Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

ehDbsf5C6M.elf

ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, not stripped

initial sample

Details

Filetype:	ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, not stripped
Entropy:	6.206803169504761
Filename:	ehDbsf5C6M.elf
Filesize:	119174
MD5:	c772f71c82ccae9115f74dc58fcdb601
SHA1:	f22397ca47cbdce53af86635114f7a61ac019bf6
SHA256:	3d572695b0e5d9e53e4fef77b63023d2cce68dd18521b88d1d7a7384857b3ccd
SHA512:	2f1d27f907f99f8ea6bd07f73247e288f416bfaade022674da84403914f61b45c7cdb8cef4628978ae3370a3949e31c70471f259753db128f302d074f28bca2c
SSDEEP:	3072:aP7zy2FgpVpvvK5u/Pnij6WmiezXA2Roc:aP7eo2vvKY/PzWmiezXA2Roc
Preview:	.ELF...........................4..t......4. ...(......................`...`...............`...`...`.......x(..............aL..aL..aL................dt.Q.............................!..\|......$H...H..}...$8!. \|...N.. .!..\|.......?.........hD..../...@..`= .

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Opens /proc/net/* files useful for finding connected devices and routers	Spreading	Remote System Discovery
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion
Yara signature match	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery

/tmp/qemu-open.UGOJDz (deleted)

ASCII text

dropped

Details

File:	/tmp/qemu-open.UGOJDz (deleted)
Category:	dropped
Dump:	qemu-open.UGOJDz (deleted).12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/ehDbsf5C6M.elf
Type:	ASCII text
Entropy:	3.709552666863289
Encrypted:	false
Ssdeep:	6:iekrEcvwAsE5KlwSd4pzKaV6Lpms/a/1VCxGF:ur+m5MwSdIKaV6L1adVRF
Size:	230
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

/tmp/ehDbsf5C6M.elf

URLs

Name

Malicious

193.35.18.56:65490

Details

Name:	193.35.18.56:65490
TargetID:	0
From Memory:	false
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

IPs

Domain

Country

Malicious

193.35.18.56

unknown

Germany

Details

IP:	193.35.18.56
TargetID:	-1
Country:	Germany
Countrycode:	DEU
ASN number:	41865
ASN name:	BIALLNET-ASPL
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Connects to many ports of the same IP (likely port scanning)	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

109.202.202.202

unknown

Switzerland

Details

IP:	109.202.202.202
TargetID:	-1
Country:	Switzerland
Countrycode:	CHE
ASN number:	13030
ASN name:	INIT7CH
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.43

unknown

United Kingdom

Details

IP:	91.189.91.43
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.42

unknown

United Kingdom

Details

IP:	91.189.91.42
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7fe278018000

page execute read

7fe278018000

page execute read

7fe370deb000

page read and write

7fe37042a000

page read and write

55aa785bd000

page read and write

7fe27802f000

page execute and read and write

7fe370f61000

page read and write

7fe37041c000

page read and write

7fe370f61000

page read and write

55aa7c263000

page read and write

7fe370a7b000

page read and write

7fe3706b9000

page read and write

55aa7a5d1000

page read and write

7fe36fc19000

page read and write

7ffd9b2cc000

page read and write

55aa785b5000

page read and write

7fe278028000

page execute and read and write

55aa78332000

page execute read

55aa785b5000

page read and write

55aa7c263000

page read and write

7ffd9b2e7000

page execute read

7ffd9b2e7000

page execute read

55aa7a5bb000

page execute and read and write

7fe278030000

page read and write

7fe370f14000

page read and write

7fe370f1c000

page read and write

7fe37042a000

page read and write

7fe370a7b000

page read and write

7fe278030000

page read and write

7fe36fc19000

page read and write

7fe370deb000

page read and write

7fe278028000

page execute and read and write

7fe370aa0000

page read and write

7fe368000000

page read and write

7fe370f1c000

page read and write

7ffd9b2cc000

page read and write

55aa78332000

page execute read

55aa7a5bb000

page execute and read and write

7fe368021000

page read and write

7fe3706b9000

page read and write

7fe27802f000

page execute and read and write

7fe370f14000

page read and write

7fe37041c000

page read and write

55aa785bd000

page read and write

55aa7a5d1000

page read and write

7fe368021000

page read and write

7fe368000000

page read and write

7fe370aa0000

page read and write

There are 38 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
ehDbsf5C6M.elf

Files

Processes

URLs

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportehDbsf5C6M.elf

Files

Processes

URLs

IPs

Memdumps

IOC Report
ehDbsf5C6M.elf