IOC Report
na.elf

Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| na.elf | ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), statically linked, for GNU/Linux 3.2.0, BuildID[sha1]=bc565f9f2dafc5618defa8eccf705f85712c87da, stripped | initial sample | malicious |
| /etc/CommId | ASCII text, with no line terminators | dropped | malicious |
| /usr/sbin/uplugplay | ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), statically linked, for GNU/Linux 3.2.0, BuildID[sha1]=bc565f9f2dafc5618defa8eccf705f85712c87da, stripped | dropped | malicious |
| /memfd:snapd-env-generator (deleted) | ASCII text | dropped | |
| /proc/6368/task/6369/comm | ASCII text, with no line terminators | dropped | |
| /proc/6368/task/6370/comm | ASCII text, with no line terminators | dropped | |
| /proc/6368/task/6371/comm | ASCII text, with no line terminators | dropped | |
| /usr/lib/systemd/system/uplugplay.service | ASCII text | dropped | |

Processes

| Path | Cmdline | Malicious |
|---|---|---|
| /tmp/na.elf | /tmp/na.elf | |
| /tmp/na.elf | - | |
| /bin/sh | sh -c "pgrep na.elf" | |
| /bin/sh | - | |
| /usr/bin/pgrep | pgrep na.elf | |
| /tmp/na.elf | - | |
| /bin/sh | sh -c "pidof na.elf" | |
| /bin/sh | - | |
| /usr/bin/pidof | pidof na.elf | |
| /tmp/na.elf | - | |
| /bin/sh | sh -c "pgrep uplugplay" | |
| /bin/sh | - | |
| /usr/bin/pgrep | pgrep uplugplay | |
| /tmp/na.elf | - | |
| /bin/sh | sh -c "pgrep upnpsetup" | |
| /bin/sh | - | |
| /usr/bin/pgrep | pgrep upnpsetup | |
| /tmp/na.elf | - | |
| /bin/sh | sh -c "pidof upnpsetup" | |
| /bin/sh | - | |
| /usr/bin/pidof | pidof upnpsetup | |
| /tmp/na.elf | - | |
| /bin/sh | sh -c "systemctl daemon-reload" | |
| /bin/sh | - | |
| /usr/bin/systemctl | systemctl daemon-reload | |
| /tmp/na.elf | - | |
| /bin/sh | sh -c "systemctl enable uplugplay.service" | |
| /bin/sh | - | |
| /usr/bin/systemctl | systemctl enable uplugplay.service | |
| /tmp/na.elf | - | |
| /bin/sh | sh -c "systemctl start uplugplay.service" | |
| /bin/sh | - | |
| /usr/bin/systemctl | systemctl start uplugplay.service | |
| /usr/lib/systemd/systemd | - | |
| /usr/lib/systemd/system-environment-generators/snapd-env-generator | /usr/lib/systemd/system-environment-generators/snapd-env-generator | |
| /usr/lib/systemd/systemd | - | |
| /usr/lib/systemd/system-environment-generators/snapd-env-generator | /usr/lib/systemd/system-environment-generators/snapd-env-generator | |
| /usr/lib/systemd/systemd | - | |
| /usr/sbin/uplugplay | /usr/sbin/uplugplay | |
| /usr/sbin/uplugplay | - | |
| /usr/sbin/uplugplay | - | |
| /bin/sh | sh -c "/usr/sbin/uplugplay -Dcomsvc" | |
| /bin/sh | - | |
| /usr/sbin/uplugplay | /usr/sbin/uplugplay -Dcomsvc | |
| /usr/sbin/uplugplay | - | |
| /bin/sh | sh -c "nslookup p3.feefreepool.net 8.8.8.8" | |
| /bin/sh | - | |
| /usr/bin/nslookup | nslookup p3.feefreepool.net 8.8.8.8 | |

URLs

| Name | IP | Malicious |
|---|---|---|
| http://p3.feefreepool.net/cgi-bin/prometei.cgihttp://dummy.zero/cgi-bin/prometei.cgihttps://gb7ni5rg | unknown | |
| https://bugs.launchpad.net/ubuntu/ | unknown | |
| http://mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.b32.i2p/cgi-bin/prometei.cgi | unknown | |
| http://p3.feefreepool.net/cgi-bin/prometei.cgi | unknown | |
| https://gb7ni5rgeexdcncj.onion/cgi-bin/prometei.cgi | unknown | |
| http://%s/cgi-bin/prometei.cgi | unknown | |
| http://%s/cgi-bin/prometei.cgi?r=0&auth=hash&i=%s&enckey=%shttp://%s/cgi-bin/prometei.cgi%m%d%yxinch | unknown | |
| https://http:///:.onion.i2p.zeroGET | unknown | |
| http://dummy.zero/cgi-bin/prometei.cgi | unknown | |
| http://%s/cgi-bin/prometei.cgi?r=0&auth=hash&i=%s&enckey=%s | unknown | |

Domains

| Name | IP | Malicious |
|---|---|---|
| p3.feefreepool.net | 88.198.246.242 | |

IPs

| IP | Domain | Country | Malicious |
|---|---|---|---|
| 88.198.246.242 | p3.feefreepool.net | Germany | |
| 109.202.202.202 | unknown | Switzerland | |
| 91.189.91.43 | unknown | United Kingdom | |
| 91.189.91.42 | unknown | United Kingdom | |