Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
linux_ppc64el.elf
|
ELF 64-bit LSB executable, 64-bit PowerPC or cisco 7500, OpenPOWER ELF V2 ABI, version 1 (SYSV), statically linked, Go BuildID=Y52nvXRmmagZPlBTD-aN/NAr5Akn8HWwmUdYC_fAB/CpqR8sVX_ghDLQQPm5P-/GAtPsar0-LeUP45KvIBJ,
stripped
|
initial sample
|
 |
|
|
/boot/System.img.config
|
ELF 64-bit LSB executable, 64-bit PowerPC or cisco 7500, OpenPOWER ELF V2 ABI, version 1 (SYSV), statically linked, Go BuildID=Y52nvXRmmagZPlBTD-aN/NAr5Akn8HWwmUdYC_fAB/CpqR8sVX_ghDLQQPm5P-/GAtPsar0-LeUP45KvIBJ,
stripped
|
dropped
|
|
|
|
/etc/32678
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/id.services.conf
|
ELF 64-bit LSB executable, 64-bit PowerPC or cisco 7500, OpenPOWER ELF V2 ABI, version 1 (SYSV), statically linked, Go BuildID=Y52nvXRmmagZPlBTD-aN/NAr5Akn8HWwmUdYC_fAB/CpqR8sVX_ghDLQQPm5P-/GAtPsar0-LeUP45KvIBJ,
stripped
|
dropped
|
|
|
|
/etc/init.d/linux_kill
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/memfd:snapd-env-generator (deleted)
|
ASCII text
|
dropped
|
||
|
/tmp/qemu-open.0lVY39 (deleted)
|
ASCII text
|
dropped
|
||
|
/tmp/qemu-open.0utOWb (deleted)
|
ASCII text
|
dropped
|
||
|
/tmp/qemu-open.2XcNfa (deleted)
|
ASCII text
|
dropped
|
||
|
/tmp/qemu-open.3TchF8 (deleted)
|
ASCII text
|
dropped
|
||
|
/tmp/qemu-open.47zsTa (deleted)
|
ASCII text
|
dropped
|
||
|
/tmp/qemu-open.7RtYha (deleted)
|
ASCII text
|
dropped
|
||
|
/tmp/qemu-open.7ufIb9 (deleted)
|
ASCII text
|
dropped
|
||
|
/tmp/qemu-open.8ac428 (deleted)
|
ASCII text
|
dropped
|
||
|
/tmp/qemu-open.9gi6V9 (deleted)
|
ASCII text
|
dropped
|
||
|
/tmp/qemu-open.DoIUS7 (deleted)
|
ASCII text
|
dropped
|
||
|
/tmp/qemu-open.EM99t8 (deleted)
|
ASCII text
|
dropped
|
||
|
/tmp/qemu-open.GWYcub (deleted)
|
ASCII text
|
dropped
|
||
|
/tmp/qemu-open.IK52Fb (deleted)
|
ASCII text
|
dropped
|
||
|
/tmp/qemu-open.KBwJd8 (deleted)
|
ASCII text
|
dropped
|
||
|
/tmp/qemu-open.RuzPjc (deleted)
|
ASCII text
|
dropped
|
||
|
/tmp/qemu-open.Vv9Bwa (deleted)
|
ASCII text
|
dropped
|
||
|
/tmp/qemu-open.YA7549 (deleted)
|
ASCII text
|
dropped
|
||
|
/tmp/qemu-open.ZDVBi9 (deleted)
|
ASCII text
|
dropped
|
||
|
/tmp/qemu-open.athKA9 (deleted)
|
ASCII text
|
dropped
|
||
|
/tmp/qemu-open.c4IWL8 (deleted)
|
ASCII text
|
dropped
|
||
|
/tmp/qemu-open.g5Ysw8 (deleted)
|
ASCII text
|
dropped
|
||
|
/tmp/qemu-open.i17Hbb (deleted)
|
ASCII text
|
dropped
|
||
|
/tmp/qemu-open.i76MTa (deleted)
|
ASCII text
|
dropped
|
||
|
/tmp/qemu-open.iDGec9 (deleted)
|
ASCII text
|
dropped
|
||
|
/tmp/qemu-open.k0YN07 (deleted)
|
ASCII text
|
dropped
|
||
|
/tmp/qemu-open.owQ7ta (deleted)
|
ASCII text
|
dropped
|
||
|
/tmp/qemu-open.r6b4o9 (deleted)
|
ASCII text
|
dropped
|
||
|
/tmp/qemu-open.rQm068 (deleted)
|
ASCII text
|
dropped
|
||
|
/tmp/qemu-open.sAYifb (deleted)
|
ASCII text
|
dropped
|
||
|
/tmp/qemu-open.sXjU99 (deleted)
|
ASCII text
|
dropped
|
||
|
/tmp/qemu-open.vtExu8 (deleted)
|
ASCII text
|
dropped
|
||
|
/usr/lib/systemd/system/linux.service
|
ASCII text
|
dropped
|
||
|
/var/log/btmp
|
data
|
dropped
|
There are 29 hidden files, click here to show them.
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
/tmp/linux_ppc64el.elf
|
/tmp/linux_ppc64el.elf
|
||
|
/tmp/linux_ppc64el.elf
|
-
|
||
|
/bin/bash
|
/bin/bash -c /etc/32678&
|
||
|
/bin/bash
|
-
|
||
|
/etc/32678
|
/etc/32678
|
||
|
/etc/32678
|
-
|
||
|
/usr/bin/sleep
|
sleep 60
|
||
|
/tmp/linux_ppc64el.elf
|
-
|
||
|
/usr/sbin/service
|
service crond start
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/basename
|
basename /usr/sbin/service
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/basename
|
basename /usr/sbin/service
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/systemctl
|
systemctl --quiet is-active multi-user.target
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/systemctl
|
systemctl list-unit-files --full --type=socket
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/sed
|
sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p
|
||
|
/usr/bin/systemctl
|
systemctl start crond.service
|
||
|
/tmp/linux_ppc64el.elf
|
-
|
||
|
/tmp/linux_ppc64el.elf
|
/tmp/linux_ppc64el.elf
|
||
|
/tmp/linux_ppc64el.elf
|
-
|
||
|
/usr/sbin/update-rc.d
|
update-rc.d linux_kill defaults
|
||
|
/usr/sbin/update-rc.d
|
-
|
||
|
/usr/bin/systemctl
|
systemctl daemon-reload
|
||
|
/tmp/linux_ppc64el.elf
|
-
|
||
|
/bin/bash
|
/bin/bash -c "cd /boot;systemctl daemon-reload;systemctl enable linux.service;systemctl start linux.service;journalctl -xe
--no-pager"
|
||
|
/bin/bash
|
-
|
||
|
/usr/bin/systemctl
|
systemctl daemon-reload
|
||
|
/bin/bash
|
-
|
||
|
/usr/bin/systemctl
|
systemctl enable linux.service
|
||
|
/bin/bash
|
-
|
||
|
/usr/bin/systemctl
|
systemctl start linux.service
|
||
|
/bin/bash
|
-
|
||
|
/usr/bin/journalctl
|
journalctl -xe --no-pager
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/boot/System.img.config
|
/boot/System.img.config
|
||
|
/boot/System.img.config
|
-
|
||
|
/usr/bin/pkill
|
pkill -9 32678
|
||
|
/boot/System.img.config
|
-
|
||
|
/usr/bin/sh
|
sh -c /etc/32678&
|
||
|
/usr/bin/sh
|
-
|
||
|
/etc/32678
|
/etc/32678
|
||
|
/etc/32678
|
-
|
||
|
/usr/bin/sleep
|
sleep 60
|
||
|
/etc/32678
|
-
|
||
|
/etc/id.services.conf
|
/etc/id.services.conf
|
||
|
/etc/id.services.conf
|
-
|
||
|
/usr/bin/pkill
|
pkill -9 32678
|
||
|
/etc/id.services.conf
|
-
|
||
|
/usr/bin/sh
|
sh -c /etc/32678&
|
||
|
/usr/bin/sh
|
-
|
||
|
/etc/32678
|
/etc/32678
|
||
|
/etc/32678
|
-
|
||
|
/usr/bin/sleep
|
sleep 60
|
||
|
/etc/id.services.conf
|
-
|
||
|
/usr/sbin/service
|
service crond start
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/basename
|
basename /usr/sbin/service
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/basename
|
basename /usr/sbin/service
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/systemctl
|
systemctl --quiet is-active multi-user.target
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/systemctl
|
systemctl list-unit-files --full --type=socket
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/sed
|
sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p
|
||
|
/usr/bin/systemctl
|
systemctl start crond.service
|
||
|
/etc/id.services.conf
|
-
|
||
|
/etc/id.services.conf
|
/etc/id.services.conf
|
||
|
/boot/System.img.config
|
-
|
||
|
/usr/sbin/service
|
service crond start
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/basename
|
basename /usr/sbin/service
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/basename
|
basename /usr/sbin/service
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/systemctl
|
systemctl --quiet is-active multi-user.target
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/systemctl
|
systemctl list-unit-files --full --type=socket
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/sed
|
sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p
|
||
|
/usr/bin/systemctl
|
systemctl start crond.service
|
||
|
/boot/System.img.config
|
-
|
||
|
/boot/System.img.config
|
/boot/System.img.config
|
||
|
/usr/sbin/sshd
|
-
|
||
|
/usr/sbin/sshd
|
/usr/sbin/sshd -D -R
|
||
|
/usr/sbin/sshd
|
-
|
||
|
/usr/sbin/sshd
|
/usr/sbin/sshd -D -R
|
||
|
/usr/sbin/sshd
|
-
|
||
|
/usr/sbin/sshd
|
/usr/sbin/sshd -D -R
|
||
|
/usr/sbin/sshd
|
-
|
||
|
/usr/sbin/sshd
|
-
|
||
|
/usr/sbin/sshd
|
/usr/sbin/sshd -D -R
|
||
|
/usr/sbin/sshd
|
-
|
||
|
/usr/sbin/sshd
|
-
|
||
|
/usr/sbin/sshd
|
/usr/sbin/sshd -D -R
|
||
|
/usr/sbin/sshd
|
-
|
||
|
/usr/sbin/sshd
|
/usr/sbin/sshd -D -R
|
||
|
/usr/sbin/sshd
|
-
|
||
|
/usr/sbin/sshd
|
-
|
||
|
/usr/sbin/sshd
|
/usr/sbin/sshd -D -R
|
||
|
/usr/sbin/sshd
|
-
|
||
|
/usr/sbin/sshd
|
-
|
||
|
/usr/sbin/sshd
|
/usr/sbin/sshd -D -R
|
||
|
/usr/sbin/sshd
|
-
|
There are 106 hidden processes, click here to show them.
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://103.135.101.78:808/password.txt
|
103.135.101.78
|
|
|
|
http://www.baidu.com/search/spider.html)
|
unknown
|
||
|
http://search.msn.com/msnbot.htm
|
unknown
|
||
|
http://www.baidu.com/search/spider.html)000102030405060708091011121314151617181920212223242526272829
|
unknown
|
||
|
https://www.so.com/s?q=index
|
unknown
|
||
|
http://help.yahoo.com/help/us/ysearch/slurp)x509:
|
unknown
|
||
|
http://www.google.com/mobile/adsbot.html)
|
unknown
|
||
|
http://www.huaweisymantec.com/cn/IRL/spider)Mozilla/5.0
|
unknown
|
||
|
http://www.baidu.com/search/spider.html)http2:
|
unknown
|
||
|
http://yandex.com/bots)http:
|
unknown
|
||
|
http://www.baidu.com/search/spider.html)Mozilla/5.0
|
unknown
|
||
|
http://www.entireweb.com/about/search_tech/speedy_spider/)text/html
|
unknown
|
||
|
http://www.haosou.com/help/help_3_2.htmlMozilla/5.0
|
unknown
|
||
|
https://www.baidu.com/s?wd=insufficient
|
unknown
|
||
|
http://www.youdao.com/help/webmaster/spider/;)reflect:
|
unknown
|
||
|
https://search.yahoo.com/search?p=illegal
|
unknown
|
There are 6 hidden URLs, click here to show them.
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
aras.liveya.org
|
103.135.101.78
|
|
|
|
www.google.com
|
142.250.181.100
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
103.135.101.78
|
aras.liveya.org
|
Hong Kong
|
|
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
535000
|
page read and write
|
|||
|
40052e2000
|
page read and write
|
|||
|
7fc5af077000
|
page read and write
|
|||
|
7f4b54021000
|
page read and write
|
|||
|
26d000
|
page execute read
|
|||
|
56139fad6000
|
page read and write
|
|||
|
7f180b77b000
|
page read and write
|
|||
|
7f1d2e184000
|
page read and write
|
|||
|
535000
|
page read and write
|
|||
|
7f4b44021000
|
page read and write
|
|||
|
7f3536b1e000
|
page read and write
|
|||
|
7f3536f92000
|
page read and write
|
|||
|
4000862000
|
page read and write
|
|||
|
7f3535c97000
|
page read and write
|
|||
|
7fc5a0021000
|
page read and write
|
|||
|
26d000
|
page execute read
|
|||
|
7fc5a8021000
|
page read and write
|
|||
|
55d948cb5000
|
page execute and read and write
|
|||
|
7f180cb79000
|
page read and write
|
|||
|
7fc5afbae000
|
page read and write
|
|||
|
7f4b586d0000
|
page read and write
|
|||
|
7f4b59ad6000
|
page read and write
|
|||
|
55d946cb7000
|
page read and write
|
|||
|
4ed000
|
page read and write
|
|||
|
7f4b50021000
|
page read and write
|
|||
|
c00000b000
|
page read and write
|
|||
|
4ed000
|
page read and write
|
|||
|
4000862000
|
page read and write
|
|||
|
7f4b58fd6000
|
page read and write
|
|||
|
7f180b87e000
|
page read and write
|
|||
|
7f1d2ec6e000
|
page read and write
|
|||
|
7f1d2d973000
|
page read and write
|
|||
|
7f180b7bc000
|
page read and write
|
|||
|
7fc5ae763000
|
page read and write
|
|||
|
7ffeff79f000
|
page execute read
|
|||
|
4000862000
|
page read and write
|
|||
|
7f1d2d8b1000
|
page read and write
|
|||
|
56139c1fd000
|
page execute read
|
|||
|
7f1804021000
|
page read and write
|
|||
|
7f1d2e7d5000
|
page read and write
|
|||
|
7fc5ae7a4000
|
page read and write
|
|||
|
40274d2000
|
page read and write
|
|||
|
7ffe5d945000
|
page execute read
|
|||
|
7f353649a000
|
page read and write
|
|||
|
7ffd69e66000
|
page read and write
|
|||
|
5585a2a30000
|
page execute read
|
|||
|
55b404d90000
|
page read and write
|
|||
|
7f180c08f000
|
page read and write
|
|||
|
4001192000
|
page read and write
|
|||
|
c00000b000
|
page read and write
|
|||
|
7f4b5965a000
|
page read and write
|
|||
|
26d000
|
page execute read
|
|||
|
4000862000
|
page read and write
|
|||
|
7f4b59ace000
|
page read and write
|
|||
|
559ab63dc000
|
page execute read
|
|||
|
7ffeff604000
|
page read and write
|
|||
|
c000400000
|
page read and write
|
|||
|
40052e2000
|
page read and write
|
|||
|
7f1d2ec76000
|
page read and write
|
|||
|
559ab866b000
|
page execute and read and write
|
|||
|
55b406b6b000
|
page read and write
|
|||
|
40274d2000
|
page read and write
|
|||
|
4ed000
|
page read and write
|
|||
|
7f1d2ecbb000
|
page read and write
|
|||
|
7f4b59273000
|
page read and write
|
|||
|
7f3536f9a000
|
page read and write
|
|||
|
55d946a26000
|
page execute read
|
|||
|
7ffd69f9d000
|
page execute read
|
|||
|
7f180c705000
|
page read and write
|
|||
|
7f3536fdf000
|
page read and write
|
|||
|
c000400000
|
page read and write
|
|||
|
7fc5af306000
|
page read and write
|
|||
|
c00000b000
|
page read and write
|
|||
|
55d94ab81000
|
page read and write
|
|||
|
7f1d2e413000
|
page read and write
|
|||
|
7f180cb81000
|
page read and write
|
|||
|
c000053000
|
page read and write
|
|||
|
559ab8681000
|
page read and write
|
|||
|
7f17f4021000
|
page read and write
|
|||
|
7fc5afb61000
|
page read and write
|
|||
|
c00003b000
|
page read and write
|
|||
|
4001192000
|
page read and write
|
|||
|
c00003b000
|
page read and write
|
|||
|
7f3536e69000
|
page read and write
|
|||
|
7fc598021000
|
page read and write
|
|||
|
535000
|
page read and write
|
|||
|
7f3528021000
|
page read and write
|
|||
|
7f1d28021000
|
page read and write
|
|||
|
7f1d24021000
|
page read and write
|
|||
|
535000
|
page read and write
|
|||
|
5585a5c74000
|
page read and write
|
|||
|
c000400000
|
page read and write
|
|||
|
4000968000
|
page read and write
|
|||
|
7fff85198000
|
page execute read
|
|||
|
7f1d2e7fa000
|
page read and write
|
|||
|
7f4b587d3000
|
page read and write
|
|||
|
7f180c31e000
|
page read and write
|
|||
|
56139e48c000
|
page execute and read and write
|
|||
|
56139c485000
|
page read and write
|
|||
|
c00004b000
|
page read and write
|
|||
|
26d000
|
page execute read
|
|||
|
56139c48e000
|
page read and write
|
|||
|
7f17fc021000
|
page read and write
|
|||
|
4000968000
|
page read and write
|
|||
|
7fc59c021000
|
page read and write
|
|||
|
7f4b59b1b000
|
page read and write
|
|||
|
7fff85037000
|
page read and write
|
|||
|
559ab6664000
|
page read and write
|
|||
|
7f3535b94000
|
page read and write
|
|||
|
55b402aeb000
|
page execute read
|
|||
|
7f4b59635000
|
page read and write
|
|||
|
4000862000
|
page read and write
|
|||
|
4ed000
|
page read and write
|
|||
|
535000
|
page read and write
|
|||
|
5585a2cc1000
|
page read and write
|
|||
|
26d000
|
page execute read
|
|||
|
7f4b599a5000
|
page read and write
|
|||
|
7f1d2e176000
|
page read and write
|
|||
|
7ffe5d80b000
|
page read and write
|
|||
|
40052e2000
|
page read and write
|
|||
|
7fc5af6ed000
|
page read and write
|
|||
|
7fc5afa38000
|
page read and write
|
|||
|
5585a2cb8000
|
page read and write
|
|||
|
40274d2000
|
page read and write
|
|||
|
7f3520021000
|
page read and write
|
|||
|
7f4b4c021000
|
page read and write
|
|||
|
7f4b58fe4000
|
page read and write
|
|||
|
4000968000
|
page read and write
|
|||
|
7f3536737000
|
page read and write
|
|||
|
7fc5ae722000
|
page read and write
|
|||
|
4ed000
|
page read and write
|
|||
|
7f180c6e0000
|
page read and write
|
|||
|
4001192000
|
page read and write
|
|||
|
7fc5afb69000
|
page read and write
|
|||
|
7f3535bd5000
|
page read and write
|
|||
|
559ab9a98000
|
page read and write
|
|||
|
5585a4cd5000
|
page read and write
|
|||
|
c000400000
|
page read and write
|
|||
|
55d946cae000
|
page read and write
|
|||
|
7f180c081000
|
page read and write
|
|||
|
40052e2000
|
page read and write
|
|||
|
7fc5af069000
|
page read and write
|
|||
|
c00000b000
|
page read and write
|
|||
|
56139e4a2000
|
page read and write
|
|||
|
7fc5af6c8000
|
page read and write
|
|||
|
4001192000
|
page read and write
|
|||
|
c000053000
|
page read and write
|
|||
|
7f35364a8000
|
page read and write
|
|||
|
7f1d18021000
|
page read and write
|
|||
|
7f1d20021000
|
page read and write
|
|||
|
7fffe63cf000
|
page execute read
|
|||
|
7f3530021000
|
page read and write
|
|||
|
c000400000
|
page read and write
|
|||
|
7f1d2d870000
|
page read and write
|
|||
|
40052e2000
|
page read and write
|
|||
|
7f180cbc6000
|
page read and write
|
|||
|
7fffe6321000
|
page read and write
|
|||
|
c00000b000
|
page read and write
|
|||
|
7f180ca50000
|
page read and write
|
|||
|
4000968000
|
page read and write
|
|||
|
7f1800021000
|
page read and write
|
|||
|
7f4b58711000
|
page read and write
|
|||
|
7fc5a4021000
|
page read and write
|
|||
|
55b402d7c000
|
page read and write
|
|||
|
55d948ccb000
|
page read and write
|
|||
|
7fc5ae866000
|
page read and write
|
|||
|
55b402d73000
|
page read and write
|
|||
|
7f3536af9000
|
page read and write
|
|||
|
7f352c021000
|
page read and write
|
|||
|
4027512000
|
page read and write
|
|||
|
4001192000
|
page read and write
|
|||
|
4027512000
|
page read and write
|
|||
|
559ab666d000
|
page read and write
|
|||
|
55b404d7a000
|
page execute and read and write
|
|||
|
5585a4cbf000
|
page execute and read and write
|
|||
|
4000968000
|
page read and write
|
|||
|
7f1d2eb45000
|
page read and write
|
There are 167 hidden memdumps, click here to show them.