Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

FwLad7Fxwv.elf

ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped

initial sample

Details

Filetype:	ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Entropy:	5.556730856469953
Filename:	FwLad7Fxwv.elf
Filesize:	79448
MD5:	413fedc45da2ad408f91fe2d6ecc830a
SHA1:	4d78c79c811b3fd8b9f1ee2c6c57e8e2d5508dfd
SHA256:	f80cd3259f269a6a1b266178c8d3cb9b4d5774427a67371d382adcffa53f98af
SHA512:	c2ac239058687cba7cbb1f68a35ef568be8d74f8e7966c8e803a1d5ba09ced3689e842c04bcaa576a61bcdf93d4bb23febf0a146d8d5c34279b8663a66c60bd1
SSDEEP:	1536:ldZeohW9uklAIYyBBAn/+aUZ0Z8FABk9i8k4:lDeohW9ukfO+aUZ0A7k
Preview:	.ELF....................`.@.4...(4......4. ...(...............@...@..%...%...............%...%E..%E.0...L0..........Q.td...............................<...'!......'.......................<...'!... .........9'.. ........................<...'!.............9

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Sample deletes itself	Hooking and other Techniques for Hiding and Protection	File Deletion
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion
Yara signature match	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery

/tmp/qemu-open.AaDJZI (deleted)

data

dropped

Details

File:	/tmp/qemu-open.AaDJZI (deleted)
Category:	dropped
Dump:	qemu-open.AaDJZI (deleted).12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/FwLad7Fxwv.elf
Type:	data
Entropy:	4.323231428797621
Encrypted:	false
Ssdeep:	3:Tgupo/ANloHJN:Tgupo/ilaJN
Size:	30
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

/tmp/FwLad7Fxwv.elf

Domains

Name

Malicious

kovey.mezo-api.xyz

45.131.111.219

Details

Name:	kovey.mezo-api.xyz
IP:	45.131.111.219
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Performs DNS queries to domains with low reputation	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

45.131.111.219

kovey.mezo-api.xyz

Germany

Details

IP:	45.131.111.219
TargetID:	-1
Country:	Germany
Countrycode:	DEU
ASN number:	398373
ASN name:	SERVERDESTROYERSUS
Private:	false
Domain:	kovey.mezo-api.xyz

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

109.202.202.202

unknown

Switzerland

Details

IP:	109.202.202.202
TargetID:	-1
Country:	Switzerland
Countrycode:	CHE
ASN number:	13030
ASN name:	INIT7CH
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.43

unknown

United Kingdom

Details

IP:	91.189.91.43
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.42

unknown

United Kingdom

Details

IP:	91.189.91.42
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7f3000413000

page execute read

7f30852c2000

page read and write

5584a63d1000

page read and write

7f3085012000

page read and write

7f3080021000

page read and write

5584a3423000

page read and write

5584a5442000

page read and write

5584a319b000

page execute read

7f3080000000

page read and write

7f3085663000

page read and write

7f3085ce6000

page read and write

7f3085686000

page read and write

7f30856a3000

page read and write

7ffe50ab7000

page read and write

7f3000454000

page read and write

7f3000457000

page read and write

7f3085cde000

page read and write

7f3085004000

page read and write

7f30859d4000

page read and write

7f30847fc000

page read and write

5584a342d000

page read and write

7f3085d2b000

page read and write

5584a542b000

page execute and read and write

7ffe50b67000

page execute read

7f3085bb5000

page read and write

There are 15 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
FwLad7Fxwv.elf

Files

Processes

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportFwLad7Fxwv.elf

Files

Processes

Domains

IPs

Memdumps

IOC Report
FwLad7Fxwv.elf