Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Okami.i686.elf

ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, not stripped

initial sample

Details

Filetype:	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, not stripped
Entropy:	6.3769884712867695
Filename:	Okami.i686.elf
Filesize:	82006
MD5:	50e7142fd0c1638efba43a9a7a9e9302
SHA1:	54dc9733478dd4265c9b2872047ffbad9a09de7a
SHA256:	d16b30e05f57e6f7e1ee9da2daf24abae290b817d63d7429ff4088554a617cc4
SHA512:	8782c834a7b94ba0d99f0fbd49851fbd3d8ca3c45a8a47838b120c39adb7b2df3ef01c8537bbbd42f527be071b68c2e55617a0ce8fd16f86aed3792d14599195
SSDEEP:	1536:3BfDbge/Bexx+4WiM3wuvsCH+qCuGH2PeJi35hqu975Xs3r0OzRPF+jHeN:NDbXBeKlVAdCH+qHE2D35hquvXmr0Ozl
Preview:	.ELF....................h...4...........4. ...(..............................................`...`.......j..........Q.td............................U..S.......w....h....S...[]...$.............U......=.c...t..1....$`.....$`......u........t...$.Z..........c

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Yara signature match	System Summary
Sample and/or dropped files contains symbols with file path information	System Summary
URLs found in memory or binary data	Networking

/run/systemd/resolve/stub-resolv.conf

ASCII text

dropped

Details

File:	/run/systemd/resolve/stub-resolv.conf
Category:	dropped
Dump:	stub-resolv.conf.15.dr
ID:	dr_0
Target ID:	15
Process:	/tmp/Okami.i686.elf
Type:	ASCII text
Entropy:	3.3918926446809334
Encrypted:	false
Ssdeep:	3:KkZRAkd:KaAu
Size:	38
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

/tmp/Okami.i686.elf

URLs

Name

Malicious

http://www.billybobbot.com/crawler/)

unknown

Details

Name:	http://www.billybobbot.com/crawler/)
TargetID:	12
From Memory:	true
Current Path:	/tmp/Okami.i686.elf
Source:	Okami.i686.elf

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection
URLs found in memory or binary data	Networking

http://www.baidu.com/search/spider.html)

unknown

http://fast.no/support/crawler.asp)

unknown

http://feedback.redkolibri.com/

unknown

http://www.baidu.com/search/spider.htm)

unknown

IPs

Domain

Country

Malicious

93.123.85.246

unknown

Bulgaria

Details

IP:	93.123.85.246
TargetID:	-1
Country:	Bulgaria
Countrycode:	BGR
ASN number:	43561
ASN name:	NET1-ASBG
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

109.202.202.202

unknown

Switzerland

Details

IP:	109.202.202.202
TargetID:	-1
Country:	Switzerland
Countrycode:	CHE
ASN number:	13030
ASN name:	INIT7CH
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.43

unknown

United Kingdom

Details

IP:	91.189.91.43
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.42

unknown

United Kingdom

Details

IP:	91.189.91.42
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

8056000

page execute read

8056000

page execute read

8056000

page execute read

ff90e000

page read and write

ff90e000

page read and write

f7faf000

page execute read

f7faf000

page execute read

805d000

page read and write

8057000

page read and write

805d000

page read and write

805d000

page read and write

8057000

page read and write

ff90e000

page read and write

8057000

page read and write

f7faf000

page execute read

There are 5 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Okami.i686.elf

Files

Processes

URLs

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportOkami.i686.elf

Files

Processes

URLs

IPs

Memdumps

IOC Report
Okami.i686.elf