Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

qnW5l5Iegw

ELF 32-bit LSB shared object, ARM, EABI5 version 1 (GNU/Linux), statically linked, stripped

initial sample

Details

Filetype:	ELF 32-bit LSB shared object, ARM, EABI5 version 1 (GNU/Linux), statically linked, stripped
Entropy:	7.999822022561568
Filename:	qnW5l5Iegw
Filesize:	1280020
MD5:	bb4eee24d6f69698c8acc8e472feecd3
SHA1:	214a44c96c85563d391329a37cf7ee155c727d3d
SHA256:	e7d8b915ad94182702f678e78a5b8552ff1c2515a7651b775646d145ba4b1186
SHA512:	461dad26264132408980c14a3256637cd21e9d22e5dd8d145919220da87fe37a58c3d8a7b768d8ac56311fca7958b740cc56083e08ec95f94c869d133dd4eef8
SSDEEP:	24576:vVDH1SCPK772iIfWAaF5F/MvkNKIStg91xue27yygrxUB69wNzI5R5XmEZF:9Ddu1mNa3FM+KIStcX0Vgrx7wNzIUEZF
Preview:	.ELF..............(.....\|2R.4...x.......4. ...(.........................h.>......@............>...>..............@..Q.td.............................M.=UPX!........T.<...:................?.E.h;.......$.....>.......x"z^..d..Dg.....>.H.N..#o>.R{&.}....&..$.

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Found strings related to Crypto-Mining	Bitcoin Miner
Sample reads /proc/mounts (often used for finding a writable filesystem)	Persistence and Installation Behavior
ELF contains segments with high entropy indicating compressed/encrypted content	Hooking and other Techniques for Hiding and Protection	Obfuscated Files or Information
Enumerates processes within the "proc" file system	Persistence and Installation Behavior	OS Credential Dumping
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Reads CPU information from /proc indicative of miner or evasive malware	Bitcoin Miner, Malware Analysis System Evasion	System Information Discovery
Reads CPU information from /sys indicative of miner or evasive malware	Bitcoin Miner, Malware Analysis System Evasion
Reads system information from the proc file system	Persistence and Installation Behavior
Reads the 'hosts' file potentially containing internal network hosts	Networking	File and Directory Discovery
Sample listens on a socket	Networking
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
URLs found in memory or binary data	Networking

/var/spool/cron/crontabs/tmp.Wl5qG5

ASCII text

dropped

Details

File:	/var/spool/cron/crontabs/tmp.Wl5qG5
Category:	dropped
Dump:	tmp.Wl5qG5.21.dr
ID:	dr_0
Target ID:	21
Process:	/usr/bin/crontab
Type:	ASCII text
Entropy:	5.207819892230921
Encrypted:	false
Ssdeep:	6:SUrpqoqQjEOP1KmREJOBFQLk0R+UBMvZHGMQ5UYLtCFt3HYDg:8QjHig89RGJeHLUHY8
Size:	199
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Sample tries to persist itself using cron	Persistence and Installation Behavior

Processes

Path

Cmdline

Malicious

/tmp/qnW5l5Iegw

/bin/sh

sh -c "crontab -l"

/bin/sh

/usr/bin/crontab

crontab -l

/tmp/qnW5l5Iegw

/bin/sh

sh -c "echo \"@reboot /tmp/qnW5l5Iegw\" | crontab -"

/bin/sh

/usr/bin/crontab

crontab -

/tmp/qnW5l5Iegw

/bin/sh

sh -c "iptables -I INPUT -p tcp --dport 47067 -j ACCEPT"

/bin/sh

/usr/sbin/iptables

iptables -I INPUT -p tcp --dport 47067 -j ACCEPT

/usr/bin/dash

/usr/bin/rm

rm -f /tmp/tmp.lxN0S8N9yT /tmp/tmp.nGqllcajKz /tmp/tmp.A4tJ7ptlel

/usr/bin/dash

/usr/bin/rm

rm -f /tmp/tmp.lxN0S8N9yT /tmp/tmp.nGqllcajKz /tmp/tmp.A4tJ7ptlel

There are 10 hidden processes, click here to show them.

URLs

Name

Malicious

https://gcc.gnu.org/bugs/):

unknown

http://upx.sf.net

unknown

Details

Name:	http://upx.sf.net
TargetID:	12
From Memory:	true
Current Path:	/tmp/qnW5l5Iegw
Source:	qnW5l5Iegw
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Sample is packed with UPX	Data Obfuscation	Obfuscated Files or Information
URLs found in memory or binary data	Networking

https://xmrig.com/wizard

unknown

https://xmrig.com/wizard%s

unknown

http://download.asyncfox.xyz/download/xmrig.arm7;

unknown

https://xmrig.com/docs/algorithms

unknown

Domains

Name

Malicious

c2.asyncfox.xyz

unknown

Details

Name:	c2.asyncfox.xyz
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Performs DNS queries to domains with low reputation	Networking
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)	Networking
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

xmr-pool.asyncfox.xyz

unknown

Details

Name:	xmr-pool.asyncfox.xyz
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Performs DNS queries to domains with low reputation	Networking
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)	Networking
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

34.249.145.219

unknown

United States

Details

IP:	34.249.145.219
TargetID:	-1
Country:	United States
Countrycode:	USA
ASN number:	16509
ASN name:	AMAZON-02US
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

45.95.147.236

unknown

Netherlands

Details

IP:	45.95.147.236
TargetID:	-1
Country:	Netherlands
Countrycode:	NLD
ASN number:	51942
ASN name:	EKMEDIANL
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

109.202.202.202

unknown

Switzerland

Details

IP:	109.202.202.202
TargetID:	-1
Country:	Switzerland
Countrycode:	CHE
ASN number:	13030
ASN name:	INIT7CH
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.43

unknown

United Kingdom

Details

IP:	91.189.91.43
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.42

unknown

United Kingdom

Details

IP:	91.189.91.42
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7f7f472d8000

page read and write

7f7f47e89000

page execute read

55b47ec68000

page read and write

7f7f48021000

page read and write

7f7f47ada000

page read and write

7f7f4c487000

page read and write

7f7f4cd21000

page read and write

7f7f47ec3000

page read and write

7f7f4d47d000

page read and write

55b480c6f000

page execute and read and write

7f7f4d2ee000

page read and write

7f7f4d840000

page read and write

55b480c86000

page read and write

7f7f4d98d000

page read and write

7ffd1d559000

page execute read

7ffd1d41e000

page read and write

7f7f4d65f000

page read and write

7f7f4d969000

page read and write

7f7f4d9d2000

page read and write

7f7f4d311000

page read and write

7f7f472d3000

page read and write

7f7f472ce000

page read and write

55b47ec71000

page read and write

7f7f4d083000

page read and write

55b481f1b000

page read and write

7f7f472d9000

page execute read

7f7f472a4000

page read and write

7f7f4cc8f000

page read and write

55b47ea17000

page execute read

There are 19 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
qnW5l5Iegw

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportqnW5l5Iegw

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
qnW5l5Iegw