Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

HJcwHwiVEJ.elf

ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped

initial sample

Details

Filetype:	ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped
Entropy:	5.4058452815528275
Filename:	HJcwHwiVEJ.elf
Filesize:	144442
MD5:	cf1c00fa6d1793472bb523269f6cce7a
SHA1:	4de67b3e5bbbb1582a1f1505a4d77f63778927cd
SHA256:	1ad10837831bebb472dae733e267a49979c96263de6fa985f97471ead8bc9222
SHA512:	ee8c0370fca7c3ca670d2ecf039f398df9b08023dc36097290cbd16152b4e1e3baa8a90788214bcf3dc9ebf0c00a53922f7cb78ae0fb295187eb67c7a96d9467
SSDEEP:	3072:sGGNZfCos2pA4FCP5hvikTam0/5ApYADn:hACyK40P5hvi9m0/5ASADn
Preview:	.ELF.....................@.....4.........4. ...(....p........@...@...........................@...@...........................B...B.........x...............D.B.D.B.D................dt.Q.................................................C(.<...'.(....!'......

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Opens /proc/net/* files useful for finding connected devices and routers	Spreading	Remote System Discovery
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion
Yara signature match	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
URLs found in memory or binary data	Networking

/tmp/qemu-open.fvVdqc (deleted)

ASCII text

dropped

Details

File:	/tmp/qemu-open.fvVdqc (deleted)
Category:	dropped
Dump:	qemu-open.fvVdqc (deleted).12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/HJcwHwiVEJ.elf
Type:	ASCII text
Entropy:	3.709552666863289
Encrypted:	false
Ssdeep:	6:iekrEcvwAsE5KlwSd4pzKaV6Lpms/a/1VCxGF:ur+m5MwSdIKaV6L1adVRF
Size:	230
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

/tmp/HJcwHwiVEJ.elf

URLs

Name

Malicious

http://www.billybobbot.com/crawler/)

unknown

Details

Name:	http://www.billybobbot.com/crawler/)
TargetID:	12
From Memory:	true
Current Path:	/tmp/HJcwHwiVEJ.elf
Source:	HJcwHwiVEJ.elf

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection
URLs found in memory or binary data	Networking

158.160.8.110:4258

Details

Name:	158.160.8.110:4258
TargetID:	0
From Memory:	false
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

http://www.baidu.com/search/spider.html)

unknown

http://fast.no/support/crawler.asp)

unknown

http://feedback.redkolibri.com/

unknown

http://www.baidu.com/search/spider.htm)

unknown

IPs

Domain

Country

Malicious

158.160.8.110

unknown

Venezuela

Details

IP:	158.160.8.110
TargetID:	-1
Country:	Venezuela
Countrycode:	VEN
ASN number:	721
ASN name:	DNIC-ASBLK-00721-00726US
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

109.202.202.202

unknown

Switzerland

Details

IP:	109.202.202.202
TargetID:	-1
Country:	Switzerland
Countrycode:	CHE
ASN number:	13030
ASN name:	INIT7CH
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.43

unknown

United Kingdom

Details

IP:	91.189.91.43
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.42

unknown

United Kingdom

Details

IP:	91.189.91.42
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7fc7e841a000

page execute read

7fc7e841a000

page execute read

7fc7e8433000

page read and write

7ffc4d3ea000

page execute read

7fc87110b000

page read and write

7fc7e8433000

page read and write

7fc870aab000

page read and write

7fc871150000

page read and write

7ffc4d3ea000

page execute read

563151a6a000

page read and write

7fc871103000

page read and write

563151a53000

page execute and read and write

7fc870ac8000

page read and write

7ffc4d2d5000

page read and write

7fc870429000

page read and write

7fc868000000

page read and write

563152934000

page read and write

7fc870a88000

page read and write

7fc868021000

page read and write

56314fa4b000

page read and write

56314fa55000

page read and write

7fc7e842b000

page read and write

7fc868000000

page read and write

7fc870fda000

page read and write

7fc870429000

page read and write

7fc8706e7000

page read and write

56314f7c3000

page execute read

563151a6a000

page read and write

56314fa55000

page read and write

7fc870df9000

page read and write

56314fa4b000

page read and write

7fc870437000

page read and write

7fc86fc21000

page read and write

7fc870aab000

page read and write

7fc87110b000

page read and write

7fc871103000

page read and write

7ffc4d2d5000

page read and write

56314f7c3000

page execute read

7fc870a88000

page read and write

7fc870437000

page read and write

7fc870df9000

page read and write

7fc871150000

page read and write

7fc870fda000

page read and write

7fc870ac8000

page read and write

7fc86fc21000

page read and write

7fc7e842b000

page read and write

7fc868021000

page read and write

563151a53000

page execute and read and write

563152934000

page read and write

7fc8706e7000

page read and write

There are 40 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
HJcwHwiVEJ.elf

Files

Processes

URLs

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportHJcwHwiVEJ.elf

Files

Processes

URLs

IPs

Memdumps

IOC Report
HJcwHwiVEJ.elf