Linux Analysis Report
XHYKEGTtfq.elf

ID:	1430906
Product:	CloudBasic
Start time:	10:57:06
Start date:	24.04.2024
Sample:	XHYKEGTtfq.elf
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Architecture:	LINUX
MD5:	73b136cb342e7a64855905830cdf0c0b
SHA1:	87c0098d9c86435194231c2f5623a7e8c488a861
SHA256:	c860d081fb8cfed28d01b054bf1611c295a6d307537563ad02650cc94c280746
Filetype:	ELF Executable and Linkable format (generic) (4004/1) 100.00%

Name	Type	MD5	SHA1	SHA256

AV Detection

Source: XHYKEGTtfq.elf

Virustotal: Detection: 11%

Perma Link

Bitcoin Miner

Source: /usr/bin/pkill (PID: 5509)	Reads CPU info from /sys: /sys/devices/system/cpu/online			Jump to behavior
Source: /usr/bin/pkill (PID: 5517)	Reads CPU info from /sys: /sys/devices/system/cpu/online			Jump to behavior

Networking

Source: global traffic

TCP traffic: 192.168.2.13:42674 -> 212.70.149.14:35342

Source: /tmp/XHYKEGTtfq.elf (PID: 5432)

Socket: 127.0.0.1::8345

Jump to behavior

Source: unknown	TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown	TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown	TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown	TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown	TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown	TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown	TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown	TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown	TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown	TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown	TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown	TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown	TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown	TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown	TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown	TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 51.77.149.139
Source: unknown	UDP traffic detected without corresponding DNS query: 51.77.149.139
Source: unknown	UDP traffic detected without corresponding DNS query: 51.77.149.139
Source: unknown	UDP traffic detected without corresponding DNS query: 51.77.149.139
Source: unknown	UDP traffic detected without corresponding DNS query: 51.77.149.139
Source: unknown	UDP traffic detected without corresponding DNS query: 185.181.61.24
Source: unknown	UDP traffic detected without corresponding DNS query: 185.181.61.24
Source: unknown	UDP traffic detected without corresponding DNS query: 185.181.61.24
Source: unknown	UDP traffic detected without corresponding DNS query: 185.181.61.24
Source: unknown	UDP traffic detected without corresponding DNS query: 185.181.61.24
Source: unknown	UDP traffic detected without corresponding DNS query: 134.195.4.2
Source: unknown	UDP traffic detected without corresponding DNS query: 134.195.4.2
Source: unknown	UDP traffic detected without corresponding DNS query: 134.195.4.2
Source: unknown	UDP traffic detected without corresponding DNS query: 134.195.4.2
Source: unknown	UDP traffic detected without corresponding DNS query: 134.195.4.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 51.254.162.59
Source: unknown	UDP traffic detected without corresponding DNS query: 51.254.162.59
Source: unknown	UDP traffic detected without corresponding DNS query: 51.254.162.59
Source: unknown	UDP traffic detected without corresponding DNS query: 51.254.162.59
Source: unknown	UDP traffic detected without corresponding DNS query: 51.254.162.59
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 51.77.149.139
Source: unknown	UDP traffic detected without corresponding DNS query: 51.77.149.139
Source: unknown	UDP traffic detected without corresponding DNS query: 51.77.149.139
Source: unknown	UDP traffic detected without corresponding DNS query: 51.77.149.139
Source: unknown	UDP traffic detected without corresponding DNS query: 51.77.149.139
Source: unknown	UDP traffic detected without corresponding DNS query: 94.16.114.254
Source: unknown	UDP traffic detected without corresponding DNS query: 94.16.114.254

System Summary

Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 1 (init), result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 490, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 660, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 726, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 727, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 765, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 767, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 778, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 780, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 783, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 790, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 795, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 800, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 936, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 1400, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 1410, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 1411, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 1432, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 1475, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 1565, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 1805, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 2926, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 2935, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 2936, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 2970, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 3069, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 3122, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 3132, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 3772, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5272, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5415, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5416, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5438, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5440, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5441, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5444, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5461, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5478, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5480, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5484, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5485, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5486, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5490, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5491, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5492, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5493, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5494, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5495, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5496, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5497, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5498, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5499, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5502, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5505, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5507, result: no such process			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5508, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5510, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5511, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5512, result: no such process			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5513, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5514, result: no such process			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5515, result: no such process			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5516, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5517, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5518, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5519, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5521, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5522, result: successful			Jump to behavior

Source: LOAD without section mappings

Program segment: 0x10000000

Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 1 (init), result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 490, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 660, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 726, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 727, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 765, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 767, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 778, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 780, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 783, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 790, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 795, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 800, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 936, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 1400, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 1410, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 1411, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 1432, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 1475, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 1565, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 1805, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 2926, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 2935, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 2936, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 2970, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 3069, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 3122, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 3132, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 3772, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5272, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5415, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5416, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5438, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5440, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5441, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5444, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5461, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5478, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5480, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5484, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5485, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5486, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5490, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5491, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5492, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5493, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5494, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5495, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5496, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5497, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5498, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5499, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5502, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5505, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5507, result: no such process			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5508, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5510, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5511, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5512, result: no such process			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5513, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5514, result: no such process			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5515, result: no such process			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5516, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5517, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5518, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5519, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5521, result: successful			Jump to behavior
Source: /tmp/XHYKEGTtfq.elf (PID: 5436)	SIGKILL sent: pid: 5522, result: successful			Jump to behavior

Source: classification engine

Classification label: mal60.spre.troj.evad.linELF@0/0@0/0

Persistence and Installation Behavior

Source: /bin/fusermount (PID: 5479)

File: /proc/5479/mounts

Jump to behavior

Source: /usr/bin/gpu-manager (PID: 5506)	Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"			Jump to behavior
Source: /usr/bin/gpu-manager (PID: 5514)	Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"			Jump to behavior

Source: /bin/sh (PID: 5507)	Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf			Jump to behavior
Source: /bin/sh (PID: 5515)	Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf			Jump to behavior

Source: /usr/share/gdm/generate-config (PID: 5509)	Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service			Jump to behavior
Source: /usr/share/gdm/generate-config (PID: 5512)	Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service			Jump to behavior
Source: /usr/share/gdm/generate-config (PID: 5517)	Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service			Jump to behavior
Source: /usr/share/gdm/generate-config (PID: 5520)	Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service			Jump to behavior
Source: /usr/share/gdm/generate-config (PID: 5523)	Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Source: /tmp/XHYKEGTtfq.elf (PID: 5432)

File: /tmp/XHYKEGTtfq.elf

Jump to behavior

Source: XHYKEGTtfq.elf	Submission file: segment LOAD with 7.8829 entropy (max. 8.0)
Source: XHYKEGTtfq.elf	Submission file: segment LOAD with 7.972 entropy (max. 8.0)

Malware Analysis System Evasion

Source: /usr/bin/gpu-manager (PID: 5505)	Truncated file: /var/log/gpu-manager.log			Jump to behavior
Source: /usr/bin/gpu-manager (PID: 5510)	Truncated file: /var/log/gpu-manager.log			Jump to behavior
Source: /usr/bin/gpu-manager (PID: 5513)	Truncated file: /var/log/gpu-manager.log			Jump to behavior
Source: /usr/bin/gpu-manager (PID: 5521)	Truncated file: /var/log/gpu-manager.log			Jump to behavior

Source: /usr/bin/pkill (PID: 5509)	Reads CPU info from /sys: /sys/devices/system/cpu/online			Jump to behavior
Source: /usr/bin/pkill (PID: 5517)	Reads CPU info from /sys: /sys/devices/system/cpu/online			Jump to behavior

Source: /tmp/XHYKEGTtfq.elf (PID: 5432)

Queries kernel information via 'uname':

Jump to behavior

Source: XHYKEGTtfq.elf, 5441.1.00005585d9d4f000.00005585d9e20000.rw-.sdmp	Binary or memory string: /ppc/tmp/vmware-root_727-4290690966
Source: XHYKEGTtfq.elf, 5432.1.00005585d9d4f000.00005585d9e20000.rw-.sdmp	Binary or memory string: !/etc/qemu-binfmt/ppc11!hotpluggableq
Source: XHYKEGTtfq.elf, 5441.1.00007f7dac035000.00007f7dac038000.rw-.sdmp	Binary or memory string: 1/tmp/vmware-root_727-4290690966
Source: XHYKEGTtfq.elf, 5438.1.00005585d9d4f000.00005585d9e20000.rw-.sdmp, XHYKEGTtfq.elf, 5440.1.00005585d9d4f000.00005585d9e20000.rw-.sdmp, XHYKEGTtfq.elf, 5441.1.00005585d9d4f000.00005585d9e20000.rw-.sdmp	Binary or memory string: !/etc/qemu-binfmt/ppc1
Source: XHYKEGTtfq.elf, 5432.1.00007ffe423d8000.00007ffe423f9000.rw-.sdmp, XHYKEGTtfq.elf, 5438.1.00007ffe423d8000.00007ffe423f9000.rw-.sdmp, XHYKEGTtfq.elf, 5440.1.00007ffe423d8000.00007ffe423f9000.rw-.sdmp, XHYKEGTtfq.elf, 5441.1.00007ffe423d8000.00007ffe423f9000.rw-.sdmp	Binary or memory string: =x86_64/usr/bin/qemu-ppc/tmp/XHYKEGTtfq.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/XHYKEGTtfq.elf
Source: XHYKEGTtfq.elf, 5441.1.00005585d9d4f000.00005585d9e20000.rw-.sdmp	Binary or memory string: U1/tmp/vmware-root_727-4290690966
Source: XHYKEGTtfq.elf, 5432.1.00005585d9d4f000.00005585d9e20000.rw-.sdmp, XHYKEGTtfq.elf, 5438.1.00005585d9d4f000.00005585d9e20000.rw-.sdmp, XHYKEGTtfq.elf, 5440.1.00005585d9d4f000.00005585d9e20000.rw-.sdmp, XHYKEGTtfq.elf, 5441.1.00005585d9d4f000.00005585d9e20000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/ppc
Source: XHYKEGTtfq.elf, 5441.1.00007f7dac02a000.00007f7dac035000.rw-.sdmp	Binary or memory string: vmware-root_727-4290690966
Source: XHYKEGTtfq.elf, 5441.1.00007f7dac035000.00007f7dac038000.rw-.sdmp	Binary or memory string: 0a/tmp/systemd-private-fe424f1b0f85425093f40a37100b81c4-colord.service-PB7Ovfa1/tmp/vmware-root_727-4290690966
Source: XHYKEGTtfq.elf, 5432.1.00007ffe423d8000.00007ffe423f9000.rw-.sdmp, XHYKEGTtfq.elf, 5438.1.00007ffe423d8000.00007ffe423f9000.rw-.sdmp, XHYKEGTtfq.elf, 5440.1.00007ffe423d8000.00007ffe423f9000.rw-.sdmp, XHYKEGTtfq.elf, 5441.1.00007ffe423d8000.00007ffe423f9000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-ppc
Source: XHYKEGTtfq.elf, 5441.1.00005585d9d4f000.00005585d9e20000.rw-.sdmp	Binary or memory string: /tmp/vmware-root_727-4290690966
Source: XHYKEGTtfq.elf, 5441.1.00005585d9d4f000.00005585d9e20000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/ppc/tmp/systemd-private-fe424f1b0f85425093f40a37100b81c4-upower.service-VKEayg
Source: XHYKEGTtfq.elf, 5441.1.00005585d9d4f000.00005585d9e20000.rw-.sdmp	Binary or memory string: U/ppc/tmp/vmware-root_727-42906909665425093f40a37100b81c1/tmp/snap-private-tmp/snap.lxd/tmp