Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

T8gCMqaA72.elf

ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, with debug_info, not stripped

initial sample

Details

Filetype:	ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, with debug_info, not stripped
Entropy:	5.989800720284336
Filename:	T8gCMqaA72.elf
Filesize:	127170
MD5:	30a33e0bd5241ce82c2620dc887ed4f5
SHA1:	8f7e946ffeb2233b0c5968ee690a38c0cf349c9a
SHA256:	c1c0c3f6b34b74957cae48904043931675d1c3e0d3606dc791083263938978db
SHA512:	2ecca0cc55d269679b896be1bb2be87300be80e7b2bcc2f55a115c31944ac2332591f8225d8ecc7cb8391afbe059f26f2d380741e89c9f446b67ec485c033db4
SSDEEP:	3072:EOqwW3NEI4VvLiphaH9HcIqmPwAw85YIn:tq/qvLiphaH9HBqmPwAw8CIn
Preview:	.ELF...........................4...$.....4. ...(......................yL..yL...........................t..v................H...H...H................dt.Q................................@..(....@.L.................#.....ax..`.....!....."`..@.....".........`

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Opens /proc/net/* files useful for finding connected devices and routers	Spreading	Remote System Discovery
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion
Yara signature match	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
URLs found in memory or binary data	Networking

/tmp/qemu-open.nKkZ9i (deleted)

ASCII text

dropped

Details

File:	/tmp/qemu-open.nKkZ9i (deleted)
Category:	dropped
Dump:	qemu-open.nKkZ9i (deleted).12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/T8gCMqaA72.elf
Type:	ASCII text
Entropy:	3.709552666863289
Encrypted:	false
Ssdeep:	6:iekrEcvwAsE5KlwSd4pzKaV6Lpms/a/1VCxGF:ur+m5MwSdIKaV6L1adVRF
Size:	230
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

/tmp/T8gCMqaA72.elf

URLs

Name

Malicious

http://www.billybobbot.com/crawler/)

unknown

Details

Name:	http://www.billybobbot.com/crawler/)
TargetID:	12
From Memory:	true
Current Path:	/tmp/T8gCMqaA72.elf
Source:	T8gCMqaA72.elf

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection
URLs found in memory or binary data	Networking

95.174.91.180:4258

Details

Name:	95.174.91.180:4258
TargetID:	0
From Memory:	false
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

http://www.baidu.com/search/spider.html)

unknown

http://fast.no/support/crawler.asp)

unknown

http://feedback.redkolibri.com/

unknown

http://www.baidu.com/search/spider.htm)

unknown

Domains

Name

Malicious

daisy.ubuntu.com

162.213.35.24

Details

Name:	daisy.ubuntu.com
IP:	162.213.35.24
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

95.174.91.180

unknown

Russian Federation

Details

IP:	95.174.91.180
TargetID:	-1
Country:	Russian Federation
Countrycode:	RUS
ASN number:	44053
ASN name:	UNILINK-ASRU
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7f2450029000

page execute read

7f2450029000

page execute read

7f2555abe000

page read and write

55a5d0051000

page read and write

7f2554fcc000

page read and write

55a5d2058000

page execute and read and write

7f2550021000

page read and write

7f245003a000

page read and write

7f2450042000

page read and write

7f2555642000

page read and write

7ffe52ce1000

page read and write

7ffe52d40000

page execute read

7f25547bb000

page read and write

55a5d005a000

page read and write

7f2555642000

page read and write

7f255525b000

page read and write

55a5d39b9000

page read and write

7f2555abe000

page read and write

7f25547bb000

page read and write

55a5d206f000

page read and write

7f255561d000

page read and write

55a5d0051000

page read and write

7f245003a000

page read and write

7f255598d000

page read and write

55a5d206f000

page read and write

55a5cfe23000

page execute read

7f255598d000

page read and write

7ffe52ce1000

page read and write

7f2550021000

page read and write

55a5d005a000

page read and write

7f2554fbe000

page read and write

7f2555b03000

page read and write

7f255561d000

page read and write

7f2554fbe000

page read and write

7f255525b000

page read and write

7f2550000000

page read and write

7f2555b03000

page read and write

55a5d2058000

page execute and read and write

55a5cfe23000

page execute read

7f2555ab6000

page read and write

55a5d39b9000

page read and write

7f2554fcc000

page read and write

7f2555ab6000

page read and write

7f2550000000

page read and write

7f2450042000

page read and write

7ffe52d40000

page execute read

There are 36 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
T8gCMqaA72.elf

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportT8gCMqaA72.elf

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
T8gCMqaA72.elf