Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

/tmp/vwkjebwi686.elf

Domains

Name

Malicious

raw.eye-network.ru

213.232.235.18

Details

Name:	raw.eye-network.ru
IP:	213.232.235.18
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Sends malformed DNS queries	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

raw.eye-network.ru. [malformed]

unknown

IPs

Domain

Country

Malicious

213.232.235.18

raw.eye-network.ru

Russian Federation

Details

IP:	213.232.235.18
TargetID:	-1
Country:	Russian Federation
Countrycode:	RUS
ASN number:	39824
ASN name:	ALMANET-ASKZ
Private:	false
Domain:	raw.eye-network.ru

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

109.202.202.202

unknown

Switzerland

Details

IP:	109.202.202.202
TargetID:	-1
Country:	Switzerland
Countrycode:	CHE
ASN number:	13030
ASN name:	INIT7CH
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.43

unknown

United Kingdom

Details

IP:	91.189.91.43
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.42

unknown

United Kingdom

Details

IP:	91.189.91.42
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

805e000

page execute read

Details

Name:	6265.1.0000000008048000.000000000805e000.r-x.sdmp
TargetID:	12
Dumpstage:	process exit
Protect:	page execute read
Base address:	805e000
Size:	90112

Signature Hits	Behavior Group	Mitre Attack
Malicious sample detected (through community Yara rule)	System Summary
Yara detected Mirai	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Okiru	Stealing of Sensitive Information, Remote Access Functionality
Yara signature match	System Summary

8b26000

page read and write

fff06000

page read and write

8068000

page read and write

f7f82000

page execute read

8063000

page read and write

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
vwkjebwi686.elf

Processes

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportvwkjebwi686.elf

Processes

Domains

IPs

Memdumps

IOC Report
vwkjebwi686.elf