Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

KHSQ48GkGn

ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped

initial sample

Details

Filetype:	ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Entropy:	5.532720047701684
Filename:	KHSQ48GkGn
Filesize:	77284
MD5:	905f7222e4cc69941935cdef4fa16246
SHA1:	84210b6c2c580b67c433e56c0d41831ce17bdd74
SHA256:	cd091f9f91f748395e30fa49ed2c4fc9e68247d5e9ae08982d5a2fb3ed074280
SHA512:	248640416fb1fe7276cd1f1d05c3fc444e5aff292103ebb95032abf5af1fe012a49756a36406f00d6dc5c10f01fcc7134cea28f266ac0af9581d489c1f7b7d6c
SSDEEP:	1536:aVNzbOfVDFKxJrilJTlzE0eGT2oBjnknutbjopj/Mf8bI3mC:aVdbS8rivlzE0eGT2oB4KjopzM0LC
Preview:	.ELF.....................@.`...4..+......4. ...(.............@...@....%0..%0..............%4.E%4.E%4.......\........dt.Q............................<...'......!'.......................<...'......!... ....'9... ......................<...'......!........'9.

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Sample tries to kill many processes (SIGKILL)	System Summary
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
Enumerates processes within the "proc" file system	Persistence and Installation Behavior	OS Credential Dumping
Sample listens on a socket	Networking
Sample tries to kill a process (SIGKILL)	System Summary
Found detection on Joe Sandbox Cloud Basic with higher score	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
URLs found in memory or binary data	Networking

/proc/5282/oom_score_adj

ASCII text

dropped

Details

File:	/proc/5282/oom_score_adj
Category:	dropped
Dump:	oom_score_adj.22.dr
ID:	dr_0
Target ID:	22
Process:	/usr/sbin/sshd
Type:	ASCII text
Entropy:	1.7924812503605778
Encrypted:	false
Ssdeep:	3:ptn:Dn
Size:	6
Whitelisted:	false
Reputation:	high

/run/sshd.pid

ASCII text

dropped

Details

File:	/run/sshd.pid
Category:	dropped
Dump:	sshd.pid.22.dr
ID:	dr_1
Target ID:	22
Process:	/usr/sbin/sshd
Type:	ASCII text
Entropy:	1.9219280948873623
Encrypted:	false
Ssdeep:	3:CF:CF
Size:	5
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

/tmp/KHSQ48GkGn

n/a

/tmp/KHSQ48GkGn

n/a

/tmp/KHSQ48GkGn

n/a

/tmp/KHSQ48GkGn

n/a

/tmp/KHSQ48GkGn

n/a

/tmp/KHSQ48GkGn

n/a

/tmp/KHSQ48GkGn

n/a

/tmp/KHSQ48GkGn

n/a

/usr/lib/systemd/systemd

n/a

/usr/sbin/sshd

/usr/sbin/sshd -t

/usr/lib/systemd/systemd

n/a

/usr/sbin/sshd

/usr/sbin/sshd -D

There are 3 hidden processes, click here to show them.

URLs

Name

Malicious

http://127.0.0.1:52869/picdesc.xml

45.33.240.241

Details

Name:	http://127.0.0.1:52869/picdesc.xml
IP:	45.33.240.241
TargetID:	-1
From Memory:	false
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)	Networking

http://37.0.9.202/bins/Hilix.mips

unknown

Details

Name:	http://37.0.9.202/bins/Hilix.mips
TargetID:	21048
From Memory:	true
Source:	KHSQ48GkGn, 5238.1.00000000114beee1.000000004c983291.r-x.sdmp

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection
Multi AV Scanner detection for domain / URL	AV Detection
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

http://127.0.0.1:52869/wanipcn.xml

185.71.66.16

Details

Name:	http://127.0.0.1:52869/wanipcn.xml
IP:	185.71.66.16
TargetID:	-1
From Memory:	false
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)	Networking

http://schemas.xmlsoap.org/soap/encoding/

unknown

Details

Name:	http://schemas.xmlsoap.org/soap/encoding/
TargetID:	21048
From Memory:	true
Source:	KHSQ48GkGn, 5238.1.00000000114beee1.000000004c983291.r-x.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

http://schemas.xmlsoap.org/soap/envelope/

unknown

Details

Name:	http://schemas.xmlsoap.org/soap/envelope/
TargetID:	21048
From Memory:	true
Source:	KHSQ48GkGn, 5238.1.00000000114beee1.000000004c983291.r-x.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

85.5.0.31

unknown

Switzerland

91.140.176.176

unknown

Kuwait

156.158.98.11

unknown

Tanzania United Republic of

45.131.150.244

unknown

Hungary

107.112.85.166

unknown

United States

132.31.235.152

unknown

United States

45.196.195.162

unknown

Seychelles

185.149.136.56

unknown

Luxembourg

185.249.62.132

unknown

United Kingdom

170.38.145.59

unknown

Malaysia

185.169.213.25

unknown

Germany

91.205.183.109

unknown

Russian Federation

185.142.235.90

unknown

Iran (ISLAMIC Republic Of)

156.114.82.8

unknown

Netherlands

156.144.112.175

unknown

United States

91.242.75.160

unknown

Moldova Republic of

91.181.131.206

unknown

Belgium

185.96.90.189

unknown

Denmark

91.53.180.247

unknown

Germany

41.37.180.38

unknown

Egypt

45.96.249.240

unknown

Egypt

99.73.84.185

unknown

United States

191.109.65.152

unknown

Colombia

45.172.252.178

unknown

Brazil

45.118.249.131

unknown

Hong Kong

187.230.235.180

unknown

Mexico

45.255.85.14

unknown

China

85.126.133.227

unknown

Austria

185.35.202.49

unknown

Norway

45.172.252.173

unknown

Brazil

45.173.189.209

unknown

Brazil

185.53.235.150

unknown

Russian Federation

207.24.250.131

unknown

United States

91.198.46.44

unknown

Russian Federation

23.224.58.148

unknown

United States

185.167.210.139

unknown

Czech Republic

45.196.195.141

unknown

Seychelles

199.212.31.185

unknown

Canada

185.122.183.95

unknown

Germany

45.242.108.18

unknown

Egypt

59.253.101.44

unknown

China

185.231.215.241

unknown

Germany

45.79.143.153

unknown

United States

91.11.116.160

unknown

Germany

45.224.65.249

unknown

Brazil

185.234.46.239

unknown

Germany

185.246.165.84

unknown

Greece

197.39.177.21

unknown

Egypt

185.58.180.30

unknown

Slovenia

154.181.133.50

unknown

Egypt

45.7.164.141

unknown

Brazil

185.51.254.84

unknown

United Kingdom

220.94.246.139

unknown

Korea Republic of

91.142.10.20

unknown

Latvia

79.69.90.139

unknown

United Kingdom

91.108.31.247

unknown

United Kingdom

45.221.254.36

unknown

Benin

91.228.141.143

unknown

Romania

91.74.182.160

unknown

United Arab Emirates

91.196.209.249

unknown

Spain

45.181.208.42

unknown

Brazil

185.188.24.204

unknown

Italy

54.87.50.158

unknown

United States

185.91.208.160

unknown

Azerbaijan

185.169.47.106

unknown

Italy

115.164.29.141

unknown

Malaysia

166.255.95.155

unknown

United States

45.187.4.115

unknown

185.41.197.151

unknown

Russian Federation

91.140.204.28

unknown

Kuwait

41.140.123.128

unknown

Morocco

4.210.184.215

unknown

United States

20.193.115.4

unknown

United States

142.139.130.131

unknown

Canada

45.9.143.88

unknown

Russian Federation

152.53.40.69

unknown

United States

91.201.104.36

unknown

Russian Federation

45.181.208.55

unknown

Brazil

185.187.222.179

unknown

Italy

61.141.69.229

unknown

China

91.120.116.253

unknown

Hungary

188.103.181.60

unknown

Germany

91.100.152.122

unknown

Denmark

185.25.208.132

unknown

United Kingdom

91.119.249.18

unknown

Austria

45.144.98.124

unknown

United Kingdom

143.50.98.191

unknown

Austria

45.253.148.4

unknown

China

45.227.105.111

unknown

Brazil

91.5.46.33

unknown

Germany

41.6.4.185

unknown

South Africa

185.222.2.230

unknown

Austria

185.113.156.34

unknown

Portugal

45.104.92.39

unknown

Egypt

41.176.104.145

unknown

Egypt

197.160.66.227

unknown

Egypt

73.60.156.200

unknown

United States

185.203.74.221

unknown

Switzerland

161.111.188.83

unknown

Spain

131.239.204.208

unknown

United States

There are 90 hidden IPs, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report

Files

Processes

URLs

IPs