Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Tb0uDdOwyO.elf

ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped

initial sample

Details

Filetype:	ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Entropy:	5.447339529745386
Filename:	Tb0uDdOwyO.elf
Filesize:	101476
MD5:	3e187e6674b0013cefa5b0aee409be68
SHA1:	3789e604f3eb3c3e2fda15ccfab2001d7eed8bf6
SHA256:	4e3ea3385ea84d2ad76cb34eb7188aff681a5a2513b3922f12846dc4d4ba2495
SHA512:	374192d379d1ba43b15e4f59727765e5f670a9e17ad4f8e27824511ca24e6092cc072d4580b746922ba6b2a0bc2e41b7b202aec20b319f8e7902b149ab41ca1d
SSDEEP:	1536:0CTVNyBTWIuKXty/7Ly43jSZdYq21RFGFgOUAqwKZqlzMHLZTJ3627VukOSis:00VNyBj+P1XGFNYwKHjNuk5
Preview:	.ELF....................`.@.4...4.......4. ...(...............@...@. z.. z....................E...E..... ,..........Q.td...............................<...'!......'.......................<...'!... .........9'.. ........................<...'!........... ]9

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Sample deletes itself	Hooking and other Techniques for Hiding and Protection	File Deletion
Enumerates processes within the "proc" file system	Persistence and Installation Behavior	OS Credential Dumping
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample tries to kill a process (SIGKILL)	System Summary
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery

/tmp/qemu-open.BMIFQP (deleted)

data

dropped

Details

File:	/tmp/qemu-open.BMIFQP (deleted)
Category:	dropped
Dump:	qemu-open.BMIFQP (deleted).12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/Tb0uDdOwyO.elf
Type:	data
Entropy:	4.306890595608519
Encrypted:	false
Ssdeep:	3:TgsAR8HJN:TgsAkJN
Size:	30
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

/tmp/Tb0uDdOwyO.elf

/usr/libexec/gnome-session-binary

/bin/sh

/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-rfkill

/usr/libexec/gsd-rfkill

/usr/lib/systemd/systemd

/lib/systemd/systemd-hostnamed

Domains

Name

Malicious

cnc.voidnet.click

94.156.79.77

Details

Name:	cnc.voidnet.click
IP:	94.156.79.77
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

94.156.79.77

cnc.voidnet.click

Bulgaria

Details

IP:	94.156.79.77
TargetID:	-1
Country:	Bulgaria
Countrycode:	BGR
ASN number:	43561
ASN name:	NET1-ASBG
Private:	false
Domain:	cnc.voidnet.click

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

89.190.156.145

unknown

United Kingdom

Details

IP:	89.190.156.145
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	7489
ASN name:	HOSTUS-GLOBAL-ASHostUSHK
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

55c7e9c3d000

page read and write

7f1cbc418000

page execute read

7f1d41728000

page read and write

55c7ed746000

page read and write

55c7e99b5000

page execute read

7ffe45dda000

page execute read

7f1d4023e000

page read and write

55c7ebc45000

page execute and read and write

7f1d41720000

page read and write

55c7ebc5c000

page read and write

7ffe45dc1000

page read and write

7f1d3c021000

page read and write

55c7e9c47000

page read and write

7f1cbc45c000

page read and write

7f1cbc459000

page read and write

7f1d3c000000

page read and write

7f1d415f7000

page read and write

7f1d40a46000

page read and write

7f1d410a5000

page read and write

7f1d4176d000

page read and write

7f1d410e5000

page read and write

7f1d40a54000

page read and write

7f1d40d04000

page read and write

7f1d410c8000

page read and write

7f1d41416000

page read and write

There are 15 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Tb0uDdOwyO.elf

Files

Processes

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportTb0uDdOwyO.elf

Files

Processes

Domains

IPs

Memdumps

IOC Report
Tb0uDdOwyO.elf