Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

aNeRrtorRm.elf

ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped

initial sample

Details

Filetype:	ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Entropy:	5.561543092580068
Filename:	aNeRrtorRm.elf
Filesize:	110248
MD5:	69093cf8ce568e871aa1f0f470f01ea9
SHA1:	848c9ea208bb50c986c6340342fb08cc0176ba17
SHA256:	8cb30ba3d4e41fff1d38b6795c38c95411bbc09a9ceaf8ccba0bdc271406b4e1
SHA512:	1d3a3ac6b8ccc719763c2e3373ff3435470a136ea18932f7eed7cb2906b7ce17a028f4c944c0c487440125c186791c9031c9676ce7e1308cf4f82816df6c7c25
SSDEEP:	1536:HAXJZtGTIE6xOGydThWA4sojYsztmovggQMqueuZG15SdR7opm7zUb+nKmxSiu:HqJ7GTIE6xIuglueufoupnKmG
Preview:	.ELF....................`.@.4...x.......4. ...(...............@...@...........................E...E.....L0..........Q.td...............................<.%.'!......'.......................<.%.'!... .........9'.. ........................<.%.'!...$.......ps9

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Sample deletes itself	Hooking and other Techniques for Hiding and Protection	File Deletion
Enumerates processes within the "proc" file system	Persistence and Installation Behavior	OS Credential Dumping
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample tries to kill a process (SIGKILL)	System Summary
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion
Yara signature match	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery

/tmp/qemu-open.wR9ZYW (deleted)

data

dropped

Details

File:	/tmp/qemu-open.wR9ZYW (deleted)
Category:	dropped
Dump:	qemu-open.wR9ZYW (deleted).12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/aNeRrtorRm.elf
Type:	data
Entropy:	4.098068512058838
Encrypted:	false
Ssdeep:	3:TgCARvLA4HJN:TgCAJFJN
Size:	30
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

/tmp/aNeRrtorRm.elf

/usr/libexec/gnome-session-binary

/bin/sh

/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-rfkill

/usr/libexec/gsd-rfkill

/usr/lib/systemd/systemd

/lib/systemd/systemd-hostnamed

Domains

Name

Malicious

kovey.mezo-api.xyz

45.131.111.219

Details

Name:	kovey.mezo-api.xyz
IP:	45.131.111.219
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Performs DNS queries to domains with low reputation	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

45.131.111.219

kovey.mezo-api.xyz

Germany

Details

IP:	45.131.111.219
TargetID:	-1
Country:	Germany
Countrycode:	DEU
ASN number:	398373
ASN name:	SERVERDESTROYERSUS
Private:	false
Domain:	kovey.mezo-api.xyz

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

89.190.156.145

unknown

United Kingdom

Details

IP:	89.190.156.145
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	7489
ASN name:	HOSTUS-GLOBAL-ASHostUSHK
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

109.202.202.202

unknown

Switzerland

Details

IP:	109.202.202.202
TargetID:	-1
Country:	Switzerland
Countrycode:	CHE
ASN number:	13030
ASN name:	INIT7CH
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.43

unknown

United Kingdom

Details

IP:	91.189.91.43
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.42

unknown

United Kingdom

Details

IP:	91.189.91.42
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7f60b841a000

page execute read

55d20d193000

page read and write

55d20cf0b000

page execute read

7f6138021000

page read and write

7f613e0d4000

page read and write

7f613e087000

page read and write

7f613d3ad000

page read and write

7ffff41d3000

page execute read

55d20d19d000

page read and write

7f60b845e000

page read and write

7f613da0c000

page read and write

7f6138000000

page read and write

55d20f1b2000

page read and write

7f613e08f000

page read and write

7f613cba5000

page read and write

7f613dd7d000

page read and write

7f613da4c000

page read and write

7f613d3bb000

page read and write

55d20f19b000

page execute and read and write

55d21036d000

page read and write

7f60b845b000

page read and write

7ffff41c9000

page read and write

7f613da2f000

page read and write

7f613d66b000

page read and write

7f613df5e000

page read and write

There are 15 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
aNeRrtorRm.elf

Files

Processes

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportaNeRrtorRm.elf

Files

Processes

Domains

IPs

Memdumps

IOC Report
aNeRrtorRm.elf