IOC Report
na.elf


Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| na.elf | ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, no section header | initial sample | malicious |
| /etc/CommId | ASCII text, with no line terminators | dropped | malicious |
| /usr/sbin/uplugplay | ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, no section header | dropped | malicious |
| /memfd:snapd-env-generator (deleted) | ASCII text | dropped | |
| /usr/lib/systemd/system/uplugplay.service | ASCII text | dropped | |

Processes

| Path | Cmdline | Malicious |
|---|---|---|
| /tmp/na.elf | /tmp/na.elf | |
| /tmp/na.elf | - | |
| /bin/sh | sh -c "pgrep na.elf" | |
| /bin/sh | - | |
| /usr/bin/pgrep | pgrep na.elf | |
| /tmp/na.elf | - | |
| /bin/sh | sh -c "pgrep uplugplay" | |
| /bin/sh | - | |
| /usr/bin/pgrep | pgrep uplugplay | |
| /tmp/na.elf | - | |
| /bin/sh | sh -c "pidof uplugplay" | |
| /bin/sh | - | |
| /usr/bin/pidof | pidof uplugplay | |
| /tmp/na.elf | - | |
| /bin/sh | sh -c "pgrep upnpsetup" | |
| /bin/sh | - | |
| /usr/bin/pgrep | pgrep upnpsetup | |
| /tmp/na.elf | - | |
| /bin/sh | sh -c "pidof upnpsetup" | |
| /bin/sh | - | |
| /usr/bin/pidof | pidof upnpsetup | |
| /tmp/na.elf | - | |
| /bin/sh | sh -c "systemctl daemon-reload" | |
| /bin/sh | - | |
| /usr/bin/systemctl | systemctl daemon-reload | |
| /tmp/na.elf | - | |
| /bin/sh | sh -c "systemctl enable uplugplay.service" | |
| /bin/sh | - | |
| /usr/bin/systemctl | systemctl enable uplugplay.service | |
| /tmp/na.elf | - | |
| /bin/sh | sh -c "systemctl start uplugplay.service" | |
| /bin/sh | - | |
| /usr/bin/systemctl | systemctl start uplugplay.service | |
| /usr/lib/systemd/systemd | - | |
| /usr/lib/systemd/system-environment-generators/snapd-env-generator | /usr/lib/systemd/system-environment-generators/snapd-env-generator | |
| /usr/lib/systemd/systemd | - | |
| /usr/lib/systemd/system-environment-generators/snapd-env-generator | /usr/lib/systemd/system-environment-generators/snapd-env-generator | |
| /usr/lib/systemd/systemd | - | |
| /usr/sbin/uplugplay | /usr/sbin/uplugplay | |
| /usr/sbin/uplugplay | - | |
| /usr/sbin/uplugplay | - | |
| /bin/sh | sh -c "/usr/sbin/uplugplay -Dcomsvc" | |
| /bin/sh | - | |
| /usr/sbin/uplugplay | /usr/sbin/uplugplay -Dcomsvc | |
| /usr/sbin/uplugplay | - | |
| /bin/sh | sh -c hostnamectl | |
| /bin/sh | - | |
| /usr/bin/hostnamectl | hostnamectl | |
| /usr/sbin/uplugplay | - | |
| /bin/sh | sh -c hostnamectl | |
| /bin/sh | - | |
| /usr/bin/hostnamectl | hostnamectl | |
| /usr/sbin/uplugplay | - | |
| /bin/sh | sh -c "dmidecode --type baseboard" | |
| /bin/sh | - | |
| /usr/sbin/dmidecode | dmidecode --type baseboard | |
| /usr/sbin/uplugplay | - | |
| /bin/sh | sh -c uptime | |
| /bin/sh | - | |
| /usr/bin/uptime | uptime | |
| /usr/sbin/uplugplay | - | |
| /bin/sh | sh -c "uname -a" | |
| /bin/sh | - | |
| /usr/bin/uname | uname -a | |
| /usr/sbin/uplugplay | - | |
| /bin/sh | sh -c dmidecode | |
| /bin/sh | - | |
| /usr/sbin/dmidecode | dmidecode | |
| /usr/sbin/uplugplay | - | |
| /bin/sh | sh -c uptime | |
| /bin/sh | - | |
| /usr/bin/uptime | uptime | |
| /usr/sbin/uplugplay | - | |
| /bin/sh | sh -c "uname -a" | |
| /bin/sh | - | |
| /usr/bin/uname | uname -a | |
| /usr/lib/systemd/systemd | - | |
| /lib/systemd/systemd-hostnamed | /lib/systemd/systemd-hostnamed | |
| /usr/bin/dash | - | |
| /usr/bin/rm | rm -f /tmp/tmp.S1wY9tGCVt /tmp/tmp.TWgSy8Ra8I /tmp/tmp.0XNgtrCFs6 | |
| /usr/bin/dash | - | |
| /usr/bin/cat | cat /tmp/tmp.S1wY9tGCVt | |
| /usr/bin/dash | - | |
| /usr/bin/head | head -n 10 | |
| /usr/bin/dash | - | |
| /usr/bin/tr | tr -d \\000-\\011\\013\\014\\016-\\037 | |
| /usr/bin/dash | - | |
| /usr/bin/cut | cut -c -80 | |
| /usr/bin/dash | - | |
| /usr/bin/cat | cat /tmp/tmp.S1wY9tGCVt | |
| /usr/bin/dash | - | |
| /usr/bin/head | head -n 10 | |
| /usr/bin/dash | - | |
| /usr/bin/tr | tr -d \\000-\\011\\013\\014\\016-\\037 | |
| /usr/bin/dash | - | |
| /usr/bin/cut | cut -c -80 | |
| /usr/bin/dash | - | |
| /usr/bin/rm | rm -f /tmp/tmp.S1wY9tGCVt /tmp/tmp.TWgSy8Ra8I /tmp/tmp.0XNgtrCFs6 | |

URLs

| Name | IP | Malicious |
|---|---|---|
| http://152.36.128.18/cgi-bin/p.cgi?r=9&i=Y1B3N2Y000JM5I0P | 152.36.128.18 | malicious |
| http://152.36.128.18/cgi-bin/p.cgi?add=aW5mbyB7DQp2NC4wMlZfVW5peDY0DQpnYWxhc3NpYQ0KDQoyeCBJbnRlbChSKSBYZW9uKFIpIFNpbHZlciA0MjEwIENQVSBAIDIuMjBHSHoNCjMwNjQyOTYga0INCnZtd2FyZQ0KDQoNCg0KVWJ1bnR1ICYgMjAuMDQuMiBMVFMgKEZvY2FsIEZvc3NhKSAgJiBidWxsc2V5ZS9zaWQgJiANCg0KL3Vzci9zYmluLw0KIDIzOjUwOjEzIHVwIDEgbWluLCAgMSB1c2VyLCAgbG9hZCBhdmVyYWdlOiAyLjI4LCAwLjk3LCAwLjM2fDE3NDUwMzgyMTMNCiMgZG1pZGVjb2RlIDMuMg0KfQ0K&i=Y1B3N2Y000JM5I0P&h=galassia&enckey=boW+shuEvBzdGZVCvYY9lRTTCxrm/Cj7mmSqy4KvsFg5n3m2cLX0KXuQRzb+8/Y5loqot/LW9Or5C7RGOkL/fdxyXk5BpgxLRKLSovweJMs0eucp8UpyCeVNwroKzt6ngx8bR8F46BcKNNf64tHbtgxjFZrVnSQP9EVk3yn+anM= | 152.36.128.18 | malicious |
| http://152.36.128.18/cgi-bin/p.cgihttp://dummy.zero/cgi-bin/prometei.cgihttps://gb7ni5rgeexdcncj.oni | unknown | |
| http://xinbicfea.org/cgi-bin/p.cgi?r=0&auth=hash&i=Y1B3N2Y000JM5I0P&enckey=boW-shuEvBzdGZVCvYY9lRTTCxrm/Cj7mmSqy4KvsFg5n3m2cLX0KXuQRzb-8/Y5loqot/LW9Or5C7RGOkL/fdxyXk5BpgxLRKLSovweJMs0eucp8UpyCeVNwroKzt6ngx8bR8F46BcKNNf64tHbtgxjFZrVnSQP9EVk3yn-anM_ | 85.214.228.140 | |
| http://xinchaobicfea.net/cgi-bin/p.cgi?r=0&auth=hash&i=Y1B3N2Y000JM5I0P&enckey=boW-shuEvBzdGZVCvYY9lRTTCxrm/Cj7mmSqy4KvsFg5n3m2cLX0KXuQRzb-8/Y5loqot/LW9Or5C7RGOkL/fdxyXk5BpgxLRKLSovweJMs0eucp8UpyCeVNwroKzt6ngx8bR8F46BcKNNf64tHbtgxjFZrVnSQP9EVk3yn-anM_ | 54.170.242.139 | |
| http://upx.sf.net | unknown | |
| http://mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.b32.i2p/cgi-bin/prometei.cgi | unknown | |
| https://gb7ni5rgeexdcncj.onion/cgi-bin/prometei.cgi | unknown | |
| http://152.36.128.18/cgi-bin/p.cgi | unknown | |
| http://dummy.zero/cgi-bin/prometei.cgi | unknown | |
| http://152.36.128 | unknown | |

Domains

| Name | IP | Malicious |
|---|---|---|
| xinbicfea.org | 85.214.228.140 | |
| xinchaobicfea.net | 54.170.242.139 | |
| xinchaobicfea.com | unknown | |

IPs

| IP | Domain | Country | Malicious |
|---|---|---|---|
| 152.36.128.18 | unknown | United States | malicious |
| 54.171.230.55 | unknown | United States | |
| 54.170.242.139 | xinchaobicfea.net | United States | |
| 85.214.228.140 | xinbicfea.org | Germany | |
| 185.125.190.26 | unknown | United Kingdom | |

Memdumps

| Base Address | Protect | Malicious |
|---|---|---|
| 7f7aa8b16000 | page read and write | |
| 7f7aa0ffa000 | page read and write | |
| 7f7aa9317000 | page read and write | |
| 7f7aa2ffe000 | page read and write | |
| 7f7aa1ffc000 | page read and write | |
| 4f9000 | page execute read | |
| 7f7aa17fb000 | page read and write | |
| 7ffc6bdd2000 | page execute read | |
| 19c4000 | page read and write | |
| 7f7aa27fd000 | page read and write | |
| 7ffc6bcb2000 | page read and write | |
| 7f7aa4000000 | page read and write | |
| 1575000 | page read and write | |
| 7f7aa37ff000 | page read and write | |
| 7f7aa07f9000 | page read and write | |
| 7f7aa4021000 | page read and write | |