IOC Report
.i.elf


Files

File Path | Type | Category | Malicious
.i.elf | ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header | initial sample | malicious
/tmp/qemu-open.FTTWRK (deleted) | data | dropped |

Processes

Path | Cmdline | Malicious
/tmp/.i.elf | /tmp/.i.elf |
/tmp/.i.elf | - |
/tmp/.i.elf | - |
/bin/sh | sh -c "iptables -A INPUT -p tcp --destination-port 23 -j DROP" |
/bin/sh | - |
/usr/sbin/iptables | iptables -A INPUT -p tcp --destination-port 23 -j DROP |
/tmp/.i.elf | - |
/bin/sh | sh -c "iptables -A INPUT -p tcp --destination-port 7547 -j DROP" |
/bin/sh | - |
/usr/sbin/iptables | iptables -A INPUT -p tcp --destination-port 7547 -j DROP |
/tmp/.i.elf | - |
/bin/sh | sh -c "iptables -A INPUT -p tcp --destination-port 5555 -j DROP" |
/bin/sh | - |
/usr/sbin/iptables | iptables -A INPUT -p tcp --destination-port 5555 -j DROP |
/tmp/.i.elf | - |
/bin/sh | sh -c "iptables -A INPUT -p tcp --destination-port 5358 -j DROP" |
/bin/sh | - |
/usr/sbin/iptables | iptables -A INPUT -p tcp --destination-port 5358 -j DROP |
/tmp/.i.elf | - |
/bin/sh | sh -c "iptables -D INPUT -j CWMP_CR" |
/bin/sh | - |
/usr/sbin/iptables | iptables -D INPUT -j CWMP_CR |
/tmp/.i.elf | - |
/bin/sh | sh -c "iptables -X CWMP_CR" |
/bin/sh | - |
/usr/sbin/iptables | iptables -X CWMP_CR |
/tmp/.i.elf | - |
/bin/sh | sh -c "iptables -I INPUT -p udp --dport 11002 -j ACCEPT" |
/bin/sh | - |
/usr/sbin/iptables | iptables -I INPUT -p udp --dport 11002 -j ACCEPT |

Domains

Name | IP | Malicious
daisy.ubuntu.com | 162.213.35.24 |
router.bittorrent.com | 67.215.246.10 |
router.utorrent.com | 82.221.103.244 |

IPs


Memdumps
