Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

hidakibest.mips.elf

ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped

initial sample

Details

Filetype:	ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped
Entropy:	5.40581622186805
Filename:	hidakibest.mips.elf
Filesize:	144442
MD5:	a19235f98fbb6e1954ca0c6461cc51e3
SHA1:	6c5db7576216aebc4c0a4fd3d4a4bf9cd5a46b2a
SHA256:	d38b2dfbb0d25eee7ad645ad161e59db04acd24cc3afd7534b53de2d40399236
SHA512:	5844381f4dd95b95142df789404006ddd0f3f634bbdfc366905bc8e6b2a6374c74ec70e7d3097147b01a07cc685a16c81622ed1fd2693419530ae47c790f3803
SSDEEP:	3072:sGGNZfCos2pA4FC+5hvikTam0/5ApYADn:hACyK40+5hvi9m0/5ASADn
Preview:	.ELF.....................@.....4.........4. ...(....p........@...@...........................@...@...........................B...B.........x...............D.B.D.B.D................dt.Q.................................................C(.<...'.(....!'......

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Opens /proc/net/* files useful for finding connected devices and routers	Spreading	Remote System Discovery
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
Yara signature match	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
URLs found in memory or binary data	Networking

/tmp/qemu-open.YJ04ga (deleted)

ASCII text

dropped

Details

File:	/tmp/qemu-open.YJ04ga (deleted)
Category:	dropped
Dump:	qemu-open.YJ04ga (deleted).12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/hidakibest.mips.elf
Type:	ASCII text
Entropy:	3.709552666863289
Encrypted:	false
Ssdeep:	6:iekrEcvwAsE5KlwSd4pzKaV6Lpms/a/1VCxGF:ur+m5MwSdIKaV6L1adVRF
Size:	230
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

/tmp/hidakibest.mips.elf

URLs

Name

Malicious

62.109.28.31:4258

Details

Name:	62.109.28.31:4258
TargetID:	0
From Memory:	false
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

http://www.baidu.com/search/spider.html)

unknown

http://www.billybobbot.com/crawler/)

unknown

http://fast.no/support/crawler.asp)

unknown

http://feedback.redkolibri.com/

unknown

http://www.baidu.com/search/spider.htm)

unknown

Domains

Name

Malicious

daisy.ubuntu.com

162.213.35.24

IPs

Domain

Country

Malicious

62.109.28.31

unknown

Russian Federation

Details

IP:	62.109.28.31
TargetID:	-1
Country:	Russian Federation
Countrycode:	RUS
ASN number:	29182
ASN name:	THEFIRST-ASRU
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7f2e8c41a000

page execute read

7f2e8c41a000

page execute read

561eea59d000

page execute read

7f2f1183a000

page read and write

561eee855000

page read and write

7f2f112e8000

page read and write

7fff751be000

page execute read

7f2f0c000000

page read and write

7f2f10c89000

page read and write

7f2f10481000

page read and write

7f2f11328000

page read and write

7f2e8c433000

page read and write

7f2f1196b000

page read and write

7fff7519f000

page read and write

7f2f112e8000

page read and write

561eec844000

page read and write

7f2f119b0000

page read and write

561eea82f000

page read and write

7f2e8c42b000

page read and write

7f2f11963000

page read and write

561eea825000

page read and write

7f2f1130b000

page read and write

561eee855000

page read and write

7f2f10c97000

page read and write

7f2f1196b000

page read and write

7f2f11328000

page read and write

561eec82d000

page execute and read and write

561eea59d000

page execute read

7f2e8c42b000

page read and write

7f2f1183a000

page read and write

561eea82f000

page read and write

561eec82d000

page execute and read and write

7f2f10f47000

page read and write

7f2f1130b000

page read and write

7f2f11659000

page read and write

7f2f10481000

page read and write

7fff751be000

page execute read

7fff7519f000

page read and write

7f2f11963000

page read and write

7f2f11659000

page read and write

7f2f10c97000

page read and write

561eea825000

page read and write

7f2f0c021000

page read and write

7f2f10f47000

page read and write

7f2f10c89000

page read and write

7f2f0c000000

page read and write

561eec844000

page read and write

7f2f0c021000

page read and write

7f2f119b0000

page read and write

7f2e8c433000

page read and write

There are 40 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
hidakibest.mips.elf

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reporthidakibest.mips.elf

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
hidakibest.mips.elf