Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

bezWhgH7DL.elf

ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, stripped

initial sample

Details

Filetype:	ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, stripped
Entropy:	6.011482866281488
Filename:	bezWhgH7DL.elf
Filesize:	66568
MD5:	83d35720ddf336f71e1702a332c590aa
SHA1:	69e5719152b284a6539d69b9b6e8939c9ba3374c
SHA256:	e589db61d5e1b238c153aab66fa63763c6bf23c795c81e7e6794b7cfb70ff9da
SHA512:	3363e490fff52d218f0d336a3944523f294e44baabe36922bbf52e2e2691c6b6a97fa7dc5787d7a701dab457315b5a26df56efe6a878d6e69c17010a1ed48aa6
SSDEEP:	768:x7QzG79IoInRX1A6+ROMG9/w0YFFjd3A+ZXpPmIeT1LB/0OQjFHibOYvn4w7N3HW:RMo9InnRX1A6+ROMg/wGOYvbmBaC
Preview:	.ELF...........................4...x.....4. ...(.......................................................8...x........dt.Q................................@..(....@.<.................#.....b8..`.....!..... ...@.....".........`......$ ... ...@...........`....

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Enumerates processes within the "proc" file system	Persistence and Installation Behavior	OS Credential Dumping
Sample listens on a socket	Networking
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery

/tmp/qemu-open.WtO6PH (deleted)

ASCII text

dropped

Details

File:	/tmp/qemu-open.WtO6PH (deleted)
Category:	dropped
Dump:	qemu-open.WtO6PH (deleted).16.dr
ID:	dr_0
Target ID:	16
Process:	/tmp/bezWhgH7DL.elf
Type:	ASCII text
Entropy:	3.5699882974477983
Encrypted:	false
Ssdeep:	6:M3gcyNCtXoX6/VUV4cyNCtX8/I9l/VbY/VfKoO/VNfiY/VH:M39yNCt4rVlyNCts/Ihl
Size:	310
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

/tmp/bezWhgH7DL.elf

Domains

Name

Malicious

minuoddos.top

91.92.244.58

Details

Name:	minuoddos.top
IP:	91.92.244.58
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Connects to many ports of the same IP (likely port scanning)	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

91.92.244.58

minuoddos.top

Bulgaria

Details

IP:	91.92.244.58
TargetID:	-1
Country:	Bulgaria
Countrycode:	BGR
ASN number:	34368
ASN name:	THEZONEBG
Private:	false
Domain:	minuoddos.top

Signature Hits	Behavior Group	Mitre Attack
Connects to many ports of the same IP (likely port scanning)	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

185.125.190.26

unknown

United Kingdom

Details

IP:	185.125.190.26
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7f5f4de18000

page read and write

5647ddf66000

page read and write

7f5f4e28c000

page read and write

7f5f4ddf3000

page read and write

5647ddf4f000

page execute and read and write

7f5f4d794000

page read and write

7f5f4e294000

page read and write

7f5e48021000

page execute read

5647ddf4f000

page execute and read and write

5647dbd1a000

page execute read

7f5f4da31000

page read and write

7f5f4d794000

page read and write

7f5f4d7a2000

page read and write

7f5f4de18000

page read and write

7f5f4e2d9000

page read and write

7f5f4ddf3000

page read and write

7f5f4ddf3000

page read and write

7f5f4d794000

page read and write

7f5e48023000

page read and write

7ffcf99f6000

page execute read

5647ddf66000

page read and write

5647ddf4f000

page execute and read and write

5647dbf48000

page read and write

5647dbf51000

page read and write

7f5e48023000

page read and write

7f5f4e163000

page read and write

7f5f4d7a2000

page read and write

7f5e48021000

page execute read

7f5f48021000

page read and write

7ffcf99f6000

page execute read

7f5f48021000

page read and write

5647ded12000

page read and write

7f5f4e294000

page read and write

7f5f48021000

page read and write

7f5f48000000

page read and write

7f5e48022000

page read and write

7f5e48023000

page read and write

7f5f4e2d9000

page read and write

7f5e48022000

page read and write

7f5f4d7a2000

page read and write

7ffcf99f6000

page execute read

7f5e48022000

page read and write

7f5f4e2d9000

page read and write

7ffcf99e8000

page read and write

7f5f4de18000

page read and write

7f5f4cf91000

page read and write

7f5f4da31000

page read and write

7f5f4e163000

page read and write

5647ded12000

page read and write

7f5f4cf91000

page read and write

7f5f4e163000

page read and write

7f5f4da31000

page read and write

5647ded12000

page read and write

7f5f4e28c000

page read and write

5647dbf48000

page read and write

5647dbf51000

page read and write

7ffcf99e8000

page read and write

5647ddf66000

page read and write

7f5e48021000

page execute read

7ffcf99e8000

page read and write

7f5f4e28c000

page read and write

5647dbf48000

page read and write

7f5f4cf91000

page read and write

5647dbf51000

page read and write

5647dbd1a000

page execute read

7f5f4e294000

page read and write

5647dbd1a000

page execute read

7f5f48000000

page read and write

7f5f48000000

page read and write

There are 59 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
bezWhgH7DL.elf

Files

Processes

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportbezWhgH7DL.elf

Files

Processes

Domains

IPs

Memdumps

IOC Report
bezWhgH7DL.elf