Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Okami.mpsl.elf

ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped

initial sample

Details

Filetype:	ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped
Entropy:	5.298637045513686
Filename:	Okami.mpsl.elf
Filesize:	123181
MD5:	d3c1576e00d018c435e91dbe60b7a9d8
SHA1:	a530409f62ff404a5eaa907240199ae4732d9ec3
SHA256:	82d7788bd1812486f4f18c2917a3507ee90396389a9f801d97087be6ce60338b
SHA512:	071c4c5e8b0a25edc134fe0aa596e862859c44ea4129fcc6368dab30ed60822e8f70f891bafd19952de20745b42a230aa190cbb08487366a338627b94c3db59f
SSDEEP:	3072:lK0Q5Y/cz+oJ5hrqh7BAzRPRx9Fq51uUOypn:lK6/cCoJ5hW12zRPRx9Fq51uUOypn
Preview:	.ELF......................@.4...........4. ...(........p......@...@...........................@...@.(T..(T...............`...`E..`E......m..........Q.td..................................................E....<...'!......'.......................<...'!... ..

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
Yara signature match	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
Sample and/or dropped files contains symbols with file path information	System Summary
URLs found in memory or binary data	Networking

/run/systemd/resolve/stub-resolv.conf

ASCII text

dropped

Details

File:	/run/systemd/resolve/stub-resolv.conf
Category:	dropped
Dump:	stub-resolv.conf.15.dr
ID:	dr_0
Target ID:	15
Process:	/tmp/Okami.mpsl.elf
Type:	ASCII text
Entropy:	3.3918926446809334
Encrypted:	false
Ssdeep:	3:KkZRAkd:KaAu
Size:	38
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

/tmp/Okami.mpsl.elf

URLs

Name

Malicious

http://www.billybobbot.com/crawler/)

unknown

Details

Name:	http://www.billybobbot.com/crawler/)
TargetID:	12
From Memory:	true
Current Path:	/tmp/Okami.mpsl.elf
Source:	Okami.mpsl.elf

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection
URLs found in memory or binary data	Networking

http://www.baidu.com/search/spider.html)

unknown

http://fast.no/support/crawler.asp)

unknown

http://feedback.redkolibri.com/

unknown

http://www.baidu.com/search/spider.htm)

unknown

IPs

Domain

Country

Malicious

93.123.85.246

unknown

Bulgaria

Details

IP:	93.123.85.246
TargetID:	-1
Country:	Bulgaria
Countrycode:	BGR
ASN number:	43561
ASN name:	NET1-ASBG
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

109.202.202.202

unknown

Switzerland

Details

IP:	109.202.202.202
TargetID:	-1
Country:	Switzerland
Countrycode:	CHE
ASN number:	13030
ASN name:	INIT7CH
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.43

unknown

United Kingdom

Details

IP:	91.189.91.43
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.42

unknown

United Kingdom

Details

IP:	91.189.91.42
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7fe058416000

page execute read

7fe058416000

page execute read

7fe058416000

page execute read

55d37d434000

page read and write

7fe0deae3000

page read and write

55d37f449000

page read and write

7fe0d8000000

page read and write

7fe0df16b000

page read and write

7fe0d8000000

page read and write

7fe0deaa3000

page read and write

7fe0ddc3c000

page read and write

55d37f449000

page read and write

7fe0df126000

page read and write

55d37f432000

page execute and read and write

55d37d42a000

page read and write

7fe0ddc3c000

page read and write

7fe0de452000

page read and write

7fe05845d000

page read and write

7fe0de702000

page read and write

7fffa59af000

page read and write

7fffa59f5000

page execute read

7fffa59af000

page read and write

7fe0deac6000

page read and write

7fe0deaa3000

page read and write

7fffa59af000

page read and write

55d37d42a000

page read and write

7fe0deae3000

page read and write

7fe0df11e000

page read and write

7fffa59f5000

page execute read

55d37d1a2000

page execute read

7fe0deaa3000

page read and write

55d37d1a2000

page execute read

7fe05845d000

page read and write

55d37d434000

page read and write

7fe0dee14000

page read and write

7fe0d8021000

page read and write

7fe0de444000

page read and write

7fe0df126000

page read and write

7fe0df126000

page read and write

7fe0ddc3c000

page read and write

7fe0deff5000

page read and write

55d37f432000

page execute and read and write

7fe0de452000

page read and write

7fe0de702000

page read and write

55d38105d000

page read and write

7fe0d8021000

page read and write

7fe0de444000

page read and write

7fe0de452000

page read and write

7fffa59f5000

page execute read

55d38105d000

page read and write

7fe0dee14000

page read and write

7fe0deff5000

page read and write

7fe0d8000000

page read and write

7fe058457000

page read and write

7fe0de444000

page read and write

55d37d434000

page read and write

7fe05845d000

page read and write

7fe058457000

page read and write

7fe0deae3000

page read and write

7fe0df11e000

page read and write

7fe058457000

page read and write

7fe0de702000

page read and write

55d38105d000

page read and write

55d37d1a2000

page execute read

7fe0deac6000

page read and write

7fe0d8021000

page read and write

55d37d42a000

page read and write

7fe0dee14000

page read and write

7fe0deff5000

page read and write

55d37f449000

page read and write

7fe0df16b000

page read and write

7fe0df11e000

page read and write

55d37f432000

page execute and read and write

7fe0deac6000

page read and write

7fe0df16b000

page read and write

There are 65 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Okami.mpsl.elf

Files

Processes

URLs

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportOkami.mpsl.elf

Files

Processes

URLs

IPs

Memdumps

IOC Report
Okami.mpsl.elf