Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

beamer.arm-20211202-2350

ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped

initial sample

/var/cache/man/5250

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/cs/5250

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/cs/index.db.fn15fc

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/da/5250

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/da/index.db.29BtKb

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/de/5250

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/de/index.db.gH21xc

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/es/5250

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/es/index.db.fAEwF9

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/fi/5250

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/fi/index.db.AP6Pmb

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/fr.ISO8859-1/5250

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/fr.ISO8859-1/index.db.bJYhHb

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/fr.UTF-8/5250

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/fr.UTF-8/index.db.QCDdtd

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/fr/5250

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/fr/index.db.NxOGsa

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/hu/5250

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/hu/index.db.jvKUBb

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/id/5250

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/id/index.db.qn4Tcb

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/index.db.xplKtd

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/it/5250

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/it/index.db.J7YTPc

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/ja/5250

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/ja/index.db.prEO39

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/ko/5250

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/ko/index.db.6pReY8

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/nl/5250

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/nl/index.db.yxqfJc

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/pl/5250

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/pl/index.db.Hh43bc

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/pt/5250

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/pt/index.db.reUf8c

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/pt_BR/5250

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/pt_BR/index.db.PERBF9

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/ru/5250

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/ru/index.db.O1FsDa

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/sl/5250

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/sl/index.db.tpVQ1b

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/sr/5250

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/sr/index.db.677rJ9

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/sv/5250

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/sv/index.db.A73Bmc

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/tr/5250

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/tr/index.db.c1Jold

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/zh_CN/5250

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/zh_CN/index.db.lveJjb

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/zh_TW/5250

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/zh_TW/index.db.uAt44b

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/motd-news

ASCII text

dropped

/var/lib/logrotate/status.tmp

ASCII text

dropped

/var/log/cups/access_log.1.gz

gzip compressed data, last modified: Thu Dec 2 23:51:57 2021, from Unix

dropped

/var/log/syslog.1.gz

gzip compressed data, last modified: Thu Dec 2 23:51:57 2021, from Unix

dropped

There are 45 hidden files, click here to show them.

Processes

Path

Cmdline

Malicious

/usr/lib/systemd/systemd

n/a

/usr/sbin/logrotate

/usr/sbin/logrotate /etc/logrotate.conf

/usr/sbin/logrotate

n/a

/bin/gzip

/usr/sbin/logrotate

n/a

/bin/sh

sh -c "\n\t\tinvoke-rc.d --quiet cups restart > /dev/null\n" logrotate_script "/var/log/cups/*log "

/bin/sh

n/a

/usr/sbin/invoke-rc.d

invoke-rc.d --quiet cups restart

/usr/sbin/invoke-rc.d

n/a

/sbin/runlevel

/usr/sbin/invoke-rc.d

n/a

/usr/bin/systemctl

systemctl --quiet is-enabled cups.service

/usr/sbin/invoke-rc.d

n/a

/usr/bin/ls

ls /etc/rc[S2345].d/S[0-9][0-9]cups

/usr/sbin/invoke-rc.d

n/a

/usr/bin/systemctl

systemctl --quiet is-active cups.service

/usr/sbin/logrotate

n/a

/bin/gzip

/usr/sbin/logrotate

n/a

/bin/sh

sh -c /usr/lib/rsyslog/rsyslog-rotate logrotate_script /var/log/syslog

/bin/sh

n/a

/usr/lib/rsyslog/rsyslog-rotate

n/a

/usr/bin/systemctl

systemctl kill -s HUP rsyslog.service

/usr/lib/systemd/systemd

n/a

/usr/bin/install

/usr/bin/install -d -o man -g man -m 0755 /var/cache/man

/usr/lib/systemd/systemd

n/a

/usr/bin/find

/usr/bin/find /var/cache/man -type f -name *.gz -atime +6 -delete

/usr/lib/systemd/systemd

n/a

/usr/bin/mandb

/usr/bin/mandb --quiet

/tmp/beamer.arm-20211202-2350

n/a

/tmp/beamer.arm-20211202-2350

n/a

/tmp/beamer.arm-20211202-2350

n/a

/usr/bin/dash

n/a

/usr/bin/cat

cat /tmp/tmp.VpwDfjvPut

/usr/bin/dash

n/a

/usr/bin/head

head -n 10

/usr/bin/dash

n/a

/usr/bin/tr

tr -d \\000-\\011\\013\\014\\016-\\037

/usr/bin/dash

n/a

/usr/bin/cut

cut -c -80

/usr/bin/dash

n/a

/usr/bin/cat

cat /tmp/tmp.VpwDfjvPut

/usr/bin/dash

n/a

/usr/bin/head

head -n 10

/usr/bin/dash

n/a

/usr/bin/tr

tr -d \\000-\\011\\013\\014\\016-\\037

/usr/bin/dash

n/a

/usr/bin/cut

cut -c -80

/usr/bin/dash

n/a

/usr/bin/rm

rm -f /tmp/tmp.VpwDfjvPut /tmp/tmp.4A4ent7tJV /tmp/tmp.Z371bNX7Cf

There are 42 hidden processes, click here to show them.

URLs

Name

Malicious

https://ubuntu.com/blog/microk8s-memory-optimisation

unknown

Details

Name:	https://ubuntu.com/blog/microk8s-memory-optimisation
TargetID:	56
From Memory:	true
Current Path:	/usr/bin/cut
Source:	motd-news.56.dr
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

45.134.225.20

unknown

Germany

Details

IP:	45.134.225.20
TargetID:	-1
Country:	Germany
Countrycode:	DEU
ASN number:	203380
ASN name:	DAINTERNATIONALGROUPGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
Connects to IPs without corresponding DNS lookups	Networking

34.249.145.219

unknown

United States

Details

IP:	34.249.145.219
TargetID:	-1
Country:	United States
Countrycode:	USA
ASN number:	16509
ASN name:	AMAZON-02US
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

109.202.202.202

unknown

Switzerland

Details

IP:	109.202.202.202
TargetID:	-1
Country:	Switzerland
Countrycode:	CHE
ASN number:	13030
ASN name:	INIT7CH
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.43

unknown

United Kingdom

Details

IP:	91.189.91.43
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.42

unknown

United Kingdom

Details

IP:	91.189.91.42
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report

Files

Processes

URLs

IPs