Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

la.bot.mips.elf

ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped

initial sample

Details

Filetype:	ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Entropy:	5.542475658306265
Filename:	la.bot.mips.elf
Filesize:	119380
MD5:	eb2140c2a27a612cba4ca30a6ff6be44
SHA1:	60b9050203f8af755de78099c66d5b3a3b33c42c
SHA256:	076d9140d21be0aae71c067ffe17a9451a2a9dcd818d1593cb417f8c0cef2cf7
SHA512:	d5c3e35caaaa855bd2a70b72277262dff49bda99379da76f02e3aeb7e42d75e1ec8588d1927f0836e71804f640308218b475ba7315b36eec512c2a7571a1ee05
SSDEEP:	3072:95epXWSsUkNsGnv9AMSIZktanq8XQDeQngt2:9AU1btgkt2
Preview:	.ELF.....................@.`...4...L.....4. ...(.............@...@...........................E...E........sh........dt.Q............................<...'.I....!'.......................<...'.I....!... ....'9... ......................<...'.Ih...!........'9.

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Deletes system log files	Hooking and other Techniques for Hiding and Protection	Indicator Removal
Sample tries to access files in /etc/config/ (typical for OpenWRT routers)	Data Obfuscation
Sample tries to kill multiple processes (SIGKILL)	System Summary	Service Stop
Creates hidden files and/or directories	Persistence and Installation Behavior	Hidden Files and Directories
Enumerates processes within the "proc" file system	Persistence and Installation Behavior	OS Credential Dumping
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample listens on a socket	Networking
Sample tries to kill a process (SIGKILL)	System Summary
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
URLs found in memory or binary data	Networking

/heavens.txt

ASCII text, with no line terminators

dropped

Details

File:	/heavens.txt
Category:	dropped
Dump:	heavens.txt.15.dr
ID:	dr_0
Target ID:	15
Process:	/tmp/la.bot.mips.elf
Type:	ASCII text, with no line terminators
Entropy:	4.104536948901685
Encrypted:	false
Ssdeep:	3:XX6RivErqLw54zFE0iRJpZLWFqSYoJFiBOKK7FTxPh:H6wcmLk4zFHyBRST4OR7FT5h
Size:	141
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

/tmp/la.bot.mips.elf

URLs

Name

Malicious

http:///wget.sh

unknown

Details

Name:	http:///wget.sh
TargetID:	16
From Memory:	true
Current Path:	/tmp/la.bot.mips.elf
Source:	la.bot.mips.elf
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
URLs found in memory or binary data	Networking

http:///curl.sh

unknown

Details

Name:	http:///curl.sh
TargetID:	16
From Memory:	true
Current Path:	/tmp/la.bot.mips.elf
Source:	la.bot.mips.elf
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

161.14.156.173

unknown

United States

177.124.47.172

unknown

Brazil

72.145.97.22

unknown

United States

154.19.248.89

unknown

United States

73.36.135.15

unknown

United States

11.20.104.253

unknown

United States

119.138.206.87

unknown

China

85.63.22.39

unknown

Spain

5.247.74.119

unknown

Saudi Arabia

69.26.108.173

unknown

United States

165.48.186.217

unknown

United States

14.171.224.163

unknown

Viet Nam

27.236.97.159

unknown

Korea Republic of

213.205.110.191

unknown

France

135.192.61.43

unknown

United States

75.74.122.207

unknown

United States

131.131.196.120

unknown

United States

215.35.109.52

unknown

United States

147.225.148.111

unknown

United States

164.31.144.239

unknown

Germany

74.94.224.71

unknown

United States

107.175.186.126

unknown

United States

138.0.16.71

unknown

Brazil

1.244.222.99

unknown

Korea Republic of

67.135.214.51

unknown

United States

166.198.243.95

unknown

United States

155.3.52.141

unknown

Canada

214.148.121.75

unknown

United States

184.249.18.225

unknown

United States

138.44.194.85

unknown

Australia

88.12.190.208

unknown

Spain

18.241.133.128

unknown

United States

210.169.92.99

unknown

Japan

52.115.41.219

unknown

United States

141.184.26.107

unknown

United States

194.222.106.7

unknown

United Kingdom

65.30.111.58

unknown

United States

76.59.34.35

unknown

United States

32.134.148.75

unknown

United States

182.254.94.240

unknown

China

76.229.163.198

unknown

United States

30.131.47.192

unknown

United States

92.106.121.216

unknown

Switzerland

119.245.93.60

unknown

Japan

8.119.112.135

unknown

United States

205.43.194.22

unknown

United States

70.215.243.121

unknown

United States

193.148.241.17

unknown

Spain

112.75.50.127

unknown

China

39.234.22.22

unknown

Indonesia

123.225.6.189

unknown

Japan

136.201.101.220

unknown

Ireland

113.106.27.182

unknown

China

54.246.239.48

unknown

United States

184.135.135.87

unknown

United States

139.147.38.173

unknown

United States

85.159.23.28

unknown

Ireland

213.3.84.132

unknown

Switzerland

128.5.19.98

unknown

United States

196.144.15.13

unknown

Egypt

177.26.213.149

unknown

Brazil

179.59.174.225

unknown

Bolivia

86.1.38.202

unknown

United Kingdom

53.132.72.204

unknown

Germany

153.87.199.182

unknown

United States

8.103.134.198

unknown

United States

222.150.214.189

unknown

Japan

4.170.86.75

unknown

United States

78.19.12.5

unknown

Ireland

154.189.233.96

unknown

Egypt

117.2.18.21

unknown

Viet Nam

111.219.2.225

unknown

Korea Republic of

164.198.99.172

unknown

United States

54.135.139.215

unknown

United States

26.180.148.193

unknown

United States

49.46.248.34

unknown

India

87.120.71.123

unknown

Bulgaria

19.187.92.236

unknown

United States

4.161.250.90

unknown

United States

222.171.118.30

unknown

China

90.101.135.59

unknown

France

100.190.80.50

unknown

United States

199.21.58.145

unknown

United States

188.98.94.105

unknown

Germany

185.217.103.98

unknown

Saudi Arabia

31.194.82.11

unknown

Italy

202.22.208.169

unknown

Japan

156.207.108.91

unknown

Egypt

126.84.46.137

unknown

Japan

37.114.236.104

unknown

Iran (ISLAMIC Republic Of)

58.140.76.105

unknown

Korea Republic of

75.78.72.105

unknown

United States

32.194.103.206

unknown

United States

136.209.217.245

unknown

United States

123.183.83.93

unknown

China

202.65.164.14

unknown

New Zealand

86.159.49.2

unknown

United Kingdom

134.149.200.53

unknown

United States

83.122.168.87

unknown

Iran (ISLAMIC Republic Of)

9.1.136.15

unknown

United States

There are 90 hidden IPs, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

7f3a1441c000

page execute read

7f3a14467000

page read and write

55bebedb4000

page read and write

7f3a9bf71000

page read and write

55bebedbe000

page read and write

7f3a9b8e0000

page read and write

7f3a9c5ac000

page read and write

55bec0dbc000

page execute and read and write

7f3a9b8d2000

page read and write

55bec2d7b000

page read and write

7f3a9b0ca000

page read and write

55bec0dd3000

page read and write

7f3a94000000

page read and write

7ffc840b2000

page execute read

7f3a9c5f9000

page read and write

7f3a9bf54000

page read and write

7f3a9bf31000

page read and write

7f3a94021000

page read and write

7ffc84023000

page read and write

7f3a9bb90000

page read and write

55bebeb2c000

page execute read

7f3a9c2a2000

page read and write

7f3a9c483000

page read and write

7f3a1445d000

page read and write

7f3a9c5b4000

page read and write

There are 15 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
la.bot.mips.elf

Files

Processes

URLs

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportla.bot.mips.elf

Files

Processes

URLs

IPs

Memdumps

IOC Report
la.bot.mips.elf