Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

mzdWUcvUU2.elf

ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped

initial sample

Details

Filetype:	ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped
Entropy:	5.353119921997735
Filename:	mzdWUcvUU2.elf
Filesize:	181137
MD5:	e4a521fa4ced1859f5f853271a22fb3c
SHA1:	c75ccbbe2b7d0e3db5e87b73e606159c14c53ff7
SHA256:	b0c23a25a0eba05d0bb0c947e0badfc10b67b7f00ce4020fa0c3c43f85e5b3a4
SHA512:	43c07f6360642b739569d78630f80a6e6403f155daed4e27fed3118ffe8f0d552928fcd8cdcdf1ac1706f47d9314a51ff1b3c5fd856b85994f641cb3190663f2
SSDEEP:	3072:PKn3FSO7m16k9DfF1sHEENZYuW3amB0v4vnaNu:ynmgXNZY3qmB0v4vnaNu
Preview:	.ELF.....................@.....4..]......4. ...(....p........@...@...........................@...@........................ ..C ..C .......\|p.............. D.C D.C D................dt.Q.................................................C.0<...'..D...!'......

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Opens /proc/net/* files useful for finding connected devices and routers	Spreading	Remote System Discovery
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion
Yara signature match	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery

/tmp/qemu-open.veEX00 (deleted)

ASCII text

dropped

Details

File:	/tmp/qemu-open.veEX00 (deleted)
Category:	dropped
Dump:	qemu-open.veEX00 (deleted).16.dr
ID:	dr_0
Target ID:	16
Process:	/tmp/mzdWUcvUU2.elf
Type:	ASCII text
Entropy:	3.709552666863289
Encrypted:	false
Ssdeep:	6:iekrEcvwAsE5KlwSd4pzKaV6Lpms/a/1VCxGF:ur+m5MwSdIKaV6L1adVRF
Size:	230
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

/usr/bin/dash

/usr/bin/rm

rm -f /tmp/tmp.rvUodmgBFz /tmp/tmp.kbcm3CnpXc /tmp/tmp.ntMrqaC4IJ

/usr/bin/dash

/usr/bin/rm

rm -f /tmp/tmp.rvUodmgBFz /tmp/tmp.kbcm3CnpXc /tmp/tmp.ntMrqaC4IJ

/tmp/mzdWUcvUU2.elf

IPs

Domain

Country

Malicious

109.202.202.202

unknown

Switzerland

Details

IP:	109.202.202.202
TargetID:	-1
Country:	Switzerland
Countrycode:	CHE
ASN number:	13030
ASN name:	INIT7CH
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

64.23.184.217

unknown

United States

Details

IP:	64.23.184.217
TargetID:	-1
Country:	United States
Countrycode:	USA
ASN number:	3064
ASN name:	AFFINITY-FTLUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.43

unknown

United Kingdom

Details

IP:	91.189.91.43
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.42

unknown

United Kingdom

Details

IP:	91.189.91.42
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7f148c422000

page execute read

7f148c422000

page execute read

7f148c422000

page execute read

55846e3c4000

page read and write

7f15135c4000

page read and write

7f1513c47000

page read and write

7f15135c4000

page read and write

7f1513b16000

page read and write

7f15135e7000

page read and write

7f1513935000

page read and write

7f1513604000

page read and write

7f1512f73000

page read and write

7ffd520e3000

page read and write

7f1513935000

page read and write

5584703c2000

page execute and read and write

7f1512f73000

page read and write

7f1513c8c000

page read and write

7f1512f65000

page read and write

7f1512f73000

page read and write

5584703d9000

page read and write

55846e3c4000

page read and write

55846e3ba000

page read and write

5584703c2000

page execute and read and write

7f150c000000

page read and write

7ffd520e3000

page read and write

7ffd5215e000

page execute read

7f148c433000

page read and write

55846e3ba000

page read and write

558470b9c000

page read and write

7ffd5215e000

page execute read

7f1513223000

page read and write

7f15135c4000

page read and write

7f1513c3f000

page read and write

7f1513c8c000

page read and write

7f1513c3f000

page read and write

7f148c433000

page read and write

7f1513223000

page read and write

55846e132000

page execute read

7f15135e7000

page read and write

7f150c021000

page read and write

7f1513604000

page read and write

7f151275d000

page read and write

7f148c433000

page read and write

5584703d9000

page read and write

558470bbd000

page read and write

558470b9c000

page read and write

55846e3c4000

page read and write

7f1513604000

page read and write

7f148c43c000

page read and write

55846e3ba000

page read and write

7f1513c47000

page read and write

7f1513b16000

page read and write

7f15135e7000

page read and write

7f1513223000

page read and write

5584703c2000

page execute and read and write

55846e132000

page execute read

7f1512f65000

page read and write

55846e132000

page execute read

7f148c43c000

page read and write

7f1512f65000

page read and write

7f1513c3f000

page read and write

7f150c021000

page read and write

7f1513935000

page read and write

558470bbd000

page read and write

7f148c43c000

page read and write

7f150c000000

page read and write

7f1513c47000

page read and write

7f1513c8c000

page read and write

558470bbd000

page read and write

7f151275d000

page read and write

7f150c000000

page read and write

7f1513b16000

page read and write

7f151275d000

page read and write

7ffd5215e000

page execute read

7f150c021000

page read and write

7ffd520e3000

page read and write

5584703d9000

page read and write

There are 67 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
mzdWUcvUU2.elf

Files

Processes

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportmzdWUcvUU2.elf

Files

Processes

IPs

Memdumps

IOC Report
mzdWUcvUU2.elf