Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Trhc0oj3L5.elf

ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, stripped

initial sample

Details

Filetype:	ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, stripped
Entropy:	6.011219863203505
Filename:	Trhc0oj3L5.elf
Filesize:	91716
MD5:	ce22ca3990271926f6c74c1402d45a17
SHA1:	c673a79ded420df2738001bdd9957d562dfc6bf6
SHA256:	b5c23c8c3ff16addf37d54d3fab67ab3e1f06bb3987ff5a49b27e7a631f1de58
SHA512:	efeda7f4d7864674e70c9802bc9b2db0bad0bb13f882972223296e95a59941886e61c03fd0040637fd0a0655bf6411cd0b4f8c776f3a4c409d490321f7845802
SSDEEP:	1536:vUaSo7kKDcfW5JtmKMLpQ7mpn/oj1UtczNk5Pc4REmZ6tO5ciMF:8zOo4dMNPn/izNU0IBGF
Preview:	.ELF...........................4..d......4. ...(......................Z...Z...............`...`...`....H..&(........dt.Q................................@..(....@.JM................#.....`H..`.....!..... $..@.....".........`......$ $.. $..@...........`....

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Sample deletes itself	Hooking and other Techniques for Hiding and Protection	File Deletion
Enumerates processes within the "proc" file system	Persistence and Installation Behavior	OS Credential Dumping
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample tries to kill a process (SIGKILL)	System Summary
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion
Yara signature match	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery

/tmp/qemu-open.QrfOZw (deleted)

data

dropped

Details

File:	/tmp/qemu-open.QrfOZw (deleted)
Category:	dropped
Dump:	qemu-open.QrfOZw (deleted).12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/Trhc0oj3L5.elf
Type:	data
Entropy:	4.415061012203069
Encrypted:	false
Ssdeep:	3:TgrGgmVR8HJN:TgSgmyJN
Size:	30
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

/tmp/Trhc0oj3L5.elf

/usr/libexec/gnome-session-binary

/bin/sh

/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-rfkill

/usr/libexec/gsd-rfkill

/usr/lib/systemd/systemd

/lib/systemd/systemd-hostnamed

Domains

Name

Malicious

kovey.mezo-api.xyz

45.131.111.219

Details

Name:	kovey.mezo-api.xyz
IP:	45.131.111.219
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Performs DNS queries to domains with low reputation	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

45.131.111.219

kovey.mezo-api.xyz

Germany

Details

IP:	45.131.111.219
TargetID:	-1
Country:	Germany
Countrycode:	DEU
ASN number:	398373
ASN name:	SERVERDESTROYERSUS
Private:	false
Domain:	kovey.mezo-api.xyz

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

89.190.156.145

unknown

United Kingdom

Details

IP:	89.190.156.145
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	7489
ASN name:	HOSTUS-GLOBAL-ASHostUSHK
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7f7498027000

page execute read

7f75a00c9000

page read and write

7f759fa53000

page read and write

7ffe8cf9d000

page read and write

7f75a053d000

page read and write

55a9b96fd000

page read and write

7f759fce2000

page read and write

7f759fa45000

page read and write

55a9bb6fb000

page execute and read and write

7f7498038000

page read and write

7f75a0545000

page read and write

55a9bb712000

page read and write

55a9b96f4000

page read and write

7f759f242000

page read and write

7f7598021000

page read and write

7f75a00a4000

page read and write

7f75a058a000

page read and write

55a9bd14c000

page read and write

55a9b94c6000

page execute read

7f749803b000

page read and write

7ffe8cfe5000

page execute read

7f75a0414000

page read and write

7f7598000000

page read and write

There are 13 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Trhc0oj3L5.elf

Files

Processes

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportTrhc0oj3L5.elf

Files

Processes

Domains

IPs

Memdumps

IOC Report
Trhc0oj3L5.elf