Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
linux_amd64.elf
|
ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, Go BuildID=dswDAa3Pa96IQXwzNa8o/zXeywE363AvULETAnPZV/Y154CWzX1GhXLGGi1lo3/d4XVZaM2PDAAY5uysyTh,
stripped
|
initial sample
|
 |
|
|
/etc/32678
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/crontab
|
ASCII text
|
dropped
|
|
|
|
/etc/init.d/linux_kill
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/init.d/ssh
|
POSIX shell script, ASCII text executable
|
dropped
|
|
|
|
/etc/profile.d/bash_config.sh
|
a /bin/sh\n/etc/profile.d/bash_config script, ASCII text executable, with no line terminators
|
dropped
|
|
|
|
/.img
|
a /bin/sh\n/usr/lib/libdlrpcld.so script, ASCII text executable, with no line terminators
|
dropped
|
||
|
/memfd:snapd-env-generator (deleted)
|
ASCII text
|
dropped
|
||
|
/proc/6706/loginuid
|
very short file (no magic)
|
dropped
|
||
|
/run/crond.pid
|
ASCII text
|
dropped
|
||
|
/tmp/#531563 (deleted)
|
ASCII text
|
dropped
|
||
|
/usr/lib/systemd/system/linux.service
|
ASCII text
|
dropped
|
||
|
/var/log/btmp
|
data
|
dropped
|
There are 3 hidden files, click here to show them.
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
/tmp/linux_amd64.elf
|
/tmp/linux_amd64.elf
|
||
|
/tmp/linux_amd64.elf
|
-
|
||
|
/bin/bash
|
/bin/bash -c /etc/32678&
|
||
|
/bin/bash
|
-
|
||
|
/etc/32678
|
/etc/32678
|
||
|
/etc/32678
|
-
|
||
|
/usr/bin/sleep
|
sleep 60
|
||
|
/tmp/linux_amd64.elf
|
-
|
||
|
/usr/sbin/service
|
service crond start
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/basename
|
basename /usr/sbin/service
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/basename
|
basename /usr/sbin/service
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/systemctl
|
systemctl --quiet is-active multi-user.target
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/systemctl
|
systemctl list-unit-files --full --type=socket
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/sed
|
sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p
|
||
|
/usr/bin/systemctl
|
systemctl start crond.service
|
||
|
/tmp/linux_amd64.elf
|
-
|
||
|
/tmp/linux_amd64.elf
|
/tmp/linux_amd64.elf
|
||
|
/tmp/linux_amd64.elf
|
-
|
||
|
/usr/sbin/update-rc.d
|
update-rc.d linux_kill defaults
|
||
|
/usr/sbin/update-rc.d
|
-
|
||
|
/usr/bin/systemctl
|
systemctl daemon-reload
|
||
|
/tmp/linux_amd64.elf
|
-
|
||
|
/bin/bash
|
/bin/bash -c "cd /boot;systemctl daemon-reload;systemctl enable linux.service;systemctl start linux.service;journalctl -xe
--no-pager"
|
||
|
/bin/bash
|
-
|
||
|
/usr/bin/systemctl
|
systemctl daemon-reload
|
||
|
/bin/bash
|
-
|
||
|
/usr/bin/systemctl
|
systemctl enable linux.service
|
||
|
/bin/bash
|
-
|
||
|
/usr/bin/systemctl
|
systemctl start linux.service
|
||
|
/bin/bash
|
-
|
||
|
/usr/bin/journalctl
|
journalctl -xe --no-pager
|
||
|
/tmp/linux_amd64.elf
|
-
|
||
|
/bin/bash
|
/bin/bash -c "cd /boot;ausearch -c 'System.img.conf' --raw | audit2allow -M my-Systemimgconf;semodule -X 300 -i my-Systemimgconf.pp"
|
||
|
/bin/bash
|
-
|
||
|
/bin/bash
|
-
|
||
|
/bin/bash
|
-
|
||
|
/tmp/linux_amd64.elf
|
-
|
||
|
/usr/bin/bash
|
bash -c "echo \"*/1 * * * * root /.img \" >> /etc/crontab"
|
||
|
/tmp/linux_amd64.elf
|
-
|
||
|
/usr/bin/renice
|
renice -20 6272
|
||
|
/tmp/linux_amd64.elf
|
-
|
||
|
/usr/bin/mount
|
mount -o bind /tmp/ /proc/6272
|
||
|
/tmp/linux_amd64.elf
|
-
|
||
|
/usr/sbin/service
|
service cron start
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/basename
|
basename /usr/sbin/service
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/basename
|
basename /usr/sbin/service
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/systemctl
|
systemctl --quiet is-active multi-user.target
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/systemctl
|
systemctl list-unit-files --full --type=socket
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/sed
|
sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p
|
||
|
/usr/bin/systemctl
|
systemctl start cron.service
|
||
|
/tmp/linux_amd64.elf
|
-
|
||
|
/usr/bin/systemctl
|
systemctl start crond.service
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/boot/System.img.config
|
/boot/System.img.config
|
||
|
/boot/System.img.config
|
-
|
||
|
/usr/bin/pkill
|
pkill -9 32678
|
||
|
/boot/System.img.config
|
-
|
||
|
/usr/bin/sh
|
sh -c /etc/32678&
|
||
|
/usr/bin/sh
|
-
|
||
|
/etc/32678
|
/etc/32678
|
||
|
/etc/32678
|
-
|
||
|
/usr/bin/sleep
|
sleep 60
|
||
|
/etc/32678
|
-
|
||
|
/etc/id.services.conf
|
/etc/id.services.conf
|
||
|
/etc/id.services.conf
|
-
|
||
|
/usr/bin/pkill
|
pkill -9 32678
|
||
|
/etc/id.services.conf
|
-
|
||
|
/usr/bin/sh
|
sh -c /etc/32678&
|
||
|
/usr/bin/sh
|
-
|
||
|
/etc/32678
|
/etc/32678
|
||
|
/etc/32678
|
-
|
||
|
/usr/bin/sleep
|
sleep 60
|
||
|
/etc/id.services.conf
|
-
|
||
|
/usr/sbin/service
|
service crond start
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/basename
|
basename /usr/sbin/service
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/basename
|
basename /usr/sbin/service
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/systemctl
|
systemctl --quiet is-active multi-user.target
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/systemctl
|
systemctl list-unit-files --full --type=socket
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/sed
|
sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p
|
||
|
/usr/bin/systemctl
|
systemctl start crond.service
|
||
|
/etc/id.services.conf
|
-
|
||
|
/etc/id.services.conf
|
/etc/id.services.conf
|
||
|
/boot/System.img.config
|
-
|
||
|
/usr/sbin/service
|
service crond start
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/basename
|
basename /usr/sbin/service
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/basename
|
basename /usr/sbin/service
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/systemctl
|
systemctl --quiet is-active multi-user.target
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/systemctl
|
systemctl list-unit-files --full --type=socket
|
||
|
/usr/sbin/service
|
-
|
||
|
/usr/bin/sed
|
sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p
|
||
|
/usr/bin/systemctl
|
systemctl start crond.service
|
||
|
/boot/System.img.config
|
-
|
||
|
/boot/System.img.config
|
/boot/System.img.config
|
||
|
/usr/sbin/sshd
|
-
|
||
|
/usr/sbin/sshd
|
/usr/sbin/sshd -D -R
|
||
|
/usr/lib/udisks2/udisksd
|
-
|
||
|
/usr/sbin/dumpe2fs
|
dumpe2fs -h /dev/dm-0
|
||
|
/usr/sbin/sshd
|
-
|
||
|
/usr/sbin/sshd
|
/usr/sbin/sshd -D -R
|
||
|
/usr/sbin/sshd
|
-
|
||
|
/usr/sbin/sshd
|
-
|
||
|
/usr/sbin/sshd
|
/usr/sbin/sshd -D -R
|
||
|
/usr/sbin/sshd
|
-
|
||
|
/usr/sbin/sshd
|
/usr/sbin/sshd -D -R
|
||
|
/usr/sbin/sshd
|
-
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/sbin/cron
|
/usr/sbin/cron -f
|
||
|
/usr/sbin/cron
|
-
|
||
|
/usr/sbin/cron
|
-
|
||
|
/bin/sh
|
/bin/sh -c "/.img "
|
||
|
/bin/sh
|
-
|
||
|
/usr/sbin/sshd
|
-
|
||
|
/usr/sbin/sshd
|
/usr/sbin/sshd -D -R
|
||
|
/usr/sbin/sshd
|
-
|
||
|
/usr/sbin/sshd
|
-
|
||
|
/usr/sbin/sshd
|
/usr/sbin/sshd -D -R
|
||
|
/usr/sbin/sshd
|
-
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/sbin/cron
|
/usr/sbin/cron -f
|
There are 138 hidden processes, click here to show them.
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://103.135.101.78:808/password.txt
|
103.135.101.78
|
|
|
|
http://www.baidu.com/search/spider.html)
|
unknown
|
||
|
http://search.msn.com/msnbot.htm
|
unknown
|
||
|
http://www.baidu.com/search/spider.html)000102030405060708091011121314151617181920212223242526272829
|
unknown
|
||
|
https://www.so.com/s?q=index
|
unknown
|
||
|
http://help.yahoo.com/help/us/ysearch/slurp)x509:
|
unknown
|
||
|
http://www.google.com/mobile/adsbot.html)
|
unknown
|
||
|
http://www.huaweisymantec.com/cn/IRL/spider)Mozilla/5.0
|
unknown
|
||
|
http://www.baidu.com/search/spider.html)http2:
|
unknown
|
||
|
http://yandex.com/bots)http:
|
unknown
|
||
|
http://www.baidu.com/search/spider.html)Mozilla/5.0
|
unknown
|
||
|
http://www.entireweb.com/about/search_tech/speedy_spider/)text/html
|
unknown
|
||
|
http://www.haosou.com/help/help_3_2.htmlMozilla/5.0
|
unknown
|
||
|
https://www.baidu.com/s?wd=insufficient
|
unknown
|
||
|
http://www.youdao.com/help/webmaster/spider/;)reflect:
|
unknown
|
||
|
https://search.yahoo.com/search?p=illegal
|
unknown
|
There are 6 hidden URLs, click here to show them.
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
aras.liveya.org
|
103.135.101.78
|
||
|
www.google.com
|
142.250.181.100
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
103.135.101.78
|
aras.liveya.org
|
Hong Kong
|
||
|
109.202.202.202
|
unknown
|
Switzerland
|
||
|
91.189.91.43
|
unknown
|
United Kingdom
|
||
|
91.189.91.42
|
unknown
|
United Kingdom
|
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
7f7459031000
|
page read and write
|
|||
|
7ffc63536000
|
page read and write
|
|||
|
7f16b907e000
|
page read and write
|
|||
|
7fd1d4f14000
|
page read and write
|
|||
|
7ffc2b18b000
|
page read and write
|
|||
|
7fff1abc9000
|
page read and write
|
|||
|
691000
|
page execute read
|
|||
|
7f7459110000
|
page read and write
|
|||
|
7ffc99c2a000
|
page read and write
|
|||
|
971000
|
page read and write
|
|||
|
7f192fa95000
|
page read and write
|
|||
|
92f000
|
page read and write
|
|||
|
7f1931e6b000
|
page read and write
|
|||
|
7fff1abe5000
|
page execute read
|
|||
|
971000
|
page read and write
|
|||
|
7f7458bb7000
|
page read and write
|
|||
|
7f16db0af000
|
page read and write
|
|||
|
691000
|
page execute read
|
|||
|
7ffc99c60000
|
page execute read
|
|||
|
7fd1d7764000
|
page read and write
|
|||
|
691000
|
page execute read
|
|||
|
92f000
|
page read and write
|
|||
|
691000
|
page execute read
|
|||
|
7fbe91387000
|
page read and write
|
|||
|
971000
|
page read and write
|
|||
|
7ffcb5f6f000
|
page read and write
|
|||
|
7fbe7cc87000
|
page read and write
|
|||
|
c000400000
|
page read and write
|
|||
|
7f16dd8ff000
|
page read and write
|
|||
|
7f74567e1000
|
page read and write
|
|||
|
92f000
|
page read and write
|
|||
|
7f19323c4000
|
page read and write
|
|||
|
7fd1b2ee3000
|
page read and write
|
|||
|
7fd1d7843000
|
page read and write
|
|||
|
971000
|
page read and write
|
|||
|
7f16c91ff000
|
page read and write
|
|||
|
92f000
|
page read and write
|
|||
|
7ffcb5f75000
|
page execute read
|
|||
|
92f000
|
page read and write
|
|||
|
7fd1d72ea000
|
page read and write
|
|||
|
7f7444931000
|
page read and write
|
|||
|
c000400000
|
page read and write
|
|||
|
c000400000
|
page read and write
|
|||
|
7f16dd485000
|
page read and write
|
|||
|
7ffc6353e000
|
page execute read
|
|||
|
7ffc2b1c5000
|
page execute read
|
|||
|
7fd1c3064000
|
page read and write
|
|||
|
c000400000
|
page read and write
|
|||
|
c000400000
|
page read and write
|
|||
|
7fbe91466000
|
page read and write
|
|||
|
691000
|
page execute read
|
|||
|
971000
|
page read and write
|
|||
|
7f74347b0000
|
page read and write
|
|||
|
7fbe8eb37000
|
page read and write
|
|||
|
7f191dbe5000
|
page read and write
|
|||
|
7f190da64000
|
page read and write
|
|||
|
7f16dd9de000
|
page read and write
|
|||
|
7f19322e5000
|
page read and write
|
|||
|
7fbe6cb06000
|
page read and write
|
|||
|
7fbe90f0d000
|
page read and write
|
There are 50 hidden memdumps, click here to show them.