Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
cron.elf
|
ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux
2.6.32, BuildID[sha1]=fdb92fd0de3892fc2176220c6694f8eee61d4fa3, stripped
|
initial sample
|
 |
|
|
/root/.config/autostart/gnome3.desktop
|
ASCII text
|
dropped
|
|
|
|
/root/.gnome3/cron.elf
|
ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux
2.6.32, BuildID[sha1]=fdb92fd0de3892fc2176220c6694f8eee61d4fa3, stripped
|
dropped
|
|
|
|
/tmp/_MEIcXSYvg/_cffi_backend.so
|
ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=a8065860edce18a4dc4eef124c5ef5186663c879,
stripped
|
dropped
|
||
|
/tmp/_MEIcXSYvg/_codecs_cn.so
|
ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=514db53237f2feae68b921059fd270fb13189922,
stripped
|
dropped
|
||
|
/tmp/_MEIcXSYvg/_codecs_hk.so
|
ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=97e4ead34d3cee0d9e177d17cfa5b6ce7bd75c9f,
stripped
|
dropped
|
||
|
/tmp/_MEIcXSYvg/_codecs_iso2022.so
|
ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=327305681b550044f7c7d3974bb02e611a5f0d66,
stripped
|
dropped
|
||
|
/tmp/_MEIcXSYvg/_codecs_jp.so
|
ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=de2862cf1c79ce588099c9e88107338eb803b6b4,
stripped
|
dropped
|
||
|
/tmp/_MEIcXSYvg/_codecs_kr.so
|
ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=5f5a1cace8de7365928cd69d9c22f52f019b499d,
stripped
|
dropped
|
||
|
/tmp/_MEIcXSYvg/_codecs_tw.so
|
ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=9c3201f16e000ddb42f5b2b5ba4eb2cb37701577,
stripped
|
dropped
|
||
|
/tmp/_MEIcXSYvg/_ctypes.so
|
ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=9eb871f4b7c1f223cd7928397c52ec239b80d664,
stripped
|
dropped
|
||
|
/tmp/_MEIcXSYvg/_hashlib.so
|
ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=0f3b6573a291ea8cb69408512d6bdab7de25b832,
stripped
|
dropped
|
||
|
/tmp/_MEIcXSYvg/_json.so
|
ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=7465cc284b75613923b1ffde62d40bf513654c26,
stripped
|
dropped
|
||
|
/tmp/_MEIcXSYvg/_multibytecodec.so
|
ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=b3a1858bab7ca02b90b913ccedb9ce5019a489df,
stripped
|
dropped
|
||
|
/tmp/_MEIcXSYvg/_ssl.so
|
ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=566fc01e70b4bb52cc045ec9c932495462369c23,
stripped
|
dropped
|
||
|
/tmp/_MEIcXSYvg/bz2.so
|
ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=666dba81d12c5e460272832aa9823d35642a949c,
stripped
|
dropped
|
||
|
/tmp/_MEIcXSYvg/certifi/cacert.pem
|
ASCII text
|
dropped
|
||
|
/tmp/_MEIcXSYvg/certifi/old_root.pem
|
ASCII text
|
dropped
|
||
|
/tmp/_MEIcXSYvg/certifi/weak.pem
|
ASCII text
|
dropped
|
||
|
/tmp/_MEIcXSYvg/cryptography-2.1.4-py2.7.egg-info/PKG-INFO
|
ASCII text
|
dropped
|
||
|
/tmp/_MEIcXSYvg/cryptography-2.1.4-py2.7.egg-info/dependency_links.txt
|
very short file (no magic)
|
dropped
|
||
|
/tmp/_MEIcXSYvg/cryptography-2.1.4-py2.7.egg-info/not-zip-safe
|
very short file (no magic)
|
dropped
|
||
|
/tmp/_MEIcXSYvg/cryptography-2.1.4-py2.7.egg-info/requires.txt
|
ASCII text
|
dropped
|
||
|
/tmp/_MEIcXSYvg/cryptography-2.1.4-py2.7.egg-info/top_level.txt
|
ASCII text
|
dropped
|
||
|
/tmp/_MEIcXSYvg/cryptography.hazmat.bindings._constant_time.so
|
ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=26260b2f19ee2371e0719b4e5f18680e1737851a,
stripped
|
dropped
|
||
|
/tmp/_MEIcXSYvg/cryptography.hazmat.bindings._openssl.so
|
ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=0ead53b947feba0a793eddad8400ae751a20c5ba,
stripped
|
dropped
|
||
|
/tmp/_MEIcXSYvg/libbz2.so.1.0
|
ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=a4147045409ed969e6f3936f3726726f4719bb40,
stripped
|
dropped
|
||
|
/tmp/_MEIcXSYvg/libcrypto.so.1.1
|
ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=9349f6f4db60009a53cebe1e05c7056992595a36,
stripped
|
dropped
|
||
|
/tmp/_MEIcXSYvg/libexpat.so.1
|
ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=49976d874cc89dfcebf8c5dbf329149bfb40dab5,
stripped
|
dropped
|
||
|
/tmp/_MEIcXSYvg/libffi.so.6
|
ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=3555b5f599c9787dfddbf9e8df6f706b9044d985,
stripped
|
dropped
|
||
|
/tmp/_MEIcXSYvg/libpython2.7.so.1.0
|
ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=8a23a5727eea537355146d8842ad700ee02ac49c,
stripped
|
dropped
|
||
|
/tmp/_MEIcXSYvg/libreadline.so.7
|
ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=a21b81c1855c6444bc915d9331ab19923fa22c66,
stripped
|
dropped
|
||
|
/tmp/_MEIcXSYvg/libssl.so.1.1
|
ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=ca742a427e7aef089b39c4d773c20ea9e074ce8e,
stripped
|
dropped
|
||
|
/tmp/_MEIcXSYvg/libtinfo.so.5
|
ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=d20dc4f7881d9dd170d87fea8eec2a18e4949008,
stripped
|
dropped
|
||
|
/tmp/_MEIcXSYvg/libz.so.1
|
ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=ef3e006dfe3132a41d4d4dc0e407d6ea658e11c4,
stripped
|
dropped
|
||
|
/tmp/_MEIcXSYvg/pyexpat.so
|
ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=1fcab5ed75e10a3179769960716824a2e17cb3dd,
stripped
|
dropped
|
||
|
/tmp/_MEIcXSYvg/readline.so
|
ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=c153df9ee2f261c40fe564523ef2832027b0a8eb,
stripped
|
dropped
|
||
|
/tmp/_MEIcXSYvg/resource.so
|
ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=c69be48495f38778b2cf5753d7227d244f3de847,
stripped
|
dropped
|
||
|
/tmp/_MEIcXSYvg/termios.so
|
ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=8045f1e14355ca6e3ea401dd8e3a49d7142ab8a0,
stripped
|
dropped
|
||
|
/tmp/list.txt
|
ASCII text
|
dropped
|
There are 30 hidden files, click here to show them.
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
/tmp/cron.elf
|
/tmp/cron.elf
|
||
|
/tmp/cron.elf
|
-
|
||
|
/tmp/cron.elf
|
/tmp/cron.elf
|
||
|
/tmp/cron.elf
|
-
|
||
|
/sbin/ldconfig
|
/sbin/ldconfig -p
|
||
|
/sbin/ldconfig.real
|
/sbin/ldconfig.real -p
|
||
|
/tmp/cron.elf
|
-
|
||
|
/bin/sh
|
sh -c "uname -p 2> /dev/null"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/uname
|
uname -p
|
||
|
/tmp/cron.elf
|
-
|
||
|
/bin/sh
|
sh -c "cd; find . -type f > /tmp/list.txt"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/find
|
find . -type f
|
||
|
/tmp/cron.elf
|
-
|
||
|
/bin/sh
|
sh -c "chmod +x /root/.gnome3/cron.elf"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/chmod
|
chmod +x /root/.gnome3/cron.elf
|
||
|
/usr/bin/dash
|
-
|
||
|
/usr/bin/rm
|
rm -f /tmp/tmp.daq1fugtlt /tmp/tmp.DKxxUtkXhW /tmp/tmp.wWDD2OqcVY
|
||
|
/usr/bin/dash
|
-
|
||
|
/usr/bin/rm
|
rm -f /tmp/tmp.daq1fugtlt /tmp/tmp.DKxxUtkXhW /tmp/tmp.wWDD2OqcVY
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/sbin/uuidd
|
/usr/sbin/uuidd --socket-activation
|
There are 14 hidden processes, click here to show them.
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://157.173.198.190:15124/api/root_245842932284287/upload
|
157.173.198.190
|
|
|
|
http://157.173.198.190:15124/api/root_245842932284287/hello
|
157.173.198.190
|
|
|
|
http://python.org/dev/peps/pep-0263/
|
unknown
|
||
|
https://img.shields.io/pypi/v/cryptography.svg
|
unknown
|
||
|
http://www.valicert.com/
|
unknown
|
||
|
http://www.unicode.org/reports/tr44/tr44-4.html).
|
unknown
|
||
|
https://github.com/pyca/cryptography
|
unknown
|
||
|
https://cryptography.io/
|
unknown
|
||
|
https://pypi.python.org/pypi/cryptography/
|
unknown
|
||
|
https://mail.python.org/mailman/listinfo/cryptography-dev
|
unknown
|
||
|
https://codecov.io/github/pyca/cryptography?branch=master
|
unknown
|
||
|
https://codecov.io/github/pyca/cryptography/coverage.svg?branch=master
|
unknown
|
||
|
https://travis-ci.org/pyca/cryptography.svg?branch=master
|
unknown
|
||
|
http://www.unicode.org/reports/tr44/tr44-4.html).xxsubtype
|
unknown
|
||
|
https://travis-ci.org/pyca/cryptography
|
unknown
|
||
|
https://cryptography.io
|
unknown
|
||
|
https://github.com/pyca/cryptography/issues
|
unknown
|
||
|
https://readthedocs.org/projects/cryptography/badge/?version=latest
|
unknown
|
||
|
http://www.chambersign.org
|
unknown
|
||
|
https://cryptography.io/en/latest/installation/
|
unknown
|
There are 10 hidden URLs, click here to show them.
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
157.173.198.190
|
unknown
|
United Kingdom
|
|
|
|
54.171.230.55
|
unknown
|
United States
|
||
|
109.202.202.202
|
unknown
|
Switzerland
|
||
|
91.189.91.43
|
unknown
|
United Kingdom
|
||
|
91.189.91.42
|
unknown
|
United Kingdom
|
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
618000
|
page read and write
|
|||
|
7fd589a7b000
|
page read and write
|
|||
|
7fd589c91000
|
page read and write
|
|||
|
1285000
|
page read and write
|
|||
|
408000
|
page execute read
|
|||
|
7ffccf026000
|
page read and write
|
|||
|
7fd589c6d000
|
page read and write
|
|||
|
7fd589cd6000
|
page read and write
|
|||
|
608000
|
page read and write
|
|||
|
7ffccf0e1000
|
page execute read
|