Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
qkdjdjj888.arm7.elf
|
ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, with debug_info, not stripped
|
initial sample
|
 |
|
|
/run/systemd/resolve/stub-resolv.conf
|
ASCII text
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
/tmp/qkdjdjj888.arm7.elf
|
/tmp/qkdjdjj888.arm7.elf
|
||
|
/tmp/qkdjdjj888.arm7.elf
|
-
|
||
|
/tmp/qkdjdjj888.arm7.elf
|
-
|
||
|
/tmp/qkdjdjj888.arm7.elf
|
-
|
||
|
/tmp/qkdjdjj888.arm7.elf
|
-
|
||
|
/bin/sh
|
/bin/sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/rm
|
rm -rf /tmp/config-err-8GMGF7 /tmp/dmesgtail.log /tmp/hsperfdata_root /tmp/qkdjdjj888.arm7.elf /tmp/snap-private-tmp /tmp/snap.lxd
/tmp/ssh-oCVxfzsbTQaT /tmp/systemd-private-d76496b72bf2487abe78ff63f093d446-ModemManager.service-gKnN3f /tmp/systemd-private-d76496b72bf2487abe78ff63f093d446-colord.service-ttuwai
/tmp/systemd-private-d76496b72bf2487abe78ff63f093d446-fwupd.service-5zAd2i /tmp/systemd-private-d76496b72bf2487abe78ff63f093d446-switcheroo-control.service-2Gilej
/tmp/systemd-private-d76496b72bf2487abe78ff63f093d446-systemd-logind.service-Nw8Bch /tmp/systemd-private-d76496b72bf2487abe78ff63f093d446-systemd-resolved.service-b6o3kh
/tmp/systemd-private-d76496b72bf2487abe78ff63f093d446-systemd-timedated.service-kBQCFf /tmp/systemd-private-d76496b72bf2487abe78ff63f093d446-upower.service-70vK5e
/tmp/vmware-root_724-2965906890 /var/backups /var/cache /var/crash /var/lib /var/local /var/lock /var/log /var/mail /var/metrics
/var/opt /var/run /var/snap /var/spool /var/tmp /var/run/NetworkManager /var/run/acpid.pid /var/run/acpid.socket /var/run/apport.lock
/var/run/avahi-daemon /var/run/blkid /var/run/cloud-init /var/run/console-setup /var/run/crond.pid /var/run/crond.reboot /var/run/cryptsetup
/var/run/cups /var/run/dbus /var/run/dmeventd-client /var/run/dmeventd-server /var/run/gdm3 /var/run/gdm3.pid /var/run/initctl
/var/run/initramfs /var/run/irqbalance /var/run/lock /var/run/log /var/run/lvm /var/run/mono-xsp4 /var/run/mono-xsp4.pid /var/run/motd.d
/var/run/mount /var/run/multipathd.pid /var/run/netns /var/run/network /var/run/screen /var/run/sendsigs.omit.d /var/run/shm
/var/run/snapd /var/run/snapd-snap.socket /var/run/snapd.socket /var/run/speech-dispatcher /var/run/spice-vdagentd /var/run/sshd
/var/run/sshd.pid /var/run/sudo /var/run/systemd /var/run/tmpfiles.d /var/run/udev /var/run/udisks2 /var/run/user /var/run/utmp
/var/run/uuidd /var/run/vmware /var/tmp/systemd-private-d76496b72bf2487abe78ff63f093d446-ModemManager.service-8RZKbg /var/tmp/systemd-private-d76496b72bf2487abe78ff63f093d446-colord.service-i36c6f
/var/tmp/systemd-private-d76496b72bf2487abe78ff63f093d446-fwupd.service-Bzpwlj /var/tmp/systemd-private-d76496b72bf2487abe78ff63f093d446-switcheroo-control.service-HC2Noh
/var/tmp/systemd-private-d76496b72bf2487abe78ff63f093d446-systemd-logind.service-IgPdPh /var/tmp/systemd-private-d76496b72bf2487abe78ff63f093d446-systemd-resolved.service-VqRX8h
/var/tmp/systemd-private-d76496b72bf2487abe78ff63f093d446-systemd-timedated.service-a8UKGf /var/tmp/systemd-private-d76496b72bf2487abe78ff63f093d446-upower.service-aLITRg
|
||
|
/tmp/qkdjdjj888.arm7.elf
|
-
|
||
|
/bin/sh
|
/bin/sh -c "rm -rf /var/log/wtmp"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/rm
|
rm -rf /var/log/wtmp
|
||
|
/tmp/qkdjdjj888.arm7.elf
|
-
|
||
|
/bin/sh
|
/bin/sh -c "rm -rf ~/.bash_history"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/rm
|
rm -rf /root/.bash_history
|
||
|
/tmp/qkdjdjj888.arm7.elf
|
-
|
||
|
/bin/sh
|
/bin/sh -c "history -c;history -w"
|
||
|
/tmp/qkdjdjj888.arm7.elf
|
-
|
||
|
/bin/sh
|
/bin/sh -c "rm -rf /tmp/*"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/rm
|
rm -rf /tmp/*
|
||
|
/tmp/qkdjdjj888.arm7.elf
|
-
|
||
|
/bin/sh
|
/bin/sh -c "history -c"
|
||
|
/tmp/qkdjdjj888.arm7.elf
|
-
|
||
|
/bin/sh
|
/bin/sh -c "rm -rf /bin/netstat"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/rm
|
rm -rf /bin/netstat
|
||
|
/tmp/qkdjdjj888.arm7.elf
|
-
|
||
|
/bin/sh
|
/bin/sh -c "history -w"
|
||
|
/tmp/qkdjdjj888.arm7.elf
|
-
|
||
|
/bin/sh
|
/bin/sh -c "pkill -9 busybox"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/pkill
|
pkill -9 busybox
|
||
|
/tmp/qkdjdjj888.arm7.elf
|
-
|
||
|
/bin/sh
|
/bin/sh -c "pkill -9 perl"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/pkill
|
pkill -9 perl
|
||
|
/tmp/qkdjdjj888.arm7.elf
|
-
|
||
|
/bin/sh
|
/bin/sh -c "service iptables stop"
|
||
|
/bin/sh
|
-
|
||
|
/usr/sbin/service
|
service iptables stop
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/basename
|
basename /usr/sbin/service
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/basename
|
basename /usr/sbin/service
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/systemctl
|
systemctl --quiet is-active multi-user.target
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/systemctl
|
systemctl list-unit-files --full --type=socket
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/sed
|
sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p
|
||
|
/usr/bin/systemctl
|
systemctl stop iptables.service
|
||
|
/tmp/qkdjdjj888.arm7.elf
|
-
|
||
|
/bin/sh
|
/bin/sh -c "/sbin/iptables -F;/sbin/iptables -X"
|
||
|
/bin/sh
|
-
|
||
|
/sbin/iptables
|
/sbin/iptables -F
|
||
|
/bin/sh
|
-
|
||
|
/sbin/iptables
|
/sbin/iptables -X
|
||
|
/tmp/qkdjdjj888.arm7.elf
|
-
|
||
|
/bin/sh
|
/bin/sh -c "service firewalld stop"
|
||
|
/bin/sh
|
-
|
||
|
/usr/sbin/service
|
service firewalld stop
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/basename
|
basename /usr/sbin/service
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/basename
|
basename /usr/sbin/service
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/systemctl
|
systemctl --quiet is-active multi-user.target
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/systemctl
|
systemctl list-unit-files --full --type=socket
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/sed
|
sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p
|
||
|
/usr/bin/systemctl
|
systemctl stop firewalld.service
|
There are 66 hidden processes, click here to show them.
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
31.172.80.237:999
|
|
||
|
http://www.baidu.com/search/spider.html)
|
unknown
|
||
|
http://31.172.80.237/qkdjdjj22.sh
|
unknown
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
31.172.80.237
|
unknown
|
Germany
|
|
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
7f1b54043000
|
page execute read
|
|
||
|
7f1b54043000
|
page execute read
|
|
||
|
7f1b54043000
|
page execute read
|
|
||
|
7f1b54043000
|
page execute read
|
|
||
|
7f1c5a15a000
|
page read and write
|
|||
|
7f1c59b02000
|
page read and write
|
|||
|
7f1c58c78000
|
page read and write
|
|||
|
557603ea7000
|
page read and write
|
|||
|
7f1c5a17e000
|
page read and write
|
|||
|
557601c38000
|
page execute read
|
|||
|
7f1b5404c000
|
page read and write
|
|||
|
7f1c58c78000
|
page read and write
|
|||
|
7f1c59874000
|
page read and write
|
|||
|
7f1c53fff000
|
page read and write
|
|||
|
7ffe665d6000
|
page execute read
|
|||
|
557603e90000
|
page execute and read and write
|
|||
|
7f1b54055000
|
page read and write
|
|||
|
557601e89000
|
page read and write
|
|||
|
7f1c59480000
|
page read and write
|
|||
|
7f1c59512000
|
page read and write
|
|||
|
557601e92000
|
page read and write
|
|||
|
7f1b54054000
|
page read and write
|
|||
|
557601e92000
|
page read and write
|
|||
|
7f1c5a1c3000
|
page read and write
|
|||
|
7f1c59adf000
|
page read and write
|
|||
|
7ffe665d6000
|
page execute read
|
|||
|
7ffe665d6000
|
page execute read
|
|||
|
557601e89000
|
page read and write
|
|||
|
7f1c5a031000
|
page read and write
|
|||
|
7ffe66597000
|
page read and write
|
|||
|
7f1c53fff000
|
page read and write
|
|||
|
7f1c59b02000
|
page read and write
|
|||
|
7f1c53fff000
|
page read and write
|
|||
|
7f1c53fff000
|
page read and write
|
|||
|
7f1c5a17e000
|
page read and write
|
|||
|
557601c38000
|
page execute read
|
|||
|
7f1c59e50000
|
page read and write
|
|||
|
557601e92000
|
page read and write
|
|||
|
7f1c54021000
|
page read and write
|
|||
|
7f1c59c6e000
|
page read and write
|
|||
|
7ffe665d6000
|
page execute read
|
|||
|
7f1c59874000
|
page read and write
|
|||
|
7f1c58c78000
|
page read and write
|
|||
|
7f1c59512000
|
page read and write
|
|||
|
7f1c59480000
|
page read and write
|
|||
|
557601c38000
|
page execute read
|
|||
|
557604f24000
|
page read and write
|
|||
|
557603ea7000
|
page read and write
|
|||
|
7f1c5a17e000
|
page read and write
|
|||
|
7f1c59adf000
|
page read and write
|
|||
|
557604f45000
|
page read and write
|
|||
|
557604f45000
|
page read and write
|
|||
|
7f1c59c6e000
|
page read and write
|
|||
|
7f1b5404c000
|
page read and write
|
|||
|
7f1c59c6e000
|
page read and write
|
|||
|
7f1c59480000
|
page read and write
|
|||
|
557604f4b000
|
page read and write
|
|||
|
557604f45000
|
page read and write
|
|||
|
7f1c59c6e000
|
page read and write
|
|||
|
7ffe66597000
|
page read and write
|
|||
|
557604f24000
|
page read and write
|
|||
|
7f1b5404c000
|
page read and write
|
|||
|
557601e92000
|
page read and write
|
|||
|
7f1c59b02000
|
page read and write
|
|||
|
7f1b54054000
|
page read and write
|
|||
|
7ffe66597000
|
page read and write
|
|||
|
7f1c5a17e000
|
page read and write
|
|||
|
7f1c59480000
|
page read and write
|
|||
|
557601c38000
|
page execute read
|
|||
|
557604f24000
|
page read and write
|
|||
|
7f1b54054000
|
page read and write
|
|||
|
557603e90000
|
page execute and read and write
|
|||
|
7f1b5404c000
|
page read and write
|
|||
|
7f1c5a031000
|
page read and write
|
|||
|
7f1c59adf000
|
page read and write
|
|||
|
7f1c59874000
|
page read and write
|
|||
|
7f1c54021000
|
page read and write
|
|||
|
7f1b54054000
|
page read and write
|
|||
|
7f1c5a1c3000
|
page read and write
|
|||
|
7f1c5a031000
|
page read and write
|
|||
|
7f1c59e50000
|
page read and write
|
|||
|
7f1c5a1c3000
|
page read and write
|
|||
|
7f1c54021000
|
page read and write
|
|||
|
7f1c59e50000
|
page read and write
|
|||
|
7f1c5a15a000
|
page read and write
|
|||
|
557601e89000
|
page read and write
|
|||
|
7ffe66597000
|
page read and write
|
|||
|
557603ea7000
|
page read and write
|
|||
|
7f1c59adf000
|
page read and write
|
|||
|
7f1c5a031000
|
page read and write
|
|||
|
7f1c58c78000
|
page read and write
|
|||
|
557603ea7000
|
page read and write
|
|||
|
557601e89000
|
page read and write
|
|||
|
7f1c59512000
|
page read and write
|
|||
|
7f1c5a1c3000
|
page read and write
|
|||
|
7f1c59512000
|
page read and write
|
|||
|
7f1c5a15a000
|
page read and write
|
|||
|
557603e90000
|
page execute and read and write
|
|||
|
7f1c5a15a000
|
page read and write
|
|||
|
7f1c59e50000
|
page read and write
|
|||
|
557603e90000
|
page execute and read and write
|
|||
|
7f1c59b02000
|
page read and write
|
|||
|
7f1c59874000
|
page read and write
|
|||
|
7f1c54021000
|
page read and write
|
There are 94 hidden memdumps, click here to show them.