Linux Analysis Report
SecuriteInfo.com.Linux.Siggen.7228.11695.14684.elf

Overview

General Information

Sample name: SecuriteInfo.com.Linux.Siggen.7228.11695.14684.elf
Analysis ID: 1430164
MD5: bb08c43e8047acfe9c49af768a8998b8
SHA1: 5cd38d59e8cc458a29a0ba167dbbd66b3e4ea6eb
SHA256: daad91ca9dd7cf5a4ce54847d7e7ec2f829d5145099930af3f728af644c34697
Tags: elf

Detection

Score: 64
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Queries the IP of a very long domain name
Sample deletes itself
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to kill multiple processes (SIGKILL)
Connects to many different domains
Deletes log files
Detected TCP or UDP traffic on non-standard ports
ELF contains segments with high entropy indicating compressed/encrypted content
Executes commands using a shell command-line interpreter
Executes the "grep" command used to find patterns in files or piped streams
Executes the "kill" or "pkill" command typically used to terminate processes
Reads CPU information from /sys indicative of miner or evasive malware
Reads the 'hosts' file potentially containing internal network hosts
Sample contains only a LOAD segment without any section mappings
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Uses the "uname" system call to query kernel version information (possible evasion)
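Two of the signatures above are static and can be reproduced offline: "ELF contains segments with high entropy" (the report measures the LOAD segments at 7.9024 and 7.9572 bits per byte out of 8.0) and "Sample contains only a LOAD segment without any section mappings" (the LOAD segment at 0x400000 with no section header table). The script below is an added example, not Joe Sandbox code: it parses the ELF header and program headers with the standard library only, reports e_machine, computes Shannon entropy per PT_LOAD segment and checks whether a section header table is present. The memory strings later in this report (/usr/bin/qemu-mipsel, /etc/qemu-binfmt/mipsel) show the sample was run through QEMU user-mode emulation, so e_machine, not the host process, tells you the real target architecture. The sample ELF built by build_sample_elf() is constructed for the demo (a minimal ELF32 little-endian MIPS image) and is not the analysed file; the 7.0 bits/byte threshold is an assumption.

```python
"""ELF triage: per-segment entropy and section-table check.

Added example, not Joe Sandbox code. Standard library only; the sample ELF
built by build_sample_elf() is constructed for the demo, not the analysed file.
"""
import math
import random
import struct

PT_LOAD = 1
E_MACHINE = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}
ENTROPY_THRESHOLD = 7.0  # assumed: bits/byte above which a segment looks packed/encrypted


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in 0.0..8.0; compressed or encrypted data sits close to 8."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_elf(data: bytes, threshold: float = ENTROPY_THRESHOLD) -> dict:
    """Parse the ELF header and program headers; report arch, LOAD entropy, section table."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == 1 else ">"                   # ELFDATA2LSB / ELFDATA2MSB
    if ei_class == 1:                                     # ELFCLASS32, 52-byte header
        hdr = struct.unpack_from(end + "HHIIIIIHHHHHH", data, 16)
        ph_fmt, ti, oi, si = end + "IIIIIIII", 0, 1, 4    # p_type, p_offset, p_filesz
    elif ei_class == 2:                                   # ELFCLASS64, 64-byte header
        hdr = struct.unpack_from(end + "HHIQQQIHHHHHH", data, 16)
        ph_fmt, ti, oi, si = end + "IIQQQQQQ", 0, 2, 5
    else:
        raise ValueError("unknown EI_CLASS %d" % ei_class)
    # hdr = e_type e_machine e_version e_entry e_phoff e_shoff e_flags e_ehsize
    #       e_phentsize e_phnum e_shentsize e_shnum e_shstrndx
    e_machine, e_phoff, e_shoff = hdr[1], hdr[4], hdr[5]
    e_phentsize, e_phnum, e_shnum = hdr[8], hdr[9], hdr[11]

    segments = []
    for i in range(e_phnum):
        ph = struct.unpack_from(ph_fmt, data, e_phoff + i * e_phentsize)
        if ph[ti] != PT_LOAD:
            continue
        off, size = ph[oi], ph[si]
        segments.append({"offset": off, "filesz": size,
                         "entropy": round(shannon_entropy(data[off:off + size]), 4)})

    has_sections = e_shoff != 0 and e_shnum != 0
    flags = []
    if any(s["entropy"] >= threshold for s in segments):
        flags.append("high-entropy LOAD segment (compressed/encrypted content)")
    if segments and not has_sections:
        flags.append("LOAD segment(s) without any section headers")
    return {
        "class": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "machine": E_MACHINE.get(e_machine, hex(e_machine)),
        "segments": segments,
        "has_section_headers": has_sections,
        "flags": flags,
    }


def packed_payload(n: int = 4096, seed: int = 1337) -> bytes:
    """Deterministic pseudo-random bytes standing in for a packed .text (constructed)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def build_sample_elf(payload: bytes, keep_sections: bool = False) -> bytes:
    """Constructed ELF32 little-endian MIPS executable with a single PT_LOAD at 0x400000."""
    ehsize, phentsize, shentsize = 52, 32, 40
    filesz = ehsize + phentsize + len(payload)
    shoff, shnum = (filesz, 1) if keep_sections else (0, 0)
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8   # 32-bit, LSB, version 1, SYSV ABI
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH",
                               2, 8, 1, 0x400000 + ehsize + phentsize,  # ET_EXEC, EM_MIPS, entry
                               ehsize, shoff, 0, ehsize, phentsize, 1, shentsize, shnum, 0)
    phdr = struct.pack("<IIIIIIII", PT_LOAD, 0, 0x400000, 0x400000, filesz, filesz, 5, 0x1000)
    image = ehdr + phdr + payload
    if keep_sections:
        image += b"\x00" * shentsize                          # a lone SHT_NULL entry
    return image


if __name__ == "__main__":
    for label, payload, keep in (("packed", packed_payload(), False),
                                 ("plain", b"A" * 4096, True)):
        report = triage_elf(build_sample_elf(payload, keep))
        print(label, report["machine"], report["endian"], report["segments"], report["flags"])
```

On a real sample, replace build_sample_elf() with the file bytes (open(path, "rb").read()); a stripped section table is normal for UPX-style packers and for hand-built loaders, so treat the two flags together with the entropy figures rather than as a verdict on their own.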

Classification

AV Detection

Source: SecuriteInfo.com.Linux.Siggen.7228.11695.14684.elf ReversingLabs: Detection: 39%
Source: SecuriteInfo.com.Linux.Siggen.7228.11695.14684.elf Virustotal: Detection: 9%

Networking

Source: unknown DNS traffic detected: query: siegheil.hiter.su.V'fj66a/PV!EH(5pE5pV'fNNPV!a/E@
Source: unknown DNS traffic detected: query: siegheil.hiter.su.V'f66a/PV!EH(4q45V'fNNPV!a/E@
Source: unknown DNS traffic detected: query: siegheil.hiter.su.V'f66a/PV!EH(5p)5qV'f,NNPV!a/E@
Source: unknown DNS traffic detected: query: siegheil.hiter.su.V'fvw66a/PV!EH(3r5,MV'f]xNNPV!a/E@
Source: unknown DNS traffic detected: query: siegheil.hiter.su.V'f%66a/PV!EH(4q5Ky.V'fJJPV!a/E<.@@gF&dV'f66a
Source: unknown DNS traffic detected: query: siegheil.hiter.su.V'fc66a/PV!E((k5D5j$nV'fdNNPV!a/E@w.@@ub5,nsiegheilhitersun..'f66a/PV!E((r5D5b`DnV'fNNP.!a/E@wD@@u5,nsiegheilhitersunV'f6
Source: unknown DNS traffic detected: query: siegheil.hiter.su.V'f66a/PV!E((r5D5b`DnV'fNNPV!a/E@w.@@u5,nsiegheilhitersunV'f6
Source: unknown DNS traffic detected: query: siegheil.hiter.su.V'f66a/PV!E((4E5tnV'fNNPV!a/E@w.@@u5,nsiegheilhitersunV'fv6.a/PV!E((4E5xn
Source: unknown DNS traffic detected: query: siegheil.hiter.su.V'fv66a/PV!E((4E5xnV'fwNNPV!a/E@w.@@u5,nsiegheilhitersunV'f!66
Source: unknown DNS traffic detected: query: siegheil.hiter.su.V'f!66a/PV!E((4E5=nV'fJJPV!a/E<j.@@4F3" V'f66a/PV!E((@0F3"P.'fvNNPV!a/E@N@@2=5,~mWssiegheilhitersu.V'fJ^66a/PV!EH(3Jr=5WsV'f_NNPV!a/E@N
Source: unknown DNS traffic detected: query: siegheil.hiter.su.V'fJ^66a/PV!EH(3Jr=5WsV'f_NNPV!a/E@N
Source: unknown DNS traffic detected: query: siegheil.hiter.su.V'f,566a/PV!EH(2KY=5WsV'f5NNPV!a/E@N
Source: unknown DNS traffic detected: query: siegheil.hiter.su.V'f66a/PV!EH(2KH=5<\WsV'fNNPV!a/E@N
Source: unknown DNS traffic detected: query: siegheil.hiter.su.V'f66a/PV!EH(2K<=5WsV'fNNPV!a/E@N
Source: unknown DNS traffic detected: query: siegheil.hiter.su.V'fMm66a/PV!EH(2K=5WsV'fnJJPV!a/E<
Source: unknown DNS traffic detected: query: sex.secure-cyber-security.V'f466a/PV!EH(rv5tl]V'f=VVPV!a/EH@@
Source: unknown DNS traffic detected: query: sex.secure-cyber-security.V'f\66a/PV!EH(hvnT5tG]V'fVVPV!a/EH@@
Source: unknown DNS traffic detected: query: sex.secure-cyber-security.V'fr66a/PV!EH(tm5Y]V'fsVVPV!a/EH@@
Source: unknown DNS traffic detected: query: sex.secure-cyber-security.V'f66a/PV!EH(@v{5d`]V'fVVPV!a/EH0@@
Source: unknown DNS traffic detected: query: sex.secure-cyber-security.V'fz#66a/PV!EH(<vb5]V'f8%JJPV!a/E<@@.
Source: unknown DNS traffic detected: query: sex.secure-cyber-security.V'fVVa/PV!EHHs3$W54#<sexsecure-cyber-securitysV'f~.VPV!a/EH3@@8@$W754<sexsecure-cyber-securit.sV'f5VVa/PV!EHH3$W574V<sexsecure-cyber-securitysV'f7VV
Source: unknown DNS traffic detected: query: sex.secure-cyber-security.V'f5VVa/PV!EHH3$W574V<sexsecure-cyber-securitysV'f7.VPV!a/EH\@@8$W54<sexsecure-cyber-securit.sV'fVVa/PV!EHH3$W54.<sexsecure-cyber-securitysV'fhVV
Source: unknown DNS traffic detected: query: sex.secure-cyber-security.V'fVVa/PV!EHH3$W54.<sexsecure-cyber-securitysV'fh.VPV!a/EHq@@8$W54"<sexsecure-cyber-securit.sV'fVVa/PV!EHH3$W54!<sexsecure-cyber-securitysV'f[VV
Source: unknown DNS traffic detected: query: sex.secure-cyber-security.V'fVVa/PV!EHH3$W54!<sexsecure-cyber-securitysV'f[.VPV!a/EH@@7$W54~<sexsecure-cyber-securit.sV'f=7VVa/PV!EHH3$W54W}<sexsecure-cyber-securitysV'f$8JJ
Source: unknown DNS traffic detected: query: sex.secure-cyber-security.V'f=7VVa/PV!EHH3$W54W}<sexsecure-cyber-securitysV'f$8.JPV!a/E<6@@FbtH}p
Source: unknown DNS traffic detected: query: siegheil.hiter.su.V'fM66a/PV!E((m4C5IV'fNNNPV!a/E@x@@.5,$siegheilhitersusV'f66a/PV!E((n4C5
Source: unknown DNS traffic detected: query: siegheil.hiter.su.V'f66a/PV!E((n4C5V'fNNPV!a/E@x@@.&5,siegheilhitersusV'fP66a/PV!E((y4C5&d
Source: unknown DNS traffic detected: query: siegheil.hiter.su.V'fP66a/PV!E((y4C5&dV'fNNPV!a/E@x@@.}5,G_siegheilhitersusV'f5a66a/PV!E((5B5
Source: unknown DNS traffic detected: query: siegheil.hiter.su.V'f5a66a/PV!E((5B5V'faNNPV!a/E@x@@.{(5,siegheilhitersusV'fE66a/PV!E((5B5(?
Source: unknown DNS traffic detected: query: siegheil.hiter.su.V'fE66a/PV!E((5B5(?V'fJJPV!a/E<@@.F2V'f66a/PV.E((@0F2
Source: unknown Network traffic detected: DNS query count 31
Source: global traffic TCP traffic: 192.168.2.13:42668 -> 212.70.149.14:35342
Source: global traffic TCP traffic: 192.168.2.13:40674 -> 212.70.149.10:35342
Source: /usr/sbin/rsyslogd (PID: 5493) Reads hosts file: /etc/hosts
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7228.11695.14684.elf (PID: 5425) Socket: 127.0.0.1::8345
Source: unknown TCP traffic detected without corresponding DNS query: 54.247.62.1
Source: unknown TCP traffic detected without corresponding DNS query: 185.125.190.26
Source: unknown TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown TCP traffic detected without corresponding DNS query: 185.125.190.26
Source: unknown UDP traffic detected without corresponding DNS query: 94.16.114.254
Source: unknown UDP traffic detected without corresponding DNS query: 94.16.114.254
Source: unknown UDP traffic detected without corresponding DNS query: 94.16.114.254
Source: unknown UDP traffic detected without corresponding DNS query: 94.16.114.254
Source: unknown UDP traffic detected without corresponding DNS query: 94.16.114.254
Source: unknown UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown UDP traffic detected without corresponding DNS query: 134.195.4.2
Source: unknown UDP traffic detected without corresponding DNS query: 134.195.4.2
Source: unknown UDP traffic detected without corresponding DNS query: 134.195.4.2
Source: unknown UDP traffic detected without corresponding DNS query: 134.195.4.2
Source: unknown UDP traffic detected without corresponding DNS query: 134.195.4.2
Source: unknown UDP traffic detected without corresponding DNS query: 185.181.61.24
Source: unknown UDP traffic detected without corresponding DNS query: 185.181.61.24
Source: unknown UDP traffic detected without corresponding DNS query: 185.181.61.24
Source: unknown UDP traffic detected without corresponding DNS query: 185.181.61.24
Source: unknown UDP traffic detected without corresponding DNS query: 185.181.61.24
Source: unknown UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown UDP traffic detected without corresponding DNS query: 134.195.4.2
Source: unknown UDP traffic detected without corresponding DNS query: 134.195.4.2
Source: unknown UDP traffic detected without corresponding DNS query: 134.195.4.2
Source: unknown UDP traffic detected without corresponding DNS query: 134.195.4.2
Source: unknown UDP traffic detected without corresponding DNS query: 134.195.4.2
Source: unknown DNS traffic detected: queries for: security.rebirth-network.su
Source: unknown Network traffic detected: HTTP traffic on port 57218 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57218
Source: unknown Network traffic detected: HTTP traffic on port 48202 -> 443
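The query names logged in this section contain bytes that cannot occur in a DNS name (quotes, slashes, parentheses, '@') and, in several lines, labels longer than the 63-octet limit of RFC 1035, so what the sandbox printed as a hostname is at least partly raw datagram payload; the usable indicators are the leading well-formed labels (siegheil.hiter.su, sex.secure-cyber-security, security.rebirth-network.su). The script below is an added example, not part of the report or of any Joe Sandbox tooling: it applies the RFC 1035 length limits and the hostname character set to each logged query, carves the longest leading run of valid labels so the queries can be grouped by the domain that was actually resolvable, and flags long, high-entropy leftmost labels of the kind DNS tunnelling and DGA traffic produce. The log lines are constructed for the example (the first two copied from this report, the rest invented), and the entropy threshold of 3.5 bits per character for labels of 16 or more characters is an assumption.

```python
"""DNS query sanity check over sandbox-style log lines.

Added example, not Joe Sandbox code. Applies RFC 1035 length limits and the
hostname character set to each logged query name, carves the longest leading
run of valid labels, and flags long high-entropy leftmost labels.
"""
import math
import re
from collections import Counter

# Line shapes used by the report: "... query: <name>" and "... queries for: <name>".
QUERY_RE = re.compile(r"DNS traffic detected: quer(?:y|ies for): (.+)$")
# Letters, digits, hyphen (RFC 1035) plus underscore, which SRV/DKIM-style names use.
LDH_RE = re.compile(r"^[A-Za-z0-9_-]+$")
MAX_LABEL, MAX_NAME = 63, 253
ENTROPY_BITS, MIN_LEN = 3.5, 16  # assumed thresholds for the leftmost-label check

# Constructed sample: first two lines copied from this report, the rest invented.
SAMPLE_LOG = [
    "Source: unknown DNS traffic detected: query: siegheil.hiter.su.V'fj66a/PV!EH(5pE5pV'fNNPV!a/E@",
    "Source: unknown DNS traffic detected: query: sex.secure-cyber-security.V'f466a/PV!EH(rv5tl]V'f=VVPV!a/EH@@",
    "Source: unknown DNS traffic detected: queries for: security.rebirth-network.su",
    "Source: unknown DNS traffic detected: query: aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q.tunnel.example",
    "Source: unknown DNS traffic detected: query: pool.ntp.org",
    "Source: unknown DNS traffic detected: query: " + "a" * 70 + ".example",
]


def char_entropy(s: str) -> float:
    """Shannon entropy in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def check_qname(name: str) -> dict:
    """Validate one query name and carve its longest leading run of valid labels."""
    issues = []
    name = name.rstrip(".")
    if len(name) > MAX_NAME:
        issues.append(f"name exceeds {MAX_NAME} chars ({len(name)})")
    labels = name.split(".")
    valid_prefix, prefix_ok = [], True
    for lab in labels:
        ok = 0 < len(lab) <= MAX_LABEL and bool(LDH_RE.match(lab))
        if not lab:
            issues.append("empty label")
        elif len(lab) > MAX_LABEL:
            issues.append(f"label exceeds {MAX_LABEL} octets ({len(lab)})")
        elif not LDH_RE.match(lab):
            issues.append(f"non-LDH bytes in label {lab[:12]!r}")
        if prefix_ok and ok:
            valid_prefix.append(lab)
        else:
            prefix_ok = False        # stop carving at the first bad label
    first = labels[0]
    if len(first) >= MIN_LEN and char_entropy(first) > ENTROPY_BITS:
        issues.append("high-entropy leftmost label")
    return {"name": name, "clean_prefix": ".".join(valid_prefix), "issues": issues}


def triage_queries(lines) -> list:
    """Run check_qname() over every log line that carries a DNS query."""
    out = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            out.append(check_qname(m.group(1).strip()))
    return out


def count_by_prefix(results) -> Counter:
    """Group queries by carved prefix; '' collects names with no usable leading label."""
    return Counter(r["clean_prefix"] for r in results)


if __name__ == "__main__":
    results = triage_queries(SAMPLE_LOG)
    for r in results:
        print(f"{r['clean_prefix'] or '<none>':32} {r['issues']}")
    print(count_by_prefix(results))
```

Feed it the Networking lines of the report and the per-prefix counter gives the same three resolvable domains the "Connects to many different domains" signature is counting, with every malformed tail reported separately instead of inflating the domain count.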

System Summary

Source: /tmp/SecuriteInfo.com.Linux.Siggen.7228.11695.14684.elf (PID: 5430) SIGKILL sent to 66 pids: 1 (init), 490, 660, 726, 727, 765, 767, 778, 780, 783, 790, 795, 800, 936, 1400, 1410, 1411, 1432, 1475, 1565, 1805, 2926, 2935, 2936, 2970, 3069, 3122, 3132, 3589, 3764, 5266, 5409, 5410, 5432, 5434, 5436, 5438, 5458, 5472, 5473, 5477, 5480, 5481, 5485, 5486, 5487, 5488, 5489, 5490, 5491, 5492, 5493, 5497, 5498, 5501, 5503, 5506, 5507, 5510, 5511, 5513, 5514, 5515, 5516, 5517, 5519; result: successful for every pid except 5515 (no such process)
Note on pid 1: "successful" records the return value of kill(2), not the outcome. The kernel only delivers to init those signals for which init has installed a handler, and SIGKILL cannot be caught, so a SIGKILL aimed at pid 1 is accepted and silently discarded; init was not terminated by this call.
Source: LOAD without section mappings Program segment: 0x400000
Source: classification engine Classification label: mal64.spre.troj.evad.linELF@0/0@36/0

Persistence and Installation Behavior

Source: /bin/fusermount (PID: 5474) File: /proc/5474/mounts
Source: /usr/bin/gpu-manager (PID: 5499) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5504) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /bin/sh (PID: 5505) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /usr/share/gdm/generate-config (PID: 5502) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /usr/share/gdm/generate-config (PID: 5507) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /usr/share/gdm/generate-config (PID: 5512) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /usr/share/gdm/generate-config (PID: 5515) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /usr/share/gdm/generate-config (PID: 5518) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service

Hooking and other Techniques for Hiding and Protection

Source: /tmp/SecuriteInfo.com.Linux.Siggen.7228.11695.14684.elf (PID: 5425) File: /tmp/SecuriteInfo.com.Linux.Siggen.7228.11695.14684.elf
Source: SecuriteInfo.com.Linux.Siggen.7228.11695.14684.elf Submission file: segment LOAD with 7.9024 entropy (max. 8.0)
Source: SecuriteInfo.com.Linux.Siggen.7228.11695.14684.elf Submission file: segment LOAD with 7.9572 entropy (max. 8.0)
Source: /usr/bin/gpu-manager (PID: 5498) Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 5503) Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 5513) Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 5516) Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/pkill (PID: 5507) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5515) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5518) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7228.11695.14684.elf (PID: 5425) Queries kernel information via 'uname'
Source: /usr/sbin/rsyslogd (PID: 5493) Queries kernel information via 'uname'
Source: /usr/sbin/rsyslogd (PID: 5497) Queries kernel information via 'uname'
Source: SecuriteInfo.com.Linux.Siggen.7228.11695.14684.elf, 5436.1.000055ba334e9000.000055ba33598000.rw-.sdmp Binary or memory string: U/mipsel/tmp/vmware-root_727-4290690966
Source: SecuriteInfo.com.Linux.Siggen.7228.11695.14684.elf, 5436.1.000055ba334e9000.000055ba33598000.rw-.sdmp Binary or memory string: /mipsel/tmp/vmware-root_727-4290690966
Source: SecuriteInfo.com.Linux.Siggen.7228.11695.14684.elf, 5425.1.000055ba334e9000.000055ba33598000.rw-.sdmp, SecuriteInfo.com.Linux.Siggen.7228.11695.14684.elf, 5432.1.000055ba334e9000.000055ba33598000.rw-.sdmp, SecuriteInfo.com.Linux.Siggen.7228.11695.14684.elf, 5434.1.000055ba334e9000.000055ba33598000.rw-.sdmp, SecuriteInfo.com.Linux.Siggen.7228.11695.14684.elf, 5436.1.000055ba334e9000.000055ba33598000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/mipsel
Source: SecuriteInfo.com.Linux.Siggen.7228.11695.14684.elf, 5436.1.000055ba334e9000.000055ba33598000.rw-.sdmp Binary or memory string: U1/tmp/vmware-root_727-42906909661mips32r6-generic-mips-cpuQ@&R3
Source: SecuriteInfo.com.Linux.Siggen.7228.11695.14684.elf, 5436.1.00007f69e8430000.00007f69e843c000.rw-.sdmp Binary or memory string: vmware-root_727-4290690966
Source: SecuriteInfo.com.Linux.Siggen.7228.11695.14684.elf, 5436.1.000055ba334e9000.000055ba33598000.rw-.sdmp Binary or memory string: /tmp/vmware-root_727-4290690966
Source: SecuriteInfo.com.Linux.Siggen.7228.11695.14684.elf, 5436.1.00007f69e843c000.00007f69e843f000.rw-.sdmp Binary or memory string: a/tmp/systemd-private-fe424f1b0f85425093f40a37100b81c4-colord.service-PB7Ovfa1/tmp/vmware-root_727-4290690966
Source: SecuriteInfo.com.Linux.Siggen.7228.11695.14684.elf, 5425.1.00007fff6d9e8000.00007fff6da09000.rw-.sdmp, SecuriteInfo.com.Linux.Siggen.7228.11695.14684.elf, 5432.1.00007fff6d9e8000.00007fff6da09000.rw-.sdmp, SecuriteInfo.com.Linux.Siggen.7228.11695.14684.elf, 5434.1.00007fff6d9e8000.00007fff6da09000.rw-.sdmp, SecuriteInfo.com.Linux.Siggen.7228.11695.14684.elf, 5436.1.00007fff6d9e8000.00007fff6da09000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-mipsel/tmp/SecuriteInfo.com.Linux.Siggen.7228.11695.14684.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/SecuriteInfo.com.Linux.Siggen.7228.11695.14684.elf
Source: SecuriteInfo.com.Linux.Siggen.7228.11695.14684.elf, 5425.1.000055ba334e9000.000055ba33598000.rw-.sdmp, SecuriteInfo.com.Linux.Siggen.7228.11695.14684.elf, 5432.1.000055ba334e9000.000055ba33598000.rw-.sdmp, SecuriteInfo.com.Linux.Siggen.7228.11695.14684.elf, 5434.1.000055ba334e9000.000055ba33598000.rw-.sdmp, SecuriteInfo.com.Linux.Siggen.7228.11695.14684.elf, 5436.1.000055ba334e9000.000055ba33598000.rw-.sdmp Binary or memory string: U!/etc/qemu-binfmt/mipsel
Source: SecuriteInfo.com.Linux.Siggen.7228.11695.14684.elf, 5425.1.00007fff6d9e8000.00007fff6da09000.rw-.sdmp, SecuriteInfo.com.Linux.Siggen.7228.11695.14684.elf, 5432.1.00007fff6d9e8000.00007fff6da09000.rw-.sdmp, SecuriteInfo.com.Linux.Siggen.7228.11695.14684.elf, 5434.1.00007fff6d9e8000.00007fff6da09000.rw-.sdmp, SecuriteInfo.com.Linux.Siggen.7228.11695.14684.elf, 5436.1.00007fff6d9e8000.00007fff6da09000.rw-.sdmp Binary or memory string: /usr/bin/qemu-mipsel