Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

EOtMo9xTFK.elf

ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, stripped

initial sample

Details

Filetype:	ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, stripped
Entropy:	6.259526425575277
Filename:	EOtMo9xTFK.elf
Filesize:	93144
MD5:	6c3a700a58d2e98fc03e53ce0eef9e38
SHA1:	48bd6184c08d72c98d89fd5f077194e6c25bb7da
SHA256:	f79aeac6047bf28872231a7c92c0e6bdb5648fca032a4485d6370625e021a646
SHA512:	72b61e21bf16b157c06e3442534d4a0e13af1953d09aad16e93f3aa91768566ad395282d4b8d243f2e38f2086c729779c3aff11103c84dbe60fa5f40dfabda4b
SSDEEP:	1536:LdWTHUOl+6GpBrLti0w8MyoQkIGmCSdc14T7/KNe8bUzhksCOnl2SV:LdWTN7GvrLti0KyoQkFSe1G6bUzCsCOT
Preview:	.ELF.......................D...4..jH.....4. ...(......................e...e....... .......e............0..%....... .dt.Q............................NV..a....da...=.N^NuNV..J9....f>"y.... QJ.g.X.#.....N."y.... QJ.f.A.....J.g.Hy..e.N.X.........N^NuNV..N^NuN

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Sample deletes itself	Hooking and other Techniques for Hiding and Protection	File Deletion
Enumerates processes within the "proc" file system	Persistence and Installation Behavior	OS Credential Dumping
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample tries to kill a process (SIGKILL)	System Summary
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
Yara signature match	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion

/tmp/qemu-open.sQEKTP (deleted)

data

dropped

Details

File:	/tmp/qemu-open.sQEKTP (deleted)
Category:	dropped
Dump:	qemu-open.sQEKTP (deleted).12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/EOtMo9xTFK.elf
Type:	data
Entropy:	4.481727678869737
Encrypted:	false
Ssdeep:	3:Tgix4s+HJN:TgixkJN
Size:	30
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

/tmp/EOtMo9xTFK.elf

/usr/libexec/gnome-session-binary

/bin/sh

/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-rfkill

/usr/libexec/gsd-rfkill

/usr/lib/systemd/systemd

/lib/systemd/systemd-hostnamed

Domains

Name

Malicious

kovey.mezo-api.xyz

45.131.111.219

Details

Name:	kovey.mezo-api.xyz
IP:	45.131.111.219
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Performs DNS queries to domains with low reputation	Networking
Queries the IP of a very long domain name	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

kovey.mezo-api.xyz.b> f:66a0PV!E(R:[5Yb> fc<OOPV!a0EA

unknown

kovey.mezo-api.xyz.b> f66a0PV!E(e:H5PYb> fNNPV!a0E@

unknown

kovey.mezo-api.xyz.b> f66a0PV!E(95Yb> fOOPV!a0EA

unknown

kovey.mezo-api.xyz.b> f66a0PV!E(-:5hYb> fOOPV!a0EA

unknown

kovey.mezo-api.xyz.b> fp66a0PV!E(:5I%Yb> frOOPV!a0EA

unknown

IPs

Domain

Country

Malicious

45.131.111.219

kovey.mezo-api.xyz

Germany

Details

IP:	45.131.111.219
TargetID:	-1
Country:	Germany
Countrycode:	DEU
ASN number:	398373
ASN name:	SERVERDESTROYERSUS
Private:	false
Domain:	kovey.mezo-api.xyz

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

89.190.156.145

unknown

United Kingdom

Details

IP:	89.190.156.145
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	7489
ASN name:	HOSTUS-GLOBAL-ASHostUSHK
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7f1100018000

page execute read

7f1187545000

page read and write

55fa241a6000

page read and write

7f1186a0e000

page read and write

55fa21bda000

page read and write

7ffee87fc000

page read and write

7f1180000000

page read and write

7f1186c9d000

page read and write

7ffee8800000

page execute read

7f1187500000

page read and write

7f11873cf000

page read and write

7f11861fd000

page read and write

7f1187084000

page read and write

7f110001d000

page read and write

7f1180021000

page read and write

7f1186a00000

page read and write

7f110001a000

page read and write

7f11874f8000

page read and write

55fa23be0000

page execute and read and write

55fa21be2000

page read and write

55fa219a8000

page execute read

7f118705f000

page read and write

55fa23c77000

page read and write

There are 13 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
EOtMo9xTFK.elf

Files

Processes

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportEOtMo9xTFK.elf

Files

Processes

Domains

IPs

Memdumps

IOC Report
EOtMo9xTFK.elf