Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
arm5.elf
|
ELF 32-bit LSB executable, ARM, EABI5 version 1 (GNU/Linux), statically linked, no section header
|
initial sample
|
 |
|
|
/boot/system.pub
|
ELF 32-bit LSB executable, ARM, EABI5 version 1 (GNU/Linux), statically linked, no section header
|
dropped
|
|
|
|
/etc/crontab
|
ASCII text
|
dropped
|
|
|
|
/etc/init.d/acpid
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/alsa-utils
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/anacron
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/apparmor
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/apport
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/avahi-daemon
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/binfmt-support
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/bluetooth
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/console-setup.sh
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/cron
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/cryptdisks
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/cryptdisks-early
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/cups
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/cups-browsed
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/dbus
|
POSIX shell script, Unicode text, UTF-8 text executable
|
dropped
|
|
|
|
/etc/init.d/dns-udp4
|
Bourne-Again shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/gdm3
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/hddtemp
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/hwclock.sh
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/irqbalance
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/iscsid
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/keyboard-setup.sh
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/kmod
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/lightdm
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/lm-sensors
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/lvm2-lvmpolld
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/mono-xsp4
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/multipath-tools
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/open-iscsi
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/open-vm-tools
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/plymouth
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/plymouth-log
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/procps
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/rsync
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/rsyslog
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/saned
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/screen-cleanup
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/spice-vdagent
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/ssh
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/udev
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/ufw
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/unattended-upgrades
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/uuidd
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/x11-common
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/profile.d/bash.cfg
|
ELF 32-bit LSB executable, ARM, EABI5 version 1 (GNU/Linux), statically linked, no section header
|
dropped
|
|
|
|
/etc/profile.d/bash.cfg.sh
|
Bourne-Again shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/profile.d/gateway.sh
|
Bourne-Again shell script, ASCII text executable, with very long lines (699)
|
dropped
|
|
|
|
/usr/lib/libgdi.so.0.8.2
|
ELF 32-bit LSB executable, ARM, EABI5 version 1 (GNU/Linux), statically linked, no section header
|
dropped
|
|
|
|
/usr/lib/system.mark
|
ELF 32-bit LSB executable, ARM, EABI5 version 1 (GNU/Linux), statically linked, no section header
|
dropped
|
|
|
|
/.mod
|
Bourne-Again shell script, ASCII text executable
|
dropped
|
||
|
/etc/.cfg
|
ASCII text
|
dropped
|
||
|
/memfd:snapd-env-generator (deleted)
|
ASCII text
|
dropped
|
||
|
/proc/5601/loginuid
|
very short file (no magic)
|
dropped
|
||
|
/proc/5657/loginuid
|
very short file (no magic)
|
dropped
|
||
|
/run/crond.pid
|
ASCII text
|
dropped
|
There are 48 hidden files, click here to show them.
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
/tmp/arm5.elf
|
/tmp/arm5.elf
|
||
|
/tmp/arm5.elf
|
-
|
||
|
/tmp/arm5.elf
|
/tmp/arm5.elf
|
||
|
/tmp/arm5.elf
|
-
|
||
|
/bin/bash
|
/bin/bash -c "cd /boot;systemctl daemon-reload;systemctl enable quotaon.service;systemctl start quotaon.service;journalctl
-xe --no-pager"
|
||
|
/bin/bash
|
-
|
||
|
/usr/bin/systemctl
|
systemctl daemon-reload
|
||
|
/bin/bash
|
-
|
||
|
/usr/bin/systemctl
|
systemctl enable quotaon.service
|
||
|
/bin/bash
|
-
|
||
|
/usr/bin/systemctl
|
systemctl start quotaon.service
|
||
|
/bin/bash
|
-
|
||
|
/usr/bin/journalctl
|
journalctl -xe --no-pager
|
||
|
/tmp/arm5.elf
|
-
|
||
|
/bin/bash
|
/bin/bash -c "cd /boot;ausearch -c 'system.pub' --raw | audit2allow -M my-Systemmod;semodule -X 300 -i my-Systemmod.pp"
|
||
|
/bin/bash
|
-
|
||
|
/bin/bash
|
-
|
||
|
/bin/bash
|
-
|
||
|
/tmp/arm5.elf
|
-
|
||
|
/bin/bash
|
/bin/bash -c "echo \"*/1 * * * * root /.mod \" >> /etc/crontab"
|
||
|
/tmp/arm5.elf
|
-
|
||
|
/usr/sbin/update-rc.d
|
update-rc.d dns-udp4 defaults
|
||
|
/usr/sbin/update-rc.d
|
-
|
||
|
/usr/bin/systemctl
|
systemctl daemon-reload
|
||
|
/tmp/arm5.elf
|
-
|
||
|
/usr/bin/mount
|
mount -o bind /tmp/ /proc/5439
|
||
|
/tmp/arm5.elf
|
-
|
||
|
/usr/sbin/service
|
service cron start
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/basename
|
basename /usr/sbin/service
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/basename
|
basename /usr/sbin/service
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/systemctl
|
systemctl --quiet is-active multi-user.target
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/systemctl
|
systemctl list-unit-files --full --type=socket
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/sed
|
sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p
|
||
|
/usr/bin/systemctl
|
systemctl start cron.service
|
||
|
/tmp/arm5.elf
|
-
|
||
|
/usr/bin/systemctl
|
systemctl start crond.service
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/sbin/cron
|
/usr/sbin/cron -f
|
||
|
/usr/sbin/cron
|
-
|
||
|
/usr/sbin/cron
|
-
|
||
|
/bin/sh
|
/bin/sh -c "/.mod "
|
||
|
/bin/sh
|
-
|
||
|
/.mod
|
/.mod
|
||
|
/.mod
|
-
|
||
|
/usr/lib/libgdi.so.0.8.2
|
/usr/lib/libgdi.so.0.8.2
|
||
|
/usr/lib/libgdi.so.0.8.2
|
-
|
||
|
/usr/lib/libgdi.so.0.8.2
|
/usr/lib/libgdi.so.0.8.2
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/sbin/cron
|
/usr/sbin/cron -f
|
||
|
/usr/sbin/cron
|
-
|
||
|
/usr/sbin/cron
|
-
|
||
|
/bin/sh
|
/bin/sh -c "/.mod "
|
||
|
/bin/sh
|
-
|
||
|
/.mod
|
/.mod
|
||
|
/.mod
|
-
|
||
|
/usr/lib/libgdi.so.0.8.2
|
/usr/lib/libgdi.so.0.8.2
|
||
|
/usr/lib/libgdi.so.0.8.2
|
-
|
||
|
/usr/lib/libgdi.so.0.8.2
|
/usr/lib/libgdi.so.0.8.2
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/sbin/cron
|
/usr/sbin/cron -f
|
There are 64 hidden processes, click here to show them.
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://upx.sf.net
|
unknown
|
|
|
|
http://html4/loose.dtd
|
unknown
|
||
|
http://.css
|
unknown
|
||
|
http://.jpg
|
unknown
|
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
j.xuanxuan1997.com
|
93.123.109.118
|
||
|
www.google.com
|
142.250.186.164
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
93.123.109.118
|
j.xuanxuan1997.com
|
Bulgaria
|
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
7fd6d71ab000
|
page read and write
|
|||
|
7f943c212000
|
page read and write
|
|||
|
7fff28d66000
|
page read and write
|
|||
|
7f4810021000
|
page read and write
|
|||
|
7fd6e934f000
|
page read and write
|
|||
|
557a17305000
|
page read and write
|
|||
|
7f491e31d000
|
page read and write
|
|||
|
7fc938bbd000
|
page read and write
|
|||
|
7f943c7df000
|
page read and write
|
|||
|
55bd3b6b7000
|
page read and write
|
|||
|
55f20a242000
|
page read and write
|
|||
|
7fc9271ab000
|
page read and write
|
|||
|
7f943c180000
|
page read and write
|
|||
|
7f48182ad000
|
page execute read
|
|||
|
7f491ef19000
|
page read and write
|
|||
|
7f491e25b000
|
page read and write
|
|||
|
55bd3b6c0000
|
page read and write
|
|||
|
7fd6e879e000
|
page read and write
|
|||
|
55bd3d6d5000
|
page read and write
|
|||
|
7f933481a000
|
page read and write
|
|||
|
561404112000
|
page execute and read and write
|
|||
|
7f8019e43000
|
page read and write
|
|||
|
7fc9387c9000
|
page read and write
|
|||
|
7fc937eff000
|
page read and write
|
|||
|
561401eba000
|
page execute read
|
|||
|
7f9334524000
|
page read and write
|
|||
|
7f481881a000
|
page read and write
|
|||
|
7f491f313000
|
page read and write
|
|||
|
7f93342ad000
|
page execute read
|
|||
|
7f8019d1a000
|
page read and write
|
|||
|
7fc938e28000
|
page read and write
|
|||
|
7ffea4fda000
|
page read and write
|
|||
|
7f4814021000
|
page read and write
|
|||
|
7fff28ddb000
|
page execute read
|
|||
|
7fd6e8e20000
|
page read and write
|
|||
|
7fc93885b000
|
page read and write
|
|||
|
7f491f6d6000
|
page read and write
|
|||
|
5610aa191000
|
page read and write
|
|||
|
557a1730e000
|
page read and write
|
|||
|
7f4917fff000
|
page read and write
|
|||
|
557a1930c000
|
page execute and read and write
|
|||
|
5610ac1a6000
|
page read and write
|
|||
|
7f801889f000
|
page read and write
|
|||
|
557a19323000
|
page read and write
|
|||
|
7fd5e0524000
|
page read and write
|
|||
|
7fd5e081a000
|
page read and write
|
|||
|
7fc9394a3000
|
page read and write
|
|||
|
7f491f1a7000
|
page read and write
|
|||
|
7f7f14524000
|
page read and write
|
|||
|
7ffcea5a0000
|
page execute read
|
|||
|
7f8019957000
|
page read and write
|
|||
|
7f4918021000
|
page read and write
|
|||
|
7f942b1ab000
|
page read and write
|
|||
|
5610ae2cb000
|
page read and write
|
|||
|
7f800b1ab000
|
page read and write
|
|||
|
7fc92f7fe000
|
page read and write
|
|||
|
7fd6e9478000
|
page read and write
|
|||
|
7f7f08021000
|
page read and write
|
|||
|
7f491e21a000
|
page read and write
|
|||
|
7fd6e8f8c000
|
page read and write
|
|||
|
7f80191fb000
|
page read and write
|
|||
|
7f7f14c0f000
|
page read and write
|
|||
|
55f20a22b000
|
page execute and read and write
|
|||
|
7f80137fe000
|
page read and write
|
|||
|
7ffcea476000
|
page read and write
|
|||
|
55f207fd3000
|
page execute read
|
|||
|
7f801885e000
|
page read and write
|
|||
|
7fc938e4b000
|
page read and write
|
|||
|
7fd5e02ad000
|
page execute read
|
|||
|
7f943c574000
|
page read and write
|
|||
|
7fc830524000
|
page read and write
|
|||
|
7f943c802000
|
page read and write
|
|||
|
7fffde51a000
|
page read and write
|
|||
|
7fd6e7e93000
|
page read and write
|
|||
|
7fc83081a000
|
page read and write
|
|||
|
7fc930021000
|
page read and write
|
|||
|
5610ac18f000
|
page execute and read and write
|
|||
|
7f491eb25000
|
page read and write
|
|||
|
7fc93950c000
|
page read and write
|
|||
|
7fd6e916e000
|
page read and write
|
|||
|
7fffee85d000
|
page read and write
|
|||
|
7f943c96e000
|
page read and write
|
|||
|
7f8014021000
|
page read and write
|
|||
|
557a1a3b8000
|
page read and write
|
|||
|
7fc92ffff000
|
page read and write
|
|||
|
7f8013fff000
|
page read and write
|
|||
|
7f9434021000
|
page read and write
|
|||
|
7f943b8b6000
|
page read and write
|
|||
|
7f80197eb000
|
page read and write
|
|||
|
7fc824021000
|
page read and write
|
|||
|
561404129000
|
page read and write
|
|||
|
7fd6e7f96000
|
page read and write
|
|||
|
7fd5dc021000
|
page read and write
|
|||
|
7fd5d8021000
|
page read and write
|
|||
|
7fd6e949c000
|
page read and write
|
|||
|
7fc938fb7000
|
page read and write
|
|||
|
7fd6e8dfd000
|
page read and write
|
|||
|
7f491ebb7000
|
page read and write
|
|||
|
7fd6dffff000
|
page read and write
|
|||
|
7fd6e0021000
|
page read and write
|
|||
|
7f8019169000
|
page read and write
|
|||
|
7fd6e8b92000
|
page read and write
|
|||
|
7f491f184000
|
page read and write
|
|||
|
7f94337fe000
|
page read and write
|
|||
|
7fd6df7fe000
|
page read and write
|
|||
|
7f9433fff000
|
page read and write
|
|||
|
7fc93937a000
|
page read and write
|
|||
|
7fc937fc1000
|
page read and write
|
|||
|
7f943cec3000
|
page read and write
|
|||
|
7fd5e0850000
|
page read and write
|
|||
|
7fc828021000
|
page read and write
|
|||
|
7f491f823000
|
page read and write
|
|||
|
7fd5e0c0f000
|
page read and write
|
|||
|
7fffde5e7000
|
page execute read
|
|||
|
7f943cd31000
|
page read and write
|
|||
|
7f491f4f5000
|
page read and write
|
|||
|
7fd6e8830000
|
page read and write
|
|||
|
7f490f1ab000
|
page read and write
|
|||
|
7fffee8f5000
|
page execute read
|
|||
|
7fc8302ad000
|
page execute read
|
|||
|
7f8019b39000
|
page read and write
|
|||
|
7f943ce5a000
|
page read and write
|
|||
|
7f4818c0f000
|
page read and write
|
|||
|
7fc939199000
|
page read and write
|
|||
|
7f8019e67000
|
page read and write
|
|||
|
7f943b978000
|
page read and write
|
|||
|
561402114000
|
page read and write
|
|||
|
7f7f10021000
|
page read and write
|
|||
|
7f8018961000
|
page read and write
|
|||
|
7f9328021000
|
page read and write
|
|||
|
7f9334c0f000
|
page read and write
|
|||
|
7f943cb50000
|
page read and write
|
|||
|
5610a9f37000
|
page execute read
|
|||
|
557a170b4000
|
page execute read
|
|||
|
55f20abe6000
|
page read and write
|
|||
|
5610aa188000
|
page read and write
|
|||
|
7ffea4fff000
|
page execute read
|
|||
|
55bd3b466000
|
page execute read
|
|||
|
7f80197c8000
|
page read and write
|
|||
|
55bd3eed3000
|
page read and write
|
|||
|
55f208224000
|
page read and write
|
|||
|
55f20822d000
|
page read and write
|
|||
|
7fc82c021000
|
page read and write
|
|||
|
7fd6e94e1000
|
page read and write
|
|||
|
561405986000
|
page read and write
|
|||
|
7f7f142ad000
|
page execute read
|
|||
|
7f932c021000
|
page read and write
|
|||
|
7f8019eac000
|
page read and write
|
|||
|
7f7f1481a000
|
page read and write
|
|||
|
7fc937ebe000
|
page read and write
|
|||
|
56140210b000
|
page read and write
|
|||
|
7f49177fe000
|
page read and write
|
|||
|
7f9330021000
|
page read and write
|
|||
|
7f491f7ff000
|
page read and write
|
|||
|
7f801955d000
|
page read and write
|
|||
|
7fc9394c7000
|
page read and write
|
|||
|
55bd3d6be000
|
page execute and read and write
|
|||
|
7fd6e7ed4000
|
page read and write
|
|||
|
7f943ce7e000
|
page read and write
|
|||
|
7fd5d4021000
|
page read and write
|
|||
|
7f943b875000
|
page read and write
|
|||
|
7fc830c0f000
|
page read and write
|
|||
|
7f7f0c021000
|
page read and write
|
|||
|
7f480c021000
|
page read and write
|
|||
|
7f491f868000
|
page read and write
|
|||
|
7f4818524000
|
page read and write
|
There are 156 hidden memdumps, click here to show them.