Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Y04kc90KjB.elf

ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, stripped

initial sample

Details

Filetype:	ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, stripped
Entropy:	6.208112429158695
Filename:	Y04kc90KjB.elf
Filesize:	85248
MD5:	3269d259e15e21443a2e1e7e83d45e45
SHA1:	d74f28ae8f403a5ff336986d5cead17b6eb4390a
SHA256:	130c8fc7a6e5e3a0f3bd8c2bbf231af16a478603706d7f670f3eb0f0742d78ad
SHA512:	cbdb8b3dde63e2ab4c18e18d9f496db71789ef221a43d83ef364bc8297bfa127ecdf1c434e2eaf2cc9e6f1c61e4de5453509d29bc9a7ea237a300fb49abfaf64
SSDEEP:	1536:41LJvCyEpMADod2480ydtklqtfCYi5Y4Tjr/ZDLl+xUwwCF:WLJqpmADod2iydtkVYoYG5l+xbZF
Preview:	.ELF.......................D...4..Kp.....4. ...(......................F...F....... .......G...g...g....0..%....... .dt.Q............................NV..a....da.... N^NuNV..J9..k0f>"y..g. QJ.g.X.#...g.N."y..g. QJ.f.A.....J.g.Hy..F.N.X.......k0N^NuNV..N^NuN

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Sample deletes itself	Hooking and other Techniques for Hiding and Protection	File Deletion
Enumerates processes within the "proc" file system	Persistence and Installation Behavior	OS Credential Dumping
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample tries to kill a process (SIGKILL)	System Summary
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery

/tmp/qemu-open.zrLeXM (deleted)

data

dropped

Details

File:	/tmp/qemu-open.zrLeXM (deleted)
Category:	dropped
Dump:	qemu-open.zrLeXM (deleted).12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/Y04kc90KjB.elf
Type:	data
Entropy:	4.481727678869737
Encrypted:	false
Ssdeep:	3:TgXQ0NloHJN:TgXQ03aJN
Size:	30
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

/tmp/Y04kc90KjB.elf

/usr/libexec/gnome-session-binary

/bin/sh

/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-rfkill

/usr/libexec/gsd-rfkill

/usr/lib/systemd/systemd

/lib/systemd/systemd-hostnamed

Domains

Name

Malicious

cnc.voidnet.click

94.156.79.77

Details

Name:	cnc.voidnet.click
IP:	94.156.79.77
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

94.156.79.77

cnc.voidnet.click

Bulgaria

Details

IP:	94.156.79.77
TargetID:	-1
Country:	Bulgaria
Countrycode:	BGR
ASN number:	43561
ASN name:	NET1-ASBG
Private:	false
Domain:	cnc.voidnet.click

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

89.190.156.145

unknown

United Kingdom

Details

IP:	89.190.156.145
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	7489
ASN name:	HOSTUS-GLOBAL-ASHostUSHK
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7fcf52cc8000

page read and write

7fcf53038000

page read and write

7fcf52ced000

page read and write

7fcecc01b000

page read and write

7fcf4c021000

page read and write

7fcf531ae000

page read and write

55bebfef9000

page execute read

7fcf52677000

page read and write

7fcecc016000

page execute read

7ffec0482000

page read and write

7fcf51e66000

page read and write

55bec012b000

page read and write

7fcf53169000

page read and write

7fcf52906000

page read and write

55bec0133000

page read and write

7fcf52669000

page read and write

7fcf53161000

page read and write

55bec2433000

page read and write

7fcf4c000000

page read and write

7ffec04f5000

page execute read

7fcecc018000

page read and write

55bec21c8000

page read and write

55bec2131000

page execute and read and write

There are 13 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Y04kc90KjB.elf

Files

Processes

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportY04kc90KjB.elf

Files

Processes

Domains

IPs

Memdumps

IOC Report
Y04kc90KjB.elf