Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

/tmp/BQBkS6XgmA.elf

/usr/bin/xfce4-session

/usr/bin/xfdesktop

xfdesktop --display :1.0 --sm-client-id 21e3a5141-81ff-45e8-a564-651b5b7002ba

/usr/bin/xfce4-session

/usr/bin/xfdesktop

xfdesktop --display :1.0 --sm-client-id 21e3a5141-81ff-45e8-a564-651b5b7002ba

/usr/bin/xfce4-session

/usr/bin/xfdesktop

xfdesktop --display :1.0 --sm-client-id 21e3a5141-81ff-45e8-a564-651b5b7002ba

/usr/bin/xfce4-session

/usr/bin/xfdesktop

xfdesktop --display :1.0 --sm-client-id 21e3a5141-81ff-45e8-a564-651b5b7002ba

/usr/bin/xfce4-session

/usr/bin/xfdesktop

xfdesktop --display :1.0 --sm-client-id 21e3a5141-81ff-45e8-a564-651b5b7002ba

There are 3 hidden processes, click here to show them.

Domains

Name

Malicious

aomacamada.ddns.net

203.145.46.240

Details

Name:	aomacamada.ddns.net
IP:	203.145.46.240
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Sends malformed DNS queries	Networking
Uses dynamic DNS services	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

net-killer.ddns.net

203.145.46.240

Details

Name:	net-killer.ddns.net
IP:	203.145.46.240
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Sends malformed DNS queries	Networking
Uses dynamic DNS services	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

net-killer.ooguy.com

203.145.46.240

Details

Name:	net-killer.ooguy.com
IP:	203.145.46.240
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Sends malformed DNS queries	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

aomacamada.ddns.net. [malformed]

unknown

Details

Name:	aomacamada.ddns.net. [malformed]
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for domain / URL	AV Detection
Sends malformed DNS queries	Networking
Uses dynamic DNS services	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

net-killer.ooguy.com. [malformed]

unknown

net-killer.ddns.net. [malformed]

unknown

Details

Name:	net-killer.ddns.net. [malformed]
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Sends malformed DNS queries	Networking
Uses dynamic DNS services	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

Vet-killer.io.v. [malformed]

unknown

domain-botnet.servehttp.com

51.79.217.59

Details

Name:	domain-botnet.servehttp.com
IP:	51.79.217.59
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

203.145.46.240

aomacamada.ddns.net

unknown

Details

IP:	203.145.46.240
TargetID:	-1
ASN number:	9313
ASN name:	ONTHENET-ASNetworkTechnologyAUSTPLAU
Private:	false
Domain:	aomacamada.ddns.net

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

51.79.217.59

domain-botnet.servehttp.com

Canada

Details

IP:	51.79.217.59
TargetID:	-1
Country:	Canada
Countrycode:	CAN
ASN number:	16276
ASN name:	OVHFR
Private:	false
Domain:	domain-botnet.servehttp.com

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

Memdumps

Base Address

Regiontype

Protect

Malicious

8067000

page read and write

f7fe8000

page execute read

95f2000

page read and write

ff9bb000

page read and write

95f2000

page read and write

8063000

page read and write

ff9bb000

page read and write

805e000

page execute read

f7fe8000

page execute read

8063000

page read and write

8067000

page read and write

805e000

page execute read

There are 2 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
BQBkS6XgmA.elf

Processes

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportBQBkS6XgmA.elf

Processes

Domains

IPs

Memdumps

IOC Report
BQBkS6XgmA.elf