Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

/tmp/skid.x86.elf

/usr/libexec/gnome-session-binary

/bin/sh

/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-sharing

/usr/libexec/gsd-sharing

/usr/libexec/gnome-session-binary

/bin/sh

/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-wacom

/usr/libexec/gsd-wacom

/usr/lib/systemd/systemd

/usr/lib/upower/upowerd

/usr/libexec/gnome-session-binary

/bin/sh

/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-keyboard

/usr/libexec/gsd-keyboard

/usr/libexec/gnome-session-binary

/bin/sh

/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-color

/usr/libexec/gsd-color

/usr/libexec/gnome-session-binary

/bin/sh

/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-print-notifications

/usr/libexec/gsd-print-notifications

/usr/libexec/gnome-session-binary

/bin/sh

/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-rfkill

/usr/libexec/gsd-rfkill

/usr/libexec/gnome-session-binary

/bin/sh

/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-smartcard

/usr/libexec/gsd-smartcard

/usr/libexec/gnome-session-binary

/bin/sh

/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-datetime

/usr/libexec/gsd-datetime

/usr/libexec/gnome-session-binary

/bin/sh

/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-media-keys

/usr/libexec/gsd-media-keys

/usr/libexec/gvfsd-fuse

/bin/fusermount

fusermount -u -q -z -- /run/user/1000/gvfs

/usr/libexec/gnome-session-binary

/bin/sh

/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-screensaver-proxy

/usr/libexec/gsd-screensaver-proxy

/usr/libexec/gnome-session-binary

/bin/sh

/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-a11y-settings

/usr/libexec/gsd-a11y-settings

/usr/libexec/gnome-session-binary

/bin/sh

/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-sound

/usr/libexec/gsd-sound

/usr/bin/xfce4-panel

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libsystray.so 6 12582920 systray "Notification Area" "Area where notification icons appear"

/usr/libexec/gnome-session-binary

/bin/sh

/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping

/usr/libexec/gsd-housekeeping

/usr/bin/xfce4-panel

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libstatusnotifier.so 7 12582921 statusnotifier "Status Notifier Plugin" "Provides a panel area for status notifier items (application indicators)"

/usr/bin/xfce4-panel

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libpulseaudio-plugin.so 8 12582922 pulseaudio "PulseAudio Plugin" "Adjust the audio volume of the PulseAudio sound system"

/usr/libexec/gnome-session-binary

/bin/sh

/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-power

/usr/libexec/gsd-power

/usr/bin/xfce4-panel

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libxfce4powermanager.so 9 12582923 power-manager-plugin "Power Manager Plugin" "Display the battery levels of your devices and control the brightness of your display"

/usr/bin/xfce4-panel

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libnotification-plugin.so 10 12582924 notification-plugin "Notification Plugin" "Notification plugin for the Xfce panel"

/usr/bin/xfce4-panel

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0

/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libactions.so 14 12582925 actions "Action Buttons" "Log out, lock or other system actions"

/usr/lib/systemd/systemd

/usr/lib/upower/upowerd

/usr/bin/dbus-daemon

/usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd

/usr/sbin/gdm3

/etc/gdm3/PrimeOff/Default

/usr/sbin/gdm3

/etc/gdm3/PrimeOff/Default

/usr/bin/dbus-daemon

/usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd

/usr/bin/dbus-daemon

/usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd

/usr/lib/systemd/systemd

/usr/lib/x86_64-linux-gnu/xfce4/notifyd/xfce4-notifyd

/usr/lib/systemd/systemd

/usr/lib/upower/upowerd

/usr/lib/systemd/systemd

/usr/lib/upower/upowerd

/usr/lib/systemd/systemd

/lib/systemd/systemd-user-runtime-dir

/lib/systemd/systemd-user-runtime-dir stop 127

/usr/bin/dbus-daemon

/usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd

There are 75 hidden processes, click here to show them.

URLs

Name

Malicious

http://schemas.xmlsoap.org/soap/encoding/

unknown

Details

Name:	http://schemas.xmlsoap.org/soap/encoding/
TargetID:	12
From Memory:	true
Current Path:	/tmp/skid.x86.elf
Source:	skid.x86.elf
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

http://schemas.xmlsoap.org/soap/envelope/

unknown

Details

Name:	http://schemas.xmlsoap.org/soap/envelope/
TargetID:	12
From Memory:	true
Current Path:	/tmp/skid.x86.elf
Source:	skid.x86.elf
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

Domains

Name

Malicious

9wg0dstmud.pirate

2.58.95.134

Details

Name:	9wg0dstmud.pirate
IP:	2.58.95.134
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

197.128.22.103

unknown

Morocco

197.231.215.3

unknown

197.130.162.10

unknown

Morocco

153.198.67.43

unknown

Japan

157.229.105.50

unknown

United States

157.82.48.228

unknown

Japan

157.57.242.69

unknown

United States

197.19.253.193

unknown

Tunisia

197.59.229.29

unknown

Egypt

138.15.239.4

unknown

United States

157.215.239.61

unknown

United States

197.76.213.117

unknown

South Africa

41.108.83.77

unknown

Algeria

187.27.7.220

unknown

Brazil

197.160.244.183

unknown

Egypt

41.227.18.69

unknown

Tunisia

197.234.167.179

unknown

South Africa

197.71.86.140

unknown

South Africa

197.60.107.98

unknown

Egypt

157.194.39.12

unknown

United States

41.198.207.244

unknown

South Africa

41.230.97.182

unknown

Tunisia

197.73.219.208

unknown

South Africa

197.102.233.94

unknown

South Africa

197.166.142.54

unknown

Egypt

197.224.41.182

unknown

Mauritius

19.242.1.180

unknown

United States

157.227.65.47

unknown

Australia

41.142.174.167

unknown

Morocco

157.146.162.192

unknown

United States

81.113.214.158

unknown

Italy

41.35.57.84

unknown

Egypt

157.41.214.252

unknown

India

186.178.176.191

unknown

Ecuador

109.49.178.67

unknown

Portugal

208.32.74.190

unknown

United States

41.122.213.82

unknown

South Africa

41.17.0.106

unknown

South Africa

142.133.143.202

unknown

Canada

197.43.51.120

unknown

Egypt

121.229.221.149

unknown

China

157.37.178.134

unknown

India

41.39.124.167

unknown

Egypt

41.8.13.52

unknown

South Africa

41.92.37.101

unknown

Morocco

197.40.144.185

unknown

Egypt

41.165.243.16

unknown

South Africa

41.149.186.125

unknown

South Africa

190.207.174.24

unknown

Venezuela

157.182.20.36

unknown

United States

157.57.242.31

unknown

United States

197.224.41.174

unknown

Mauritius

126.111.87.243

unknown

Japan

197.71.86.123

unknown

South Africa

41.95.85.7

unknown

Sudan

197.33.36.84

unknown

Egypt

41.215.11.64

unknown

Kenya

157.220.202.152

unknown

United States

197.202.110.238

unknown

Algeria

41.57.232.97

unknown

Ghana

41.143.104.78

unknown

Morocco

167.216.36.47

unknown

United States

197.116.212.219

unknown

Algeria

203.96.78.220

unknown

New Zealand

70.30.247.10

unknown

Canada

197.144.115.218

unknown

Morocco

41.66.91.118

unknown

South Africa

157.251.170.240

unknown

United States

45.99.51.242

unknown

Egypt

157.179.150.128

unknown

Thailand

41.105.231.143

unknown

Algeria

197.190.12.229

unknown

Ghana

157.245.211.184

unknown

United States

157.0.158.249

unknown

China

197.75.183.131

unknown

South Africa

119.225.95.94

unknown

Australia

41.165.243.73

unknown

South Africa

41.41.152.229

unknown

Egypt

205.234.68.103

unknown

United States

41.177.92.59

unknown

South Africa

157.220.202.173

unknown

United States

157.42.153.20

unknown

India

171.204.24.105

unknown

United States

157.157.15.93

unknown

Iceland

197.108.43.37

unknown

South Africa

197.16.42.185

unknown

Tunisia

106.94.227.22

unknown

China

140.13.164.141

unknown

United States

197.237.248.102

unknown

Kenya

157.227.65.11

unknown

Australia

197.76.213.166

unknown

South Africa

109.154.121.220

unknown

United Kingdom

41.138.141.98

unknown

Mauritania

222.60.154.248

unknown

China

41.76.191.203

unknown

Kenya

41.242.158.86

unknown

41.41.152.233

unknown

Egypt

157.176.156.241

unknown

United States

41.104.241.214

unknown

Algeria

201.79.172.50

unknown

Brazil

There are 90 hidden IPs, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

41e000

page execute read

41e000

page execute read

91b000

page read and write

52f000

page read and write

527000

page read and write

91c000

page read and write

52f000

page read and write

7ffd21947000

page read and write

91b000

page read and write

7ffd21947000

page read and write

7ffd2196a000

page execute read

527000

page read and write

7ffd2196a000

page execute read

There are 3 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
skid.x86.elf

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportskid.x86.elf

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
skid.x86.elf