Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Mozi.m

ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped

initial sample

Details

Filetype:	ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Entropy:	6.504782494511512
Filename:	Mozi.m
Filesize:	307960
MD5:	e957309c9cb381574c622b2d2a6798c0
SHA1:	3589d0f624deb034ad2ac15cb1f1f0f0fde10908
SHA256:	54dfe49f5b114030c318eb1be2d86bdcfac3e10d730b08631028f992fc92c9d0
SHA512:	a1abd5f2aba76d3fdfa6404ea4a7b88513b42b9dbe3870ec30f0fba488a06a2db3feea12b4052cd82023d7a810cac16061f4ecf9764beea2260633769de2de67
SSDEEP:	6144:7O/QJHZweEL/NOjCHm7FZZnch5wKSDP99zBa77oNsKqqfPqOJ:78QpZsKCaihDSDP99zBa/HKqoPqOJ
Preview:	.ELF.....................A.h...4.........4. ...(.............@...@...........................C...C....................UPX!.X.....................\....\|.$..ELF..........@.`....4..^h... ...(......<...@......ll.....H.W.`.t.d....dt.Q.....].M............6...

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
Yara signature match	System Summary
URLs found in memory or binary data	Networking

/var/crash/_usr_share_apport_apport-checkreports.1000.crash

ASCII text

dropped

Details

File:	/var/crash/_usr_share_apport_apport-checkreports.1000.crash
Category:	dropped
Dump:	_usr_share_apport_apport-checkreports.1000.crash.14.dr
ID:	dr_0
Target ID:	14
Process:	/usr/share/apport/apport-checkreports
Type:	ASCII text
Entropy:	4.685592697936091
Encrypted:	false
Ssdeep:	192:gIfh25JHJ5NNhfK54aqaG0KRE4rIPIehbM:ZfMXpO5GRERo
Size:	14915
Whitelisted:	false
Reputation:	low

/var/crash/_usr_share_apport_apport-gtk.1000.crash

ASCII text

dropped

Details

File:	/var/crash/_usr_share_apport_apport-gtk.1000.crash
Category:	dropped
Dump:	_usr_share_apport_apport-gtk.1000.crash.20.dr
ID:	dr_1
Target ID:	20
Process:	/usr/share/apport/apport-gtk
Type:	ASCII text
Entropy:	4.507687905583427
Encrypted:	false
Ssdeep:	768:L/X/+/L/Q+z6FlyxNe9Hb8fqCXdrBQKTVv:L/X/+/L/oyxNe9Hb8iCXdrBQKTVv
Size:	47094
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

/tmp/Mozi.m

/usr/bin/qemu-mips /tmp/Mozi.m

/sbin/upstart

n/a

/bin/sh

/bin/sh -e /proc/self/fd/9

/bin/sh

n/a

/bin/date

date

/bin/sh

n/a

/usr/share/apport/apport-checkreports

/usr/bin/python3 /usr/share/apport/apport-checkreports --system

/sbin/upstart

n/a

/bin/sh

/bin/sh -e /proc/self/fd/9

/bin/sh

n/a

/bin/date

date

/bin/sh

n/a

/usr/share/apport/apport-gtk

/usr/bin/python3 /usr/share/apport/apport-gtk

/sbin/upstart

n/a

/bin/sh

/bin/sh -e /proc/self/fd/9

/bin/sh

n/a

/bin/date

date

/bin/sh

n/a

/usr/share/apport/apport-gtk

/usr/bin/python3 /usr/share/apport/apport-gtk

There are 9 hidden processes, click here to show them.

URLs

Name

Malicious

http://%s:%d/bin.sh;chmod

unknown

http://%s:%d/Mozi.m;/tmp/Mozi.m

unknown

http://%s:%d/bin.sh

unknown

http://%s:%d/Mozi.m;

unknown

http://%s:%d/Mozi.m;$

unknown

http://%s:%d/Mozi.m

unknown

http://ipinfo.io/ip

unknown

http://%s:%d/Mozi.a;chmod

unknown

http://schemas.xmlsoap.org/soap/encoding/

unknown

http://purenetworks.com/HNAP1/

unknown

http://schemas.xmlsoap.org/soap/envelope/

unknown

http://upx.sf.net

unknown

http://HTTP/1.1

unknown

http://%s:%d/Mozi.a;sh$

unknown

http://127.0.0.1

unknown

http://baidu.com/%s/%s/%d/%s/%s/%s/%s)

unknown

http://schemas.xmlsoap.org/soap/envelope//

unknown

http://127.0.0.1sendcmd

unknown

There are 8 hidden URLs, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOCReport

Files

Processes

URLs