Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

QpHMHEg6OQ.elf

ELF 64-bit MSB executable, MIPS, MIPS-III version 1 (SYSV), statically linked, Go BuildID=531EpRgthPZPt3knqoKK/ayf51kNy_prNzbkXr_MN/zxjogFIOCYVVIxufPI04/tQgJURn6GO8NPfNwspcu, stripped

initial sample

Details

Filetype:	ELF 64-bit MSB executable, MIPS, MIPS-III version 1 (SYSV), statically linked, Go BuildID=531EpRgthPZPt3knqoKK/ayf51kNy_prNzbkXr_MN/zxjogFIOCYVVIxufPI04/tQgJURn6GO8NPfNwspcu, stripped
Entropy:	5.36010071783001
Filename:	QpHMHEg6OQ.elf
Filesize:	4786658
MD5:	e97eef55eb472d2ade9bc98b43ba2eec
SHA1:	426529f6ce6e495a669d00a542bc4c7ef3722e53
SHA256:	3df59e66242b59fc077970fa0f3c74d82a24c673394969041133f8bee8c70775
SHA512:	d173b5f3aff15acb0889fe28f1a409540c14d8bd18d1934f17f446b4c6d2bd084c3537705e23271d8e6afda61392fef3c457afdb4ff9964587db17ee02d3e097
SSDEEP:	49152:XralYsYZ/MjJ7fhP2pCQLg1xbnZdY3MnO:Xr9lMjJ7fcjd
Preview:	.ELF...................................@........ ....@.8...@...................@.......@.......@...............................................................d.......d.............................................0.......0.......................1.......2.

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
Found strings which match to known social media urls	Networking
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
URLs found in memory or binary data	Networking

/var/log/btmp

data

dropped

Details

File:	/var/log/btmp
Category:	dropped
Dump:	btmp.23.dr
ID:	dr_1
Target ID:	23
Process:	/usr/sbin/sshd
Type:	data
Entropy:	0.8735982127940438
Encrypted:	false
Ssdeep:	3:DSaDLwbXWXcDltlN2/l:DTMbGsDXm/
Size:	384
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

/tmp/QpHMHEg6OQ.elf

/usr/sbin/sshd

/usr/sbin/sshd -D -R

/usr/sbin/sshd

/usr/sbin/sshd -D -R

/usr/sbin/sshd

/usr/sbin/sshd -D -R

/usr/sbin/sshd

URLs

Name

Malicious

http://www.baidu.com/search/spider.html)

unknown

http://search.msn.com/msnbot.htm

unknown

http://www.baidu.com/search/spider.html)000102030405060708091011121314151617181920212223242526272829

unknown

https://www.so.com/s?q=index

unknown

http://help.yahoo.com/help/us/ysearch/slurp)x509:

unknown

http://www.google.com/mobile/adsbot.html)

unknown

http://www.huaweisymantec.com/cn/IRL/spider)Mozilla/5.0

unknown

http://www.baidu.com/search/spider.html)http2:

unknown

http://yandex.com/bots)http:

unknown

http://www.baidu.com/search/spider.html)Mozilla/5.0

unknown

http://www.entireweb.com/about/search_tech/speedy_spider/)text/html

unknown

http://www.haosou.com/help/help_3_2.htmlMozilla/5.0

unknown

https://www.baidu.com/s?wd=insufficient

unknown

http://www.youdao.com/help/webmaster/spider/;)reflect:

unknown

https://search.yahoo.com/search?p=illegal

unknown

There are 5 hidden URLs, click here to show them.

Domains

Name

Malicious

daisy.ubuntu.com

162.213.35.24

Details

Name:	daisy.ubuntu.com
IP:	162.213.35.24
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

185.125.190.26

unknown

United Kingdom

Details

IP:	185.125.190.26
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

5b2000

page read and write

31f000

page execute read

7f4ffc021000

page read and write

7f500273a000

page read and write

7f5001f24000

page read and write

560fe27af000

page read and write

7f500340e000

page read and write

560fe4aac000

page read and write

7f50030fc000

page read and write

7f5002d8b000

page read and write

7f5002dae000

page read and write

560fe251a000

page execute read

5f2000

page read and write

7f50032dd000

page read and write

7fffca1d6000

page read and write

7f50029ea000

page read and write

7f500272c000

page read and write

560fe27a4000

page read and write

7f5003453000

page read and write

560fe47ae000

page execute and read and write

560fe47c4000

page read and write

7f5002dcb000

page read and write

7f5003406000

page read and write

7fffca1fb000

page execute read

There are 14 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
QpHMHEg6OQ.elf

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportQpHMHEg6OQ.elf

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
QpHMHEg6OQ.elf