Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

XmztmwSit3.elf

ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, stripped

initial sample

Details

Filetype:	ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, stripped
Entropy:	6.096682872753074
Filename:	XmztmwSit3.elf
Filesize:	75272
MD5:	c1ae54dea595011b6e14b406a53f5b10
SHA1:	12992b3e634b521248e31edb4d763f8ec6f22ae7
SHA256:	e02b1435d31e96fc6b9bee4ddfaab46143aa7bbb4e9c6bdea70291f306672b0e
SHA512:	0dda9688db47cc54bf3683199332fe9646224bc3464a816cc973efec2d735611723be329de51b4b8e2b89c0c09923b08f6df42bb0ab83744e787e6eb62e2f9e6
SSDEEP:	1536:uqHMSSgigp94Fpf9CeZnkq5sgt6W/lM5/r/pstTj:lJnpWhCeWqHoQl8/Tpcj
Preview:	.ELF...........................4..$x.....4. ...(...................... .. .............. $.. $.. $......&.........dt.Q................................@..(....@.A\|................#.....`8..`.....!..... <..@.....".........`......$ <.. <..@...........`....

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Sample listens on a socket	Networking
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery

/tmp/qemu-open.wy6Lxl (deleted)

ASCII text

dropped

Details

File:	/tmp/qemu-open.wy6Lxl (deleted)
Category:	dropped
Dump:	qemu-open.wy6Lxl (deleted).13.dr
ID:	dr_0
Target ID:	13
Process:	/tmp/XmztmwSit3.elf
Type:	ASCII text
Entropy:	3.521640636343319
Encrypted:	false
Ssdeep:	3:k+Fav:k+Fk
Size:	14
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

/tmp/XmztmwSit3.elf

/usr/bin/dash

/usr/bin/rm

rm -f /tmp/tmp.rLIS1Axjqg /tmp/tmp.kl74NVvZwE /tmp/tmp.GmcWMqmMNl

/usr/bin/dash

/usr/bin/rm

rm -f /tmp/tmp.rLIS1Axjqg /tmp/tmp.kl74NVvZwE /tmp/tmp.GmcWMqmMNl

Domains

Name

Malicious

jhbaghjbasdg.shop

185.196.8.213

Details

Name:	jhbaghjbasdg.shop
IP:	185.196.8.213
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Connects to many ports of the same IP (likely port scanning)	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

185.196.8.213

jhbaghjbasdg.shop

Switzerland

Details

IP:	185.196.8.213
TargetID:	-1
Country:	Switzerland
Countrycode:	CHE
ASN number:	34888
ASN name:	SIMPLECARRER2IT
Private:	false
Domain:	jhbaghjbasdg.shop

Signature Hits	Behavior Group	Mitre Attack
Connects to many ports of the same IP (likely port scanning)	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

34.249.145.219

unknown

United States

Details

IP:	34.249.145.219
TargetID:	-1
Country:	United States
Countrycode:	USA
ASN number:	16509
ASN name:	AMAZON-02US
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

109.202.202.202

unknown

Switzerland

Details

IP:	109.202.202.202
TargetID:	-1
Country:	Switzerland
Countrycode:	CHE
ASN number:	13030
ASN name:	INIT7CH
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.43

unknown

United Kingdom

Details

IP:	91.189.91.43
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.42

unknown

United Kingdom

Details

IP:	91.189.91.42
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

55ac6da69000

page read and write

55ac6b0c7000

page read and write

7f887a309000

page read and write

7f88797d2000

page read and write

55ac6d0c5000

page execute and read and write

7f88797c4000

page read and write

55ac6d0dc000

page read and write

7f8774034000

page read and write

7f887a193000

page read and write

7f887a309000

page read and write

7f8879e48000

page read and write

7f8874021000

page read and write

55ac6ae90000

page execute read

7f887a2c4000

page read and write

7f8874000000

page read and write

7f8774034000

page read and write

7f8874000000

page read and write

7f8879a61000

page read and write

55ac6b0be000

page read and write

7ffc0c97c000

page execute read

7f8774024000

page execute read

7f887a2bc000

page read and write

55ac6b0be000

page read and write

7f8774037000

page read and write

55ac6d0dc000

page read and write

7f88797c4000

page read and write

55ac6da49000

page read and write

55ac6da69000

page read and write

55ac6b0c7000

page read and write

7f8874021000

page read and write

7f887a2c4000

page read and write

7f887a193000

page read and write

7f8878fc1000

page read and write

7f8879e48000

page read and write

7f887a2bc000

page read and write

7f8774024000

page execute read

55ac6d0c5000

page execute and read and write

7f8878fc1000

page read and write

7f8774037000

page read and write

7f8879a61000

page read and write

7ffc0c97c000

page execute read

7f88797d2000

page read and write

7f8879e23000

page read and write

7f8879e23000

page read and write

7ffc0c8eb000

page read and write

7ffc0c8eb000

page read and write

55ac6ae90000

page execute read

There are 37 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
XmztmwSit3.elf

Files

Processes

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportXmztmwSit3.elf

Files

Processes

Domains

IPs

Memdumps

IOC Report
XmztmwSit3.elf