IOC Report
na.elf


Files

File Path | Type | Category | Malicious
na.elf | ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), statically linked, for GNU/Linux 3.2.0, BuildID[sha1]=bc565f9f2dafc5618defa8eccf705f85712c87da, stripped | initial sample | malicious
/etc/CommId | ASCII text, with no line terminators | dropped | malicious
/usr/sbin/uplugplay | ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), statically linked, for GNU/Linux 3.2.0, BuildID[sha1]=bc565f9f2dafc5618defa8eccf705f85712c87da, stripped | dropped | malicious
/memfd:snapd-env-generator (deleted) | ASCII text | dropped |
/proc/5665/task/5666/comm | ASCII text, with no line terminators | dropped |
/proc/5665/task/5667/comm | ASCII text, with no line terminators | dropped |
/proc/5665/task/5668/comm | ASCII text, with no line terminators | dropped |
/usr/lib/systemd/system/uplugplay.service | ASCII text | dropped |

Processes

Path | Cmdline | Malicious
/tmp/na.elf | /tmp/na.elf |
/tmp/na.elf | - |
/bin/sh | sh -c "pgrep na.elf" |
/bin/sh | - |
/usr/bin/pgrep | pgrep na.elf |
/tmp/na.elf | - |
/bin/sh | sh -c "pidof na.elf" |
/bin/sh | - |
/usr/bin/pidof | pidof na.elf |
/tmp/na.elf | - |
/bin/sh | sh -c "pgrep uplugplay" |
/bin/sh | - |
/usr/bin/pgrep | pgrep uplugplay |
/tmp/na.elf | - |
/bin/sh | sh -c "pidof uplugplay" |
/bin/sh | - |
/usr/bin/pidof | pidof uplugplay |
/tmp/na.elf | - |
/bin/sh | sh -c "pgrep upnpsetup" |
/bin/sh | - |
/usr/bin/pgrep | pgrep upnpsetup |
/tmp/na.elf | - |
/bin/sh | sh -c "pidof upnpsetup" |
/bin/sh | - |
/usr/bin/pidof | pidof upnpsetup |
/tmp/na.elf | - |
/bin/sh | sh -c "systemctl daemon-reload" |
/bin/sh | - |
/usr/bin/systemctl | systemctl daemon-reload |
/tmp/na.elf | - |
/bin/sh | sh -c "systemctl enable uplugplay.service" |
/bin/sh | - |
/usr/bin/systemctl | systemctl enable uplugplay.service |
/tmp/na.elf | - |
/bin/sh | sh -c "systemctl start uplugplay.service" |
/bin/sh | - |
/usr/bin/systemctl | systemctl start uplugplay.service |
/usr/lib/systemd/systemd | - |
/usr/lib/systemd/system-environment-generators/snapd-env-generator | /usr/lib/systemd/system-environment-generators/snapd-env-generator |
/usr/lib/systemd/systemd | - |
/usr/lib/systemd/system-environment-generators/snapd-env-generator | /usr/lib/systemd/system-environment-generators/snapd-env-generator |
/usr/lib/systemd/systemd | - |
/usr/sbin/uplugplay | /usr/sbin/uplugplay |
/usr/sbin/uplugplay | - |
/usr/sbin/uplugplay | - |
/bin/sh | sh -c "/usr/sbin/uplugplay -Dcomsvc" |
/bin/sh | - |
/usr/sbin/uplugplay | /usr/sbin/uplugplay -Dcomsvc |
/usr/sbin/uplugplay | - |
/bin/sh | sh -c "nslookup p3.feefreepool.net 8.8.8.8" |
/bin/sh | - |
/usr/bin/nslookup | nslookup p3.feefreepool.net 8.8.8.8 |
42 further processes are not included in this export.

URLs

Name | IP | Malicious
http://p3.feefreepool.net/cgi-bin/prometei.cgihttp://dummy.zero/cgi-bin/prometei.cgihttps://gb7ni5rg | unknown |
https://bugs.launchpad.net/ubuntu/ | unknown |
http://mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.b32.i2p/cgi-bin/prometei.cgi | unknown |
http://p3.feefreepool.net/cgi-bin/prometei.cgi | unknown |
https://gb7ni5rgeexdcncj.onion/cgi-bin/prometei.cgi | unknown |
http://%s/cgi-bin/prometei.cgi | unknown |
http://%s/cgi-bin/prometei.cgi?r=0&auth=hash&i=%s&enckey=%shttp://%s/cgi-bin/prometei.cgi%m%d%yxinch | unknown |
https://http:///:.onion.i2p.zeroGET | unknown |
http://dummy.zero/cgi-bin/prometei.cgi | unknown |
http://%s/cgi-bin/prometei.cgi?r=0&auth=hash&i=%s&enckey=%s | unknown |

Domains

Name | IP | Malicious
p3.feefreepool.net | 88.198.246.242 |

IPs

IP | Domain | Country | Malicious
88.198.246.242 | p3.feefreepool.net | Germany |

Memdumps

Base Address | Protect | Malicious
7f5d8526a000 | page read and write | malicious
7f5d844d2000 | page execute read | malicious
7f5e02621000 | page read and write |
7f1b22c1c000 | page read and write |
7f5e0a368000 | page read and write |
7f5dfe5f8000 | page execute and read and write |
7f5e08cc0000 | page read and write |
55c10e58a000 | page read and write |
7f5e00dfd000 | page execute and read and write |
55c10c2e3000 | page execute read |
7f5dffdfb000 | page execute and read and write |
7f5e005fc000 | page execute and read and write |
7f1b2224c000 | page read and write |
7f1b2225a000 | page read and write |
7f5e08dc4000 | page read and write |
55c10c56b000 | page read and write |
7f5e0a23f000 | page read and write |
562c0a521000 | page read and write |
7fffcb85c000 | page read and write |
7f5e09d10000 | page read and write |
7f5e02600000 | page execute and read and write |
7f5e01dff000 | page execute and read and write |
562c0d460000 | page read and write |
7f1b228ab000 | page read and write |
55c10f7d1000 | page read and write |
7f5e08d01000 | page read and write |
7f5e08d42000 | page read and write |
562c0a28f000 | page execute read |
562c0c51f000 | page execute and read and write |
7f5e037ff000 | page execute and read and write |
7f5e0a3b5000 | page read and write |
7f5e015fe000 | page execute and read and write |
7f5dff5fa000 | page execute and read and write |
55c10c575000 | page read and write |
7f1b228eb000 | page read and write |
7f1b22dfd000 | page read and write |
7f5e02ffe000 | page execute and read and write |
7f5e0969c000 | page read and write |
7f5e09d2d000 | page read and write |
7f5e0a370000 | page read and write |
7f5d80049000 | page read and write |
7f1b22f26000 | page read and write |
7f5e0a05e000 | page read and write |
55c10e573000 | page execute and read and write |
7f5e0968e000 | page read and write |
7f5e08e86000 | page read and write |
7f1a9d26a000 | page read and write |
7f5d844e7000 | page read and write |
7ffe7cd59000 | page execute read |
7f5e04021000 | page read and write |
562c0c536000 | page read and write |
7f1b22f73000 | page read and write |
7f1b21a44000 | page read and write |
7f1b2250a000 | page read and write |
562c0a517000 | page read and write |
7f1b228ce000 | page read and write |
7f5dfedf9000 | page execute and read and write |
7f5e0994c000 | page read and write |
7f5dfddf7000 | page execute and read and write |
7f1b22f2e000 | page read and write |
7f5e08d83000 | page read and write |
7f1b1c000000 | page read and write |
7ffe7cc7d000 | page read and write |
7f5e09ced000 | page read and write |
7f1b1c021000 | page read and write |
7f5d7c046000 | page read and write |
7f5e04000000 | page read and write |
7fffcb926000 | page execute read |
58 further memdumps are not included in this export.
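Host hunting with the indicators above

The report gives enough to check other hosts: the dropped paths (/etc/CommId, /usr/sbin/uplugplay, the uplugplay.service unit), the GNU build-id that na.elf and /usr/sbin/uplugplay share, the process names the sample checks for with pgrep/pidof (na.elf, uplugplay, upnpsetup), the -Dcomsvc switch, the systemctl enable/start chain, and the p3.feefreepool.net / 88.198.246.242 / cgi-bin/prometei.cgi network strings. The Python below is an added example and not part of the sandbox output. The process listing, log lines and ELF images it scans are constructed; the build-id scanner looks for the NT_GNU_BUILD_ID note pattern in both byte orders (the sample is big-endian MIPS) rather than walking the program headers, which is an assumption made for triage, and the build-id check is what catches a copy of the dropper written under a name the report does not list.

```python
"""Hunt a Linux host for the indicators in this report (added example, not sandbox output).
Sample inputs at the bottom are constructed, not captured."""
import re
from pathlib import PurePosixPath

# Indicators copied from the Files, Processes, URLs, Domains and IPs sections above.
IOC_PATHS = {"/etc/CommId", "/usr/sbin/uplugplay",
             "/usr/lib/systemd/system/uplugplay.service"}
IOC_PROC_NAMES = {"uplugplay", "upnpsetup", "na.elf"}
IOC_DOMAINS = {"p3.feefreepool.net", "gb7ni5rgeexdcncj.onion",
               "mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.b32.i2p"}
IOC_IPS = {"88.198.246.242"}
IOC_URL_PATH = "/cgi-bin/prometei.cgi"
IOC_BUILD_ID = "bc565f9f2dafc5618defa8eccf705f85712c87da"  # shared by na.elf and uplugplay

# NT_GNU_BUILD_ID note: namesz=4, descsz in {16,20,32}, type=3, "GNU\0", then the id bytes.
# Both byte orders are accepted (the sample is big-endian MIPS); assumption: a pattern scan
# instead of walking program headers is good enough for triage.
_NOTE_RE = re.compile(
    rb"(?:\x00\x00\x00\x04\x00\x00\x00(?P<be>[\x10\x14\x20])\x00\x00\x00\x03"
    rb"|\x04\x00\x00\x00(?P<le>[\x10\x14\x20])\x00\x00\x00\x03\x00\x00\x00)GNU\x00")

def gnu_build_id(data: bytes):
    """Return the hex GNU build-id embedded in an ELF image, or None if no note is found."""
    m = _NOTE_RE.search(data)
    if not m:
        return None
    size = (m.group("be") or m.group("le"))[0]
    return data[m.end():m.end() + size].hex()

def file_hits(paths, read_bytes=None):
    """Flag listed paths and, if read_bytes(path) is given, any ELF with the sample's build-id."""
    hits = []
    for p in paths:
        if p in IOC_PATHS:
            hits.append((p, "path listed in report"))
        elif read_bytes and gnu_build_id(read_bytes(p)) == IOC_BUILD_ID:
            hits.append((p, "GNU build-id matches sample"))
    return hits

_SELF_CHECK_RE = re.compile(r"\b(pgrep|pidof)\s+(uplugplay|upnpsetup|na\.elf)\b")
_PERSIST_RE = re.compile(r"systemctl\s+(enable|start)\s+uplugplay\.service")

def suspicious_processes(ps_output: str):
    """Scan `ps -eo pid,args` output; return (pid, reason) for every IOC hit, in order."""
    hits = []
    for line in ps_output.splitlines()[1:]:            # first line is the ps header
        pid_s, _, args = line.strip().partition(" ")
        if not pid_s.isdigit():
            continue
        pid, argv = int(pid_s), args.split()
        name = PurePosixPath(argv[0]).name if argv else ""
        if name in IOC_PROC_NAMES:
            hits.append((pid, f"process name {name!r} from report"))
        elif "-Dcomsvc" in argv:
            hits.append((pid, "-Dcomsvc switch seen in report"))
        elif _SELF_CHECK_RE.search(args):
            hits.append((pid, "bot checking for a running instance"))
        elif _PERSIST_RE.search(args):
            hits.append((pid, "systemd persistence for uplugplay.service"))
        elif any(d in args for d in IOC_DOMAINS):
            hits.append((pid, "command line references report domain"))
    return hits

_NET_RE = re.compile(
    "(?P<host>" + "|".join(map(re.escape, sorted(IOC_DOMAINS | IOC_IPS))) + ")"
    "|(?P<path>" + re.escape(IOC_URL_PATH) + ")")

def network_hits(log_lines):
    """Return the distinct report domains, IPs and URL paths seen in DNS/proxy log lines."""
    seen = set()
    for line in log_lines:
        for m in _NET_RE.finditer(line):
            seen.add(m.group("host") or m.group("path"))
    return sorted(seen)

# ---- constructed sample inputs (not from the sandbox run) ----
def fake_mips_image(build_id_hex: str) -> bytes:
    """Stand-in for an ELF image: magic, big-endian ident byte, then a build-id note."""
    note = b"\x00\x00\x00\x04\x00\x00\x00\x14\x00\x00\x00\x03GNU\x00" + bytes.fromhex(build_id_hex)
    return b"\x7fELF\x01\x02" + b"\x00" * 26 + note + b"\x00" * 16

FILES_SAMPLE = {
    "/etc/CommId": b"0123456789abcdef",
    "/usr/sbin/uplugplay": fake_mips_image(IOC_BUILD_ID),
    "/opt/backup/svc.bin": fake_mips_image(IOC_BUILD_ID),  # renamed copy; only the build-id catches it
    "/usr/bin/pgrep": fake_mips_image("00" * 20),          # benign binary with another build-id
}
PS_SAMPLE = """\
    PID ARGS
    612 /usr/sbin/uplugplay
    613 /usr/sbin/uplugplay -Dcomsvc
    640 sh -c pgrep upnpsetup
    655 nslookup p3.feefreepool.net 8.8.8.8
    700 /usr/sbin/sshd -D
"""
NET_SAMPLE = [
    "Jan 01 12:00:01 gw dnsmasq[300]: query[A] p3.feefreepool.net from 10.0.0.5",
    "Jan 01 12:00:01 gw dnsmasq[300]: reply p3.feefreepool.net is 88.198.246.242",
    "Jan 01 12:00:02 gw squid[400]: 10.0.0.5 GET http://88.198.246.242/cgi-bin/prometei.cgi?r=0",
    "Jan 01 12:00:03 gw dnsmasq[300]: query[A] archive.ubuntu.com from 10.0.0.5",
]
```

On a live host, pass real data instead of the constructed samples: `file_hits(candidate_paths, lambda p: open(p, "rb").read())`, the output of `ps -eo pid,args` to `suspicious_processes`, and resolver or proxy log lines to `network_hits`. The self-check and systemctl regexes match the exact command lines the Processes section records, so they will fire on the persistence step even if the binary has already been renamed.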