IOC Report
na.elf


Files

File Path | Type | Category | Malicious
na.elf | ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), statically linked, for GNU/Linux 3.2.0, BuildID[sha1]=bc565f9f2dafc5618defa8eccf705f85712c87da, stripped | initial sample | malicious
/etc/CommId | ASCII text, with no line terminators | dropped | malicious
/usr/sbin/uplugplay | ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), statically linked, for GNU/Linux 3.2.0, BuildID[sha1]=bc565f9f2dafc5618defa8eccf705f85712c87da, stripped | dropped | malicious
/memfd:snapd-env-generator (deleted) | ASCII text | dropped |
/proc/6440/task/6441/comm | ASCII text, with no line terminators | dropped |
/proc/6440/task/6442/comm | ASCII text, with no line terminators | dropped |
/proc/6440/task/6443/comm | ASCII text, with no line terminators | dropped |
/usr/lib/systemd/system/uplugplay.service | ASCII text | dropped |

Processes

Path | Cmdline | Malicious
/tmp/na.elf | /tmp/na.elf |
/tmp/na.elf | - |
/bin/sh | sh -c "pgrep na.elf" |
/bin/sh | - |
/usr/bin/pgrep | pgrep na.elf |
/tmp/na.elf | - |
/bin/sh | sh -c "pidof na.elf" |
/bin/sh | - |
/usr/bin/pidof | pidof na.elf |
/tmp/na.elf | - |
/bin/sh | sh -c "pgrep uplugplay" |
/bin/sh | - |
/usr/bin/pgrep | pgrep uplugplay |
/tmp/na.elf | - |
/bin/sh | sh -c "pidof uplugplay" |
/bin/sh | - |
/usr/bin/pidof | pidof uplugplay |
/tmp/na.elf | - |
/bin/sh | sh -c "pgrep upnpsetup" |
/bin/sh | - |
/usr/bin/pgrep | pgrep upnpsetup |
/tmp/na.elf | - |
/bin/sh | sh -c "pidof upnpsetup" |
/bin/sh | - |
/usr/bin/pidof | pidof upnpsetup |
/tmp/na.elf | - |
/bin/sh | sh -c "systemctl daemon-reload" |
/bin/sh | - |
/usr/bin/systemctl | systemctl daemon-reload |
/tmp/na.elf | - |
/bin/sh | sh -c "systemctl enable uplugplay.service" |
/bin/sh | - |
/usr/bin/systemctl | systemctl enable uplugplay.service |
/tmp/na.elf | - |
/bin/sh | sh -c "systemctl start uplugplay.service" |
/bin/sh | - |
/usr/bin/systemctl | systemctl start uplugplay.service |
/usr/lib/systemd/systemd | - |
/usr/lib/systemd/system-environment-generators/snapd-env-generator | /usr/lib/systemd/system-environment-generators/snapd-env-generator |
/usr/lib/systemd/systemd | - |
/usr/lib/systemd/system-environment-generators/snapd-env-generator | /usr/lib/systemd/system-environment-generators/snapd-env-generator |
/usr/lib/systemd/systemd | - |
/usr/sbin/uplugplay | /usr/sbin/uplugplay |
/usr/sbin/uplugplay | - |
/usr/sbin/uplugplay | - |
/bin/sh | sh -c "/usr/sbin/uplugplay -Dcomsvc" |
/bin/sh | - |
/usr/sbin/uplugplay | /usr/sbin/uplugplay -Dcomsvc |
/usr/sbin/uplugplay | - |
/bin/sh | sh -c "nslookup p3.feefreepool.net 8.8.8.8" |
/bin/sh | - |
/usr/bin/nslookup | nslookup p3.feefreepool.net 8.8.8.8 |

URLs

Name | IP | Malicious
http://p3.feefreepool.net/cgi-bin/prometei.cgihttp://dummy.zero/cgi-bin/prometei.cgihttps://gb7ni5rg | unknown |
https://bugs.launchpad.net/ubuntu/ | unknown |
http://mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.b32.i2p/cgi-bin/prometei.cgi | unknown |
http://p3.feefreepool.net/cgi-bin/prometei.cgi | unknown |
https://gb7ni5rgeexdcncj.onion/cgi-bin/prometei.cgi | unknown |
http://%s/cgi-bin/prometei.cgi | unknown |
http://%s/cgi-bin/prometei.cgi?r=0&auth=hash&i=%s&enckey=%shttp://%s/cgi-bin/prometei.cgi%m%d%yxinch | unknown |
https://http:///:.onion.i2p.zeroGET | unknown |
http://dummy.zero/cgi-bin/prometei.cgi | unknown |
http://%s/cgi-bin/prometei.cgi?r=0&auth=hash&i=%s&enckey=%s | unknown |

Domains

Name | IP | Malicious
p3.feefreepool.net | 88.198.246.242 |

IPs

IP | Domain | Country | Malicious
88.198.246.242 | p3.feefreepool.net | Germany |
109.202.202.202 | unknown | Switzerland |
91.189.91.43 | unknown | United Kingdom |
91.189.91.42 | unknown | United Kingdom |

Memdumps
