Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

.i.elf

ELF 32-bit LSB executable, ARM, EABI5 version 1 (GNU/Linux), statically linked, no section header

initial sample

Details

Filetype:	ELF 32-bit LSB executable, ARM, EABI5 version 1 (GNU/Linux), statically linked, no section header
Entropy:	7.990822940503946
Filename:	.i.elf
Filesize:	80280
MD5:	e5940168886f77e0511035238d976b0a
SHA1:	ebe648b8cbd999844e725915e00aad00011a9f4c
SHA256:	c92d81d7adca77fda2be2826610ac3fbd0d35bfc917534397dd8660621a2b471
SHA512:	a5631261114adfb213db5009a11dd1254030b4045151922c3ff029eac0ee7cc14b1a83c2343d99e43cb90267e1a1604b15da950180a02f6302e387986d96dc31
SSDEEP:	1536:87vbq1lGAXSEYQjbChaAU2yU23M51DjZgSQAvcYkFtZTjzBhta:8D+CAXFYQChaAUk5ljnQsso
Preview:	.ELF..............(......'..4...........4. ...(......................7...7.............................................c........................i..........?.E.h;....#..$..O.%.......y.A.U"......-R..e....<l>=).!...O........u.....`o..*ziy"......R..~@....x2'_

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Opens /proc/net/* files useful for finding connected devices and routers	Spreading	Remote System Discovery
Sample deletes itself	Hooking and other Techniques for Hiding and Protection	File Deletion
Creates hidden files and/or directories	Persistence and Installation Behavior	Hidden Files and Directories
ELF contains segments with high entropy indicating compressed/encrypted content	Hooking and other Techniques for Hiding and Protection	Obfuscated Files or Information
Enumerates processes within the "proc" file system	Persistence and Installation Behavior	OS Credential Dumping
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Reads the 'hosts' file potentially containing internal network hosts	Networking	File and Directory Discovery
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery

/tmp/qemu-open.2H0wOg (deleted)

data

dropped

Details

File:	/tmp/qemu-open.2H0wOg (deleted)
Category:	dropped
Dump:	qemu-open.2H0wOg (deleted).13.dr
ID:	dr_0
Target ID:	13
Process:	/tmp/.i.elf
Type:	data
Entropy:	3.2516291673878226
Encrypted:	false
Ssdeep:	3:TgLxl:TgLj
Size:	12
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

/tmp/.i.elf

/bin/sh

/bin/sh -c "iptables -A INPUT -p tcp --destination-port 23 -j DROP"

/bin/sh

/usr/sbin/iptables

iptables -A INPUT -p tcp --destination-port 23 -j DROP

/tmp/.i.elf

/bin/sh

/bin/sh -c "iptables -A INPUT -p tcp --destination-port 7547 -j DROP"

/bin/sh

/usr/sbin/iptables

iptables -A INPUT -p tcp --destination-port 7547 -j DROP

/tmp/.i.elf

/bin/sh

/bin/sh -c "iptables -A INPUT -p tcp --destination-port 5555 -j DROP"

/bin/sh

/usr/sbin/iptables

iptables -A INPUT -p tcp --destination-port 5555 -j DROP

/tmp/.i.elf

/bin/sh

/bin/sh -c "iptables -A INPUT -p tcp --destination-port 5358 -j DROP"

/bin/sh

/usr/sbin/iptables

iptables -A INPUT -p tcp --destination-port 5358 -j DROP

/tmp/.i.elf

/bin/sh

/bin/sh -c "iptables -D INPUT -j CWMP_CR"

/bin/sh

/usr/sbin/iptables

iptables -D INPUT -j CWMP_CR

/tmp/.i.elf

/bin/sh

/bin/sh -c "iptables -X CWMP_CR"

/bin/sh

/usr/sbin/iptables

iptables -X CWMP_CR

/tmp/.i.elf

/bin/sh

/bin/sh -c "iptables -I INPUT -p udp --dport 27986 -j ACCEPT"

/bin/sh

/usr/sbin/iptables

iptables -I INPUT -p udp --dport 27986 -j ACCEPT

There are 20 hidden processes, click here to show them.

Domains

Name

Malicious

router.bittorrent.com

unknown

router.utorrent.com

unknown

IPs

Domain

Country

Malicious

109.202.202.202

unknown

Switzerland

Details

IP:	109.202.202.202
TargetID:	-1
Country:	Switzerland
Countrycode:	CHE
ASN number:	13030
ASN name:	INIT7CH
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.43

unknown

United Kingdom

Details

IP:	91.189.91.43
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.42

unknown

United Kingdom

Details

IP:	91.189.91.42
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7fde00953000

page read and write

55e983a11000

page read and write

7fddfc021000

page read and write

7ffd8675c000

page read and write

55e981505000

page read and write

7fde017dd000

page read and write

55e9814fc000

page read and write

7fde01e59000

page read and write

7fde01949000

page read and write

7fde0115b000

page read and write

7fdcfc062000

page read and write

7ffd867aa000

page execute read

7fde017ba000

page read and write

7fde011ed000

page read and write

7fddfbfff000

page read and write

55e9812ab000

page execute read

55e98351a000

page read and write

7fdcfc080000

page execute and read and write

7fdcfc049000

page execute read

55e983503000

page execute and read and write

7fde01e35000

page read and write

7fde01d0c000

page read and write

7fde01e9e000

page read and write

7fde0154f000

page read and write

7fde01b2b000

page read and write

There are 15 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
.i.elf

Files

Processes

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report.i.elf

Files

Processes

Domains

IPs

Memdumps

IOC Report
.i.elf