Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

mJ4CsuZhyr.elf

ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, with debug_info, not stripped

initial sample

Details

Filetype:	ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, with debug_info, not stripped
Entropy:	5.976534457405022
Filename:	mJ4CsuZhyr.elf
Filesize:	157306
MD5:	1d2f0ac632691ad9306d80d4ca255a68
SHA1:	e2d4891dcb940486b836134c2db0ecad2b5cd234
SHA256:	a93baabdfac2c9c92059075ff04c0d74da65c6f00b84f5e880792ecf9b71aac8
SHA512:	4df6d61f5cb207bdffad0fe10404de9eed92cc2345887d3253f56a6e971825234e6c526541e41695baef57ea48c8eb1f99b597079a9a319cc7f8d5196c2d071d
SSDEEP:	3072:30MUdehIVNTkaGGiuM1BB6+5rhW+cqLMa/mCGM/9zODF9z+:30MUMhWdkaGGiuM1D6gWdSMa/mrM/9GK
Preview:	.ELF..............(.........4...,.......4. ...(........p.n...........................................p...p...............p...p...p......L3...............p...p...p..................Q.td..................................-...L..................@-.,@...0....S

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Sample deletes itself	Hooking and other Techniques for Hiding and Protection	File Deletion
Enumerates processes within the "proc" file system	Persistence and Installation Behavior	OS Credential Dumping
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample and/or dropped files contains symbols with suspicious names	System Summary	Masquerading
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion

/tmp/qemu-open.eDFJ3P (deleted)

data

dropped

Details

File:	/tmp/qemu-open.eDFJ3P (deleted)
Category:	dropped
Dump:	qemu-open.eDFJ3P (deleted).12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/mJ4CsuZhyr.elf
Type:	data
Entropy:	4.32323142879762
Encrypted:	false
Ssdeep:	3:TgSzqObdHJN:TgSz7bFJN
Size:	30
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

/tmp/mJ4CsuZhyr.elf

Domains

Name

Malicious

cnc.voidnet.click

94.156.79.77

Details

Name:	cnc.voidnet.click
IP:	94.156.79.77
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Queries the IP of a very long domain name	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

cnc.voidnet.click.'f!p66a/PV!E(*:5we))'fpNNPV!a/E@7

unknown

cnc.voidnet.click.'f66a/PV!E(9O5?)'fZNNPV!a/E@8.@@/.5,.cncvoidnetclickn'f

unknown

cnc.voidnet.click.'f66a/PV!E(:+5sp-)'f}NNPV!a/E@7

unknown

cnc.voidnet.click.'fm66a/PV!E(G7j6I5o)'f"nNNPV!a/E@7

unknown

cnc.voidnet.click.'f66a/PV!E($:}5)'fJJPV!a/E<.@@(^OM^%K|+'f,JJa/PV!E<@6^OM^.,%n9|+'f=-BBPV!a/E4m@@(^OM^%`,

unknown

IPs

Domain

Country

Malicious

94.156.79.77

cnc.voidnet.click

Bulgaria

Details

IP:	94.156.79.77
TargetID:	-1
Country:	Bulgaria
Countrycode:	BGR
ASN number:	43561
ASN name:	NET1-ASBG
Private:	false
Domain:	cnc.voidnet.click

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

Memdumps

Base Address

Regiontype

Protect

Malicious

561cc9565000

page execute read

7ffe390cd000

page execute read

7eff36383000

page read and write

7eff35a45000

page read and write

7ffe3906f000

page read and write

7efe3002f000

page execute read

561cc97b6000

page read and write

561cc97bf000

page read and write

561ccd734000

page read and write

7eff36564000

page read and write

7eff35da7000

page read and write

7eff366f6000

page read and write

7eff36035000

page read and write

7eff351ab000

page read and write

7eff30021000

page read and write

7eff3668d000

page read and write

7eff361a1000

page read and write

7eff359b3000

page read and write

561ccb7bd000

page execute and read and write

7eff36012000

page read and write

561ccb7d4000

page read and write

7efe3003c000

page read and write

7eff366b1000

page read and write

7efe30037000

page read and write

7eff2ffff000

page read and write

There are 15 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
mJ4CsuZhyr.elf

Files

Processes

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportmJ4CsuZhyr.elf

Files

Processes

Domains

IPs

Memdumps

IOC Report
mJ4CsuZhyr.elf