Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

mips.elf

ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped

initial sample

Details

Filetype:	ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped
Entropy:	5.26022744514341
Filename:	mips.elf
Filesize:	125962
MD5:	6531f6110342845a1d1dceafe6d5fa5c
SHA1:	423a03c08aa83981d328f999f408cfe94f7f5a9a
SHA256:	84458e81f5a175bf361a9ff556e7942e38cb34175af6c0365ba0d1f422ef5cec
SHA512:	d737d523939082ee5ee0244f3ebe17d7288b11de54eacb7bd50254d864905ad64c3b5f91aa3ed7b863d40708feda3148ba78a69343d3e84e88428e9a60f6fcae
SSDEEP:	1536:g7je1TYGq+f+A02rKXzeve1eTe8p2rKXIeum9Y0GAzQj1l72HBe+ERLWfRZrmW+i:/a1UW0MZQHoB6RZrmW+IFB1Dt1hR/
Preview:	.ELF.....................@.....4.........4. ...(....p........@...@...........................@...@....pD..pD..............pD.EpD.EpD......l.........dt.Q.................................................E..<...'......!'.......................<...'......!...

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Opens /proc/net/* files useful for finding connected devices and routers	Spreading	Remote System Discovery
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion
Yara signature match	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
Sample and/or dropped files contains symbols with file path information	System Summary

/tmp/qemu-open.Rb1RG0 (deleted)

ASCII text

dropped

Details

File:	/tmp/qemu-open.Rb1RG0 (deleted)
Category:	dropped
Dump:	qemu-open.Rb1RG0 (deleted).12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/mips.elf
Type:	ASCII text
Entropy:	3.709552666863289
Encrypted:	false
Ssdeep:	6:iekrEcvwAsE5KlwSd4pzKaV6Lpms/a/1VCxGF:ur+m5MwSdIKaV6L1adVRF
Size:	230
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

/tmp/mips.elf

URLs

Name

Malicious

150.241.95.250:25565

Details

Name:	150.241.95.250:25565
TargetID:	0
From Memory:	false
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

Domains

Name

Malicious

daisy.ubuntu.com

162.213.35.25

IPs

Domain

Country

Malicious

150.241.95.250

unknown

Spain

Details

IP:	150.241.95.250
TargetID:	-1
Country:	Spain
Countrycode:	ESP
ASN number:	207714
ASN name:	TECNALIAES
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7fe3a8418000

page execute read

7fe3a8418000

page execute read

7fe42dc6b000

page read and write

7fe42e310000

page read and write

7fe428000000

page read and write

7fe42e19a000

page read and write

560bb4513000

page execute read

7fe42dc88000

page read and write

7fe42e19a000

page read and write

7fe42e2cb000

page read and write

560bb47a5000

page read and write

7fe42dc48000

page read and write

7fe3a845e000

page read and write

7fe3a8458000

page read and write

560bb67ba000

page read and write

7fe42d8a7000

page read and write

7fe42e2c3000

page read and write

7fe42d5f7000

page read and write

7ffdaffb7000

page read and write

560bb67a3000

page execute and read and write

7fe42dc88000

page read and write

560bb479b000

page read and write

7fe428000000

page read and write

560bb479b000

page read and write

7fe3a845e000

page read and write

7fe42d5f7000

page read and write

7fe42dfb9000

page read and write

7fe428021000

page read and write

7fe42d5e9000

page read and write

7ffdaffcb000

page execute read

7fe42d8a7000

page read and write

7fe42cde1000

page read and write

560bb67a3000

page execute and read and write

560bb67ba000

page read and write

7fe3a8458000

page read and write

7fe42e2c3000

page read and write

7ffdaffcb000

page execute read

7fe42e310000

page read and write

7fe42dc48000

page read and write

7fe42d5e9000

page read and write

7fe428021000

page read and write

7ffdaffb7000

page read and write

7fe42dfb9000

page read and write

560bb4513000

page execute read

560bb87d9000

page read and write

560bb87d9000

page read and write

7fe42cde1000

page read and write

7fe42dc6b000

page read and write

7fe42e2cb000

page read and write

560bb47a5000

page read and write

There are 40 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
mips.elf

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportmips.elf

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
mips.elf