IOC Report
VefqQeU0Xt

Files

File Path

Type

Category

Malicious

VefqQeU0Xt

ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped

initial sample

Details

Filetype:	ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
Entropy:	5.802220381620875
Filename:	VefqQeU0Xt
Filesize:	37884
MD5:	b8ec31b1eff948abc9e797eb796d10cb
SHA1:	5590da71a98232aa873143780f4f9e36e1a8359a
SHA256:	f67ac47d33f3681cd957585c4338c43e939eb5fc0d8da4ac84aa33ccf52fcb1e
SHA512:	43662da6d6b544a3e34409b1e52f0147a4f74a27e3592d057f3913e888001ba1c8e8f2322ccd87eab2a56ff7d5926431d603b9be1807f68133b5a03ef8b43b0c
SSDEEP:	768:ZUcgPbzj5HoD2ogElo5fEFUsduP5KZ7m8LIZkk:Gcg8oDfYduxy7x
Preview:	.ELF...a..........(.........4...l.......4. ...(.....................................................,...............Q.td..................................-...L.".... ..........0@-.\P...0....S.0...P@...0... ....R......0...0...........0... ....R..... 0....S

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Sample listens on a socket	Networking
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery

/tmp/tmp.EQLgjCNBFD

ASCII text

dropped

Details

File:	/tmp/tmp.EQLgjCNBFD
Category:	dropped
Dump:	tmp.EQLgjCNBFD.48.dr
ID:	dr_2
Target ID:	48
Process:	/usr/bin/wget
Type:	ASCII text
Entropy:	4.515771857099866
Encrypted:	false
Ssdeep:	3:P2lnI+5MsqqzNLz+FRNScHUBfRau95++sZzR5woLB1Fh0VTGTl/X5kURn:OZ8uNLzDc0pR75+9Zz/woFmIT52URn
Size:	191
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Executes the "rm" command used to delete files or directories	Persistence and Installation Behavior	File Deletion

/tmp/tmp.ONisxp5pqw

UTF-8 Unicode text

dropped

Details

File:	/tmp/tmp.ONisxp5pqw
Category:	dropped
Dump:	tmp.ONisxp5pqw.48.dr
ID:	dr_1
Target ID:	48
Process:	/usr/bin/wget
Type:	UTF-8 Unicode text
Entropy:	4.945181413004465
Encrypted:	false
Ssdeep:	6:HXB9GAYLEHKLG13/3xg7F/uZCHKLGZgM/Tt5RhgZDl7jzisnfJvXWG9iFua4kpa5:HRoTL6OM48QTt5Rh0isBPWGwzG
Size:	494
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Executes the "rm" command used to delete files or directories	Persistence and Installation Behavior	File Deletion

/tmp/tmp.ZtXsY8H9DY

ASCII text

dropped

Details

File:	/tmp/tmp.ZtXsY8H9DY
Category:	dropped
Dump:	tmp.ZtXsY8H9DY.37.dr
ID:	dr_0
Target ID:	37
Process:	/usr/bin/cloud-id
Type:	ASCII text
Entropy:	1.9219280948873623
Encrypted:	false
Ssdeep:	3:x:x
Size:	5
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Executes the "rm" command used to delete files or directories	Persistence and Installation Behavior	File Deletion

/var/cache/motd-news

ASCII text

dropped

Details

File:	/var/cache/motd-news
Category:	dropped
Dump:	motd-news.70.dr
ID:	dr_3
Target ID:	70
Process:	/usr/bin/cut
Type:	ASCII text
Entropy:	4.515771857099866
Encrypted:	false
Ssdeep:	3:P2lnI+5MsqqzNLz+FRNScHUBfRau95++sZzR5woLB1Fh0VTGTl/X5kURn:OZ8uNLzDc0pR75+9Zz/woFmIT52URn
Size:	191
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

/usr/lib/systemd/systemd

n/a

/etc/update-motd.d/50-motd-news

/etc/update-motd.d/50-motd-news --force

/etc/update-motd.d/50-motd-news

n/a

/usr/bin/mktemp

mktemp

/etc/update-motd.d/50-motd-news

n/a

/usr/bin/mktemp

mktemp

/etc/update-motd.d/50-motd-news

n/a

/usr/bin/mktemp

mktemp

/etc/update-motd.d/50-motd-news

n/a

/etc/update-motd.d/50-motd-news

n/a

/usr/bin/dpkg

dpkg -l wget

/usr/bin/dpkg-query

dpkg-query --list -- wget

/etc/update-motd.d/50-motd-news

n/a

/usr/bin/awk

awk "$1 == \"ii\" { print($3); exit(0); }"

/etc/update-motd.d/50-motd-news

n/a

/etc/update-motd.d/50-motd-news

n/a

/etc/update-motd.d/50-motd-news

n/a

/usr/bin/sed

sed -e "s/ /\\//g"

/etc/update-motd.d/50-motd-news

n/a

/usr/bin/uname

uname -o

/etc/update-motd.d/50-motd-news

n/a

/usr/bin/uname

uname -r

/etc/update-motd.d/50-motd-news

n/a

/usr/bin/uname

uname -m

/etc/update-motd.d/50-motd-news

n/a

/usr/bin/uname

uname -m

/etc/update-motd.d/50-motd-news

n/a

/etc/update-motd.d/50-motd-news

n/a

/usr/bin/grep

grep -m1 "^model name" /proc/cpuinfo

/etc/update-motd.d/50-motd-news

n/a

/usr/bin/sed

sed -e "s/.*: //" -e s:\\s\\+:/:g

/etc/update-motd.d/50-motd-news

n/a

/usr/bin/cloud-id

/usr/bin/cloud-id

/usr/bin/cloud-id

n/a

/usr/bin/uname

uname -p

/etc/update-motd.d/50-motd-news

n/a

/etc/update-motd.d/50-motd-news

n/a

/usr/bin/cut

cut -c -40 /tmp/tmp.ZtXsY8H9DY

/etc/update-motd.d/50-motd-news

n/a

/usr/bin/tr

tr -c -d [:alnum:]

/etc/update-motd.d/50-motd-news

n/a

/usr/bin/wget

wget --timeout 60 -U "wget/1.20.3-1ubuntu1 Ubuntu/20.04.2/LTS GNU/Linux/5.4.0-72-generic/x86_64 Intel(R)/Xeon(R)/Silver/4210/CPU/@/2.20GHz cloud_id/none" -O- --content-on-error https://motd.ubuntu.com

/etc/update-motd.d/50-motd-news

n/a

/usr/bin/cat

cat /tmp/tmp.EQLgjCNBFD

/etc/update-motd.d/50-motd-news

n/a

/usr/bin/head

head -n 10

/etc/update-motd.d/50-motd-news

n/a

/usr/bin/tr

tr -d \\000-\\011\\013\\014\\016-\\037

/etc/update-motd.d/50-motd-news

n/a

/usr/bin/cut

cut -c -80

/etc/update-motd.d/50-motd-news

n/a

/usr/bin/cat

cat /tmp/tmp.EQLgjCNBFD

/etc/update-motd.d/50-motd-news

n/a

/usr/bin/head

head -n 10

/etc/update-motd.d/50-motd-news

n/a

/usr/bin/tr

tr -d \\000-\\011\\013\\014\\016-\\037

/etc/update-motd.d/50-motd-news

n/a

/usr/bin/cut

cut -c -80

/etc/update-motd.d/50-motd-news

n/a

/usr/bin/rm

rm -f /tmp/tmp.EQLgjCNBFD /tmp/tmp.ONisxp5pqw /tmp/tmp.ZtXsY8H9DY

/tmp/VefqQeU0Xt

/tmp/VefqQeU0Xt

/tmp/VefqQeU0Xt

n/a

/tmp/VefqQeU0Xt

n/a

There are 53 hidden processes, click here to show them.

URLs

Name

IP

Malicious

https://motd.ubuntu.com/

unknown

https://ubuntu.com/blog/microk8s-memory-optimisation

unknown

IPs

IP

Domain

Country

Malicious

98.205.175.119

unknown

United States

74.105.231.151

unknown

United States

15.142.60.68

unknown

United States

56.101.167.101

unknown

United States

21.86.198.60

unknown

United States

126.47.246.73

unknown

Japan

128.5.96.104

unknown

United States

92.210.207.233

unknown

Germany

251.38.253.40

unknown

Reserved

209.31.34.220

unknown

United States

189.138.184.246

unknown

Mexico

79.115.120.145

unknown

Romania

115.35.234.224

unknown

China

179.52.79.6

unknown

Dominican Republic

44.60.239.46

unknown

United States

175.36.15.194

unknown

Australia

217.151.153.64

unknown

Germany

47.190.69.170

unknown

United States

242.80.21.17

unknown

Reserved

1.45.73.121

unknown

China

43.106.254.183

unknown

Japan

188.54.137.99

unknown

Saudi Arabia

89.164.32.20

unknown

Croatia (LOCAL Name: Hrvatska)

251.176.62.50

unknown

Reserved

169.205.233.129

unknown

United States

199.241.205.94

unknown

United States

107.72.240.241

unknown

United States

180.63.191.8

unknown

Japan

15.196.180.215

unknown

United States

152.120.53.132

unknown

United States

66.186.165.62

unknown

United States

188.194.118.74

unknown

Germany

146.189.60.206

unknown

United States

15.152.172.29

unknown

United States

61.235.174.146

unknown

China

12.245.37.186

unknown

United States

151.65.106.122

unknown

Italy

106.162.29.233

unknown

Japan

66.1.102.108

unknown

United States

220.249.23.189

unknown

China

167.8.217.28

unknown

United States

48.184.111.104

unknown

United States

197.132.217.115

unknown

Egypt

169.202.199.165

unknown

South Africa

182.82.174.104

unknown

China

134.18.244.239

unknown

Australia

196.247.60.225

unknown

Seychelles

145.131.223.72

unknown

Netherlands

91.44.2.107

unknown

Germany

86.86.132.45

unknown

Netherlands

112.20.205.10

unknown

China

199.209.36.222

unknown

United States

134.12.55.229

unknown

United States

157.168.230.20

unknown

Switzerland

253.216.122.239

unknown

Reserved

131.127.120.80

unknown

United States

166.146.116.6

unknown

United States

153.15.14.86

unknown

Norway

53.193.209.203

unknown

Germany

58.167.228.180

unknown

Australia

177.72.19.16

unknown

unknown

80.33.186.77

unknown

Spain

212.137.210.222

unknown

United Kingdom

203.137.219.160

unknown

Japan

212.222.240.70

unknown

United Kingdom

69.181.177.29

unknown

United States

152.130.163.46

unknown

United States

17.3.87.29

unknown

United States

217.46.188.101

unknown

United Kingdom

27.59.44.110

unknown

India

65.13.253.121

unknown

United States

56.25.161.4

unknown

United States

1.119.157.21

unknown

China

184.118.230.138

unknown

United States

193.207.211.160

unknown

Italy

204.235.126.14

unknown

United States

119.90.12.105

unknown

China

61.130.143.143

unknown

China

57.254.163.62

unknown

Belgium

22.180.220.222

unknown

United States

22.216.57.76

unknown

United States

200.19.1.255

unknown

Brazil

130.41.40.1

unknown

United States

16.128.90.16

unknown

United States

18.232.167.114

unknown

United States

129.234.12.157

unknown

United Kingdom

211.127.141.254

unknown

Japan

218.69.20.117

unknown

China

133.59.142.56

unknown

Japan

11.226.204.223

unknown

United States

48.166.50.111

unknown

United States

84.185.121.75

unknown

Germany

3.89.7.218

unknown

United States

161.81.250.8

unknown

Hong Kong

59.55.32.214

unknown

China

150.223.227.59

unknown

China

54.2.225.241

unknown

United States

240.253.190.20

unknown

Reserved

75.179.52.87

unknown

United States

27.167.147.1

unknown

Korea Republic of

There are 90 hidden IPs, click here to show them.