Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

/tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf

/usr/lib/systemd/systemd

/usr/bin/journalctl

/usr/bin/journalctl --smart-relinquish-var

/usr/lib/systemd/systemd

/usr/bin/dbus-daemon

/usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only

/usr/lib/systemd/systemd

/usr/sbin/rsyslogd

/usr/sbin/rsyslogd -n -iNONE

/usr/lib/systemd/systemd

/usr/bin/pulseaudio

/usr/bin/pulseaudio --daemonize=no --log-target=journal

/usr/libexec/gvfsd-fuse

/bin/fusermount

fusermount -u -q -z -- /run/user/1000/gvfs

/usr/lib/systemd/systemd

/lib/systemd/systemd-journald

/usr/lib/systemd/systemd

/usr/bin/dbus-daemon

/usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only

/usr/lib/systemd/systemd

/lib/systemd/systemd-journald

/usr/lib/systemd/systemd

/usr/sbin/rsyslogd

/usr/sbin/rsyslogd -n -iNONE

/usr/lib/systemd/systemd

/usr/bin/dbus-daemon

/usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only

/usr/lib/systemd/systemd

/lib/systemd/systemd-journald

/usr/lib/systemd/systemd

/usr/bin/dbus-daemon

/usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only

/usr/lib/systemd/systemd

/lib/systemd/systemd-journald

/usr/lib/systemd/systemd

/usr/sbin/rsyslogd

/usr/sbin/rsyslogd -n -iNONE

/usr/lib/systemd/systemd

/usr/bin/dbus-daemon

/usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only

/usr/lib/systemd/systemd

/lib/systemd/systemd-journald

/usr/sbin/gdm3

/etc/gdm3/PrimeOff/Default

/usr/sbin/gdm3

/etc/gdm3/PrimeOff/Default

/usr/sbin/gdm3

/etc/gdm3/PrimeOff/Default

/usr/lib/systemd/systemd

/usr/sbin/rsyslogd

/usr/sbin/rsyslogd -n -iNONE

/usr/lib/systemd/systemd

/usr/sbin/rsyslogd

/usr/sbin/rsyslogd -n -iNONE

/usr/lib/systemd/systemd

/usr/bin/gpu-manager

/usr/bin/gpu-manager --log /var/log/gpu-manager.log

/usr/lib/systemd/systemd

/usr/share/gdm/generate-config

/usr/bin/pkill

pkill --signal HUP --uid gdm dconf-service

/usr/lib/systemd/systemd

/usr/bin/gpu-manager

/usr/bin/gpu-manager --log /var/log/gpu-manager.log

/usr/bin/gpu-manager

/bin/sh

sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"

/bin/sh

/usr/lib/systemd/systemd

/usr/share/gdm/generate-config

/usr/bin/pkill

pkill --signal HUP --uid gdm dconf-service

/usr/lib/systemd/systemd

/usr/bin/gpu-manager

/usr/bin/gpu-manager --log /var/log/gpu-manager.log

/usr/bin/gpu-manager

/bin/sh

sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"

/bin/sh

/usr/bin/grep

grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf

/usr/lib/systemd/systemd

/usr/share/gdm/generate-config

/usr/bin/pkill

pkill --signal HUP --uid gdm dconf-service

/usr/lib/systemd/systemd

/usr/bin/gpu-manager

/usr/bin/gpu-manager --log /var/log/gpu-manager.log

/usr/lib/systemd/systemd

/usr/share/gdm/generate-config

/usr/bin/pkill

pkill --signal HUP --uid gdm dconf-service

/usr/lib/systemd/systemd

/usr/bin/gpu-manager

/usr/bin/gpu-manager --log /var/log/gpu-manager.log

/usr/lib/systemd/systemd

/usr/share/gdm/generate-config

/usr/bin/pkill

pkill --signal HUP --uid gdm dconf-service

/usr/lib/systemd/systemd

/bin/plymouth

/bin/plymouth quit

/usr/lib/systemd/systemd

/usr/bin/dbus-daemon

/usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only

There are 79 hidden processes, click here to show them.

Domains

Name

Malicious

kz.adolfhitler.su.V'fW66PV,PV!EH(652)V'f3NNPV!PV,E@@@

unknown

sex.secure-cyber-security.!V'fVVPV,PV!EHH3$W54]sexsecure-cyber-securitys!V'f.JPV!PV,E<@@wFqg#

unknown

sex.secure-cyber-security.V'f66PV,PV!E((4G/3M5Ng/yV'fDVVPV!PV,EHp@@.=3M54ysexsecure-cyber-securitys.'f6)66PV,PV!E((4o/3M5eyV'f*VVP.!PV,EHp@@>,3M54xysexsecure-cyber-securitysV'.66PV,PV!E((4/p3M5eyV'fVVPV!PV,EHq.@>3M54xysexsecure-cyber-securitys..'f&66PV,PV!E((4/g3M5 iyV'fA'VVP.!PV,EHq@@=3M54ysexsecure-cyber-securitysV'.66PV,PV!E((4/`3M5gyV'fJJJPV!PV,E<.@YF]#V'f6

unknown

kz.adolfhitler.su.V'f_66PV,PV!EH(~4{!5HV'fNNPV!PV,E@.@@@5,#kzadolfhitlersunV'f<V66PV,PV!EH(4{

unknown

kz.adolfhitler.su.V'f<V66PV,PV!EH(4{5@V'fWNNPV!PV,E@.@@=5,kzadolfhitlersunV'f66PV,PV!EH(3|5

unknown

kz.adolfhitler.su.V'fjI66PV,PV!EH(~3|E5@V'fTJNNPV!PV,E@.@@H5,}kzadolfhitlersunV'f_66PV,

unknown

kz.adolfhitler.su.V'fe66PV,PV!EH(6f5Oz)V'f/gNNPV!PV,E@C@@

unknown

sex.secure-cyber-security.V'f&66PV,PV!E((4/g3M5 iyV'fA'VVPV!PV,EHq@@.3M54ysexsecure-cyber-securitys.V'f66PV,PV.E((4/`3M5gy

unknown

kz.adolfhitler.su.V'f66PV,PV!EH(6?5y>)V'fPNNPV!PV,E@i@@

unknown

kz.adolfhitler.su.V'f0h66PV,PV!EH(65;I)V'fhJJPV!PV,E<t@@

unknown

kz.adolfhitler.su.xV'f;JJPV!PV,E<7@@XpFaQD.#+xV'f466

unknown

sex.secure-cyber-security.V'fVVPV,PV!EHH3d$W54+dsexsecure-cyber-securitysV'f.JPV!PV,E<@@#F6#H

unknown

kz.adolfhitler.su.V'f66PV,PV!EH(3|5=V'fkJJPV!PV,E<.@@OjF4#jV'f

unknown

security.rebirth-network.su

unknown

sex.secure-cyber-security.V'f66PV,PV!E((4/p3M5eyV'fVVPV!PV,EHq@@.3M54xysexsecure-cyber-securitys.'f&66PV,PV!E((4/g3M5 iyV'fA'VVP.!PV,EHq@@=3M54ysexsecure-cyber-securitysV'.66PV,PV!E((4/`3M5gyV'fJJJPV!PV,E<.@YF]#V'f6

unknown

kz.adolfhitler.su.V'f66PV,PV!EH(~4{n5PV'fNNPV!PV,E@.@@5,Nkzadolf.itlersunV'fjI66PV,PV!EH(~3|E5@V'fTJNNPV.PV,E@P@@H5

unknown

kz.adolfhitler.su.sV'f)NNPV!PV,E@S@@SF^r5,PkzadolfhitlersunxV'f;J

unknown

kz.adolfhitler.su.OV'fNNPV,PV!EH@3$W5,SkzadolfhitlersunOV'fcJ

unknown

kz.adolfhitler.su.dV'fNNPV!PV,E@O@@WD^r5,PkzadolfhitlersuniV'f%N

unknown

sex.secure-cyber-security.V'f66PV,PV!E((4/`3M5gyV'fJJJPV!PV,E<@@.F]#V'f66PV,PV!E((@0.F]P..'fN9BBPV!PV,E4a@@_T[[+T>V48_iV'fY.W.PV!PV,EI@@3;55{securityrebirth-networksu...'fzeWWPV,PV!E(I2T3;55securityrebirth-.etworksuV'ffWWPV!PV,EI@@3;Y55\securityrebirth-network.uV'fWWPV,PV!E(I2T3;5Y5securityrebirth-networksuV'fY.WW.V!PV,EI@@3;)55~securityrebirth-networksu

unknown

kz.adolfhitler.su.iV'f%NNPV!PV,E@P]@@V^r5,sPkzadolfhitlersunmV'fJ

unknown

kz.adolfhitler.su.#V'fNNPV,PV!E(@3L3l5Y,p\kzadolfhitlersus#V'fJJJ

unknown

sex.secure-cyber-security.V'f6)66PV,PV!E((4o/3M5eyV'f*VVPV!PV,EHp@@.,3M54xysexsecure-cyber-securitys.'f66PV,PV!E((4/p3M5eyV'fVVP.!PV,EHq@@>3M54xysexsecure-cyber-securitysV'.&66PV,PV!E((4/g3M5 iyV'fA'VVPV!PV,EHq.@=3M54ysexsecure-cyber-securitys..'f66PV,PV!E((4/`3M5gyV'fJJJP.!PV,E<@@YF]#V'f66

unknown

kz.adolfhitler.su.mV'fJJPV!PV,E<R]@;E '@@<JUPINGnV'f`$NN

unknown

kz.adolfhitler.su.V'fV66PV,PV!EH(65G)V'fNNPV!PV,E@u@@

unknown

There are 15 hidden domains, click here to show them.

IPs

Domain

Country

Malicious

212.70.149.14

unknown

Bulgaria

Details

IP:	212.70.149.14
TargetID:	-1
Country:	Bulgaria
Countrycode:	BGR
ASN number:	208410
ASN name:	INTERNET-HOSTINGBG
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

0.4.0.4

unknown

109.202.202.202

unknown

Switzerland

Details

IP:	109.202.202.202
TargetID:	-1
Country:	Switzerland
Countrycode:	CHE
ASN number:	13030
ASN name:	INIT7CH
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.43

unknown

United Kingdom

Details

IP:	91.189.91.43
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.42

unknown

United Kingdom

Details

IP:	91.189.91.42
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

f12000

page read and write

7fff4bfd2000

page read and write

f14000

page read and write

7fff4bfd2000

page read and write

7fff4bffb000

page execute read

7fff4bfd2000

page read and write

7fff4bffb000

page execute read

f15000

page read and write

416000

page execute read

416000

page execute read

621000

page read and write

416000

page execute read

7fff4bffb000

page execute read

621000

page read and write

f12000

page read and write

7fff4bffb000

page execute read

f12000

page read and write

f12000

page read and write

621000

page read and write

f13000

page read and write

621000

page read and write

7fff4bfd2000

page read and write

416000

page execute read

There are 13 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf

Processes

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportSecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf

Processes

Domains

IPs

Memdumps

IOC Report
SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf