Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Q3nsFVfbem.elf

ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, not stripped

initial sample

Details

Filetype:	ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, not stripped
Entropy:	6.15677285645062
Filename:	Q3nsFVfbem.elf
Filesize:	266847
MD5:	2ec6d7db26f0423bffa52f289d3a75f7
SHA1:	ea750b61363c6e9fa0befc3b1933f2f0d1a17e26
SHA256:	25bdaf5c1d6720d6e7e399f7ade6037ee0cc43b5756798e02b94417c5fd78e27
SHA512:	29cecf68429f2ec128c23d9c23a24f5070109496024e9863d74f6dde149a42184f4ad0b2a485b72cb7ebd403310c5c610191c8fa1df8f7638531c5bf7102a326
SSDEEP:	6144:rjFjqaN4ccxKYrONaT/7X5F5N5F5bXdahQ5mWwA9Ub4:rjFjvN46YrONAPP7ZXdZmWwA9Ub4
Preview:	.ELF...........................4.........4. ...(.......................................................\|..x................H...H...H................dt.Q................................@..(....@.q.................#..i..c...`.....!..h.."\..@.....".........`

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Opens /proc/net/* files useful for finding connected devices and routers	Spreading	Remote System Discovery
Sample and/or dropped files contains symbols with suspicious names	System Summary	Masquerading
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion
Yara signature match	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
URLs found in memory or binary data	Networking

/tmp/qemu-open.bPfbt9 (deleted)

ASCII text

dropped

Details

File:	/tmp/qemu-open.bPfbt9 (deleted)
Category:	dropped
Dump:	qemu-open.bPfbt9 (deleted).12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/Q3nsFVfbem.elf
Type:	ASCII text
Entropy:	3.709552666863289
Encrypted:	false
Ssdeep:	6:iekrEcvwAsE5KlwSd4pzKaV6Lpms/a/1VCxGF:ur+m5MwSdIKaV6L1adVRF
Size:	230
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

/tmp/Q3nsFVfbem.elf

URLs

Name

Malicious

193.35.18.127:19286

Details

Name:	193.35.18.127:19286
TargetID:	0
From Memory:	false
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

http://www.majestic12.co.uk/bot.php?

unknown

http://majestic12.co.uk/bot.php?

unknown

http://wortschatz.uni-leipzig.de/findlinks/)

unknown

http://code.google.com/appengine;

unknown

http://www.brandwatch.net)

unknown

http://www.mojeek.com/bot.html)

unknown

Domains

Name

Malicious

daisy.ubuntu.com

162.213.35.25

Details

Name:	daisy.ubuntu.com
IP:	162.213.35.25
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

193.35.18.127

unknown

Germany

Details

IP:	193.35.18.127
TargetID:	-1
Country:	Germany
Countrycode:	DEU
ASN number:	41865
ASN name:	BIALLNET-ASPL
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Connects to many ports of the same IP (likely port scanning)	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7f4e8004a000

page execute read

7f4e8004a000

page execute read

7f4f88795000

page read and write

56446bc17000

page execute and read and write

7f4f88a24000

page read and write

7f4e8005c000

page read and write

564469c19000

page read and write

564469c10000

page read and write

7f4f892cc000

page read and write

564469c19000

page read and write

5644699e2000

page execute read

7f4f88e0b000

page read and write

7f4f88de6000

page read and write

7f4f80000000

page read and write

5644699e2000

page execute read

56446d77f000

page read and write

7f4f87f84000

page read and write

7f4f89156000

page read and write

7fff10f56000

page read and write

7f4f88787000

page read and write

7f4f89287000

page read and write

7f4f892cc000

page read and write

7fff10fb9000

page execute read

7fff10fb9000

page execute read

56446d77f000

page read and write

7f4e80064000

page read and write

56446bc2e000

page read and write

7f4e8005c000

page read and write

7f4f88e0b000

page read and write

564469c10000

page read and write

7f4f88de6000

page read and write

7f4f8927f000

page read and write

7f4f88795000

page read and write

7f4f80021000

page read and write

7f4f8927f000

page read and write

7f4f88a24000

page read and write

7f4e80064000

page read and write

56446bc2e000

page read and write

7f4f80021000

page read and write

7f4f89287000

page read and write

7fff10f56000

page read and write

7f4f89156000

page read and write

7f4f80000000

page read and write

56446bc17000

page execute and read and write

7f4f87f84000

page read and write

7f4f88787000

page read and write

There are 36 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Q3nsFVfbem.elf

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportQ3nsFVfbem.elf

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
Q3nsFVfbem.elf