Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

tyo2831qq.mips.elf

ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped

initial sample

Details

Filetype:	ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped
Entropy:	5.481663992850583
Filename:	tyo2831qq.mips.elf
Filesize:	212776
MD5:	d9a674fbf18283b2457bed5acf6eeee3
SHA1:	4514cbde77537c8ecff0ed4fa3e8ea8c31eaae63
SHA256:	54fe5560cb69338057594bfdf0911c042c625a22f54ea59d7d3cfd9d4cf09f56
SHA512:	2372bf24f078b4fb282cdaf29b4218e8b6bf1475b0ef2a9bbfa22c054f48636a88bd794d13c408f70b87b5f5b30d9a1e21fcb29bcd002b2cc141568e99192ff5
SSDEEP:	3072:8WP0M+Qz7aFFzo7ksOIaCHA5hPgsz0Fl0mrpy6n9Nn:JpSgGJCHA5hP1mrpy6n9Nn
Preview:	.ELF.....................@.....4...X.....4. ...(....p........@...@...........................@...@...........................C...C...........................C...C..................dt.Q.................................................D'.<...'.&....!'......

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Opens /proc/net/* files useful for finding connected devices and routers	Spreading	Remote System Discovery
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
Yara signature match	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
URLs found in memory or binary data	Networking

/tmp/qemu-open.9vNfwj (deleted)

ASCII text

dropped

Details

File:	/tmp/qemu-open.9vNfwj (deleted)
Category:	dropped
Dump:	qemu-open.9vNfwj (deleted).12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/tyo2831qq.mips.elf
Type:	ASCII text
Entropy:	3.709552666863289
Encrypted:	false
Ssdeep:	6:iekrEcvwAsE5KlwSd4pzKaV6Lpms/a/1VCxGF:ur+m5MwSdIKaV6L1adVRF
Size:	230
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

/tmp/tyo2831qq.mips.elf

URLs

Name

Malicious

109.120.156.253:1780

Details

Name:	109.120.156.253:1780
TargetID:	0
From Memory:	false
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

http://www.baidu.com/search/spider.html)

unknown

http://www.billybobbot.com/crawler/)

unknown

http://fast.no/support/crawler.asp)

unknown

http://feedback.redkolibri.com/

unknown

http://www.baidu.com/search/spider.htm)

unknown

Domains

Name

Malicious

daisy.ubuntu.com

162.213.35.24

IPs

Domain

Country

Malicious

109.120.156.253

unknown

Russian Federation

Details

IP:	109.120.156.253
TargetID:	-1
Country:	Russian Federation
Countrycode:	RUS
ASN number:	30968
ASN name:	INFOBOX-ASInfoboxruAutonomousSystemRU
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7f005042a000

page execute read

7f005042a000

page execute read

7f00d68c6000

page read and write

7f00d7477000

page read and write

7f00d75a8000

page read and write

7f00d68d4000

page read and write

7fff241e4000

page execute read

7f00d7296000

page read and write

5655377cc000

page read and write

7fff240a2000

page read and write

7f00d0021000

page read and write

7f00d6f65000

page read and write

7f00d68c6000

page read and write

5655357ad000

page read and write

5655357b7000

page read and write

7f00d6f25000

page read and write

7f00d6b84000

page read and write

565535525000

page execute read

7f00d75ed000

page read and write

7f00d60be000

page read and write

7f00d6f65000

page read and write

7f00d75a0000

page read and write

7f00d68d4000

page read and write

7f00d6f48000

page read and write

7f00d75a0000

page read and write

7f00d6b84000

page read and write

7f00d60be000

page read and write

7f00d6f48000

page read and write

7f00d0000000

page read and write

7f00d75a8000

page read and write

7f00d0021000

page read and write

5655357ad000

page read and write

565535525000

page execute read

7fff241e4000

page execute read

56553973b000

page read and write

7f0050443000

page read and write

7f005043b000

page read and write

5655377b5000

page execute and read and write

7f00d7296000

page read and write

7f00d0000000

page read and write

5655377cc000

page read and write

7f00d7477000

page read and write

56553973b000

page read and write

7fff240a2000

page read and write

5655357b7000

page read and write

5655377b5000

page execute and read and write

7f00d6f25000

page read and write

7f00d75ed000

page read and write

7f0050443000

page read and write

7f005043b000

page read and write

There are 40 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
tyo2831qq.mips.elf

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reporttyo2831qq.mips.elf

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
tyo2831qq.mips.elf