Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
arm6.elf
|
ELF 32-bit LSB executable, ARM, EABI5 version 1 (GNU/Linux), statically linked, no section header
|
initial sample
|
 |
|
|
/boot/system.pub
|
ELF 32-bit LSB executable, ARM, EABI5 version 1 (GNU/Linux), statically linked, no section header
|
dropped
|
|
|
|
/etc/crontab
|
ASCII text
|
dropped
|
|
|
|
/etc/init.d/acpid
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/alsa-utils
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/anacron
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/apparmor
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/apport
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/avahi-daemon
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/binfmt-support
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/bluetooth
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/console-setup.sh
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/cron
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/cryptdisks
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/cryptdisks-early
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/cups
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/cups-browsed
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/dbus
|
POSIX shell script, Unicode text, UTF-8 text executable
|
dropped
|
|
|
|
/etc/init.d/dns-udp4
|
Bourne-Again shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/gdm3
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/hddtemp
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/hwclock.sh
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/irqbalance
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/iscsid
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/keyboard-setup.sh
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/kmod
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/lightdm
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/lm-sensors
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/lvm2-lvmpolld
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/mono-xsp4
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/multipath-tools
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/open-iscsi
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/open-vm-tools
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/plymouth
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/plymouth-log
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/procps
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/rsync
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/rsyslog
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/saned
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/screen-cleanup
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/spice-vdagent
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/ssh
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/udev
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/ufw
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/unattended-upgrades
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/uuidd
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/x11-common
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/profile.d/bash.cfg
|
ELF 32-bit LSB executable, ARM, EABI5 version 1 (GNU/Linux), statically linked, no section header
|
dropped
|
|
|
|
/etc/profile.d/bash.cfg.sh
|
Bourne-Again shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/profile.d/gateway.sh
|
Bourne-Again shell script, ASCII text executable, with very long lines (699)
|
dropped
|
|
|
|
/usr/lib/libgdi.so.0.8.2
|
ELF 32-bit LSB executable, ARM, EABI5 version 1 (GNU/Linux), statically linked, no section header
|
dropped
|
|
|
|
/usr/lib/system.mark
|
ELF 32-bit LSB executable, ARM, EABI5 version 1 (GNU/Linux), statically linked, no section header
|
dropped
|
|
|
|
/.mod
|
Bourne-Again shell script, ASCII text executable
|
dropped
|
||
|
/etc/.cfg
|
ASCII text
|
dropped
|
||
|
/memfd:snapd-env-generator (deleted)
|
ASCII text
|
dropped
|
||
|
/proc/6387/loginuid
|
very short file (no magic)
|
dropped
|
||
|
/proc/6447/loginuid
|
very short file (no magic)
|
dropped
|
||
|
/run/crond.pid
|
ASCII text
|
dropped
|
There are 48 hidden files, click here to show them.
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
/tmp/arm6.elf
|
/tmp/arm6.elf
|
||
|
/tmp/arm6.elf
|
-
|
||
|
/tmp/arm6.elf
|
/tmp/arm6.elf
|
||
|
/tmp/arm6.elf
|
-
|
||
|
/bin/bash
|
/bin/bash -c "cd /boot;systemctl daemon-reload;systemctl enable quotaon.service;systemctl start quotaon.service;journalctl
-xe --no-pager"
|
||
|
/bin/bash
|
-
|
||
|
/usr/bin/systemctl
|
systemctl daemon-reload
|
||
|
/bin/bash
|
-
|
||
|
/usr/bin/systemctl
|
systemctl enable quotaon.service
|
||
|
/bin/bash
|
-
|
||
|
/usr/bin/systemctl
|
systemctl start quotaon.service
|
||
|
/bin/bash
|
-
|
||
|
/usr/bin/journalctl
|
journalctl -xe --no-pager
|
||
|
/tmp/arm6.elf
|
-
|
||
|
/bin/bash
|
/bin/bash -c "cd /boot;ausearch -c 'system.pub' --raw | audit2allow -M my-Systemmod;semodule -X 300 -i my-Systemmod.pp"
|
||
|
/bin/bash
|
-
|
||
|
/bin/bash
|
-
|
||
|
/bin/bash
|
-
|
||
|
/tmp/arm6.elf
|
-
|
||
|
/bin/bash
|
/bin/bash -c "echo \"*/1 * * * * root /.mod \" >> /etc/crontab"
|
||
|
/tmp/arm6.elf
|
-
|
||
|
/usr/sbin/update-rc.d
|
update-rc.d dns-udp4 defaults
|
||
|
/usr/sbin/update-rc.d
|
-
|
||
|
/usr/bin/systemctl
|
systemctl daemon-reload
|
||
|
/tmp/arm6.elf
|
-
|
||
|
/usr/bin/mount
|
mount -o bind /tmp/ /proc/6228
|
||
|
/tmp/arm6.elf
|
-
|
||
|
/usr/sbin/service
|
service cron start
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/basename
|
basename /usr/sbin/service
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/basename
|
basename /usr/sbin/service
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/systemctl
|
systemctl --quiet is-active multi-user.target
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/systemctl
|
systemctl list-unit-files --full --type=socket
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/sed
|
sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p
|
||
|
/usr/bin/systemctl
|
systemctl start cron.service
|
||
|
/tmp/arm6.elf
|
-
|
||
|
/usr/bin/systemctl
|
systemctl start crond.service
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/sbin/cron
|
/usr/sbin/cron -f
|
||
|
/usr/sbin/cron
|
-
|
||
|
/usr/sbin/cron
|
-
|
||
|
/bin/sh
|
/bin/sh -c "/.mod "
|
||
|
/bin/sh
|
-
|
||
|
/.mod
|
/.mod
|
||
|
/.mod
|
-
|
||
|
/usr/lib/libgdi.so.0.8.2
|
/usr/lib/libgdi.so.0.8.2
|
||
|
/usr/lib/libgdi.so.0.8.2
|
-
|
||
|
/usr/lib/libgdi.so.0.8.2
|
/usr/lib/libgdi.so.0.8.2
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/sbin/cron
|
/usr/sbin/cron -f
|
||
|
/usr/sbin/cron
|
-
|
||
|
/usr/sbin/cron
|
-
|
||
|
/bin/sh
|
/bin/sh -c "/.mod "
|
||
|
/bin/sh
|
-
|
||
|
/.mod
|
/.mod
|
||
|
/.mod
|
-
|
||
|
/usr/lib/libgdi.so.0.8.2
|
/usr/lib/libgdi.so.0.8.2
|
||
|
/usr/lib/libgdi.so.0.8.2
|
-
|
||
|
/usr/lib/libgdi.so.0.8.2
|
/usr/lib/libgdi.so.0.8.2
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/sbin/cron
|
/usr/sbin/cron -f
|
There are 64 hidden processes, click here to show them.
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://upx.sf.net
|
unknown
|
|
|
|
http://html4/loose.dtd
|
unknown
|
||
|
http://.css
|
unknown
|
||
|
http://.jpg
|
unknown
|
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
j.xuanxuan1997.com
|
93.123.109.118
|
||
|
www.google.com
|
142.250.185.100
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
93.123.109.118
|
j.xuanxuan1997.com
|
Bulgaria
|
||
|
109.202.202.202
|
unknown
|
Switzerland
|
||
|
91.189.91.43
|
unknown
|
United Kingdom
|
||
|
91.189.91.42
|
unknown
|
United Kingdom
|
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
7f94f0021000
|
page read and write
|
|||
|
7ffcecab1000
|
page read and write
|
|||
|
7f10e39b5000
|
page read and write
|
|||
|
5587a8d58000
|
page read and write
|
|||
|
7fef3531a000
|
page read and write
|
|||
|
7f9603aa0000
|
page read and write
|
|||
|
7fef3518b000
|
page read and write
|
|||
|
7fee24021000
|
page read and write
|
|||
|
7f9603a5b000
|
page read and write
|
|||
|
7f9603151000
|
page read and write
|
|||
|
7f10e4fc2000
|
page read and write
|
|||
|
7f10dbfff000
|
page read and write
|
|||
|
7f96033df000
|
page read and write
|
|||
|
7f515f012000
|
page read and write
|
|||
|
55f859fa7000
|
page execute and read and write
|
|||
|
7f95cc021000
|
page read and write
|
|||
|
7f96033bc000
|
page read and write
|
|||
|
7f95d0524000
|
page read and write
|
|||
|
7f96d7af9000
|
page read and write
|
|||
|
7f96d7ad6000
|
page read and write
|
|||
|
7f515e6d4000
|
page read and write
|
|||
|
561182fc1000
|
page read and write
|
|||
|
7f96c71ab000
|
page read and write
|
|||
|
7f10e4a6d000
|
page read and write
|
|||
|
7f96d7477000
|
page read and write
|
|||
|
7f10e4c4f000
|
page read and write
|
|||
|
561184fc8000
|
page execute and read and write
|
|||
|
7f96d8028000
|
page read and write
|
|||
|
7fee3081a000
|
page read and write
|
|||
|
7f10e4e30000
|
page read and write
|
|||
|
7f10e3974000
|
page read and write
|
|||
|
7f96d7e47000
|
page read and write
|
|||
|
7f95c4021000
|
page read and write
|
|||
|
7f10e4f59000
|
page read and write
|
|||
|
7f515eca1000
|
page read and write
|
|||
|
7f515de3a000
|
page read and write
|
|||
|
7f960372d000
|
page read and write
|
|||
|
7f0fd4021000
|
page read and write
|
|||
|
7f96d7c65000
|
page read and write
|
|||
|
7f94f8021000
|
page read and write
|
|||
|
7f96d6b6c000
|
page read and write
|
|||
|
7f5058c0f000
|
page read and write
|
|||
|
7f51577fe000
|
page read and write
|
|||
|
7fee2c021000
|
page read and write
|
|||
|
7f95c8021000
|
page read and write
|
|||
|
5587aad5f000
|
page execute and read and write
|
|||
|
7f95d02a9000
|
page execute read
|
|||
|
7f515ea36000
|
page read and write
|
|||
|
7f9602452000
|
page read and write
|
|||
|
7f94fc524000
|
page read and write
|
|||
|
55f859fbe000
|
page read and write
|
|||
|
7f515dd78000
|
page read and write
|
|||
|
7f94fcc0f000
|
page read and write
|
|||
|
7f0fdc2a9000
|
page execute read
|
|||
|
55f857fa0000
|
page read and write
|
|||
|
7f10e4901000
|
page read and write
|
|||
|
7f95d081a000
|
page read and write
|
|||
|
7fef34324000
|
page read and write
|
|||
|
7fef271ab000
|
page read and write
|
|||
|
7f94fc856000
|
page read and write
|
|||
|
7f96d8151000
|
page read and write
|
|||
|
7fef356dd000
|
page read and write
|
|||
|
7f5157fff000
|
page read and write
|
|||
|
7f515dd37000
|
page read and write
|
|||
|
7f94fc2a9000
|
page execute read
|
|||
|
7f5158021000
|
page read and write
|
|||
|
7fee28021000
|
page read and write
|
|||
|
7fee30524000
|
page read and write
|
|||
|
7f514f1ab000
|
page read and write
|
|||
|
7f515ecc4000
|
page read and write
|
|||
|
7f960354b000
|
page read and write
|
|||
|
7fff0351b000
|
page read and write
|
|||
|
7f515e642000
|
page read and write
|
|||
|
565368828000
|
page read and write
|
|||
|
7f10e4673000
|
page read and write
|
|||
|
7f9602d5d000
|
page read and write
|
|||
|
7f5058858000
|
page read and write
|
|||
|
565366813000
|
page read and write
|
|||
|
7fef3582a000
|
page read and write
|
|||
|
7f9602def000
|
page read and write
|
|||
|
7fef2f7fe000
|
page read and write
|
|||
|
7fee30c0f000
|
page read and write
|
|||
|
7f10db7fe000
|
page read and write
|
|||
|
55f857d4f000
|
page execute read
|
|||
|
7ffd0f1fc000
|
page execute read
|
|||
|
7f95d0c0f000
|
page read and write
|
|||
|
7f0fdc524000
|
page read and write
|
|||
|
7f96d8175000
|
page read and write
|
|||
|
5653665b9000
|
page execute read
|
|||
|
7fef34f20000
|
page read and write
|
|||
|
7f960390e000
|
page read and write
|
|||
|
7f515f1f3000
|
page read and write
|
|||
|
7ffe5ad57000
|
page execute read
|
|||
|
7ffe5ad0a000
|
page read and write
|
|||
|
562058ed0000
|
page execute and read and write
|
|||
|
7f96cffff000
|
page read and write
|
|||
|
562056c78000
|
page execute read
|
|||
|
562056ed2000
|
page read and write
|
|||
|
7fef3586f000
|
page read and write
|
|||
|
7ffd2cf5f000
|
page execute read
|
|||
|
7fef351ae000
|
page read and write
|
|||
|
5587a8b07000
|
page execute read
|
|||
|
5587abb1f000
|
page read and write
|
|||
|
7f95fb7fe000
|
page read and write
|
|||
|
7f5054021000
|
page read and write
|
|||
|
5611870eb000
|
page read and write
|
|||
|
7f96d7509000
|
page read and write
|
|||
|
7fef30021000
|
page read and write
|
|||
|
7fef354fc000
|
page read and write
|
|||
|
7f10e3a77000
|
page read and write
|
|||
|
5587a8d61000
|
page read and write
|
|||
|
7fff03522000
|
page execute read
|
|||
|
7f10dc021000
|
page read and write
|
|||
|
55f857fa9000
|
page read and write
|
|||
|
7f0fd8021000
|
page read and write
|
|||
|
7f0fdc81a000
|
page read and write
|
|||
|
7fef34b2c000
|
page read and write
|
|||
|
7f96d6c6f000
|
page read and write
|
|||
|
7fee302a9000
|
page execute read
|
|||
|
7ffd2cf2b000
|
page read and write
|
|||
|
562056ec9000
|
page read and write
|
|||
|
7f515ee30000
|
page read and write
|
|||
|
7ffd0f050000
|
page read and write
|
|||
|
7f0fdcc0f000
|
page read and write
|
|||
|
562058ee7000
|
page read and write
|
|||
|
7f10e4311000
|
page read and write
|
|||
|
7f10e427f000
|
page read and write
|
|||
|
7f96d786b000
|
page read and write
|
|||
|
7f10e48de000
|
page read and write
|
|||
|
7fee30856000
|
page read and write
|
|||
|
55f85bb7d000
|
page read and write
|
|||
|
7f515f385000
|
page read and write
|
|||
|
56536680a000
|
page read and write
|
|||
|
7f5050021000
|
page read and write
|
|||
|
7f515f31c000
|
page read and write
|
|||
|
7f96cf7fe000
|
page read and write
|
|||
|
56205a178000
|
page read and write
|
|||
|
7f95fc021000
|
page read and write
|
|||
|
7f96d6bad000
|
page read and write
|
|||
|
7f94fc81a000
|
page read and write
|
|||
|
7fef34221000
|
page read and write
|
|||
|
7f505881a000
|
page read and write
|
|||
|
7f94f4021000
|
page read and write
|
|||
|
7f0fd0021000
|
page read and write
|
|||
|
7f50582a9000
|
page execute read
|
|||
|
7f95fbfff000
|
page read and write
|
|||
|
7ffcecb34000
|
page execute read
|
|||
|
7f96d81ba000
|
page read and write
|
|||
|
561182fca000
|
page read and write
|
|||
|
7f515f340000
|
page read and write
|
|||
|
56536ac14000
|
page read and write
|
|||
|
7f5058524000
|
page read and write
|
|||
|
7fef2ffff000
|
page read and write
|
|||
|
7f10d31ab000
|
page read and write
|
|||
|
7f504c021000
|
page read and write
|
|||
|
7fef35806000
|
page read and write
|
|||
|
7f95f31ab000
|
page read and write
|
|||
|
561184fdf000
|
page read and write
|
|||
|
7f9602555000
|
page read and write
|
|||
|
7fef34262000
|
page read and write
|
|||
|
5587aad76000
|
page read and write
|
|||
|
7f96d0021000
|
page read and write
|
|||
|
7f10e4f7d000
|
page read and write
|
|||
|
7f9603a37000
|
page read and write
|
|||
|
561182d70000
|
page execute read
|
|||
|
7f9602493000
|
page read and write
|
|||
|
7fef34bbe000
|
page read and write
|
|||
|
565368811000
|
page execute and read and write
|
There are 158 hidden memdumps, click here to show them.