Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

mips.elf

ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header

initial sample

Details

Filetype:	ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
Entropy:	7.97697258226364
Filename:	mips.elf
Filesize:	78516
MD5:	c9cbc4f314dbf415cf34dd7971dc22c7
SHA1:	8ed4102a89e1229fa4eb6f22da9fee95513850fb
SHA256:	3215448a558148b2aa4829476d8c6f42360dc78d2c31ddfc57442be8c3e989a5
SHA512:	a094a8ac122c40e891490abbdb371ef58a8dda23549dc72d39881357f21b920f907b30ec7026961040715ea0f3ddf8d3864f6c25271b46383ce989f952fbf0ca
SSDEEP:	1536:zfWJ4ESinivfUDCP+pCJcHV9vfOn5gwEhrUxxXM9lGpVJujgdb71RcwUQmZTyS:LW6SnivsDnCJcHVdY5dq59lGpVQjg/R2
Preview:	.ELF.......................@...4.........4. ...(.............................................I...I......................UPX!.d.........7...7.......b.......?.E.h4...@b..) ..].7.....;.1"....J.E....B..ex.(.........M9.......M.8..w..Us..2.[\F.a.n...w.......<..

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Opens /proc/net/* files useful for finding connected devices and routers	Spreading	Remote System Discovery
ELF contains segments with high entropy indicating compressed/encrypted content	Hooking and other Techniques for Hiding and Protection
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
URLs found in memory or binary data	Networking
Writes log files to disk	Persistence and Installation Behavior

/tmp/Infected.log

ASCII text, with CRLF line terminators

dropped

Details

File:	/tmp/Infected.log
Category:	dropped
Dump:	Infected.log.12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/mips.elf
Type:	ASCII text, with CRLF line terminators
Entropy:	4.71112089176799
Encrypted:	false
Ssdeep:	3:xRbQRAZvOWFsZWFBAK8dAuFUJ4gnicMMIVDt8Tovn:xR0qvOfZW8K8djmHicNoDt8kv
Size:	107
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Writes log files to disk	Persistence and Installation Behavior

/tmp/qemu-open.MCHRbp (deleted)

ASCII text

dropped

Details

File:	/tmp/qemu-open.MCHRbp (deleted)
Category:	dropped
Dump:	qemu-open.MCHRbp (deleted).12.dr
ID:	dr_1
Target ID:	12
Process:	/tmp/mips.elf
Type:	ASCII text
Entropy:	3.709552666863289
Encrypted:	false
Ssdeep:	6:iekrEcvwAsE5KlwSd4pzKaV6Lpms/a/1VCxGF:ur+m5MwSdIKaV6L1adVRF
Size:	230
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

/tmp/mips.elf

URLs

Name

Malicious

http://upx.sf.net

unknown

Details

Name:	http://upx.sf.net
TargetID:	12
From Memory:	true
Current Path:	/tmp/mips.elf
Source:	mips.elf

Signature Hits	Behavior Group	Mitre Attack
Sample is packed with UPX	Data Obfuscation	Obfuscated Files or Information
URLs found in memory or binary data	Networking

https://developers.google.com/search/docs/advanced/crawling/overview-google-crawlers)

unknown

http://www.spidersoft.com)

unknown

http://help.yahoo.com/help/us/ysearch/slurp)

unknown

http://www.google.com/bot.html)

unknown

http://www.google.com/mobile/adsbot.html)

unknown

Domains

Name

Malicious

daisy.ubuntu.com

162.213.35.24

IPs

Domain

Country

Malicious

181.214.231.152

unknown

Chile

Details

IP:	181.214.231.152
TargetID:	-1
Country:	Chile
Countrycode:	CHL
ASN number:	61317
ASN name:	ASDETUKhttpwwwheficedcomGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Suricata IDS alerts with low severity for network traffic	Networking
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7f0774454000

page execute read

7f0774454000

page execute read

7f07fbcf0000

page read and write

7f07f4000000

page read and write

7f07fc373000

page read and write

5556038f9000

page read and write

7f07fbd30000

page read and write

7f07f4021000

page read and write

7f07fb691000

page read and write

7f07fc061000

page read and write

7f07f4021000

page read and write

7f07fbcf0000

page read and write

555600032000

page read and write

7f07fb691000

page read and write

7f077449f000

page read and write

7f07fc36b000

page read and write

7fff3f05b000

page read and write

7f07fbd13000

page read and write

7f077449f000

page read and write

7f07fb94f000

page read and write

555602047000

page read and write

7fff3f05b000

page read and write

7f0774180000

page execute and read and write

5555ffda0000

page execute read

7f07fbd30000

page read and write

7f0774180000

page execute and read and write

7f07fc373000

page read and write

555600032000

page read and write

7f07fc3b8000

page read and write

7f07fae89000

page read and write

7f07fc36b000

page read and write

7f07fc242000

page read and write

555602030000

page execute and read and write

7f07fc242000

page read and write

7f07fb69f000

page read and write

7fff3f165000

page execute read

7f07fae89000

page read and write

7f07fb69f000

page read and write

555602030000

page execute and read and write

5556038f9000

page read and write

555600028000

page read and write

555602047000

page read and write

7fff3f165000

page execute read

7f07f4000000

page read and write

7f07fbd13000

page read and write

7f07fb94f000

page read and write

7f07fc061000

page read and write

555600028000

page read and write

5555ffda0000

page execute read

7f07fc3b8000

page read and write

There are 40 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
mips.elf

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportmips.elf

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
mips.elf