
Analysis Report miori.x86

Overview

General Information

Sample Name:miori.x86
Analysis ID:299750
MD5:16f1df0c0423d9051950cf1b41b8be3a
SHA1:f14bb83ca8f11d0b036d12ec55e3fb798af935ae
SHA256:2255867bf2dc5a97f5d62258ad99749f6138f8d706f43966380c5a1a1f0038b1

Detection

Miori
Score:68
Range:0 - 100
Whitelisted:false

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Miori
Machine Learning detection for sample
Creates hidden files and/or directories
Executes the "grep" command used to find patterns in files or piped streams
Executes the "mkdir" command used to create folders
Executes the "mktemp" command used to create a temporary unique file name
Executes the "rm" command used to delete files or directories
Executes the "sleep" command used to delay execution and potentially evade sandboxes
Sample has stripped symbol table
Sample listens on a socket

Classification

Startup

  • system is lnxubuntu1
  • dash New Fork (PID: 3192, Parent: 3191)
  • sed (PID: 3192, Parent: 3191, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -n "/^DNS=/ { s/^DNS=/nameserver /; p}" /run/systemd/netif/state /run/systemd/netif/leases/*
  • dash New Fork (PID: 3193, Parent: 3191)
  • sort (PID: 3193, Parent: 3191, MD5: fb4c334af5810c835b37ec2ec14a35bd) Arguments: sort -u
  • dash New Fork (PID: 3194, Parent: 2522)
  • sleep (PID: 3194, Parent: 2522, MD5: e9887f1d8cae3dc50b4cbac09435a162) Arguments: sleep 1
  • dash New Fork (PID: 3222, Parent: 3221)
  • sed (PID: 3222, Parent: 3221, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -n "/^DNS=/ { s/^DNS=/nameserver /; p}" /run/systemd/netif/state /run/systemd/netif/leases/*
  • dash New Fork (PID: 3223, Parent: 3221)
  • sort (PID: 3223, Parent: 3221, MD5: fb4c334af5810c835b37ec2ec14a35bd) Arguments: sort -u
  • dash New Fork (PID: 3230, Parent: 2522)
  • sleep (PID: 3230, Parent: 2522, MD5: e9887f1d8cae3dc50b4cbac09435a162) Arguments: sleep 1
  • dash New Fork (PID: 3250, Parent: 3249)
  • sed (PID: 3250, Parent: 3249, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -n "/^DNS=/ { s/^DNS=/nameserver /; p}" /run/systemd/netif/state /run/systemd/netif/leases/*
  • dash New Fork (PID: 3251, Parent: 3249)
  • sort (PID: 3251, Parent: 3249, MD5: fb4c334af5810c835b37ec2ec14a35bd) Arguments: sort -u
  • dash New Fork (PID: 3252, Parent: 2522)
  • sleep (PID: 3252, Parent: 2522, MD5: e9887f1d8cae3dc50b4cbac09435a162) Arguments: sleep 1
  • dash New Fork (PID: 3278, Parent: 3277)
  • sed (PID: 3278, Parent: 3277, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -n "/^DNS=/ { s/^DNS=/nameserver /; p}" /run/systemd/netif/state /run/systemd/netif/leases/*
  • dash New Fork (PID: 3279, Parent: 3277)
  • sort (PID: 3279, Parent: 3277, MD5: fb4c334af5810c835b37ec2ec14a35bd) Arguments: sort -u
  • dash New Fork (PID: 3283, Parent: 2522)
  • sleep (PID: 3283, Parent: 2522, MD5: e9887f1d8cae3dc50b4cbac09435a162) Arguments: sleep 1
  • dash New Fork (PID: 3306, Parent: 3305)
  • sed (PID: 3306, Parent: 3305, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -n "/^DNS=/ { s/^DNS=/nameserver /; p}" /run/systemd/netif/state /run/systemd/netif/leases/*
  • dash New Fork (PID: 3307, Parent: 3305)
  • sort (PID: 3307, Parent: 3305, MD5: fb4c334af5810c835b37ec2ec14a35bd) Arguments: sort -u
  • dash New Fork (PID: 3308, Parent: 2522)
  • sleep (PID: 3308, Parent: 2522, MD5: e9887f1d8cae3dc50b4cbac09435a162) Arguments: sleep 1
  • dash New Fork (PID: 3334, Parent: 3333)
  • sed (PID: 3334, Parent: 3333, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -n "/^DNS=/ { s/^DNS=/nameserver /; p}" /run/systemd/netif/state /run/systemd/netif/leases/*
  • dash New Fork (PID: 3335, Parent: 3333)
  • sort (PID: 3335, Parent: 3333, MD5: fb4c334af5810c835b37ec2ec14a35bd) Arguments: sort -u
  • dash New Fork (PID: 3348, Parent: 2522)
  • sleep (PID: 3348, Parent: 2522, MD5: e9887f1d8cae3dc50b4cbac09435a162) Arguments: sleep 1
  • dash New Fork (PID: 3362, Parent: 3361)
  • sed (PID: 3362, Parent: 3361, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -n "/^DNS=/ { s/^DNS=/nameserver /; p}" /run/systemd/netif/state /run/systemd/netif/leases/*
  • dash New Fork (PID: 3363, Parent: 3361)
  • sort (PID: 3363, Parent: 3361, MD5: fb4c334af5810c835b37ec2ec14a35bd) Arguments: sort -u
  • dash New Fork (PID: 3379, Parent: 2522)
  • sleep (PID: 3379, Parent: 2522, MD5: e9887f1d8cae3dc50b4cbac09435a162) Arguments: sleep 1
  • dash New Fork (PID: 3390, Parent: 3389)
  • sed (PID: 3390, Parent: 3389, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -n "/^DNS=/ { s/^DNS=/nameserver /; p}" /run/systemd/netif/state /run/systemd/netif/leases/*
  • dash New Fork (PID: 3391, Parent: 3389)
  • sort (PID: 3391, Parent: 3389, MD5: fb4c334af5810c835b37ec2ec14a35bd) Arguments: sort -u
  • dash New Fork (PID: 3405, Parent: 2522)
  • sleep (PID: 3405, Parent: 2522, MD5: e9887f1d8cae3dc50b4cbac09435a162) Arguments: sleep 1
  • dash New Fork (PID: 3418, Parent: 3417)
  • sed (PID: 3418, Parent: 3417, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -n "/^DNS=/ { s/^DNS=/nameserver /; p}" /run/systemd/netif/state /run/systemd/netif/leases/*
  • dash New Fork (PID: 3419, Parent: 3417)
  • sort (PID: 3419, Parent: 3417, MD5: fb4c334af5810c835b37ec2ec14a35bd) Arguments: sort -u
  • dash New Fork (PID: 3420, Parent: 2522)
  • sleep (PID: 3420, Parent: 2522, MD5: e9887f1d8cae3dc50b4cbac09435a162) Arguments: sleep 1
  • dash New Fork (PID: 3446, Parent: 3445)
  • sed (PID: 3446, Parent: 3445, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -n "/^DNS=/ { s/^DNS=/nameserver /; p}" /run/systemd/netif/state /run/systemd/netif/leases/*
  • dash New Fork (PID: 3447, Parent: 3445)
  • sort (PID: 3447, Parent: 3445, MD5: fb4c334af5810c835b37ec2ec14a35bd) Arguments: sort -u
  • dash New Fork (PID: 3462, Parent: 2522)
  • sleep (PID: 3462, Parent: 2522, MD5: e9887f1d8cae3dc50b4cbac09435a162) Arguments: sleep 1
  • miori.x86 (PID: 3483, Parent: 3132, MD5: 16f1df0c0423d9051950cf1b41b8be3a) Arguments: /tmp/miori.x86
  • dash New Fork (PID: 3495, Parent: 3494)
  • sed (PID: 3495, Parent: 3494, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -n "/^DNS=/ { s/^DNS=/nameserver /; p}" /run/systemd/netif/state /run/systemd/netif/leases/*
  • dash New Fork (PID: 3496, Parent: 3494)
  • sort (PID: 3496, Parent: 3494, MD5: fb4c334af5810c835b37ec2ec14a35bd) Arguments: sort -u
  • dash New Fork (PID: 3497, Parent: 2522)
  • sleep (PID: 3497, Parent: 2522, MD5: e9887f1d8cae3dc50b4cbac09435a162) Arguments: sleep 1
  • dash New Fork (PID: 3523, Parent: 3522)
  • sed (PID: 3523, Parent: 3522, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -n "/^DNS=/ { s/^DNS=/nameserver /; p}" /run/systemd/netif/state /run/systemd/netif/leases/*
  • dash New Fork (PID: 3524, Parent: 3522)
  • sort (PID: 3524, Parent: 3522, MD5: fb4c334af5810c835b37ec2ec14a35bd) Arguments: sort -u
  • dash New Fork (PID: 3538, Parent: 2522)
  • sleep (PID: 3538, Parent: 2522, MD5: e9887f1d8cae3dc50b4cbac09435a162) Arguments: sleep 1
  • dash New Fork (PID: 3551, Parent: 3550)
  • sed (PID: 3551, Parent: 3550, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -n "/^DNS=/ { s/^DNS=/nameserver /; p}" /run/systemd/netif/state /run/systemd/netif/leases/*
  • dash New Fork (PID: 3552, Parent: 3550)
  • sort (PID: 3552, Parent: 3550, MD5: fb4c334af5810c835b37ec2ec14a35bd) Arguments: sort -u
  • dash New Fork (PID: 3564, Parent: 2522)
  • sleep (PID: 3564, Parent: 2522, MD5: e9887f1d8cae3dc50b4cbac09435a162) Arguments: sleep 1
  • dash New Fork (PID: 3578, Parent: 2522)
  • sed (PID: 3578, Parent: 2522, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -n "/^DOMAINS=/ { s/^.*=/search /; p}" /run/systemd/netif/state
  • dash New Fork (PID: 3579, Parent: 2522)
  • resolvconf (PID: 3579, Parent: 2522, MD5: unknown) Arguments: /bin/sh /sbin/resolvconf -a networkd
    • mkdir (PID: 3580, Parent: 3579, MD5: a97f666f21c85ec62ea47d022263ef41) Arguments: mkdir -p /run/resolvconf/interface
    • resolvconf New Fork (PID: 3593, Parent: 3579)
      • sed (PID: 3594, Parent: 3593, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -e s/#.*$// -e s/[[:blank:]]\\+$// -e s/^[[:blank:]]\\+// -e "s/[[:blank:]]\\+/ /g" -e "/^nameserver/!b ENDOFCYCLE" -e "s/$/ /" -e "s/\\([:. ]\\)0\\+/\\10/g" -e "s/\\([:. ]\\)0\\([123456789abcdefABCDEF][[:xdigit:]]*\\)/\\1\\2/g" -e "/::/b ENDOFCYCLE; s/ \\(0[: ]\\)\\+/ ::/" -e "/::/b ENDOFCYCLE; s/:\\(0[: ]\\)\\+/::/" -e ": ENDOFCYCLE" -
      • sed (PID: 3595, Parent: 3593, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -e s/[[:blank:]]\\+$// -e /^$/d
  • dash New Fork (PID: 3629, Parent: 2079)
  • mkdir (PID: 3629, Parent: 2079, MD5: a97f666f21c85ec62ea47d022263ef41) Arguments: mkdir -p /home/user/.cache/logrotate
  • dash New Fork (PID: 3630, Parent: 2079)
  • mkdir (PID: 3630, Parent: 2079, MD5: a97f666f21c85ec62ea47d022263ef41) Arguments: mkdir -p /home/user/.cache/upstart
  • dash New Fork (PID: 3633, Parent: 2079)
  • egrep (PID: 3633, Parent: 2079, MD5: ef55d1537377114cc24cdc398fbdd930) Arguments: /bin/sh /bin/egrep [^[:print:]] /home/user/.cache/logrotate/status
  • grep (PID: 3633, Parent: 2079, MD5: fc9b0a0ff848b35b3716768695bf2427) Arguments: grep -E [^[:print:]] /home/user/.cache/logrotate/status
  • dash New Fork (PID: 3660, Parent: 2079)
  • mktemp (PID: 3660, Parent: 2079, MD5: 91cf2e2a84f3b49fdecdd8b631902009) Arguments: mktemp
  • dash New Fork (PID: 3661, Parent: 2079)
  • cat (PID: 3661, Parent: 2079, MD5: efa10d52f37361f2e3a5d22742f0fcc4) Arguments: cat
  • dash New Fork (PID: 3662, Parent: 2079)
  • logrotate (PID: 3662, Parent: 2079, MD5: d0eaf9942936032d217478b93e9cd4b1) Arguments: logrotate -s /home/user/.cache/logrotate/status /tmp/tmp.qVg8y2CCEq
    • gzip (PID: 3664, Parent: 3662, MD5: 25ea567880cec4ac02e7a77ad304e3c6) Arguments: /bin/gzip
    • gzip (PID: 3721, Parent: 3662, MD5: 25ea567880cec4ac02e7a77ad304e3c6) Arguments: /bin/gzip
    • gzip (PID: 3737, Parent: 3662, MD5: 25ea567880cec4ac02e7a77ad304e3c6) Arguments: /bin/gzip
    • gzip (PID: 3738, Parent: 3662, MD5: 25ea567880cec4ac02e7a77ad304e3c6) Arguments: /bin/gzip
    • gzip (PID: 3739, Parent: 3662, MD5: 25ea567880cec4ac02e7a77ad304e3c6) Arguments: /bin/gzip
    • gzip (PID: 3745, Parent: 3662, MD5: 25ea567880cec4ac02e7a77ad304e3c6) Arguments: /bin/gzip
    • gzip (PID: 3752, Parent: 3662, MD5: 25ea567880cec4ac02e7a77ad304e3c6) Arguments: /bin/gzip
  • dash New Fork (PID: 3780, Parent: 2079)
  • rm (PID: 3780, Parent: 2079, MD5: b79876063d894c449856cca508ecca7f) Arguments: rm -f /tmp/tmp.qVg8y2CCEq
  • cleanup

Yara Overview

Initial Sample

Source: miori.x86
Rule: JoeSecurity_Miori
Description: Yara detected Miori
Author: Joe Security
Strings:

    Signature Overview


    AV Detection:

    Antivirus / Scanner detection for submitted sample
    Source: miori.x86 | Avira: detected
    Multi AV Scanner detection for submitted file
    Source: miori.x86 | Virustotal: Detection: 58%
    Source: miori.x86 | ReversingLabs: Detection: 54%
    Machine Learning detection for sample
    Source: miori.x86 | Joe Sandbox ML: detected

    Sample listens on a socket
    Source: /tmp/miori.x86 (PID: 3483) | Socket: 127.0.0.1::12121

    Source: miori.x86 | String found in binary or memory: https://root_senpai.selly.store/

    Sample has stripped symbol table
    Source: ELF static info symbol of initial sample | .symtab present: no

    Source: classification engine | Classification label: mal68.troj.linX86@0/9@0/0

    Creates hidden files and/or directories
    Source: /bin/mkdir (PID: 3629) | Directory: .cache
    Source: /bin/mkdir (PID: 3630) | Directory: .cache

    Executes the "grep" command used to find patterns in files or piped streams
    Source: /bin/egrep (PID: 3633) | Grep executable: /bin/grep -> grep -E [^[:print:]] /home/user/.cache/logrotate/status

    Executes the "mkdir" command used to create folders
    Source: /sbin/resolvconf (PID: 3580) | Mkdir executable: /bin/mkdir -> mkdir -p /run/resolvconf/interface
    Source: /bin/dash (PID: 3629) | Mkdir executable: /bin/mkdir -> mkdir -p /home/user/.cache/logrotate
    Source: /bin/dash (PID: 3630) | Mkdir executable: /bin/mkdir -> mkdir -p /home/user/.cache/upstart

    Executes the "mktemp" command used to create a temporary unique file name
    Source: /bin/dash (PID: 3660) | Mktemp executable: /bin/mktemp -> mktemp

    Executes the "rm" command used to delete files or directories
    Source: /bin/dash (PID: 3780) | Rm executable: /bin/rm -> rm -f /tmp/tmp.qVg8y2CCEq

    Executes the "sleep" command used to delay execution and potentially evade sandboxes
    Source: /bin/dash (PID: 3194) | Sleep executable: /bin/sleep -> sleep 1
    Source: /bin/dash (PID: 3230) | Sleep executable: /bin/sleep -> sleep 1
    Source: /bin/dash (PID: 3252) | Sleep executable: /bin/sleep -> sleep 1
    Source: /bin/dash (PID: 3283) | Sleep executable: /bin/sleep -> sleep 1
    Source: /bin/dash (PID: 3308) | Sleep executable: /bin/sleep -> sleep 1
    Source: /bin/dash (PID: 3348) | Sleep executable: /bin/sleep -> sleep 1
    Source: /bin/dash (PID: 3379) | Sleep executable: /bin/sleep -> sleep 1
    Source: /bin/dash (PID: 3405) | Sleep executable: /bin/sleep -> sleep 1
    Source: /bin/dash (PID: 3420) | Sleep executable: /bin/sleep -> sleep 1
    Source: /bin/dash (PID: 3462) | Sleep executable: /bin/sleep -> sleep 1
    Source: /bin/dash (PID: 3497) | Sleep executable: /bin/sleep -> sleep 1
    Source: /bin/dash (PID: 3538) | Sleep executable: /bin/sleep -> sleep 1
    Source: /bin/dash (PID: 3564) | Sleep executable: /bin/sleep -> sleep 1

    Mitre Att&ck Matrix

    Tactic: techniques listed in the matrix (techniques observed in this analysis carry their hit count in parentheses)

    Initial Access: Valid Accounts; Default Accounts
    Execution: Windows Management Instrumentation; Scheduled Task/Job
    Persistence: Path Interception; Boot or Logon Initialization Scripts
    Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts
    Defense Evasion: Hidden Files and Directories (1); File Deletion (1)
    Credential Access: OS Credential Dumping; LSASS Memory
    Discovery: System Service Discovery; Application Window Discovery
    Lateral Movement: Remote Services; Remote Desktop Protocol
    Collection: Data from Local System; Data from Removable Media
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
    Command and Control: Data Obfuscation; Junk Data
    Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS
    Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization
    Impact: Modify System Partition; Device Lockout

    Behavior Graph

    Behavior Graph ID: 299750
    Sample: miori.x86
    Startdate: 18/10/2020
    Architecture: LINUX
    Score: 68
    Root signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Yara detected Miori; Machine Learning detection for sample
    Process chains shown in the graph: dash -> logrotate -> gzip (several instances); dash -> resolvconf -> mkdir / sed; dash -> sleep and miori.x86 -> miori.x86; 45 other processes (graph image not reproduced here)

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    Source     Detection  Scanner         Label
    miori.x86  58%        Virustotal
    miori.x86  55%        ReversingLabs   Linux.Trojan.Mirai
    miori.x86  100%       Avira           LINUX/Mirai.woaap
    miori.x86  100%       Joe Sandbox ML

    Dropped Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    Source                            Detection  Scanner          Label
    https://root_senpai.selly.store/  0%         Virustotal
    https://root_senpai.selly.store/  0%         Avira URL Cloud  safe

    Domains and IPs

    Contacted Domains

    No contacted domains info

    URLs from Memory and Binaries

    Name: https://root_senpai.selly.store/
    Source: miori.x86
    Malicious: false
    Antivirus Detection: 0% (Virustotal); Avira URL Cloud: safe
    Reputation: low

    Contacted IPs

    No contacted IP infos

    General Information

    Joe Sandbox Version:30.0.0 Red Diamond
    Analysis ID:299750
    Start date:18.10.2020
    Start time:09:12:22
    Joe Sandbox Product:CloudBasic
    Overall analysis duration:0h 6m 37s
    Hypervisor based Inspection enabled:false
    Report type:full
    Sample file name:miori.x86
    Cookbook file name:defaultlinuxfilecookbook.jbs
    Analysis system description:Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 59.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
    Detection:MAL
    Classification:mal68.troj.linX86@0/9@0/0


    Runtime Messages

    Command:/tmp/miori.x86
    Exit Code:0
    Exit Code Info:
    Killed:False
    Standard Output:
    miori remastered infection successful!! if u wanna see source here: https://root_senpai.selly.store/
    Standard Error:

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    No context

    ASN

    No context

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    /home/user/.cache/logrotate/status.tmp
    Process:/usr/sbin/logrotate
    File Type:ASCII text
    Category:dropped
    Size (bytes):1080
    Entropy (8bit):4.83908314963637
    Encrypted:false
    SSDEEP:24:fOeWfnS8JWfnraFLWfnw7WfnDvGTEbYMHtW8MF8iQlEwWfnRvY:2elIsInGHtWbFL8sA
    MD5:BF25DF8514A02CE19347BB4556BF4883
    SHA1:D10FDCBA8A43F5CC29675759D6AAE4939289CDA3
    SHA-256:8B5006093797AEDD7972B325ECE4238CFC8D8B63D1E677552DCD9FF044E92CDE
    SHA-512:2B7558C3EC42FE66AF87D4315234EA75C1CBB6FDF22F1C9AC1146402B034A39DEFF52D09035F8D1BCD36B561C68568E6ED407356FECECF23F77BE1ECD3E3D13C
    Malicious:false
    Reputation:low
    Preview: logrotate state -- version 2."/home/user/.cache/upstart/indicator-application.log" 2018-5-7-11:38:22."/home/user/.cache/upstart/indicator-sound.log" 2018-5-7-10:33:19."/home/user/.cache/upstart/indicator-session.log" 2018-5-7-11:38:22."/home/user/.cache/upstart/dbus.log" 2020-10-18-11:13:8."/home/user/.cache/upstart/gnome-keyring-ssh.log" 2020-10-18-11:13:8."/home/user/.cache/upstart/indicator-bluetooth.log" 2018-5-7-11:38:22."/home/user/.cache/upstart/indicator-datetime.log" 2018-5-7-11:38:22."/home/user/.cache/upstart/startxfce4.log" 2020-10-18-11:13:8."/home/user/.cache/upstart/update-notifier-release.log" 2020-10-18-11:13:8."/home/user/.cache/upstart/ssh-agent.log" 2020-10-18-11:13:8."/home/user/.cache/upstart/update-notifier-crash-_var_crash__usr_bin_blueman-applet.0.crash.log" 2018-5-7-10:33:19."/home/user/.cache/upstart/indicator-keyboard.log" 2018-5-7-10:33:19."/home/user/.cache/upstart/upstart-event-bridge.log" 2020-10-18-11:13:8."/home/user/.cache/upstart/indicator-power.log"
    /home/user/.cache/upstart/dbus.log.1.gz
    Process:/bin/gzip
    File Type:Sun Oct 18 07:12:27 2020, from Unix
    Category:dropped
    Size (bytes):267
    Entropy (8bit):7.171941321262491
    Encrypted:false
    SSDEEP:6:XWYlQuom0gW0F46ASWpC8t0BEP80ryEbjL+swraiuWRGI:XW/nLT0F48WUTBEEAJPyROi0I
    MD5:1194F1AF2D4ECC5D7294B96C1076ADC2
    SHA1:74CFDAB4E36E10021651AF42B101C8E4B785F167
    SHA-256:0FBB5934229F08AD78E173602508338ECEEEDD7A4A08306E5437C380A12E6E66
    SHA-512:97B1B41F879D2A1966DF79D327A49769156F81699F46630A05F85D1997CC78C1F0C5861142D6DA83CE04E800C55AEFAB437D2D3769647127CD83D26C2276F277
    Malicious:false
    Reputation:low
    /home/user/.cache/upstart/gnome-keyring-ssh.log.1.gz
    Process:/bin/gzip
    File Type:Mon Jul 27 09:05:22 2020, from Unix
    Category:dropped
    Size (bytes):99
    Entropy (8bit):6.129257882662173
    Encrypted:false
    SSDEEP:3:FtPaGuofByOJ9+JbgcpuvfIMGddoffEwZW/l:XPa25NrQbgYuoMBfMsGl
    MD5:2B8D9549C00943FB9FFC73FD80E6AC1A
    SHA1:E6348E8BB25396F0542E7E74AE30AF03F48E237E
    SHA-256:606AE477FACBE88A7BF8C1718AE0259E50487BB5F98B80F0E2895DD799BBE858
    SHA-512:C2CA8D2DFC0B0E28FDB3E94EF2BE74D7D663E9943EE55D03F9F8C8E1425AC4C0C07391020DEE0931EC9967185BDD75BDA438BC413DDBC6AB18D2EF28388C9D59
    Malicious:false
    Reputation:moderate, very likely benign file
    /home/user/.cache/upstart/gpg-agent.log.1.gz
    Process:/bin/gzip
    File Type:Mon Jul 27 09:05:26 2020, from Unix
    Category:dropped
    Size (bytes):109
    Entropy (8bit):6.285347714840308
    Encrypted:false
    SSDEEP:3:Ft+KspyDBmKyr7JtqZioTFBkdMl/:X+KspyDB94JtYPk+
    MD5:13A3054AF030A536BDA784F022481B4C
    SHA1:062CEC7C61E642887CE10970A7353066C4283DFD
    SHA-256:0D9475D2511F0A2C555242326C2D4EB69E4456726BDDB84913B95EC59F8FDCF6
    SHA-512:EB0A9DDC9D084934F42DF3AC9FE92CE534A841B38F6008774F29788EEFEC4FD22BFE12570B30558A351755347E92742C867B3B65E0616294146C390FB60A3388
    Malicious:false
    Reputation:moderate, very likely benign file
    /home/user/.cache/upstart/ssh-agent.log.1.gz
    Process:/bin/gzip
    File Type:Mon Jul 27 09:05:22 2020, from Unix
    Category:dropped
    Size (bytes):60
    Entropy (8bit):5.121567004295788
    Encrypted:false
    SSDEEP:3:FtPa5qBO0YYLB0trI1mlwdn:XPa5W2Yt02g6n
    MD5:32CF70DC61DECD8DFBC64EB2F2529FAC
    SHA1:DAC70D15E4E11407299DC63AAA6774A2393C2316
    SHA-256:5F46EF0AAB4AD28F5384537011EDB096F22592BE4EA83194C1A52A11ECAD51D5
    SHA-512:D89B691D4403CB3B836F4B50795046DE26AC588D2C03020EC9B944B97259DD7ED759509229E92B601C5050F2A43DCAFA0D098E2EE5E324A56F69E1EE4BB35E87
    Malicious:false
    Reputation:moderate, very likely benign file
    /home/user/.cache/upstart/startxfce4.log.1.gz
    Process:/bin/gzip
    File Type:Sun Oct 18 09:12:51 2020, from Unix
    Category:dropped
    Size (bytes):1151
    Entropy (8bit):7.83913025501126
    Encrypted:false
    SSDEEP:24:XY+BojMnJnBU5Lk9eIEtZHE9LYIOzgczACtLQ1vzKpDk/aR:XY+iI9u5LCEtFE9LBOzjACEKQA
    MD5:4F4D1C1BE6416606A5566C13F94D8525
    SHA1:D5B473E3CD46830B0E2A6CEC9019CF81B0372C77
    SHA-256:7CB87FCC58FF82177F8479BD9F1D55F2F641C7519D4880149F0E58ACA3A2BDEC
    SHA-512:67BF66B9A76B4172280F48762A58707124A7A5F3B4EF713948060549D41591785556067B00DB7608D8C1F1ECB8C09C88910C5A03B5FF500AC6F82F4C505CDA7D
    Malicious:false
    Reputation:low
    /home/user/.cache/upstart/update-notifier-release.log.1.gz
    Process:/bin/gzip
    File Type:Mon Jul 27 09:05:22 2020, from Unix
    Category:dropped
    Size (bytes):73
    Entropy (8bit):5.311208593298957
    Encrypted:false
    SSDEEP:3:FtPacK82rsFX+TP4P2gt:XPacf2rNWt
    MD5:6B9C8B79E6508C02BCACF1C11363D3BC
    SHA1:F450E69D5A258FCF4D89E7CDB1FBD7EEC5E19A77
    SHA-256:735DFDFE533A05589BFDC9044627395F29312064CFBA09CCB60E010AEC692411
    SHA-512:AAE4EF554245D1419335B80EA6ED0E357FCC7032BF991D4808B8A2E09F671BA318B7EF0A8824FA334D6B51EF7104351461814D1EE096D357305914A83380CC35
    Malicious:false
    Reputation:moderate, very likely benign file
    /home/user/.cache/upstart/upstart-event-bridge.log.1.gz
    Process:/bin/gzip
    File Type:Mon Jul 27 09:05:22 2020, from Unix
    Category:dropped
    Size (bytes):68
    Entropy (8bit):5.395998870534845
    Encrypted:false
    SSDEEP:3:FtPa5wG0BMPWNLPgXseOBMky:XPa5wG+OQP4OBMV
    MD5:1395D405968C76307CBA75C5DDC9CA19
    SHA1:C36CEE03E5DF12FBFB57A5EBCEAE329B41AFA1F7
    SHA-256:33785027CEE82E878434593B532FE1DF25D46676379757272C1E15C9AADD3B1F
    SHA-512:09CAB8DFF495DA9ED715C94E9F24B0C5C40CF0BC8C1B0DEEFB90C54081020AD80AF51636ADCBA368980E2C69119697A65E2E4AC5B834E0F08F88AEA52EFDA257
    Malicious:false
    Reputation:moderate, very likely benign file
    /tmp/tmp.qVg8y2CCEq
    Process:/bin/cat
    File Type:ASCII text
    Category:dropped
    Size (bytes):141
    Entropy (8bit):3.7760909131289533
    Encrypted:false
    SSDEEP:3:PgWA0uU95y/1aF/g2FFXwyyVDoGeRqcOAvC:PgWl195y9aF/g2FFgfNepvK
    MD5:46261223A62EF65D03C70F15EE935267
    SHA1:E9102D8808BA6E171405F1830BD7C6B8179C9BF2
    SHA-256:DFECC8990014230F50FBAD269AD523A74D16CFB455065EC8D9041764D684C239
    SHA-512:380CFA479D6DB2361DCE6A52A516ECBA4D5CCE647299A87C3C3ED5887DB929C81A0F970097E6CF02C11440BCE87299D611B01CE56CF9AF09DCFBBA14249E9AF9
    Malicious:false
    Reputation:moderate, very likely benign file
    Preview: "/home/user/.cache/upstart/*.log" {. hourly. missingok. rotate 7. compress. notifempty. nocreate.}.

    Static File Info

    General

    File type:ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
    Entropy (8bit):5.7083895416890575
    TrID:
    • ELF Executable and Linkable format (generic) (4004/1) 100.00%
    File name:miori.x86
    File size:33952
    MD5:16f1df0c0423d9051950cf1b41b8be3a
    SHA1:f14bb83ca8f11d0b036d12ec55e3fb798af935ae
    SHA256:2255867bf2dc5a97f5d62258ad99749f6138f8d706f43966380c5a1a1f0038b1
    SHA512:bfbc790416b778dab58f93cdd341f17212615ea04b32a9d3bfa70eaa2bae812d6b125f25e04b2434d47ad020dced311824e8f575eabf39188586350b81c866d1
    SSDEEP:384:8nvKJjYJCINgrNECNnAHCd5atKOP/j0mcgejmjCskPex+uuwp/muirQW1X/kGLjZ:8nCkB2NEmAH1/jzyE/9sVvo4fAa

    Static ELF Info

    ELF header

    Class:ELF64
    Data:2's complement, little endian
    Version:1 (current)
    Machine:Advanced Micro Devices X86-64
    Version Number:0x1
    Type:EXEC (Executable file)
    OS/ABI:UNIX - System V
    ABI Version:0
    Entry Point Address:0x400194
    Flags:0x0
    ELF Header Size:64
    Program Header Offset:64
    Program Header Size:56
    Number of Program Headers:3
    Section Header Offset:33312
    Section Header Size:64
    Number of Section Headers:10
    Header String Table Index:9

    Sections

    Name       Type      Address   Offset  Size    EntSize  Flags  Flags Description  Link  Info  Align
               NULL      0x0       0x0     0x0     0x0      0x0                       0     0     0
    .init      PROGBITS  0x4000e8  0xe8    0x13    0x0      0x6    AX                 0     0     1
    .text      PROGBITS  0x400100  0x100   0x6896  0x0      0x6    AX                 0     0     16
    .fini      PROGBITS  0x406996  0x6996  0xe     0x0      0x6    AX                 0     0     1
    .rodata    PROGBITS  0x4069c0  0x69c0  0xa40   0x0      0x2    A                  0     0     32
    .ctors     PROGBITS  0x508000  0x8000  0x10    0x0      0x3    WA                 0     0     8
    .dtors     PROGBITS  0x508010  0x8010  0x10    0x0      0x3    WA                 0     0     8
    .data      PROGBITS  0x508040  0x8040  0x1a0   0x0      0x3    WA                 0     0     32
    .bss       NOBITS    0x5081e0  0x81e0  0xdd88  0x0      0x3    WA                 0     0     32
    .shstrtab  STRTAB    0x0       0x81e0  0x3e    0x0      0x0                       0     0     1

    Program Segments

    Type       Offset  Virtual Address  Physical Address  File Size  Memory Size  Flags  Flags Description  Align     Prog Interpreter  Section Mappings
    LOAD       0x0     0x400000         0x400000          0x7400     0x7400       0x5    R E                0x100000                    .init .text .fini .rodata
    LOAD       0x8000  0x508000         0x508000          0x1e0      0xdf68       0x6    RW                 0x100000                    .ctors .dtors .data .bss
    GNU_STACK  0x0     0x0              0x0               0x0        0x0          0x6    RW                 0x8

    Network Behavior

    No network behavior found

    System Behavior