Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

z0r0.arm7

ELF 32-bit LSB executable, ARM, EABI4 version 1 (GNU/Linux), statically linked, stripped

initial sample

/var/cache/man/5230

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/cs/5230

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/cs/index.db.ZCcVTE

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/da/5230

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/da/index.db.oJZIzH

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/de/5230

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/de/index.db.UOeQpH

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/es/5230

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/es/index.db.PFMh1F

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/fi/5230

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/fi/index.db.k0WU0D

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/fr.ISO8859-1/5230

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/fr.ISO8859-1/index.db.bczf6E

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/fr.UTF-8/5230

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/fr.UTF-8/index.db.04bzBE

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/fr/5230

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/fr/index.db.DHaOOH

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/hu/5230

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/hu/index.db.87moQE

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/id/5230

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/id/index.db.LIZ3aH

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/index.db.MpWjnE

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/it/5230

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/it/index.db.PvTnTD

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/ja/5230

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/ja/index.db.rb0OgH

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/ko/5230

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/ko/index.db.KU3lGH

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/nl/5230

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/nl/index.db.vCHDAG

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/pl/5230

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/pl/index.db.pGmGPH

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/pt/5230

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/pt/index.db.SE4SoH

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/pt_BR/5230

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/pt_BR/index.db.M7bnKH

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/ru/5230

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/ru/index.db.LNByAG

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/sl/5230

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/sl/index.db.FqxkzH

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/sr/5230

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/sr/index.db.jghL1G

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/sv/5230

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/sv/index.db.7Z4gNE

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/tr/5230

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/tr/index.db.vdr98F

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/zh_CN/5230

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/zh_CN/index.db.FpJ8lG

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/zh_TW/5230

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/cache/man/zh_TW/index.db.wczTAG

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

/var/lib/logrotate/status.tmp

ASCII text

dropped

/var/log/cups/access_log.1.gz

gzip compressed data, last modified: Fri Jan 28 23:10:30 2022, from Unix

dropped

/var/log/syslog.1.gz

gzip compressed data, last modified: Fri Jan 28 23:10:30 2022, from Unix

dropped

There are 44 hidden files, click here to show them.

Processes

Path

Cmdline

Malicious

/usr/lib/systemd/systemd

n/a

/usr/sbin/logrotate

/usr/sbin/logrotate /etc/logrotate.conf

/usr/sbin/logrotate

n/a

/bin/gzip

/usr/sbin/logrotate

n/a

/bin/sh

sh -c "\n\t\tinvoke-rc.d --quiet cups restart > /dev/null\n" logrotate_script "/var/log/cups/*log "

/bin/sh

n/a

/usr/sbin/invoke-rc.d

invoke-rc.d --quiet cups restart

/usr/sbin/invoke-rc.d

n/a

/sbin/runlevel

/usr/sbin/invoke-rc.d

n/a

/usr/bin/systemctl

systemctl --quiet is-enabled cups.service

/usr/sbin/invoke-rc.d

n/a

/usr/bin/ls

ls /etc/rc[S2345].d/S[0-9][0-9]cups

/usr/sbin/invoke-rc.d

n/a

/usr/bin/systemctl

systemctl --quiet is-active cups.service

/usr/sbin/logrotate

n/a

/bin/gzip

/usr/sbin/logrotate

n/a

/bin/sh

sh -c /usr/lib/rsyslog/rsyslog-rotate logrotate_script /var/log/syslog

/bin/sh

n/a

/usr/lib/rsyslog/rsyslog-rotate

n/a

/usr/bin/systemctl

systemctl kill -s HUP rsyslog.service

/usr/lib/systemd/systemd

n/a

/usr/bin/install

/usr/bin/install -d -o man -g man -m 0755 /var/cache/man

/usr/lib/systemd/systemd

n/a

/usr/bin/find

/usr/bin/find /var/cache/man -type f -name *.gz -atime +6 -delete

/usr/lib/systemd/systemd

n/a

/usr/bin/mandb

/usr/bin/mandb --quiet

/tmp/z0r0.arm7

There are 21 hidden processes, click here to show them.

URLs

Name

Malicious

http://upx.sf.net

unknown

Details

Name:	http://upx.sf.net
TargetID:	40
From Memory:	true
Current Path:	/tmp/z0r0.arm7
Source:	z0r0.arm7
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Sample is packed with UPX	Data Obfuscation	Obfuscated Files or Information
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

109.202.202.202

unknown

Switzerland

Details

IP:	109.202.202.202
TargetID:	-1
Country:	Switzerland
Countrycode:	CHE
ASN number:	13030
ASN name:	INIT7CH
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.43

unknown

United Kingdom

Details

IP:	91.189.91.43
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.42

unknown

United Kingdom

Details

IP:	91.189.91.42
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report

Files

Processes

URLs

IPs