Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

mips.elf

ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header

initial sample

Details

Filetype:	ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
Entropy:	7.978707168249988
Filename:	mips.elf
Filesize:	80940
MD5:	16620a7d88d4d4617d10644564b5361c
SHA1:	08b263b47448289cd8fba9bec5e1f0a5f0e3cfb3
SHA256:	8fbf8608d30ce588d2582fc8299fcd95c34cb5f542ab95a2c3fcd6cacf98b190
SHA512:	535c5f805d796f451f587d77d7d64567cf3d42727590146f74dc056e3af5c55befee29c86df1b022ef628f028a898dabda738c09aa21cd647b4e2b53d5def4fc
SSDEEP:	1536:4C1n4dq/5z6uG1IQB92ouu9BDWyj1Y8xrcqv3VJuBKaPgd2wskodoxgZjjXCtk:kap3geSnj6UtvVQQ4T0xgZj+m
Preview:	.ELF...........................4.........4. ...(.............................................I...I.....................jUPX!.h.........K...K.......a.......?.E.h4...@b..) ..].7.....RMZd.#..6..)..#..!........$t..)!.....K\|.bW.L.].QjU..t.....6r..b.?w.....p...

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Opens /proc/net/* files useful for finding connected devices and routers	Spreading	Remote System Discovery
ELF contains segments with high entropy indicating compressed/encrypted content	Hooking and other Techniques for Hiding and Protection	Obfuscated Files or Information
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
URLs found in memory or binary data	Networking
Writes log files to disk	Persistence and Installation Behavior

/tmp/Infected.log

ASCII text, with CRLF line terminators

dropped

Details

File:	/tmp/Infected.log
Category:	dropped
Dump:	Infected.log.12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/mips.elf
Type:	ASCII text, with CRLF line terminators
Entropy:	4.71112089176799
Encrypted:	false
Ssdeep:	3:xRbQRAZvOWFsZWFBAK8dAuFUJ4gnicMMIVDt8Tovn:xR0qvOfZW8K8djmHicNoDt8kv
Size:	107
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Writes log files to disk	Persistence and Installation Behavior

/tmp/qemu-open.7lAA7p (deleted)

ASCII text

dropped

Details

File:	/tmp/qemu-open.7lAA7p (deleted)
Category:	dropped
Dump:	qemu-open.7lAA7p (deleted).12.dr
ID:	dr_1
Target ID:	12
Process:	/tmp/mips.elf
Type:	ASCII text
Entropy:	3.709552666863289
Encrypted:	false
Ssdeep:	6:iekrEcvwAsE5KlwSd4pzKaV6Lpms/a/1VCxGF:ur+m5MwSdIKaV6L1adVRF
Size:	230
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

/tmp/mips.elf

URLs

Name

Malicious

http://upx.sf.net

unknown

Details

Name:	http://upx.sf.net
TargetID:	12
From Memory:	true
Current Path:	/tmp/mips.elf
Source:	mips.elf

Signature Hits	Behavior Group	Mitre Attack
Sample is packed with UPX	Data Obfuscation	Obfuscated Files or Information
URLs found in memory or binary data	Networking

https://developers.google.com/search/docs/advanced/crawling/overview-google-crawlers)

unknown

http://www.spidersoft.com)

unknown

http://help.yahoo.com/help/us/ysearch/slurp)

unknown

http://www.google.com/bot.html)

unknown

http://www.google.com/mobile/adsbot.html)

unknown

IPs

Domain

Country

Malicious

181.214.231.152

unknown

Chile

Details

IP:	181.214.231.152
TargetID:	-1
Country:	Chile
Countrycode:	CHL
ASN number:	61317
ASN name:	ASDETUKhttpwwwheficedcomGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Suricata IDS alerts with low severity for network traffic	Networking
Connects to IPs without corresponding DNS lookups	Networking

109.202.202.202

unknown

Switzerland

Details

IP:	109.202.202.202
TargetID:	-1
Country:	Switzerland
Countrycode:	CHE
ASN number:	13030
ASN name:	INIT7CH
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.43

unknown

United Kingdom

Details

IP:	91.189.91.43
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.42

unknown

United Kingdom

Details

IP:	91.189.91.42
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7fa530458000

page execute read

7fa530458000

page execute read

55ad1ab43000

page read and write

7fa5b0021000

page read and write

7fa5b4ecb000

page read and write

7fa5b0021000

page read and write

7fa5b58e7000

page read and write

55ad1a8b1000

page execute read

7fa5b55dd000

page read and write

7fa5b528f000

page read and write

7fa5b52ac000

page read and write

7fa5b58e7000

page read and write

55ad1cb58000

page read and write

7fff263d4000

page execute read

55ad1ab39000

page read and write

7fa5b55dd000

page read and write

7fa5b57be000

page read and write

7fa5b4c1b000

page read and write

7fff26346000

page read and write

55ad1ab39000

page read and write

55ad1ab43000

page read and write

7fa5b58ef000

page read and write

7fa5b0000000

page read and write

55ad1cb41000

page execute and read and write

7fa5b4405000

page read and write

7fa5b5934000

page read and write

7fff26346000

page read and write

7fa5b4c1b000

page read and write

55ad1e6a7000

page read and write

7fa530180000

page execute and read and write

55ad1a8b1000

page execute read

55ad1cb58000

page read and write

7fa5304a2000

page read and write

55ad1cb41000

page execute and read and write

7fa5b52ac000

page read and write

7fa5b528f000

page read and write

55ad1e6a7000

page read and write

7fa5304a2000

page read and write

7fa530180000

page execute and read and write

7fa5b0000000

page read and write

7fa5b526c000

page read and write

7fa5b57be000

page read and write

7fa5b5934000

page read and write

7fa5b4c0d000

page read and write

7fff263d4000

page execute read

7fa5b4c0d000

page read and write

7fa5b58ef000

page read and write

7fa5b4405000

page read and write

7fa5b4ecb000

page read and write

7fa5b526c000

page read and write

There are 40 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
mips.elf

Files

Processes

URLs

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportmips.elf

Files

Processes

URLs

IPs

Memdumps

IOC Report
mips.elf