Linux Analysis Report 4ljhdTTyiA

Overview

General Information

Sample Name: 4ljhdTTyiA
Analysis ID: 450972
MD5: 349456ecaa1380a142f15810a8260378
SHA1: 02dd15ecdeedefd7a2f82ba0df38703a74489af3
SHA256: 0f00c2e074c6284c556040012ef23357853ccac4ad1373d1dea683562dc24bca
Tags: elf, xorddos

Detection

XorDDoS
Score: 100
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threats rules)
Yara detected XorDDoS Bot
Detected non-DNS traffic on DNS port
Drops files in suspicious directories
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample deletes itself
Sample tries to persist itself using System V runlevels
Sample tries to persist itself using cron
Drops files with innocent-looking names
Enumerates processes within the "proc" file system
Executes the "systemctl" command used for controlling the systemd system and service manager
PID-file does not contain an ASCII number
Reads CPU information from /proc indicative of miner or evasive malware
Reads system information from the proc file system
Uses the "uname" system call to query kernel version information (possible evasion)
Writes ELF files to disk
Writes crontab like entries to files to /var or /etc typically for achieving persistence
Writes shell script file to disk with an unusual file extension
Writes shell script files to disk
Yara signature match

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: 4ljhdTTyiA Avira: detected
Antivirus detection for dropped file
Source: /usr/bin/gqczobuacc Avira: detection malicious, Label: LINUX/Xorddos.cona
Source: /usr/bin/jjltawydwf Avira: detection malicious, Label: LINUX/Xorddos.cona
Source: /usr/bin/rlyjyybyum Avira: detection malicious, Label: LINUX/Xorddos.cona
Source: /usr/bin/ouhdchrbdz Avira: detection malicious, Label: LINUX/Xorddos.cona
Source: /usr/bin/tjdqviitkh Avira: detection malicious, Label: LINUX/Xorddos.cona
Source: /usr/bin/nyavevzqtw Avira: detection malicious, Label: LINUX/Xorddos.cona
Source: /lib/libudev.so Avira: detection malicious, Label: LINUX/Xorddos.cona
Source: /usr/bin/ctrygxclrx Avira: detection malicious, Label: LINUX/Xorddos.cona
Source: /usr/bin/aspbnnkmso Avira: detection malicious, Label: LINUX/Xorddos.cona
Source: /usr/bin/fcxqfstrdm Avira: detection malicious, Label: LINUX/Xorddos.cona
Source: /usr/bin/uoewtvxqdd Avira: detection malicious, Label: LINUX/Xorddos.cona
Source: /usr/bin/dxeguomyxc Avira: detection malicious, Label: LINUX/Xorddos.cona
Source: /usr/bin/lgnmbyzzlq Avira: detection malicious, Label: LINUX/Xorddos.cona
Multi AV Scanner detection for submitted file
Source: 4ljhdTTyiA VirusTotal: Detection: 66%
Source: 4ljhdTTyiA MetaDefender: Detection: 62%
Source: 4ljhdTTyiA ReversingLabs: Detection: 72%
Machine Learning detection for dropped file
Source: /usr/bin/gqczobuacc Joe Sandbox ML: detected
Source: /usr/bin/jjltawydwf Joe Sandbox ML: detected
Source: /usr/bin/rlyjyybyum Joe Sandbox ML: detected
Source: /usr/bin/ouhdchrbdz Joe Sandbox ML: detected
Source: /usr/bin/tjdqviitkh Joe Sandbox ML: detected
Source: /usr/bin/nyavevzqtw Joe Sandbox ML: detected
Source: /lib/libudev.so Joe Sandbox ML: detected
Source: /usr/bin/ctrygxclrx Joe Sandbox ML: detected
Source: /usr/bin/aspbnnkmso Joe Sandbox ML: detected
Source: /usr/bin/fcxqfstrdm Joe Sandbox ML: detected
Source: /usr/bin/uoewtvxqdd Joe Sandbox ML: detected
Source: /usr/bin/dxeguomyxc Joe Sandbox ML: detected
Source: /usr/bin/lgnmbyzzlq Joe Sandbox ML: detected
Machine Learning detection for sample
Source: 4ljhdTTyiA Joe Sandbox ML: detected

Bitcoin Miner:

Reads CPU information from /proc indicative of miner or evasive malware
Source: /tmp/4ljhdTTyiA (PID: 4554) Reads CPU info from proc file: /proc/cpuinfo
Note: this is a generic heuristic and the "Bitcoin Miner" heading is not a miner verdict; no other mining indicator appears in this report. XorDDoS reads /proc/cpuinfo, together with /proc/stat and /proc/meminfo (see System Summary), to profile the host for the check-in it sends to its C2.

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threats rules)
Source: Traffic Snort IDS: 2021022 ET TROJAN Wapack Labs Sinkhole DNS Reply 8.8.8.8:53 -> 192.168.2.20:44091
Source: Traffic Snort IDS: 2021336 ET TROJAN DDoS.XOR Checkin via HTTP 192.168.2.20:50586 -> 23.253.46.64:80
Source: Traffic Snort IDS: 2020381 ET TROJAN DDoS.XOR Checkin 192.168.2.20:39688 -> 204.11.56.48:53
Source: Traffic Snort IDS: 2020381 ET TROJAN DDoS.XOR Checkin 192.168.2.20:40742 -> 104.161.25.33:53
Note: SID 2021022 fires on the resolver's answer, i.e. the A record returned for aaa.dsaj2a.org points at a sinkhole; consistent with that, the HTTP check-in that follows (SID 2021336, to 23.253.46.64:80) gets back a generic IIS 404 page instead of config.rar (see the HTTP traffic below). The two SID 2020381 hits are the bot's own check-in protocol to its C2 hosts on TCP/53; these are the same two sessions the "non-DNS traffic on DNS port" signature reports.
Detected non-DNS traffic on DNS port
Source: global traffic TCP traffic: 192.168.2.20:39688 -> 204.11.56.48:53
Source: global traffic TCP traffic: 192.168.2.20:40742 -> 104.161.25.33:53
Source: global traffic HTTP traffic detected:
  GET /config.rar HTTP/1.1
  Accept: */*
  Accept-Language: zh-cn
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
  Host: aaa.dsaj2a.org
  Connection: Keep-Alive
Source: unknown DNS traffic detected: queries for: aaa.dsaj2a.org
Source: global traffic HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Content-Type: text/html
  Server: Microsoft-IIS/7.5
  X-Powered-By: ASP.NET
  Date: Mon, 19 Jul 2021 22:23:38 GMT
  Content-Length: 1245
  Data Raw (the stock IIS 404 page, decoded from the report's hex dump; CRLF line endings; the dump breaks off mid-page):
  <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
  <html xmlns="http://www.w3.org/1999/xhtml">
  <head>
  <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
  <title>404 - File or directory not found.</title>
  <style type="text/css">
  <!--
  body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
  fieldset{padding:0 15px 10px 15px;}
  h1{font-size:2.4em;margin:0;color:#FFF;}
  h2{font-size:1.7em;margin:0;color:#CC0000;}
  h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
  #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
  background-color:#555555;}
  #content{margin:0 0 0 2%;position:relative;}
  .content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
  -->
  </style>
  </head>
  <body>
  <div id="header"><h1>Serv
Source: 4ljhdTTyiA, 4551.1.00000000ff9cc000.00000000ff9ed000.rw-.sdmp String found in binary or memory: http://aaa.dsaj2a.org/config.rar
Source: 4ljhdTTyiA, 4551.1.00000000ff9cc000.00000000ff9ed000.rw-.sdmp, 4ljhdTTyiA, 4555.1.00000000ff9cc000.00000000ff9ed000.rw-.sdmp, 4ljhdTTyiA, 4655.1.00000000ff9cc000.00000000ff9ed000.rw-.sdmp, 4ljhdTTyiA, 4713.1.00000000ff9cc000.00000000ff9ed000.rw-.sdmp, 4ljhdTTyiA, 4768.1.00000000ff9cc000.00000000ff9ed000.rw-.sdmp, 4ljhdTTyiA, 4823.1.00000000ff9cc000.00000000ff9ed000.rw-.sdmp, 4ljhdTTyiA, 4878.1.00000000ff9cc000.00000000ff9ed000.rw-.sdmp, 4ljhdTTyiA, 4933.1.00000000ff9cc000.00000000ff9ed000.rw-.sdmp, 4ljhdTTyiA, 4988.1.00000000ff9cc000.00000000ff9ed000.rw-.sdmp, 4ljhdTTyiA, 5043.1.00000000ff9cc000.00000000ff9ed000.rw-.sdmp, 4ljhdTTyiA, 5100.1.00000000ff9cc000.00000000ff9ed000.rw-.sdmp, 4ljhdTTyiA, 5155.1.00000000ff9cc000.00000000ff9ed000.rw-.sdmp, 4ljhdTTyiA, 5210.1.00000000ff9cc000.00000000ff9ed000.rw-.sdmp, 4ljhdTTyiA, 5265.1.00000000ff9cc000.00000000ff9ed000.rw-.sdmp, 4ljhdTTyiA, 5320.1.00000000ff9cc000.00000000ff9ed000.rw-.sdmp, 4ljhdTTyiA, 5375.1.00000000ff9cc000.00000000ff9ed000.rw-.sdmp, 4ljhdTTyiA, 5430.1.00000000ff9cc000.00000000ff9ed000.rw-.sdmp, 4ljhdTTyiA, 5485.1.00000000ff9cc000.00000000ff9ed000.rw-.sdmp, 4ljhdTTyiA, 5540.1.00000000ff9cc000.00000000ff9ed000.rw-.sdmp String found in binary or memory: http://aaa.dsaj2a.org/config.rar7.com:53
Source: 4ljhdTTyiA, 4551.1.0000000008048000.00000000080cf000.r-x.sdmp String found in binary or memory: http://www.gnu.org/software/libc/bugs.html
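The "non-DNS traffic on DNS port" finding above is worth being able to reproduce from a capture rather than trusting the sandbox label. The following is an added example, not code from Joe Sandbox or from the sample: it checks whether the first payload of a TCP session to port 53 is framed as DNS-over-TCP (RFC 1035 section 4.2.2: a two-byte length prefix, a twelve-byte header with a defined opcode, and a question section whose names parse cleanly) and flags everything else. The sample flows are constructed to mirror the report's sessions; the XorDDoS check-in format itself is not shown in the report, so the "bot" payload is an arbitrary non-DNS blob and not the real protocol. The classifier is general: it accepts any well-formed DNS message, including compressed names, not only the report's query for aaa.dsaj2a.org.

```python
"""Tell real DNS-over-TCP from an opaque bot check-in on TCP/53.
Added example (not from the report or the sample). Payloads below are constructed."""
import struct

VALID_OPCODES = {0, 1, 2, 4, 5}        # QUERY, IQUERY, STATUS, NOTIFY, UPDATE
VALID_QCLASSES = {1, 3, 4, 254, 255}   # IN, CH, HS, NONE, ANY


def _skip_name(msg, off):
    """Advance past a wire-format name; return the new offset, or None if malformed."""
    total = 0
    while True:
        if off >= len(msg):
            return None
        length = msg[off]
        if length == 0:                               # root label terminates the name
            return off + 1
        if (length & 0xC0) == 0xC0:                   # compression pointer: 2 bytes, ends the name
            return off + 2 if off + 2 <= len(msg) else None
        if length > 63 or total + length + 1 > 255:   # RFC 1035 label / name length limits
            return None
        total += length + 1
        off += 1 + length


def looks_like_dns_over_tcp(payload):
    """True if `payload` is a plausibly framed DNS-over-TCP message."""
    if len(payload) < 14:                             # 2-byte length + 12-byte header minimum
        return False
    (msg_len,) = struct.unpack("!H", payload[:2])
    msg = payload[2:]
    if msg_len != len(msg):                           # length prefix must match what follows
        return False
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    opcode = (flags >> 11) & 0xF
    if opcode not in VALID_OPCODES or (flags & 0x0040):   # undefined opcode, or reserved Z bit set
        return False
    off = 12
    for _ in range(qdcount):                          # every question must parse: name + QTYPE + QCLASS
        off = _skip_name(msg, off)
        if off is None or off + 4 > len(msg):
            return False
        _qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        if qclass not in VALID_QCLASSES:
            return False
        off += 4
    return True


def build_dns_query(name, txid=0x1234, qtype=1):
    """Build a DNS-over-TCP query (RD set, class IN) for `name`."""
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)
    return struct.pack("!H", len(msg)) + msg


def triage_port53_flows(flows):
    """flows: iterable of (src, dst, dport, first_payload) for TCP sessions. Returns alert strings."""
    alerts = []
    for src, dst, dport, payload in flows:
        if dport == 53 and not looks_like_dns_over_tcp(payload):
            alerts.append(f"non-DNS traffic on DNS port: {src} -> {dst}:{dport} ({len(payload)} bytes)")
    return alerts


# Constructed stand-in for the bot check-in (not the real XorDDoS protocol): first two
# bytes 0x1f8b do not equal the remaining length, so it is not DNS framing.
BOT_BLOB = b"\x1f\x8b\x08\x00" + bytes(range(0x20, 0x80))

# Constructed sessions modelled on the report: a real lookup, two opaque sessions to the
# hosts the report calls out, and the HTTP check-in on port 80 (out of scope for this check).
SAMPLE_FLOWS = [
    ("192.168.2.20", "8.8.8.8", 53, build_dns_query("aaa.dsaj2a.org")),
    ("192.168.2.20", "204.11.56.48", 53, BOT_BLOB),
    ("192.168.2.20", "104.161.25.33", 53, BOT_BLOB[:20]),
    ("192.168.2.20", "23.253.46.64", 80, b"GET /config.rar HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for alert in triage_port53_flows(SAMPLE_FLOWS):
        print(alert)
```

On a real capture, feed the first data segment of each TCP session with destination port 53 (for example from a tshark export) into triage_port53_flows; the check is deliberately structural rather than content-based, so it does not depend on knowing the bot's protocol and also catches other tunnelling over port 53.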

DDoS:

Yara detected XorDDoS Bot
Source: Yara match File source: 4ljhdTTyiA, type: SAMPLE
Source: Yara match File source: 5232.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4812.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5320.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4666.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5100.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4856.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4867.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5144.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4768.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5166.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4845.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5298.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4757.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5496.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5188.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5032.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5309.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5408.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4933.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4889.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4790.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5342.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4724.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5331.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4834.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5518.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4944.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5529.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4556.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4878.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4922.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5287.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5276.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5122.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4735.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4900.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4677.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5076.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4977.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5353.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5419.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5452.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5043.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5375.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5254.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4911.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4699.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4555.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5386.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4746.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4988.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5087.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5021.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4578.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4713.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4966.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5199.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5397.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5210.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5430.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5243.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5221.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5485.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4999.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4801.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5133.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5441.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4688.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5463.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5265.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5551.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5065.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4655.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5054.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5474.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4823.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4551.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5111.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5507.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5364.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4955.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5010.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5540.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5177.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5155.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4779.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 4ljhdTTyiA PID: 5054, type: MEMORY
Source: Yara match File source: Process Memory Space: 4ljhdTTyiA PID: 5507, type: MEMORY
Source: Yara match File source: /usr/bin/nyavevzqtw, type: DROPPED
Source: Yara match File source: /usr/bin/uoewtvxqdd, type: DROPPED
Source: Yara match File source: /usr/bin/dxeguomyxc, type: DROPPED
Source: Yara match File source: /usr/bin/jjltawydwf, type: DROPPED
Source: Yara match File source: /lib/libudev.so, type: DROPPED
Source: Yara match File source: /usr/bin/ctrygxclrx, type: DROPPED
Source: Yara match File source: /usr/bin/rlyjyybyum, type: DROPPED
Source: Yara match File source: /usr/bin/tjdqviitkh, type: DROPPED
Source: Yara match File source: /usr/bin/fcxqfstrdm, type: DROPPED
Source: Yara match File source: /usr/bin/aspbnnkmso, type: DROPPED
Source: Yara match File source: /usr/bin/ouhdchrbdz, type: DROPPED
Source: Yara match File source: /usr/bin/lgnmbyzzlq, type: DROPPED
Source: Yara match File source: /usr/bin/gqczobuacc, type: DROPPED

System Summary:

Malicious sample detected (through community Yara rule)
Source: 4ljhdTTyiA, type: SAMPLE Matched rule: Rule to detect XOR DDos infection Author: Akamai CSIRT
Source: /usr/bin/uoewtvxqdd, type: DROPPED Matched rule: Rule to detect XOR DDos infection Author: Akamai CSIRT
Source: /usr/bin/dxeguomyxc, type: DROPPED Matched rule: Rule to detect XOR DDos infection Author: Akamai CSIRT
Source: /usr/bin/jjltawydwf, type: DROPPED Matched rule: Rule to detect XOR DDos infection Author: Akamai CSIRT
Source: /lib/libudev.so, type: DROPPED Matched rule: Rule to detect XOR DDos infection Author: Akamai CSIRT
Source: /usr/bin/ctrygxclrx, type: DROPPED Matched rule: Rule to detect XOR DDos infection Author: Akamai CSIRT
Source: /usr/bin/rlyjyybyum, type: DROPPED Matched rule: Rule to detect XOR DDos infection Author: Akamai CSIRT
Source: /usr/bin/tjdqviitkh, type: DROPPED Matched rule: Rule to detect XOR DDos infection Author: Akamai CSIRT
Source: /usr/bin/fcxqfstrdm, type: DROPPED Matched rule: Rule to detect XOR DDos infection Author: Akamai CSIRT
Source: /usr/bin/aspbnnkmso, type: DROPPED Matched rule: Rule to detect XOR DDos infection Author: Akamai CSIRT
Source: /usr/bin/ouhdchrbdz, type: DROPPED Matched rule: Rule to detect XOR DDos infection Author: Akamai CSIRT
Source: /usr/bin/lgnmbyzzlq, type: DROPPED Matched rule: Rule to detect XOR DDos infection Author: Akamai CSIRT
Source: /usr/bin/gqczobuacc, type: DROPPED Matched rule: Rule to detect XOR DDos infection Author: Akamai CSIRT
Yara signature match
Source: 4ljhdTTyiA, type: SAMPLE Matched rule: XOR_DDosv1 author = Akamai CSIRT, description = Rule to detect XOR DDos infection
Source: /usr/bin/uoewtvxqdd, type: DROPPED Matched rule: XOR_DDosv1 author = Akamai CSIRT, description = Rule to detect XOR DDos infection
Source: /usr/bin/dxeguomyxc, type: DROPPED Matched rule: XOR_DDosv1 author = Akamai CSIRT, description = Rule to detect XOR DDos infection
Source: /usr/bin/jjltawydwf, type: DROPPED Matched rule: XOR_DDosv1 author = Akamai CSIRT, description = Rule to detect XOR DDos infection
Source: /lib/libudev.so, type: DROPPED Matched rule: XOR_DDosv1 author = Akamai CSIRT, description = Rule to detect XOR DDos infection
Source: /usr/bin/ctrygxclrx, type: DROPPED Matched rule: XOR_DDosv1 author = Akamai CSIRT, description = Rule to detect XOR DDos infection
Source: /usr/bin/rlyjyybyum, type: DROPPED Matched rule: XOR_DDosv1 author = Akamai CSIRT, description = Rule to detect XOR DDos infection
Source: /usr/bin/tjdqviitkh, type: DROPPED Matched rule: XOR_DDosv1 author = Akamai CSIRT, description = Rule to detect XOR DDos infection
Source: /usr/bin/fcxqfstrdm, type: DROPPED Matched rule: XOR_DDosv1 author = Akamai CSIRT, description = Rule to detect XOR DDos infection
Source: /usr/bin/aspbnnkmso, type: DROPPED Matched rule: XOR_DDosv1 author = Akamai CSIRT, description = Rule to detect XOR DDos infection
Source: /usr/bin/ouhdchrbdz, type: DROPPED Matched rule: XOR_DDosv1 author = Akamai CSIRT, description = Rule to detect XOR DDos infection
Source: /usr/bin/lgnmbyzzlq, type: DROPPED Matched rule: XOR_DDosv1 author = Akamai CSIRT, description = Rule to detect XOR DDos infection
Source: /usr/bin/gqczobuacc, type: DROPPED Matched rule: XOR_DDosv1 author = Akamai CSIRT, description = Rule to detect XOR DDos infection
Source: classification engine Classification label: mal100.troj.evad.lin@0/21@5/0

Data Obfuscation:

PID-file does not contain an ASCII number
Source: /tmp/4ljhdTTyiA (PID: 4554) /run/gcc.pid: gwbbeuannjaetwafyolmnmkmuwlnwvcf

Persistence and Installation Behavior:

Sample tries to persist itself using System V runlevels
Source: /tmp/4ljhdTTyiA (PID: 4554) File: /etc/rc1.d/S904ljhdTTyiA -> /etc/init.d/4ljhdTTyiA
Source: /tmp/4ljhdTTyiA (PID: 4554) File: /etc/rc2.d/S904ljhdTTyiA -> /etc/init.d/4ljhdTTyiA
Source: /tmp/4ljhdTTyiA (PID: 4554) File: /etc/rc3.d/S904ljhdTTyiA -> /etc/init.d/4ljhdTTyiA
Source: /tmp/4ljhdTTyiA (PID: 4554) File: /etc/rc4.d/S904ljhdTTyiA -> /etc/init.d/4ljhdTTyiA
Source: /tmp/4ljhdTTyiA (PID: 4554) File: /etc/rc5.d/S904ljhdTTyiA -> /etc/init.d/4ljhdTTyiA
Source: /tmp/4ljhdTTyiA (PID: 4554) File: /etc/rc.d/rc1.d/S904ljhdTTyiA -> /etc/init.d/4ljhdTTyiA
Source: /tmp/4ljhdTTyiA (PID: 4554) File: /etc/rc.d/rc2.d/S904ljhdTTyiA -> /etc/init.d/4ljhdTTyiA
Source: /tmp/4ljhdTTyiA (PID: 4554) File: /etc/rc.d/rc3.d/S904ljhdTTyiA -> /etc/init.d/4ljhdTTyiA
Source: /tmp/4ljhdTTyiA (PID: 4554) File: /etc/rc.d/rc4.d/S904ljhdTTyiA -> /etc/init.d/4ljhdTTyiA
Source: /tmp/4ljhdTTyiA (PID: 4554) File: /etc/rc.d/rc5.d/S904ljhdTTyiA -> /etc/init.d/4ljhdTTyiA
Source: /usr/lib/insserv/insserv (PID: 4609) File: /etc/rc1.d/S014ljhdTTyiA -> ../init.d/4ljhdTTyiA
Source: /usr/lib/insserv/insserv (PID: 4609) File: /etc/rc2.d/S014ljhdTTyiA -> ../init.d/4ljhdTTyiA
Source: /usr/lib/insserv/insserv (PID: 4609) File: /etc/rc3.d/S014ljhdTTyiA -> ../init.d/4ljhdTTyiA
Source: /usr/lib/insserv/insserv (PID: 4609) File: /etc/rc4.d/S014ljhdTTyiA -> ../init.d/4ljhdTTyiA
Source: /usr/lib/insserv/insserv (PID: 4609) File: /etc/rc5.d/S014ljhdTTyiA -> ../init.d/4ljhdTTyiA
Note: the S90 links are written by the sample itself into both the Debian-style /etc/rcN.d and the Red Hat-style /etc/rc.d/rcN.d layout, so the same installer works on either family; the S01 links are added afterwards by insserv when update-rc.d is run for the new init script. Runlevel 1 is single-user mode, where ordinary services are not started, so an init script linked from rc1.d through rc5.d is itself a useful hunting signal.
Sample tries to persist itself using cron
Source: /tmp/4ljhdTTyiA (PID: 4554) File: /etc/cron.hourly/gcc.sh
Source: /bin/dash (PID: 4590) File: /etc/crontab
Source: /bin/sed (PID: 4592) File: /etc/crontab
Enumerates processes within the "proc" file system
Source: /tmp/4ljhdTTyiA (PID: 4554) File opened: /proc/<pid>/fd for 95 processes (including PID 1), in this order: 4690, 4770, 1065, 3485, 3484, 1062, 3482, 3481, 1060, 550, 1017, 1059, 3479, 3512, 3477, 1452, 3432, 3632, 3678, 3518, 1339, 4726, 4803, 4781, 3497, 3133, 3452, 3496, 1072, 3491, 3527, 1, 3525, 1346, 3524, 3601, 3523, 1024, 1145, 3488, 3565, 3289, 3443, 4657, 3606, 2516, 4737, 4814, 4792, 4475, 1363, 3541, 1362, 3463, 2251, 3262, 1084, 3380, 496, 3611, 3377, 1155, 1078, 535, 4701, 4669, 1119, 3616, 4748, 1091, 3790, 3791, 2386, 3310, 3431, 3596, 3473, 3550, 1095, 3625, 1688, 3502, 3546, 3303, 3501, 3545, 1443, 3467, 3543, 4679, 3308, 3429, 4517, 4715, 4759
Executes the "systemctl" command used for controlling the systemd system and service manager
Source: /usr/sbin/update-rc.d (PID: 4646) Systemctl executable: /bin/systemctl -> systemctl daemon-reload Jump to behavior
Reads system information from the proc file system
Source: /tmp/4ljhdTTyiA (PID: 4554) Reads from proc file: /proc/stat Jump to behavior
Source: /tmp/4ljhdTTyiA (PID: 4554) Reads from proc file: /proc/meminfo Jump to behavior
Source: /tmp/4ljhdTTyiA (PID: 4554) Reads from proc file: /proc/cpuinfo Jump to behavior
Writes ELF files to disk
Source: /tmp/4ljhdTTyiA (PID: 4554) File written: /lib/libudev.so Jump to dropped file
Source: /tmp/4ljhdTTyiA (PID: 4554) File written: /usr/bin/jjltawydwf Jump to dropped file
Source: /tmp/4ljhdTTyiA (PID: 4554) File written: /usr/bin/ouhdchrbdz Jump to dropped file
Source: /tmp/4ljhdTTyiA (PID: 4554) File written: /usr/bin/fcxqfstrdm Jump to dropped file
Source: /tmp/4ljhdTTyiA (PID: 4554) File written: /usr/bin/dxeguomyxc Jump to dropped file
Source: /tmp/4ljhdTTyiA (PID: 4554) File written: /usr/bin/ctrygxclrx Jump to dropped file
Source: /tmp/4ljhdTTyiA (PID: 4554) File written: /usr/bin/gqczobuacc Jump to dropped file
Source: /tmp/4ljhdTTyiA (PID: 4554) File written: /usr/bin/uoewtvxqdd Jump to dropped file
Source: /tmp/4ljhdTTyiA (PID: 4554) File written: /usr/bin/rlyjyybyum Jump to dropped file
Source: /tmp/4ljhdTTyiA (PID: 4554) File written: /usr/bin/tjdqviitkh Jump to dropped file
Source: /tmp/4ljhdTTyiA (PID: 4554) File written: /usr/bin/aspbnnkmso Jump to dropped file
Source: /tmp/4ljhdTTyiA (PID: 4554) File written: /usr/bin/lgnmbyzzlq Jump to dropped file
Source: /tmp/4ljhdTTyiA (PID: 4554) File written: /usr/bin/nyavevzqtw Jump to dropped file
Writes crontab like entries to files to /var or /etc typically for achieving persistence
Source: /bin/sed (PID: 4592) Crontab like entry written: /etc/sed4RcMLw Jump to dropped file
Writes shell script file to disk with an unusual file extension
Source: /tmp/4ljhdTTyiA (PID: 4554) Writes shell script file to disk with an unusual file extension: /etc/init.d/4ljhdTTyiA Jump to dropped file
Writes shell script files to disk
Source: /tmp/4ljhdTTyiA (PID: 4554) Shell script file created: /etc/cron.hourly/gcc.sh Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Drops files in suspicious directories
Source: /tmp/4ljhdTTyiA (PID: 4554) File: /etc/init.d/4ljhdTTyiA Jump to dropped file
Source: /tmp/4ljhdTTyiA (PID: 4554) File: /usr/bin/jjltawydwf Jump to dropped file
Source: /tmp/4ljhdTTyiA (PID: 4554) File: /usr/bin/ouhdchrbdz Jump to dropped file
Source: /tmp/4ljhdTTyiA (PID: 4554) File: /usr/bin/fcxqfstrdm Jump to dropped file
Source: /tmp/4ljhdTTyiA (PID: 4554) File: /usr/bin/dxeguomyxc Jump to dropped file
Source: /tmp/4ljhdTTyiA (PID: 4554) File: /usr/bin/ctrygxclrx Jump to dropped file
Source: /tmp/4ljhdTTyiA (PID: 4554) File: /usr/bin/gqczobuacc Jump to dropped file
Source: /tmp/4ljhdTTyiA (PID: 4554) File: /usr/bin/uoewtvxqdd Jump to dropped file
Source: /tmp/4ljhdTTyiA (PID: 4554) File: /usr/bin/rlyjyybyum Jump to dropped file
Source: /tmp/4ljhdTTyiA (PID: 4554) File: /usr/bin/tjdqviitkh Jump to dropped file
Source: /tmp/4ljhdTTyiA (PID: 4554) File: /usr/bin/aspbnnkmso Jump to dropped file
Source: /tmp/4ljhdTTyiA (PID: 4554) File: /usr/bin/lgnmbyzzlq Jump to dropped file
Source: /tmp/4ljhdTTyiA (PID: 4554) File: /usr/bin/nyavevzqtw Jump to dropped file
Source: /usr/lib/insserv/insserv (PID: 4609) File: /etc/init.d/.depend.boot Jump to dropped file
Source: /usr/lib/insserv/insserv (PID: 4609) File: /etc/init.d/.depend.start Jump to dropped file
Source: /usr/lib/insserv/insserv (PID: 4609) File: /etc/init.d/.depend.stop Jump to dropped file
Sample deletes itself
Source: /tmp/4ljhdTTyiA (PID: 4554) File: /usr/bin/jjltawydwf Jump to behavior
Source: /tmp/4ljhdTTyiA (PID: 4554) File: /usr/bin/ouhdchrbdz Jump to behavior
Source: /tmp/4ljhdTTyiA (PID: 4554) File: /usr/bin/fcxqfstrdm Jump to behavior
Source: /tmp/4ljhdTTyiA (PID: 4554) File: /usr/bin/dxeguomyxc Jump to behavior
Source: /tmp/4ljhdTTyiA (PID: 4554) File: /usr/bin/ctrygxclrx Jump to behavior
Source: /tmp/4ljhdTTyiA (PID: 4554) File: /usr/bin/gqczobuacc Jump to behavior
Source: /tmp/4ljhdTTyiA (PID: 4554) File: /usr/bin/uoewtvxqdd Jump to behavior
Source: /tmp/4ljhdTTyiA (PID: 4554) File: /usr/bin/rlyjyybyum Jump to behavior
Source: /tmp/4ljhdTTyiA (PID: 4554) File: /usr/bin/tjdqviitkh Jump to behavior
Source: /tmp/4ljhdTTyiA (PID: 4554) File: /usr/bin/aspbnnkmso Jump to behavior
Source: /tmp/4ljhdTTyiA (PID: 4554) File: /usr/bin/lgnmbyzzlq Jump to behavior
Source: /tmp/4ljhdTTyiA (PID: 4554) File: /usr/bin/nyavevzqtw Jump to behavior
Source: /tmp/4ljhdTTyiA (PID: 4554) File: /usr/bin/tstbdpivhl Jump to behavior
Source: /tmp/4ljhdTTyiA (PID: 4554) File: /usr/bin/lndoiatrux Jump to behavior
Source: /tmp/4ljhdTTyiA (PID: 4554) File: /usr/bin/nefhkhnwwh Jump to behavior
Source: /tmp/4ljhdTTyiA (PID: 4554) File: /usr/bin/bjhmdsecwa Jump to behavior
Source: /tmp/4ljhdTTyiA (PID: 4554) File: /usr/bin/otvvhyamws Jump to behavior
Source: /tmp/4ljhdTTyiA (PID: 4554) File: /usr/bin/aysistkyqn Jump to behavior
Source: /tmp/4ljhdTTyiA (PID: 4554) File: /usr/bin/flwslywqdx Jump to behavior
Source: /tmp/4ljhdTTyiA (PID: 4554) File: /usr/bin/neofzderab Jump to behavior
Source: /tmp/4ljhdTTyiA (PID: 4554) File: /usr/bin/yxfexdyggl Jump to behavior
Source: /tmp/4ljhdTTyiA (PID: 4554) File: /usr/bin/taocfwkdjv Jump to behavior
Source: /tmp/4ljhdTTyiA (PID: 4554) File: /usr/bin/vhplhrsffz Jump to behavior
Source: /tmp/4ljhdTTyiA (PID: 4554) File: /usr/bin/vdaqfdcrtx Jump to behavior
Source: /tmp/4ljhdTTyiA (PID: 4554) File: /usr/bin/vyvijtmtnz Jump to behavior
Source: /tmp/4ljhdTTyiA (PID: 4554) File: /usr/bin/vggdimllrz Jump to behavior
Source: /tmp/4ljhdTTyiA (PID: 4554) File: /usr/bin/dowmukqhnk Jump to behavior
Source: /tmp/4ljhdTTyiA (PID: 4554) File: /usr/bin/ejrpibbjio Jump to behavior
Source: /tmp/4ljhdTTyiA (PID: 4554) File: /usr/bin/ztfvwcbmzm Jump to behavior
Source: /tmp/4ljhdTTyiA (PID: 4554) File: /usr/bin/getzgxvgyl Jump to behavior
Source: /usr/bin/jjltawydwf (PID: 4657) File: /usr/bin/jjltawydwf Jump to behavior
Source: /usr/bin/jjltawydwf (PID: 4669) File: /usr/bin/jjltawydwf Jump to behavior
Source: /usr/bin/jjltawydwf (PID: 4679) File: /usr/bin/jjltawydwf Jump to behavior
Source: /usr/bin/jjltawydwf (PID: 4690) File: /usr/bin/jjltawydwf Jump to behavior
Source: /usr/bin/jjltawydwf (PID: 4701) File: /usr/bin/jjltawydwf Jump to behavior
Source: /usr/bin/ouhdchrbdz (PID: 4715) File: /usr/bin/ouhdchrbdz Jump to behavior
Source: /usr/bin/ouhdchrbdz (PID: 4726) File: /usr/bin/ouhdchrbdz Jump to behavior
Source: /usr/bin/ouhdchrbdz (PID: 4737) File: /usr/bin/ouhdchrbdz Jump to behavior
Source: /usr/bin/ouhdchrbdz (PID: 4748) File: /usr/bin/ouhdchrbdz Jump to behavior
Source: /usr/bin/ouhdchrbdz (PID: 4759) File: /usr/bin/ouhdchrbdz Jump to behavior
Source: /usr/bin/fcxqfstrdm (PID: 4770) File: /usr/bin/fcxqfstrdm Jump to behavior
Source: /usr/bin/fcxqfstrdm (PID: 4781) File: /usr/bin/fcxqfstrdm Jump to behavior
Source: /usr/bin/fcxqfstrdm (PID: 4792) File: /usr/bin/fcxqfstrdm Jump to behavior
Source: /usr/bin/fcxqfstrdm (PID: 4803) File: /usr/bin/fcxqfstrdm Jump to behavior
Source: /usr/bin/fcxqfstrdm (PID: 4814) File: /usr/bin/fcxqfstrdm Jump to behavior
Source: /usr/bin/dxeguomyxc (PID: 4825) File: /usr/bin/dxeguomyxc Jump to behavior
Source: /usr/bin/dxeguomyxc (PID: 4836) File: /usr/bin/dxeguomyxc Jump to behavior
Source: /usr/bin/dxeguomyxc (PID: 4847) File: /usr/bin/dxeguomyxc Jump to behavior
Source: /usr/bin/dxeguomyxc (PID: 4859) File: /usr/bin/dxeguomyxc Jump to behavior
Source: /usr/bin/dxeguomyxc (PID: 4869) File: /usr/bin/dxeguomyxc Jump to behavior
Source: /usr/bin/ctrygxclrx (PID: 4880) File: /usr/bin/ctrygxclrx Jump to behavior
Source: /usr/bin/ctrygxclrx (PID: 4891) File: /usr/bin/ctrygxclrx Jump to behavior
Source: /usr/bin/ctrygxclrx (PID: 4902) File: /usr/bin/ctrygxclrx Jump to behavior
Source: /usr/bin/ctrygxclrx (PID: 4913) File: /usr/bin/ctrygxclrx Jump to behavior
Source: /usr/bin/ctrygxclrx (PID: 4924) File: /usr/bin/ctrygxclrx Jump to behavior
Source: /usr/bin/gqczobuacc (PID: 4935) File: /usr/bin/gqczobuacc Jump to behavior
Source: /usr/bin/gqczobuacc (PID: 4946) File: /usr/bin/gqczobuacc Jump to behavior
Source: /usr/bin/gqczobuacc (PID: 4957) File: /usr/bin/gqczobuacc Jump to behavior
Source: /usr/bin/gqczobuacc (PID: 4968) File: /usr/bin/gqczobuacc Jump to behavior
Source: /usr/bin/gqczobuacc (PID: 4979) File: /usr/bin/gqczobuacc Jump to behavior
Source: /usr/bin/uoewtvxqdd (PID: 4990) File: /usr/bin/uoewtvxqdd Jump to behavior
Source: /usr/bin/uoewtvxqdd (PID: 5001) File: /usr/bin/uoewtvxqdd Jump to behavior
Source: /usr/bin/uoewtvxqdd (PID: 5012) File: /usr/bin/uoewtvxqdd Jump to behavior
Source: /usr/bin/uoewtvxqdd (PID: 5023) File: /usr/bin/uoewtvxqdd Jump to behavior
Source: /usr/bin/uoewtvxqdd (PID: 5034) File: /usr/bin/uoewtvxqdd Jump to behavior
Source: /usr/bin/rlyjyybyum (PID: 5045) File: /usr/bin/rlyjyybyum Jump to behavior
Source: /usr/bin/rlyjyybyum (PID: 5056) File: /usr/bin/rlyjyybyum Jump to behavior
Source: /usr/bin/rlyjyybyum (PID: 5067) File: /usr/bin/rlyjyybyum Jump to behavior
Source: /usr/bin/rlyjyybyum (PID: 5078) File: /usr/bin/rlyjyybyum Jump to behavior
Source: /usr/bin/rlyjyybyum (PID: 5089) File: /usr/bin/rlyjyybyum Jump to behavior
Source: /usr/bin/tjdqviitkh (PID: 5102) File: /usr/bin/tjdqviitkh Jump to behavior
Source: /usr/bin/tjdqviitkh (PID: 5113) File: /usr/bin/tjdqviitkh Jump to behavior
Source: /usr/bin/tjdqviitkh (PID: 5124) File: /usr/bin/tjdqviitkh Jump to behavior
Source: /usr/bin/tjdqviitkh (PID: 5135) File: /usr/bin/tjdqviitkh Jump to behavior
Source: /usr/bin/tjdqviitkh (PID: 5146) File: /usr/bin/tjdqviitkh Jump to behavior
Source: /usr/bin/aspbnnkmso (PID: 5157) File: /usr/bin/aspbnnkmso Jump to behavior
Source: /usr/bin/aspbnnkmso (PID: 5168) File: /usr/bin/aspbnnkmso Jump to behavior
Source: /usr/bin/aspbnnkmso (PID: 5179) File: /usr/bin/aspbnnkmso Jump to behavior
Source: /usr/bin/aspbnnkmso (PID: 5190) File: /usr/bin/aspbnnkmso Jump to behavior
Source: /usr/bin/aspbnnkmso (PID: 5201) File: /usr/bin/aspbnnkmso Jump to behavior
Source: /usr/bin/lgnmbyzzlq (PID: 5212) File: /usr/bin/lgnmbyzzlq Jump to behavior
Source: /usr/bin/lgnmbyzzlq (PID: 5223) File: /usr/bin/lgnmbyzzlq Jump to behavior
Source: /usr/bin/lgnmbyzzlq (PID: 5234) File: /usr/bin/lgnmbyzzlq Jump to behavior
Source: /usr/bin/lgnmbyzzlq (PID: 5245) File: /usr/bin/lgnmbyzzlq Jump to behavior
Source: /usr/bin/lgnmbyzzlq (PID: 5256) File: /usr/bin/lgnmbyzzlq Jump to behavior
Source: /usr/bin/nyavevzqtw (PID: 5267) File: /usr/bin/nyavevzqtw Jump to behavior
Source: /usr/bin/nyavevzqtw (PID: 5278) File: /usr/bin/nyavevzqtw Jump to behavior
Source: /usr/bin/nyavevzqtw (PID: 5289) File: /usr/bin/nyavevzqtw Jump to behavior
Source: /usr/bin/nyavevzqtw (PID: 5300) File: /usr/bin/nyavevzqtw Jump to behavior
Source: /usr/bin/nyavevzqtw (PID: 5311) File: /usr/bin/nyavevzqtw Jump to behavior
Source: /usr/bin/tstbdpivhl (PID: 5322) File: /usr/bin/tstbdpivhl Jump to behavior
Source: /usr/bin/tstbdpivhl (PID: 5333) File: /usr/bin/tstbdpivhl Jump to behavior
Source: /usr/bin/tstbdpivhl (PID: 5345) File: /usr/bin/tstbdpivhl Jump to behavior
Source: /usr/bin/tstbdpivhl (PID: 5355) File: /usr/bin/tstbdpivhl Jump to behavior
Source: /usr/bin/tstbdpivhl (PID: 5366) File: /usr/bin/tstbdpivhl Jump to behavior
Source: /usr/bin/lndoiatrux (PID: 5377) File: /usr/bin/lndoiatrux Jump to behavior
Source: /usr/bin/lndoiatrux (PID: 5388) File: /usr/bin/lndoiatrux Jump to behavior
Source: /usr/bin/lndoiatrux (PID: 5399) File: /usr/bin/lndoiatrux Jump to behavior
Source: /usr/bin/lndoiatrux (PID: 5410) File: /usr/bin/lndoiatrux Jump to behavior
Source: /usr/bin/lndoiatrux (PID: 5421) File: /usr/bin/lndoiatrux Jump to behavior
Source: /usr/bin/nefhkhnwwh (PID: 5432) File: /usr/bin/nefhkhnwwh Jump to behavior
Source: /usr/bin/nefhkhnwwh (PID: 5443) File: /usr/bin/nefhkhnwwh Jump to behavior
Source: /usr/bin/nefhkhnwwh (PID: 5454) File: /usr/bin/nefhkhnwwh Jump to behavior
Source: /usr/bin/nefhkhnwwh (PID: 5465) File: /usr/bin/nefhkhnwwh Jump to behavior
Source: /usr/bin/nefhkhnwwh (PID: 5476) File: /usr/bin/nefhkhnwwh Jump to behavior
Source: /usr/bin/bjhmdsecwa (PID: 5487) File: /usr/bin/bjhmdsecwa Jump to behavior
Source: /usr/bin/bjhmdsecwa (PID: 5498) File: /usr/bin/bjhmdsecwa Jump to behavior
Source: /usr/bin/bjhmdsecwa (PID: 5509) File: /usr/bin/bjhmdsecwa Jump to behavior
Source: /usr/bin/bjhmdsecwa (PID: 5520) File: /usr/bin/bjhmdsecwa Jump to behavior
Source: /usr/bin/bjhmdsecwa (PID: 5531) File: /usr/bin/bjhmdsecwa Jump to behavior
Source: /usr/bin/otvvhyamws (PID: 5542) File: /usr/bin/otvvhyamws Jump to behavior
Source: /usr/bin/otvvhyamws (PID: 5553) File: /usr/bin/otvvhyamws Jump to behavior
Source: /usr/bin/otvvhyamws (PID: 5565) File: /usr/bin/otvvhyamws Jump to behavior
Source: /usr/bin/otvvhyamws (PID: 5568) File: /usr/bin/otvvhyamws Jump to behavior
Source: /usr/bin/otvvhyamws (PID: 5572) File: /usr/bin/otvvhyamws Jump to behavior
Source: /usr/bin/aysistkyqn (PID: 5598) File: /usr/bin/aysistkyqn Jump to behavior
Source: /usr/bin/aysistkyqn (PID: 5601) File: /usr/bin/aysistkyqn Jump to behavior
Source: /usr/bin/aysistkyqn (PID: 5605) File: /usr/bin/aysistkyqn Jump to behavior
Source: /usr/bin/aysistkyqn (PID: 5611) File: /usr/bin/aysistkyqn Jump to behavior
Source: /usr/bin/aysistkyqn (PID: 5615) File: /usr/bin/aysistkyqn Jump to behavior
Source: /usr/bin/flwslywqdx (PID: 5653) File: /usr/bin/flwslywqdx Jump to behavior
Source: /usr/bin/flwslywqdx (PID: 5656) File: /usr/bin/flwslywqdx Jump to behavior
Source: /usr/bin/flwslywqdx (PID: 5661) File: /usr/bin/flwslywqdx Jump to behavior
Source: /usr/bin/flwslywqdx (PID: 5668) File: /usr/bin/flwslywqdx Jump to behavior
Source: /usr/bin/flwslywqdx (PID: 5677) File: /usr/bin/flwslywqdx Jump to behavior
Source: /usr/bin/neofzderab (PID: 5710) File: /usr/bin/neofzderab Jump to behavior
Source: /usr/bin/neofzderab (PID: 5714) File: /usr/bin/neofzderab Jump to behavior
Source: /usr/bin/neofzderab (PID: 5719) File: /usr/bin/neofzderab Jump to behavior
Source: /usr/bin/neofzderab (PID: 5725) File: /usr/bin/neofzderab Jump to behavior
Source: /usr/bin/neofzderab (PID: 5732) File: /usr/bin/neofzderab Jump to behavior
Source: /usr/bin/yxfexdyggl (PID: 5765) File: /usr/bin/yxfexdyggl Jump to behavior
Source: /usr/bin/yxfexdyggl (PID: 5769) File: /usr/bin/yxfexdyggl Jump to behavior
Source: /usr/bin/yxfexdyggl (PID: 5775) File: /usr/bin/yxfexdyggl Jump to behavior
Source: /usr/bin/yxfexdyggl (PID: 5779) File: /usr/bin/yxfexdyggl Jump to behavior
Source: /usr/bin/yxfexdyggl (PID: 5784) File: /usr/bin/yxfexdyggl Jump to behavior
Source: /usr/bin/taocfwkdjv (PID: 5820) File: /usr/bin/taocfwkdjv Jump to behavior
Source: /usr/bin/taocfwkdjv (PID: 5824) File: /usr/bin/taocfwkdjv Jump to behavior
Source: /usr/bin/taocfwkdjv (PID: 5830) File: /usr/bin/taocfwkdjv Jump to behavior
Source: /usr/bin/taocfwkdjv (PID: 5834) File: /usr/bin/taocfwkdjv Jump to behavior
Source: /usr/bin/taocfwkdjv (PID: 5839) File: /usr/bin/taocfwkdjv Jump to behavior
Source: /usr/bin/vhplhrsffz (PID: 5875) File: /usr/bin/vhplhrsffz Jump to behavior
Source: /usr/bin/vhplhrsffz (PID: 5878) File: /usr/bin/vhplhrsffz Jump to behavior
Source: /usr/bin/vhplhrsffz (PID: 5882) File: /usr/bin/vhplhrsffz Jump to behavior
Source: /usr/bin/vhplhrsffz (PID: 5887) File: /usr/bin/vhplhrsffz Jump to behavior
Source: /usr/bin/vhplhrsffz (PID: 5895) File: /usr/bin/vhplhrsffz Jump to behavior
Source: /usr/bin/vdaqfdcrtx (PID: 5930) File: /usr/bin/vdaqfdcrtx Jump to behavior
Source: /usr/bin/vdaqfdcrtx (PID: 5933) File: /usr/bin/vdaqfdcrtx Jump to behavior
Source: /usr/bin/vdaqfdcrtx (PID: 5938) File: /usr/bin/vdaqfdcrtx Jump to behavior
Source: /usr/bin/vdaqfdcrtx (PID: 5945) File: /usr/bin/vdaqfdcrtx Jump to behavior
Source: /usr/bin/vdaqfdcrtx (PID: 5949) File: /usr/bin/vdaqfdcrtx Jump to behavior
Source: /usr/bin/vyvijtmtnz (PID: 5985) File: /usr/bin/vyvijtmtnz Jump to behavior
Source: /usr/bin/vyvijtmtnz (PID: 5989) File: /usr/bin/vyvijtmtnz Jump to behavior
Source: /usr/bin/vyvijtmtnz (PID: 5994) File: /usr/bin/vyvijtmtnz Jump to behavior
Source: /usr/bin/vyvijtmtnz (PID: 6001) File: /usr/bin/vyvijtmtnz Jump to behavior
Source: /usr/bin/vyvijtmtnz (PID: 6008) File: /usr/bin/vyvijtmtnz Jump to behavior
Source: /usr/bin/vggdimllrz (PID: 6040) File: /usr/bin/vggdimllrz Jump to behavior
Source: /usr/bin/vggdimllrz (PID: 6044) File: /usr/bin/vggdimllrz Jump to behavior
Source: /usr/bin/vggdimllrz (PID: 6050) File: /usr/bin/vggdimllrz Jump to behavior
Source: /usr/bin/vggdimllrz (PID: 6055) File: /usr/bin/vggdimllrz Jump to behavior
Source: /usr/bin/vggdimllrz (PID: 6062) File: /usr/bin/vggdimllrz Jump to behavior
Source: /usr/bin/dowmukqhnk (PID: 6095) File: /usr/bin/dowmukqhnk Jump to behavior
Source: /usr/bin/dowmukqhnk (PID: 6098) File: /usr/bin/dowmukqhnk Jump to behavior
Source: /usr/bin/dowmukqhnk (PID: 6104) File: /usr/bin/dowmukqhnk Jump to behavior
Source: /usr/bin/dowmukqhnk (PID: 6110) File: /usr/bin/dowmukqhnk Jump to behavior
Source: /usr/bin/dowmukqhnk (PID: 6118) File: /usr/bin/dowmukqhnk Jump to behavior
Source: /usr/bin/ejrpibbjio (PID: 6150) File: /usr/bin/ejrpibbjio Jump to behavior
Source: /usr/bin/ejrpibbjio (PID: 6153) File: /usr/bin/ejrpibbjio Jump to behavior
Source: /usr/bin/ejrpibbjio (PID: 6157) File: /usr/bin/ejrpibbjio Jump to behavior
Source: /usr/bin/ejrpibbjio (PID: 6163) File: /usr/bin/ejrpibbjio Jump to behavior
Source: /usr/bin/ejrpibbjio (PID: 6169) File: /usr/bin/ejrpibbjio Jump to behavior
Source: /usr/bin/ztfvwcbmzm (PID: 6221) File: /usr/bin/ztfvwcbmzm Jump to behavior
Source: /usr/bin/ztfvwcbmzm (PID: 6223) File: /usr/bin/ztfvwcbmzm Jump to behavior
Source: /usr/bin/ztfvwcbmzm (PID: 6222) File: /usr/bin/ztfvwcbmzm Jump to behavior
Source: /usr/bin/ztfvwcbmzm (PID: 6225) File: /usr/bin/ztfvwcbmzm Jump to behavior
Source: /usr/bin/ztfvwcbmzm (PID: 6226) File: /usr/bin/ztfvwcbmzm Jump to behavior
Drops files with innocent-looking names
Source: /tmp/4ljhdTTyiA (PID: 4554) Path: /etc/cron.hourly/gcc.sh Jump to dropped file
Source: /tmp/4ljhdTTyiA (PID: 4554) Path: /run/gcc.pid Jump to dropped file

Malware Analysis System Evasion:

Reads CPU information from /proc indicative of miner or evasive malware
Source: /tmp/4ljhdTTyiA (PID: 4554) Reads CPU info from proc file: /proc/cpuinfo Jump to behavior
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/4ljhdTTyiA (PID: 4551) Queries kernel information via 'uname': Jump to behavior
Source: /tmp/4ljhdTTyiA (PID: 4554) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/jjltawydwf (PID: 4656) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/jjltawydwf (PID: 4667) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/jjltawydwf (PID: 4678) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/jjltawydwf (PID: 4689) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/jjltawydwf (PID: 4700) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/ouhdchrbdz (PID: 4714) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/ouhdchrbdz (PID: 4725) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/ouhdchrbdz (PID: 4736) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/ouhdchrbdz (PID: 4747) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/ouhdchrbdz (PID: 4758) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/fcxqfstrdm (PID: 4769) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/fcxqfstrdm (PID: 4780) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/fcxqfstrdm (PID: 4791) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/fcxqfstrdm (PID: 4802) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/fcxqfstrdm (PID: 4813) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/dxeguomyxc (PID: 4824) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/dxeguomyxc (PID: 4835) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/dxeguomyxc (PID: 4846) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/dxeguomyxc (PID: 4857) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/dxeguomyxc (PID: 4868) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/ctrygxclrx (PID: 4879) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/ctrygxclrx (PID: 4890) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/ctrygxclrx (PID: 4901) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/ctrygxclrx (PID: 4912) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/ctrygxclrx (PID: 4923) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/gqczobuacc (PID: 4934) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/gqczobuacc (PID: 4945) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/gqczobuacc (PID: 4956) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/gqczobuacc (PID: 4967) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/gqczobuacc (PID: 4978) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/uoewtvxqdd (PID: 4989) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/uoewtvxqdd (PID: 5000) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/uoewtvxqdd (PID: 5011) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/uoewtvxqdd (PID: 5022) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/uoewtvxqdd (PID: 5033) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/rlyjyybyum (PID: 5044) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/rlyjyybyum (PID: 5055) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/rlyjyybyum (PID: 5066) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/rlyjyybyum (PID: 5077) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/rlyjyybyum (PID: 5088) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/tjdqviitkh (PID: 5101) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/tjdqviitkh (PID: 5112) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/tjdqviitkh (PID: 5123) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/tjdqviitkh (PID: 5134) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/tjdqviitkh (PID: 5145) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/aspbnnkmso (PID: 5156) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/aspbnnkmso (PID: 5167) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/aspbnnkmso (PID: 5178) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/aspbnnkmso (PID: 5189) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/aspbnnkmso (PID: 5200) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/lgnmbyzzlq (PID: 5211) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/lgnmbyzzlq (PID: 5222) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/lgnmbyzzlq (PID: 5233) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/lgnmbyzzlq (PID: 5244) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/lgnmbyzzlq (PID: 5255) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/nyavevzqtw (PID: 5266) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/nyavevzqtw (PID: 5277) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/nyavevzqtw (PID: 5288) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/nyavevzqtw (PID: 5299) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/nyavevzqtw (PID: 5310) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/tstbdpivhl (PID: 5321) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/tstbdpivhl (PID: 5332) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/tstbdpivhl (PID: 5343) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/tstbdpivhl (PID: 5354) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/tstbdpivhl (PID: 5365) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/lndoiatrux (PID: 5376) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/lndoiatrux (PID: 5387) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/lndoiatrux (PID: 5398) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/lndoiatrux (PID: 5409) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/lndoiatrux (PID: 5420) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/nefhkhnwwh (PID: 5431) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/nefhkhnwwh (PID: 5442) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/nefhkhnwwh (PID: 5453) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/nefhkhnwwh (PID: 5464) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/nefhkhnwwh (PID: 5475) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/bjhmdsecwa (PID: 5486) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/bjhmdsecwa (PID: 5497) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/bjhmdsecwa (PID: 5508) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/bjhmdsecwa (PID: 5519) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/bjhmdsecwa (PID: 5530) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/otvvhyamws (PID: 5541) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/otvvhyamws (PID: 5552) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/otvvhyamws (PID: 5563) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/otvvhyamws (PID: 5566) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/otvvhyamws (PID: 5569) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/aysistkyqn (PID: 5596) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/aysistkyqn (PID: 5599) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/aysistkyqn (PID: 5602) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/aysistkyqn (PID: 5607) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/aysistkyqn (PID: 5613) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/flwslywqdx (PID: 5651) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/flwslywqdx (PID: 5654) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/flwslywqdx (PID: 5658) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/flwslywqdx (PID: 5663) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/flwslywqdx (PID: 5670) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/neofzderab (PID: 5708) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/neofzderab (PID: 5711) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/neofzderab (PID: 5715) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/neofzderab (PID: 5721) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/neofzderab (PID: 5727) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/yxfexdyggl (PID: 5763) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/yxfexdyggl (PID: 5766) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/yxfexdyggl (PID: 5771) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/yxfexdyggl (PID: 5776) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/yxfexdyggl (PID: 5781) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/taocfwkdjv (PID: 5818) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/taocfwkdjv (PID: 5821) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/taocfwkdjv (PID: 5825) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/taocfwkdjv (PID: 5829) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/taocfwkdjv (PID: 5836) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/vhplhrsffz (PID: 5873) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/vhplhrsffz (PID: 5876) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/vhplhrsffz (PID: 5879) Queries kernel information via 'uname'
Source: /usr/bin/vhplhrsffz (PID: 5883) Queries kernel information via 'uname'
Source: /usr/bin/vhplhrsffz (PID: 5889) Queries kernel information via 'uname'
Source: /usr/bin/vdaqfdcrtx (PID: 5928) Queries kernel information via 'uname'
Source: /usr/bin/vdaqfdcrtx (PID: 5931) Queries kernel information via 'uname'
Source: /usr/bin/vdaqfdcrtx (PID: 5935) Queries kernel information via 'uname'
Source: /usr/bin/vdaqfdcrtx (PID: 5940) Queries kernel information via 'uname'
Source: /usr/bin/vdaqfdcrtx (PID: 5947) Queries kernel information via 'uname'
Source: /usr/bin/vyvijtmtnz (PID: 5983) Queries kernel information via 'uname'
Source: /usr/bin/vyvijtmtnz (PID: 5986) Queries kernel information via 'uname'
Source: /usr/bin/vyvijtmtnz (PID: 5990) Queries kernel information via 'uname'
Source: /usr/bin/vyvijtmtnz (PID: 5995) Queries kernel information via 'uname'
Source: /usr/bin/vyvijtmtnz (PID: 6003) Queries kernel information via 'uname'
Source: /usr/bin/vggdimllrz (PID: 6038) Queries kernel information via 'uname'
Source: /usr/bin/vggdimllrz (PID: 6041) Queries kernel information via 'uname'
Source: /usr/bin/vggdimllrz (PID: 6046) Queries kernel information via 'uname'
Source: /usr/bin/vggdimllrz (PID: 6052) Queries kernel information via 'uname'
Source: /usr/bin/vggdimllrz (PID: 6059) Queries kernel information via 'uname'
Source: /usr/bin/dowmukqhnk (PID: 6093) Queries kernel information via 'uname'
Source: /usr/bin/dowmukqhnk (PID: 6096) Queries kernel information via 'uname'
Source: /usr/bin/dowmukqhnk (PID: 6100) Queries kernel information via 'uname'
Source: /usr/bin/dowmukqhnk (PID: 6106) Queries kernel information via 'uname'
Source: /usr/bin/dowmukqhnk (PID: 6113) Queries kernel information via 'uname'
Source: /usr/bin/ejrpibbjio (PID: 6148) Queries kernel information via 'uname'
Source: /usr/bin/ejrpibbjio (PID: 6151) Queries kernel information via 'uname'
Source: /usr/bin/ejrpibbjio (PID: 6154) Queries kernel information via 'uname'
Source: /usr/bin/ejrpibbjio (PID: 6159) Queries kernel information via 'uname'
Source: /usr/bin/ejrpibbjio (PID: 6166) Queries kernel information via 'uname'
Source: /usr/bin/ztfvwcbmzm (PID: 6213) Queries kernel information via 'uname'
Source: /usr/bin/ztfvwcbmzm (PID: 6215) Queries kernel information via 'uname'
Source: /usr/bin/ztfvwcbmzm (PID: 6217) Queries kernel information via 'uname'
Source: /usr/bin/ztfvwcbmzm (PID: 6219) Queries kernel information via 'uname'
Source: /usr/bin/ztfvwcbmzm (PID: 6224) Queries kernel information via 'uname'
Source: /usr/bin/getzgxvgyl (PID: 6268) Queries kernel information via 'uname'
Source: /usr/bin/getzgxvgyl (PID: 6270) Queries kernel information via 'uname'
Source: /usr/bin/getzgxvgyl (PID: 6273) Queries kernel information via 'uname'
Source: /usr/bin/getzgxvgyl (PID: 6277) Queries kernel information via 'uname'
Source: /usr/bin/getzgxvgyl (PID: 6282) Queries kernel information via 'uname'
Source: .depend.boot.20.dr Binary or memory string: qemu-kvm: mountkernfs.sh udev
Source: 4ljhdTTyiA, 4713.1.0000000008960000.0000000008982000.rw-.sdmp Binary or memory string: /usr/bin/vmtoolsd
Source: 4ljhdTTyiA, 4713.1.0000000008960000.0000000008982000.rw-.sdmp Binary or memory string: /usr/bin/vmtoolsdt/1.ref4a75b2e6e8e8a55aab94da/system.journal
Source: .depend.boot.20.dr Binary or memory string: TARGETS = console-setup resolvconf alsa-utils mountkernfs.sh ufw plymouth-log hostname.sh lm-sensors screen-cleanup pppd-dns apparmor x11-common udev keyboard-setup mountdevsubfs.sh brltty procps qemu-kvm cryptdisks cryptdisks-early hwclock.sh open-iscsi networking iscsid checkroot.sh lvm2 urandom checkfs.sh mountall.sh mountall-bootclean.sh bootmisc.sh kmod mountnfs.sh checkroot-bootclean.sh mountnfs-bootclean.sh

Remote Access Functionality:

Yara detected XorDDoS Bot
Source: Yara match File source: 4ljhdTTyiA, type: SAMPLE
Source: Yara match File source: 5232.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4812.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5320.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4666.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5100.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4856.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4867.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5144.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4768.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5166.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4845.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5298.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4757.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5496.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5188.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5032.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5309.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5408.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4933.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4889.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4790.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5342.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4724.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5331.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4834.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5518.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4944.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5529.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4556.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4878.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4922.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5287.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5276.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5122.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4735.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4900.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4677.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5076.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4977.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5353.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5419.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5452.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5043.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5375.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5254.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4911.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4699.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4555.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5386.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4746.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4988.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5087.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5021.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4578.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4713.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4966.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5199.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5397.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5210.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5430.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5243.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5221.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5485.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4999.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4801.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5133.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5441.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4688.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5463.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5265.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5551.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5065.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4655.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5054.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5474.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4823.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4551.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5111.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5507.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5364.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4955.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5010.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5540.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5177.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5155.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 4779.1.0000000008048000.00000000080cf000.r-x.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 4ljhdTTyiA PID: 5054, type: MEMORY
Source: Yara match File source: Process Memory Space: 4ljhdTTyiA PID: 5507, type: MEMORY
Source: Yara match File source: /usr/bin/nyavevzqtw, type: DROPPED
Source: Yara match File source: /usr/bin/uoewtvxqdd, type: DROPPED
Source: Yara match File source: /usr/bin/dxeguomyxc, type: DROPPED
Source: Yara match File source: /usr/bin/jjltawydwf, type: DROPPED
Source: Yara match File source: /lib/libudev.so, type: DROPPED
Source: Yara match File source: /usr/bin/ctrygxclrx, type: DROPPED
Source: Yara match File source: /usr/bin/rlyjyybyum, type: DROPPED
Source: Yara match File source: /usr/bin/tjdqviitkh, type: DROPPED
Source: Yara match File source: /usr/bin/fcxqfstrdm, type: DROPPED
Source: Yara match File source: /usr/bin/aspbnnkmso, type: DROPPED
Source: Yara match File source: /usr/bin/ouhdchrbdz, type: DROPPED
Source: Yara match File source: /usr/bin/lgnmbyzzlq, type: DROPPED
Source: Yara match File source: /usr/bin/gqczobuacc, type: DROPPED
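The Yara hits above fall into two groups: the r-x text segment of every running copy (dumped from the fixed i386 load address 0x08048000 up to 0x080cf000) and the copies dropped on disk under ten-letter random names in /usr/bin plus a fake /lib/libudev.so. The following script is an added triage example, not code from the sandbox or from the sample, that turns those two observations into a check a responder can run: it parses /proc/<pid>/maps, selects the file-backed executable mappings to dump for a Yara scan, names each dump the way the report does, and flags backing binaries that match the drop pattern. The /proc maps excerpt is constructed (device and inode values are made up), the drop-name pattern is inferred from the file list above, and the fixed ".1." field in the dump name is reproduced verbatim because the page does not document its meaning.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# /proc/<pid>/maps line: start-end perms offset dev inode [path]
_MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"[0-9a-f]+\s+\S+\s+\d+(?:\s+(?P<path>\S.*))?$"
)

# Drop pattern inferred from the report: ten random lowercase letters in
# /usr/bin, plus a library-looking file directly under /lib (assumption).
_RANDOM_NAME_RE = re.compile(r"^[a-z]{10}$")
DROP_DIRS = ("/usr/bin",)
KNOWN_DROP_PATHS = {"/lib/libudev.so"}

# Constructed maps excerpt for one of the running copies (PID taken from the
# report; device/inode numbers are invented for the example).
SAMPLE_PID = 5879
SAMPLE_MAPS = """\
08048000-080cf000 r-xp 00000000 08:01 393543 /usr/bin/vhplhrsffz
080cf000-080d0000 r--p 00086000 08:01 393543 /usr/bin/vhplhrsffz
080d0000-080d3000 rw-p 00087000 08:01 393543 /usr/bin/vhplhrsffz
080d3000-080f6000 rw-p 00000000 00:00 0 [heap]
b7fd0000-b7fd1000 r-xp 00000000 00:00 0 [vdso]
bffdf000-c0000000 rw-p 00000000 00:00 0 [stack]
"""


@dataclass(frozen=True)
class Region:
    start: int
    end: int
    perms: str            # e.g. "r-xp"
    path: Optional[str]   # None for anonymous mappings


def parse_maps(text: str) -> List[Region]:
    """Parse the text of /proc/<pid>/maps into Region objects."""
    regions = []
    for line in text.splitlines():
        m = _MAPS_RE.match(line.strip())
        if m:
            regions.append(Region(int(m["start"], 16), int(m["end"], 16),
                                  m["perms"], m["path"]))
    return regions


def executable_regions(regions: List[Region]) -> List[Region]:
    """Keep file-backed executable mappings; skip [vdso], [heap] and the like."""
    return [r for r in regions
            if "x" in r.perms and r.path and not r.path.startswith("[")]


def dump_name(pid: int, region: Region) -> str:
    """Name a dump the way the report does: <pid>.1.<start>.<end>.<perms>.sdmp."""
    return f"{pid}.1.{region.start:016x}.{region.end:016x}.{region.perms[:3]}.sdmp"


def looks_like_xorddos_drop(path: str) -> bool:
    """True if the path matches the dropped-file pattern listed in the report."""
    if path in KNOWN_DROP_PATHS:
        return True
    directory, _, name = path.rpartition("/")
    return directory in DROP_DIRS and bool(_RANDOM_NAME_RE.match(name))


def triage_pid(pid: int, maps_text: str) -> dict:
    """List the mappings to dump for a Yara scan and any suspicious backing files."""
    regs = executable_regions(parse_maps(maps_text))
    return {
        "dumps": [dump_name(pid, r) for r in regs],
        "suspicious_paths": sorted({r.path for r in regs
                                    if looks_like_xorddos_drop(r.path)}),
    }


def read_region(pid: int, region: Region) -> bytes:
    """Read a mapping from /proc/<pid>/mem on a live host (needs ptrace rights)."""
    with open(f"/proc/{pid}/mem", "rb") as mem:
        mem.seek(region.start)
        return mem.read(region.end - region.start)


if __name__ == "__main__":
    # On a live host, replace SAMPLE_MAPS with open(f"/proc/{pid}/maps").read()
    # and feed read_region() output to yara.Rules.match(data=...).
    print(triage_pid(SAMPLE_PID, SAMPLE_MAPS))
```

The dump list for the constructed excerpt contains exactly one entry, the r-x segment, which is the region every memory-based Yara match in the report was raised on; scanning only file-backed executable mappings keeps the volume manageable across the dozens of PIDs seen here. The name check is a heuristic, not a signature: it will not catch a variant that changes its naming scheme, and a bare /lib/libudev.so is itself worth a second look on Debian-family systems, where the genuine library is a versioned file under the multiarch directory.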