Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

XIbeqhmmQI.elf

ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, not stripped

initial sample

Details

Filetype:	ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, not stripped
Entropy:	6.200231493529127
Filename:	XIbeqhmmQI.elf
Filesize:	124657
MD5:	b3082b54883b4590a4e701bf979d56e7
SHA1:	b429250cfbb2ac989513d70413d8ce5a5104d464
SHA256:	92a2f830bae3bd28bf3374314b2e4f0162d82bd4f14cbc1c54d4a19117d2a45d
SHA512:	c0b3004b7fe4ff243432f7b01f419ec9c4d200b7066715cb1f4882346ad4fb1eaa5ab341ee6c61a51d5b7467347f0e00cfa15a92cd176f35a7527d724f2a9ca7
SSDEEP:	3072:xlCqq1QekacWVcW0JcWcB1m1Huw39oVObUF8fYEXR8eJgVaWmBWnw+cHMOc:xw1QekacWVcW0JcWcBmHx3CV5F8fRXRW
Preview:	.ELF.......................D...4...<.....4. ...(......................\|...\|....... .......\|...............m\...... .dt.Q............................NV..a....da...-.N^NuNV..J9....f>"y...8 QJ.g.X.#....8N."y...8 QJ.f.A.....J.g.Hy....N.X.........N^NuNV..N^NuN

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Opens /proc/net/* files useful for finding connected devices and routers	Spreading	Remote System Discovery
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
Yara signature match	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion

/tmp/qemu-open.VmV1rV (deleted)

ASCII text

dropped

Details

File:	/tmp/qemu-open.VmV1rV (deleted)
Category:	dropped
Dump:	qemu-open.VmV1rV (deleted).12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/XIbeqhmmQI.elf
Type:	ASCII text
Entropy:	3.709552666863289
Encrypted:	false
Ssdeep:	6:iekrEcvwAsE5KlwSd4pzKaV6Lpms/a/1VCxGF:ur+m5MwSdIKaV6L1adVRF
Size:	230
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

/tmp/XIbeqhmmQI.elf

URLs

Name

Malicious

193.35.18.56:65490

Details

Name:	193.35.18.56:65490
TargetID:	0
From Memory:	false
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

IPs

Domain

Country

Malicious

193.35.18.56

unknown

Germany

Details

IP:	193.35.18.56
TargetID:	-1
Country:	Germany
Countrycode:	DEU
ASN number:	41865
ASN name:	BIALLNET-ASPL
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Connects to many ports of the same IP (likely port scanning)	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

109.202.202.202

unknown

Switzerland

Details

IP:	109.202.202.202
TargetID:	-1
Country:	Switzerland
Countrycode:	CHE
ASN number:	13030
ASN name:	INIT7CH
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.43

unknown

United Kingdom

Details

IP:	91.189.91.43
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.42

unknown

United Kingdom

Details

IP:	91.189.91.42
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7fba18019000

page execute read

7fba18019000

page execute read

7fba98021000

page read and write

7fba9f3e2000

page read and write

7fba9f3f0000

page read and write

7fba9fee2000

page read and write

7fff954b5000

page read and write

7fba9ff27000

page read and write

7fba98000000

page read and write

7fba9fa41000

page read and write

7fba9fa66000

page read and write

7fba9feda000

page read and write

7fba9fdb1000

page read and write

55ad07cd3000

page read and write

55ad05a04000

page execute read

7fba1801c000

page read and write

55ad05c36000

page read and write

7fba9f67f000

page read and write

55ad07cd3000

page read and write

7fba9f3f0000

page read and write

7fba9f67f000

page read and write

7fba18022000

page read and write

55ad07c3c000

page execute and read and write

55ad095e2000

page read and write

7fba9fa66000

page read and write

7fba9fdb1000

page read and write

7fba18022000

page read and write

7fba9feda000

page read and write

7fba9f3e2000

page read and write

7fba1801c000

page read and write

55ad05c3e000

page read and write

7fba98000000

page read and write

55ad07c3c000

page execute and read and write

7fba9fa41000

page read and write

7fff955f9000

page execute read

7fba9fee2000

page read and write

7fba9ebdf000

page read and write

55ad05c3e000

page read and write

7fff954b5000

page read and write

55ad05c36000

page read and write

55ad095e2000

page read and write

7fba9ebdf000

page read and write

7fff955f9000

page execute read

7fba9ff27000

page read and write

55ad05a04000

page execute read

7fba98021000

page read and write

There are 36 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
XIbeqhmmQI.elf

Files

Processes

URLs

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportXIbeqhmmQI.elf

Files

Processes

URLs

IPs

Memdumps

IOC Report
XIbeqhmmQI.elf