Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

s54l0GKMh9

ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped

initial sample

Details

Filetype:	ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Entropy:	7.879503677327423
Filename:	s54l0GKMh9
Filesize:	27236
MD5:	1a11fb2e59573ff9c8461a5998496ec4
SHA1:	0ac1b218948da361997a3dbf43859cedf732bc88
SHA256:	874f3a399fb4a6a3c99f86f6417c388b254e206f5bef96fb3b33bc38cac020dd
SHA512:	5d1f6f9c677f0d8c0602cf77d250eef6b2bcaf5b4e0ca02626adb0f0a4fad051c3ebbb101113d88e5d0cdbf6a3d807cbab17706beec43147c472c9c64095d2a9
SSDEEP:	768:w9CUFskb2JgIs/E2+OocrfJiHNjfmQ2q7IoqdB7fPWc:GCrJgHiOJrfwmQrctt
Preview:	.ELF.....................V..4...........4. ...(.....................=i..=i....................E...E....................tUPX!`.......T...T.......T..........?.E.h;....#......b.L#4E..,,....M..D{c....j;.D .A....~.....hE.:.O........L..N.7g..\....R.............

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Sample tries to kill many processes (SIGKILL)	System Summary
Enumerates processes within the "proc" file system	Persistence and Installation Behavior	OS Credential Dumping
Sample listens on a socket	Networking
Sample tries to kill a process (SIGKILL)	System Summary
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
URLs found in memory or binary data	Networking

/proc/4619/oom_score_adj

ASCII text

dropped

Details

File:	/proc/4619/oom_score_adj
Category:	dropped
Dump:	oom_score_adj.16.dr
ID:	dr_0
Target ID:	16
Process:	/usr/sbin/sshd
Type:	ASCII text
Entropy:	1.7924812503605778
Encrypted:	false
Ssdeep:	3:ptn:Dn
Size:	6
Whitelisted:	false
Reputation:	moderate

/proc/4742/oom_score_adj

ASCII text

dropped

Details

File:	/proc/4742/oom_score_adj
Category:	dropped
Dump:	oom_score_adj.32.dr
ID:	dr_3
Target ID:	32
Process:	/usr/sbin/sshd
Type:	ASCII text
Entropy:	1.7924812503605778
Encrypted:	false
Ssdeep:	3:ptn:Dn
Size:	6
Whitelisted:	false
Reputation:	moderate

/proc/4837/oom_score_adj

ASCII text

dropped

Details

File:	/proc/4837/oom_score_adj
Category:	dropped
Dump:	oom_score_adj.46.dr
ID:	dr_6
Target ID:	46
Process:	/usr/sbin/sshd
Type:	ASCII text
Entropy:	1.7924812503605778
Encrypted:	false
Ssdeep:	3:ptn:Dn
Size:	6
Whitelisted:	false
Reputation:	moderate

/run/sshd.pid

ASCII text

dropped

Details

File:	/run/sshd.pid
Category:	dropped
Dump:	sshd.pid.46.dr
ID:	dr_7
Target ID:	46
Process:	/usr/sbin/sshd
Type:	ASCII text
Entropy:	2.321928094887362
Encrypted:	false
Ssdeep:	3:hvn:5n
Size:	5
Whitelisted:	false
Reputation:	low

/var/cache/snapd/sections.VkT7rk09P4mD

ASCII text

dropped

Details

File:	/var/cache/snapd/sections.VkT7rk09P4mD
Category:	dropped
Dump:	sections.VkT7rk09P4mD.44.dr
ID:	dr_5
Target ID:	44
Process:	/usr/lib/snapd/snapd
Type:	ASCII text
Entropy:	4.149772078213831
Encrypted:	false
Ssdeep:	6:+JwAuG+uP2J5I9W6IzvS5/GAEwKnK/JBMlvuNjpeWPnXMISz:J02Jt6W8ce+Oj8WX6
Size:	257
Whitelisted:	false
Reputation:	moderate

/var/cache/snapd/sections.g6T4kvDRndCj

ASCII text

dropped

Details

File:	/var/cache/snapd/sections.g6T4kvDRndCj
Category:	dropped
Dump:	sections.g6T4kvDRndCj.28.dr
ID:	dr_2
Target ID:	28
Process:	/usr/lib/snapd/snapd
Type:	ASCII text
Entropy:	4.149772078213831
Encrypted:	false
Ssdeep:	6:+JwAuG+uP2J5I9W6IzvS5/GAEwKnK/JBMlvuNjpeWPnXMISz:J02Jt6W8ce+Oj8WX6
Size:	257
Whitelisted:	false
Reputation:	moderate

Processes

Path

Cmdline

Malicious

/tmp/s54l0GKMh9

/usr/bin/qemu-mipsel /tmp/s54l0GKMh9

/tmp/s54l0GKMh9

n/a

/tmp/s54l0GKMh9

n/a

/tmp/s54l0GKMh9

n/a

/tmp/s54l0GKMh9

n/a

/tmp/s54l0GKMh9

n/a

/tmp/s54l0GKMh9

n/a

/lib/systemd/systemd

n/a

/usr/sbin/sshd

/usr/sbin/sshd -D

/lib/systemd/systemd

n/a

/usr/sbin/NetworkManager

/usr/sbin/NetworkManager --no-daemon

/lib/systemd/systemd

n/a

/usr/bin/nm-online

/usr/bin/nm-online -s -q --timeout=30

/lib/systemd/systemd

n/a

/usr/lib/NetworkManager/nm-dispatcher

n/a

/etc/NetworkManager/dispatcher.d/01ifupdown

/bin/sh -e /etc/NetworkManager/dispatcher.d/01ifupdown none hostname

/lib/systemd/systemd

n/a

/lib/systemd/systemd-hostnamed

/lib/systemd/systemd

n/a

/usr/lib/snapd/snapd

/lib/systemd/systemd

n/a

/sbin/iscsiadm

/sbin/iscsiadm -k 0 2

/lib/systemd/systemd

n/a

/usr/sbin/sshd

/usr/sbin/sshd -D

/lib/systemd/systemd

n/a

/lib/systemd/systemd-hostnamed

/lib/systemd/systemd

n/a

/usr/lib/snapd/snapd

/lib/systemd/systemd

n/a

/usr/sbin/sshd

/usr/sbin/sshd -D

There are 21 hidden processes, click here to show them.

URLs

Name

Malicious

http://upx.sf.net

unknown

Details

Name:	http://upx.sf.net
TargetID:	8
From Memory:	true
Current Path:	/tmp/s54l0GKMh9
Source:	s54l0GKMh9
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Sample is packed with UPX	Data Obfuscation	Obfuscated Files or Information
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

106.114.147.23

unknown

China

96.203.126.160

unknown

United States

203.210.130.208

unknown

Viet Nam

242.51.200.14

unknown

Reserved

69.79.2.213

unknown

United States

89.133.164.83

unknown

Hungary

47.38.71.139

unknown

United States

218.39.74.160

unknown

Korea Republic of

223.37.188.117

unknown

Korea Republic of

195.15.200.99

unknown

Switzerland

59.89.254.145

unknown

India

44.43.86.40

unknown

United States

94.20.234.131

unknown

Azerbaijan

160.79.21.199

unknown

United States

99.250.223.76

unknown

Canada

109.124.248.94

unknown

Russian Federation

139.240.73.123

unknown

United States

90.54.152.98

unknown

France

252.134.181.234

unknown

Reserved

203.66.61.49

unknown

Taiwan; Republic of China (ROC)

168.236.44.110

unknown

United States

200.209.218.229

unknown

Brazil

151.50.163.103

unknown

Italy

42.50.47.134

unknown

China

252.47.186.21

unknown

Reserved

102.200.137.34

unknown

216.116.80.116

unknown

United States

189.215.130.159

unknown

Mexico

152.136.225.31

unknown

China

198.209.55.33

unknown

United States

60.237.160.8

unknown

Japan

193.169.96.22

unknown

Russian Federation

24.131.135.95

unknown

United States

153.144.115.36

unknown

Japan

23.190.64.85

unknown

United States

167.4.234.142

unknown

United States

103.120.250.186

unknown

India

160.248.62.37

unknown

Japan

5.51.2.160

unknown

France

125.160.53.234

unknown

Indonesia

142.247.130.1

unknown

Saudi Arabia

109.248.108.198

unknown

Russian Federation

250.106.144.35

unknown

Reserved

114.69.243.154

unknown

India

163.189.225.254

unknown

Australia

196.215.73.129

unknown

South Africa

98.101.210.191

unknown

United States

66.66.21.33

unknown

United States

250.76.10.0

unknown

Reserved

147.116.206.235

unknown

United States

188.83.167.211

unknown

Portugal

107.248.194.130

unknown

United States

35.23.30.138

unknown

United States

97.146.192.157

unknown

United States

155.41.128.74

unknown

United States

32.192.89.13

unknown

United States

17.41.75.245

unknown

United States

185.205.152.125

unknown

Poland

157.37.76.71

unknown

India

197.100.167.157

unknown

South Africa

160.232.244.58

unknown

United States

152.150.46.109

unknown

United Kingdom

188.211.223.60

unknown

Iran (ISLAMIC Republic Of)

195.97.85.116

unknown

Greece

200.130.28.164

unknown

Brazil

115.76.248.177

unknown

Viet Nam

217.215.135.185

unknown

Sweden

161.25.164.196

unknown

Chile

223.28.184.116

unknown

Korea Republic of

12.243.182.108

unknown

United States

175.114.50.218

unknown

Korea Republic of

38.95.43.246

unknown

United States

121.165.152.132

unknown

Korea Republic of

180.244.198.4

unknown

Indonesia

176.104.41.175

unknown

Ukraine

101.184.26.83

unknown

Australia

211.40.186.144

unknown

Korea Republic of

16.108.127.103

unknown

United States

32.35.17.51

unknown

United States

121.33.183.226

unknown

China

183.105.180.39

unknown

Korea Republic of

95.240.28.160

unknown

Italy

249.108.201.111

unknown

Reserved

37.35.120.99

unknown

Switzerland

16.111.181.7

unknown

United States

106.199.18.119

unknown

India

245.129.132.24

unknown

Reserved

126.208.173.196

unknown

Japan

85.164.4.5

unknown

Norway

62.122.50.178

unknown

Russian Federation

196.253.231.70

unknown

South Africa

92.242.80.177

unknown

Russian Federation

211.118.236.136

unknown

Korea Republic of

1.58.95.38

unknown

China

124.13.77.47

unknown

Malaysia

218.223.148.221

unknown

Japan

211.188.255.117

unknown

Korea Republic of

89.252.43.211

unknown

Ukraine

102.154.176.208

unknown

Tunisia

147.215.163.231

unknown

France

There are 90 hidden IPs, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOCReport

Files

Processes

URLs

IPs