Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

/tmp/2kik39qqSw.elf

URLs

Name

Malicious

http://www.billybobbot.com/crawler/)

unknown

Details

Name:	http://www.billybobbot.com/crawler/)
TargetID:	12
From Memory:	true
Current Path:	/tmp/2kik39qqSw.elf
Source:	2kik39qqSw.elf

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection
URLs found in memory or binary data	Networking

95.174.91.180:4258

Details

Name:	95.174.91.180:4258
TargetID:	0
From Memory:	false
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

http://www.baidu.com/search/spider.html)

unknown

http://fast.no/support/crawler.asp)

unknown

http://feedback.redkolibri.com/

unknown

http://www.baidu.com/search/spider.htm)

unknown

Domains

Name

Malicious

daisy.ubuntu.com

162.213.35.25

Details

Name:	daisy.ubuntu.com
IP:	162.213.35.25
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

95.174.91.180

unknown

Russian Federation

Details

IP:	95.174.91.180
TargetID:	-1
Country:	Russian Federation
Countrycode:	RUS
ASN number:	44053
ASN name:	UNILINK-ASRU
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

185.125.190.26

unknown

United Kingdom

Details

IP:	185.125.190.26
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7fcc1c02a000

page execute read

7fcc1c02a000

page execute read

7fcd244ee000

page read and write

7fcd2500d000

page read and write

556ef47f3000

page read and write

556ef7aba000

page read and write

7fcd24ade000

page read and write

7fcd25136000

page read and write

556ef4599000

page execute read

7ffe0a5f9000

page execute read

556ef6808000

page read and write

7fcd24e2c000

page read and write

556ef7aba000

page read and write

7fcd1c021000

page read and write

7fcd244ee000

page read and write

7fcd24850000

page read and write

7fcd24e2c000

page read and write

7fcd1bfff000

page read and write

7fcd1c021000

page read and write

556ef47ea000

page read and write

556ef47f3000

page read and write

7ffe0a5e7000

page read and write

7fcd25136000

page read and write

7fcc1c039000

page read and write

7fcd1bfff000

page read and write

7fcd2445c000

page read and write

7fcd24c4a000

page read and write

556ef6808000

page read and write

7fcd23c54000

page read and write

7fcd2515a000

page read and write

7fcd24850000

page read and write

7fcd24ade000

page read and write

556ef67f1000

page execute and read and write

7fcd2515a000

page read and write

7ffe0a5e7000

page read and write

7ffe0a5f9000

page execute read

7fcd2519f000

page read and write

7fcd24abb000

page read and write

7fcd2445c000

page read and write

556ef47ea000

page read and write

7fcd24c4a000

page read and write

556ef67f1000

page execute and read and write

7fcd24abb000

page read and write

7fcd23c54000

page read and write

7fcc1c039000

page read and write

7fcc1c033000

page read and write

7fcc1c033000

page read and write

556ef4599000

page execute read

7fcd2519f000

page read and write

7fcd2500d000

page read and write

There are 40 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
2kik39qqSw.elf

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report2kik39qqSw.elf

Processes

URLs

Domains

IPs

Memdumps

IOC Report
2kik39qqSw.elf