IOC Report
linux_aarch64.elf

Files

File Path

Type

Category

Malicious

linux_aarch64.elf

ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, Go BuildID=p-qnCsvCpziwx1SpyD2u/_QEUImz47GMLE05aSFRk/Ybj99e1GSLjgXcWVw2M1/UybnlT3nZEaLgnM7kiPF, stripped

initial sample

/etc/32676

Bourne-Again shell script, ASCII text executable

dropped

/etc/crontab

ASCII text

dropped

/etc/init.d/acpid

POSIX shell script, ASCII text executable

dropped

/etc/init.d/alsa-utils

POSIX shell script, ASCII text executable

dropped

/etc/init.d/anacron

POSIX shell script, ASCII text executable

dropped

/etc/init.d/apparmor

POSIX shell script, ASCII text executable

dropped

/etc/init.d/apport

POSIX shell script, ASCII text executable

dropped

/etc/init.d/avahi-daemon

POSIX shell script, ASCII text executable

dropped

/etc/init.d/binfmt-support

POSIX shell script, ASCII text executable

dropped

/etc/init.d/bluetooth

POSIX shell script, ASCII text executable

dropped

/etc/init.d/console-setup.sh

POSIX shell script, ASCII text executable

dropped

/etc/init.d/cron

POSIX shell script, ASCII text executable

dropped

/etc/init.d/cryptdisks

POSIX shell script, ASCII text executable

dropped

/etc/init.d/cryptdisks-early

POSIX shell script, ASCII text executable

dropped

/etc/init.d/cups

POSIX shell script, ASCII text executable

dropped

/etc/init.d/cups-browsed

POSIX shell script, ASCII text executable

dropped

/etc/init.d/dbus

POSIX shell script, Unicode text, UTF-8 text executable

dropped

/etc/init.d/gdm3

POSIX shell script, ASCII text executable

dropped

/etc/init.d/hddtemp

POSIX shell script, ASCII text executable

dropped

/etc/init.d/hwclock.sh

POSIX shell script, ASCII text executable

dropped

/etc/init.d/irqbalance

POSIX shell script, ASCII text executable

dropped

/etc/init.d/iscsid

POSIX shell script, ASCII text executable

dropped

/etc/init.d/keyboard-setup.sh

POSIX shell script, ASCII text executable

dropped

/etc/init.d/kmod

POSIX shell script, ASCII text executable

dropped

/etc/init.d/lightdm

POSIX shell script, ASCII text executable

dropped

/etc/init.d/lm-sensors

POSIX shell script, ASCII text executable

dropped

/etc/init.d/lvm2-lvmpolld

POSIX shell script, ASCII text executable

dropped

/etc/init.d/mono-xsp4

POSIX shell script, ASCII text executable

dropped

/etc/init.d/multipath-tools

POSIX shell script, ASCII text executable

dropped

/etc/init.d/open-iscsi

POSIX shell script, ASCII text executable

dropped

/etc/init.d/open-vm-tools

POSIX shell script, ASCII text executable

dropped

/etc/init.d/plymouth

POSIX shell script, ASCII text executable

dropped

/etc/init.d/plymouth-log

POSIX shell script, ASCII text executable

dropped

/etc/init.d/procps

POSIX shell script, ASCII text executable

dropped

/etc/init.d/rsync

POSIX shell script, ASCII text executable

dropped

/etc/init.d/rsyslog

POSIX shell script, ASCII text executable

dropped

/etc/init.d/saned

POSIX shell script, ASCII text executable

dropped

/etc/init.d/screen-cleanup

POSIX shell script, ASCII text executable

dropped

/etc/init.d/spice-vdagent

POSIX shell script, ASCII text executable

dropped

/etc/init.d/ssh

POSIX shell script, ASCII text executable

dropped

/etc/init.d/udev

POSIX shell script, ASCII text executable

dropped

/etc/init.d/ufw

POSIX shell script, ASCII text executable

dropped

/etc/init.d/unattended-upgrades

POSIX shell script, ASCII text executable

dropped

/etc/init.d/uuidd

POSIX shell script, ASCII text executable

dropped

/etc/init.d/x11-common

POSIX shell script, ASCII text executable

dropped

/etc/profile.d/bash_cfg.sh

Bourne-Again shell script, ASCII text executable

dropped

/etc/profile.d/gateway.sh

Bourne-Again shell script, ASCII text executable, with very long lines (913)

dropped

/.mod

Bourne-Again shell script, ASCII text executable

dropped

/etc/.walk

ASCII text

dropped

/memfd:snapd-env-generator (deleted)

ASCII text

dropped

/proc/6407/loginuid

very short file (no magic)

dropped

/proc/6467/loginuid

very short file (no magic)

dropped

/run/crond.pid

ASCII text

dropped

/tmp/qemu-open.b9EEU0 (deleted)

ASCII text

dropped

/usr/lib/systemd/system/quotaoff.service

ASCII text

dropped

There are 46 hidden files, click here to show them.

Processes

Path

Cmdline

Malicious

/tmp/linux_aarch64.elf

/tmp/linux_aarch64.elf

/tmp/linux_aarch64.elf

-

/tmp/linux_aarch64.elf

/tmp/linux_aarch64.elf

/tmp/linux_aarch64.elf

-

/bin/bash

/bin/bash -c /etc/32676&

/bin/bash

-

/etc/32676

/etc/32676

/etc/32676

-

/usr/bin/sleep

sleep 60

/etc/32676

-

/etc/32676

-

/usr/bin/sleep

sleep 60

/etc/32676

-

/etc/32676

-

/usr/bin/sleep

sleep 60

/tmp/linux_aarch64.elf

-

/usr/sbin/service

service crond start

/usr/sbin/service

-

/usr/bin/basename

basename /usr/sbin/service

/usr/sbin/service

-

/usr/bin/basename

basename /usr/sbin/service

/usr/sbin/service

-

/usr/bin/systemctl

systemctl --quiet is-active multi-user.target

/usr/sbin/service

-

/usr/sbin/service

-

/usr/bin/systemctl

systemctl list-unit-files --full --type=socket

/usr/sbin/service

-

/usr/bin/sed

sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p

/usr/bin/systemctl

systemctl start crond.service

/tmp/linux_aarch64.elf

-

/bin/bash

/bin/bash -c "cd /boot;systemctl daemon-reload;systemctl enable quotaoff.service;systemctl start quotaoff.service;journalctl -xe --no-pager"

/bin/bash

-

/usr/bin/systemctl

systemctl daemon-reload

/bin/bash

-

/usr/bin/systemctl

systemctl enable quotaoff.service

/bin/bash

-

/usr/bin/systemctl

systemctl start quotaoff.service

/bin/bash

-

/usr/bin/journalctl

journalctl -xe --no-pager

/tmp/linux_aarch64.elf

-

/bin/bash

/bin/bash -c "cd /boot;ausearch -c 'System.mod' --raw | audit2allow -M my-Systemmod;semodule -X 300 -i my-Systemmod.pp"

/bin/bash

-

/bin/bash

-

/bin/bash

-

/tmp/linux_aarch64.elf

-

/bin/bash

/bin/bash -c "echo \"*/1 * * * * root /.mod \" >> /etc/crontab"

/tmp/linux_aarch64.elf

-

/usr/bin/renice

renice -20 6279

/tmp/linux_aarch64.elf

-

/usr/bin/mount

mount -o bind /tmp/ /proc/6279

/tmp/linux_aarch64.elf

-

/usr/sbin/service

service cron start

/usr/sbin/service

-

/usr/bin/basename

basename /usr/sbin/service

/usr/sbin/service

-

/usr/bin/basename

basename /usr/sbin/service

/usr/sbin/service

-

/usr/bin/systemctl

systemctl --quiet is-active multi-user.target

/usr/sbin/service

-

/usr/sbin/service

-

/usr/bin/systemctl

systemctl list-unit-files --full --type=socket

/usr/sbin/service

-

/usr/bin/sed

sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p

/usr/bin/systemctl

systemctl start cron.service

/tmp/linux_aarch64.elf

-

/usr/bin/systemctl

systemctl start crond.service

/usr/lib/systemd/systemd

-

/usr/lib/systemd/system-environment-generators/snapd-env-generator

/usr/lib/systemd/system-environment-generators/snapd-env-generator

/usr/lib/systemd/systemd

-

/usr/lib/systemd/system-environment-generators/snapd-env-generator

/usr/lib/systemd/system-environment-generators/snapd-env-generator

/usr/lib/systemd/systemd

-

/usr/lib/udisks2/udisksd

-

/usr/sbin/dumpe2fs

dumpe2fs -h /dev/dm-0

/usr/lib/systemd/systemd

-

/usr/sbin/cron

/usr/sbin/cron -f

/usr/sbin/cron

-

/usr/sbin/cron

-

/bin/sh

/bin/sh -c "/.mod "

/bin/sh

-

/.mod

/.mod

/.mod

-

/usr/lib/systemd/systemd

-

/usr/sbin/cron

/usr/sbin/cron -f

/usr/sbin/cron

-

/usr/sbin/cron

-

/bin/sh

/bin/sh -c "/.mod "

/bin/sh

-

/.mod

/.mod

/.mod

-

/usr/lib/systemd/systemd

-

/usr/sbin/cron

/usr/sbin/cron -f

There are 81 hidden processes, click here to show them.

Domains

Name

IP

Malicious

wdearas.liveya.org

103.135.101.188

Details

Name:	wdearas.liveya.org
IP:	103.135.101.188
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

www.google.com

172.217.21.36

Details

Name:	www.google.com
IP:	172.217.21.36
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

IP

Domain

Country

Malicious

103.135.101.188

wdearas.liveya.org

Hong Kong

Details

IP:	103.135.101.188
TargetID:	-1
Country:	Hong Kong
Countrycode:	HKG
ASN number:	4842
ASN name:	TH-AS-APTianhaiInfoTechCN
Private:	false
Domain:	wdearas.liveya.org

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

109.202.202.202

unknown

Switzerland

Details

IP:	109.202.202.202
TargetID:	-1
Country:	Switzerland
Countrycode:	CHE
ASN number:	13030
ASN name:	INIT7CH
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.43

unknown

United Kingdom

Details

IP:	91.189.91.43
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.42

unknown

United Kingdom

Details

IP:	91.189.91.42
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

5604bc301000

page read and write

400096c000

page read and write

7f1ae833f000

page read and write

5604b8f09000

page read and write

14000400000

page read and write

233000

page read and write

7f1ae89c1000

page read and write

40011b2000

page read and write

7f1ae7a34000

page read and write

7f1adc021000

page read and write

5604b8f14000

page read and write

7f1ae7a75000

page read and write

7ffcddf6d000

page read and write

40053e2000

page read and write

5604baf12000

page execute and read and write

7f1ad0021000

page read and write

7f1ad8021000

page read and write

7ffcddf75000

page execute read

402516c000

page read and write

7f1ae8b2d000

page read and write

4000861000

page read and write

7f1ae8d0f000

page read and write

7f1ae903d000

page read and write

7f1ae7b37000

page read and write

7f1ae83d1000

page read and write

7f1ae9082000

page read and write

7f1ae9019000

page read and write

7f1ae899e000

page read and write

7f1ae8733000

page read and write

5604b8c8c000

page execute read

1400000b000

page read and write

4000863000

page read and write

5604baf28000

page read and write

4027bd6000

page read and write

1fa000

page read and write

e9000

page execute read

7f1ae0021000

page read and write

7f1ae8ef0000

page read and write

There are 28 hidden memdumps, click here to show them.