Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

FBI.mpsl.elf

ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped

initial sample

Details

Filetype:	ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Entropy:	5.5672625287709225
Filename:	FBI.mpsl.elf
Filesize:	148432
MD5:	8dc5b73bfbb611eca798e3c241157a07
SHA1:	3af934ec699e37cd31adfb9a5213f5c6ec29fd2f
SHA256:	8749cd66b0c74ba5c8303ad7264485a7db9848b645b8711eddeddd16e1197a69
SHA512:	b2cbf35737a9a706fff22f2e2d3930ee361af2ada22929340fce2d61472e2cd9e90a2fdc044fc81ed4be9e9d526848997512e2e8683f2a5e99c4643b4be745dd
SSDEEP:	1536:hT6XhNDW35hnjMCXvn/vyU08Q+20XIPSZiuA09S9NZw58xSKD8BwH5hspCfN:F6zDW9vp52xa/AOrCYLC5hspCf
Preview:	.ELF......................@.4....@......4. ...(........p......@...@...........................@...@.l...l...............l...l.E.l.E.....xv..........Q.td..................................................F....<...'!......'.......................<...'!... ..

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion
Yara signature match	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
URLs found in memory or binary data	Networking

/run/systemd/resolve/stub-resolv.conf

ASCII text

dropped

Details

File:	/run/systemd/resolve/stub-resolv.conf
Category:	dropped
Dump:	stub-resolv.conf.15.dr
ID:	dr_1
Target ID:	15
Process:	/tmp/FBI.mpsl.elf
Type:	ASCII text
Entropy:	3.3918926446809334
Encrypted:	false
Ssdeep:	24:KaLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLn:KC
Size:	3762
Whitelisted:	false
Reputation:	moderate

Processes

Path

Cmdline

Malicious

/tmp/FBI.mpsl.elf

URLs

Name

Malicious

http://www.baidu.com/search/spider.html)

unknown

http://www.billybobbot.com/crawler/)

unknown

http://fast.no/support/crawler.asp)

unknown

http://feedback.redkolibri.com/

unknown

http://www.baidu.com/search/spider.htm)

unknown

Domains

Name

Malicious

daisy.ubuntu.com

162.213.35.24

IPs

Domain

Country

Malicious

154.213.187.206

unknown

Seychelles

Details

IP:	154.213.187.206
TargetID:	-1
Country:	Seychelles
Countrycode:	SYC
ASN number:	22769
ASN name:	DDOSING-BGP-NETWORKUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

185.125.190.26

unknown

United Kingdom

Details

IP:	185.125.190.26
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7f86ec420000

page execute read

7f86ec420000

page execute read

7f86ec420000

page execute read

7f86ec420000

page execute read

7f86ec420000

page execute read

56179c225000

page execute and read and write

7f87749de000

page read and write

7f8773cc5000

page read and write

7f8774316000

page read and write

7f8774999000

page read and write

56179a21d000

page read and write

56179a21d000

page read and write

7f8774999000

page read and write

56179a21d000

page read and write

7f876c021000

page read and write

56179a227000

page read and write

7f8774999000

page read and write

7f8773f75000

page read and write

7f8773cb7000

page read and write

7f8774991000

page read and write

7f8773f75000

page read and write

7f8774356000

page read and write

7f8774316000

page read and write

7f86ec461000

page read and write

7f8774868000

page read and write

7f8774999000

page read and write

7f8774687000

page read and write

561799f95000

page execute read

561799f95000

page execute read

56179a227000

page read and write

7fff94271000

page read and write

7f876c000000

page read and write

56179c23c000

page read and write

7f8774991000

page read and write

7f8774339000

page read and write

7f8774316000

page read and write

7f8773cc5000

page read and write

7f8773cc5000

page read and write

7fff94271000

page read and write

7f87749de000

page read and write

7f876c000000

page read and write

7f8773cc5000

page read and write

7f8774339000

page read and write

7fff94271000

page read and write

56179c23c000

page read and write

7f86ec467000

page read and write

7f86ec467000

page read and write

7f86ec467000

page read and write

56179c225000

page execute and read and write

7fff94333000

page execute read

7f8773cb7000

page read and write

7f8774356000

page read and write

7f8773f75000

page read and write

7f8774687000

page read and write

56179a21d000

page read and write

56179a227000

page read and write

56179a227000

page read and write

56179c23c000

page read and write

7fff94333000

page execute read

7f87749de000

page read and write

561799f95000

page execute read

561799f95000

page execute read

7f8774356000

page read and write

7f8774339000

page read and write

7f876c021000

page read and write

7f87734af000

page read and write

7f86ec467000

page read and write

7f86ec461000

page read and write

56179d6e7000

page read and write

56179c225000

page execute and read and write

7f8774868000

page read and write

56179c225000

page execute and read and write

7f876c000000

page read and write

7f8773cb7000

page read and write

7f876c000000

page read and write

56179c225000

page execute and read and write

7f8774868000

page read and write

7f86ec461000

page read and write

7f8773f75000

page read and write

56179d6e7000

page read and write

7f8773cc5000

page read and write

7f876c021000

page read and write

7f87734af000

page read and write

7f8774868000

page read and write

7fff94271000

page read and write

7fff94333000

page execute read

7f8774687000

page read and write

7f8774687000

page read and write

7f87734af000

page read and write

7f87734af000

page read and write

56179a227000

page read and write

7fff94333000

page execute read

7fff94333000

page execute read

7f8774991000

page read and write

7f8773cb7000

page read and write

56179d6e7000

page read and write

56179a21d000

page read and write

7f8774356000

page read and write

7f86ec468000

page read and write

7fff94271000

page read and write

7f87749de000

page read and write

56179d6e7000

page read and write

7f8774316000

page read and write

56179c23c000

page read and write

7f8774868000

page read and write

7f8773cb7000

page read and write

7f8774991000

page read and write

7f8774999000

page read and write

56179d6e7000

page read and write

7f87734af000

page read and write

7f876c000000

page read and write

7f86ec468000

page read and write

7f86ec468000

page read and write

7f8774991000

page read and write

7f86ec461000

page read and write

7f86ec468000

page read and write

7f86ec467000

page read and write

7f8774356000

page read and write

7f8774339000

page read and write

56179c23c000

page read and write

561799f95000

page execute read

7f86ec461000

page read and write

7f8774687000

page read and write

7f87749de000

page read and write

7f8774339000

page read and write

7f8774316000

page read and write

7f8773f75000

page read and write

7f876c021000

page read and write

7f876c021000

page read and write

There are 119 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
FBI.mpsl.elf

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportFBI.mpsl.elf

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
FBI.mpsl.elf