Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

BN34UR6QlT.elf

ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped

initial sample

Details

Filetype:	ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
Entropy:	6.83508423390557
Filename:	BN34UR6QlT.elf
Filesize:	67072
MD5:	66ef61ae742d72b4a385e16e95b078c5
SHA1:	a0d83934a8cbf59724508aee78f9f380e8ea8118
SHA256:	75600ccfde87375df9385bfc70f8153b9926b702446e616076518a6a21037b8d
SHA512:	445fe4f3469b9c85fd6cbc79f6e9cef4f60c242e3783662a709b4f537c9403a486c9c060b4b34fef01858a429d5d9b23054b9b46297869b1714778c077ad7686
SSDEEP:	1536:NatwtVAbFF/lAKuLVGpiKh5knZmU6iCXIvGaPASiC:Nqhbn/ltYVGbhamU6id+QJ
Preview:	.ELF.....................@.4...p.......4. ...(...............@...@...........................A...A.0....&..........Q.td............................././"O.n........#.@........#.*@l....o&O.n...l..............................././.../.a"O.!...n...a.b("...q.

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Sample deletes itself	Hooking and other Techniques for Hiding and Protection	File Deletion
Enumerates processes within the "proc" file system	Persistence and Installation Behavior	OS Credential Dumping
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample tries to kill a process (SIGKILL)	System Summary
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion

/tmp/qemu-open.rpL8fx (deleted)

data

dropped

Details

File:	/tmp/qemu-open.rpL8fx (deleted)
Category:	dropped
Dump:	qemu-open.rpL8fx (deleted).12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/BN34UR6QlT.elf
Type:	data
Entropy:	4.456564762130954
Encrypted:	false
Ssdeep:	3:Tgr4w5L8HJN:TgkCaJN
Size:	30
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

/tmp/BN34UR6QlT.elf

/usr/libexec/gnome-session-binary

/bin/sh

/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-rfkill

/usr/libexec/gsd-rfkill

/usr/lib/systemd/systemd

/lib/systemd/systemd-hostnamed

Domains

Name

Malicious

cnc.voidnet.click

94.156.79.77

Details

Name:	cnc.voidnet.click
IP:	94.156.79.77
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Queries the IP of a very long domain name	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

cnc.voidnet.click.'f66a0PV!E(ju55_v'fNNPV!a0E@-

unknown

cnc.voidnet.click.'f66a0PV!E(9;5^"'fNNPV!a0E@-

unknown

cnc.voidnet.click.'f66a0PV!E(j5SSX'fNNPV!a0E@-

unknown

cnc.voidnet.click.'f<566a0PV!E(:15<'f6NNPV!a0E@-

unknown

cnc.voidnet.click.'fu66a0PV!E(:+5q'fvJJPV!a0E<

unknown

IPs

Domain

Country

Malicious

94.156.79.77

cnc.voidnet.click

Bulgaria

Details

IP:	94.156.79.77
TargetID:	-1
Country:	Bulgaria
Countrycode:	BGR
ASN number:	43561
ASN name:	NET1-ASBG
Private:	false
Domain:	cnc.voidnet.click

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

89.190.156.145

unknown

United Kingdom

Details

IP:	89.190.156.145
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	7489
ASN name:	HOSTUS-GLOBAL-ASHostUSHK
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

55bc27076000

page read and write

7fff9edf3000

page execute read

7f14a44fa000

page read and write

7f14a4138000

page read and write

55bc2908b000

page read and write

7fff9edd9000

page read and write

55bc29074000

page execute and read and write

55bc2a188000

page read and write

7f14a3698000

page read and write

7f14a499b000

page read and write

7f14a451f000

page read and write

7f149c000000

page read and write

7f14a3e9b000

page read and write

7f14a49e0000

page read and write

7f14a3ea9000

page read and write

7f141c414000

page read and write

7f14a486a000

page read and write

7f149c021000

page read and write

7f14a4993000

page read and write

55bc26e58000

page execute read

7f141c410000

page execute read

55bc2706e000

page read and write

7f141c411000

page read and write

There are 13 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
BN34UR6QlT.elf

Files

Processes

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportBN34UR6QlT.elf

Files

Processes

Domains

IPs

Memdumps

IOC Report
BN34UR6QlT.elf