Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

CITauQKjMd.elf

ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, stripped

initial sample

Details

Filetype:	ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, stripped
Entropy:	6.3486998617006485
Filename:	CITauQKjMd.elf
Filesize:	223036
MD5:	904754496395df70d83303ca7eb86b76
SHA1:	a0bdbaff3f3679172424350323573951f3511f26
SHA256:	088220b4f326bef3aee167befda0215905e73f9129d0c60a3086fccb019d0eb6
SHA512:	8690abac76d74dedec460f0ebecee95535b7735ca4e908e95b0caa7622d3f262fc79984cf51ad2d6ce9fcf9a1a963665d79050a909f2f0ecdb7fac75eb804b0a
SSDEEP:	6144:ZO4irQeuacWjcW0JcWcBMr+KS128Tc7T4OdDQn8:ZXWOAJ8
Preview:	.ELF.......................D...4..e......4. ...(......................_..._....... ......._...............k....... .dt.Q............................NV..a....da.....N^NuNV..J9...pf>"y.... QJ.g.X.#.....N."y.... QJ.f.A.....J.g.Hy....N.X........pN^NuNV..N^NuN

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Opens /proc/net/* files useful for finding connected devices and routers	Spreading	Remote System Discovery
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
Yara signature match	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
URLs found in memory or binary data	Networking

/tmp/qemu-open.IZmX2b (deleted)

ASCII text

dropped

Details

File:	/tmp/qemu-open.IZmX2b (deleted)
Category:	dropped
Dump:	qemu-open.IZmX2b (deleted).12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/CITauQKjMd.elf
Type:	ASCII text
Entropy:	3.709552666863289
Encrypted:	false
Ssdeep:	6:iekrEcvwAsE5KlwSd4pzKaV6Lpms/a/1VCxGF:ur+m5MwSdIKaV6L1adVRF
Size:	230
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

/tmp/CITauQKjMd.elf

URLs

Name

Malicious

193.35.18.127:19286

Details

Name:	193.35.18.127:19286
TargetID:	0
From Memory:	false
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

http://www.majestic12.co.uk/bot.php?

unknown

http://majestic12.co.uk/bot.php?

unknown

http://wortschatz.uni-leipzig.de/findlinks/)

unknown

http://code.google.com/appengine;

unknown

http://www.brandwatch.net)

unknown

http://www.mojeek.com/bot.html)

unknown

Domains

Name

Malicious

daisy.ubuntu.com

162.213.35.24

Details

Name:	daisy.ubuntu.com
IP:	162.213.35.24
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

193.35.18.127

unknown

Germany

Details

IP:	193.35.18.127
TargetID:	-1
Country:	Germany
Countrycode:	DEU
ASN number:	41865
ASN name:	BIALLNET-ASPL
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Connects to many ports of the same IP (likely port scanning)	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7f4548037000

page execute read

7f4548037000

page execute read

557327a36000

page execute and read and write

7ffcd757b000

page execute read

7f45cffd6000

page read and write

7f45d09a5000

page read and write

557325a30000

page read and write

557325a38000

page read and write

7f45cffe4000

page read and write

7f45d0635000

page read and write

7f45d0ace000

page read and write

7f45cf7d3000

page read and write

7f45d0b1b000

page read and write

7f45d0b1b000

page read and write

7f45cf7d3000

page read and write

7f45d065a000

page read and write

7f45c8000000

page read and write

5573257fe000

page execute read

557329190000

page read and write

7f45d0ace000

page read and write

7f45c8021000

page read and write

7f45d0635000

page read and write

5573257fe000

page execute read

557325a30000

page read and write

7f45d0ad6000

page read and write

557325a38000

page read and write

7f45d0ad6000

page read and write

7f45cffe4000

page read and write

7f4548040000

page read and write

7f45d065a000

page read and write

7ffcd7567000

page read and write

557327a36000

page execute and read and write

7f45cffd6000

page read and write

7f4548040000

page read and write

7ffcd7567000

page read and write

7f45d0273000

page read and write

7f45c8000000

page read and write

557327acd000

page read and write

557327acd000

page read and write

7f45d09a5000

page read and write

7f45c8021000

page read and write

7ffcd757b000

page execute read

557329190000

page read and write

7f45d0273000

page read and write

7f454803a000

page read and write

7f454803a000

page read and write

There are 36 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
CITauQKjMd.elf

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportCITauQKjMd.elf

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
CITauQKjMd.elf