Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
na.elf
|
ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), statically linked, for GNU/Linux 3.2.0, BuildID[sha1]=bc565f9f2dafc5618defa8eccf705f85712c87da,
stripped
|
initial sample
|
 |
|
|
/etc/CommId
|
ASCII text, with no line terminators
|
dropped
|
|
|
|
/usr/sbin/uplugplay
|
ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), statically linked, for GNU/Linux 3.2.0, BuildID[sha1]=bc565f9f2dafc5618defa8eccf705f85712c87da,
stripped
|
dropped
|
|
|
|
/memfd:snapd-env-generator (deleted)
|
ASCII text
|
dropped
|
||
|
/proc/5589/task/5590/comm
|
ASCII text, with no line terminators
|
dropped
|
||
|
/proc/5589/task/5591/comm
|
ASCII text, with no line terminators
|
dropped
|
||
|
/proc/5589/task/5592/comm
|
ASCII text, with no line terminators
|
dropped
|
||
|
/usr/lib/systemd/system/uplugplay.service
|
ASCII text
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
/usr/bin/dash
|
-
|
||
|
/usr/bin/rm
|
rm -f /tmp/tmp.XmsbVG8o0i /tmp/tmp.JqYqK9RsE9 /tmp/tmp.UtEERizVFO
|
||
|
/usr/bin/dash
|
-
|
||
|
/usr/bin/rm
|
rm -f /tmp/tmp.XmsbVG8o0i /tmp/tmp.JqYqK9RsE9 /tmp/tmp.UtEERizVFO
|
||
|
/tmp/na.elf
|
/tmp/na.elf
|
||
|
/tmp/na.elf
|
-
|
||
|
/bin/sh
|
sh -c "pgrep na.elf"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/pgrep
|
pgrep na.elf
|
||
|
/tmp/na.elf
|
-
|
||
|
/bin/sh
|
sh -c "pidof na.elf"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/pidof
|
pidof na.elf
|
||
|
/tmp/na.elf
|
-
|
||
|
/bin/sh
|
sh -c "pgrep uplugplay"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/pgrep
|
pgrep uplugplay
|
||
|
/tmp/na.elf
|
-
|
||
|
/bin/sh
|
sh -c "pidof uplugplay"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/pidof
|
pidof uplugplay
|
||
|
/tmp/na.elf
|
-
|
||
|
/bin/sh
|
sh -c "pgrep upnpsetup"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/pgrep
|
pgrep upnpsetup
|
||
|
/tmp/na.elf
|
-
|
||
|
/bin/sh
|
sh -c "pidof upnpsetup"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/pidof
|
pidof upnpsetup
|
||
|
/tmp/na.elf
|
-
|
||
|
/bin/sh
|
sh -c "systemctl daemon-reload"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/systemctl
|
systemctl daemon-reload
|
||
|
/tmp/na.elf
|
-
|
||
|
/bin/sh
|
sh -c "systemctl enable uplugplay.service"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/systemctl
|
systemctl enable uplugplay.service
|
||
|
/tmp/na.elf
|
-
|
||
|
/bin/sh
|
sh -c "systemctl start uplugplay.service"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/systemctl
|
systemctl start uplugplay.service
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
/usr/lib/systemd/system-environment-generators/snapd-env-generator
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/sbin/uplugplay
|
/usr/sbin/uplugplay
|
||
|
/usr/sbin/uplugplay
|
-
|
||
|
/usr/sbin/uplugplay
|
-
|
||
|
/bin/sh
|
sh -c "/usr/sbin/uplugplay -Dcomsvc"
|
||
|
/bin/sh
|
-
|
||
|
/usr/sbin/uplugplay
|
/usr/sbin/uplugplay -Dcomsvc
|
||
|
/usr/sbin/uplugplay
|
-
|
||
|
/bin/sh
|
sh -c "nslookup p3.feefreepool.net 8.8.8.8"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/nslookup
|
nslookup p3.feefreepool.net 8.8.8.8
|
There are 46 hidden processes, click here to show them.
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://p3.feefreepool.net/cgi-bin/prometei.cgihttp://dummy.zero/cgi-bin/prometei.cgihttps://gb7ni5rg
|
unknown
|
||
|
https://bugs.launchpad.net/ubuntu/
|
unknown
|
||
|
http://mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.b32.i2p/cgi-bin/prometei.cgi
|
unknown
|
||
|
http://p3.feefreepool.net/cgi-bin/prometei.cgi
|
unknown
|
||
|
https://gb7ni5rgeexdcncj.onion/cgi-bin/prometei.cgi
|
unknown
|
||
|
http://%s/cgi-bin/prometei.cgi
|
unknown
|
||
|
http://%s/cgi-bin/prometei.cgi?r=0&auth=hash&i=%s&enckey=%shttp://%s/cgi-bin/prometei.cgi%m%d%yxinch
|
unknown
|
||
|
https://http:///:.onion.i2p.zeroGET
|
unknown
|
||
|
http://dummy.zero/cgi-bin/prometei.cgi
|
unknown
|
||
|
http://%s/cgi-bin/prometei.cgi?r=0&auth=hash&i=%s&enckey=%s
|
unknown
|
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
p3.feefreepool.net
|
88.198.246.242
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
88.198.246.242
|
p3.feefreepool.net
|
Germany
|
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
7fe0984d2000
|
page execute read
|
|
||
|
7fe09926a000
|
page read and write
|
|
||
|
7fe118021000
|
page read and write
|
|||
|
7fe090090000
|
page read and write
|
|||
|
7fe1155fe000
|
page execute and read and write
|
|||
|
7fe1207d7000
|
page read and write
|
|||
|
7ff3d639a000
|
page read and write
|
|||
|
7fe115dff000
|
page execute and read and write
|
|||
|
7fe1135fa000
|
page execute and read and write
|
|||
|
55dbce088000
|
page read and write
|
|||
|
7fe1145fc000
|
page execute and read and write
|
|||
|
55dbcab19000
|
page read and write
|
|||
|
7fe120163000
|
page read and write
|
|||
|
55dbccb38000
|
page read and write
|
|||
|
7ff3d5e88000
|
page read and write
|
|||
|
7ffd7abd5000
|
page execute read
|
|||
|
7fe111df7000
|
page execute and read and write
|
|||
|
7ff3d6510000
|
page read and write
|
|||
|
7fe116621000
|
page read and write
|
|||
|
7fe118000000
|
page read and write
|
|||
|
7ff3d0000000
|
page read and write
|
|||
|
7ff3d64c3000
|
page read and write
|
|||
|
7fe120413000
|
page read and write
|
|||
|
7fe120b25000
|
page read and write
|
|||
|
7fe120e37000
|
page read and write
|
|||
|
55fb3b76f000
|
page read and write
|
|||
|
55fb3d78e000
|
page read and write
|
|||
|
7fe11f746000
|
page read and write
|
|||
|
7ffdfb183000
|
page execute read
|
|||
|
7ff35126a000
|
page read and write
|
|||
|
7fe120d06000
|
page read and write
|
|||
|
7fe1177ff000
|
page execute and read and write
|
|||
|
7fe120155000
|
page read and write
|
|||
|
7fe11f787000
|
page read and write
|
|||
|
7fe11f7c8000
|
page read and write
|
|||
|
7ff3d0021000
|
page read and write
|
|||
|
7fe1207b4000
|
page read and write
|
|||
|
7ffd7aa0f000
|
page read and write
|
|||
|
7fe11f94d000
|
page read and write
|
|||
|
7fe112df9000
|
page execute and read and write
|
|||
|
7ff3d57f7000
|
page read and write
|
|||
|
7ffdfb0f1000
|
page read and write
|
|||
|
7ff3d64cb000
|
page read and write
|
|||
|
7ff3d61b9000
|
page read and write
|
|||
|
7ff3d5e48000
|
page read and write
|
|||
|
55dbccb21000
|
page execute and read and write
|
|||
|
7fe116600000
|
page execute and read and write
|
|||
|
7ff3d5e6b000
|
page read and write
|
|||
|
7fe11f84a000
|
page read and write
|
|||
|
55fb3b4e7000
|
page execute read
|
|||
|
7fe120e7c000
|
page read and write
|
|||
|
7fe113dfb000
|
page execute and read and write
|
|||
|
55fb3e864000
|
page read and write
|
|||
|
7fe120e2f000
|
page read and write
|
|||
|
55fb3b779000
|
page read and write
|
|||
|
55dbcab23000
|
page read and write
|
|||
|
7fe114dfd000
|
page execute and read and write
|
|||
|
7fe1125f8000
|
page execute and read and write
|
|||
|
55fb3d777000
|
page execute and read and write
|
|||
|
7fe1207f4000
|
page read and write
|
|||
|
7fe0984e7000
|
page read and write
|
|||
|
7fe11f88b000
|
page read and write
|
|||
|
7fe116ffe000
|
page execute and read and write
|
|||
|
55dbca891000
|
page execute read
|
|||
|
7ff3d4fe1000
|
page read and write
|
|||
|
7fe11f809000
|
page read and write
|
|||
|
7ff3d5aa7000
|
page read and write
|
|||
|
7fe094021000
|
page read and write
|
|||
|
7ff3d57e9000
|
page read and write
|
There are 59 hidden memdumps, click here to show them.