IOC Report
na.elf

Files

File Path: na.elf
  Type: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
  Category: initial sample
  Malicious: malicious

File Path: /tmp/qemu-open.gYIaFd (deleted)
  Type: data
  Category: dropped

File Path: /tmp/qemu-open.wB9V57 (deleted)
  Type: ASCII text
  Category: dropped

Processes

Path                Cmdline                                                            Malicious
/tmp/na.elf         /tmp/na.elf
/tmp/na.elf         -
/tmp/na.elf         -
/tmp/na.elf         -
/bin/sh             sh -c "iptables -A INPUT -p tcp --destination-port 23 -j DROP"
/bin/sh             -
/usr/sbin/iptables  iptables -A INPUT -p tcp --destination-port 23 -j DROP
/tmp/na.elf         -
/bin/sh             sh -c "iptables -A INPUT -p tcp --destination-port 7547 -j DROP"
/bin/sh             -
/usr/sbin/iptables  iptables -A INPUT -p tcp --destination-port 7547 -j DROP
/tmp/na.elf         -
/bin/sh             sh -c "iptables -A INPUT -p tcp --destination-port 5555 -j DROP"
/bin/sh             -
/usr/sbin/iptables  iptables -A INPUT -p tcp --destination-port 5555 -j DROP
/tmp/na.elf         -
/bin/sh             sh -c "iptables -A INPUT -p tcp --destination-port 5358 -j DROP"
/bin/sh             -
/usr/sbin/iptables  iptables -A INPUT -p tcp --destination-port 5358 -j DROP
/tmp/na.elf         -
/bin/sh             sh -c "iptables -D INPUT -j CWMP_CR"
/bin/sh             -
/usr/sbin/iptables  iptables -D INPUT -j CWMP_CR
/tmp/na.elf         -
/bin/sh             sh -c "iptables -X CWMP_CR"
/bin/sh             -
/usr/sbin/iptables  iptables -X CWMP_CR
/tmp/na.elf         -
/bin/sh             sh -c "iptables -I INPUT -p udp --dport 21170 -j ACCEPT"
/bin/sh             -
/usr/sbin/iptables  iptables -I INPUT -p udp --dport 21170 -j ACCEPT
(21 additional processes are not shown in this report)

Domains

Name                   IP              Malicious
daisy.ubuntu.com       162.213.35.24
router.bittorrent.com  unknown
router.utorrent.com    unknown

Memdumps

Base Address  Regiontype  Protect                          Malicious
5557adad2000              page read and write
7f8ac6d07000              page read and write
7f8a40435000              page execute read
5557ac2ab000              page read and write
7f8ac8236000              page read and write
7fffd7a89000              page read and write
7f8ac751d000              page read and write
7f8ac0000000              page read and write
7f8ac81f1000              page read and write
7f8ac7b91000              page read and write
7f8ac750f000              page read and write
7f8ac750f000              page read and write
7f8a40160000              page execute and read and write
7fffd7b10000              page execute read
7f8ac6d07000              page read and write
7f8ac7edf000              page read and write
5557ac294000              page execute and read and write
5557aa004000              page execute read
7fffd7a89000              page read and write
5557aa28c000              page read and write
7f8ac7b6e000              page read and write
5557ac2ab000              page read and write
7f8ac7b91000              page read and write
7f8a4047b000              page read and write
7f8a4047b000              page read and write
7f8ac81f1000              page read and write
7f8ac8236000              page read and write
7f8ac81e9000              page read and write
7f8ac0021000              page read and write
5557adad2000              page read and write
7f8ac77cd000              page read and write
7f8ac7b6e000              page read and write
7f8ac0021000              page read and write
5557aa296000              page read and write
5557adaf2000              page read and write
7f8a40435000              page execute read
7fffd7b10000              page execute read
7f8a40160000              page execute and read and write
7f8ac7bae000              page read and write
7f8ac7bae000              page read and write
5557aa296000              page read and write
5557aa004000              page execute read
7f8ac80c0000              page read and write
5557aa28c000              page read and write
5557ac294000              page execute and read and write
7f8ac0000000              page read and write
7f8ac7edf000              page read and write
7f8ac81e9000              page read and write
7f8ac77cd000              page read and write
7f8ac751d000              page read and write
7f8ac80c0000              page read and write
(41 additional memdumps are not shown in this report)