm -f /tmp/tmp.qITcp3Q12J /tmp/tmp.O175aKJtiZ /tmp/tmp.FujIj6PsPc

There are 4 hidden processes, click here to show them.

URLs

Name

Malicious

http://upx.sf.net

unknown

Details

Name:	http://upx.sf.net
TargetID:	12
From Memory:	true
Current Path:	/tmp/xd.arm7.elf
Source:	xd.arm7.elf
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Sample is packed with UPX	Data Obfuscation	Obfuscated Files or Information
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

54.171.230.55

unknown

United States

Details

IP:	54.171.230.55
TargetID:	-1
Country:	United States
Countrycode:	USA
ASN number:	16509
ASN name:	AMAZON-02US
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

209.141.33.93

unknown

United States

Details

IP:	209.141.33.93
TargetID:	-1
Country:	United States
Countrycode:	USA
ASN number:	53667
ASN name:	PONYNETUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

34.249.145.219

unknown

United States

Details

IP:	34.249.145.219
TargetID:	-1
Country:	United States
Countrycode:	USA
ASN number:	16509
ASN name:	AMAZON-02US
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

109.202.202.202

unknown

Switzerland

Details

IP:	109.202.202.202
TargetID:	-1
Country:	Switzerland
Countrycode:	CHE
ASN number:	13030
ASN name:	INIT7CH
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.43

unknown

United Kingdom

Details

IP:	91.189.91.43
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.42

unknown

United Kingdom

Details

IP:	91.189.91.42
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

Download

7ffd4e1f7000

page execute read

7fa5a05a9000

page read and write

55f9fff13000

page read and write

55f9fff1c000

page read and write

7fa5a0ab9000

page read and write

7fa5a043d000

page read and write

7ffd4e086000

page read and write

7fa5a0a95000

page read and write

7fa5a0afe000

page read and write

7fa59f5b3000

page read and write

55fa01f1a000

page execute and read and write

7fa498029000

page execute read

7fa597fff000

page read and write

7fa59fdbb000

page read and write

7fa5a078b000

page read and write

7fa49803a000

page read and write

55f9ffcc2000

page execute read

55fa01f31000

page read and write

7fa5a041a000

page read and write

7fa5a01af000

page read and write

7fa598021000

page read and write

7fa5a096c000

page read and write

55fa0219e000

page read and write

7fa59fe4d000

page read and write

There are 14 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
xd.arm7.elf

Files

Processes

URLs

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportxd.arm7.elf

Files

Processes

URLs

IPs

Memdumps

IOC Report
xd.arm7.elf