Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

5TklXu3QQx

ELF 32-bit LSB shared object, ARM, EABI5 version 1 (GNU/Linux), statically linked, stripped

initial sample

Details

Filetype:	ELF 32-bit LSB shared object, ARM, EABI5 version 1 (GNU/Linux), statically linked, stripped
Entropy:	7.999813863668134
Filename:	5TklXu3QQx
Filesize:	1425088
MD5:	e7c802a697bc9c56abcdf3d5f8dd53a5
SHA1:	8fe01876a890ad448b52907d11bdd3e9c2822aaf
SHA256:	e6edd6550600dafb8bfa1349b21026bbcfb9811888c105dc9672d6d197ae8b19
SHA512:	edd597d23b51c947185f5895a512dee18b86d97c157699f8139a71c9e9eedb74f43e2b6888c696edda6187ed180e3cdfdfcc0cb9eeb7d1b51940b8370ef0d00f
SSDEEP:	24576:E4aNweg+U8fIa4OIwP1pmlXmiDozMAdXI5dtzm1fD8bhddZK21stOD:E4aNRU8fIa1pml2ikzMAcK1ah3nKt8
Preview:	.ELF..............(......I_.4...$.......4. ...(...........................I...................I...I.................Q.td.............................M.=UPX!.........&G..TE................?.E.h;.......$........P.y.t.N:5.....0st.t.<..C-c.+^.B~a.&.d........v

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Found strings related to Crypto-Mining	Bitcoin Miner
Sample reads /proc/mounts (often used for finding a writable filesystem)	Persistence and Installation Behavior
ELF contains segments with high entropy indicating compressed/encrypted content	Hooking and other Techniques for Hiding and Protection	Obfuscated Files or Information
Enumerates processes within the "proc" file system	Persistence and Installation Behavior	OS Credential Dumping
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Reads CPU information from /proc indicative of miner or evasive malware	Bitcoin Miner, Malware Analysis System Evasion	System Information Discovery
Reads CPU information from /sys indicative of miner or evasive malware	Bitcoin Miner, Malware Analysis System Evasion
Reads system information from the proc file system	Persistence and Installation Behavior
Reads the 'hosts' file potentially containing internal network hosts	Networking	File and Directory Discovery
Sample listens on a socket	Networking
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
URLs found in memory or binary data	Networking

/var/spool/cron/crontabs/tmp.DB17wd

ASCII text

dropped

Details

File:	/var/spool/cron/crontabs/tmp.DB17wd
Category:	dropped
Dump:	tmp.DB17wd.17.dr
ID:	dr_0
Target ID:	17
Process:	/usr/bin/crontab
Type:	ASCII text
Entropy:	5.224243008231628
Encrypted:	false
Ssdeep:	6:SUrpqoqQjEOP1KmREJOBFQLk10wvZHGMQ5UYLtCFt3HYUQa:8QjHig88JeHLUHYUD
Size:	199
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Sample tries to persist itself using cron	Persistence and Installation Behavior

Processes

Path

Cmdline

Malicious

/tmp/5TklXu3QQx

/usr/bin/qemu-arm /tmp/5TklXu3QQx

/tmp/5TklXu3QQx

/bin/sh

sh -c "crontab -l"

/bin/sh

/usr/bin/crontab

crontab -l

/tmp/5TklXu3QQx

/bin/sh

sh -c "echo \"@reboot /tmp/5TklXu3QQx\" | crontab -"

/bin/sh

/usr/bin/crontab

crontab -

/tmp/5TklXu3QQx

/bin/sh

sh -c "iptables -I INPUT -p tcp --dport 32113 -j ACCEPT"

/bin/sh

/sbin/iptables

iptables -I INPUT -p tcp --dport 32113 -j ACCEPT

/sbin/iptables

/sbin/modprobe

/sbin/modprobe ip_tables

There are 8 hidden processes, click here to show them.

URLs

Name

Malicious

https://gcc.gnu.org/bugs/):

unknown

http://upx.sf.net

unknown

Details

Name:	http://upx.sf.net
TargetID:	8
From Memory:	true
Current Path:	/tmp/5TklXu3QQx
Source:	5TklXu3QQx
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Sample is packed with UPX	Data Obfuscation	Obfuscated Files or Information
URLs found in memory or binary data	Networking

https://xmrig.com/benchmark/%s

unknown

https://xmrig.com/wizard

unknown

https://xmrig.com/wizard%s

unknown

http://download.asyncfox.xyz/download/xmrig.arm7;

unknown

https://xmrig.com/docs/algorithms

unknown

Domains

Name

Malicious

c2.asyncfox.xyz

unknown

Details

Name:	c2.asyncfox.xyz
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Performs DNS queries to domains with low reputation	Networking
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)	Networking
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

xmr-pool.asyncfox.xyz

unknown

Details

Name:	xmr-pool.asyncfox.xyz
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Performs DNS queries to domains with low reputation	Networking
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)	Networking
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

45.95.147.236

unknown

Netherlands

Details

IP:	45.95.147.236
TargetID:	-1
Country:	Netherlands
Countrycode:	NLD
ASN number:	51942
ASN name:	EKMEDIANL
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7fa3a8ca4000

page execute read

7fa3a804c000

page read and write

7fa3ab884000

page read and write

7fa3aa628000

page read and write

7fa3ac125000

page read and write

7fa3acc84000

page read and write

7fa3ac858000

page read and write

7fa3a8023000

page read and write

7fff45984000

page read and write

561824adc000

page read and write

7fa3a8043000

page read and write

561821d27000

page execute read

561821f6e000

page read and write

561821fc0000

page read and write

7fff4599c000

page execute read

7fa3a884e000

page read and write

561823fca000

page read and write

7fa3a801f000

page read and write

7fa3a803d000

page read and write

7fa3a8cea000

page read and write

7fa3a8ce8000

page read and write

561823fbf000

page execute and read and write

7fa3acc6a000

page read and write

7fa3ab667000

page read and write

7fa3aae29000

page read and write

7fa3a804d000

page execute read

7fa3a8049000

page read and write

There are 17 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
5TklXu3QQx

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report5TklXu3QQx

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
5TklXu3QQx