Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

ZzpHJ5sMvC.elf

ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped

initial sample

Details

Filetype:	ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped
Entropy:	5.4173972420700025
Filename:	ZzpHJ5sMvC.elf
Filesize:	144438
MD5:	d6bad7130a22948b5d5de02f333515d0
SHA1:	0d6a404be37365576ea50ee6e6cb954264c3d087
SHA256:	e78fc5c12dda75bad2cb782453bec1460a0e812442f84dd1491c39cd5aec54af
SHA512:	9fe497a43ccd62b094d1284905ea3ac78bce9384c3552f963a10c141942db733d3ebad5bbaf7ec9c9982b2fce5a199d5fc9052200f4a9ef13e6fbdb9455b7440
SSDEEP:	1536:OfHzdMHmSu/72iytyo267WkDH7U/egag5tnpNDsI7kRiZrAU/l25h2IHFKKHsGlM:oUBKGCtp9sINZrR25h2Ss6mC/5ApYADn
Preview:	.ELF.....................@.....4.........4. ...(....p........@...@...........................@...@.....P...P.................B...B.........x...............D.B.D.B.D................dt.Q.................................................C(.<...'.(....!'......

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Opens /proc/net/* files useful for finding connected devices and routers	Spreading	Remote System Discovery
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion
Yara signature match	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
URLs found in memory or binary data	Networking

/tmp/qemu-open.74mhou (deleted)

ASCII text

dropped

Details

File:	/tmp/qemu-open.74mhou (deleted)
Category:	dropped
Dump:	qemu-open.74mhou (deleted).12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/ZzpHJ5sMvC.elf
Type:	ASCII text
Entropy:	3.709552666863289
Encrypted:	false
Ssdeep:	6:iekrEcvwAsE5KlwSd4pzKaV6Lpms/a/1VCxGF:ur+m5MwSdIKaV6L1adVRF
Size:	230
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

/tmp/ZzpHJ5sMvC.elf

URLs

Name

Malicious

http://www.billybobbot.com/crawler/)

unknown

Details

Name:	http://www.billybobbot.com/crawler/)
TargetID:	12
From Memory:	true
Current Path:	/tmp/ZzpHJ5sMvC.elf
Source:	ZzpHJ5sMvC.elf

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection
URLs found in memory or binary data	Networking

147.185.221.19:30455

Details

Name:	147.185.221.19:30455
TargetID:	0
From Memory:	false
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

http://www.baidu.com/search/spider.html)

unknown

http://fast.no/support/crawler.asp)

unknown

http://feedback.redkolibri.com/

unknown

http://www.baidu.com/search/spider.htm)

unknown

Domains

Name

Malicious

daisy.ubuntu.com

162.213.35.25

Details

Name:	daisy.ubuntu.com
IP:	162.213.35.25
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

147.185.221.19

unknown

United States

Details

IP:	147.185.221.19
TargetID:	-1
Country:	United States
Countrycode:	USA
ASN number:	12087
ASN name:	SALSGIVERUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7f294441a000

page execute read

7f294441a000

page execute read

7f29c4021000

page read and write

5630c8772000

page execute and read and write

7f29ca983000

page read and write

5630c8772000

page execute and read and write

5630c6774000

page read and write

7ffd3862d000

page read and write

5630c930b000

page read and write

5630c676a000

page read and write

7ffd386fe000

page execute read

7f29c4021000

page read and write

7ffd3862d000

page read and write

7f29c9fc1000

page read and write

7f2944433000

page read and write

7f29c97ab000

page read and write

5630c676a000

page read and write

7f29ca271000

page read and write

7f29cab64000

page read and write

7f29cacda000

page read and write

7f29c4000000

page read and write

7f29cac95000

page read and write

7f29c9fc1000

page read and write

7f294442b000

page read and write

7f29ca635000

page read and write

7f29cab64000

page read and write

7f29ca983000

page read and write

5630c930b000

page read and write

7ffd386fe000

page execute read

7f29c97ab000

page read and write

7f29ca271000

page read and write

7f29cacda000

page read and write

7f29ca635000

page read and write

7f29ca612000

page read and write

7f29cac8d000

page read and write

5630c64e2000

page execute read

5630c64e2000

page execute read

5630c6774000

page read and write

7f29ca652000

page read and write

7f29ca612000

page read and write

7f29cac8d000

page read and write

7f29c9fb3000

page read and write

5630c8789000

page read and write

7f29cac95000

page read and write

7f29c9fb3000

page read and write

7f29ca652000

page read and write

7f294442b000

page read and write

7f2944433000

page read and write

5630c8789000

page read and write

7f29c4000000

page read and write

There are 40 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
ZzpHJ5sMvC.elf

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportZzpHJ5sMvC.elf

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
ZzpHJ5sMvC.elf