Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

8awpc7GpMh.elf

ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped

initial sample

Details

Filetype:	ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
Entropy:	6.058742415929094
Filename:	8awpc7GpMh.elf
Filesize:	77640
MD5:	d2f4649a29914aef2505a171786dcd36
SHA1:	808005bd1c9bfd18ff6eb930672273adb1509de4
SHA256:	159497c764b01330a7b101f88480d261ed9447639e54fc0fa0c7837ec1cd122b
SHA512:	4cb9d9d9be1571ca104a1aaf03d63c3410d43b0c20776afe487a8f3693365531dcc7c5c2f5da4352164abf8aaab2196480e54d87bc8da24f542c3447e12c36be
SSDEEP:	1536:Dwfv0c9K043hiw66vn/OMIuztV+wlOqtKTmIWSSPaNltRqSiC:DwfvKJmMN6ehU
Preview:	.ELF...a..........(.........4....-......4. ...(.....................@)..@)..............D)..D)..D)..4....&..........Q.td..................................-...L."....D..........0@-.\P...0....S.0...P@...0... ....R......0...0...........0... ....R..... 0....S

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Sample deletes itself	Hooking and other Techniques for Hiding and Protection	File Deletion
Enumerates processes within the "proc" file system	Persistence and Installation Behavior	OS Credential Dumping
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample tries to kill a process (SIGKILL)	System Summary
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion

/tmp/qemu-open.4zRZeD (deleted)

data

dropped

Details

File:	/tmp/qemu-open.4zRZeD (deleted)
Category:	dropped
Dump:	qemu-open.4zRZeD (deleted).12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/8awpc7GpMh.elf
Type:	data
Entropy:	4.256564762130954
Encrypted:	false
Ssdeep:	3:TgdgSP+NiHJN:TgdgS2NkJN
Size:	30
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

/tmp/8awpc7GpMh.elf

/usr/libexec/gnome-session-binary

/bin/sh

/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-rfkill

/usr/libexec/gsd-rfkill

/usr/lib/systemd/systemd

/lib/systemd/systemd-hostnamed

Domains

Name

Malicious

cnc.voidnet.click

94.156.79.77

Details

Name:	cnc.voidnet.click
IP:	94.156.79.77
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Queries the IP of a very long domain name	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

cnc.voidnet.click.''f66PV,PV!E(9(w5#Fw%''fNNPV!PV,E@

unknown

cnc.voidnet.click.''f<66PV,PV!E(nj5?H[%''fNNPV!PV,E@

unknown

cnc.voidnet.click.''fhi66PV,PV!E(Pj,52$h%''fiNNPV!PV,E@

unknown

cnc.voidnet.click.''fT66PV,PV!E(*jR5W%''fmJJPV!PV,E<

unknown

cnc.voidnet.click.''f466PV,PV!E(:Y5W+C%''fh5NNPV!PV,E@

unknown

IPs

Domain

Country

Malicious

94.156.79.77

cnc.voidnet.click

Bulgaria

Details

IP:	94.156.79.77
TargetID:	-1
Country:	Bulgaria
Countrycode:	BGR
ASN number:	43561
ASN name:	NET1-ASBG
Private:	false
Domain:	cnc.voidnet.click

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

109.202.202.202

unknown

Switzerland

Details

IP:	109.202.202.202
TargetID:	-1
Country:	Switzerland
Countrycode:	CHE
ASN number:	13030
ASN name:	INIT7CH
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

89.190.156.145

unknown

United Kingdom

Details

IP:	89.190.156.145
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	7489
ASN name:	HOSTUS-GLOBAL-ASHostUSHK
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.43

unknown

United Kingdom

Details

IP:	91.189.91.43
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.42

unknown

United Kingdom

Details

IP:	91.189.91.42
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7ffe4d67d000

page read and write

563374f07000

page execute and read and write

7fc51ffff000

page read and write

563372f00000

page read and write

7fc520021000

page read and write

7fc52946e000

page read and write

7fc5294d7000

page read and write

7fc528e16000

page read and write

7fc528b88000

page read and write

563374f1e000

page read and write

7fc528826000

page read and write

7fc42002a000

page execute read

7fc528f82000

page read and write

7fc529492000

page read and write

7fc529345000

page read and write

563376180000

page read and write

7ffe4d6a7000

page execute read

7fc529164000

page read and write

7fc528794000

page read and write

563372caf000

page execute read

7fc420032000

page read and write

7fc527f8c000

page read and write

563372f09000

page read and write

7fc528df3000

page read and write

7fc420035000

page read and write

There are 15 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
8awpc7GpMh.elf

Files

Processes

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report8awpc7GpMh.elf

Files

Processes

Domains

IPs

Memdumps

IOC Report
8awpc7GpMh.elf