IOC Report
na.elf


Files

Malicious: "malicious" = flagged by the sandbox; "-" = not flagged (which is not a statement that the file is benign).

na.elf
  Type:       ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), statically linked, for GNU/Linux 3.2.0, BuildID[sha1]=bc565f9f2dafc5618defa8eccf705f85712c87da, stripped
  Category:   initial sample
  Malicious:  malicious

/etc/CommId
  Type:       ASCII text, with no line terminators
  Category:   dropped
  Malicious:  malicious

/usr/sbin/uplugplay
  Type:       ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), statically linked, for GNU/Linux 3.2.0, BuildID[sha1]=bc565f9f2dafc5618defa8eccf705f85712c87da, stripped
  Category:   dropped
  Malicious:  malicious

/memfd:snapd-env-generator (deleted)
  Type:       ASCII text
  Category:   dropped
  Malicious:  -

/proc/6425/task/6426/comm
  Type:       ASCII text, with no line terminators
  Category:   dropped
  Malicious:  -

/proc/6425/task/6427/comm
  Type:       ASCII text, with no line terminators
  Category:   dropped
  Malicious:  -

/proc/6425/task/6428/comm
  Type:       ASCII text, with no line terminators
  Category:   dropped
  Malicious:  -

/usr/lib/systemd/system/uplugplay.service
  Type:       ASCII text
  Category:   dropped
  Malicious:  -

Notes on the file list:
- /usr/sbin/uplugplay has the same file type and the same BuildID (bc565f9f2dafc5618defa8eccf705f85712c87da) as the initial sample: it is na.elf copied to a system path. The dropped unit file /usr/lib/systemd/system/uplugplay.service is how that copy is kept running across reboots (see the systemctl calls under Processes). The report gives no file hashes, so the BuildID is the only file-content indicator it provides for the copy.
- /etc/CommId is a single-line text file the sample creates; its content is not included in the report.
- The three /proc/6425/task/<tid>/comm entries are writes to thread-name files (comm holds a thread's name); the sandbox records every written path, so they appear here although they are not files on disk.
- /memfd:snapd-env-generator (deleted) is an anonymous in-memory file belonging to systemd's snapd-env-generator, which systemd ran while the sample's systemctl calls were being processed (see Processes); it is a side effect of those calls rather than something the sample wrote itself.

Processes

Listed in the order the report gives them. The report's Malicious column is empty for every row and is omitted. Rows whose Cmdline is "-" are how the export shows the parent of the process on the row that follows it (a /tmp/na.elf "-" row precedes each /bin/sh it spawned, a /bin/sh "-" row precedes each pgrep, pidof or systemctl that shell ran, and so on).

Path                        Cmdline
/tmp/na.elf                 /tmp/na.elf
/tmp/na.elf                 -
/bin/sh                     sh -c "pgrep na.elf"
/bin/sh                     -
/usr/bin/pgrep              pgrep na.elf
/tmp/na.elf                 -
/bin/sh                     sh -c "pidof na.elf"
/bin/sh                     -
/usr/bin/pidof              pidof na.elf
/tmp/na.elf                 -
/bin/sh                     sh -c "pgrep uplugplay"
/bin/sh                     -
/usr/bin/pgrep              pgrep uplugplay
/tmp/na.elf                 -
/bin/sh                     sh -c "pidof uplugplay"
/bin/sh                     -
/usr/bin/pidof              pidof uplugplay
/tmp/na.elf                 -
/bin/sh                     sh -c "pgrep upnpsetup"
/bin/sh                     -
/usr/bin/pgrep              pgrep upnpsetup
/tmp/na.elf                 -
/bin/sh                     sh -c "pidof upnpsetup"
/bin/sh                     -
/usr/bin/pidof              pidof upnpsetup
/tmp/na.elf                 -
/bin/sh                     sh -c "systemctl daemon-reload"
/bin/sh                     -
/usr/bin/systemctl          systemctl daemon-reload
/tmp/na.elf                 -
/bin/sh                     sh -c "systemctl enable uplugplay.service"
/bin/sh                     -
/usr/bin/systemctl          systemctl enable uplugplay.service
/tmp/na.elf                 -
/bin/sh                     sh -c "systemctl start uplugplay.service"
/bin/sh                     -
/usr/bin/systemctl          systemctl start uplugplay.service
/usr/lib/systemd/systemd    -
/usr/lib/systemd/system-environment-generators/snapd-env-generator  /usr/lib/systemd/system-environment-generators/snapd-env-generator
/usr/lib/systemd/systemd    -
/usr/lib/systemd/system-environment-generators/snapd-env-generator  /usr/lib/systemd/system-environment-generators/snapd-env-generator
/usr/lib/systemd/systemd    -
/usr/sbin/uplugplay         /usr/sbin/uplugplay
/usr/sbin/uplugplay         -
/usr/sbin/uplugplay         -
/bin/sh                     sh -c "/usr/sbin/uplugplay -Dcomsvc"
/bin/sh                     -
/usr/sbin/uplugplay         /usr/sbin/uplugplay -Dcomsvc
/usr/sbin/uplugplay         -
/bin/sh                     sh -c "nslookup p3.feefreepool.net 8.8.8.8"
/bin/sh                     -
/usr/bin/nslookup           nslookup p3.feefreepool.net 8.8.8.8

(42 further processes are in the full report but not in this export.)

What the sequence shows: the sample first probes for already-running instances by name (pgrep and pidof for na.elf, uplugplay and upnpsetup), then registers its copy as a service (systemctl daemon-reload, enable and start of uplugplay.service). systemd then starts /usr/sbin/uplugplay, which re-launches itself through sh as "/usr/sbin/uplugplay -Dcomsvc" and resolves p3.feefreepool.net by querying 8.8.8.8 directly instead of the host's configured resolver. The process names na.elf, uplugplay and upnpsetup, the "-Dcomsvc" argument and an nslookup aimed at 8.8.8.8 are all usable process-level indicators.
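Turning the file and process rows above into a host check, as an added example (this code is not from the report or from the sandbox vendor): the script looks under a filesystem root for the three dropped paths and for a *.wants/ link to uplugplay.service (an assumption about where `systemctl enable` places the link; the report records only the enable call), and looks in a process table for the names the sample itself probes with pgrep/pidof plus the -Dcomsvc argument. The root and process-table parameters exist so the check can run against a staged tree or a saved snapshot; the staged tree and process list in demo() are constructed for illustration.

```python
"""Host sweep for the artifacts listed in this report (added example, not the
sandbox's or the report's code). Checks a filesystem root for the dropped files
and the service unit, and a process table for the names the sample probes for."""
from __future__ import annotations

import os
import tempfile
from pathlib import Path

# Dropped paths from the Files table, relative to the filesystem root.
DROPPED_FILES = (
    "etc/CommId",
    "usr/sbin/uplugplay",
    "usr/lib/systemd/system/uplugplay.service",
)
# Names the sample itself looks for with pgrep/pidof before installing.
PROCESS_NAMES = ("na.elf", "uplugplay", "upnpsetup")
UNIT_NAME = "uplugplay.service"
# Assumption, not stated in the report: `systemctl enable` links the unit into a
# *.wants/ directory under /etc/systemd/system, so an enabled unit leaves that link.
WANTS_DIRS = "etc/systemd/system/*.wants"


def read_live_processes(proc: Path = Path("/proc")) -> list[tuple[int, str, str]]:
    """Return (pid, comm, cmdline) for every process visible under /proc."""
    table = []
    for entry in proc.iterdir():
        if not entry.name.isdigit():
            continue
        try:
            comm = (entry / "comm").read_text().strip()
            raw = (entry / "cmdline").read_bytes()
        except OSError:
            continue  # exited or unreadable; skip it
        cmdline = raw.replace(b"\0", b" ").decode(errors="replace").strip()
        table.append((int(entry.name), comm, cmdline))
    return table


def sweep(root: Path, processes: list[tuple[int, str, str]]) -> list[str]:
    """Return one line per matched indicator; an empty list means none matched."""
    findings = []
    for rel in DROPPED_FILES:
        if (root / rel).exists():
            findings.append(f"file present: /{rel}")
    for wants in root.glob(WANTS_DIRS):
        link = wants / UNIT_NAME
        if link.is_symlink() or link.exists():  # is_symlink() also catches a dangling link
            target = os.readlink(link) if link.is_symlink() else "(regular file)"
            findings.append(f"unit enabled: /{link.relative_to(root)} -> {target}")
    for pid, comm, cmdline in processes:
        argv = cmdline.split()
        argv0 = os.path.basename(argv[0]) if argv else ""
        if comm in PROCESS_NAMES or argv0 in PROCESS_NAMES:
            findings.append(f"process {pid}: comm={comm!r} cmdline={cmdline!r}")
        if "-Dcomsvc" in argv[1:]:
            findings.append(f"process {pid}: '-Dcomsvc' argument in {cmdline!r}")
    return findings


def demo() -> list[str]:
    """Stage a constructed root carrying the report's artifacts and sweep it."""
    root = Path(tempfile.mkdtemp())
    for rel in DROPPED_FILES:  # placeholder contents, not the real dropped files
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text("constructed placeholder\n")
    wants = root / "etc/systemd/system/multi-user.target.wants"
    wants.mkdir(parents=True)
    (wants / UNIT_NAME).symlink_to("/usr/lib/systemd/system/" + UNIT_NAME)
    processes = [  # constructed process table; PIDs are illustrative
        (1, "systemd", "/usr/lib/systemd/systemd"),
        (6425, "uplugplay", "/usr/sbin/uplugplay -Dcomsvc"),
        (700, "sshd", "/usr/sbin/sshd -D"),
    ]
    return sweep(root, processes)


def demo_clean() -> list[str]:
    """The same sweep over an empty root and a benign process table."""
    return sweep(Path(tempfile.mkdtemp()), [(1, "systemd", "/usr/lib/systemd/systemd")])


if __name__ == "__main__":
    for line in demo():
        print(line)
```

On a live host call sweep(Path("/"), read_live_processes()). An empty result means none of the listed indicators was present, not that the host is clean: the export above is truncated (42 processes not shown), and a sweep by fixed path and name only finds what this particular run left behind.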

URLs

No IP is given for any URL in the report (the IP column reads "unknown" throughout) and none is flagged as malicious. Entries containing "%s" are format strings recovered from memory, with the host filled in at run time; a few entries are several adjacent memory strings run together and are reproduced here exactly as the report shows them.

  http://p3.feefreepool.net/cgi-bin/prometei.cgihttp://dummy.zero/cgi-bin/prometei.cgihttps://gb7ni5rg
  https://bugs.launchpad.net/ubuntu/
  http://mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.b32.i2p/cgi-bin/prometei.cgi
  http://p3.feefreepool.net/cgi-bin/prometei.cgi
  https://gb7ni5rgeexdcncj.onion/cgi-bin/prometei.cgi
  http://%s/cgi-bin/prometei.cgi
  http://%s/cgi-bin/prometei.cgi?r=0&auth=hash&i=%s&enckey=%shttp://%s/cgi-bin/prometei.cgi%m%d%yxinch
  https://http:///:.onion.i2p.zeroGET
  http://dummy.zero/cgi-bin/prometei.cgi
  http://%s/cgi-bin/prometei.cgi?r=0&auth=hash&i=%s&enckey=%s

The same path, /cgi-bin/prometei.cgi, is reachable through a clearnet host (p3.feefreepool.net), a Tor hidden service (gb7ni5rgeexdcncj.onion), an I2P address (mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.b32.i2p) and the name dummy.zero, so the path and query shape are more durable indicators than any single host. The check-in template sends r=0, auth=hash, an identifier (i=) and an enckey parameter. https://bugs.launchpad.net/ubuntu/ is the address of Ubuntu's bug tracker and was most likely picked up from the sandbox's Ubuntu guest rather than from the sample.

Domains

Name                 IP               Malicious
p3.feefreepool.net   88.198.246.242   -

IPs

IP                Domain               Country          Malicious
88.198.246.242    p3.feefreepool.net   Germany          -
109.202.202.202   unknown              Switzerland      -
91.189.91.43      unknown              United Kingdom   -
91.189.91.42      unknown              United Kingdom   -

The Malicious column is empty for every domain and IP in the export. Only p3.feefreepool.net was resolved (to 88.198.246.242, Germany); the three other IPs have no domain recorded and are not tied to any of the URLs above, so treat them as contacts observed during the run rather than confirmed C2. The sample's own lookup of p3.feefreepool.net went straight to 8.8.8.8 (see the nslookup row under Processes), so it will not appear in logs of an internal resolver unless that traffic is blocked or redirected.
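The same indicators on the network side, as an added example that is not part of the report: the matcher below scans DNS-resolver and HTTP-proxy log lines for the C2 host names (clearnet, .onion and .b32.i2p), the resolved IP, the /cgi-bin/prometei.cgi path and the r/auth/i/enckey query template seen in the URL strings. The log lines are constructed, and the formats they assume (dnsmasq-style query lines and squid's native access log) are assumptions; adapt the two regexes to your own sources.

```python
"""Match this report's network indicators against resolver and proxy log lines
(added example, not from the report). Log formats are assumptions: dnsmasq-style
query lines and squid's native access log."""
from __future__ import annotations

import re
from urllib.parse import parse_qs, urlsplit

# Host names from the URL/Domain tables: clearnet, Tor and I2P forms of the same C2 path.
C2_HOSTS = {
    "p3.feefreepool.net",
    "gb7ni5rgeexdcncj.onion",
    "mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.b32.i2p",
}
C2_IPS = {"88.198.246.242"}  # resolution of p3.feefreepool.net in the report
C2_PATH = "/cgi-bin/prometei.cgi"
C2_QUERY_KEYS = {"r", "auth", "i", "enckey"}  # from ...?r=0&auth=hash&i=%s&enckey=%s

# Assumed line formats (adapt to your sources):
#   dnsmasq:  ... dnsmasq[123]: query[A] <name> from <client>
#   squid:    <ts> <elapsed> <client> <action/code> <size> <method> <url> ...
DNS_RE = re.compile(r"query\[[A-Z]+\] (?P<name>\S+) from (?P<client>\S+)")
HTTP_RE = re.compile(
    r"^\S+\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)


def classify_url(url: str) -> list[str]:
    """Return the indicator types a URL matches (empty list if none)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if host in C2_HOSTS:
        reasons.append("c2 host")
    if host in C2_IPS:
        reasons.append("c2 ip")
    if parts.path == C2_PATH:
        reasons.append("c2 path")
    if C2_QUERY_KEYS <= set(parse_qs(parts.query)):
        reasons.append("c2 query template")
    return reasons


def scan(lines) -> list[tuple[str, str, str, str]]:
    """Return (source, client, value, reasons) for every log line that matches."""
    hits = []
    for line in lines:
        m = DNS_RE.search(line)
        if m:
            if m["name"].lower() in C2_HOSTS:
                hits.append(("dns", m["client"], m["name"], "c2 host"))
            continue
        m = HTTP_RE.match(line)
        if not m:
            continue
        url = m["url"]
        if m["method"] == "CONNECT":  # squid logs CONNECT targets as host:port
            url = "https://" + url
        reasons = classify_url(url)
        if reasons:
            hits.append(("http", m["client"], url, ",".join(reasons)))
    return hits


# Constructed sample lines (not captured traffic): one benign DNS query, one benign
# HTTPS CONNECT, and four lines carrying indicators from the report.
SAMPLE_LINES = [
    "Jun  1 12:00:01 gw dnsmasq[742]: query[A] p3.feefreepool.net from 10.0.0.7",
    "Jun  1 12:00:02 gw dnsmasq[742]: query[A] www.ubuntu.com from 10.0.0.7",
    "1717243201.301 45 10.0.0.7 TCP_MISS/200 512 GET http://p3.feefreepool.net/cgi-bin/prometei.cgi?r=0&auth=hash&i=abc&enckey=def - HIER_DIRECT/88.198.246.242 text/html",
    "1717243202.118 40 10.0.0.9 TCP_MISS/200 498 GET http://88.198.246.242/cgi-bin/prometei.cgi - HIER_DIRECT/88.198.246.242 text/html",
    "1717243203.005 120 10.0.0.7 TCP_TUNNEL/200 3301 CONNECT bugs.launchpad.net:443 - HIER_DIRECT/91.189.91.43 -",
    "1717243204.770 130 10.0.0.7 TCP_TUNNEL/200 2210 CONNECT gb7ni5rgeexdcncj.onion:443 - HIER_NONE/- -",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        print(*hit)
```

The path and query-template checks fire even for a host not in the list, which is the point: the report shows the same prometei.cgi endpoint behind four different names, so a match on the path plus the r/auth/i/enckey keys is the indicator that survives a change of C2 host.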

Memdumps

The Regiontype and Download columns are empty in the export and are omitted. The base addresses are 64-bit user-space addresses (0x5..., 0x7f..., 0x7ffd...); a 32-bit MIPS image cannot be mapped there, so these dumps are of the 64-bit processes in which the sample was executed, not of the ELF's own address space. Two dumps are flagged: 7f53d84d2000 (execute read) and 7f53d926a000 (read and write). Regions marked "page execute and read and write" are mappings that are both writable and executable.

Base Address    Protect                          Malicious
7f53d84d2000    page execute read                malicious
7f53d926a000    page read and write              malicious
7f8f5a6da000    page read and write              -
7f545f9ad000    page read and write              -
7f8f5a803000    page read and write              -
555f16652000    page read and write              -
56447b3a5000    page execute read                -
7f8ed526a000    page read and write              -
555f16648000    page read and write              -
56447b637000    page read and write              -
7f54609da000    page read and write              -
7f53d4032000    page read and write              -
7f8f59321000    page read and write              -
7f54610a2000    page read and write              -
7ffd889e8000    page execute read                -
555f19fef000    page read and write              -
7f545fb73000    page read and write              -
56447b62d000    page read and write              -
7f5460d4b000    page read and write              -
7f8f5a850000    page read and write              -
7f5460f2c000    page read and write              -
7f545fa70000    page read and write              -
7ffd01337000    page execute read                -
7f545fa2f000    page read and write              -
7f5458021000    page read and write              -
7f5461055000    page read and write              -
7f8f59de7000    page read and write              -
7f8f5a1c8000    page read and write              -
7f53d84e7000    page read and write              -
7f5456600000    page execute and read and write  -
7f53d0062000    page read and write              -
7f8f5a188000    page read and write              -
555f18667000    page read and write              -
7f8f54000000    page read and write              -
7f54525f8000    page execute and read and write  -
7f5456621000    page read and write              -
7f8f54021000    page read and write              -
7f8f59b37000    page read and write              -
7f5453dfb000    page execute and read and write  -
7f54535fa000    page execute and read and write  -
7f8f59b29000    page read and write              -
7ffd889b5000    page read and write              -
7f5452df9000    page execute and read and write  -
7f545f9ee000    page read and write              -
7f54545fc000    page execute and read and write  -
56447d64c000    page read and write              -
555f163c0000    page execute read                -
7f5454dfd000    page execute and read and write  -
7f546037b000    page read and write              -
7f5458000000    page read and write              -
7f54555fe000    page execute and read and write  -
7f5460a1a000    page read and write              -
7f5455dff000    page execute and read and write  -
7f8f5a80b000    page read and write              -
7f546105d000    page read and write              -
7f5460639000    page read and write              -
555f18650000    page execute and read and write  -
7f5460389000    page read and write              -
56447d635000    page execute and read and write  -
7f8f5a4f9000    page read and write              -
7f5451df7000    page execute and read and write  -
7f54577ff000    page execute and read and write  -
56447dcbf000    page read and write              -
7f8f5a1ab000    page read and write              -
7ffd01302000    page read and write              -
7f54609fd000    page read and write              -
7f5456ffe000    page execute and read and write  -
7f545fab1000    page read and write              -

(58 further memdumps are in the full report but not in this export.)