IOC Report
na.elf

Files

| File Path | Type | Category | Malicious |
| --- | --- | --- | --- |
| na.elf | ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), statically linked, for GNU/Linux 3.2.0, BuildID[sha1]=bc565f9f2dafc5618defa8eccf705f85712c87da, stripped | initial sample | malicious |
| /etc/CommId | ASCII text, with no line terminators | dropped | malicious |
| /usr/sbin/uplugplay | ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), statically linked, for GNU/Linux 3.2.0, BuildID[sha1]=bc565f9f2dafc5618defa8eccf705f85712c87da, stripped | dropped | malicious |
| /memfd:snapd-env-generator (deleted) | ASCII text | dropped | |
| /proc/6428/task/6429/comm | ASCII text, with no line terminators | dropped | |
| /proc/6428/task/6430/comm | ASCII text, with no line terminators | dropped | |
| /proc/6428/task/6431/comm | ASCII text, with no line terminators | dropped | |
| /usr/lib/systemd/system/uplugplay.service | ASCII text | dropped | |

Processes

| Path | Cmdline | (third column, unlabelled in the report) | Malicious |
| --- | --- | --- | --- |
| /tmp/na.elf | /tmp/na.elf | /tmp/na.elf | - |
| /bin/sh | sh -c "pgrep na.elf" | /bin/sh | - |
| /usr/bin/pgrep | pgrep na.elf | /tmp/na.elf | - |
| /bin/sh | sh -c "pgrep uplugplay" | /bin/sh | - |
| /usr/bin/pgrep | pgrep uplugplay | /tmp/na.elf | - |
| /bin/sh | sh -c "pidof uplugplay" | /bin/sh | - |
| /usr/bin/pidof | pidof uplugplay | /tmp/na.elf | - |
| /bin/sh | sh -c "pgrep upnpsetup" | /bin/sh | - |
| /usr/bin/pgrep | pgrep upnpsetup | /tmp/na.elf | - |
| /bin/sh | sh -c "pidof upnpsetup" | /bin/sh | - |
| /usr/bin/pidof | pidof upnpsetup | /tmp/na.elf | - |
| /bin/sh | sh -c "systemctl daemon-reload" | /bin/sh | - |
| /usr/bin/systemctl | systemctl daemon-reload | /tmp/na.elf | - |
| /bin/sh | sh -c "systemctl enable uplugplay.service" | /bin/sh | - |
| /usr/bin/systemctl | systemctl enable uplugplay.service | /tmp/na.elf | - |
| /bin/sh | sh -c "systemctl start uplugplay.service" | /bin/sh | - |
| /usr/bin/systemctl | systemctl start uplugplay.service | /usr/lib/systemd/systemd | - |
| /usr/lib/systemd/system-environment-generators/snapd-env-generator | /usr/lib/systemd/system-environment-generators/snapd-env-generator | /usr/lib/systemd/systemd | - |
| /usr/lib/systemd/system-environment-generators/snapd-env-generator | /usr/lib/systemd/system-environment-generators/snapd-env-generator | /usr/lib/systemd/systemd | - |
| /usr/sbin/uplugplay | /usr/sbin/uplugplay | /usr/sbin/uplugplay | - |
| /usr/sbin/uplugplay | | | - |
| /bin/sh | sh -c "/usr/sbin/uplugplay -Dcomsvc" | /bin/sh | - |
| /usr/sbin/uplugplay | /usr/sbin/uplugplay -Dcomsvc | /usr/sbin/uplugplay | - |
| /bin/sh | sh -c "nslookup p3.feefreepool.net 8.8.8.8" | /bin/sh | - |
| /usr/bin/nslookup | nslookup p3.feefreepool.net 8.8.8.8 | | |

URLs

| Name | IP | Malicious |
| --- | --- | --- |
| http://p3.feefreepool.net/cgi-bin/prometei.cgihttp://dummy.zero/cgi-bin/prometei.cgihttps://gb7ni5rg | unknown | |
| https://bugs.launchpad.net/ubuntu/ | unknown | |
| http://mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.b32.i2p/cgi-bin/prometei.cgi | unknown | |
| http://p3.feefreepool.net/cgi-bin/prometei.cgi | unknown | |
| https://gb7ni5rgeexdcncj.onion/cgi-bin/prometei.cgi | unknown | |
| http://%s/cgi-bin/prometei.cgi | unknown | |
| http://%s/cgi-bin/prometei.cgi?r=0&auth=hash&i=%s&enckey=%shttp://%s/cgi-bin/prometei.cgi%m%d%yxinch | unknown | |
| https://http:///:.onion.i2p.zeroGET | unknown | |
| http://dummy.zero/cgi-bin/prometei.cgi | unknown | |
| http://%s/cgi-bin/prometei.cgi?r=0&auth=hash&i=%s&enckey=%s | unknown | |

Domains

| Name | IP | Malicious |
| --- | --- | --- |
| p3.feefreepool.net | 88.198.246.242 | |

IPs

| IP | Domain | Country | Malicious |
| --- | --- | --- | --- |
| 88.198.246.242 | p3.feefreepool.net | Germany | |
| 109.202.202.202 | unknown | Switzerland | |
| 91.189.91.43 | unknown | United Kingdom | |
| 91.189.91.42 | unknown | United Kingdom | |

Memdumps
