Linux Analysis Report
mips.elf

Overview

General Information

Sample name: mips.elf
Analysis ID: 1546026
MD5: 3d51a125de4caf7ec75268d61f5473d3
SHA1: 5c2d4addb1a5addc9accb76e36985c85a42a03ac
SHA256: c722507358dceca9733329d2a302547d4b5c2322d2b33604593b45a4ff3e7bf8
Tags: elfuser-abuse_ch

Detection

Score: 60
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Connects to many ports of the same IP (likely port scanning)
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Sample has stripped symbol table
Sample listens on a socket
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

AV Detection

Source: mips.elf Avira: detected
Source: mips.elf ReversingLabs: Detection: 15%

Networking

Source: /tmp/mips.elf (PID: 5523) Socket: 127.0.0.1:1172
Source: global traffic DNS traffic detected: DNS query: kingstonwikkerink.dyn
Source: global traffic DNS traffic detected: DNS query: daisy.ubuntu.com
Source: mips.elf, 5525.1.00007f4d74458000.00007f4d7445e000.rw-.sdmp String found in binary or memory: http://hailcocks.ru/wget.sh;
Source: ELF static info symbol of initial sample .symtab present: no
Source: classification engine Classification label: mal60.troj.linELF@0/0@77/0
Source: /tmp/mips.elf (PID: 5523) Queries kernel information via 'uname'
Source: mips.elf, 5523.1.0000563d69221000.0000563d692c9000.rw-.sdmp, mips.elf, 5525.1.0000563d69221000.0000563d692c9000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/mips
Source: mips.elf, 5523.1.00007ffcffb6b000.00007ffcffb8c000.rw-.sdmp, mips.elf, 5525.1.00007ffcffb6b000.00007ffcffb8c000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-mips/tmp/mips.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/mips.elf
Source: mips.elf, 5523.1.00007ffcffb6b000.00007ffcffb8c000.rw-.sdmp, mips.elf, 5525.1.00007ffcffb6b000.00007ffcffb8c000.rw-.sdmp Binary or memory string: /usr/bin/qemu-mips
Source: mips.elf, 5523.1.0000563d69221000.0000563d692c9000.rw-.sdmp, mips.elf, 5525.1.0000563d69221000.0000563d692c9000.rw-.sdmp Binary or memory string: g#i=V `#i=V!/etc/qemu-binfmt/mips