IOC Report
na.elf


Files

| File Path | Type | Category | Malicious |
| --- | --- | --- | --- |
| na.elf | ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), statically linked, for GNU/Linux 3.2.0, BuildID[sha1]=bc565f9f2dafc5618defa8eccf705f85712c87da, stripped | initial sample | malicious |
| /etc/CommId | ASCII text, with no line terminators | dropped | malicious |
| /usr/sbin/uplugplay | ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), statically linked, for GNU/Linux 3.2.0, BuildID[sha1]=bc565f9f2dafc5618defa8eccf705f85712c87da, stripped | dropped | malicious |
| /memfd:snapd-env-generator (deleted) | ASCII text | dropped | |
| /proc/6405/task/6406/comm | ASCII text, with no line terminators | dropped | |
| /proc/6405/task/6407/comm | ASCII text, with no line terminators | dropped | |
| /proc/6405/task/6408/comm | ASCII text, with no line terminators | dropped | |
| /usr/lib/systemd/system/uplugplay.service | ASCII text | dropped | |

Processes

| Path | Cmdline | Malicious |
| --- | --- | --- |
| /tmp/na.elf | /tmp/na.elf | |
| /tmp/na.elf | - | |
| /bin/sh | sh -c "pgrep na.elf" | |
| /bin/sh | - | |
| /usr/bin/pgrep | pgrep na.elf | |
| /tmp/na.elf | - | |
| /bin/sh | sh -c "pgrep uplugplay" | |
| /bin/sh | - | |
| /usr/bin/pgrep | pgrep uplugplay | |
| /tmp/na.elf | - | |
| /bin/sh | sh -c "pidof uplugplay" | |
| /bin/sh | - | |
| /usr/bin/pidof | pidof uplugplay | |
| /tmp/na.elf | - | |
| /bin/sh | sh -c "pgrep upnpsetup" | |
| /bin/sh | - | |
| /usr/bin/pgrep | pgrep upnpsetup | |
| /tmp/na.elf | - | |
| /bin/sh | sh -c "pidof upnpsetup" | |
| /bin/sh | - | |
| /usr/bin/pidof | pidof upnpsetup | |
| /tmp/na.elf | - | |
| /bin/sh | sh -c "systemctl daemon-reload" | |
| /bin/sh | - | |
| /usr/bin/systemctl | systemctl daemon-reload | |
| /tmp/na.elf | - | |
| /bin/sh | sh -c "systemctl enable uplugplay.service" | |
| /bin/sh | - | |
| /usr/bin/systemctl | systemctl enable uplugplay.service | |
| /tmp/na.elf | - | |
| /bin/sh | sh -c "systemctl start uplugplay.service" | |
| /bin/sh | - | |
| /usr/bin/systemctl | systemctl start uplugplay.service | |
| /usr/lib/systemd/systemd | - | |
| /usr/lib/systemd/system-environment-generators/snapd-env-generator | /usr/lib/systemd/system-environment-generators/snapd-env-generator | |
| /usr/lib/systemd/systemd | - | |
| /usr/lib/systemd/system-environment-generators/snapd-env-generator | /usr/lib/systemd/system-environment-generators/snapd-env-generator | |
| /usr/lib/systemd/systemd | - | |
| /usr/sbin/uplugplay | /usr/sbin/uplugplay | |
| /usr/sbin/uplugplay | - | |
| /usr/sbin/uplugplay | - | |
| /bin/sh | sh -c "/usr/sbin/uplugplay -Dcomsvc" | |
| /bin/sh | - | |
| /usr/sbin/uplugplay | /usr/sbin/uplugplay -Dcomsvc | |
| /usr/sbin/uplugplay | - | |
| /bin/sh | sh -c "nslookup p3.feefreepool.net 8.8.8.8" | |
| /bin/sh | - | |
| /usr/bin/nslookup | nslookup p3.feefreepool.net 8.8.8.8 | |

URLs

| Name | IP | Malicious |
| --- | --- | --- |
| http://p3.feefreepool.net/cgi-bin/prometei.cgihttp://dummy.zero/cgi-bin/prometei.cgihttps://gb7ni5rg | unknown | |
| https://bugs.launchpad.net/ubuntu/ | unknown | |
| http://mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.b32.i2p/cgi-bin/prometei.cgi | unknown | |
| http://p3.feefreepool.net/cgi-bin/prometei.cgi | unknown | |
| https://gb7ni5rgeexdcncj.onion/cgi-bin/prometei.cgi | unknown | |
| http://%s/cgi-bin/prometei.cgi | unknown | |
| http://%s/cgi-bin/prometei.cgi?r=0&auth=hash&i=%s&enckey=%shttp://%s/cgi-bin/prometei.cgi%m%d%yxinch | unknown | |
| https://http:///:.onion.i2p.zeroGET | unknown | |
| http://dummy.zero/cgi-bin/prometei.cgi | unknown | |
| http://%s/cgi-bin/prometei.cgi?r=0&auth=hash&i=%s&enckey=%s | unknown | |

Domains

| Name | IP | Malicious |
| --- | --- | --- |
| p3.feefreepool.net | 88.198.246.242 | |

IPs

| IP | Domain | Country | Malicious |
| --- | --- | --- | --- |
| 88.198.246.242 | p3.feefreepool.net | Germany | |
| 109.202.202.202 | unknown | Switzerland | |
| 91.189.91.43 | unknown | United Kingdom | |
| 91.189.91.42 | unknown | United Kingdom | |

Memdumps

| Base Address | Region type | Protect | Malicious |
| --- | --- | --- | --- |
| 7fd51526a000 | | page read and write | malicious |
| 7fd5144d2000 | | page execute read | malicious |
| 7fd592621000 | | page read and write | |
| 7fe6e312c000 | | page read and write | |
| 7fe6e276a000 | | page read and write | |
| 7fd59b5b8000 | | page read and write | |
| 7fd5915fe000 | | page execute and read and write | |
| 7fd510062000 | | page read and write | |
| 7fd59a5a9000 | | page read and write | |
| 7fd59bc10000 | | page read and write | |
| 7fd594000000 | | page read and write | |
| 7fd594021000 | | page read and write | |
| 7fd59b906000 | | page read and write | |
| 7fd5905fc000 | | page execute and read and write | |
| 55c2f2c81000 | | page execute read | |
| 7fd592600000 | | page execute and read and write | |
| 7fd59bc5d000 | | page read and write | |
| 7fd59af44000 | | page read and write | |
| 7fff95f65000 | | page read and write | |
| 7fd59bae7000 | | page read and write | |
| 7fd5144e7000 | | page read and write | |
| 7fe6e2dbb000 | | page read and write | |
| 55c2f4f28000 | | page read and write | |
| 7fd591dff000 | | page execute and read and write | |
| 7fe6e275c000 | | page read and write | |
| 7fd59b5d5000 | | page read and write | |
| 7fd59b595000 | | page read and write | |
| 557345063000 | | page read and write | |
| 7fd58f5fa000 | | page execute and read and write | |
| 7fd59a72e000 | | page read and write | |
| 7fff95faf000 | | page execute read | |
| 7fd59a62b000 | | page read and write | |
| 7fe6e330d000 | | page read and write | |
| 7fe6dc021000 | | page read and write | |
| 7fe6e1f54000 | | page read and write | |
| 7fd59a5ea000 | | page read and write | |
| 5573435b1000 | | page execute and read and write | |
| 55c2f2f13000 | | page read and write | |
| 5573415a9000 | | page read and write | |
| 7fd50c021000 | | page read and write | |
| 7fe6e3436000 | | page read and write | |
| 7fe6e2dde000 | | page read and write | |
| 557341321000 | | page execute read | |
| 7fd5937ff000 | | page execute and read and write | |
| 7fe6e3483000 | | page read and write | |
| 55c2f4f11000 | | page execute and read and write | |
| 7fe6e343e000 | | page read and write | |
| 7fd592ffe000 | | page execute and read and write | |
| 5573435c8000 | | page read and write | |
| 7fd59bc18000 | | page read and write | |
| 7fd59a66c000 | | page read and write | |
| 7fd590dfd000 | | page execute and read and write | |
| 7fd58edf9000 | | page execute and read and write | |
| 5573415b3000 | | page read and write | |
| 7ffcfaf31000 | | page read and write | |
| 7fe6dc000000 | | page read and write | |
| 7fd58fdfb000 | | page execute and read and write | |
| 55c2f6d06000 | | page read and write | |
| 7fe65d26a000 | | page read and write | |
| 7fd59b1f4000 | | page read and write | |
| 7fe6e2a1a000 | | page read and write | |
| 55c2f2f09000 | | page read and write | |
| 7ffcfaf59000 | | page execute read | |
| 7fd59af36000 | | page read and write | |
| 7fe6e2dfb000 | | page read and write | |