Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Hilix.arm7

ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, with debug_info, not stripped

initial sample

Details

Filetype:	ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, with debug_info, not stripped
Entropy:	6.000368988621463
Filename:	Hilix.arm7
Filesize:	135325
MD5:	b4e8ab5b0bff530fb56ebbd197595820
SHA1:	2efbf3ddbd8b6692bf196a24eec27ae61102b055
SHA256:	36ef791656cda0727c60da0e83e02a78ab4abe7745a4b87eeb6c375000fed84e
SHA512:	e719506a778d479cf8e5d5a9676f6d7e990d65edfeb6a1ce8361569fb01f04ed6e9fa4802831df26b87e2e4ee5af196ac52b8f76c6d2741881d3e0d53ae18627
SSDEEP:	3072:S3APluDpVDV+IORNZmIEpyrkEc5Omoncc+X1O3M/9kDNn:KAPluNVD+2pyrkE0OeX1SM/9kDNn
Preview:	.ELF..............(.........4...X.......4. ...(........pPA..P...P...................................hB..hB..............hB..hB..hB......43..............lB..lB..lB..................Q.td..................................-...L..................@-.,@...0....S

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Sample tries to kill many processes (SIGKILL)	System Summary
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
Enumerates processes within the "proc" file system	Persistence and Installation Behavior	OS Credential Dumping
Sample listens on a socket	Networking
Sample tries to kill a process (SIGKILL)	System Summary
Found detection on Joe Sandbox Cloud Basic with higher score	System Summary
URLs found in memory or binary data	Networking
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion

/proc/5290/oom_score_adj

ASCII text

dropped

Details

File:	/proc/5290/oom_score_adj
Category:	dropped
Dump:	oom_score_adj.22.dr
ID:	dr_0
Target ID:	22
Process:	/usr/sbin/sshd
Type:	ASCII text
Entropy:	1.7924812503605778
Encrypted:	false
Ssdeep:	3:ptn:Dn
Size:	6
Whitelisted:	false
Reputation:	high

/proc/5405/oom_score_adj

ASCII text

dropped

Details

File:	/proc/5405/oom_score_adj
Category:	dropped
Dump:	oom_score_adj.28.dr
ID:	dr_2
Target ID:	28
Process:	/usr/sbin/sshd
Type:	ASCII text
Entropy:	1.7924812503605778
Encrypted:	false
Ssdeep:	3:ptn:Dn
Size:	6
Whitelisted:	false
Reputation:	high

/proc/5407/oom_score_adj

ASCII text

dropped

Details

File:	/proc/5407/oom_score_adj
Category:	dropped
Dump:	oom_score_adj.32.dr
ID:	dr_4
Target ID:	32
Process:	/usr/sbin/sshd
Type:	ASCII text
Entropy:	1.7924812503605778
Encrypted:	false
Ssdeep:	3:ptn:Dn
Size:	6
Whitelisted:	false
Reputation:	high

/run/sshd.pid

ASCII text

dropped

Details

File:	/run/sshd.pid
Category:	dropped
Dump:	sshd.pid.32.dr
ID:	dr_5
Target ID:	32
Process:	/usr/sbin/sshd
Type:	ASCII text
Entropy:	2.321928094887362
Encrypted:	false
Ssdeep:	3:E4v:Ei
Size:	5
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

/tmp/Hilix.arm7

n/a

/tmp/Hilix.arm7

n/a

/tmp/Hilix.arm7

n/a

/tmp/Hilix.arm7

n/a

/tmp/Hilix.arm7

n/a

/tmp/Hilix.arm7

n/a

/tmp/Hilix.arm7

n/a

/tmp/Hilix.arm7

n/a

/tmp/Hilix.arm7

n/a

/tmp/Hilix.arm7

n/a

/tmp/Hilix.arm7

n/a

/tmp/Hilix.arm7

n/a

/tmp/Hilix.arm7

n/a

/tmp/Hilix.arm7

n/a

/tmp/Hilix.arm7

n/a

/tmp/Hilix.arm7

n/a

/tmp/Hilix.arm7

n/a

/tmp/Hilix.arm7

n/a

/tmp/Hilix.arm7

n/a

/usr/lib/systemd/systemd

n/a

/usr/sbin/sshd

/usr/sbin/sshd -t

/usr/lib/systemd/systemd

n/a

/usr/sbin/sshd

/usr/sbin/sshd -D

/usr/lib/systemd/systemd

n/a

/usr/sbin/sshd

/usr/sbin/sshd -t

/usr/lib/systemd/systemd

n/a

/usr/sbin/sshd

/usr/sbin/sshd -D

/usr/lib/systemd/systemd

n/a

/usr/sbin/sshd

/usr/sbin/sshd -t

/usr/lib/systemd/systemd

n/a

/usr/sbin/sshd

/usr/sbin/sshd -D

There are 22 hidden processes, click here to show them.

URLs

Name

Malicious

http://127.0.0.1:52869/picdesc.xml

185.235.182.35

Details

Name:	http://127.0.0.1:52869/picdesc.xml
IP:	185.235.182.35
TargetID:	-1
From Memory:	false
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)	Networking
Connects to many ports of the same IP (likely port scanning)	Networking

http://37.0.9.202/bins/Hilix.mips

unknown

Details

Name:	http://37.0.9.202/bins/Hilix.mips
TargetID:	21058
From Memory:	true
Source:	Hilix.arm7, 5242.1.000000000a5e11bf.00000000a0cfde16.r-x.sdmp

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

http://127.0.0.1:52869/wanipcn.xml

185.235.182.35

Details

Name:	http://127.0.0.1:52869/wanipcn.xml
IP:	185.235.182.35
TargetID:	-1
From Memory:	false
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)	Networking
Connects to many ports of the same IP (likely port scanning)	Networking

http://schemas.xmlsoap.org/soap/encoding/

unknown

Details

Name:	http://schemas.xmlsoap.org/soap/encoding/
TargetID:	21058
From Memory:	true
Source:	Hilix.arm7, 5242.1.000000000a5e11bf.00000000a0cfde16.r-x.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

http://schemas.xmlsoap.org/soap/envelope/

unknown

Details

Name:	http://schemas.xmlsoap.org/soap/envelope/
TargetID:	21058
From Memory:	true
Source:	Hilix.arm7, 5242.1.000000000a5e11bf.00000000a0cfde16.r-x.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

45.104.67.35

unknown

Egypt

45.147.166.20

unknown

Czech Republic

216.78.45.202

unknown

United States

124.31.169.14

unknown

China

91.31.35.104

unknown

Germany

139.74.185.195

unknown

Finland

45.202.220.158

unknown

Seychelles

43.85.41.34

unknown

Japan

45.23.237.231

unknown

United States

122.145.97.123

unknown

Japan

45.44.167.1

unknown

Canada

45.219.30.118

unknown

Morocco

185.231.215.230

unknown

Germany

41.37.180.38

unknown

Egypt

98.48.231.147

unknown

United States

101.160.47.9

unknown

Australia

197.89.97.62

unknown

South Africa

45.12.189.24

unknown

United Kingdom

185.49.104.0

unknown

Iran (ISLAMIC Republic Of)

182.219.78.33

unknown

Korea Republic of

185.15.150.47

unknown

Spain

119.29.176.99

unknown

China

178.206.173.128

unknown

Russian Federation

91.219.76.67

unknown

Netherlands

185.106.118.57

unknown

Russian Federation

185.160.193.237

unknown

Lebanon

41.127.73.178

unknown

South Africa

45.243.89.42

unknown

Egypt

185.60.44.215

unknown

Russian Federation

185.199.179.22

unknown

Switzerland

91.45.165.251

unknown

Germany

91.167.86.166

unknown

France

185.103.6.246

unknown

United Kingdom

185.199.120.216

unknown

Serbia

60.164.193.221

unknown

China

91.120.152.23

unknown

Hungary

141.118.215.7

unknown

Canada

185.106.118.84

unknown

Russian Federation

91.209.253.47

unknown

Saudi Arabia

185.102.172.198

unknown

Netherlands

185.106.118.88

unknown

Russian Federation

185.41.19.241

unknown

Norway

104.6.30.146

unknown

United States

217.244.31.20

unknown

Germany

41.240.109.234

unknown

Sudan

170.69.95.123

unknown

United States

41.117.228.155

unknown

South Africa

91.7.145.16

unknown

Germany

2.199.168.22

unknown

Italy

45.93.168.230

unknown

Iran (ISLAMIC Republic Of)

130.43.171.48

unknown

United Kingdom

202.132.234.94

unknown

Taiwan; Republic of China (ROC)

91.41.176.9

unknown

Germany

91.118.21.130

unknown

Austria

91.179.103.175

unknown

Belgium

91.243.156.169

unknown

Spain

185.19.109.132

unknown

United Kingdom

185.108.193.73

unknown

Russian Federation

41.171.231.152

unknown

South Africa

63.156.139.155

unknown

United States

91.121.98.244

unknown

France

113.63.35.130

unknown

China

91.131.88.122

unknown

Austria

131.85.67.23

unknown

United States

185.25.208.138

unknown

United Kingdom

41.227.43.23

unknown

Tunisia

45.214.217.169

unknown

Zambia

91.136.66.241

unknown

United Kingdom

91.130.62.100

unknown

Austria

197.217.213.27

unknown

Angola

91.21.45.255

unknown

Germany

43.116.248.47

unknown

Japan

197.252.76.102

unknown

Sudan

137.180.202.181

unknown

United States

156.76.237.19

unknown

United States

197.195.100.248

unknown

Egypt

44.214.129.38

unknown

United States

91.158.194.94

unknown

Finland

113.78.107.195

unknown

China

185.113.220.220

unknown

Turkey

197.12.31.221

unknown

Tunisia

45.197.31.32

unknown

Seychelles

185.251.30.158

unknown

Romania

125.231.33.171

unknown

Taiwan; Republic of China (ROC)

156.16.3.236

unknown

91.147.188.148

unknown

Saudi Arabia

45.221.254.62

unknown

Benin

185.10.95.107

unknown

Germany

91.190.247.23

unknown

Germany

35.7.247.69

unknown

United States

185.218.251.226

unknown

France

91.137.158.179

unknown

Hungary

58.8.118.229

unknown

Thailand

23.199.141.103

unknown

United States

160.226.233.255

unknown

South Africa

45.13.195.4

unknown

Russian Federation

173.132.255.217

unknown

United States

73.217.64.0

unknown

United States

185.187.222.109

unknown

Italy

197.144.115.203

unknown

Morocco

There are 90 hidden IPs, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report

Files

Processes

URLs

IPs