Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

NvmCe2XrqN.elf

ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped

initial sample

Details

Filetype:	ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Entropy:	5.533174540851358
Filename:	NvmCe2XrqN.elf
Filesize:	77448
MD5:	0da42df48a7be5bf214fecc9a1fbeb51
SHA1:	24c740cf9b659f260059090ff401c223936aaff4
SHA256:	1a839b2b4269727dbe79fdabab344b96396a03a94404ff9f94d40b8673db396e
SHA512:	648f795bb78d71731a1047beaa878c5636ebb93e7a559311e6fe1fe053051e2df7d11129a172289c2e02c9a3b65c7552fd1dfb26a3937d62d6635d09d932e27a
SSDEEP:	1536:eFtVcVjvV+Wz6TQSPMU3CLdLiO9nGFSBZgFWkeFWA4s:ecVjvV+WzeQSHCLdLiO9nGFSBZgFLA4s
Preview:	.ELF.....................@.`...4..,X.....4. ...(.............@...@...........................E...E.....0..0L........dt.Q............................<...'......!'.......................<...'......!... ....'9... ......................<...'......!........'9.

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Sample deletes itself	Hooking and other Techniques for Hiding and Protection
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion
Yara signature match	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery

/tmp/qemu-open.tn6Ngr (deleted)

data

dropped

Details

File:	/tmp/qemu-open.tn6Ngr (deleted)
Category:	dropped
Dump:	qemu-open.tn6Ngr (deleted).32.dr
ID:	dr_0
Target ID:	32
Process:	/tmp/NvmCe2XrqN.elf
Type:	data
Entropy:	4.189898095464287
Encrypted:	false
Ssdeep:	3:TgHiCxHJN:TgCUJN
Size:	30
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

/usr/bin/dash

/usr/bin/rm

rm -f /tmp/tmp.iJLtKB5QY8 /tmp/tmp.dt7IYfcmuf /tmp/tmp.sKYu2lEDt7

/usr/bin/dash

/usr/bin/cat

cat /tmp/tmp.iJLtKB5QY8

/usr/bin/dash

/usr/bin/head

head -n 10

/usr/bin/dash

/usr/bin/tr

tr -d \\000-\\011\\013\\014\\016-\\037

/usr/bin/dash

/usr/bin/cut

cut -c -80

/usr/bin/dash

/usr/bin/cat

cat /tmp/tmp.iJLtKB5QY8

/usr/bin/dash

/usr/bin/head

head -n 10

/usr/bin/dash

/usr/bin/tr

tr -d \\000-\\011\\013\\014\\016-\\037

/usr/bin/dash

/usr/bin/cut

cut -c -80

/usr/bin/dash

/usr/bin/rm

rm -f /tmp/tmp.iJLtKB5QY8 /tmp/tmp.dt7IYfcmuf /tmp/tmp.sKYu2lEDt7

/tmp/NvmCe2XrqN.elf

There are 12 hidden processes, click here to show them.

Domains

Name

Malicious

kovey.mezo-api.xyz

45.131.111.219

Details

Name:	kovey.mezo-api.xyz
IP:	45.131.111.219
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Performs DNS queries to domains with low reputation	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

45.131.111.219

kovey.mezo-api.xyz

Germany

Details

IP:	45.131.111.219
TargetID:	-1
Country:	Germany
Countrycode:	DEU
ASN number:	398373
ASN name:	SERVERDESTROYERSUS
Private:	false
Domain:	kovey.mezo-api.xyz

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

109.202.202.202

unknown

Switzerland

Details

IP:	109.202.202.202
TargetID:	-1
Country:	Switzerland
Countrycode:	CHE
ASN number:	13030
ASN name:	INIT7CH
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.43

unknown

United Kingdom

Details

IP:	91.189.91.43
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.42

unknown

United Kingdom

Details

IP:	91.189.91.42
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7f63fc412000

page execute read

7f6481e22000

page read and write

7f6480a69000

page read and write

559bb98ca000

page execute and read and write

7f648152f000

page read and write

7f64818d0000

page read and write

7f648127f000

page read and write

559bb78cc000

page read and write

7f6481271000

page read and write

7f63fc456000

page read and write

7f6481f53000

page read and write

559bb763a000

page execute read

559bb9e9a000

page read and write

7f63fc453000

page read and write

559bb98e1000

page read and write

7f6481910000

page read and write

7f6481c41000

page read and write

559bb78c2000

page read and write

7ffc1d729000

page read and write

7f6481f4b000

page read and write

7f647c000000

page read and write

7f64818f3000

page read and write

7f647c021000

page read and write

7ffc1d7a1000

page execute read

7f6481f98000

page read and write

There are 15 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
NvmCe2XrqN.elf

Files

Processes

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportNvmCe2XrqN.elf

Files

Processes

Domains

IPs

Memdumps

IOC Report
NvmCe2XrqN.elf