Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

YLjhvMJyOO.elf

ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped

initial sample

Details

Filetype:	ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
Entropy:	6.074528867235396
Filename:	YLjhvMJyOO.elf
Filesize:	60352
MD5:	28b05f9283819c954ddaadd1105f7dab
SHA1:	f3ebcecb0ada3ff4ea311aae953e56fdac485683
SHA256:	14b09fb51305b056b24300482dcca479ac19f36d6a5a519ba994c0ec692822d3
SHA512:	bf495d228720e3c0f517a4b5a434c54000b6b1eb2ebb21945564c10e44b3a23294e406c6a27923d9fa84352c9de9583752de744d561da72c836f5063a6aae8ec
SSDEEP:	1536:W0KxqIhS6sggMUJzkIAiF8EsITRPZkxa:W0KxqI5XLk82TR68
Preview:	.ELF...a..........(.........4...0.......4. ...(.....................<...<...............@...@...@.......x%..........Q.td..................................-...L."....0..........0@-.\P...0....S.0...P@...0... ....R......0...0...........0... ....R..... 0....S

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Sample deletes itself	Hooking and other Techniques for Hiding and Protection	File Deletion
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion
Yara signature match	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery

/tmp/qemu-open.nrn8tC (deleted)

data

dropped

Details

File:	/tmp/qemu-open.nrn8tC (deleted)
Category:	dropped
Dump:	qemu-open.nrn8tC (deleted).12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/YLjhvMJyOO.elf
Type:	data
Entropy:	4.415061012203069
Encrypted:	false
Ssdeep:	3:Tg5Eq1NR8HJN:TgaqfkJN
Size:	30
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

/tmp/YLjhvMJyOO.elf

Domains

Name

Malicious

kovey.mezo-api.xyz

45.131.111.219

kovey.mezo-api.xyz.= fvK66a1PV!E(%:5;= fMOOPV!a1EAP@@x

unknown

kovey.mezo-api.xyz.= f66a1PV!E(j5`V= fOOPV!a1EAc@@x

unknown

kovey.mezo-api.xyz.= ftc66a1PV!E(:5P= feOOPV!a1EA@@t

unknown

kovey.mezo-api.xyz.= fk66a1PV!E(:,5 = fJJJPV!a1E<=@@h

unknown

kovey.mezo-api.xyz.= f66a1PV!E(:#5I= fOOPV!a1EAe@@x

unknown

kovey.mezo-api.xyz.= fR66a1PV!E(|:1I5OL= fJJPV!a1E<Z@@5L

unknown

kovey.mezo-api.xyz.= fG/66a1PV!E(`mj5$= f1OOPV!a1EA@@t

unknown

kovey.mezo-api.xyz.= f66a1PV!E(je5!{= fNOOPV!a1EA*@@t

unknown

kovey.mezo-api.xyz.= f66a1PV!E(j~5uG= fOOPV!a1EA;@@x

unknown

kovey.mezo-api.xyz.= f66a1PV!E(x:5;= fOOPV!a1EA@@t

unknown

There are 1 hidden domains, click here to show them.

IPs

Domain

Country

Malicious

45.131.111.219

kovey.mezo-api.xyz

Germany

Details

IP:	45.131.111.219
TargetID:	-1
Country:	Germany
Countrycode:	DEU
ASN number:	398373
ASN name:	SERVERDESTROYERSUS
Private:	false
Domain:	kovey.mezo-api.xyz

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

Memdumps

Base Address

Regiontype

Protect

Malicious

7fad58026000

page execute read

55bd22a3c000

page execute read

7ffe359a4000

page read and write

7fad58031000

page read and write

7fae5e77e000

page read and write

7fad5802e000

page read and write

7fae5f29d000

page read and write

7fae5eeda000

page read and write

7fae5e6ec000

page read and write

7fae5ed4b000

page read and write

7fae57fff000

page read and write

7fae5f42f000

page read and write

55bd22c8d000

page read and write

55bd22c96000

page read and write

7ffe359be000

page execute read

7fae5dee4000

page read and write

55bd24cab000

page read and write

7fae58021000

page read and write

7fae5f0bc000

page read and write

7fae5eae0000

page read and write

55bd250a0000

page read and write

7fae5f3c6000

page read and write

7fae5ed6e000

page read and write

7fae5f3ea000

page read and write

55bd24c94000

page execute and read and write

There are 15 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
YLjhvMJyOO.elf

Files

Processes

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportYLjhvMJyOO.elf

Files

Processes

Domains

IPs

Memdumps

IOC Report
YLjhvMJyOO.elf