Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

IrnO5ZI3En.elf

ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped

initial sample

Details

Filetype:	ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped
Entropy:	5.260021930753812
Filename:	IrnO5ZI3En.elf
Filesize:	125962
MD5:	3c7911b7910ed66e0ce0a91548ec0a6a
SHA1:	bf058494d2e3725f89e175d482044cfe511e692a
SHA256:	88684fe7dee3cb777fc442b27ecd3ce89f0f38922588719f5c7236b281dd9919
SHA512:	3c7c60e91b7a85df6b6ec9e5743e2aed445e29e6482485250ac95ed262071edc710858bb9af22397e171933ffc671aac5b903ca4b684706a3ef2b6daeaac45ca
SSDEEP:	1536:47je1TwGq+f+AM2rK/jeve9eLe8B2rK/4eBmq0GAzQj1l72HBe8EJWfRZrmW+IFj:3ClkB0MZQHiJ6RZrmW+IFB1Dt1hR/
Preview:	.ELF.....................@.....4.........4. ...(....p........@...@...........................@...@....pD..pD..............pD.EpD.EpD......l.........dt.Q.................................................E..<...'......!'.......................<...'......!...

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Opens /proc/net/* files useful for finding connected devices and routers	Spreading	Remote System Discovery
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion
Yara signature match	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
Sample and/or dropped files contains symbols with file path information	System Summary

/tmp/qemu-open.Eblczh (deleted)

ASCII text

dropped

Details

File:	/tmp/qemu-open.Eblczh (deleted)
Category:	dropped
Dump:	qemu-open.Eblczh (deleted).12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/IrnO5ZI3En.elf
Type:	ASCII text
Entropy:	3.709552666863289
Encrypted:	false
Ssdeep:	6:iekrEcvwAsE5KlwSd4pzKaV6Lpms/a/1VCxGF:ur+m5MwSdIKaV6L1adVRF
Size:	230
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

/tmp/IrnO5ZI3En.elf

URLs

Name

Malicious

94.156.8.9:23

Details

Name:	94.156.8.9:23
TargetID:	0
From Memory:	false
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol

Domains

Name

Malicious

daisy.ubuntu.com

162.213.35.24

Details

Name:	daisy.ubuntu.com
IP:	162.213.35.24
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

94.156.8.9

unknown

Bulgaria

Details

IP:	94.156.8.9
TargetID:	-1
Country:	Bulgaria
Countrycode:	BGR
ASN number:	43561
ASN name:	NET1-ASBG
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7f81c8418000

page execute read

7f81c8418000

page execute read

560c643fd000

page read and write

7f824e451000

page read and write

7f824ee21000

page read and write

7f824ee21000

page read and write

7f8248021000

page read and write

7f81c845e000

page read and write

560c64a0a000

page read and write

7f824e45f000

page read and write

7f8248000000

page read and write

7f824f12b000

page read and write

7f824f002000

page read and write

7f824eaf0000

page read and write

7f824e45f000

page read and write

7f824f178000

page read and write

560c623e8000

page read and write

560c623de000

page read and write

7f824e70f000

page read and write

7f824f133000

page read and write

7f81c845e000

page read and write

7ffc91f0c000

page execute read

7f824f002000

page read and write

560c643e6000

page execute and read and write

7f824dc49000

page read and write

560c623de000

page read and write

7ffc91f0c000

page execute read

7f8248000000

page read and write

7ffc91efb000

page read and write

7f824eab0000

page read and write

7f8248021000

page read and write

7f824ead3000

page read and write

560c643e6000

page execute and read and write

560c62156000

page execute read

7f824ead3000

page read and write

7f81c8458000

page read and write

7f81c8458000

page read and write

7f824dc49000

page read and write

7f824f12b000

page read and write

7f824e451000

page read and write

560c64a0a000

page read and write

7f824e70f000

page read and write

7f824f133000

page read and write

560c62156000

page execute read

7f824eab0000

page read and write

560c623e8000

page read and write

560c643fd000

page read and write

7ffc91efb000

page read and write

7f824eaf0000

page read and write

7f824f178000

page read and write

There are 40 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
IrnO5ZI3En.elf

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportIrnO5ZI3En.elf

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
IrnO5ZI3En.elf