Linux Analysis Report IOg8XL9P8B

Overview

General Information

Sample Name: IOg8XL9P8B
Analysis ID: 528746
MD5: 2eb2602703ec59e9118097fea2b3dafa
SHA1: 36224cc924b7a60f94e61ffbeea304d747137e0d
SHA256: b0e28475774e7e58d75c1fe6a0fef19adcf84ef2a8ff3538a1859100da4f482f
Tags: 32, elf, mips, Mirai

Detection

Score: 72
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Sample tries to kill many processes (SIGKILL)
Deletes all firewall rules
Sample deletes itself
Sample is packed with UPX
Deletes security-related log files
Sample reads /proc/mounts (often used for finding a writable filesystem)
Executes the "kill" or "pkill" command typically used to terminate processes
Sample contains only a LOAD segment without any section mappings
Reads CPU information from /sys indicative of miner or evasive malware
Yara signature match
Executes the "grep" command used to find patterns in files or piped streams
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Deletes log files
Creates hidden files and/or directories
Executes the "iptables" command used for managing IP filtering and manipulation
Sample tries to set the executable flag
Executes commands using a shell command-line interpreter
Executes the "rm" command used to delete files or directories

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: IOg8XL9P8B Virustotal: Detection: 25%

Bitcoin Miner:

Reads CPU information from /sys indicative of miner or evasive malware
Source: /usr/bin/pkill (PID: 5267) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5274) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5277) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 5411) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5451) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5554) Reads CPU info from /sys: /sys/devices/system/cpu/online

Networking:

Deletes all firewall rules
Source: /bin/sh (PID: 5261) Args: iptables -F
Sample listens on a socket
Source: /tmp/IOg8XL9P8B (PID: 5230) Socket: 0.0.0.0::23
Source: /usr/sbin/sshd (PID: 5370) Socket: 0.0.0.0::22
Source: /usr/sbin/sshd (PID: 5370) Socket: [::]::22
Executes the "iptables" command used for managing IP filtering and manipulation
Source: /bin/sh (PID: 5294) Iptables executable: /sbin/iptables -> /sbin/iptables -F
Source: /bin/sh (PID: 5295) Iptables executable: /sbin/iptables -> /sbin/iptables -X
Source: IOg8XL9P8B String found in binary or memory: http://upx.sf.net

System Summary:

Sample tries to kill many processes (SIGKILL)
Source: /tmp/IOg8XL9P8B (PID: 5230) SIGKILL sent: pid: 658, result: successful
Source: /tmp/IOg8XL9P8B (PID: 5230) SIGKILL sent: pid: 720, result: successful
Source: /tmp/IOg8XL9P8B (PID: 5230) SIGKILL sent: pid: 759, result: successful
Source: /tmp/IOg8XL9P8B (PID: 5230) SIGKILL sent: pid: 772, result: successful
Source: /tmp/IOg8XL9P8B (PID: 5230) SIGKILL sent: pid: 789, result: successful
Source: /tmp/IOg8XL9P8B (PID: 5230) SIGKILL sent: pid: 800, result: successful
Source: /tmp/IOg8XL9P8B (PID: 5230) SIGKILL sent: pid: 904, result: successful
Source: /tmp/IOg8XL9P8B (PID: 5230) SIGKILL sent: pid: 936, result: successful
Source: /tmp/IOg8XL9P8B (PID: 5230) SIGKILL sent: pid: 1320, result: successful
Source: /tmp/IOg8XL9P8B (PID: 5230) SIGKILL sent: pid: 1334, result: successful
Source: /tmp/IOg8XL9P8B (PID: 5230) SIGKILL sent: pid: 1335, result: successful
Source: /tmp/IOg8XL9P8B (PID: 5230) SIGKILL sent: pid: 1389, result: successful
Source: /tmp/IOg8XL9P8B (PID: 5230) SIGKILL sent: pid: 1463, result: successful
Source: /tmp/IOg8XL9P8B (PID: 5230) SIGKILL sent: pid: 1809, result: successful
Source: /tmp/IOg8XL9P8B (PID: 5230) SIGKILL sent: pid: 1872, result: successful
Source: /tmp/IOg8XL9P8B (PID: 5230) SIGKILL sent: pid: 1888, result: successful
Source: /tmp/IOg8XL9P8B (PID: 5230) SIGKILL sent: pid: 1983, result: successful
Source: /tmp/IOg8XL9P8B (PID: 5230) SIGKILL sent: pid: 2048, result: successful
Sample contains only a LOAD segment without any section mappings
Source: LOAD without section mappings Program segment: 0x100000
Yara signature match
Source: IOg8XL9P8B, type: SAMPLE Matched rule: SUSP_ELF_LNX_UPX_Compressed_File date = 2018-12-12, author = Florian Roth, description = Detects a suspicious ELF binary with UPX compression, reference = Internal Research, score = 038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4
Sample tries to kill a process (SIGKILL)
Source: /tmp/IOg8XL9P8B (PID: 5230) SIGKILL sent: pid: 658, result: successful
Source: /tmp/IOg8XL9P8B (PID: 5230) SIGKILL sent: pid: 720, result: successful
Source: /tmp/IOg8XL9P8B (PID: 5230) SIGKILL sent: pid: 759, result: successful
Source: /tmp/IOg8XL9P8B (PID: 5230) SIGKILL sent: pid: 772, result: successful
Source: /tmp/IOg8XL9P8B (PID: 5230) SIGKILL sent: pid: 789, result: successful
Source: /tmp/IOg8XL9P8B (PID: 5230) SIGKILL sent: pid: 800, result: successful
Source: /tmp/IOg8XL9P8B (PID: 5230) SIGKILL sent: pid: 904, result: successful
Source: /tmp/IOg8XL9P8B (PID: 5230) SIGKILL sent: pid: 936, result: successful
Source: /tmp/IOg8XL9P8B (PID: 5230) SIGKILL sent: pid: 1320, result: successful
Source: /tmp/IOg8XL9P8B (PID: 5230) SIGKILL sent: pid: 1334, result: successful
Source: /tmp/IOg8XL9P8B (PID: 5230) SIGKILL sent: pid: 1335, result: successful
Source: /tmp/IOg8XL9P8B (PID: 5230) SIGKILL sent: pid: 1389, result: successful
Source: /tmp/IOg8XL9P8B (PID: 5230) SIGKILL sent: pid: 1463, result: successful
Source: /tmp/IOg8XL9P8B (PID: 5230) SIGKILL sent: pid: 1809, result: successful
Source: /tmp/IOg8XL9P8B (PID: 5230) SIGKILL sent: pid: 1872, result: successful
Source: /tmp/IOg8XL9P8B (PID: 5230) SIGKILL sent: pid: 1888, result: successful
Source: /tmp/IOg8XL9P8B (PID: 5230) SIGKILL sent: pid: 1983, result: successful
Source: /tmp/IOg8XL9P8B (PID: 5230) SIGKILL sent: pid: 2048, result: successful
Source: classification engine Classification label: mal72.spre.troj.evad.lin@0/9@0/0

Data Obfuscation:

Sample is packed with UPX
Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $

Persistence and Installation Behavior:

Deletes all firewall rules
Source: /bin/sh (PID: 5261) Args: iptables -F
Sample reads /proc/mounts (often used for finding a writable filesystem)
Source: /bin/fusermount (PID: 5456) File: /proc/5456/mounts
Executes the "kill" or "pkill" command typically used to terminate processes
Source: /bin/sh (PID: 5267) Pkill executable: /usr/bin/pkill -> pkill -9 busybox
Source: /bin/sh (PID: 5274) Pkill executable: /usr/bin/pkill -> pkill -9 perl
Source: /bin/sh (PID: 5277) Pkill executable: /usr/bin/pkill -> pkill -9 python
Source: /usr/share/gdm/generate-config (PID: 5451) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /usr/share/gdm/generate-config (PID: 5554) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Executes the "grep" command used to find patterns in files or piped streams
Source: /bin/sh (PID: 5433) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5435) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 5437) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5439) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 5441) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5443) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 5447) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5449) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 5536) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5538) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 5542) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5544) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 5546) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5548) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 5550) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5552) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Enumerates processes within the "proc" file system
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/1582/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/2033/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/670/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/793/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/1579/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/1612/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/1699/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/674/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/1335/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/2028/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/675/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/796/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/1334/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/1532/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/1576/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/797/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/676/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/677/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/2025/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/799/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/910/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/912/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/517/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/759/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/918/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/1594/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/1349/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/761/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/884/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/1389/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/1983/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/2038/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/720/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/1344/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/1465/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/1586/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/721/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/1463/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/800/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/801/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/847/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/1900/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/491/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/2050/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/1877/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/2009/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/772/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/1599/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/774/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/1477/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/654/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/896/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/1476/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/1872/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/2048/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/655/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/1475/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/656/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/777/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/657/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/658/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/419/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/936/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/1809/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/1494/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/1890/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/2062/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/1888/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/1601/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/420/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/1886/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/2018/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/1489/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/785/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/2014/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/1320/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/788/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/667/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/789/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/904/exe
Source: /tmp/IOg8XL9P8B (PID: 5230) File opened: /proc/1207/exe
Source: /usr/bin/pkill (PID: 5274) File opened: /proc/5263/status
Source: /usr/bin/pkill (PID: 5274) File opened: /proc/5263/cmdline
Source: /usr/bin/pkill (PID: 5274) File opened: /proc/5147/status
Source: /usr/bin/pkill (PID: 5274) File opened: /proc/5147/cmdline
Source: /usr/bin/pkill (PID: 5274) File opened: /proc/1582/status
Source: /usr/bin/pkill (PID: 5274) File opened: /proc/1582/cmdline
Source: /usr/bin/pkill (PID: 5274) File opened: /proc/3088/status
Source: /usr/bin/pkill (PID: 5274) File opened: /proc/3088/cmdline
Source: /usr/bin/pkill (PID: 5274) File opened: /proc/230/status
Source: /usr/bin/pkill (PID: 5274) File opened: /proc/230/cmdline
Source: /usr/bin/pkill (PID: 5274) File opened: /proc/110/status
Source: /usr/bin/pkill (PID: 5274) File opened: /proc/110/cmdline
Source: /usr/bin/pkill (PID: 5274) File opened: /proc/231/status
Source: /usr/bin/pkill (PID: 5274) File opened: /proc/231/cmdline
Source: /usr/bin/pkill (PID: 5274) File opened: /proc/111/status
Source: /usr/bin/pkill (PID: 5274) File opened: /proc/111/cmdline
Source: /usr/bin/pkill (PID: 5274) File opened: /proc/232/status
Source: /usr/bin/pkill (PID: 5274) File opened: /proc/232/cmdline
Source: /usr/bin/pkill (PID: 5274) File opened: /proc/1579/status
Source: /usr/bin/pkill (PID: 5274) File opened: /proc/1579/cmdline
Source: /usr/bin/pkill (PID: 5274) File opened: /proc/112/status
Source: /usr/bin/pkill (PID: 5274) File opened: /proc/112/cmdline
Source: /usr/bin/pkill (PID: 5274) File opened: /proc/233/status
Source: /usr/bin/pkill (PID: 5274) File opened: /proc/233/cmdline
Creates hidden files and/or directories
Source: /usr/bin/whoopsie (PID: 5345) Directory: /nonexistent/.cache
Executes the "iptables" command used for managing IP filtering and manipulation
Source: /bin/sh (PID: 5294) Iptables executable: /sbin/iptables -> /sbin/iptables -F
Source: /bin/sh (PID: 5295) Iptables executable: /sbin/iptables -> /sbin/iptables -X
Sample tries to set the executable flag
Source: /usr/bin/whoopsie (PID: 5345) File: /var/crash (bits: gv usr: rwx grp: rwx all: rwx)
Source: /usr/sbin/gdm3 (PID: 5489) File: /var/run/gdm3 (bits: - usr: -x grp: x all: rwx)
Source: /usr/sbin/gdm3 (PID: 5489) File: /var/log/gdm3 (bits: - usr: -x grp: x all: rwx)
Source: /usr/sbin/gdm3 (PID: 5560) File: /var/run/gdm3 (bits: - usr: -x grp: x all: rwx)
Source: /usr/sbin/gdm3 (PID: 5560) File: /var/log/gdm3 (bits: - usr: -x grp: x all: rwx)
Executes commands using a shell command-line interpreter
Source: /tmp/IOg8XL9P8B (PID: 5236) Shell command executed: sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"
Source: /tmp/IOg8XL9P8B (PID: 5250) Shell command executed: sh -c "rm -rf /var/log/wtmp"
Source: /tmp/IOg8XL9P8B (PID: 5253) Shell command executed: sh -c "rm -rf /tmp/*"
Source: /tmp/IOg8XL9P8B (PID: 5256) Shell command executed: sh -c "rm -rf /bin/netstat"
Source: /tmp/IOg8XL9P8B (PID: 5259) Shell command executed: sh -c "iptables -F"
Source: /tmp/IOg8XL9P8B (PID: 5265) Shell command executed: sh -c "pkill -9 busybox"
Source: /tmp/IOg8XL9P8B (PID: 5272) Shell command executed: sh -c "pkill -9 perl"
Source: /tmp/IOg8XL9P8B (PID: 5275) Shell command executed: sh -c "pkill -9 python"
Source: /tmp/IOg8XL9P8B (PID: 5280) Shell command executed: sh -c "service iptables stop"
Source: /tmp/IOg8XL9P8B (PID: 5292) Shell command executed: sh -c "/sbin/iptables -F; /sbin/iptables -X"
Source: /tmp/IOg8XL9P8B (PID: 5296) Shell command executed: sh -c "service firewalld stop"
Source: /tmp/IOg8XL9P8B (PID: 5307) Shell command executed: sh -c "rm -rf ~/.bash_history"
Source: /tmp/IOg8XL9P8B (PID: 5311) Shell command executed: sh -c "history -c"
Source: /usr/bin/gpu-manager (PID: 5432) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5434) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5436) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5438) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5440) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5442) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5446) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5448) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5535) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5537) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5541) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5543) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5545) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5547) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5549) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5551) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /lib/modprobe.d/*.conf"
Executes the "rm" command used to delete files or directories
Source: /bin/sh (PID: 5238) Rm executable: /usr/bin/rm -> rm -rf /tmp/IOg8XL9P8B /tmp/config-err-dHT8bZ /tmp/dmesgtail.log /tmp/snap.lxd /tmp/ssh-hOQ5FjG2iVgO /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-c4RYFi /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-gKIF8e /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-gB0a9f /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-APWnLg /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-IofUpj /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-AfPZzg /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-x0xO0i /tmp/vmware-root_721-4290559889 /var/backups /var/cache /var/crash /var/lib /var/local /var/lock /var/log /var/mail /var/metrics /var/opt /var/run /var/snap /var/spool /var/tmp /var/run/NetworkManager /var/run/acpid.pid /var/run/acpid.socket /var/run/apport.lock /var/run/avahi-daemon /var/run/blkid /var/run/cloud-init /var/run/console-setup /var/run/crond.pid /var/run/crond.reboot /var/run/cryptsetup /var/run/cups /var/run/dbus /var/run/dmeventd-client /var/run/dmeventd-server /var/run/gdm3 /var/run/gdm3.pid /var/run/initctl /var/run/initramfs /var/run/irqbalance /var/run/lock /var/run/log /var/run/lvm /var/run/mlocate.daily.lock /var/run/mono-xsp4 /var/run/mono-xsp4.pid /var/run/motd.d /var/run/mount /var/run/multipathd.pid /var/run/netns /var/run/network /var/run/screen /var/run/sendsigs.omit.d /var/run/shm /var/run/snapd /var/run/snapd-snap.socket /var/run/snapd.socket /var/run/speech-dispatcher /var/run/spice-vdagentd /var/run/sshd /var/run/sshd.pid /var/run/sudo /var/run/systemd /var/run/tmpfiles.d /var/run/udev /var/run/udisks2 /var/run/unattended-upgrades.lock /var/run/user /var/run/utmp /var/run/uuidd /var/run/vmware /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-J6Q1Te /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-srP90f /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-biJ0Gi /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-1jIxdj /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-llmWag /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-X16eHh /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-GpSnaf
Source: /bin/sh (PID: 5252) Rm executable: /usr/bin/rm -> rm -rf /var/log/wtmp
Source: /bin/sh (PID: 5255) Rm executable: /usr/bin/rm -> rm -rf /tmp/*
Source: /bin/sh (PID: 5258) Rm executable: /usr/bin/rm -> rm -rf /bin/netstat
Source: /bin/sh (PID: 5310) Rm executable: /usr/bin/rm -> rm -rf /root/.bash_history
Source: /usr/bin/gpu-manager (PID: 5534) Log file created: /var/log/gpu-manager.log
Source: /usr/sbin/service (PID: 5288) Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p
Source: /usr/sbin/service (PID: 5304) Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p

Hooking and other Techniques for Hiding and Protection:

Sample deletes itself
Source: /usr/bin/rm (PID: 5238) File: /tmp/IOg8XL9P8B

Malware Analysis System Evasion:

Deletes security-related log files
Source: /usr/bin/rm (PID: 5252) Truncated file: /var/log/wtmp
Reads CPU information from /sys indicative of miner or evasive malware
Source: /usr/bin/pkill (PID: 5267) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5274) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5277) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 5411) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5451) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5554) Reads CPU info from /sys: /sys/devices/system/cpu/online
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/IOg8XL9P8B (PID: 5223) Queries kernel information via 'uname'
Source: /usr/bin/whoopsie (PID: 5345) Queries kernel information via 'uname'
Source: /usr/bin/pulseaudio (PID: 5411) Queries kernel information via 'uname'
Source: /usr/bin/gpu-manager (PID: 5431) Queries kernel information via 'uname'
Source: /usr/bin/gpu-manager (PID: 5534) Queries kernel information via 'uname'
Deletes log files
Source: /usr/bin/rm (PID: 5252) Truncated file: /var/log/wtmp
Source: /usr/bin/gpu-manager (PID: 5431) Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 5534) Truncated file: /var/log/gpu-manager.log
Source: IOg8XL9P8B, 5223.1.000000006ec05eaa.00000000e66fefc5.rw-.sdmp, IOg8XL9P8B, 5225.1.000000006ec05eaa.00000000e66fefc5.rw-.sdmp, IOg8XL9P8B, 5228.1.000000006ec05eaa.00000000e66fefc5.rw-.sdmp, IOg8XL9P8B, 5230.1.000000006ec05eaa.00000000e66fefc5.rw-.sdmp, IOg8XL9P8B, 5232.1.000000006ec05eaa.00000000e66fefc5.rw-.sdmp, IOg8XL9P8B, 5234.1.000000006ec05eaa.00000000e66fefc5.rw-.sdmp, IOg8XL9P8B, 5320.1.000000006ec05eaa.00000000e66fefc5.rw-.sdmp, IOg8XL9P8B, 5322.1.000000006ec05eaa.00000000e66fefc5.rw-.sdmp, IOg8XL9P8B, 5324.1.000000006ec05eaa.00000000e66fefc5.rw-.sdmp, IOg8XL9P8B, 5326.1.000000006ec05eaa.00000000e66fefc5.rw-.sdmp Binary or memory string: U!/etc/qemu-binfmt/mips
Source: IOg8XL9P8B, 5223.1.000000006ec05eaa.00000000e66fefc5.rw-.sdmp, IOg8XL9P8B, 5225.1.000000006ec05eaa.00000000e66fefc5.rw-.sdmp, IOg8XL9P8B, 5228.1.000000006ec05eaa.00000000e66fefc5.rw-.sdmp, IOg8XL9P8B, 5230.1.000000006ec05eaa.00000000e66fefc5.rw-.sdmp, IOg8XL9P8B, 5232.1.000000006ec05eaa.00000000e66fefc5.rw-.sdmp, IOg8XL9P8B, 5234.1.000000006ec05eaa.00000000e66fefc5.rw-.sdmp, IOg8XL9P8B, 5320.1.000000006ec05eaa.00000000e66fefc5.rw-.sdmp, IOg8XL9P8B, 5322.1.000000006ec05eaa.00000000e66fefc5.rw-.sdmp, IOg8XL9P8B, 5324.1.000000006ec05eaa.00000000e66fefc5.rw-.sdmp, IOg8XL9P8B, 5326.1.000000006ec05eaa.00000000e66fefc5.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/mips
Source: IOg8XL9P8B, 5230.1.000000006ec05eaa.00000000e66fefc5.rw-.sdmp Binary or memory string: /usr/bin/vmtoolsd
Source: IOg8XL9P8B, 5230.1.000000006ec05eaa.00000000e66fefc5.rw-.sdmp Binary or memory string: U!/usr/bin/vmtoolsd!SubjectPublicKeyInfo
Source: IOg8XL9P8B, 5230.1.00000000e66fefc5.000000003a31f38a.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/mips/usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd
Source: IOg8XL9P8B, 5223.1.0000000035e46502.00000000ddd7e10a.rw-.sdmp, IOg8XL9P8B, 5225.1.0000000035e46502.00000000ddd7e10a.rw-.sdmp, IOg8XL9P8B, 5228.1.0000000035e46502.00000000ddd7e10a.rw-.sdmp, IOg8XL9P8B, 5230.1.0000000035e46502.00000000ddd7e10a.rw-.sdmp, IOg8XL9P8B, 5232.1.0000000035e46502.00000000ddd7e10a.rw-.sdmp, IOg8XL9P8B, 5234.1.0000000035e46502.00000000ddd7e10a.rw-.sdmp, IOg8XL9P8B, 5320.1.0000000035e46502.00000000ddd7e10a.rw-.sdmp, IOg8XL9P8B, 5322.1.0000000035e46502.00000000ddd7e10a.rw-.sdmp, IOg8XL9P8B, 5324.1.0000000035e46502.00000000ddd7e10a.rw-.sdmp, IOg8XL9P8B, 5326.1.0000000035e46502.00000000ddd7e10a.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-mips/tmp/IOg8XL9P8BSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/IOg8XL9P8B
Source: IOg8XL9P8B, 5223.1.0000000035e46502.00000000ddd7e10a.rw-.sdmp, IOg8XL9P8B, 5225.1.0000000035e46502.00000000ddd7e10a.rw-.sdmp, IOg8XL9P8B, 5228.1.0000000035e46502.00000000ddd7e10a.rw-.sdmp, IOg8XL9P8B, 5230.1.0000000035e46502.00000000ddd7e10a.rw-.sdmp, IOg8XL9P8B, 5232.1.0000000035e46502.00000000ddd7e10a.rw-.sdmp, IOg8XL9P8B, 5234.1.0000000035e46502.00000000ddd7e10a.rw-.sdmp, IOg8XL9P8B, 5320.1.0000000035e46502.00000000ddd7e10a.rw-.sdmp, IOg8XL9P8B, 5322.1.0000000035e46502.00000000ddd7e10a.rw-.sdmp, IOg8XL9P8B, 5324.1.0000000035e46502.00000000ddd7e10a.rw-.sdmp, IOg8XL9P8B, 5326.1.0000000035e46502.00000000ddd7e10a.rw-.sdmp Binary or memory string: /usr/bin/qemu-mips
No contacted IP infos