Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

JU8juw0kr0.elf

ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped

initial sample

Details

Filetype:	ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
Entropy:	6.052230684090755
Filename:	JU8juw0kr0.elf
Filesize:	75268
MD5:	d64d515bcf2d91d1a7222e4a5a0ec940
SHA1:	b3db534c6b86da47dfa9a7b55885474acf596a57
SHA256:	a757c63a3b1fd90cd245c9590266906aac0d02712049cb6873f0e2c2adc3b4c9
SHA512:	7e4a991390bb6b9781eb684f761305de599a8eb3b5fa81e77c17d7e869f41ee069c726c39416761502be64e1dbf6254ad4b4f183c72c8dd7c8d07450ab7bc650
SSDEEP:	1536:8GcEk0+/kGoDDBKhjErbwlONGR5znoyhI6SiC:8GcSRMjEPsRnx+
Preview:	.ELF...a..........(.........4...t$......4. ...(.......................................... ... ... ..4....&..........Q.td..................................-...L."...vA..........0@-.\P...0....S.0...P@...0... ....R......0...0...........0... ....R..... 0....S

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Sample deletes itself	Hooking and other Techniques for Hiding and Protection	File Deletion
Enumerates processes within the "proc" file system	Persistence and Installation Behavior	OS Credential Dumping
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample tries to kill a process (SIGKILL)	System Summary
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion

/tmp/qemu-open.TsJKJG (deleted)

data

dropped

Details

File:	/tmp/qemu-open.TsJKJG (deleted)
Category:	dropped
Dump:	qemu-open.TsJKJG (deleted).12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/JU8juw0kr0.elf
Type:	data
Entropy:	4.348394345536403
Encrypted:	false
Ssdeep:	3:TgoNES8HJN:TgoGJN
Size:	30
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

/tmp/JU8juw0kr0.elf

/usr/libexec/gnome-session-binary

/bin/sh

/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-rfkill

/usr/libexec/gsd-rfkill

/usr/lib/systemd/systemd

/lib/systemd/systemd-hostnamed

Domains

Name

Malicious

cnc.voidnet.click

94.156.79.77

Details

Name:	cnc.voidnet.click
IP:	94.156.79.77
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Queries the IP of a very long domain name	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

cnc.voidnet.click.'fNT66a/PV!E(&:?5)I'fTNNPV!a/E@.@@y5,br)I

unknown

cnc.voidnet.click.'fJJPV!a/E<V@@+Y5p('f66

unknown

cnc.voidnet.click.'f66a/PV!E(t:5r)I'fNNPV!a/E@

unknown

cnc.voidnet.click.'fx66a/PV!E(bBj>5)I'fNNPV!a/E@.@@y

unknown

cnc.voidnet.click.'f66a/PV!E(lj5)I'fNNPV!a/E@.@@y.5,a

unknown

IPs

Domain

Country

Malicious

94.156.79.77

cnc.voidnet.click

Bulgaria

Details

IP:	94.156.79.77
TargetID:	-1
Country:	Bulgaria
Countrycode:	BGR
ASN number:	43561
ASN name:	NET1-ASBG
Private:	false
Domain:	cnc.voidnet.click

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

89.190.156.145

unknown

United Kingdom

Details

IP:	89.190.156.145
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	7489
ASN name:	HOSTUS-GLOBAL-ASHostUSHK
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

5561668da000

page execute read

7efefee52000

page read and write

7efeffcb9000

page read and write

7efeffe48000

page read and write

7eff0039d000

page read and write

7efef8021000

page read and write

556166b34000

page read and write

7efdf8029000

page execute read

7efdf8035000

page read and write

7ffdcd3ec000

page read and write

556168b49000

page read and write

7eff00334000

page read and write

7eff00358000

page read and write

7efeffcdc000

page read and write

7ffdcd3f0000

page execute read

556166b2b000

page read and write

55616a049000

page read and write

7efeffa4e000

page read and write

7efdf8032000

page read and write

7efeff6ec000

page read and write

7eff0020b000

page read and write

7eff0002a000

page read and write

556168b32000

page execute and read and write

7efef7fff000

page read and write

7efeff65a000

page read and write

There are 15 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
JU8juw0kr0.elf

Files

Processes

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportJU8juw0kr0.elf

Files

Processes

Domains

IPs

Memdumps

IOC Report
JU8juw0kr0.elf