IOC Report
na.elf


Files

File Path | Type | Category | Malicious
na.elf | ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), statically linked, for GNU/Linux 3.2.0, BuildID[sha1]=bc565f9f2dafc5618defa8eccf705f85712c87da, stripped | initial sample | malicious
/etc/CommId | ASCII text, with no line terminators | dropped | malicious
/usr/sbin/uplugplay | ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), statically linked, for GNU/Linux 3.2.0, BuildID[sha1]=bc565f9f2dafc5618defa8eccf705f85712c87da, stripped | dropped | malicious
/memfd:snapd-env-generator (deleted) | ASCII text | dropped |
/proc/6428/task/6429/comm | ASCII text, with no line terminators | dropped |
/proc/6428/task/6430/comm | ASCII text, with no line terminators | dropped |
/proc/6428/task/6431/comm | ASCII text, with no line terminators | dropped |
/usr/lib/systemd/system/uplugplay.service | ASCII text | dropped |

Processes

Path | Cmdline | Malicious
/tmp/na.elf | /tmp/na.elf |
/tmp/na.elf | - |
/bin/sh | sh -c "pgrep na.elf" |
/bin/sh | - |
/usr/bin/pgrep | pgrep na.elf |
/tmp/na.elf | - |
/bin/sh | sh -c "pidof na.elf" |
/bin/sh | - |
/usr/bin/pidof | pidof na.elf |
/tmp/na.elf | - |
/bin/sh | sh -c "pgrep uplugplay" |
/bin/sh | - |
/usr/bin/pgrep | pgrep uplugplay |
/tmp/na.elf | - |
/bin/sh | sh -c "pidof uplugplay" |
/bin/sh | - |
/usr/bin/pidof | pidof uplugplay |
/tmp/na.elf | - |
/bin/sh | sh -c "pgrep upnpsetup" |
/bin/sh | - |
/usr/bin/pgrep | pgrep upnpsetup |
/tmp/na.elf | - |
/bin/sh | sh -c "pidof upnpsetup" |
/bin/sh | - |
/usr/bin/pidof | pidof upnpsetup |
/tmp/na.elf | - |
/bin/sh | sh -c "systemctl daemon-reload" |
/bin/sh | - |
/usr/bin/systemctl | systemctl daemon-reload |
/tmp/na.elf | - |
/bin/sh | sh -c "systemctl enable uplugplay.service" |
/bin/sh | - |
/usr/bin/systemctl | systemctl enable uplugplay.service |
/tmp/na.elf | - |
/bin/sh | sh -c "systemctl start uplugplay.service" |
/bin/sh | - |
/usr/bin/systemctl | systemctl start uplugplay.service |
/usr/lib/systemd/systemd | - |
/usr/lib/systemd/system-environment-generators/snapd-env-generator | /usr/lib/systemd/system-environment-generators/snapd-env-generator |
/usr/lib/systemd/systemd | - |
/usr/lib/systemd/system-environment-generators/snapd-env-generator | /usr/lib/systemd/system-environment-generators/snapd-env-generator |
/usr/lib/systemd/systemd | - |
/usr/sbin/uplugplay | /usr/sbin/uplugplay |
/usr/sbin/uplugplay | - |
/usr/sbin/uplugplay | - |
/bin/sh | sh -c "/usr/sbin/uplugplay -Dcomsvc" |
/bin/sh | - |
/usr/sbin/uplugplay | /usr/sbin/uplugplay -Dcomsvc |
/usr/sbin/uplugplay | - |
/bin/sh | sh -c "nslookup p3.feefreepool.net 8.8.8.8" |
/bin/sh | - |
/usr/bin/nslookup | nslookup p3.feefreepool.net 8.8.8.8 |

URLs

Name | IP | Malicious
http://p3.feefreepool.net/cgi-bin/prometei.cgihttp://dummy.zero/cgi-bin/prometei.cgihttps://gb7ni5rg | unknown |
https://bugs.launchpad.net/ubuntu/ | unknown |
http://mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.b32.i2p/cgi-bin/prometei.cgi | unknown |
http://p3.feefreepool.net/cgi-bin/prometei.cgi | unknown |
https://gb7ni5rgeexdcncj.onion/cgi-bin/prometei.cgi | unknown |
http://%s/cgi-bin/prometei.cgi | unknown |
http://%s/cgi-bin/prometei.cgi?r=0&auth=hash&i=%s&enckey=%shttp://%s/cgi-bin/prometei.cgi%m%d%yxinch | unknown |
https://http:///:.onion.i2p.zeroGET | unknown |
http://dummy.zero/cgi-bin/prometei.cgi | unknown |
http://%s/cgi-bin/prometei.cgi?r=0&auth=hash&i=%s&enckey=%s | unknown |

Domains

Name | IP | Malicious
p3.feefreepool.net | 88.198.246.242 |

IPs

IP | Domain | Country | Malicious
88.198.246.242 | p3.feefreepool.net | Germany |
109.202.202.202 | unknown | Switzerland |
91.189.91.43 | unknown | United Kingdom |
91.189.91.42 | unknown | United Kingdom |

Memdumps

Base Address | Regiontype | Protect | Malicious