Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Download

.i.elf

ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header

initial sample

Details

Filetype:	ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
Entropy:	7.981094611090621
Filename:	.i.elf
Filesize:	84960
MD5:	4e6cf38ca04c64bbbc0de39518340fa3
SHA1:	b43aa81c8fe3f4b520a1c53557c8e477100530e1
SHA256:	a625601d8fe1f59102fcec617bbf4afa1f81ee305d5e8b93822541a65f7ea498
SHA512:	aae55dffe4e5a803d0b392202581f6ffa6c78dc84afcd092b847cf218020c6146959bc522485a2ee2d3dc031bd1b63fac801fc89b6b3efbd357eb2b4a261d27d
SSDEEP:	1536:m3LqE6rUQWzVQR7iAGEcUT5PIi7pLqBNs4LOjcwf4nB6XuzGNy+iSc7tNUZN:mOE6PWo1T5bz4LVMXuzVNScWN
Preview:	.ELF.................... /..4...........4. ...(......................A...A....................G...G...................}l........................_..........?.E.h;....#....3.FR..gcpC....2.*..]8v. .....'..pw...rW.U.S.....(.\|W.H..?#.$0......m.r...U....:...&..

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Opens /proc/net/* files useful for finding connected devices and routers	Spreading	Remote System Discovery
Sample deletes itself	Hooking and other Techniques for Hiding and Protection	File Deletion
Creates hidden files and/or directories	Persistence and Installation Behavior	Hidden Files and Directories
ELF contains segments with high entropy indicating compressed/encrypted content	Hooking and other Techniques for Hiding and Protection	Obfuscated Files or Information
Enumerates processes within the "proc" file system	Persistence and Installation Behavior	OS Credential Dumping
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Reads the 'hosts' file potentially containing internal network hosts	Networking	File and Directory Discovery
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery

/tmp/qemu-open.FTTWRK (deleted)

data

dropped

Details

File:	/tmp/qemu-open.FTTWRK (deleted)
Category:	dropped
Dump:	qemu-open.FTTWRK (deleted).13.dr
ID:	dr_0
Target ID:	13
Process:	/tmp/.i.elf
Type:	data
Entropy:	3.2516291673878226
Encrypted:	false
Ssdeep:	3:TgLxl:TgLj
Size:	12
Whitelisted:	false
Reputation:	moderate

Processes

Path

Cmdline

Malicious

/tmp/.i.elf

/bin/sh

sh -c "iptables -A INPUT -p tcp --destination-port 23 -j DROP"

/bin/sh

/usr/sbin/iptables

iptables -A INPUT -p tcp --destination-port 23 -j DROP

/tmp/.i.elf

/bin/sh

sh -c "iptables -A INPUT -p tcp --destination-port 7547 -j DROP"

/bin/sh

/usr/sbin/iptables

iptables -A INPUT -p tcp --destination-port 7547 -j DROP

/tmp/.i.elf

/bin/sh

sh -c "iptables -A INPUT -p tcp --destination-port 5555 -j DROP"

/bin/sh

/usr/sbin/iptables

iptables -A INPUT -p tcp --destination-port 5555 -j DROP

/tmp/.i.elf

/bin/sh

sh -c "iptables -A INPUT -p tcp --destination-port 5358 -j DROP"

/bin/sh

/usr/sbin/iptables

iptables -A INPUT -p tcp --destination-port 5358 -j DROP

/tmp/.i.elf

/bin/sh

sh -c "iptables -D INPUT -j CWMP_CR"

/bin/sh

/usr/sbin/iptables

iptables -D INPUT -j CWMP_CR

/tmp/.i.elf

/bin/sh

sh -c "iptables -X CWMP_CR"

/bin/sh

/usr/sbin/iptables

iptables -X CWMP_CR

/tmp/.i.elf

/bin/sh

sh -c "iptables -I INPUT -p udp --dport 11002 -j ACCEPT"

/bin/sh

/usr/sbin/iptables

iptables -I INPUT -p udp --dport 11002 -j ACCEPT

There are 20 hidden processes, click here to show them.

Domains

Name

Malicious

daisy.ubuntu.com

162.213.35.24

Details

Name:	daisy.ubuntu.com
IP:	162.213.35.24
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

router.bittorrent.com

67.215.246.10

Details

Name:	router.bittorrent.com
IP:	67.215.246.10
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

router.utorrent.com

82.221.103.244

Details

Name:	router.utorrent.com
IP:	82.221.103.244
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

119.34.160.228

unknown

China

189.129.211.64

unknown

Mexico

189.139.172.241

unknown

Mexico

181.42.46.105

unknown

Chile

195.98.68.52

unknown

Russian Federation

31.60.104.7

unknown

Poland

99.240.197.244

unknown

Canada

78.85.4.135

unknown

Russian Federation

14.192.214.208

unknown

Malaysia

80.11.235.118

unknown

France

187.190.166.141

unknown

Mexico

177.52.82.94

unknown

Brazil

79.190.191.74

unknown

Poland

77.172.35.225

unknown

Netherlands

190.56.32.232

unknown

Guatemala

199.45.219.152

unknown

United States

58.241.139.153

unknown

China

190.101.84.250

unknown

Chile

41.193.87.152

unknown

South Africa

5.3.252.254

unknown

Russian Federation

79.177.128.82

unknown

Israel

222.187.254.73

unknown

China

81.101.129.89

unknown

United Kingdom

113.148.125.188

unknown

Japan

144.217.181.115

unknown

Canada

109.94.85.146

unknown

Russian Federation

190.240.69.24

unknown

Colombia

190.193.152.141

unknown

Argentina

117.24.165.173

unknown

China

179.96.135.23

unknown

Brazil

82.221.103.244

router.utorrent.com

Iceland

113.89.244.83

unknown

China

188.2.115.47

unknown

Serbia

148.71.121.183

unknown

Portugal

54.70.174.84

unknown

United States

198.162.193.189

unknown

United States

79.185.46.91

unknown

Poland

176.226.202.11

unknown

Russian Federation

92.16.182.203

unknown

United Kingdom

117.24.165.65

unknown

China

177.52.48.235

unknown

Brazil

91.192.20.140

unknown

Russian Federation

91.121.7.132

unknown

France

2.103.108.201

unknown

United Kingdom

45.238.183.98

unknown

Colombia

82.39.237.234

unknown

United Kingdom

68.226.67.22

unknown

United States

213.94.41.136

unknown

Spain

189.196.45.102

unknown

Mexico

175.204.168.7

unknown

Korea Republic of

54.77.218.23

unknown

United States

144.76.166.157

unknown

Germany

113.26.87.94

unknown

China

79.140.117.203

unknown

Germany

201.188.189.46

unknown

Chile

213.80.212.27

unknown

Russian Federation

124.91.148.108

unknown

China

211.48.88.198

unknown

Korea Republic of

67.215.246.10

router.bittorrent.com

United States

83.222.166.141

unknown

Bulgaria

91.175.39.237

unknown

France

103.199.205.126

unknown

India

106.14.195.230

unknown

China

112.118.83.13

unknown

Hong Kong

91.239.227.43

unknown

178.247.145.191

unknown

Turkey

98.209.107.208

unknown

United States

82.50.89.36

unknown

Italy

94.68.18.162

unknown

Greece

2.183.108.235

unknown

Iran (ISLAMIC Republic Of)

90.201.53.148

unknown

United Kingdom

188.65.232.39

unknown

Russian Federation

188.255.55.114

unknown

Russian Federation

There are 63 hidden IPs, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

Download

7fc83c434000

page execute read

7ffeac563000

page read and write

563b0cb70000

page read and write

563b0af64000

page read and write

7fc8c3160000

page read and write

7fc8c311b000

page read and write

563b0af4d000

page execute and read and write

7fc8c2fea000

page read and write

7fc8c2ad8000

page read and write

7fc83c47b000

page read and write

563b08f4f000

page read and write

7fc8bc000000

page read and write

563b08f45000

page read and write

563b08cbd000

page execute read

7fc8c2abb000

page read and write

7fc83c160000

page execute and read and write

7fc8c2447000

page read and write

7fc8c1c31000

page read and write

7fc8c2e09000

page read and write

7fc8c3113000

page read and write

7fc8c2a98000

page read and write

7fc8bc021000

page read and write

7ffeac5fb000

page execute read

7fc8c26f7000

page read and write

7fc8c2439000

page read and write

There are 15 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
.i.elf

Files

Processes

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report.i.elf

Files

Processes

Domains

IPs

Memdumps

IOC Report
.i.elf