Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
linux_amd64.elf
|
ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, Go BuildID=dswDAa3Pa96IQXwzNa8o/zXeywE363AvULETAnPZV/Y154CWzX1GhXLGGi1lo3/d4XVZaM2PDAAY5uysyTh,
stripped
|
initial sample
|
 |
|
|
/etc/32678
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/crontab
|
ASCII text
|
dropped
|
|
|
|
/etc/init.d/linux_kill
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/ssh
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/profile.d/bash_config.sh
|
a /bin/sh\n/etc/profile.d/bash_config script, ASCII text executable, with no line terminators
|
dropped
|
|
|
|
/.img
|
a /bin/sh\n/usr/lib/libdlrpcld.so script, ASCII text executable, with no line terminators
|
dropped
|
||
|
/memfd:snapd-env-generator (deleted)
|
ASCII text
|
dropped
|
||
|
/proc/6666/loginuid
|
very short file (no magic)
|
dropped
|
||
|
/run/crond.pid
|
ASCII text
|
dropped
|
||
|
/tmp/#531563 (deleted)
|
ASCII text
|
dropped
|
||
|
/usr/lib/systemd/system/linux.service
|
ASCII text
|
dropped
|
||
|
/var/log/btmp
|
data
|
dropped
|
There are 3 hidden files, click here to show them.
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
/tmp/linux_amd64.elf
|
/tmp/linux_amd64.elf
|
||
|
/tmp/linux_amd64.elf
|
-
|
||
|
/bin/bash
|
/bin/bash -c /etc/32678&
|
||
|
/bin/bash
|
-
|
||
|
/etc/32678
|
/etc/32678
|
||
|
/etc/32678
|
-
|
||
|
/usr/bin/sleep
|
sleep 60
|
||
|
/tmp/linux_amd64.elf
|
-
|
||
|
/usr/sbin/service
|
service crond start
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/basename
|
basename /usr/sbin/service
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/basename
|
basename /usr/sbin/service
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/systemctl
|
systemctl --quiet is-active multi-user.target
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/systemctl
|
systemctl list-unit-files --full --type=socket
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/sed
|
sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p
|
||
|
/usr/bin/systemctl
|
systemctl start crond.service
|
||
|
/tmp/linux_amd64.elf
|
-
|
||
|
/tmp/linux_amd64.elf
|
/tmp/linux_amd64.elf
|
||
|
/tmp/linux_amd64.elf
|
-
|
||
|
/usr/sbin/update-rc.d
|
update-rc.d linux_kill defaults
|
||
|
/usr/sbin/update-rc.d
|
-
|
||
|
/usr/bin/systemctl
|
systemctl daemon-reload
|
||
|
/tmp/linux_amd64.elf
|
-
|
||
|
/bin/bash
|
/bin/bash -c "cd /boot;systemctl daemon-reload;systemctl enable linux.service;systemctl start linux.service;journalctl -xe
--no-pager"
|
||
|
/bin/bash
|
-
|
||
|
/usr/bin/systemctl
|
systemctl daemon-reload
|
||
|
/bin/bash
|
-
|
||
|
/usr/bin/systemctl
|
systemctl enable linux.service
|
||
|
/bin/bash
|
-
|
||
|
/usr/bin/systemctl
|
systemctl start linux.service
|
||
|
/bin/bash
|
-
|
||
|
/usr/bin/journalctl
|
journalctl -xe --no-pager
|
||
|
/tmp/linux_amd64.elf
|
-
|
||
|
/bin/bash
|
/bin/bash -c "cd /boot;ausearch -c 'System.img.conf' --raw | audit2allow -M my-Systemimgconf;semodule -X 300 -i my-Systemimgconf.pp"
|
||
|
/bin/bash
|
-
|
||
|
/bin/bash
|
-
|
||
|
/bin/bash
|
-
|
||
|
/tmp/linux_amd64.elf
|
-
|
||
|
/usr/bin/bash
|
bash -c "echo \"*/1 * * * * root /.img \" >> /etc/crontab"
|
||
|
/tmp/linux_amd64.elf
|
-
|
||
|
/usr/bin/renice
|
renice -20 6247
|
||
|
/tmp/linux_amd64.elf
|
-
|
||
|
/usr/bin/mount
|
mount -o bind /tmp/ /proc/6247
|
||
|
/tmp/linux_amd64.elf
|
-
|
||
|
/usr/sbin/service
|
service cron start
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/basename
|
basename /usr/sbin/service
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/basename
|
basename /usr/sbin/service
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/systemctl
|
systemctl --quiet is-active multi-user.target
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/systemctl
|
systemctl list-unit-files --full --type=socket
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/sed
|
sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p
|
||
|
/usr/bin/systemctl
|
systemctl start cron.service
|
||
|
/tmp/linux_amd64.elf
|
-
|
||
|
/usr/bin/systemctl
|
systemctl start crond.service
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/boot/System.img.config
|
/boot/System.img.config
|
||
|
/boot/System.img.config
|
-
|
||
|
/usr/bin/pkill
|
pkill -9 32678
|
||
|
/boot/System.img.config
|
-
|
||
|
/usr/bin/sh
|
sh -c /etc/32678&
|
||
|
/usr/bin/sh
|
-
|
||
|
/etc/32678
|
/etc/32678
|
||
|
/etc/32678
|
-
|
||
|
/usr/bin/sleep
|
sleep 60
|
||
|
/etc/32678
|
-
|
||
|
/etc/id.services.conf
|
/etc/id.services.conf
|
||
|
/etc/id.services.conf
|
-
|
||
|
/usr/bin/pkill
|
pkill -9 32678
|
||
|
/etc/id.services.conf
|
-
|
||
|
/usr/bin/sh
|
sh -c /etc/32678&
|
||
|
/usr/bin/sh
|
-
|
||
|
/etc/32678
|
/etc/32678
|
||
|
/etc/32678
|
-
|
||
|
/usr/bin/sleep
|
sleep 60
|
||
|
/etc/id.services.conf
|
-
|
||
|
/usr/sbin/service
|
service crond start
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/basename
|
basename /usr/sbin/service
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/basename
|
basename /usr/sbin/service
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/systemctl
|
systemctl --quiet is-active multi-user.target
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/systemctl
|
systemctl list-unit-files --full --type=socket
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/sed
|
sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p
|
||
|
/usr/bin/systemctl
|
systemctl start crond.service
|
||
|
/etc/id.services.conf
|
-
|
||
|
/etc/id.services.conf
|
/etc/id.services.conf
|
||
|
/boot/System.img.config
|
-
|
||
|
/usr/sbin/service
|
service crond start
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/basename
|
basename /usr/sbin/service
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/basename
|
basename /usr/sbin/service
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/systemctl
|
systemctl --quiet is-active multi-user.target
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/systemctl
|
systemctl list-unit-files --full --type=socket
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/sed
|
sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p
|
||
|
/usr/bin/systemctl
|
systemctl start crond.service
|
||
|
/boot/System.img.config
|
-
|
||
|
/boot/System.img.config
|
/boot/System.img.config
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/sbin/cron
|
/usr/sbin/cron -f
|
||
|
/usr/sbin/cron
|
-
|
||
|
/usr/sbin/cron
|
-
|
||
|
/bin/sh
|
/bin/sh -c "/.img "
|
||
|
/bin/sh
|
-
|
||
|
/usr/sbin/sshd
|
-
|
||
|
/usr/sbin/sshd
|
/usr/sbin/sshd -D -R
|
||
|
/usr/sbin/sshd
|
-
|
||
|
/usr/sbin/sshd
|
/usr/sbin/sshd -D -R
|
||
|
/usr/sbin/sshd
|
-
|
||
|
/usr/sbin/sshd
|
-
|
||
|
/usr/sbin/sshd
|
/usr/sbin/sshd -D -R
|
||
|
/usr/sbin/sshd
|
-
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/sbin/cron
|
/usr/sbin/cron -f
|
||
|
/usr/sbin/sshd
|
-
|
||
|
/usr/sbin/sshd
|
/usr/sbin/sshd -D -R
|
||
|
/usr/sbin/sshd
|
-
|
||
|
/usr/sbin/sshd
|
/usr/sbin/sshd -D -R
|
||
|
/usr/sbin/sshd
|
-
|
||
|
/usr/sbin/sshd
|
-
|
||
|
/usr/sbin/sshd
|
/usr/sbin/sshd -D -R
|
||
|
/usr/sbin/sshd
|
-
|
There are 138 hidden processes, click here to show them.
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://www.baidu.com/search/spider.html)
|
unknown
|
||
|
http://search.msn.com/msnbot.htm
|
unknown
|
||
|
http://149.88.76.121:8088/password.txt
|
149.88.76.121
|
||
|
http://www.baidu.com/search/spider.html)000102030405060708091011121314151617181920212223242526272829
|
unknown
|
||
|
https://www.so.com/s?q=index
|
unknown
|
||
|
http://help.yahoo.com/help/us/ysearch/slurp)x509:
|
unknown
|
||
|
http://www.google.com/mobile/adsbot.html)
|
unknown
|
||
|
http://www.huaweisymantec.com/cn/IRL/spider)Mozilla/5.0
|
unknown
|
||
|
http://www.baidu.com/search/spider.html)http2:
|
unknown
|
||
|
http://yandex.com/bots)http:
|
unknown
|
||
|
http://www.baidu.com/search/spider.html)Mozilla/5.0
|
unknown
|
||
|
http://www.entireweb.com/about/search_tech/speedy_spider/)text/html
|
unknown
|
||
|
http://www.haosou.com/help/help_3_2.htmlMozilla/5.0
|
unknown
|
||
|
https://www.baidu.com/s?wd=insufficient
|
unknown
|
||
|
http://www.youdao.com/help/webmaster/spider/;)reflect:
|
unknown
|
||
|
https://search.yahoo.com/search?p=illegal
|
unknown
|
There are 6 hidden URLs, click here to show them.
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
78789.dns.army
|
149.88.76.121
|
||
|
www.google.com
|
142.250.181.228
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
109.202.202.202
|
unknown
|
Switzerland
|
||
|
149.88.76.121
|
78789.dns.army
|
United States
|
||
|
91.189.91.43
|
unknown
|
United Kingdom
|
||
|
91.189.91.42
|
unknown
|
United Kingdom
|
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
7ffdc2a9a000
|
page execute read
|
|||
|
7f5511986000
|
page read and write
|
|||
|
7f9613c48000
|
page read and write
|
|||
|
7f5536207000
|
page read and write
|
|||
|
c000400000
|
page read and write
|
|||
|
971000
|
page read and write
|
|||
|
7fae6354e000
|
page read and write
|
|||
|
7fa7d5f25000
|
page read and write
|
|||
|
92f000
|
page read and write
|
|||
|
7fc3d8ee3000
|
page read and write
|
|||
|
7fffbb909000
|
page execute read
|
|||
|
7ffcfd3f0000
|
page read and write
|
|||
|
7ffd4f3ed000
|
page execute read
|
|||
|
7fa7c1746000
|
page read and write
|
|||
|
691000
|
page execute read
|
|||
|
7fa7b15c5000
|
page read and write
|
|||
|
7fae8557f000
|
page read and write
|
|||
|
c000400000
|
page read and write
|
|||
|
92f000
|
page read and write
|
|||
|
7fc3b4adc000
|
page read and write
|
|||
|
7f96384c9000
|
page read and write
|
|||
|
7f55339b7000
|
page read and write
|
|||
|
7f96385a8000
|
page read and write
|
|||
|
7fc3d6b0d000
|
page read and write
|
|||
|
7fae87dcf000
|
page read and write
|
|||
|
c000400000
|
page read and write
|
|||
|
691000
|
page execute read
|
|||
|
7fae87eae000
|
page read and write
|
|||
|
c000400000
|
page read and write
|
|||
|
7fa7d35f6000
|
page read and write
|
|||
|
7fffbb8f3000
|
page read and write
|
|||
|
7fa7d59cc000
|
page read and write
|
|||
|
7f5521b07000
|
page read and write
|
|||
|
92f000
|
page read and write
|
|||
|
92f000
|
page read and write
|
|||
|
971000
|
page read and write
|
|||
|
7ffd4f2dc000
|
page read and write
|
|||
|
7fc3d943c000
|
page read and write
|
|||
|
c000400000
|
page read and write
|
|||
|
7f55362e6000
|
page read and write
|
|||
|
7f9635c79000
|
page read and write
|
|||
|
971000
|
page read and write
|
|||
|
7fc3c4c5d000
|
page read and write
|
|||
|
971000
|
page read and write
|
|||
|
7f963804f000
|
page read and write
|
|||
|
971000
|
page read and write
|
|||
|
7ffc4e1cc000
|
page execute read
|
|||
|
7ffdc2a74000
|
page read and write
|
|||
|
691000
|
page execute read
|
|||
|
7fc3d935d000
|
page read and write
|
|||
|
7ffcfd3fd000
|
page execute read
|
|||
|
7f9623dc9000
|
page read and write
|
|||
|
7fa7d5e46000
|
page read and write
|
|||
|
7ffc4e0a8000
|
page read and write
|
|||
|
691000
|
page execute read
|
|||
|
7f5535d8d000
|
page read and write
|
|||
|
92f000
|
page read and write
|
|||
|
7fae736cf000
|
page read and write
|
|||
|
7fae87955000
|
page read and write
|
|||
|
691000
|
page execute read
|
There are 50 hidden memdumps, click here to show them.