Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

.i.elf

ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header

initial sample

Details

Filetype:	ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
Entropy:	7.979850173471488
Filename:	.i.elf
Filesize:	84924
MD5:	edb0737ad091e1e415225a9121dab251
SHA1:	7e4af7ae0dc4dc07752da474890da36a0ff490ae
SHA256:	cfe81bddf104355b6364bbbeef6bcd9a70b92ea1724b479406f5bf49d1333d1d
SHA512:	24fc3a43908e50c142905cfa6e64e6ebb2782dff27cecf96bbe4910b9331c74832e215c74c2ca1470618d93952b516ddaef31ff710581a22a57dd1771e5f9a77
SSDEEP:	1536:yYI0ARqw1qAEW67UIWi7M8gmfmJo0WgswnD6Efyq8PxlRkp2K3/J1V+uBNI:yYI0ARqw1qAEv7UIFM8oJorFquyjkRke
Preview:	.ELF....................../....4.........4. ...(......................Bd..Bd.................G...G.................................................^.......?.E.h4...@b..) ..]..0...a.t<..mc.zy/..>..!c...gM\<j..W`xD'..}...\..].j.L.u...S..i...../..F...@`..'k.

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Opens /proc/net/* files useful for finding connected devices and routers	Spreading	Remote System Discovery
Sample deletes itself	Hooking and other Techniques for Hiding and Protection	File Deletion
Creates hidden files and/or directories	Persistence and Installation Behavior	Hidden Files and Directories
ELF contains segments with high entropy indicating compressed/encrypted content	Hooking and other Techniques for Hiding and Protection	Obfuscated Files or Information
Enumerates processes within the "proc" file system	Persistence and Installation Behavior	OS Credential Dumping
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Reads the 'hosts' file potentially containing internal network hosts	Networking	File and Directory Discovery
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion

/tmp/qemu-open.Toqlb3 (deleted)

ASCII text

dropped

Details

File:	/tmp/qemu-open.Toqlb3 (deleted)
Category:	dropped
Dump:	qemu-open.Toqlb3 (deleted).13.dr
ID:	dr_0
Target ID:	13
Process:	/tmp/.i.elf
Type:	ASCII text
Entropy:	3.709552666863289
Encrypted:	false
Ssdeep:	6:iekrEcvwAsE5KlwSd4pzKaV6Lpms/a/1VCxGF:ur+m5MwSdIKaV6L1adVRF
Size:	230
Whitelisted:	false
Reputation:	high

/tmp/qemu-open.YHx8X9 (deleted)

data

dropped

Details

File:	/tmp/qemu-open.YHx8X9 (deleted)
Category:	dropped
Dump:	qemu-open.YHx8X9 (deleted).14.dr
ID:	dr_1
Target ID:	14
Process:	/tmp/.i.elf
Type:	data
Entropy:	3.2516291673878226
Encrypted:	false
Ssdeep:	3:TgLxl:TgLj
Size:	12
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

/tmp/.i.elf

/bin/sh

sh -c "iptables -A INPUT -p tcp --destination-port 23 -j DROP"

/bin/sh

/usr/sbin/iptables

iptables -A INPUT -p tcp --destination-port 23 -j DROP

/tmp/.i.elf

/bin/sh

sh -c "iptables -A INPUT -p tcp --destination-port 7547 -j DROP"

/bin/sh

/usr/sbin/iptables

iptables -A INPUT -p tcp --destination-port 7547 -j DROP

/tmp/.i.elf

/bin/sh

sh -c "iptables -A INPUT -p tcp --destination-port 5555 -j DROP"

/bin/sh

/usr/sbin/iptables

iptables -A INPUT -p tcp --destination-port 5555 -j DROP

/tmp/.i.elf

/bin/sh

sh -c "iptables -A INPUT -p tcp --destination-port 5358 -j DROP"

/bin/sh

/usr/sbin/iptables

iptables -A INPUT -p tcp --destination-port 5358 -j DROP

/tmp/.i.elf

/bin/sh

sh -c "iptables -D INPUT -j CWMP_CR"

/bin/sh

/usr/sbin/iptables

iptables -D INPUT -j CWMP_CR

/tmp/.i.elf

/bin/sh

sh -c "iptables -X CWMP_CR"

/bin/sh

/usr/sbin/iptables

iptables -X CWMP_CR

/tmp/.i.elf

/bin/sh

sh -c "iptables -I INPUT -p udp --dport 27986 -j ACCEPT"

/bin/sh

/usr/sbin/iptables

iptables -I INPUT -p udp --dport 27986 -j ACCEPT

There are 21 hidden processes, click here to show them.

Domains

Name

Malicious

router.bittorrent.com

unknown

router.utorrent.com

unknown

IPs

Domain

Country

Malicious

109.202.202.202

unknown

Switzerland

Details

IP:	109.202.202.202
TargetID:	-1
Country:	Switzerland
Countrycode:	CHE
ASN number:	13030
ASN name:	INIT7CH
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.43

unknown

United Kingdom

Details

IP:	91.189.91.43
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.42

unknown

United Kingdom

Details

IP:	91.189.91.42
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

561067ce5000

page read and write

7ff0fc160000

page execute and read and write

7ff182c57000

page read and write

7ff18346d000

page read and write

7ffccd4d4000

page execute read

561067ce5000

page read and write

7ff183afe000

page read and write

7ff17c000000

page read and write

7ff0fc47b000

page read and write

7ff18346d000

page read and write

7ff18345f000

page read and write

7ff0fc47b000

page read and write

7ff183afe000

page read and write

561064217000

page execute read

7ff18371d000

page read and write

7ff184141000

page read and write

5610664a7000

page execute and read and write

7ff184010000

page read and write

7ff17c021000

page read and write

7ff0fc435000

page execute read

7ff183abe000

page read and write

56106449f000

page read and write

5610664be000

page read and write

5610664be000

page read and write

7ff184186000

page read and write

7ff17c021000

page read and write

7ff184139000

page read and write

7ffccd4be000

page read and write

7ff0fc160000

page execute and read and write

7ffccd4be000

page read and write

56106449f000

page read and write

5610644a9000

page read and write

7ff184141000

page read and write

561067d05000

page read and write

7ff184010000

page read and write

7ff18345f000

page read and write

7ff183e2f000

page read and write

7ff18371d000

page read and write

5610664a7000

page execute and read and write

7ff184139000

page read and write

7ff183ae1000

page read and write

7ff184186000

page read and write

7ff183abe000

page read and write

7ff183e2f000

page read and write

5610644a9000

page read and write

561064217000

page execute read

7ff0fc435000

page execute read

7ff183ae1000

page read and write

7ff17c000000

page read and write

7ff182c57000

page read and write

7ffccd4d4000

page execute read

There are 41 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
.i.elf

Files

Processes

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report.i.elf

Files

Processes

Domains

IPs

Memdumps

IOC Report
.i.elf