Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

W7v6a74sWr.elf

ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, not stripped

initial sample

Details

Filetype:	ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, not stripped
Entropy:	6.166935816150178
Filename:	W7v6a74sWr.elf
Filesize:	114714
MD5:	5f47f43b8928e2539b7635c610479d9c
SHA1:	34178435cd506f2088d00fad60301a023e0fa4f1
SHA256:	7a098e8193556a240cb09fc3dc0937e462cc5bb056fbf071a500c1554481e466
SHA512:	bd6c5fc9a5049aee241d4aa10868d09ea7676e512b1de57a8aeac6f5386846a73ec3b9afac0f39046cb0af16024e253209aae611eca96f3ef26b077486a3c643
SSDEEP:	3072:0zST7qhxQeqacWucW0JcWcB4t/JMPFWS7QeX8nxVJ3X3qmmTWzRiRnHC9n:xaxQeqacWucW0JcWcBg/JgkmBX8nfJ3/
Preview:	.ELF.......................D...4..kL.....4. ...(......................[~..[~...... .......[...{...{.......i....... .dt.Q............................NV..a....da.....N^NuNV..J9....f>"y..{. QJ.g.X.#...{.N."y..{. QJ.f.A.....J.g.Hy..{.N.X.........N^NuNV..N^NuN

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Opens /proc/net/* files useful for finding connected devices and routers	Spreading	Remote System Discovery
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
Yara signature match	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
URLs found in memory or binary data	Networking

/tmp/qemu-open.XHKW0W (deleted)

ASCII text

dropped

Details

File:	/tmp/qemu-open.XHKW0W (deleted)
Category:	dropped
Dump:	qemu-open.XHKW0W (deleted).12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/W7v6a74sWr.elf
Type:	ASCII text
Entropy:	3.709552666863289
Encrypted:	false
Ssdeep:	6:iekrEcvwAsE5KlwSd4pzKaV6Lpms/a/1VCxGF:ur+m5MwSdIKaV6L1adVRF
Size:	230
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

/tmp/W7v6a74sWr.elf

/usr/bin/dash

/usr/bin/rm

rm -f /tmp/tmp.rPSYHh9LFE /tmp/tmp.g7XUvJPyc5 /tmp/tmp.IsLb8qviFy

/usr/bin/dash

/usr/bin/rm

rm -f /tmp/tmp.rPSYHh9LFE /tmp/tmp.g7XUvJPyc5 /tmp/tmp.IsLb8qviFy

URLs

Name

Malicious

http://www.billybobbot.com/crawler/)

unknown

Details

Name:	http://www.billybobbot.com/crawler/)
TargetID:	12
From Memory:	true
Current Path:	/tmp/W7v6a74sWr.elf
Source:	W7v6a74sWr.elf

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection
URLs found in memory or binary data	Networking

147.185.221.19:30455

Details

Name:	147.185.221.19:30455
TargetID:	0
From Memory:	false
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

http://www.baidu.com/search/spider.html)

unknown

http://fast.no/support/crawler.asp)

unknown

http://feedback.redkolibri.com/

unknown

http://www.baidu.com/search/spider.htm)

unknown

IPs

Domain

Country

Malicious

147.185.221.19

unknown

United States

Details

IP:	147.185.221.19
TargetID:	-1
Country:	United States
Countrycode:	USA
ASN number:	12087
ASN name:	SALSGIVERUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

34.249.145.219

unknown

United States

Details

IP:	34.249.145.219
TargetID:	-1
Country:	United States
Countrycode:	USA
ASN number:	16509
ASN name:	AMAZON-02US
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

109.202.202.202

unknown

Switzerland

Details

IP:	109.202.202.202
TargetID:	-1
Country:	Switzerland
Countrycode:	CHE
ASN number:	13030
ASN name:	INIT7CH
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.43

unknown

United Kingdom

Details

IP:	91.189.91.43
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.42

unknown

United Kingdom

Details

IP:	91.189.91.42
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7f8268017000

page execute read

7f8268017000

page execute read

563eeba18000

page read and write

563eeba20000

page read and write

7f82e8021000

page read and write

7ffeaced6000

page read and write

7f82ee6a6000

page read and write

563eeda1e000

page execute and read and write

7f82ef508000

page read and write

563eeba18000

page read and write

7f82ef878000

page read and write

563eeda1e000

page execute and read and write

563eedab5000

page read and write

7f82ef9a1000

page read and write

7f82ef146000

page read and write

7f82eeeb7000

page read and write

563eeb7e6000

page execute read

563eedab5000

page read and write

7f82e8021000

page read and write

7f82eeeb7000

page read and write

563eeb7e6000

page execute read

7f82ef9ee000

page read and write

7f82ef146000

page read and write

7f82ef878000

page read and write

7f82e8000000

page read and write

7ffeacf1e000

page execute read

7f82ef52d000

page read and write

7f82e8000000

page read and write

563eedd4f000

page read and write

7f82ee6a6000

page read and write

7f82ef9a1000

page read and write

7f8268019000

page read and write

7f82ef52d000

page read and write

7f82eeea9000

page read and write

7f82ef9a9000

page read and write

7f8268019000

page read and write

7f8268020000

page read and write

7f82eeea9000

page read and write

563eeba20000

page read and write

563eedd4f000

page read and write

7f82ef9ee000

page read and write

7ffeacf1e000

page execute read

7ffeaced6000

page read and write

7f82ef9a9000

page read and write

7f82ef508000

page read and write

7f8268020000

page read and write

There are 36 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
W7v6a74sWr.elf

Files

Processes

URLs

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportW7v6a74sWr.elf

Files

Processes

URLs

IPs

Memdumps

IOC Report
W7v6a74sWr.elf