Edit tour

Linux Analysis Report
C1Dd84tB3n.elf

Overview

General Information

Sample name:	C1Dd84tB3n.elf renamed because original name is a hash value
Original sample name:	614535d91c815dc05beef2f10224e069.elf
Analysis ID:	1430909
MD5:	614535d91c815dc05beef2f10224e069
SHA1:	de5eb9772e7bf8087fecebb2c74ee998408be61e
SHA256:	8495237ddf43196df79fcfb9a5d8a7a5fd5a14e2d9012b5d7bee000dad10da75
Tags:	64elfgafgyt
Infos:

Detection

Score:	72
Range:	0 - 100
Whitelisted:	false

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Connects to many ports of the same IP (likely port scanning)

Machine Learning detection for sample

Reads system files that contain records of logged in users

Sample tries to kill multiple processes (SIGKILL)

Creates hidden files and/or directories

Detected TCP or UDP traffic on non-standard ports

Executes commands using a shell command-line interpreter

Executes the "grep" command used to find patterns in files or piped streams

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Sample has stripped symbol table

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Sample tries to set the executable flag

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses the "uname" system call to query kernel version information (possible evasion)

Yara signature match

Classification

Analysis Advice

All HTTP servers contacted by the sample do not answer. The sample is likely an old dropper which does no longer work.

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1430909
Start date and time:	2024-04-24 10:58:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	C1Dd84tB3n.elf renamed because original name is a hash value
Original Sample Name:	614535d91c815dc05beef2f10224e069.elf
Detection:	MAL
Classification:	mal72.spre.troj.linELF@0/12@3/0

Warnings

Connection to analysis system has been lost, crash info: Unknown

Process Tree

system is lnxubuntu20

C1Dd84tB3n.elf (PID: 5506, Parent: 5429, MD5: 614535d91c815dc05beef2f10224e069) Arguments: /tmp/C1Dd84tB3n.elf

C1Dd84tB3n.elf New Fork (PID: 5507, Parent: 5506)

C1Dd84tB3n.elf New Fork (PID: 5508, Parent: 5506)

udisksd New Fork (PID: 5514, Parent: 803)

dumpe2fs (PID: 5514, Parent: 803, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

gnome-session-binary New Fork (PID: 5551, Parent: 1383)

sh (PID: 5551, Parent: 1383, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-wacom

gsd-wacom (PID: 5551, Parent: 1383, MD5: 13778dd1a23a4e94ddc17ac9caa4fcc1) Arguments: /usr/libexec/gsd-wacom

udisksd New Fork (PID: 5569, Parent: 803)

dumpe2fs (PID: 5569, Parent: 803, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

systemd New Fork (PID: 5574, Parent: 1)

upowerd (PID: 5574, Parent: 1, MD5: 1253eea2fe5fe4017069664284e326cd) Arguments: /usr/lib/upower/upowerd

xfce4-panel New Fork (PID: 5585, Parent: 3172)

wrapper-2.0 (PID: 5585, Parent: 3172, MD5: ac0b8a906f359a8ae102244738682e76) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libsystray.so 6 12582920 systray "Notification Area" "Area where notification icons appear"

gnome-session-binary New Fork (PID: 5595, Parent: 1383)

sh (PID: 5595, Parent: 1383, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-keyboard

gsd-keyboard (PID: 5595, Parent: 1383, MD5: 8e288fd17c80bb0a1148b964b2ac2279) Arguments: /usr/libexec/gsd-keyboard

xfce4-panel New Fork (PID: 5597, Parent: 3172)

wrapper-2.0 (PID: 5597, Parent: 3172, MD5: ac0b8a906f359a8ae102244738682e76) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libstatusnotifier.so 7 12582921 statusnotifier "Status Notifier Plugin" "Provides a panel area for status notifier items (application indicators)"

xfce4-panel New Fork (PID: 5614, Parent: 3172)

wrapper-2.0 (PID: 5614, Parent: 3172, MD5: ac0b8a906f359a8ae102244738682e76) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libxfce4powermanager.so 9 12582923 power-manager-plugin "Power Manager Plugin" "Display the battery levels of your devices and control the brightness of your display"

gnome-session-binary New Fork (PID: 5615, Parent: 1383)

sh (PID: 5615, Parent: 1383, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-smartcard

gsd-smartcard (PID: 5615, Parent: 1383, MD5: ea1fbd7f62e4cd0331eae2ef754ee605) Arguments: /usr/libexec/gsd-smartcard

xfce4-panel New Fork (PID: 5630, Parent: 3172)

udisksd New Fork (PID: 5634, Parent: 803)

dumpe2fs (PID: 5634, Parent: 803, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

gnome-session-binary New Fork (PID: 5639, Parent: 1383)

sh (PID: 5639, Parent: 1383, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-sharing

gsd-sharing (PID: 5639, Parent: 1383, MD5: e29d9025d98590fbb69f89fdbd4438b3) Arguments: /usr/libexec/gsd-sharing

gnome-session-binary New Fork (PID: 5640, Parent: 1383)

sh (PID: 5640, Parent: 1383, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-rfkill

gsd-rfkill (PID: 5640, Parent: 1383, MD5: 88a16a3c0aba1759358c06215ecfb5cc) Arguments: /usr/libexec/gsd-rfkill

gdm-session-worker New Fork (PID: 5641, Parent: 2946)

Default (PID: 5641, Parent: 2946, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PostSession/Default

gnome-session-binary New Fork (PID: 5642, Parent: 1383)

sh (PID: 5642, Parent: 1383, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-media-keys

gsd-media-keys (PID: 5642, Parent: 1383, MD5: a425448c135afb4b8bfd79cc0b6b74da) Arguments: /usr/libexec/gsd-media-keys

gdm3 New Fork (PID: 5643, Parent: 1289)

Default (PID: 5643, Parent: 1289, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default

gnome-session-binary New Fork (PID: 5644, Parent: 1383)

sh (PID: 5644, Parent: 1383, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-print-notifications

gsd-print-notifications (PID: 5644, Parent: 1383, MD5: 71539698aa691718cee775d6b9450ae2) Arguments: /usr/libexec/gsd-print-notifications

gsd-print-notifications New Fork (PID: 5821, Parent: 5644)

gsd-print-notifications New Fork (PID: 5822, Parent: 5821)

gsd-printer (PID: 5822, Parent: 1, MD5: 7995828cf98c315fd55f2ffb3b22384d) Arguments: /usr/libexec/gsd-printer

gnome-session-binary New Fork (PID: 5646, Parent: 1383)

sh (PID: 5646, Parent: 1383, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-color

gsd-color (PID: 5646, Parent: 1383, MD5: ac2861ad93ce047283e8e87cefef9a19) Arguments: /usr/libexec/gsd-color

gnome-session-binary New Fork (PID: 5647, Parent: 1383)

sh (PID: 5647, Parent: 1383, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-screensaver-proxy

gsd-screensaver-proxy (PID: 5647, Parent: 1383, MD5: 77e309450c87dceee43f1a9e50cc0d02) Arguments: /usr/libexec/gsd-screensaver-proxy

udisksd New Fork (PID: 5649, Parent: 803)

dumpe2fs (PID: 5649, Parent: 803, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

gnome-session-binary New Fork (PID: 5650, Parent: 1383)

sh (PID: 5650, Parent: 1383, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-a11y-settings

gsd-a11y-settings (PID: 5650, Parent: 1383, MD5: 18e243d2cf30ecee7ea89d1462725c5c) Arguments: /usr/libexec/gsd-a11y-settings

gnome-session-binary New Fork (PID: 5651, Parent: 1383)

sh (PID: 5651, Parent: 1383, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping

gsd-housekeeping (PID: 5651, Parent: 1383, MD5: b55f3394a84976ddb92a2915e5d76914) Arguments: /usr/libexec/gsd-housekeeping

gnome-session-binary New Fork (PID: 5652, Parent: 1383)

sh (PID: 5652, Parent: 1383, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-sound

gsd-sound (PID: 5652, Parent: 1383, MD5: 4c7d3fb993463337b4a0eb5c80c760ee) Arguments: /usr/libexec/gsd-sound

gnome-session-binary New Fork (PID: 5655, Parent: 1383)

sh (PID: 5655, Parent: 1383, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-power

gsd-power (PID: 5655, Parent: 1383, MD5: 28b8e1b43c3e7f1db6741ea1ecd978b7) Arguments: /usr/libexec/gsd-power

Xorg New Fork (PID: 5658, Parent: 1371)

sh (PID: 5658, Parent: 1371, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "\"/usr/bin/xkbcomp\" -w 1 \"-R/usr/share/X11/xkb\" -xkm \"-\" -em1 \"The XKEYBOARD keymap compiler (xkbcomp) reports:\" -emp \"> \" -eml \"Errors from xkbcomp are not fatal to the X server\" \"/tmp/server-0.xkm\""

sh New Fork (PID: 5662, Parent: 5658)

xkbcomp (PID: 5662, Parent: 5658, MD5: c5f953aec4c00d2a1cc27acb75d62c9b) Arguments: /usr/bin/xkbcomp -w 1 -R/usr/share/X11/xkb -xkm - -em1 "The XKEYBOARD keymap compiler (xkbcomp) reports:" -emp "> " -eml "Errors from xkbcomp are not fatal to the X server" /tmp/server-0.xkm

systemd New Fork (PID: 5690, Parent: 1)

systemd-hostnamed (PID: 5690, Parent: 1, MD5: 2cc8a5576629a2d5bd98e49a4b8bef65) Arguments: /lib/systemd/systemd-hostnamed

systemd New Fork (PID: 5828, Parent: 1)

systemd-user-runtime-dir (PID: 5828, Parent: 1, MD5: d55f4b0847f88131dbcfb07435178e54) Arguments: /lib/systemd/systemd-user-runtime-dir stop 1000

dbus-daemon New Fork (PID: 5830, Parent: 5829)

false (PID: 5830, Parent: 5829, MD5: 3177546c74e4f0062909eae43d948bfc) Arguments: /bin/false

Xorg New Fork (PID: 5837, Parent: 1371)

sh (PID: 5837, Parent: 1371, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "\"/usr/bin/xkbcomp\" -w 1 \"-R/usr/share/X11/xkb\" -xkm \"-\" -em1 \"The XKEYBOARD keymap compiler (xkbcomp) reports:\" -emp \"> \" -eml \"Errors from xkbcomp are not fatal to the X server\" \"/tmp/server-0.xkm\""

sh New Fork (PID: 5838, Parent: 5837)

xkbcomp (PID: 5838, Parent: 5837, MD5: c5f953aec4c00d2a1cc27acb75d62c9b) Arguments: /usr/bin/xkbcomp -w 1 -R/usr/share/X11/xkb -xkm - -em1 "The XKEYBOARD keymap compiler (xkbcomp) reports:" -emp "> " -eml "Errors from xkbcomp are not fatal to the X server" /tmp/server-0.xkm

systemd New Fork (PID: 5870, Parent: 1)

colord (PID: 5870, Parent: 1, MD5: 70861d1b2818c9279cd4a5c9035dac1f) Arguments: /usr/libexec/colord

colord New Fork (PID: 5896, Parent: 5870)

colord-sane (PID: 5896, Parent: 5870, MD5: 5f98d754a07bf1385c3ff001cde3882e) Arguments: /usr/libexec/colord-sane

systemd New Fork (PID: 5872, Parent: 1)

accounts-daemon (PID: 5872, Parent: 1, MD5: 01a899e3fb5e7e434bea1290255a1f30) Arguments: /usr/lib/accountsservice/accounts-daemon

accounts-daemon New Fork (PID: 5885, Parent: 5872)

language-validate (PID: 5885, Parent: 5872, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /usr/share/language-tools/language-validate en_US.UTF-8

language-validate New Fork (PID: 5886, Parent: 5885)

language-options (PID: 5886, Parent: 5885, MD5: 16a21f464119ea7fad1d3660de963637) Arguments: /usr/share/language-tools/language-options

language-options New Fork (PID: 5887, Parent: 5886)

sh (PID: 5887, Parent: 5886, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "locale -a | grep -F .utf8 "

sh New Fork (PID: 5888, Parent: 5887)

locale (PID: 5888, Parent: 5887, MD5: c72a78792469db86d91369c9057f20d2) Arguments: locale -a

sh New Fork (PID: 5889, Parent: 5887)

grep (PID: 5889, Parent: 5887, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -F .utf8

systemd New Fork (PID: 5900, Parent: 1)

systemd-localed (PID: 5900, Parent: 1, MD5: 1244af9646256d49594f2a8203329aa9) Arguments: /lib/systemd/systemd-localed

gdm3 New Fork (PID: 6031, Parent: 1289)

Default (PID: 6031, Parent: 1289, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default

gdm3 New Fork (PID: 6032, Parent: 1289)

Default (PID: 6032, Parent: 1289, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default

systemd New Fork (PID: 6039, Parent: 1)

systemd-user-runtime-dir (PID: 6039, Parent: 1, MD5: d55f4b0847f88131dbcfb07435178e54) Arguments: /lib/systemd/systemd-user-runtime-dir stop 127

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
C1Dd84tB3n.elf	Linux_Trojan_Gafgyt_9e9530a7	unknown	unknown	0x6d30:$a: F6 48 63 FF B8 36 00 00 00 0F 05 48 3D 00 F0 FF FF 48 89 C3
C1Dd84tB3n.elf	Linux_Trojan_Gafgyt_807911a2	unknown	unknown	0x751f:$a: FE 48 39 F3 0F 94 C2 48 83 F9 FF 0F 94 C0 84 D0 74 16 4B 8D
C1Dd84tB3n.elf	Linux_Trojan_Gafgyt_d4227dbf	unknown	unknown	0x45be:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00 0x46cc:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00
C1Dd84tB3n.elf	Linux_Trojan_Gafgyt_d996d335	unknown	unknown	0x9cae:$a: D0 EB 0F 40 38 37 75 04 48 89 F8 C3 49 FF C8 48 FF C7 4D 85 C0
C1Dd84tB3n.elf	Linux_Trojan_Gafgyt_620087b9	unknown	unknown	0x70df:$a: 48 89 D8 48 83 C8 01 EB 04 48 8B 76 10 48 3B 46 08 72 F6 48 8B
C1Dd84tB3n.elf	Linux_Trojan_Gafgyt_33b4111a	unknown	unknown	0x73aa:$a: C1 83 E1 0F 74 1A B8 10 00 00 00 48 29 C8 48 8D 0C 02 48 89 DA 48
C1Dd84tB3n.elf	Linux_Trojan_Mirai_1e0c5ce0	unknown	unknown	0x8d7:$a: 4C 24 54 31 F6 41 B8 04 00 00 00 BA 03 00 00 00 C7 44 24 54 01 00
C1Dd84tB3n.elf	Linux_Trojan_Mirai_520deeb8	unknown	unknown	0x34a:$a: ED 48 89 44 24 30 44 89 6C 24 10 7E 47 48 89 C1 44 89 E8 44
C1Dd84tB3n.elf	Linux_Trojan_Mirai_6a77af0f	unknown	unknown	0x31bf:$a: 31 D1 89 0F 48 83 C7 04 85 F6 7E 3B 44 89 C8 45 89 D1 45 89 C2 41
C1Dd84tB3n.elf	Linux_Trojan_Mirai_01e4a728	unknown	unknown	0x44d:$a: 44 24 23 48 8B 6C 24 28 83 F9 01 4A 8D 14 20 0F B6 02 88 45 08
C1Dd84tB3n.elf	Linux_Trojan_Mirai_e0cf29e2	unknown	unknown	0x2032:$a: 83 FE 01 76 12 0F B7 07 83 EE 02 48 83 C7 02 48 01 C2 83 FE 01
Click to see the 6 entries

Memory Dumps

Source	Rule	Description	Author	Strings
5507.1.0000000000400000.000000000040d000.r-x.sdmp	Linux_Trojan_Gafgyt_9e9530a7	unknown	unknown	0x6d30:$a: F6 48 63 FF B8 36 00 00 00 0F 05 48 3D 00 F0 FF FF 48 89 C3
5507.1.0000000000400000.000000000040d000.r-x.sdmp	Linux_Trojan_Gafgyt_807911a2	unknown	unknown	0x751f:$a: FE 48 39 F3 0F 94 C2 48 83 F9 FF 0F 94 C0 84 D0 74 16 4B 8D
5507.1.0000000000400000.000000000040d000.r-x.sdmp	Linux_Trojan_Gafgyt_d4227dbf	unknown	unknown	0x45be:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00 0x46cc:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00
5507.1.0000000000400000.000000000040d000.r-x.sdmp	Linux_Trojan_Gafgyt_d996d335	unknown	unknown	0x9cae:$a: D0 EB 0F 40 38 37 75 04 48 89 F8 C3 49 FF C8 48 FF C7 4D 85 C0
5507.1.0000000000400000.000000000040d000.r-x.sdmp	Linux_Trojan_Gafgyt_620087b9	unknown	unknown	0x70df:$a: 48 89 D8 48 83 C8 01 EB 04 48 8B 76 10 48 3B 46 08 72 F6 48 8B
5507.1.0000000000400000.000000000040d000.r-x.sdmp	Linux_Trojan_Gafgyt_33b4111a	unknown	unknown	0x73aa:$a: C1 83 E1 0F 74 1A B8 10 00 00 00 48 29 C8 48 8D 0C 02 48 89 DA 48
5507.1.0000000000400000.000000000040d000.r-x.sdmp	Linux_Trojan_Mirai_1e0c5ce0	unknown	unknown	0x8d7:$a: 4C 24 54 31 F6 41 B8 04 00 00 00 BA 03 00 00 00 C7 44 24 54 01 00
5507.1.0000000000400000.000000000040d000.r-x.sdmp	Linux_Trojan_Mirai_520deeb8	unknown	unknown	0x34a:$a: ED 48 89 44 24 30 44 89 6C 24 10 7E 47 48 89 C1 44 89 E8 44
5507.1.0000000000400000.000000000040d000.r-x.sdmp	Linux_Trojan_Mirai_6a77af0f	unknown	unknown	0x31bf:$a: 31 D1 89 0F 48 83 C7 04 85 F6 7E 3B 44 89 C8 45 89 D1 45 89 C2 41
5507.1.0000000000400000.000000000040d000.r-x.sdmp	Linux_Trojan_Mirai_01e4a728	unknown	unknown	0x44d:$a: 44 24 23 48 8B 6C 24 28 83 F9 01 4A 8D 14 20 0F B6 02 88 45 08
5507.1.0000000000400000.000000000040d000.r-x.sdmp	Linux_Trojan_Mirai_e0cf29e2	unknown	unknown	0x2032:$a: 83 FE 01 76 12 0F B7 07 83 EE 02 48 83 C7 02 48 01 C2 83 FE 01
5508.1.0000000000400000.000000000040d000.r-x.sdmp	Linux_Trojan_Gafgyt_9e9530a7	unknown	unknown	0x6d30:$a: F6 48 63 FF B8 36 00 00 00 0F 05 48 3D 00 F0 FF FF 48 89 C3
5508.1.0000000000400000.000000000040d000.r-x.sdmp	Linux_Trojan_Gafgyt_807911a2	unknown	unknown	0x751f:$a: FE 48 39 F3 0F 94 C2 48 83 F9 FF 0F 94 C0 84 D0 74 16 4B 8D
5508.1.0000000000400000.000000000040d000.r-x.sdmp	Linux_Trojan_Gafgyt_d4227dbf	unknown	unknown	0x45be:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00 0x46cc:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00
5508.1.0000000000400000.000000000040d000.r-x.sdmp	Linux_Trojan_Gafgyt_d996d335	unknown	unknown	0x9cae:$a: D0 EB 0F 40 38 37 75 04 48 89 F8 C3 49 FF C8 48 FF C7 4D 85 C0
5508.1.0000000000400000.000000000040d000.r-x.sdmp	Linux_Trojan_Gafgyt_620087b9	unknown	unknown	0x70df:$a: 48 89 D8 48 83 C8 01 EB 04 48 8B 76 10 48 3B 46 08 72 F6 48 8B
5508.1.0000000000400000.000000000040d000.r-x.sdmp	Linux_Trojan_Gafgyt_33b4111a	unknown	unknown	0x73aa:$a: C1 83 E1 0F 74 1A B8 10 00 00 00 48 29 C8 48 8D 0C 02 48 89 DA 48
5508.1.0000000000400000.000000000040d000.r-x.sdmp	Linux_Trojan_Mirai_1e0c5ce0	unknown	unknown	0x8d7:$a: 4C 24 54 31 F6 41 B8 04 00 00 00 BA 03 00 00 00 C7 44 24 54 01 00
5508.1.0000000000400000.000000000040d000.r-x.sdmp	Linux_Trojan_Mirai_520deeb8	unknown	unknown	0x34a:$a: ED 48 89 44 24 30 44 89 6C 24 10 7E 47 48 89 C1 44 89 E8 44
5508.1.0000000000400000.000000000040d000.r-x.sdmp	Linux_Trojan_Mirai_6a77af0f	unknown	unknown	0x31bf:$a: 31 D1 89 0F 48 83 C7 04 85 F6 7E 3B 44 89 C8 45 89 D1 45 89 C2 41
5508.1.0000000000400000.000000000040d000.r-x.sdmp	Linux_Trojan_Mirai_01e4a728	unknown	unknown	0x44d:$a: 44 24 23 48 8B 6C 24 28 83 F9 01 4A 8D 14 20 0F B6 02 88 45 08
5508.1.0000000000400000.000000000040d000.r-x.sdmp	Linux_Trojan_Mirai_e0cf29e2	unknown	unknown	0x2032:$a: 83 FE 01 76 12 0F B7 07 83 EE 02 48 83 C7 02 48 01 C2 83 FE 01
5506.1.0000000000400000.000000000040d000.r-x.sdmp	Linux_Trojan_Gafgyt_9e9530a7	unknown	unknown	0x6d30:$a: F6 48 63 FF B8 36 00 00 00 0F 05 48 3D 00 F0 FF FF 48 89 C3
5506.1.0000000000400000.000000000040d000.r-x.sdmp	Linux_Trojan_Gafgyt_807911a2	unknown	unknown	0x751f:$a: FE 48 39 F3 0F 94 C2 48 83 F9 FF 0F 94 C0 84 D0 74 16 4B 8D
5506.1.0000000000400000.000000000040d000.r-x.sdmp	Linux_Trojan_Gafgyt_d4227dbf	unknown	unknown	0x45be:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00 0x46cc:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00
5506.1.0000000000400000.000000000040d000.r-x.sdmp	Linux_Trojan_Gafgyt_d996d335	unknown	unknown	0x9cae:$a: D0 EB 0F 40 38 37 75 04 48 89 F8 C3 49 FF C8 48 FF C7 4D 85 C0
5506.1.0000000000400000.000000000040d000.r-x.sdmp	Linux_Trojan_Gafgyt_620087b9	unknown	unknown	0x70df:$a: 48 89 D8 48 83 C8 01 EB 04 48 8B 76 10 48 3B 46 08 72 F6 48 8B
5506.1.0000000000400000.000000000040d000.r-x.sdmp	Linux_Trojan_Gafgyt_33b4111a	unknown	unknown	0x73aa:$a: C1 83 E1 0F 74 1A B8 10 00 00 00 48 29 C8 48 8D 0C 02 48 89 DA 48
5506.1.0000000000400000.000000000040d000.r-x.sdmp	Linux_Trojan_Mirai_1e0c5ce0	unknown	unknown	0x8d7:$a: 4C 24 54 31 F6 41 B8 04 00 00 00 BA 03 00 00 00 C7 44 24 54 01 00
5506.1.0000000000400000.000000000040d000.r-x.sdmp	Linux_Trojan_Mirai_520deeb8	unknown	unknown	0x34a:$a: ED 48 89 44 24 30 44 89 6C 24 10 7E 47 48 89 C1 44 89 E8 44
5506.1.0000000000400000.000000000040d000.r-x.sdmp	Linux_Trojan_Mirai_6a77af0f	unknown	unknown	0x31bf:$a: 31 D1 89 0F 48 83 C7 04 85 F6 7E 3B 44 89 C8 45 89 D1 45 89 C2 41
5506.1.0000000000400000.000000000040d000.r-x.sdmp	Linux_Trojan_Mirai_01e4a728	unknown	unknown	0x44d:$a: 44 24 23 48 8B 6C 24 28 83 F9 01 4A 8D 14 20 0F B6 02 88 45 08
5506.1.0000000000400000.000000000040d000.r-x.sdmp	Linux_Trojan_Mirai_e0cf29e2	unknown	unknown	0x2032:$a: 83 FE 01 76 12 0F B7 07 83 EE 02 48 83 C7 02 48 01 C2 83 FE 01
Click to see the 28 entries

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: C1Dd84tB3n.elf

Virustotal: Detection: 53%

Perma Link

Machine Learning detection for sample

Source: C1Dd84tB3n.elf

Joe Sandbox ML: detected

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 185.196.9.5 ports 1,2,3,5,7,51237

Source: global traffic

TCP traffic: 192.168.2.14:50164 -> 185.196.9.5:51237

Source: /tmp/C1Dd84tB3n.elf (PID: 5506)

Socket: 127.0.0.1::6628

Jump to behavior

Source: global traffic

TCP traffic: 192.168.2.14:46540 -> 185.125.190.26:443

Source: unknown	TCP traffic detected without corresponding DNS query: 185.125.190.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.125.190.26

Source: unknown

DNS traffic detected: queries for: fdh32fsdfhs.shop

Source: unknown

Network traffic detected: HTTP traffic on port 46540 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: C1Dd84tB3n.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_9e9530a7 Author: unknown
Source: C1Dd84tB3n.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_807911a2 Author: unknown
Source: C1Dd84tB3n.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_d4227dbf Author: unknown
Source: C1Dd84tB3n.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_d996d335 Author: unknown
Source: C1Dd84tB3n.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_620087b9 Author: unknown
Source: C1Dd84tB3n.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_33b4111a Author: unknown
Source: C1Dd84tB3n.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_1e0c5ce0 Author: unknown
Source: C1Dd84tB3n.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_520deeb8 Author: unknown
Source: C1Dd84tB3n.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_6a77af0f Author: unknown
Source: C1Dd84tB3n.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_01e4a728 Author: unknown
Source: C1Dd84tB3n.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_e0cf29e2 Author: unknown
Source: 5507.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_9e9530a7 Author: unknown
Source: 5507.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_807911a2 Author: unknown
Source: 5507.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d4227dbf Author: unknown
Source: 5507.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d996d335 Author: unknown
Source: 5507.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_620087b9 Author: unknown
Source: 5507.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_33b4111a Author: unknown
Source: 5507.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_1e0c5ce0 Author: unknown
Source: 5507.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_520deeb8 Author: unknown
Source: 5507.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_6a77af0f Author: unknown
Source: 5507.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_01e4a728 Author: unknown
Source: 5507.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_e0cf29e2 Author: unknown
Source: 5508.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_9e9530a7 Author: unknown
Source: 5508.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_807911a2 Author: unknown
Source: 5508.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d4227dbf Author: unknown
Source: 5508.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d996d335 Author: unknown
Source: 5508.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_620087b9 Author: unknown
Source: 5508.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_33b4111a Author: unknown
Source: 5508.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_1e0c5ce0 Author: unknown
Source: 5508.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_520deeb8 Author: unknown
Source: 5508.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_6a77af0f Author: unknown
Source: 5508.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_01e4a728 Author: unknown
Source: 5508.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_e0cf29e2 Author: unknown
Source: 5506.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_9e9530a7 Author: unknown
Source: 5506.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_807911a2 Author: unknown
Source: 5506.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d4227dbf Author: unknown
Source: 5506.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d996d335 Author: unknown
Source: 5506.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_620087b9 Author: unknown
Source: 5506.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_33b4111a Author: unknown
Source: 5506.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_1e0c5ce0 Author: unknown
Source: 5506.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_520deeb8 Author: unknown
Source: 5506.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_6a77af0f Author: unknown
Source: 5506.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_01e4a728 Author: unknown
Source: 5506.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_e0cf29e2 Author: unknown

Sample tries to kill multiple processes (SIGKILL)

Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 795, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 800, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 803, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 1314, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 1364, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 1369, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 1371, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 1383, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 1394, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 1560, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 1564, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 1567, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 1577, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 1588, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 1593, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 1610, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 1630, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 1633, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 1635, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 1638, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 1639, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 1640, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 1642, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 1647, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 1650, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 1653, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 1655, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 1659, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 1661, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 1683, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 1712, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 1717, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 2946, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 2997, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 2999, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 3120, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 3129, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 3134, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 3142, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 3147, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 3184, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 3187, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 3188, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 3189, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 3190, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 3193, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 3207, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 3215, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 3235, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 3245, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 3246, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 3268, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 3304, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 3319, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 3329, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 3341, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 3353, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 3361, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 3392, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 3398, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 3402, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 3406, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 3412, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 3420, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 3425, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 3690, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 5583, result: successful	Jump to behavior

Source: Initial sample	String containing 'busybox' found: /bin/busybox
Source: Initial sample	String containing 'busybox' found: /proc/self/exe/bin/busybox/proc/%d/etc/systmp.d/proc/%s/lib/systemd/usr/lib/systemd/systemd/usr/lib/openssh/sftp-server/sys/system/dvr/main/usr/mnt/mtd/org/userfs/home/process/net_process/var/tmp/sonia/usr/sbin/usr/bin/mnt/gm/bin/var/Sofia/usr/sbin/sshd/usr/sbin/ntpd/usr/sbin/cupsd/usr/lib/apt/methods/http/usr/sbin/crond/usr/sbin/rsyslogd/usr/sbin/inetd/usr/sbin/dnsmasq/usr/bin/DVRServer/usr/bin/DVRShell/usr/bin/DVRControl/usr/bin/DVRRemoteAgent/usr/bin/DVRNetService/usr/libexec/openssh/sftp-server]

Source: ELF static info symbol of initial sample

.symtab present: no

Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 795, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 800, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 803, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 1314, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 1364, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 1369, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 1371, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 1383, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 1394, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 1560, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 1564, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 1567, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 1577, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 1588, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 1593, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 1610, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 1630, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 1633, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 1635, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 1638, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 1639, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 1640, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 1642, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 1647, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 1650, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 1653, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 1655, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 1659, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 1661, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 1683, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 1712, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 1717, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 2946, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 2997, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 2999, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 3120, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 3129, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 3134, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 3142, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 3147, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 3184, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 3187, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 3188, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 3189, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 3190, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 3193, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 3207, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 3215, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 3235, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 3245, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 3246, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 3268, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 3304, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 3319, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 3329, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 3341, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 3353, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 3361, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 3392, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 3398, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 3402, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 3406, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 3412, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 3420, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 3425, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 3690, result: successful	Jump to behavior
Source: /tmp/C1Dd84tB3n.elf (PID: 5507)	SIGKILL sent: pid: 5583, result: successful	Jump to behavior

Source: C1Dd84tB3n.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_9e9530a7 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = d6ad6512051e87c8c35dc168d82edd071b122d026dce21d39b9782b3d6a01e50, id = 9e9530a7-ad4d-4a44-b764-437b7621052f, last_modified = 2021-09-16
Source: C1Dd84tB3n.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_807911a2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = f409037091b7372f5a42bbe437316bd11c655e7a5fe1fcf83d1981cb5c4a389f, id = 807911a2-f6ec-4e65-924f-61cb065dafc6, last_modified = 2021-09-16
Source: C1Dd84tB3n.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_d4227dbf reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 58c4b1d4d167876b64cfa10f609911a80284180e4db093917fea16fae8ccd4e3, id = d4227dbf-6ab4-4637-a6ba-0e604acaafb4, last_modified = 2021-09-16
Source: C1Dd84tB3n.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_d996d335 reference_sample = b511eacd4b44744c8cf82d1b4a9bc6f1022fe6be7c5d17356b171f727ddc6eda, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = e9ccb8412f32187c309b0e9afcc3a6da21ad2f1ffa251c27f9f720ccb284e3ac, id = d996d335-e049-4052-bf36-6cd07c911a8b, last_modified = 2021-09-16
Source: C1Dd84tB3n.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_620087b9 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 06cd7e6eb62352ec2ccb9ed48e58c0583c02fefd137cd048d053ab30b5330307, id = 620087b9-c87d-4752-89e8-ca1c16486b28, last_modified = 2021-09-16
Source: C1Dd84tB3n.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_33b4111a reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 9c3b63b9a0f54006bae12abcefdb518904a85f78be573f0780f0a265b12d2d6e, id = 33b4111a-e59e-48db-9d74-34ca44fcd9f5, last_modified = 2021-09-16
Source: C1Dd84tB3n.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_1e0c5ce0 reference_sample = 5b1f95840caebf9721bf318126be27085ec08cf7881ec64a884211a934351c2d, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 8e45538b59f9c9b8bc49661069044900c8199e487714c715c1b1f970fd528e3b, id = 1e0c5ce0-3b76-4da4-8bed-2e5036b6ce79, last_modified = 2021-09-16
Source: C1Dd84tB3n.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_520deeb8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f4dfd1d76e07ff875eedfe0ef4f861bee1e4d8e66d68385f602f29cc35e30cca, id = 520deeb8-cbc0-4225-8d23-adba5e040471, last_modified = 2021-09-16
Source: C1Dd84tB3n.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_6a77af0f os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 4e436f509e7e732e3d0326bcbdde555bba0653213ddf31b43cfdfbe16abb0016, id = 6a77af0f-31fa-4793-82aa-10b065ba1ec0, last_modified = 2021-09-16
Source: C1Dd84tB3n.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_01e4a728 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = d90477364982bdc6cd22079c245d866454475749f762620273091f2fab73c196, id = 01e4a728-7c1c-479b-aed0-cb76d64dbb02, last_modified = 2021-09-16
Source: C1Dd84tB3n.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_e0cf29e2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 3f124c3c9f124264dfbbcca1e4b4d7cfcf3274170d4bf8966b6559045873948f, id = e0cf29e2-88d7-4aa4-b60a-c24626f2b246, last_modified = 2021-09-16
Source: 5507.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_9e9530a7 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = d6ad6512051e87c8c35dc168d82edd071b122d026dce21d39b9782b3d6a01e50, id = 9e9530a7-ad4d-4a44-b764-437b7621052f, last_modified = 2021-09-16
Source: 5507.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_807911a2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = f409037091b7372f5a42bbe437316bd11c655e7a5fe1fcf83d1981cb5c4a389f, id = 807911a2-f6ec-4e65-924f-61cb065dafc6, last_modified = 2021-09-16
Source: 5507.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d4227dbf reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 58c4b1d4d167876b64cfa10f609911a80284180e4db093917fea16fae8ccd4e3, id = d4227dbf-6ab4-4637-a6ba-0e604acaafb4, last_modified = 2021-09-16
Source: 5507.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d996d335 reference_sample = b511eacd4b44744c8cf82d1b4a9bc6f1022fe6be7c5d17356b171f727ddc6eda, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = e9ccb8412f32187c309b0e9afcc3a6da21ad2f1ffa251c27f9f720ccb284e3ac, id = d996d335-e049-4052-bf36-6cd07c911a8b, last_modified = 2021-09-16
Source: 5507.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_620087b9 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 06cd7e6eb62352ec2ccb9ed48e58c0583c02fefd137cd048d053ab30b5330307, id = 620087b9-c87d-4752-89e8-ca1c16486b28, last_modified = 2021-09-16
Source: 5507.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_33b4111a reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 9c3b63b9a0f54006bae12abcefdb518904a85f78be573f0780f0a265b12d2d6e, id = 33b4111a-e59e-48db-9d74-34ca44fcd9f5, last_modified = 2021-09-16
Source: 5507.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_1e0c5ce0 reference_sample = 5b1f95840caebf9721bf318126be27085ec08cf7881ec64a884211a934351c2d, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 8e45538b59f9c9b8bc49661069044900c8199e487714c715c1b1f970fd528e3b, id = 1e0c5ce0-3b76-4da4-8bed-2e5036b6ce79, last_modified = 2021-09-16
Source: 5507.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_520deeb8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f4dfd1d76e07ff875eedfe0ef4f861bee1e4d8e66d68385f602f29cc35e30cca, id = 520deeb8-cbc0-4225-8d23-adba5e040471, last_modified = 2021-09-16
Source: 5507.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_6a77af0f os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 4e436f509e7e732e3d0326bcbdde555bba0653213ddf31b43cfdfbe16abb0016, id = 6a77af0f-31fa-4793-82aa-10b065ba1ec0, last_modified = 2021-09-16
Source: 5507.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_01e4a728 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = d90477364982bdc6cd22079c245d866454475749f762620273091f2fab73c196, id = 01e4a728-7c1c-479b-aed0-cb76d64dbb02, last_modified = 2021-09-16
Source: 5507.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_e0cf29e2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 3f124c3c9f124264dfbbcca1e4b4d7cfcf3274170d4bf8966b6559045873948f, id = e0cf29e2-88d7-4aa4-b60a-c24626f2b246, last_modified = 2021-09-16
Source: 5508.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_9e9530a7 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = d6ad6512051e87c8c35dc168d82edd071b122d026dce21d39b9782b3d6a01e50, id = 9e9530a7-ad4d-4a44-b764-437b7621052f, last_modified = 2021-09-16
Source: 5508.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_807911a2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = f409037091b7372f5a42bbe437316bd11c655e7a5fe1fcf83d1981cb5c4a389f, id = 807911a2-f6ec-4e65-924f-61cb065dafc6, last_modified = 2021-09-16
Source: 5508.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d4227dbf reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 58c4b1d4d167876b64cfa10f609911a80284180e4db093917fea16fae8ccd4e3, id = d4227dbf-6ab4-4637-a6ba-0e604acaafb4, last_modified = 2021-09-16
Source: 5508.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d996d335 reference_sample = b511eacd4b44744c8cf82d1b4a9bc6f1022fe6be7c5d17356b171f727ddc6eda, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = e9ccb8412f32187c309b0e9afcc3a6da21ad2f1ffa251c27f9f720ccb284e3ac, id = d996d335-e049-4052-bf36-6cd07c911a8b, last_modified = 2021-09-16
Source: 5508.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_620087b9 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 06cd7e6eb62352ec2ccb9ed48e58c0583c02fefd137cd048d053ab30b5330307, id = 620087b9-c87d-4752-89e8-ca1c16486b28, last_modified = 2021-09-16
Source: 5508.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_33b4111a reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 9c3b63b9a0f54006bae12abcefdb518904a85f78be573f0780f0a265b12d2d6e, id = 33b4111a-e59e-48db-9d74-34ca44fcd9f5, last_modified = 2021-09-16
Source: 5508.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_1e0c5ce0 reference_sample = 5b1f95840caebf9721bf318126be27085ec08cf7881ec64a884211a934351c2d, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 8e45538b59f9c9b8bc49661069044900c8199e487714c715c1b1f970fd528e3b, id = 1e0c5ce0-3b76-4da4-8bed-2e5036b6ce79, last_modified = 2021-09-16
Source: 5508.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_520deeb8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f4dfd1d76e07ff875eedfe0ef4f861bee1e4d8e66d68385f602f29cc35e30cca, id = 520deeb8-cbc0-4225-8d23-adba5e040471, last_modified = 2021-09-16
Source: 5508.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_6a77af0f os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 4e436f509e7e732e3d0326bcbdde555bba0653213ddf31b43cfdfbe16abb0016, id = 6a77af0f-31fa-4793-82aa-10b065ba1ec0, last_modified = 2021-09-16
Source: 5508.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_01e4a728 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = d90477364982bdc6cd22079c245d866454475749f762620273091f2fab73c196, id = 01e4a728-7c1c-479b-aed0-cb76d64dbb02, last_modified = 2021-09-16
Source: 5508.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_e0cf29e2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 3f124c3c9f124264dfbbcca1e4b4d7cfcf3274170d4bf8966b6559045873948f, id = e0cf29e2-88d7-4aa4-b60a-c24626f2b246, last_modified = 2021-09-16
Source: 5506.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_9e9530a7 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = d6ad6512051e87c8c35dc168d82edd071b122d026dce21d39b9782b3d6a01e50, id = 9e9530a7-ad4d-4a44-b764-437b7621052f, last_modified = 2021-09-16
Source: 5506.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_807911a2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = f409037091b7372f5a42bbe437316bd11c655e7a5fe1fcf83d1981cb5c4a389f, id = 807911a2-f6ec-4e65-924f-61cb065dafc6, last_modified = 2021-09-16
Source: 5506.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d4227dbf reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 58c4b1d4d167876b64cfa10f609911a80284180e4db093917fea16fae8ccd4e3, id = d4227dbf-6ab4-4637-a6ba-0e604acaafb4, last_modified = 2021-09-16
Source: 5506.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d996d335 reference_sample = b511eacd4b44744c8cf82d1b4a9bc6f1022fe6be7c5d17356b171f727ddc6eda, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = e9ccb8412f32187c309b0e9afcc3a6da21ad2f1ffa251c27f9f720ccb284e3ac, id = d996d335-e049-4052-bf36-6cd07c911a8b, last_modified = 2021-09-16
Source: 5506.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_620087b9 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 06cd7e6eb62352ec2ccb9ed48e58c0583c02fefd137cd048d053ab30b5330307, id = 620087b9-c87d-4752-89e8-ca1c16486b28, last_modified = 2021-09-16
Source: 5506.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_33b4111a reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 9c3b63b9a0f54006bae12abcefdb518904a85f78be573f0780f0a265b12d2d6e, id = 33b4111a-e59e-48db-9d74-34ca44fcd9f5, last_modified = 2021-09-16
Source: 5506.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_1e0c5ce0 reference_sample = 5b1f95840caebf9721bf318126be27085ec08cf7881ec64a884211a934351c2d, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 8e45538b59f9c9b8bc49661069044900c8199e487714c715c1b1f970fd528e3b, id = 1e0c5ce0-3b76-4da4-8bed-2e5036b6ce79, last_modified = 2021-09-16
Source: 5506.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_520deeb8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f4dfd1d76e07ff875eedfe0ef4f861bee1e4d8e66d68385f602f29cc35e30cca, id = 520deeb8-cbc0-4225-8d23-adba5e040471, last_modified = 2021-09-16
Source: 5506.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_6a77af0f os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 4e436f509e7e732e3d0326bcbdde555bba0653213ddf31b43cfdfbe16abb0016, id = 6a77af0f-31fa-4793-82aa-10b065ba1ec0, last_modified = 2021-09-16
Source: 5506.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_01e4a728 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = d90477364982bdc6cd22079c245d866454475749f762620273091f2fab73c196, id = 01e4a728-7c1c-479b-aed0-cb76d64dbb02, last_modified = 2021-09-16
Source: 5506.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_e0cf29e2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 3f124c3c9f124264dfbbcca1e4b4d7cfcf3274170d4bf8966b6559045873948f, id = e0cf29e2-88d7-4aa4-b60a-c24626f2b246, last_modified = 2021-09-16

Source: classification engine

Classification label: mal72.spre.troj.linELF@0/12@3/0

Source: /usr/libexec/gsd-wacom (PID: 5551)	Directory: /var/lib/gdm3/.Xdefaults	Jump to behavior
Source: /usr/libexec/gsd-wacom (PID: 5551)	Directory: /var/lib/gdm3/.Xdefaults-galassia	Jump to behavior
Source: /usr/lib/upower/upowerd (PID: 5574)	Directory: <invalid fd (12)>/..	Jump to behavior
Source: /usr/lib/upower/upowerd (PID: 5574)	Directory: <invalid fd (11)>/..	Jump to behavior
Source: /usr/libexec/gsd-keyboard (PID: 5595)	Directory: /var/lib/gdm3/.Xdefaults	Jump to behavior
Source: /usr/libexec/gsd-keyboard (PID: 5595)	Directory: /var/lib/gdm3/.Xdefaults-galassia	Jump to behavior
Source: /usr/libexec/gsd-rfkill (PID: 5640)	Directory: <invalid fd (9)>/..	Jump to behavior
Source: /usr/libexec/gsd-rfkill (PID: 5640)	Directory: <invalid fd (8)>/..	Jump to behavior
Source: /usr/libexec/gsd-media-keys (PID: 5642)	Directory: /var/lib/gdm3/.Xdefaults	Jump to behavior
Source: /usr/libexec/gsd-media-keys (PID: 5642)	Directory: /var/lib/gdm3/.Xdefaults-galassia	Jump to behavior
Source: /usr/libexec/gsd-media-keys (PID: 5642)	Directory: /usr/share/locale/en_US.UTF-8/LC_MESSAGES/.mo	Jump to behavior
Source: /usr/libexec/gsd-media-keys (PID: 5642)	Directory: /usr/share/locale/en_US.utf8/LC_MESSAGES/.mo	Jump to behavior
Source: /usr/libexec/gsd-media-keys (PID: 5642)	Directory: /usr/share/locale/en_US/LC_MESSAGES/.mo	Jump to behavior
Source: /usr/libexec/gsd-media-keys (PID: 5642)	Directory: /usr/share/locale/en.UTF-8/LC_MESSAGES/.mo	Jump to behavior
Source: /usr/libexec/gsd-media-keys (PID: 5642)	Directory: /usr/share/locale/en.utf8/LC_MESSAGES/.mo	Jump to behavior
Source: /usr/libexec/gsd-media-keys (PID: 5642)	Directory: /usr/share/locale/en/LC_MESSAGES/.mo	Jump to behavior
Source: /usr/libexec/gsd-media-keys (PID: 5642)	Directory: /usr/share/locale-langpack/en_US.UTF-8/LC_MESSAGES/.mo	Jump to behavior
Source: /usr/libexec/gsd-media-keys (PID: 5642)	Directory: /usr/share/locale-langpack/en_US.utf8/LC_MESSAGES/.mo	Jump to behavior
Source: /usr/libexec/gsd-media-keys (PID: 5642)	Directory: /usr/share/locale-langpack/en_US/LC_MESSAGES/.mo	Jump to behavior
Source: /usr/libexec/gsd-media-keys (PID: 5642)	Directory: /usr/share/locale-langpack/en.UTF-8/LC_MESSAGES/.mo	Jump to behavior
Source: /usr/libexec/gsd-media-keys (PID: 5642)	Directory: /usr/share/locale-langpack/en.utf8/LC_MESSAGES/.mo	Jump to behavior
Source: /usr/libexec/gsd-media-keys (PID: 5642)	Directory: /usr/share/locale-langpack/en/LC_MESSAGES/.mo	Jump to behavior
Source: /usr/libexec/gsd-color (PID: 5646)	Directory: /var/lib/gdm3/.Xdefaults	Jump to behavior
Source: /usr/libexec/gsd-color (PID: 5646)	Directory: /var/lib/gdm3/.Xdefaults-galassia	Jump to behavior
Source: /usr/libexec/gsd-power (PID: 5655)	Directory: /var/lib/gdm3/.Xdefaults	Jump to behavior
Source: /usr/libexec/gsd-power (PID: 5655)	Directory: /var/lib/gdm3/.Xdefaults-galassia	Jump to behavior
Source: /lib/systemd/systemd-hostnamed (PID: 5690)	Directory: <invalid fd (10)>/..	Jump to behavior
Source: /usr/libexec/colord (PID: 5870)	Directory: /var/lib/colord/.cache	Jump to behavior
Source: /usr/lib/accountsservice/accounts-daemon (PID: 5872)	Directory: /var/lib/gdm3/.pam_environment	Jump to behavior
Source: /usr/lib/accountsservice/accounts-daemon (PID: 5872)	Directory: /root/.cache	Jump to behavior

Source: /usr/lib/xorg/Xorg (PID: 5658)	Shell command executed: sh -c "\"/usr/bin/xkbcomp\" -w 1 \"-R/usr/share/X11/xkb\" -xkm \"-\" -em1 \"The XKEYBOARD keymap compiler (xkbcomp) reports:\" -emp \"> \" -eml \"Errors from xkbcomp are not fatal to the X server\" \"/tmp/server-0.xkm\""	Jump to behavior
Source: /usr/lib/xorg/Xorg (PID: 5837)	Shell command executed: sh -c "\"/usr/bin/xkbcomp\" -w 1 \"-R/usr/share/X11/xkb\" -xkm \"-\" -em1 \"The XKEYBOARD keymap compiler (xkbcomp) reports:\" -emp \"> \" -eml \"Errors from xkbcomp are not fatal to the X server\" \"/tmp/server-0.xkm\""	Jump to behavior
Source: /usr/share/language-tools/language-options (PID: 5887)	Shell command executed: sh -c "locale -a \| grep -F .utf8 "	Jump to behavior

Source: /bin/sh (PID: 5889)

Grep executable: /usr/bin/grep -> grep -F .utf8

Jump to behavior

Source: /usr/lib/accountsservice/accounts-daemon (PID: 5872)	File: /var/lib/AccountsService/icons (bits: - usr: rx grp: rwx all: rwx)			Jump to behavior
Source: /usr/lib/accountsservice/accounts-daemon (PID: 5872)	File: /var/lib/AccountsService/users (bits: - usr: - grp: - all: rwx)			Jump to behavior

Source: /tmp/C1Dd84tB3n.elf (PID: 5508)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/libexec/gsd-wacom (PID: 5551)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/libexec/gsd-keyboard (PID: 5595)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/libexec/gsd-smartcard (PID: 5615)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/libexec/gsd-media-keys (PID: 5642)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/libexec/gsd-color (PID: 5646)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/libexec/gsd-power (PID: 5655)	Queries kernel information via 'uname':	Jump to behavior
Source: /lib/systemd/systemd-hostnamed (PID: 5690)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/libexec/colord-sane (PID: 5896)	Queries kernel information via 'uname':	Jump to behavior

Language, Device and Operating System Detection

Reads system files that contain records of logged in users

Source: /usr/lib/accountsservice/accounts-daemon (PID: 5872)

Logged in records file read: /var/log/wtmp

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	Windows Management Instrumentation	1 Scripting	Path Interception	1 File and Directory Permissions Modification	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 Service Stop
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Hidden Files and Directories	LSASS Memory	1 System Owner/User Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
C1Dd84tB3n.elf	54%	Virustotal		Browse
C1Dd84tB3n.elf	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
fdh32fsdfhs.shop	14%	Virustotal		Browse

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
daisy.ubuntu.com	162.213.35.25	true	false		high
fdh32fsdfhs.shop	185.196.9.5	true	true	14%, Virustotal, Browse	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.125.190.26	unknown	United Kingdom		41231	CANONICAL-ASGB	false
185.196.9.5	fdh32fsdfhs.shop	Switzerland		42624	SIMPLECARRIERCH	true

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
185.125.190.26	73wSOh7A9P.elf	Get hash	malicious	Unknown	Browse
	az9a0rNKvy.elf	Get hash	malicious	Mirai, Okiru	Browse
	SecuriteInfo.com.Linux.Mirai.8362.8829.19078.elf	Get hash	malicious	Mirai	Browse
	SecuriteInfo.com.Linux.Siggen.7228.11695.14684.elf	Get hash	malicious	Unknown	Browse
	jdsfl.arm7.elf	Get hash	malicious	Unknown	Browse
	.Sx86.elf	Get hash	malicious	Unknown	Browse
	t8WeXq3mvS.elf	Get hash	malicious	Gafgyt	Browse
	HfcQmQis2J.elf	Get hash	malicious	Unknown	Browse
	OO1vDl4L4r.elf	Get hash	malicious	Unknown	Browse
	tajma.mips-20240422-0536.elf	Get hash	malicious	Mirai, Okiru	Browse
185.196.9.5	C6CM5vjm9f.elf	Get hash	malicious	Unknown	Browse
	tGUvOmucT1.elf	Get hash	malicious	Mirai	Browse
	HuQOCdLGIt.elf	Get hash	malicious	Mirai	Browse
	5KlVl7Ufq8.elf	Get hash	malicious	Mirai	Browse
	AK8vX17uEL.elf	Get hash	malicious	Mirai	Browse
	CroOWhXyZW.elf	Get hash	malicious	Mirai	Browse
	MuYUVx7f12.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	pr8MgL5lZ7.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	H9zfx95Tb5.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	PqyrXWg453.elf	Get hash	malicious	Gafgyt, Mirai	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
daisy.ubuntu.com	73wSOh7A9P.elf	Get hash	malicious	Unknown	Browse	162.213.35.24
	74GlZU5V6w.elf	Get hash	malicious	Mirai, Okiru	Browse	162.213.35.24
	MXkNrG1YOu.elf	Get hash	malicious	Unknown	Browse	162.213.35.24
	Q6UPC68I9N.elf	Get hash	malicious	Mirai, Okiru	Browse	162.213.35.24
	KwFkwV5uzG.elf	Get hash	malicious	Unknown	Browse	162.213.35.25
	ygshcdTGkk.elf	Get hash	malicious	Mirai, Okiru	Browse	162.213.35.24
	SRBrxtK5ge.elf	Get hash	malicious	Mirai, Okiru	Browse	162.213.35.25
	az9a0rNKvy.elf	Get hash	malicious	Mirai, Okiru	Browse	162.213.35.25
	2QufQlF1Rv.elf	Get hash	malicious	Unknown	Browse	162.213.35.24
	1mHUcsxKG6.elf	Get hash	malicious	Mirai	Browse	162.213.35.25
fdh32fsdfhs.shop	C6CM5vjm9f.elf	Get hash	malicious	Unknown	Browse	185.196.9.5
	tGUvOmucT1.elf	Get hash	malicious	Mirai	Browse	185.196.9.5
	HuQOCdLGIt.elf	Get hash	malicious	Mirai	Browse	185.196.9.5
	5KlVl7Ufq8.elf	Get hash	malicious	Mirai	Browse	185.196.9.5
	AK8vX17uEL.elf	Get hash	malicious	Mirai	Browse	185.196.9.5
	CroOWhXyZW.elf	Get hash	malicious	Mirai	Browse	185.196.9.5

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SIMPLECARRIERCH	zlONcFaXkc.exe	Get hash	malicious	PureLog Stealer, Xmrig, zgRAT	Browse	185.196.10.233
	KxgGGaiW3E.exe	Get hash	malicious	Quasar	Browse	185.196.10.233
	23xCOZerXg.exe	Get hash	malicious	PureLog Stealer, Xmrig, zgRAT	Browse	185.196.10.233
	KPn7VgIWQj.exe	Get hash	malicious	PureLog Stealer, Xmrig, zgRAT	Browse	185.196.10.233
	YZPS3Bfyza.exe	Get hash	malicious	Quasar	Browse	185.196.10.233
	YZPS3Bfyza.exe	Get hash	malicious	Quasar	Browse	185.196.10.233
	SecuriteInfo.com.Trojan.PackedNET.2147.11643.5777.exe	Get hash	malicious	PureLog Stealer, Xmrig, zgRAT	Browse	185.196.10.233
	4KwjQMqbmm.exe	Get hash	malicious	PureLog Stealer, Xmrig, zgRAT	Browse	185.196.10.233
	dekont.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	185.196.11.12
	U8fPEL1Gwi.exe	Get hash	malicious	PureLog Stealer, Xmrig, zgRAT	Browse	185.196.10.233
CANONICAL-ASGB	jssKanl7bD.elf	Get hash	malicious	Mirai, Okiru	Browse	91.189.91.42
	eI5fTcq2no.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	73wSOh7A9P.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	e9NxPUbA9r.elf	Get hash	malicious	Mirai, Okiru	Browse	91.189.91.42
	F17oc0pNHk.elf	Get hash	malicious	Mirai, Okiru	Browse	91.189.91.42
	1HoxbBh9mb.elf	Get hash	malicious	Mirai, Okiru	Browse	91.189.91.42
	V06ANR64H4.elf	Get hash	malicious	Mirai, Okiru	Browse	91.189.91.42
	DI3Zukrm4Y.elf	Get hash	malicious	Mirai, Okiru	Browse	91.189.91.42
	WINSx8yLsb.elf	Get hash	malicious	Mirai, Okiru	Browse	91.189.91.42
	Rubify.arm.elf	Get hash	malicious	Mirai	Browse	91.189.91.42

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

/run/user/127/dconf/user

Download File

Process:	/usr/libexec/gsd-power
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	93B885ADFE0DA089CDF634904FD59F71
SHA1:	5BA93C9DB0CFF93F52B521D7420E43F6EDA2784F
SHA-256:	6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D
SHA-512:	B8244D028981D693AF7B456AF8EFA4CAD63D282E19FF14942C246E50D9351D22704A802A71C3580B6370DE4CEB293C324A8423342557D4E5C38438F0E36910EE
Malicious:	false
Reputation:	high, very likely benign file
Preview:	.

/tmp/server-0.xkm

Download File

Process:	/usr/bin/xkbcomp
File Type:	Compiled XKB Keymap: lsb, version 15
Category:	dropped
Size (bytes):	12060
Entropy (8bit):	4.8492493153178975
Encrypted:	false
SSDEEP:	192:tDyb2zOmnECQmwTVFfLaSLus4UVcqLkjoqdD//HJeCQ1+JdDx0s2T:tDyAxvYhFf+S6tUzmp7/1MJ
MD5:	B4E3EB0B8B6B0FC1F46740C573E18D86
SHA1:	7D35426357695EBA77850757E8939A62DCEFF2D1
SHA-256:	7951135CC89A6E89493E3A9997C3D9054439459F8BFCE3DDEC76B943DA79FA91
SHA-512:	8196A23E2B5E525A5581562A2D7F2EE4FF5B694FEF3E218206D52EA9BFE80600BB0C6AA8968CA58E93E1AAD478FA05E157D08DB6D4D1224DDEA6754E377BE001
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.mkx..............D.......................h.......<.....P.@%.......&......D.......NumLock.....Alt.....LevelThree..LAlt....RAlt....RControl....LControl....ScrollLock..LevelFive...AltGr...Meta....Super...Hyper...........evdev+aliases(qwerty)...!.....ESC.AE01AE02AE03AE04AE05AE06AE07AE08AE09AE10AE11AE12BKSPTAB.AD01AD02AD03AD04AD05AD06AD07AD08AD09AD10AD11AD12RTRNLCTLAC01AC02AC03AC04AC05AC06AC07AC08AC09AC10AC11TLDELFSHBKSLAB01AB02AB03AB04AB05AB06AB07AB08AB09AB10RTSHKPMULALTSPCECAPSFK01FK02FK03FK04FK05FK06FK07FK08FK09FK10NMLKSCLKKP7.KP8.KP9.KPSUKP4.KP5.KP6.KPADKP1.KP2.KP3.KP0.KPDLLVL3....LSGTFK11FK12AB11KATAHIRAHENKHKTGMUHEJPCMKPENRCTLKPDVPRSCRALTLNFDHOMEUP..PGUPLEFTRGHTEND.DOWNPGDNINS.DELEI120MUTEVOL-VOL+POWRKPEQI126PAUSI128I129HNGLHJCVAE13LWINRWINCOMPSTOPAGAIPROPUNDOFRNTCOPYOPENPASTFINDCUT.HELPI147I148I149I150I151I152I153I154I155I156I157I158I159I160I161I162I163I164I165I166I167I168I169I170I171I172I173I174I175I176I177I178I179I180I181I182I183I184I185I186I187I188I189I190FK13FK14FK15FK16FK17FK18

/var/lib/AccountsService/users/gdm.T77PM2

Download File

Process:	/usr/lib/accountsservice/accounts-daemon
File Type:	ASCII text
Category:	dropped
Size (bytes):	51
Entropy (8bit):	4.647628037922664
Encrypted:	false
SSDEEP:	3:urCLnT+PzKLrAan4R8AKn:gI+zKLrAa4M
MD5:	071DABFEAD25B35D415780C2CFA55287
SHA1:	ED08D2B2FC77EF256FF9196934A55CFE4AE1B8E3
SHA-256:	E778170EDFD4C9871EFF24F592FF7A23D2A08A86479A6B14E42AF5FC1094416C
SHA-512:	8FBC64B76E1916570726BE87A2E9FBF7BDD1B07AB64A4A007EF20846273D416C04B32F8D2B923F1FDAA82BA729F2668A402DF608F4852E7676F67247A2666668
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	[User].Icon=/var/lib/gdm3/.face.SystemAccount=true.

Static File Info

General

File type:	ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.257903473191838
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	C1Dd84tB3n.elf
File size:	51'264 bytes
MD5:	614535d91c815dc05beef2f10224e069
SHA1:	de5eb9772e7bf8087fecebb2c74ee998408be61e
SHA256:	8495237ddf43196df79fcfb9a5d8a7a5fd5a14e2d9012b5d7bee000dad10da75
SHA512:	89ad7001d59fb28a1b46279ef489a6d302f0f18e11b3b5575b65790d045f48bbf3bb6602894f176e94e41ad2dc32bee1b088687f0e6b503edcbfcba6f9d56463
SSDEEP:	768:nHHqmdDSodln8muwq4roeuZ7YvK3VfoRYjGbWnaWUohyye43egkE6I2jvk:HKmdDSodl8mqnZsvIfurWnaEyyOr
TLSH:	67334A07B96280FDC5ADC17847BAB639CD3374BE027976AA33D4FA3A6D49D211E5D800
File Content Preview:	.ELF..............>.......@.....@...................@.8...@.......................@.......@...............................................P.......P..............1..............Q.td....................................................H...._........H........

Static ELF Info

ELF header
Class:	ELF64
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Advanced Micro Devices X86-64
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x400194
Flags:	0x0
ELF Header Size:	64
Program Header Offset:	64
Program Header Size:	56
Number of Program Headers:	3
Section Header Offset:	50624
Section Header Size:	64
Number of Section Headers:	10
Header String Table Index:	9

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x4000e8	0xe8	0x13	0x0	0x6	AX	1
.text	PROGBITS	0x400100	0x100	0xa006	0x0	0x6	AX	16
.fini	PROGBITS	0x40a106	0xa106	0xe	0x0	0x6	AX	1
.rodata	PROGBITS	0x40a120	0xa120	0x1f70	0x0	0x2	A	32
.ctors	PROGBITS	0x50c098	0xc098	0x10	0x0	0x3	WA	8
.dtors	PROGBITS	0x50c0a8	0xc0a8	0x10	0x0	0x3	WA	8
.data	PROGBITS	0x50c0c0	0xc0c0	0x4c0	0x0	0x3	WA	32
.bss	NOBITS	0x50c580	0xc580	0x2ce8	0x0	0x3	WA	32
.shstrtab	STRTAB	0x0	0xc580	0x3e	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x400000	0x400000	0xc090	0xc090	6.3586	0x5	R E	0x100000	.init .text .fini .rodata
LOAD	0xc098	0x50c098	0x50c098	0x4e8	0x31d0	2.3223	0x6	RW	0x100000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x8

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 24, 2024 10:58:47.803306103 CEST	50164	51237	192.168.2.14	185.196.9.5
Apr 24, 2024 10:58:48.109540939 CEST	51237	50164	185.196.9.5	192.168.2.14
Apr 24, 2024 10:58:48.109625101 CEST	50164	51237	192.168.2.14	185.196.9.5
Apr 24, 2024 10:58:56.763092041 CEST	46540	443	192.168.2.14	185.125.190.26
Apr 24, 2024 10:59:27.226093054 CEST	46540	443	192.168.2.14	185.125.190.26

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 24, 2024 10:58:47.483983994 CEST	51576	53	192.168.2.14	8.8.8.8
Apr 24, 2024 10:58:47.803009033 CEST	53	51576	8.8.8.8	192.168.2.14
Apr 24, 2024 10:58:54.759167910 CEST	47522	53	192.168.2.14	8.8.8.8
Apr 24, 2024 10:58:54.759259939 CEST	42929	53	192.168.2.14	8.8.8.8
Apr 24, 2024 10:58:54.929150105 CEST	53	47522	8.8.8.8	192.168.2.14
Apr 24, 2024 10:58:54.930186987 CEST	53	42929	8.8.8.8	192.168.2.14

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Apr 24, 2024 10:58:54.898296118 CEST	192.168.2.14	192.168.2.1	827a	(Port unreachable)	Destination Unreachable
Apr 24, 2024 11:00:14.924045086 CEST	192.168.2.14	192.168.2.1	827a	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 24, 2024 10:58:47.483983994 CEST	192.168.2.14	8.8.8.8	0xded8	Standard query (0)	fdh32fsdfhs.shop	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:58:54.759167910 CEST	192.168.2.14	8.8.8.8	0xf481	Standard query (0)	daisy.ubuntu.com	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:58:54.759259939 CEST	192.168.2.14	8.8.8.8	0x45c0	Standard query (0)	daisy.ubuntu.com	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Apr 24, 2024 10:58:47.803009033 CEST	8.8.8.8	192.168.2.14	0xded8	No error (0)	fdh32fsdfhs.shop	185.196.9.5	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:58:54.929150105 CEST	8.8.8.8	192.168.2.14	0xf481	No error (0)	daisy.ubuntu.com	162.213.35.25	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:58:54.929150105 CEST	8.8.8.8	192.168.2.14	0xf481	No error (0)	daisy.ubuntu.com	162.213.35.24	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: C1Dd84tB3n.elf PID: 5506, Parent PID: 5429

General

Start time (UTC):	08:58:46
Start date (UTC):	24/04/2024
Path:	/tmp/C1Dd84tB3n.elf
Arguments:	/tmp/C1Dd84tB3n.elf
File size:	51264 bytes
MD5 hash:	614535d91c815dc05beef2f10224e069

Chronological Activities

Analysis Process: C1Dd84tB3n.elf PID: 5507, Parent PID: 5506

General

Start time (UTC):	08:58:46
Start date (UTC):	24/04/2024
Path:	/tmp/C1Dd84tB3n.elf
Arguments:	-
File size:	51264 bytes
MD5 hash:	614535d91c815dc05beef2f10224e069

Chronological Activities

Analysis Process: C1Dd84tB3n.elf PID: 5508, Parent PID: 5506

General

Start time (UTC):	08:58:46
Start date (UTC):	24/04/2024
Path:	/tmp/C1Dd84tB3n.elf
Arguments:	-
File size:	51264 bytes
MD5 hash:	614535d91c815dc05beef2f10224e069

Chronological Activities

Analysis Process: udisksd PID: 5514, Parent PID: 803

General

Start time (UTC):	08:58:46
Start date (UTC):	24/04/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Chronological Activities

Analysis Process: dumpe2fs PID: 5514, Parent PID: 803

General

Start time (UTC):	08:58:46
Start date (UTC):	24/04/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Chronological Activities

Analysis Process: gnome-session-binary PID: 5551, Parent PID: 1383

General

Start time (UTC):	08:58:46
Start date (UTC):	24/04/2024
Path:	/usr/libexec/gnome-session-binary
Arguments:	-
File size:	334664 bytes
MD5 hash:	d9b90be4f7db60cb3c2d3da6a1d31bfb

Chronological Activities

Analysis Process: sh PID: 5551, Parent PID: 1383

General

Start time (UTC):	08:58:46
Start date (UTC):	24/04/2024
Path:	/bin/sh
Arguments:	/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-wacom
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gsd-wacom PID: 5551, Parent PID: 1383

General

Start time (UTC):	08:58:47
Start date (UTC):	24/04/2024
Path:	/usr/libexec/gsd-wacom
Arguments:	/usr/libexec/gsd-wacom
File size:	39520 bytes
MD5 hash:	13778dd1a23a4e94ddc17ac9caa4fcc1

Chronological Activities

Analysis Process: udisksd PID: 5569, Parent PID: 803

General

Start time (UTC):	08:58:46
Start date (UTC):	24/04/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Chronological Activities

Analysis Process: dumpe2fs PID: 5569, Parent PID: 803

General

Start time (UTC):	08:58:46
Start date (UTC):	24/04/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Chronological Activities

Analysis Process: systemd PID: 5574, Parent PID: 1

General

Start time (UTC):	08:58:47
Start date (UTC):	24/04/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: upowerd PID: 5574, Parent PID: 1

General

Start time (UTC):	08:58:47
Start date (UTC):	24/04/2024
Path:	/usr/lib/upower/upowerd
Arguments:	/usr/lib/upower/upowerd
File size:	260328 bytes
MD5 hash:	1253eea2fe5fe4017069664284e326cd

Chronological Activities

Analysis Process: xfce4-panel PID: 5585, Parent PID: 3172

General

Start time (UTC):	08:58:47
Start date (UTC):	24/04/2024
Path:	/usr/bin/xfce4-panel
Arguments:	-
File size:	375768 bytes
MD5 hash:	a15b657c7d54ac1385f1f15004ea6784

Chronological Activities

Analysis Process: wrapper-2.0 PID: 5585, Parent PID: 3172

General

Start time (UTC):	08:58:47
Start date (UTC):	24/04/2024
Path:	/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
Arguments:	/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libsystray.so 6 12582920 systray "Notification Area" "Area where notification icons appear"
File size:	35136 bytes
MD5 hash:	ac0b8a906f359a8ae102244738682e76

Chronological Activities

Analysis Process: gnome-session-binary PID: 5595, Parent PID: 1383

General

Start time (UTC):	08:58:47
Start date (UTC):	24/04/2024
Path:	/usr/libexec/gnome-session-binary
Arguments:	-
File size:	334664 bytes
MD5 hash:	d9b90be4f7db60cb3c2d3da6a1d31bfb

Chronological Activities

Analysis Process: sh PID: 5595, Parent PID: 1383

General

Start time (UTC):	08:58:47
Start date (UTC):	24/04/2024
Path:	/bin/sh
Arguments:	/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-keyboard
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gsd-keyboard PID: 5595, Parent PID: 1383

General

Start time (UTC):	08:58:47
Start date (UTC):	24/04/2024
Path:	/usr/libexec/gsd-keyboard
Arguments:	/usr/libexec/gsd-keyboard
File size:	39760 bytes
MD5 hash:	8e288fd17c80bb0a1148b964b2ac2279

Chronological Activities

Analysis Process: xfce4-panel PID: 5597, Parent PID: 3172

General

Start time (UTC):	08:58:47
Start date (UTC):	24/04/2024
Path:	/usr/bin/xfce4-panel
Arguments:	-
File size:	375768 bytes
MD5 hash:	a15b657c7d54ac1385f1f15004ea6784

Chronological Activities

Analysis Process: wrapper-2.0 PID: 5597, Parent PID: 3172

General

Start time (UTC):	08:58:47
Start date (UTC):	24/04/2024
Path:	/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
Arguments:	/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libstatusnotifier.so 7 12582921 statusnotifier "Status Notifier Plugin" "Provides a panel area for status notifier items (application indicators)"
File size:	35136 bytes
MD5 hash:	ac0b8a906f359a8ae102244738682e76

Chronological Activities

Analysis Process: xfce4-panel PID: 5614, Parent PID: 3172

General

Start time (UTC):	08:58:47
Start date (UTC):	24/04/2024
Path:	/usr/bin/xfce4-panel
Arguments:	-
File size:	375768 bytes
MD5 hash:	a15b657c7d54ac1385f1f15004ea6784

Chronological Activities

Analysis Process: wrapper-2.0 PID: 5614, Parent PID: 3172

General

Start time (UTC):	08:58:47
Start date (UTC):	24/04/2024
Path:	/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
Arguments:	/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libxfce4powermanager.so 9 12582923 power-manager-plugin "Power Manager Plugin" "Display the battery levels of your devices and control the brightness of your display"
File size:	35136 bytes
MD5 hash:	ac0b8a906f359a8ae102244738682e76

Chronological Activities

Analysis Process: gnome-session-binary PID: 5615, Parent PID: 1383

General

Start time (UTC):	08:58:47
Start date (UTC):	24/04/2024
Path:	/usr/libexec/gnome-session-binary
Arguments:	-
File size:	334664 bytes
MD5 hash:	d9b90be4f7db60cb3c2d3da6a1d31bfb

Chronological Activities

Analysis Process: sh PID: 5615, Parent PID: 1383

General

Start time (UTC):	08:58:47
Start date (UTC):	24/04/2024
Path:	/bin/sh
Arguments:	/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-smartcard
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gsd-smartcard PID: 5615, Parent PID: 1383

General

Start time (UTC):	08:58:47
Start date (UTC):	24/04/2024
Path:	/usr/libexec/gsd-smartcard
Arguments:	/usr/libexec/gsd-smartcard
File size:	109152 bytes
MD5 hash:	ea1fbd7f62e4cd0331eae2ef754ee605

Chronological Activities

Analysis Process: xfce4-panel PID: 5630, Parent PID: 3172

General

Start time (UTC):	08:58:47
Start date (UTC):	24/04/2024
Path:	/usr/bin/xfce4-panel
Arguments:	-
File size:	375768 bytes
MD5 hash:	a15b657c7d54ac1385f1f15004ea6784

Chronological Activities

Analysis Process: udisksd PID: 5634, Parent PID: 803

General

Start time (UTC):	08:58:47
Start date (UTC):	24/04/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Chronological Activities

Analysis Process: dumpe2fs PID: 5634, Parent PID: 803

General

Start time (UTC):	08:58:47
Start date (UTC):	24/04/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Chronological Activities

Analysis Process: gnome-session-binary PID: 5639, Parent PID: 1383

General

Start time (UTC):	08:58:47
Start date (UTC):	24/04/2024
Path:	/usr/libexec/gnome-session-binary
Arguments:	-
File size:	334664 bytes
MD5 hash:	d9b90be4f7db60cb3c2d3da6a1d31bfb

Chronological Activities

Analysis Process: sh PID: 5639, Parent PID: 1383

General

Start time (UTC):	08:58:47
Start date (UTC):	24/04/2024
Path:	/bin/sh
Arguments:	/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-sharing
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gsd-sharing PID: 5639, Parent PID: 1383

General

Start time (UTC):	08:58:47
Start date (UTC):	24/04/2024
Path:	/usr/libexec/gsd-sharing
Arguments:	/usr/libexec/gsd-sharing
File size:	35424 bytes
MD5 hash:	e29d9025d98590fbb69f89fdbd4438b3

Chronological Activities

Analysis Process: gnome-session-binary PID: 5640, Parent PID: 1383

General

Start time (UTC):	08:58:47
Start date (UTC):	24/04/2024
Path:	/usr/libexec/gnome-session-binary
Arguments:	-
File size:	334664 bytes
MD5 hash:	d9b90be4f7db60cb3c2d3da6a1d31bfb

Chronological Activities

Analysis Process: sh PID: 5640, Parent PID: 1383

General

Start time (UTC):	08:58:47
Start date (UTC):	24/04/2024
Path:	/bin/sh
Arguments:	/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-rfkill
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gsd-rfkill PID: 5640, Parent PID: 1383

General

Start time (UTC):	08:58:47
Start date (UTC):	24/04/2024
Path:	/usr/libexec/gsd-rfkill
Arguments:	/usr/libexec/gsd-rfkill
File size:	51808 bytes
MD5 hash:	88a16a3c0aba1759358c06215ecfb5cc

Chronological Activities

Analysis Process: gdm-session-worker PID: 5641, Parent PID: 2946

General

Start time (UTC):	08:58:47
Start date (UTC):	24/04/2024
Path:	/usr/lib/gdm3/gdm-session-worker
Arguments:	-
File size:	293360 bytes
MD5 hash:	692243754bd9f38fe9bd7e230b5c060a

Chronological Activities

Analysis Process: Default PID: 5641, Parent PID: 2946

General

Start time (UTC):	08:58:47
Start date (UTC):	24/04/2024
Path:	/etc/gdm3/PostSession/Default
Arguments:	/etc/gdm3/PostSession/Default
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gnome-session-binary PID: 5642, Parent PID: 1383

General

Start time (UTC):	08:58:47
Start date (UTC):	24/04/2024
Path:	/usr/libexec/gnome-session-binary
Arguments:	-
File size:	334664 bytes
MD5 hash:	d9b90be4f7db60cb3c2d3da6a1d31bfb

Chronological Activities

Analysis Process: sh PID: 5642, Parent PID: 1383

General

Start time (UTC):	08:58:47
Start date (UTC):	24/04/2024
Path:	/bin/sh
Arguments:	/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-media-keys
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gsd-media-keys PID: 5642, Parent PID: 1383

General

Start time (UTC):	08:58:47
Start date (UTC):	24/04/2024
Path:	/usr/libexec/gsd-media-keys
Arguments:	/usr/libexec/gsd-media-keys
File size:	232936 bytes
MD5 hash:	a425448c135afb4b8bfd79cc0b6b74da

Chronological Activities

Analysis Process: gdm3 PID: 5643, Parent PID: 1289

General

Start time (UTC):	08:58:47
Start date (UTC):	24/04/2024
Path:	/usr/sbin/gdm3
Arguments:	-
File size:	453296 bytes
MD5 hash:	2492e2d8d34f9377e3e530a61a15674f

Chronological Activities

Analysis Process: Default PID: 5643, Parent PID: 1289

General

Start time (UTC):	08:58:47
Start date (UTC):	24/04/2024
Path:	/etc/gdm3/PrimeOff/Default
Arguments:	/etc/gdm3/PrimeOff/Default
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gnome-session-binary PID: 5644, Parent PID: 1383

General

Start time (UTC):	08:58:47
Start date (UTC):	24/04/2024
Path:	/usr/libexec/gnome-session-binary
Arguments:	-
File size:	334664 bytes
MD5 hash:	d9b90be4f7db60cb3c2d3da6a1d31bfb

Chronological Activities

Analysis Process: sh PID: 5644, Parent PID: 1383

General

Start time (UTC):	08:58:47
Start date (UTC):	24/04/2024
Path:	/bin/sh
Arguments:	/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-print-notifications
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gsd-print-notifications PID: 5644, Parent PID: 1383

General

Start time (UTC):	08:58:47
Start date (UTC):	24/04/2024
Path:	/usr/libexec/gsd-print-notifications
Arguments:	/usr/libexec/gsd-print-notifications
File size:	51840 bytes
MD5 hash:	71539698aa691718cee775d6b9450ae2

Chronological Activities

Analysis Process: gsd-print-notifications PID: 5821, Parent PID: 5644

General

Start time (UTC):	08:58:52
Start date (UTC):	24/04/2024
Path:	/usr/libexec/gsd-print-notifications
Arguments:	-
File size:	51840 bytes
MD5 hash:	71539698aa691718cee775d6b9450ae2

Chronological Activities

Analysis Process: gsd-print-notifications PID: 5822, Parent PID: 5821

General

Start time (UTC):	08:58:52
Start date (UTC):	24/04/2024
Path:	/usr/libexec/gsd-print-notifications
Arguments:	-
File size:	51840 bytes
MD5 hash:	71539698aa691718cee775d6b9450ae2

Chronological Activities

Analysis Process: gsd-printer PID: 5822, Parent PID: 1

General

Start time (UTC):	08:58:53
Start date (UTC):	24/04/2024
Path:	/usr/libexec/gsd-printer
Arguments:	/usr/libexec/gsd-printer
File size:	31120 bytes
MD5 hash:	7995828cf98c315fd55f2ffb3b22384d

Chronological Activities

Analysis Process: gnome-session-binary PID: 5646, Parent PID: 1383

General

Start time (UTC):	08:58:47
Start date (UTC):	24/04/2024
Path:	/usr/libexec/gnome-session-binary
Arguments:	-
File size:	334664 bytes
MD5 hash:	d9b90be4f7db60cb3c2d3da6a1d31bfb

Chronological Activities

Analysis Process: sh PID: 5646, Parent PID: 1383

General

Start time (UTC):	08:58:47
Start date (UTC):	24/04/2024
Path:	/bin/sh
Arguments:	/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-color
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gsd-color PID: 5646, Parent PID: 1383

General

Start time (UTC):	08:58:47
Start date (UTC):	24/04/2024
Path:	/usr/libexec/gsd-color
Arguments:	/usr/libexec/gsd-color
File size:	92832 bytes
MD5 hash:	ac2861ad93ce047283e8e87cefef9a19

Chronological Activities

Analysis Process: gnome-session-binary PID: 5647, Parent PID: 1383

General

Start time (UTC):	08:58:47
Start date (UTC):	24/04/2024
Path:	/usr/libexec/gnome-session-binary
Arguments:	-
File size:	334664 bytes
MD5 hash:	d9b90be4f7db60cb3c2d3da6a1d31bfb

Chronological Activities

Analysis Process: sh PID: 5647, Parent PID: 1383

General

Start time (UTC):	08:58:47
Start date (UTC):	24/04/2024
Path:	/bin/sh
Arguments:	/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-screensaver-proxy
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gsd-screensaver-proxy PID: 5647, Parent PID: 1383

General

Start time (UTC):	08:58:47
Start date (UTC):	24/04/2024
Path:	/usr/libexec/gsd-screensaver-proxy
Arguments:	/usr/libexec/gsd-screensaver-proxy
File size:	27232 bytes
MD5 hash:	77e309450c87dceee43f1a9e50cc0d02

Chronological Activities

Analysis Process: udisksd PID: 5649, Parent PID: 803

General

Start time (UTC):	08:58:47
Start date (UTC):	24/04/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Chronological Activities

Analysis Process: dumpe2fs PID: 5649, Parent PID: 803

General

Start time (UTC):	08:58:47
Start date (UTC):	24/04/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Chronological Activities

Analysis Process: gnome-session-binary PID: 5650, Parent PID: 1383

General

Start time (UTC):	08:58:47
Start date (UTC):	24/04/2024
Path:	/usr/libexec/gnome-session-binary
Arguments:	-
File size:	334664 bytes
MD5 hash:	d9b90be4f7db60cb3c2d3da6a1d31bfb

Chronological Activities

Analysis Process: sh PID: 5650, Parent PID: 1383

General

Start time (UTC):	08:58:47
Start date (UTC):	24/04/2024
Path:	/bin/sh
Arguments:	/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-a11y-settings
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gsd-a11y-settings PID: 5650, Parent PID: 1383

General

Start time (UTC):	08:58:48
Start date (UTC):	24/04/2024
Path:	/usr/libexec/gsd-a11y-settings
Arguments:	/usr/libexec/gsd-a11y-settings
File size:	23056 bytes
MD5 hash:	18e243d2cf30ecee7ea89d1462725c5c

Chronological Activities

Analysis Process: gnome-session-binary PID: 5651, Parent PID: 1383

General

Start time (UTC):	08:58:47
Start date (UTC):	24/04/2024
Path:	/usr/libexec/gnome-session-binary
Arguments:	-
File size:	334664 bytes
MD5 hash:	d9b90be4f7db60cb3c2d3da6a1d31bfb

Chronological Activities

Analysis Process: sh PID: 5651, Parent PID: 1383

General

Start time (UTC):	08:58:47
Start date (UTC):	24/04/2024
Path:	/bin/sh
Arguments:	/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gsd-housekeeping PID: 5651, Parent PID: 1383

General

Start time (UTC):	08:58:48
Start date (UTC):	24/04/2024
Path:	/usr/libexec/gsd-housekeeping
Arguments:	/usr/libexec/gsd-housekeeping
File size:	51840 bytes
MD5 hash:	b55f3394a84976ddb92a2915e5d76914

Chronological Activities

Analysis Process: gnome-session-binary PID: 5652, Parent PID: 1383

General

Start time (UTC):	08:58:48
Start date (UTC):	24/04/2024
Path:	/usr/libexec/gnome-session-binary
Arguments:	-
File size:	334664 bytes
MD5 hash:	d9b90be4f7db60cb3c2d3da6a1d31bfb

Chronological Activities

Analysis Process: sh PID: 5652, Parent PID: 1383

General

Start time (UTC):	08:58:48
Start date (UTC):	24/04/2024
Path:	/bin/sh
Arguments:	/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-sound
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gsd-sound PID: 5652, Parent PID: 1383

General

Start time (UTC):	08:58:48
Start date (UTC):	24/04/2024
Path:	/usr/libexec/gsd-sound
Arguments:	/usr/libexec/gsd-sound
File size:	31248 bytes
MD5 hash:	4c7d3fb993463337b4a0eb5c80c760ee

Chronological Activities

Analysis Process: gnome-session-binary PID: 5655, Parent PID: 1383

General

Start time (UTC):	08:58:48
Start date (UTC):	24/04/2024
Path:	/usr/libexec/gnome-session-binary
Arguments:	-
File size:	334664 bytes
MD5 hash:	d9b90be4f7db60cb3c2d3da6a1d31bfb

Chronological Activities

Analysis Process: sh PID: 5655, Parent PID: 1383

General

Start time (UTC):	08:58:48
Start date (UTC):	24/04/2024
Path:	/bin/sh
Arguments:	/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-power
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gsd-power PID: 5655, Parent PID: 1383

General

Start time (UTC):	08:58:49
Start date (UTC):	24/04/2024
Path:	/usr/libexec/gsd-power
Arguments:	/usr/libexec/gsd-power
File size:	88672 bytes
MD5 hash:	28b8e1b43c3e7f1db6741ea1ecd978b7

Chronological Activities

Analysis Process: Xorg PID: 5658, Parent PID: 1371

General

Start time (UTC):	08:58:48
Start date (UTC):	24/04/2024
Path:	/usr/lib/xorg/Xorg
Arguments:	-
File size:	2448840 bytes
MD5 hash:	730cf4c45a7ee8bea88abf165463b7f8

Chronological Activities

Analysis Process: sh PID: 5658, Parent PID: 1371

General

Start time (UTC):	08:58:48
Start date (UTC):	24/04/2024
Path:	/bin/sh
Arguments:	sh -c "\"/usr/bin/xkbcomp\" -w 1 \"-R/usr/share/X11/xkb\" -xkm \"-\" -em1 \"The XKEYBOARD keymap compiler (xkbcomp) reports:\" -emp \"> \" -eml \"Errors from xkbcomp are not fatal to the X server\" \"/tmp/server-0.xkm\""
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5662, Parent PID: 5658

General

Start time (UTC):	08:58:49
Start date (UTC):	24/04/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: xkbcomp PID: 5662, Parent PID: 5658

General

Start time (UTC):	08:58:49
Start date (UTC):	24/04/2024
Path:	/usr/bin/xkbcomp
Arguments:	/usr/bin/xkbcomp -w 1 -R/usr/share/X11/xkb -xkm - -em1 "The XKEYBOARD keymap compiler (xkbcomp) reports:" -emp "> " -eml "Errors from xkbcomp are not fatal to the X server" /tmp/server-0.xkm
File size:	217184 bytes
MD5 hash:	c5f953aec4c00d2a1cc27acb75d62c9b

Chronological Activities

Analysis Process: systemd PID: 5690, Parent PID: 1

General

Start time (UTC):	08:58:52
Start date (UTC):	24/04/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: systemd-hostnamed PID: 5690, Parent PID: 1

General

Start time (UTC):	08:58:52
Start date (UTC):	24/04/2024
Path:	/lib/systemd/systemd-hostnamed
Arguments:	/lib/systemd/systemd-hostnamed
File size:	35040 bytes
MD5 hash:	2cc8a5576629a2d5bd98e49a4b8bef65

Chronological Activities

Analysis Process: systemd PID: 5828, Parent PID: 1

General

Start time (UTC):	08:58:53
Start date (UTC):	24/04/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: systemd-user-runtime-dir PID: 5828, Parent PID: 1

General

Start time (UTC):	08:58:53
Start date (UTC):	24/04/2024
Path:	/lib/systemd/systemd-user-runtime-dir
Arguments:	/lib/systemd/systemd-user-runtime-dir stop 1000
File size:	22672 bytes
MD5 hash:	d55f4b0847f88131dbcfb07435178e54

Chronological Activities

Analysis Process: dbus-daemon PID: 5830, Parent PID: 5829

General

Start time (UTC):	08:58:54
Start date (UTC):	24/04/2024
Path:	/usr/bin/dbus-daemon
Arguments:	-
File size:	249032 bytes
MD5 hash:	3089d47e3f3ab84cd81c48fd406d7a8c

Chronological Activities

Analysis Process: false PID: 5830, Parent PID: 5829

General

Start time (UTC):	08:58:54
Start date (UTC):	24/04/2024
Path:	/bin/false
Arguments:	/bin/false
File size:	39256 bytes
MD5 hash:	3177546c74e4f0062909eae43d948bfc

Chronological Activities

Analysis Process: Xorg PID: 5837, Parent PID: 1371

General

Start time (UTC):	08:58:56
Start date (UTC):	24/04/2024
Path:	/usr/lib/xorg/Xorg
Arguments:	-
File size:	2448840 bytes
MD5 hash:	730cf4c45a7ee8bea88abf165463b7f8

Chronological Activities

Analysis Process: sh PID: 5837, Parent PID: 1371

General

Start time (UTC):	08:58:56
Start date (UTC):	24/04/2024
Path:	/bin/sh
Arguments:	sh -c "\"/usr/bin/xkbcomp\" -w 1 \"-R/usr/share/X11/xkb\" -xkm \"-\" -em1 \"The XKEYBOARD keymap compiler (xkbcomp) reports:\" -emp \"> \" -eml \"Errors from xkbcomp are not fatal to the X server\" \"/tmp/server-0.xkm\""
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5838, Parent PID: 5837

General

Start time (UTC):	08:58:56
Start date (UTC):	24/04/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: xkbcomp PID: 5838, Parent PID: 5837

General

Start time (UTC):	08:58:56
Start date (UTC):	24/04/2024
Path:	/usr/bin/xkbcomp
Arguments:	/usr/bin/xkbcomp -w 1 -R/usr/share/X11/xkb -xkm - -em1 "The XKEYBOARD keymap compiler (xkbcomp) reports:" -emp "> " -eml "Errors from xkbcomp are not fatal to the X server" /tmp/server-0.xkm
File size:	217184 bytes
MD5 hash:	c5f953aec4c00d2a1cc27acb75d62c9b

Chronological Activities

Analysis Process: systemd PID: 5870, Parent PID: 1

General

Start time (UTC):	08:59:01
Start date (UTC):	24/04/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: colord PID: 5870, Parent PID: 1

General

Start time (UTC):	08:59:01
Start date (UTC):	24/04/2024
Path:	/usr/libexec/colord
Arguments:	/usr/libexec/colord
File size:	346632 bytes
MD5 hash:	70861d1b2818c9279cd4a5c9035dac1f

Chronological Activities

Analysis Process: colord PID: 5896, Parent PID: 5870

General

Start time (UTC):	08:59:09
Start date (UTC):	24/04/2024
Path:	/usr/libexec/colord
Arguments:	-
File size:	346632 bytes
MD5 hash:	70861d1b2818c9279cd4a5c9035dac1f

Chronological Activities

Analysis Process: colord-sane PID: 5896, Parent PID: 5870

General

Start time (UTC):	08:59:09
Start date (UTC):	24/04/2024
Path:	/usr/libexec/colord-sane
Arguments:	/usr/libexec/colord-sane
File size:	18736 bytes
MD5 hash:	5f98d754a07bf1385c3ff001cde3882e

Chronological Activities

Analysis Process: systemd PID: 5872, Parent PID: 1

General

Start time (UTC):	08:59:02
Start date (UTC):	24/04/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: accounts-daemon PID: 5872, Parent PID: 1

General

Start time (UTC):	08:59:02
Start date (UTC):	24/04/2024
Path:	/usr/lib/accountsservice/accounts-daemon
Arguments:	/usr/lib/accountsservice/accounts-daemon
File size:	203192 bytes
MD5 hash:	01a899e3fb5e7e434bea1290255a1f30

Chronological Activities

Analysis Process: accounts-daemon PID: 5885, Parent PID: 5872

General

Start time (UTC):	08:59:04
Start date (UTC):	24/04/2024
Path:	/usr/lib/accountsservice/accounts-daemon
Arguments:	-
File size:	203192 bytes
MD5 hash:	01a899e3fb5e7e434bea1290255a1f30

Chronological Activities

Analysis Process: language-validate PID: 5885, Parent PID: 5872

General

Start time (UTC):	08:59:04
Start date (UTC):	24/04/2024
Path:	/usr/share/language-tools/language-validate
Arguments:	/usr/share/language-tools/language-validate en_US.UTF-8
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: language-validate PID: 5886, Parent PID: 5885

General

Start time (UTC):	08:59:04
Start date (UTC):	24/04/2024
Path:	/usr/share/language-tools/language-validate
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: language-options PID: 5886, Parent PID: 5885

General

Start time (UTC):	08:59:04
Start date (UTC):	24/04/2024
Path:	/usr/share/language-tools/language-options
Arguments:	/usr/share/language-tools/language-options
File size:	3478464 bytes
MD5 hash:	16a21f464119ea7fad1d3660de963637

Chronological Activities

Analysis Process: language-options PID: 5887, Parent PID: 5886

General

Start time (UTC):	08:59:04
Start date (UTC):	24/04/2024
Path:	/usr/share/language-tools/language-options
Arguments:	-
File size:	3478464 bytes
MD5 hash:	16a21f464119ea7fad1d3660de963637

Chronological Activities

Analysis Process: sh PID: 5887, Parent PID: 5886

General

Start time (UTC):	08:59:04
Start date (UTC):	24/04/2024
Path:	/bin/sh
Arguments:	sh -c "locale -a \| grep -F .utf8 "
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5888, Parent PID: 5887

General

Start time (UTC):	08:59:04
Start date (UTC):	24/04/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: locale PID: 5888, Parent PID: 5887

General

Start time (UTC):	08:59:04
Start date (UTC):	24/04/2024
Path:	/usr/bin/locale
Arguments:	locale -a
File size:	58944 bytes
MD5 hash:	c72a78792469db86d91369c9057f20d2

Chronological Activities

Analysis Process: sh PID: 5889, Parent PID: 5887

General

Start time (UTC):	08:59:04
Start date (UTC):	24/04/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: grep PID: 5889, Parent PID: 5887

General

Start time (UTC):	08:59:04
Start date (UTC):	24/04/2024
Path:	/usr/bin/grep
Arguments:	grep -F .utf8
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Chronological Activities

Analysis Process: systemd PID: 5900, Parent PID: 1

General

Start time (UTC):	08:59:09
Start date (UTC):	24/04/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: systemd-localed PID: 5900, Parent PID: 1

General

Start time (UTC):	08:59:09
Start date (UTC):	24/04/2024
Path:	/lib/systemd/systemd-localed
Arguments:	/lib/systemd/systemd-localed
File size:	43232 bytes
MD5 hash:	1244af9646256d49594f2a8203329aa9

Chronological Activities

Analysis Process: gdm3 PID: 6031, Parent PID: 1289

General

Start time (UTC):	08:59:10
Start date (UTC):	24/04/2024
Path:	/usr/sbin/gdm3
Arguments:	-
File size:	453296 bytes
MD5 hash:	2492e2d8d34f9377e3e530a61a15674f

Chronological Activities

Analysis Process: Default PID: 6031, Parent PID: 1289

General

Start time (UTC):	08:59:10
Start date (UTC):	24/04/2024
Path:	/etc/gdm3/PrimeOff/Default
Arguments:	/etc/gdm3/PrimeOff/Default
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gdm3 PID: 6032, Parent PID: 1289

General

Start time (UTC):	08:59:11
Start date (UTC):	24/04/2024
Path:	/usr/sbin/gdm3
Arguments:	-
File size:	453296 bytes
MD5 hash:	2492e2d8d34f9377e3e530a61a15674f

Chronological Activities

Analysis Process: Default PID: 6032, Parent PID: 1289

General

Start time (UTC):	08:59:11
Start date (UTC):	24/04/2024
Path:	/etc/gdm3/PrimeOff/Default
Arguments:	/etc/gdm3/PrimeOff/Default
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: systemd PID: 6039, Parent PID: 1

General

Start time (UTC):	08:59:20
Start date (UTC):	24/04/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: systemd-user-runtime-dir PID: 6039, Parent PID: 1

General

Start time (UTC):	08:59:20
Start date (UTC):	24/04/2024
Path:	/lib/systemd/systemd-user-runtime-dir
Arguments:	/lib/systemd/systemd-user-runtime-dir stop 127
File size:	22672 bytes
MD5 hash:	d55f4b0847f88131dbcfb07435178e54

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.
Tactics:	Impact
Data Sources:	Command: Command Execution, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Termination, Service: Service Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report C1Dd84tB3n.elf

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Warnings

Process Tree

Yara Signatures

Initial Sample

Memory Dumps

Snort Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/run/user/127/dconf/user

/tmp/server-0.xkm

/var/lib/AccountsService/users/gdm.T77PM2

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: C1Dd84tB3n.elf PID: 5506, Parent PID: 5429

General

Chronological Activities

Analysis Process: C1Dd84tB3n.elf PID: 5507, Parent PID: 5506

General

Chronological Activities

Analysis Process: C1Dd84tB3n.elf PID: 5508, Parent PID: 5506

General

Chronological Activities

Analysis Process: udisksd PID: 5514, Parent PID: 803

General

Chronological Activities

Analysis Process: dumpe2fs PID: 5514, Parent PID: 803

General

Chronological Activities

Analysis Process: gnome-session-binary PID: 5551, Parent PID: 1383

Linux Analysis Report
C1Dd84tB3n.elf