Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

hmDumpR4Ys.elf

ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, no section header

initial sample

Details

Filetype:	ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, no section header
Entropy:	7.908101450073808
Filename:	hmDumpR4Ys.elf
Filesize:	1441224
MD5:	301cc407abd6736140ae0df3c53aec64
SHA1:	e611be05f66ae77beb53328e98217f89af449096
SHA256:	e3aab908800cb4601bc4a87ac9ac48d816ced57cdb409b6e2468956cc50bdf04
SHA512:	35f2b4eb255ab59c0e26625c78a1797610272027bb0440cefa4f8290f8254760eff2104c959731b3cbc68c92f2668080490c98dd943c067580a140496ac2e360
SSDEEP:	24576:nAHgTVEYTG8g9dnGU3XNqW+E8C73G+xY3/My4c763Gheij87uptkuLpIXEfsxp:n2E5g9hbXUjHQ3G33Uy4+zj87rcpIXEq
Preview:	.ELF..............>.......U.....@...................@.8...@.......................@.......@....................... ......................7.......7..............................Q.td....................................................1..gUPX!8.......H.:.H.:

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Drops invisible ELF files	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Creates hidden files and/or directories	Persistence and Installation Behavior
ELF contains segments with high entropy indicating compressed/encrypted content	Hooking and other Techniques for Hiding and Protection	Obfuscated Files or Information
Reads the 'hosts' file potentially containing internal network hosts	Networking	File and Directory Discovery
Sample tries to set the executable flag	Persistence and Installation Behavior	File and Directory Permissions Modification
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
Writes ELF files to disk	Persistence and Installation Behavior
URLs found in memory or binary data	Networking

/tmp/.sys.rrcache.data

ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=dab48a037fb31fef87b543e0e0d4527fb63b9b7e, not stripped

dropped

Details

File:	/tmp/.sys.rrcache.data
Category:	dropped
Dump:	.sys.rrcache.data.13.dr
ID:	dr_0
Target ID:	13
Process:	/tmp/hmDumpR4Ys.elf
Type:	ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=dab48a037fb31fef87b543e0e0d4527fb63b9b7e, not stripped
Entropy:	2.4518598765872603
Encrypted:	false
Ssdeep:	96:RYEmvgNCBWBdby7q6oFo/dj3J/mq2EJvGJvxZjqdehuw7/3BQoBVW+iVxGxo:RIgNC8a7loFoFJ/VGVxXh3jvXFiD
Size:	15840
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Drops invisible ELF files	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Creates hidden files and/or directories	Persistence and Installation Behavior	Hidden Files and Directories
Sample tries to set the executable flag	Persistence and Installation Behavior	File and Directory Permissions Modification
Writes ELF files to disk	Persistence and Installation Behavior

Processes

Path

Cmdline

Malicious

/tmp/hmDumpR4Ys.elf

URLs

Name

Malicious

http://upx.sf.net

unknown

Details

Name:	http://upx.sf.net
TargetID:	12
From Memory:	true
Current Path:	/tmp/hmDumpR4Ys.elf
Source:	hmDumpR4Ys.elf
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Sample is packed with UPX	Data Obfuscation	Obfuscated Files or Information
URLs found in memory or binary data	Networking

http://www.openssl.org/support/faq.htmlRAND

unknown

http://www.openssl.org/support/faq.html

unknown

https://www.megtech.xyz/

unknown

Domains

Name

Malicious

www.megtech.xyz

15.197.130.221

Details

Name:	www.megtech.xyz
IP:	15.197.130.221
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Performs DNS queries to domains with low reputation	Networking
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

daisy.ubuntu.com

162.213.35.24

IPs

Domain

Country

Malicious

15.197.130.221

www.megtech.xyz

United States

Memdumps

Base Address

Regiontype

Protect

Malicious

7f6a3e396000