Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

UnHAnaAW.x86

ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped

initial sample

Details

Filetype:	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
Entropy:	6.372181051106509
Filename:	UnHAnaAW.x86
Filesize:	74512
MD5:	2fbd7450e710106e40f973c15359d94a
SHA1:	981cf3e75f770741b2c8287fd080e0bdd31b17f2
SHA256:	f28f21fb731b222ba26788a21c5d8f9547c55e3a1703204fb634c7cdf12f75b4
SHA512:	5098684ea0b96cd2e663374b7eee3fdece6170c6eca0edecd7e11f17eb198cd97191c572a8e8aeb0876cc8a99ce45962ee82d55ab5baa5ea3cf78a5beecf76e8
SSDEEP:	1536:zyJOnlDu2LkjVvUPYDaGiYPnvMqOyJTtWtSM0dsjB6CifGqhKlK9m8C9nndN:zyJOnlDu2LkjVvUPcSUnk1SZdsjflHl9
Preview:	.ELF....................d...4....!......4. ...(.....................`...`................ ..........@...............Q.td............................U..S.......w....h....#...[]...$.............U......=@....t..5....$......$.......u........t....h`...........

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Sample tries to kill multiple processes (SIGKILL)	System Summary
Enumerates processes within the "proc" file system	Persistence and Installation Behavior	OS Credential Dumping
Sample tries to kill a process (SIGKILL)	System Summary
URLs found in memory or binary data	Networking

/var/cache/motd-news

ASCII text

dropped

Details

File:	/var/cache/motd-news
Category:	dropped
Dump:	motd-news.17.dr
ID:	dr_0
Target ID:	17
Process:	/usr/bin/cut
Type:	ASCII text
Entropy:	4.515771857099866
Encrypted:	false
Ssdeep:	3:P2lnI+5MsqqzNLz+FRNScHUBfRau95++sZzR5woLB1Fh0VTGTl/X5kURn:OZ8uNLzDc0pR75+9Zz/woFmIT52URn
Size:	191
Whitelisted:	false
Reputation:	moderate

Processes

Path

Cmdline

Malicious

/usr/bin/dash

n/a

/usr/bin/cat

cat /tmp/tmp.zD6SFGNQb7

/usr/bin/dash

n/a

/usr/bin/head

head -n 10

/usr/bin/dash

n/a

/usr/bin/tr

tr -d \\000-\\011\\013\\014\\016-\\037

/usr/bin/dash

n/a

/usr/bin/cut

cut -c -80

/usr/bin/dash

n/a

/usr/bin/cat

cat /tmp/tmp.zD6SFGNQb7

/usr/bin/dash

n/a

/usr/bin/head

head -n 10

/usr/bin/dash

n/a

/usr/bin/tr

tr -d \\000-\\011\\013\\014\\016-\\037

/usr/bin/dash

n/a

/usr/bin/cut

cut -c -80

/usr/bin/dash

n/a

/usr/bin/rm

rm -f /tmp/tmp.zD6SFGNQb7 /tmp/tmp.MPIRMYR9iI /tmp/tmp.rMRfKpgfLJ

/tmp/UnHAnaAW.x86

n/a

/tmp/UnHAnaAW.x86

n/a

/tmp/UnHAnaAW.x86

n/a

/tmp/UnHAnaAW.x86

n/a

/tmp/UnHAnaAW.x86

n/a

/tmp/UnHAnaAW.x86

n/a

/tmp/UnHAnaAW.x86

n/a

/tmp/UnHAnaAW.x86

n/a

/tmp/UnHAnaAW.x86

n/a

There are 18 hidden processes, click here to show them.

URLs

Name

Malicious

http://95.181.161.119/bins/x86

unknown

Details

Name:	http://95.181.161.119/bins/x86
TargetID:	28
From Memory:	true
Current Path:	/tmp/UnHAnaAW.x86
Source:	UnHAnaAW.x86

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking

http://schemas.xmlsoap.org/soap/encoding/

unknown

Details

Name:	http://schemas.xmlsoap.org/soap/encoding/
TargetID:	28
From Memory:	true
Current Path:	/tmp/UnHAnaAW.x86
Source:	UnHAnaAW.x86
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
URLs found in memory or binary data	Networking

http://95.181.161.119/zyxel.sh;

unknown

Details

Name:	http://95.181.161.119/zyxel.sh;
TargetID:	28
From Memory:	true
Current Path:	/tmp/UnHAnaAW.x86
Source:	UnHAnaAW.x86

Signature Hits	Behavior Group	Mitre Attack
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

https://ubuntu.com/blog/microk8s-memory-optimisation

unknown

Details

Name:	https://ubuntu.com/blog/microk8s-memory-optimisation
TargetID:	17
From Memory:	true
Current Path:	/usr/bin/cut
Source:	motd-news.17.dr
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://192.168.0.14:80/cgi-bin/ViewLog.asp

95.214.234.102

Details

Name:	http://192.168.0.14:80/cgi-bin/ViewLog.asp
IP:	95.214.234.102
TargetID:	-1
From Memory:	false
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

http://schemas.xmlsoap.org/soap/envelope/

unknown

Details

Name:	http://schemas.xmlsoap.org/soap/envelope/
TargetID:	28
From Memory:	true
Current Path:	/tmp/UnHAnaAW.x86
Source:	UnHAnaAW.x86
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

183.162.114.95

unknown

China

41.143.204.132

unknown

Morocco

94.81.248.212

unknown

Italy

85.108.172.24

unknown

Turkey

32.108.18.108

unknown

United States

159.210.217.171

unknown

Italy

128.246.74.142

unknown

Germany

85.246.119.54

unknown

Portugal

95.215.48.43

unknown

Ukraine

94.64.142.135

unknown

Greece

205.9.96.150

unknown

United States

161.172.49.137

unknown

United States

31.199.232.10

unknown

Italy

31.100.145.19

unknown

United Kingdom

85.124.31.216

unknown

Austria

95.51.134.80

unknown

Poland

176.252.26.170

unknown

United Kingdom

197.120.220.111

unknown

Egypt

85.157.241.243

unknown

Finland

85.50.194.182

unknown

Spain

31.59.81.101

unknown

Iran (ISLAMIC Republic Of)

112.252.196.37

unknown

China

207.197.18.234

unknown

United States

85.140.83.179

unknown

Russian Federation

220.116.183.170

unknown

Korea Republic of

94.171.13.63

unknown

Netherlands

62.68.231.179

unknown

Egypt

173.214.157.199

unknown

United States

95.217.66.167

unknown

Germany

112.80.112.4

unknown

China

85.119.64.1

unknown

Turkey

112.168.231.13

unknown

Korea Republic of

48.64.241.50

unknown

United States

62.44.89.188

unknown

United Kingdom

85.218.240.62

unknown

Denmark

85.251.57.32

unknown

Spain

171.226.193.180

unknown

Viet Nam

41.206.191.242

unknown

South Africa

31.220.220.243

unknown

United Kingdom

205.162.203.241

unknown

United States

157.121.78.209

unknown

United States

85.112.35.33

unknown

Russian Federation

94.8.166.137

unknown

United Kingdom

197.252.76.136

unknown

Sudan

95.24.169.220

unknown

Russian Federation

85.196.204.174

unknown

Estonia

94.67.223.113

unknown

Greece

64.157.90.134

unknown

United States

85.205.176.70

unknown

Germany

85.206.15.28

unknown

Lithuania

95.28.117.17

unknown

Russian Federation

94.224.166.163

unknown

Belgium

31.14.164.20

unknown

Syrian Arab Republic

95.51.134.96

unknown

Poland

41.245.154.150

unknown

Nigeria

62.39.77.39

unknown

France

62.40.187.78

unknown

Austria

197.103.64.230

unknown

South Africa

156.115.143.157

unknown

Switzerland

136.21.200.189

unknown

United States

31.91.17.4

unknown

United Kingdom

31.161.195.254

unknown

Netherlands

85.64.123.38

unknown

Israel

94.85.243.31

unknown

Italy

212.8.62.189

unknown

Ukraine

95.215.48.60

unknown

Ukraine

95.94.139.71

unknown

Portugal

94.94.61.76

unknown

Italy

146.55.160.218

unknown

United States

31.46.162.107

unknown

Hungary

90.27.204.130

unknown

France

95.111.20.237

unknown

Bulgaria

62.153.147.111

unknown

Germany

31.143.175.13

unknown

Turkey

104.204.57.212

unknown

United States

157.37.178.135

unknown

India

31.66.126.243

unknown

United Kingdom

104.62.108.192

unknown

United States

112.91.103.34

unknown

China

62.235.224.87

unknown

Belgium

107.10.100.22

unknown

United States

38.199.28.199

unknown

United States

167.171.172.39

unknown

United States

184.105.254.45

unknown

United States

78.141.232.146

unknown

Netherlands

94.175.48.233

unknown

United Kingdom

197.173.180.16

unknown

South Africa

216.28.163.240

unknown

United States

88.189.112.235

unknown

France

39.199.223.197

unknown

Indonesia

88.139.140.68

unknown

France

31.61.72.78

unknown

Poland

62.202.185.171

unknown

Switzerland

95.205.130.87

unknown

Sweden

84.188.59.213

unknown

Germany

99.10.28.94

unknown

United States

78.141.232.150

unknown

Netherlands

94.42.225.74

unknown

Poland

31.137.99.217

unknown

Netherlands

157.184.0.159

unknown

United States

There are 90 hidden IPs, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report

Files

Processes

URLs

IPs