Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

QVorHPgh3b.elf

initial sample

Details

Entropy:	5.489730563923757
Filename:	QVorHPgh3b.elf
Filesize:	214648
MD5:	479a59d369b590829900787ec24f57c2
SHA1:	80b7168501a5ce3133c45c7b0c1806b28df37240
SHA256:	6700fd45772662f76aed607a2549250c2e3c00da716b28d0de74e442cfe722ea
SHA512:	c26a8ec70c343d9aae7a0be4a26c7d0eb08e93a4d373dc7e114bf223eec08f494dec2b91e7bf630dde94781f96a972580a1bb97f6bc04147556cf5a6c6163a85
SSDEEP:	3072:DXG975JM8kUdxUSlS5Pj+yqu5/Zqay+R9ask0QcYb/5hhC1cmrpy6n9Nn:DWYCzcYb/5hhBmrpy6n9Nn
Preview:	.ELF.....................@.....4.........4. ...(....p........@...@...........................@...@.....P...P.................C...C.........................D.C.D.C.D................dt.Q.................................................D.P<...'.-d...!'......

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Opens /proc/net/* files useful for finding connected devices and routers	Spreading	Remote System Discovery
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion
Yara signature match	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
URLs found in memory or binary data	Networking

/tmp/qemu-open.UIx9yw (deleted)

ASCII text

dropped

Details

File:	/tmp/qemu-open.UIx9yw (deleted)
Category:	dropped
Dump:	qemu-open.UIx9yw (deleted).12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/QVorHPgh3b.elf
Type:	ASCII text
Entropy:	3.709552666863289
Encrypted:	false
Ssdeep:	6:iekrEcvwAsE5KlwSd4pzKaV6Lpms/a/1VCxGF:ur+m5MwSdIKaV6L1adVRF
Size:	230
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

/tmp/QVorHPgh3b.elf

URLs

Name

Malicious

http://www.billybobbot.com/crawler/)

unknown

Details

Name:	http://www.billybobbot.com/crawler/)
TargetID:	12
From Memory:	true
Current Path:	/tmp/QVorHPgh3b.elf
Source:	QVorHPgh3b.elf

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection
URLs found in memory or binary data	Networking

93.123.85.78:55

Details

Name:	93.123.85.78:55
TargetID:	0
From Memory:	false
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

http://www.baidu.com/search/spider.html)

unknown

http://fast.no/support/crawler.asp)

unknown

http://feedback.redkolibri.com/

unknown

http://www.baidu.com/search/spider.htm)

unknown

Domains

Name

Malicious

daisy.ubuntu.com

162.213.35.25

Details

Name:	daisy.ubuntu.com
IP:	162.213.35.25
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

93.123.85.78

unknown

Bulgaria

Details

IP:	93.123.85.78
TargetID:	-1
Country:	Bulgaria
Countrycode:	BGR
ASN number:	43561
ASN name:	NET1-ASBG
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7febf442a000

page execute read

7febf442a000

page execute read

55742fa48000

page execute read

7fec7b804000

page read and write

7fec7bba5000

page read and write

7fec7bbc8000

page read and write

55742fcd0000

page read and write

7fec74000000

page read and write

7fec7bbc8000

page read and write

7fec7c228000

page read and write

55742fa48000

page execute read

7fec7c0f7000

page read and write

7febf443c000

page read and write

557431cef000

page read and write

7fec7bf16000

page read and write

557431cd8000

page execute and read and write

557431cef000

page read and write

7fec74021000

page read and write

7fec7b546000

page read and write

7fec7c0f7000

page read and write

7fec7bf16000

page read and write

7fec74021000

page read and write

55742fcda000

page read and write

557433aa0000

page read and write

7febf443c000

page read and write

557431cd8000

page execute and read and write

7fec7b554000

page read and write

7fec7b554000

page read and write

7fec74000000

page read and write

7ffd9a703000

page execute read

7fec7c220000

page read and write

7fec7c228000

page read and write

7fec7c26d000

page read and write

7fec7b546000

page read and write

7febf4444000

page read and write

7ffd9a703000

page execute read

557433aa0000

page read and write

7fec7ad3e000

page read and write

55742fcda000

page read and write

7fec7ad3e000

page read and write

7fec7c220000

page read and write

7fec7bbe5000

page read and write

7fec7bba5000

page read and write

7ffd9a6d4000

page read and write

7fec7c26d000

page read and write

7fec7b804000

page read and write

7febf4444000

page read and write

7ffd9a6d4000

page read and write

7fec7bbe5000

page read and write

55742fcd0000

page read and write

There are 40 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
QVorHPgh3b.elf

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportQVorHPgh3b.elf

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
QVorHPgh3b.elf