Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

2PyBVArH3t.elf

ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, not stripped

initial sample

Details

Filetype:	ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, not stripped
Entropy:	6.315471824077138
Filename:	2PyBVArH3t.elf
Filesize:	161069
MD5:	8716a897dbdecdbf9401812e9323ff95
SHA1:	1f5e3feb52b8072c522ff6c25bce835420e61fdf
SHA256:	aeb35c0279143719de052492fa1dd750b67e43353b20bbc61af498addaec943a
SHA512:	0a3eed72bb11afb453353f63c82c419d10b5a8954e2b42e03858a2b62b9291390e1303cbf67890a9b7ced9241ae964b41f921c827e7d3b0205416da4a46a8d1e
SSDEEP:	1536:NEpsna8p7lUHWt/wi4MHk7iQmLSxKBl4yBMNgwZ5hCHhTugEmJ/sSiFMh3n:NO0aGUH+Hk7W9LFNW5hCFufmRsSiSh3n
Preview:	.ELF...........................4.........4. ...(.......................p...p...............p...p...p......t.........................................dt.Q.............................!..\|......$H...H..-...$8!. \|...N.. .!..\|.......?.............../...@..`= .

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Opens /proc/net/* files useful for finding connected devices and routers	Spreading	Remote System Discovery
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
Yara signature match	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
URLs found in memory or binary data	Networking

/tmp/qemu-open.n0QV2N (deleted)

ASCII text

dropped

Details

File:	/tmp/qemu-open.n0QV2N (deleted)
Category:	dropped
Dump:	qemu-open.n0QV2N (deleted).12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/2PyBVArH3t.elf
Type:	ASCII text
Entropy:	3.709552666863289
Encrypted:	false
Ssdeep:	6:iekrEcvwAsE5KlwSd4pzKaV6Lpms/a/1VCxGF:ur+m5MwSdIKaV6L1adVRF
Size:	230
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

/tmp/2PyBVArH3t.elf

URLs

Name

Malicious

http://www.billybobbot.com/crawler/)

unknown

Details

Name:	http://www.billybobbot.com/crawler/)
TargetID:	12
From Memory:	true
Current Path:	/tmp/2PyBVArH3t.elf
Source:	2PyBVArH3t.elf

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection
URLs found in memory or binary data	Networking

93.123.85.170:26586

Details

Name:	93.123.85.170:26586
TargetID:	0
From Memory:	false
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

http://www.baidu.com/search/spider.html)

unknown

http://fast.no/support/crawler.asp)

unknown

http://feedback.redkolibri.com/

unknown

http://www.baidu.com/search/spider.htm)

unknown

IPs

Domain

Country

Malicious

93.123.85.170

unknown

Bulgaria

Details

IP:	93.123.85.170
TargetID:	-1
Country:	Bulgaria
Countrycode:	BGR
ASN number:	43561
ASN name:	NET1-ASBG
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

109.202.202.202

unknown

Switzerland

Details

IP:	109.202.202.202
TargetID:	-1
Country:	Switzerland
Countrycode:	CHE
ASN number:	13030
ASN name:	INIT7CH
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.43

unknown

United Kingdom

Details

IP:	91.189.91.43
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.42

unknown

United Kingdom

Details

IP:	91.189.91.42
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7fdb08022000

page execute read

7fdb08022000

page execute read

7fdbffca9000

page read and write

7fdbffca9000

page read and write

7fdbff8c2000

page read and write

7fff7175e000

page read and write

559cfd487000

page read and write

7fff717a1000

page execute read

7fdb0803a000

page read and write

559cfd204000

page execute read

7fdbf8021000

page read and write

7fdc00125000

page read and write

559cfd48f000

page read and write

7fdbff625000

page read and write

7fdbf8000000

page read and write

7fdbff625000

page read and write

7fdbff633000

page read and write

7fdbff633000

page read and write

7fdc0016a000

page read and write

7fdbffc84000

page read and write

7fdb08032000

page execute and read and write

7fff717a1000

page execute read

7fff7175e000

page read and write

7fdbf8000000

page read and write

559cfd487000

page read and write

559cff4a3000

page read and write

559cffde1000

page read and write

7fdc00125000

page read and write

7fdbf8021000

page read and write

7fdc0016a000

page read and write

7fdc0011d000

page read and write

559cff48d000

page execute and read and write

7fdb08032000

page execute and read and write

7fdb0803a000

page read and write

7fdbfee22000

page read and write

559cffde1000

page read and write

7fdbffff4000

page read and write

7fdb08039000

page execute and read and write

7fdc0011d000

page read and write

7fdbfee22000

page read and write

559cfd204000

page execute read

7fdbffff4000

page read and write

7fdbffc84000

page read and write

559cff48d000

page execute and read and write

7fdb08039000

page execute and read and write

559cfd48f000

page read and write

7fdbff8c2000

page read and write

559cff4a3000

page read and write

There are 38 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
2PyBVArH3t.elf

Files

Processes

URLs

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report2PyBVArH3t.elf

Files

Processes

URLs

IPs

Memdumps

IOC Report
2PyBVArH3t.elf