Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

ntpd

ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped

initial sample

Details

Filetype:	ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped
Entropy:	5.043135616657196
Filename:	ntpd
Filesize:	119167
MD5:	bc8137a7fddaa5ae9b9e38ac8fa4a92d
SHA1:	d2133f4ed241159bf1d9ce02a702a9b61f424680
SHA256:	9e512c9f31a19bb2efc1e772d210602b3f383d55cb758bdffc408e80801256f5
SHA512:	feeb43226d2bdbe6a760074ed6db8bad8140bbf0e306f12161def13daee36d2031f64170df13544bba0b65bbabc6d4ec59094a847d773a63991f363416687387
SSDEEP:	1536:/VNy7KEv/VdKnJVIsER/NdhkFGXYQ7/2rKoPFnXoOIeEeFlBEDvA075e+vg8:q3yiz4XoOIe7BMnI8
Preview:	.ELF.....................@.....4...<.....4. ...(....p........@...@...........................@...@....YD..YD..............`..E`..E`....t..j8........dt.Q.................................................E.P<...'......!'.......................<...'..`...!...

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Opens /proc/net/* files useful for finding connected devices and routers	Spreading	Remote System Discovery
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
URLs found in memory or binary data	Networking

/tmp/qemu-open.xqNPAW (deleted)

ASCII text

dropped

Details

File:	/tmp/qemu-open.xqNPAW (deleted)
Category:	dropped
Dump:	qemu-open.xqNPAW (deleted).10.dr
ID:	dr_0
Target ID:	10
Process:	/tmp/ntpd
Type:	ASCII text
Entropy:	3.709552666863289
Encrypted:	false
Ssdeep:	6:iekrEcvwAsE5KlwSd4pzKaV6Lpms/a/1VCxGF:ur+m5MwSdIKaV6L1adVRF
Size:	230
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

/tmp/ntpd

n/a

/tmp/ntpd

n/a

/tmp/ntpd

n/a

/tmp/ntpd

n/a

/tmp/ntpd

n/a

URLs

Name

Malicious

http://45.95.55.12/bins.sh;

unknown

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
ntpd

Files

Processes

URLs

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportntpd

Files

Processes

URLs

IOC Report
ntpd