
Linux Analysis Report IOg8XL9P8B

Overview

General Information

Sample Name: IOg8XL9P8B
Analysis ID: 528746
MD5: 2eb2602703ec59e9118097fea2b3dafa
SHA1: 36224cc924b7a60f94e61ffbeea304d747137e0d
SHA256: b0e28475774e7e58d75c1fe6a0fef19adcf84ef2a8ff3538a1859100da4f482f
Tags: 32, elf, mips, Mirai

Detection

Score: 72
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Sample tries to kill many processes (SIGKILL)
Deletes all firewall rules
Sample deletes itself
Sample is packed with UPX
Deletes security-related log files
Sample reads /proc/mounts (often used for finding a writable filesystem)
Executes the "kill" or "pkill" command typically used to terminate processes
Sample contains only a LOAD segment without any section mappings
Reads CPU information from /sys indicative of miner or evasive malware
Yara signature match
Executes the "grep" command used to find patterns in files or piped streams
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Deletes log files
Creates hidden files and/or directories
Executes the "iptables" command used for managing IP filtering and manipulation
Sample tries to set the executable flag
Executes commands using a shell command-line interpreter
Executes the "rm" command used to delete files or directories

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures
Static ELF header machine description suggests that the sample might not execute correctly on this machine

General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 528746
Start date: 25.11.2021
Start time: 18:23:21
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 51s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: IOg8XL9P8B
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Detection: MAL
Classification: mal72.spre.troj.evad.lin@0/9@0/0
Warnings:
  • Connection to analysis system has been lost, crash info: Unknown

Process Tree

  • system is lnxubuntu20
  • IOg8XL9P8B (PID: 5223, Parent: 5115, MD5: 0083f1f0e77be34ad27f849842bbb00c) Arguments: /tmp/IOg8XL9P8B
    • IOg8XL9P8B New Fork (PID: 5228, Parent: 5223)
      • IOg8XL9P8B New Fork (PID: 5232, Parent: 5228)
        • IOg8XL9P8B New Fork (PID: 5234, Parent: 5232)
          • sh (PID: 5236, Parent: 5234, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"
            • sh New Fork (PID: 5238, Parent: 5236)
            • rm (PID: 5238, Parent: 5236, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /tmp/IOg8XL9P8B /tmp/config-err-dHT8bZ /tmp/dmesgtail.log /tmp/snap.lxd /tmp/ssh-hOQ5FjG2iVgO /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-c4RYFi /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-gKIF8e /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-gB0a9f /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-APWnLg /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-IofUpj /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-AfPZzg /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-x0xO0i /tmp/vmware-root_721-4290559889 /var/backups /var/cache /var/crash /var/lib /var/local /var/lock /var/log /var/mail /var/metrics /var/opt /var/run /var/snap /var/spool /var/tmp /var/run/NetworkManager /var/run/acpid.pid /var/run/acpid.socket /var/run/apport.lock /var/run/avahi-daemon /var/run/blkid /var/run/cloud-init /var/run/console-setup /var/run/crond.pid /var/run/crond.reboot /var/run/cryptsetup /var/run/cups /var/run/dbus /var/run/dmeventd-client /var/run/dmeventd-server /var/run/gdm3 /var/run/gdm3.pid /var/run/initctl /var/run/initramfs /var/run/irqbalance /var/run/lock /var/run/log /var/run/lvm /var/run/mlocate.daily.lock /var/run/mono-xsp4 /var/run/mono-xsp4.pid /var/run/motd.d /var/run/mount /var/run/multipathd.pid /var/run/netns /var/run/network /var/run/screen /var/run/sendsigs.omit.d /var/run/shm /var/run/snapd /var/run/snapd-snap.socket /var/run/snapd.socket /var/run/speech-dispatcher /var/run/spice-vdagentd /var/run/sshd /var/run/sshd.pid /var/run/sudo /var/run/systemd /var/run/tmpfiles.d /var/run/udev /var/run/udisks2 /var/run/unattended-upgrades.lock /var/run/user /var/run/utmp /var/run/uuidd /var/run/vmware /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-J6Q1Te /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-srP90f /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-biJ0Gi /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-1jIxdj /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-llmWag /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-X16eHh /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-GpSnaf
          • sh (PID: 5250, Parent: 5234, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /var/log/wtmp"
            • sh New Fork (PID: 5252, Parent: 5250)
            • rm (PID: 5252, Parent: 5250, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /var/log/wtmp
          • sh (PID: 5253, Parent: 5234, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /tmp/*"
            • sh New Fork (PID: 5255, Parent: 5253)
            • rm (PID: 5255, Parent: 5253, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /tmp/*
          • sh (PID: 5256, Parent: 5234, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /bin/netstat"
            • sh New Fork (PID: 5258, Parent: 5256)
            • rm (PID: 5258, Parent: 5256, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /bin/netstat
          • sh (PID: 5259, Parent: 5234, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "iptables -F"
            • sh New Fork (PID: 5261, Parent: 5259)
            • iptables (PID: 5261, Parent: 5259, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -F
          • sh (PID: 5265, Parent: 5234, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 busybox"
            • sh New Fork (PID: 5267, Parent: 5265)
            • pkill (PID: 5267, Parent: 5265, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 busybox
          • sh (PID: 5272, Parent: 5234, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 perl"
            • sh New Fork (PID: 5274, Parent: 5272)
            • pkill (PID: 5274, Parent: 5272, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 perl
          • sh (PID: 5275, Parent: 5234, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 python"
            • sh New Fork (PID: 5277, Parent: 5275)
            • pkill (PID: 5277, Parent: 5275, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 python
          • sh (PID: 5280, Parent: 5234, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "service iptables stop"
            • sh New Fork (PID: 5282, Parent: 5280)
            • service (PID: 5282, Parent: 5280, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: service iptables stop
              • service New Fork (PID: 5283, Parent: 5282)
              • basename (PID: 5283, Parent: 5282, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service
              • service New Fork (PID: 5284, Parent: 5282)
              • basename (PID: 5284, Parent: 5282, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service
              • service New Fork (PID: 5285, Parent: 5282)
              • systemctl (PID: 5285, Parent: 5282, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl --quiet is-active multi-user.target
              • service New Fork (PID: 5286, Parent: 5282)
                • service New Fork (PID: 5287, Parent: 5286)
                • systemctl (PID: 5287, Parent: 5286, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl list-unit-files --full --type=socket
                • service New Fork (PID: 5288, Parent: 5286)
                • sed (PID: 5288, Parent: 5286, MD5: 885062561f66aa1d4af4c54b9e7cc81a) Arguments: sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p
            • systemctl (PID: 5282, Parent: 5280, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl stop iptables.service
          • sh (PID: 5292, Parent: 5234, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "/sbin/iptables -F; /sbin/iptables -X"
            • sh New Fork (PID: 5294, Parent: 5292)
            • iptables (PID: 5294, Parent: 5292, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: /sbin/iptables -F
            • sh New Fork (PID: 5295, Parent: 5292)
            • iptables (PID: 5295, Parent: 5292, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: /sbin/iptables -X
          • sh (PID: 5296, Parent: 5234, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "service firewalld stop"
            • sh New Fork (PID: 5298, Parent: 5296)
            • service (PID: 5298, Parent: 5296, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: service firewalld stop
              • service New Fork (PID: 5299, Parent: 5298)
              • basename (PID: 5299, Parent: 5298, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service
              • service New Fork (PID: 5300, Parent: 5298)
              • basename (PID: 5300, Parent: 5298, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service
              • service New Fork (PID: 5301, Parent: 5298)
              • systemctl (PID: 5301, Parent: 5298, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl --quiet is-active multi-user.target
              • service New Fork (PID: 5302, Parent: 5298)
                • service New Fork (PID: 5303, Parent: 5302)
                • systemctl (PID: 5303, Parent: 5302, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl list-unit-files --full --type=socket
                • service New Fork (PID: 5304, Parent: 5302)
                • sed (PID: 5304, Parent: 5302, MD5: 885062561f66aa1d4af4c54b9e7cc81a) Arguments: sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p
            • systemctl (PID: 5298, Parent: 5296, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl stop firewalld.service
          • sh (PID: 5307, Parent: 5234, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf ~/.bash_history"
            • sh New Fork (PID: 5310, Parent: 5307)
            • rm (PID: 5310, Parent: 5307, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /root/.bash_history
          • sh (PID: 5311, Parent: 5234, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "history -c"
  • systemd New Fork (PID: 5345, Parent: 1)
  • whoopsie (PID: 5345, Parent: 1, MD5: d3a6915d0e7398fb4c89a037c13959c8) Arguments: /usr/bin/whoopsie -f
  • systemd New Fork (PID: 5369, Parent: 1)
  • sshd (PID: 5369, Parent: 1, MD5: dbca7a6bbf7bf57fedac243d4b2cb340) Arguments: /usr/sbin/sshd -t
  • systemd New Fork (PID: 5370, Parent: 1)
  • sshd (PID: 5370, Parent: 1, MD5: dbca7a6bbf7bf57fedac243d4b2cb340) Arguments: /usr/sbin/sshd -D
  • gdm3 New Fork (PID: 5375, Parent: 1320)
  • Default (PID: 5375, Parent: 1320, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default
  • gdm3 New Fork (PID: 5378, Parent: 1320)
  • Default (PID: 5378, Parent: 1320, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default
  • systemd New Fork (PID: 5397, Parent: 1)
  • accounts-daemon (PID: 5397, Parent: 1, MD5: 01a899e3fb5e7e434bea1290255a1f30) Arguments: /usr/lib/accountsservice/accounts-daemon
  • systemd New Fork (PID: 5411, Parent: 1860)
  • pulseaudio (PID: 5411, Parent: 1860, MD5: 0c3b4c789d8ffb12b25507f27e14c186) Arguments: /usr/bin/pulseaudio --daemonize=no --log-target=journal
  • systemd New Fork (PID: 5431, Parent: 1)
  • gpu-manager (PID: 5431, Parent: 1, MD5: 8fae9dd5dd67e1f33d873089c2fd8761) Arguments: /usr/bin/gpu-manager --log /var/log/gpu-manager.log
    • sh (PID: 5432, Parent: 5431, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
      • sh New Fork (PID: 5433, Parent: 5432)
      • grep (PID: 5433, Parent: 5432, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
    • sh (PID: 5434, Parent: 5431, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
      • sh New Fork (PID: 5435, Parent: 5434)
      • grep (PID: 5435, Parent: 5434, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
    • sh (PID: 5436, Parent: 5431, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"
      • sh New Fork (PID: 5437, Parent: 5436)
      • grep (PID: 5437, Parent: 5436, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
    • sh (PID: 5438, Parent: 5431, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf"
      • sh New Fork (PID: 5439, Parent: 5438)
      • grep (PID: 5439, Parent: 5438, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
    • sh (PID: 5440, Parent: 5431, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf"
      • sh New Fork (PID: 5441, Parent: 5440)
      • grep (PID: 5441, Parent: 5440, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*amdgpu[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
    • sh (PID: 5442, Parent: 5431, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /lib/modprobe.d/*.conf"
      • sh New Fork (PID: 5443, Parent: 5442)
      • grep (PID: 5443, Parent: 5442, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*amdgpu[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
    • sh (PID: 5446, Parent: 5431, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /etc/modprobe.d/*.conf"
      • sh New Fork (PID: 5447, Parent: 5446)
      • grep (PID: 5447, Parent: 5446, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*nouveau[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
    • sh (PID: 5448, Parent: 5431, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /lib/modprobe.d/*.conf"
      • sh New Fork (PID: 5449, Parent: 5448)
      • grep (PID: 5449, Parent: 5448, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*nouveau[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
  • systemd New Fork (PID: 5450, Parent: 1)
  • generate-config (PID: 5450, Parent: 1, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /usr/share/gdm/generate-config
    • pkill (PID: 5451, Parent: 5450, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill --signal HUP --uid gdm dconf-service
  • systemd New Fork (PID: 5453, Parent: 1)
  • gdm-wait-for-drm (PID: 5453, Parent: 1, MD5: 82043ba752c6930b4e6aaea2f7747545) Arguments: /usr/lib/gdm3/gdm-wait-for-drm
  • fusermount (PID: 5456, Parent: 2038, MD5: 576a1b135c82bdcbc97a91acea900566) Arguments: fusermount -u -q -z -- /run/user/1000/gvfs
  • systemd New Fork (PID: 5465, Parent: 1)
  • systemd-user-runtime-dir (PID: 5465, Parent: 1, MD5: d55f4b0847f88131dbcfb07435178e54) Arguments: /lib/systemd/systemd-user-runtime-dir stop 1000
  • systemd New Fork (PID: 5489, Parent: 1)
  • gdm3 (PID: 5489, Parent: 1, MD5: 2492e2d8d34f9377e3e530a61a15674f) Arguments: /usr/sbin/gdm3
  • systemd New Fork (PID: 5534, Parent: 1)
  • gpu-manager (PID: 5534, Parent: 1, MD5: 8fae9dd5dd67e1f33d873089c2fd8761) Arguments: /usr/bin/gpu-manager --log /var/log/gpu-manager.log
    • sh (PID: 5535, Parent: 5534, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
      • sh New Fork (PID: 5536, Parent: 5535)
      • grep (PID: 5536, Parent: 5535, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
    • sh (PID: 5537, Parent: 5534, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
      • sh New Fork (PID: 5538, Parent: 5537)
      • grep (PID: 5538, Parent: 5537, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
    • sh (PID: 5541, Parent: 5534, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"
      • sh New Fork (PID: 5542, Parent: 5541)
      • grep (PID: 5542, Parent: 5541, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
    • sh (PID: 5543, Parent: 5534, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf"
      • sh New Fork (PID: 5544, Parent: 5543)
      • grep (PID: 5544, Parent: 5543, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
    • sh (PID: 5545, Parent: 5534, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf"
      • sh New Fork (PID: 5546, Parent: 5545)
      • grep (PID: 5546, Parent: 5545, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*amdgpu[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
    • sh (PID: 5547, Parent: 5534, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /lib/modprobe.d/*.conf"
      • sh New Fork (PID: 5548, Parent: 5547)
      • grep (PID: 5548, Parent: 5547, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*amdgpu[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
    • sh (PID: 5549, Parent: 5534, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /etc/modprobe.d/*.conf"
      • sh New Fork (PID: 5550, Parent: 5549)
      • grep (PID: 5550, Parent: 5549, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*nouveau[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
    • sh (PID: 5551, Parent: 5534, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /lib/modprobe.d/*.conf"
      • sh New Fork (PID: 5552, Parent: 5551)
      • grep (PID: 5552, Parent: 5551, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*nouveau[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
  • systemd New Fork (PID: 5553, Parent: 1)
  • generate-config (PID: 5553, Parent: 1, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /usr/share/gdm/generate-config
    • pkill (PID: 5554, Parent: 5553, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill --signal HUP --uid gdm dconf-service
  • systemd New Fork (PID: 5555, Parent: 1)
  • gdm-wait-for-drm (PID: 5555, Parent: 1, MD5: 82043ba752c6930b4e6aaea2f7747545) Arguments: /usr/lib/gdm3/gdm-wait-for-drm
  • systemd New Fork (PID: 5560, Parent: 1)
  • gdm3 (PID: 5560, Parent: 1, MD5: 2492e2d8d34f9377e3e530a61a15674f) Arguments: /usr/sbin/gdm3
  • cleanup

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
IOg8XL9P8B | SUSP_ELF_LNX_UPX_Compressed_File | Detects a suspicious ELF binary with UPX compression | Florian Roth
  • 0xc440:$s1: PROT_EXEC|PROT_WRITE failed.
  • 0xc4af:$s2: $Id: UPX
  • 0xc460:$s3: $Info: This file is packed with the UPX executable packer

Jbx Signature Overview


AV Detection:

Multi AV Scanner detection for submitted file
Source: IOg8XL9P8B | Virustotal: Detection: 25%
Source: /usr/bin/pkill (PID: 5267) | Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5274) | Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5277) | Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 5411) | Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5451) | Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5554) | Reads CPU info from /sys: /sys/devices/system/cpu/online

Networking:

Deletes all firewall rules
Source: /bin/sh (PID: 5261) | Args: iptables -F
Source: /tmp/IOg8XL9P8B (PID: 5230) | Socket: 0.0.0.0::23
Source: /usr/sbin/sshd (PID: 5370) | Socket: 0.0.0.0::22
Source: /usr/sbin/sshd (PID: 5370) | Socket: [::]::22
Source: /bin/sh (PID: 5294) | Iptables executable: /sbin/iptables -> /sbin/iptables -F
Source: /bin/sh (PID: 5295) | Iptables executable: /sbin/iptables -> /sbin/iptables -X
Source: IOg8XL9P8B | String found in binary or memory: http://upx.sf.net

System Summary:

Sample tries to kill many processes (SIGKILL)
Source: /tmp/IOg8XL9P8B (PID: 5230) | SIGKILL sent: pid: 658, result: successful
Source: /tmp/IOg8XL9P8B (PID: 5230) | SIGKILL sent: pid: 720, result: successful
Source: /tmp/IOg8XL9P8B (PID: 5230) | SIGKILL sent: pid: 759, result: successful
Source: /tmp/IOg8XL9P8B (PID: 5230) | SIGKILL sent: pid: 772, result: successful
Source: /tmp/IOg8XL9P8B (PID: 5230) | SIGKILL sent: pid: 789, result: successful
Source: /tmp/IOg8XL9P8B (PID: 5230) | SIGKILL sent: pid: 800, result: successful
Source: /tmp/IOg8XL9P8B (PID: 5230) | SIGKILL sent: pid: 904, result: successful
Source: /tmp/IOg8XL9P8B (PID: 5230) | SIGKILL sent: pid: 936, result: successful
Source: /tmp/IOg8XL9P8B (PID: 5230) | SIGKILL sent: pid: 1320, result: successful
Source: /tmp/IOg8XL9P8B (PID: 5230) | SIGKILL sent: pid: 1334, result: successful
Source: /tmp/IOg8XL9P8B (PID: 5230) | SIGKILL sent: pid: 1335, result: successful
Source: /tmp/IOg8XL9P8B (PID: 5230) | SIGKILL sent: pid: 1389, result: successful
Source: /tmp/IOg8XL9P8B (PID: 5230) | SIGKILL sent: pid: 1463, result: successful
Source: /tmp/IOg8XL9P8B (PID: 5230) | SIGKILL sent: pid: 1809, result: successful
Source: /tmp/IOg8XL9P8B (PID: 5230) | SIGKILL sent: pid: 1872, result: successful
Source: /tmp/IOg8XL9P8B (PID: 5230) | SIGKILL sent: pid: 1888, result: successful
Source: /tmp/IOg8XL9P8B (PID: 5230) | SIGKILL sent: pid: 1983, result: successful
Source: /tmp/IOg8XL9P8B (PID: 5230) | SIGKILL sent: pid: 2048, result: successful
Source: LOAD without section mappings | Program segment: 0x100000
Source: IOg8XL9P8B, type: SAMPLE | Matched rule: SUSP_ELF_LNX_UPX_Compressed_File date = 2018-12-12, author = Florian Roth, description = Detects a suspicious ELF binary with UPX compression, reference = Internal Research, score = 038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4
Source: classification engine | Classification label: mal72.spre.troj.evad.lin@0/9@0/0

Data Obfuscation:

Sample is packed with UPX
Source: initial sample | String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample | String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $

Persistence and Installation Behavior:

Deletes all firewall rules
Source: /bin/sh (PID: 5261). Args: iptables -F

Sample reads /proc/mounts (often used for finding a writable filesystem)
Source: /bin/fusermount (PID: 5456). File: /proc/5456/mounts
Note: the only source behind this signature is /bin/fusermount (PID 5456), a guest process that the behavior graph places under the "other processes" branch off the root and not under the sample's tree; treat it as sandbox noise, not as evidence that the sample looks for a writable filesystem.

Source: /bin/sh (PID: 5267). Pkill executable: /usr/bin/pkill -> pkill -9 busybox
Source: /bin/sh (PID: 5274). Pkill executable: /usr/bin/pkill -> pkill -9 perl
Source: /bin/sh (PID: 5277). Pkill executable: /usr/bin/pkill -> pkill -9 python
Source: /usr/share/gdm/generate-config (PID: 5451). Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /usr/share/gdm/generate-config (PID: 5554). Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Note: the three "pkill -9" calls are the sample's (they are issued from its "sh -c" commands listed below) and target busybox, perl and python, the runtimes that competing IoT bots commonly run under; the two HUP signals to dconf-service come from gdm's generate-config and are ordinary display-manager housekeeping.

Source: /bin/sh (PIDs 5433, 5435, 5437, 5439, 5441, 5443, 5447, 5449, and again 5536, 5538, 5542, 5544, 5546, 5548, 5550, 5552). Grep executable: /usr/bin/grep -> grep -G ^blacklist.*<driver>[[:space:]]*$ <conf files>, where <driver> is nvidia (PIDs 5433, 5435, 5536, 5538), radeon (5437, 5439, 5542, 5544), amdgpu (5441, 5443, 5546, 5548) or nouveau (5447, 5449, 5550, 5552). The first PID of each pair searched the shell-expanded /etc/modprobe.d/*.conf: alsa-base.conf, amd64-microcode-blacklist.conf, blacklist-ath_pci.conf, blacklist-firewire.conf, blacklist-framebuffer.conf, blacklist-modem.conf, blacklist-oss.conf, blacklist-rare-network.conf, blacklist.conf, intel-microcode-blacklist.conf, iwlwifi.conf, mdadm.conf; the second searched /lib/modprobe.d/*.conf: aliases.conf, blacklist_linux_5.4.0-72-generic.conf, blacklist_linux_5.4.0-81-generic.conf, fbdev-blacklist.conf, systemd.conf.
Note: all sixteen grep invocations are children of the guest's /usr/bin/gpu-manager (see the shell commands below), which checks for blacklisted GPU drivers when the display manager starts; they are unrelated to the sample.
Source: /tmp/IOg8XL9P8B (PID: 5230). File opened: /proc/<pid>/exe for each of the following 81 PIDs (the sample's walk of the process table; PID 2048, to which the same process sent SIGKILL per the first line of this section, is among them): 1582, 2033, 670, 793, 1579, 1612, 1699, 674, 1335, 2028, 675, 796, 1334, 1532, 1576, 797, 676, 677, 2025, 799, 910, 912, 517, 759, 918, 1594, 1349, 761, 884, 1389, 1983, 2038, 720, 1344, 1465, 1586, 721, 1463, 800, 801, 847, 1900, 491, 2050, 1877, 2009, 772, 1599, 774, 1477, 654, 896, 1476, 1872, 2048, 655, 1475, 656, 777, 657, 658, 419, 936, 1809, 1494, 1890, 2062, 1888, 1601, 420, 1886, 2018, 1489, 785, 2014, 1320, 788, 667, 789, 904, 1207
Source: /usr/bin/pkill (PID: 5274). File opened: /proc/<pid>/status and /proc/<pid>/cmdline for PIDs 5263, 5147, 1582, 3088, 230, 110, 231, 111, 232, 1579, 112, 233 (pkill reading the process table while matching "perl"; this is the tool's normal operation, not code in the sample)
Source: /usr/bin/whoopsie (PID: 5345). Directory: /nonexistent/.cache
Source: /bin/sh (PID: 5294). Iptables executable: /sbin/iptables -> /sbin/iptables -F
Source: /bin/sh (PID: 5295). Iptables executable: /sbin/iptables -> /sbin/iptables -X
Source: /usr/bin/whoopsie (PID: 5345). File: /var/crash (bits: gv usr: rwx grp: rwx all: rwx)
Source: /usr/sbin/gdm3 (PID: 5489). File: /var/run/gdm3 (bits: - usr: -x grp: x all: rwx)
Source: /usr/sbin/gdm3 (PID: 5489). File: /var/log/gdm3 (bits: - usr: -x grp: x all: rwx)
Source: /usr/sbin/gdm3 (PID: 5560). File: /var/run/gdm3 (bits: - usr: -x grp: x all: rwx)
Source: /usr/sbin/gdm3 (PID: 5560). File: /var/log/gdm3 (bits: - usr: -x grp: x all: rwx)
Note: the hidden-directory and permission-change events above come from whoopsie and gdm3, guest services that are not descendants of the sample (they recreate /var/crash, /var/run/gdm3 and /var/log/gdm3 after the sample's "rm -rf /var/*" removed them); the two iptables calls (PIDs 5294, 5295) are the sample's, spawned by its "/sbin/iptables -F; /sbin/iptables -X" command below.
Source: /tmp/IOg8XL9P8B (PID: 5236). Shell command executed: sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"
Source: /tmp/IOg8XL9P8B (PID: 5250). Shell command executed: sh -c "rm -rf /var/log/wtmp"
Source: /tmp/IOg8XL9P8B (PID: 5253). Shell command executed: sh -c "rm -rf /tmp/*"
Source: /tmp/IOg8XL9P8B (PID: 5256). Shell command executed: sh -c "rm -rf /bin/netstat"
Source: /tmp/IOg8XL9P8B (PID: 5259). Shell command executed: sh -c "iptables -F"
Source: /tmp/IOg8XL9P8B (PID: 5265). Shell command executed: sh -c "pkill -9 busybox"
Source: /tmp/IOg8XL9P8B (PID: 5272). Shell command executed: sh -c "pkill -9 perl"
Source: /tmp/IOg8XL9P8B (PID: 5275). Shell command executed: sh -c "pkill -9 python"
Source: /tmp/IOg8XL9P8B (PID: 5280). Shell command executed: sh -c "service iptables stop"
Source: /tmp/IOg8XL9P8B (PID: 5292). Shell command executed: sh -c "/sbin/iptables -F; /sbin/iptables -X"
Source: /tmp/IOg8XL9P8B (PID: 5296). Shell command executed: sh -c "service firewalld stop"
Source: /tmp/IOg8XL9P8B (PID: 5307). Shell command executed: sh -c "rm -rf ~/.bash_history"
Source: /tmp/IOg8XL9P8B (PID: 5311). Shell command executed: sh -c "history -c"
Note: the thirteen commands above are the sample's own and make up its entire host-side footprint in this run: wipe /tmp, /var and the login record (wtmp), remove netstat, flush and delete the iptables chains and stop the iptables/firewalld services, kill busybox, perl and python processes, and remove the shell history. Two of them are weaker than they look. "sh -c history -c" clears only the history of that throwaway non-interactive shell (dash has no history builtin at all), and "rm -rf ~/.bash_history" affects only the user the sample runs as, here root (the rm line below resolves it to /root/.bash_history). Deleting /bin/netstat does not remove ss from iproute2, which current distributions ship by default.

Source: /usr/bin/gpu-manager (PIDs 5432, 5434, 5436, 5438, 5440, 5442, 5446, 5448 in its first run; 5535, 5537, 5541, 5543, 5545, 5547, 5549, 5551 in its second). Shell command executed: sh -c "grep -G \"^blacklist.*<driver>[[:space:]]*$\" <dir>/*.conf", with <driver> = nvidia (5432, 5434; 5535, 5537), radeon (5436, 5438; 5541, 5543), amdgpu (5440, 5442; 5545, 5547), nouveau (5446, 5448; 5549, 5551); the first PID of each pair uses <dir> = /etc/modprobe.d and the second /lib/modprobe.d. These are the guest's own driver checks, not sample activity.
Source: /bin/sh (PID: 5238). Rm executable: /usr/bin/rm -> rm -rf /tmp/IOg8XL9P8B /tmp/config-err-dHT8bZ /tmp/dmesgtail.log /tmp/snap.lxd /tmp/ssh-hOQ5FjG2iVgO /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-c4RYFi /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-gKIF8e /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-gB0a9f /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-APWnLg /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-IofUpj /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-AfPZzg /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-x0xO0i /tmp/vmware-root_721-4290559889 /var/backups /var/cache /var/crash /var/lib /var/local /var/lock /var/log /var/mail /var/metrics /var/opt /var/run /var/snap /var/spool /var/tmp /var/run/NetworkManager /var/run/acpid.pid /var/run/acpid.socket /var/run/apport.lock /var/run/avahi-daemon /var/run/blkid /var/run/cloud-init /var/run/console-setup /var/run/crond.pid /var/run/crond.reboot /var/run/cryptsetup /var/run/cups /var/run/dbus /var/run/dmeventd-client /var/run/dmeventd-server /var/run/gdm3 /var/run/gdm3.pid /var/run/initctl /var/run/initramfs /var/run/irqbalance /var/run/lock /var/run/log /var/run/lvm /var/run/mlocate.daily.lock /var/run/mono-xsp4 /var/run/mono-xsp4.pid /var/run/motd.d /var/run/mount /var/run/multipathd.pid /var/run/netns /var/run/network /var/run/screen /var/run/sendsigs.omit.d /var/run/shm /var/run/snapd /var/run/snapd-snap.socket /var/run/snapd.socket /var/run/speech-dispatcher /var/run/spice-vdagentd /var/run/sshd /var/run/sshd.pid /var/run/sudo /var/run/systemd /var/run/tmpfiles.d /var/run/udev /var/run/udisks2 /var/run/unattended-upgrades.lock /var/run/user /var/run/utmp /var/run/uuidd /var/run/vmware /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-J6Q1Te /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-srP90f /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-biJ0Gi /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-1jIxdj /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-llmWag /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-X16eHh /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-GpSnaf
Note: this is the shell's expansion of the sample's "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*". The first argument is the sample file itself, and the presence of /var/lib, /var/log, /var/run/utmp and /var/run/sshd.pid in the list shows the rm ran with root privilege against the whole of /var, not just temporary files.
Source: /bin/sh (PID: 5252). Rm executable: /usr/bin/rm -> rm -rf /var/log/wtmp
Source: /bin/sh (PID: 5255). Rm executable: /usr/bin/rm -> rm -rf /tmp/* (the glob is unexpanded because /tmp was already empty after the first rm; the shell passed the literal pattern)
Source: /bin/sh (PID: 5258). Rm executable: /usr/bin/rm -> rm -rf /bin/netstat
Source: /bin/sh (PID: 5310). Rm executable: /usr/bin/rm -> rm -rf /root/.bash_history
Source: /usr/bin/gpu-manager (PID: 5534). Log file created: /var/log/gpu-manager.log
Source: /usr/sbin/service (PID: 5288). Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p
Source: /usr/sbin/service (PID: 5304). Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p
Note: the two sed calls are internal to the /usr/sbin/service wrapper (spawned by the sample's "service iptables stop" and "service firewalld stop"), which uses them to look up matching systemd .socket units; they are not commands chosen by the sample.
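The thirteen "sh -c" commands in this section are the detection opportunity in the report: each on its own is something an administrator might type, but together they are the cleanup routine of this bot family. The detector below is an added example and not part of the report or of any product. It takes process-exec events (constructed here from the shell-command lines above; the parent PID is assumed to be the sample's 5230, since the report attributes the commands to forks of the sample), unwraps the "sh -c" wrapper, sorts each command into a category, and alerts when one parent's children span three or more categories. The systemctl, killall, btmp/lastlog and ss/lsof/ps patterns are assumptions added to cover obvious variants; only what the report shows is certain.

```python
"""Flag the anti-forensic / firewall-teardown command burst seen in the report."""
import re
import shlex
from collections import defaultdict
from typing import Dict, List, Set

# Each category is a list of regexes matched against the command the sample
# handed to "sh -c". Patterns beyond what the report shows (systemctl, killall,
# btmp/lastlog, ss/lsof/ps) are assumptions added to cover obvious variants.
CATEGORIES = {
    "firewall_teardown": [
        r"\biptables\b.*\s-[FX]\b",
        r"\bservice\s+(iptables|firewalld)\s+stop\b",
        r"\bsystemctl\s+stop\s+(iptables|firewalld)\b",
    ],
    "log_wiping": [
        r"\brm\b.*\s/var/log/(wtmp|btmp|lastlog)\b",
        r"\brm\b.*\.bash_history\b",
        r"\bhistory\s+-c\b",
    ],
    "process_kill": [r"\b(pkill|killall)\s+-9\s+\S+"],
    "tool_removal": [r"\brm\b.*\s/(usr/)?s?bin/(netstat|ss|lsof|ps)\b"],
    "temp_wipe": [r"\brm\s+-rf\b.*\s/(tmp|var|var/run|var/tmp)/\*"],
}
COMPILED = {name: [re.compile(p) for p in pats] for name, pats in CATEGORIES.items()}
ALERT_THRESHOLD = 3   # distinct categories from one parent before we alert


def inner_command(cmdline: str) -> str:
    """Unwrap 'sh -c "..."' so the patterns see the real command."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return cmdline
    if len(argv) >= 3 and argv[0].rsplit("/", 1)[-1] in ("sh", "bash", "dash") and argv[1] == "-c":
        return argv[2]
    return cmdline


def classify(cmdline: str) -> Set[str]:
    """Categories that a single executed command line falls into."""
    cmd = inner_command(cmdline)
    return {name for name, pats in COMPILED.items() if any(p.search(cmd) for p in pats)}


def score_parents(events: List[dict]) -> Dict[int, Set[str]]:
    """Union of categories per parent PID across all of its child commands."""
    seen: Dict[int, Set[str]] = defaultdict(set)
    for ev in events:
        seen[ev["ppid"]] |= classify(ev["cmdline"])
    return dict(seen)


def alerts(events: List[dict]) -> List[int]:
    """Parent PIDs whose children span at least ALERT_THRESHOLD categories."""
    return sorted(ppid for ppid, cats in score_parents(events).items()
                  if len(cats) >= ALERT_THRESHOLD)


# Constructed exec events: the sample's commands from the report (child PIDs as
# listed, parent assumed to be 5230), one gpu-manager grep, and one benign rm.
SAMPLE_EVENTS = [
    {"pid": 5236, "ppid": 5230, "cmdline": 'sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"'},
    {"pid": 5250, "ppid": 5230, "cmdline": 'sh -c "rm -rf /var/log/wtmp"'},
    {"pid": 5256, "ppid": 5230, "cmdline": 'sh -c "rm -rf /bin/netstat"'},
    {"pid": 5259, "ppid": 5230, "cmdline": 'sh -c "iptables -F"'},
    {"pid": 5265, "ppid": 5230, "cmdline": 'sh -c "pkill -9 busybox"'},
    {"pid": 5280, "ppid": 5230, "cmdline": 'sh -c "service iptables stop"'},
    {"pid": 5292, "ppid": 5230, "cmdline": 'sh -c "/sbin/iptables -F; /sbin/iptables -X"'},
    {"pid": 5307, "ppid": 5230, "cmdline": 'sh -c "rm -rf ~/.bash_history"'},
    {"pid": 5311, "ppid": 5230, "cmdline": 'sh -c "history -c"'},
    {"pid": 5432, "ppid": 5431, "cmdline": 'sh -c "grep -G \\"^blacklist.*nvidia[[:space:]]*$\\" /etc/modprobe.d/*.conf"'},
    {"pid": 6001, "ppid": 6000, "cmdline": 'sh -c "rm -rf /tmp/build-cache"'},
]

if __name__ == "__main__":
    for ppid, cats in score_parents(SAMPLE_EVENTS).items():
        print(ppid, sorted(cats))
    print("alert on parents:", alerts(SAMPLE_EVENTS))
```

Keyed on the parent rather than on single commands, the rule survives the sample's habit of spawning one shell per command, and the benign rm of a build cache and the gpu-manager grep stay below threshold. Feed it auditd EXECVE records or EDR process events by mapping them onto the same pid/ppid/cmdline dictionaries.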

Hooking and other Techniques for Hiding and Protection:

Sample deletes itself
Source: /usr/bin/rm (PID: 5238). File: /tmp/IOg8XL9P8B
Note: the deletion is a side effect of the sample's "rm -rf /tmp/* ..." (the same rm removed every other entry in /tmp) rather than a targeted unlink of its own path. The running sample processes keep the unlinked binary mapped, so the image remains recoverable through /proc/<pid>/exe for as long as they live.
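Because the deletion is collateral from "rm -rf /tmp/*" and the sample keeps running (the report later dumps memory for PIDs 5223 through 5326), the binary is still reachable: the kernel appends " (deleted)" to the /proc/<pid>/exe link of an unlinked executable, and open() on that link reaches the inode. The script below is an added incident-response example and not part of the report; it walks /proc/<pid>/exe the way the sample's own process-table scan above does, but in order to find and copy out executables that no longer exist on disk. CONSTRUCTED_LINKS is a made-up set of readlink results modelled on this run; live_exe_links() reads the real /proc and needs root to read other users' exe links.

```python
"""Find processes whose executable was unlinked and copy the image out of /proc."""
import os
import shutil
from typing import Iterable, Iterator, List, Tuple

DELETED_SUFFIX = " (deleted)"   # what readlink(/proc/<pid>/exe) appends after an unlink


def is_deleted_exe(link_target: str) -> bool:
    """True when the exe link of a process points at a file that no longer exists."""
    return link_target.endswith(DELETED_SUFFIX)


def original_path(link_target: str) -> str:
    """Strip the kernel's ' (deleted)' marker to recover the path the binary had."""
    return link_target[: -len(DELETED_SUFFIX)] if is_deleted_exe(link_target) else link_target


def find_deleted_executables(entries: Iterable[Tuple[int, str]]) -> List[Tuple[int, str]]:
    """Filter (pid, exe link target) pairs down to processes running from deleted files."""
    return [(pid, original_path(t)) for pid, t in entries if is_deleted_exe(t)]


def live_exe_links(proc_root: str = "/proc") -> Iterator[Tuple[int, str]]:
    """Walk /proc the way the sample's killer does, but only to read the exe links."""
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            yield int(name), os.readlink(os.path.join(proc_root, name, "exe"))
        except OSError:
            continue   # kernel thread, process already gone, or no permission


def recover_image(pid: int, dest_dir: str, proc_root: str = "/proc") -> str:
    """Copy the still-mapped binary out: open() on /proc/<pid>/exe reaches the unlinked inode."""
    dest = os.path.join(dest_dir, f"pid{pid}.recovered")
    with open(os.path.join(proc_root, str(pid), "exe"), "rb") as src, open(dest, "wb") as out:
        shutil.copyfileobj(src, out)
    return dest


# Constructed readlink results modelled on this report: the sample (PID 5230) keeps
# running after "rm -rf /tmp/*" removed /tmp/IOg8XL9P8B; the other two are ordinary.
CONSTRUCTED_LINKS = [
    (1, "/usr/lib/systemd/systemd"),
    (5230, "/tmp/IOg8XL9P8B (deleted)"),
    (5274, "/usr/bin/pkill"),
]

if __name__ == "__main__":
    for pid, path in find_deleted_executables(live_exe_links()):
        print(f"pid {pid} runs from deleted file {path}; dump it with recover_image({pid}, '/root/ir')")
```

A stronger check than the string suffix is os.stat("/proc/<pid>/exe").st_nlink == 0, which a path that legitimately ends in " (deleted)" cannot fool. recover_image() only works while the process is alive, so it belongs before any kill of the sample's PIDs; on a guest that runs the binary through qemu-user, as this sandbox did, the exe link resolves to the emulator and the MIPS image has to be taken from the emulator's open file descriptors instead.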

Malware Analysis System Evasion:

Deletes security-related log files
Source: /usr/bin/rm (PID: 5252). Truncated file: /var/log/wtmp

Source: /usr/bin/pkill (PID: 5267). Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5274). Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5277). Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 5411). Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5451). Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5554). Reads CPU info from /sys: /sys/devices/system/cpu/online
Note: every source of the CPU-info signature is pkill or pulseaudio, i.e. the C library's processor-count lookup inside ordinary tools; no sample PID reads /sys here, so this is not evidence of mining or evasion logic in the binary.

Source: /tmp/IOg8XL9P8B (PID: 5223). Queries kernel information via 'uname'
Source: /usr/bin/whoopsie (PID: 5345). Queries kernel information via 'uname'
Source: /usr/bin/pulseaudio (PID: 5411). Queries kernel information via 'uname'
Source: /usr/bin/gpu-manager (PID: 5431). Queries kernel information via 'uname'
Source: /usr/bin/gpu-manager (PID: 5534). Queries kernel information via 'uname'

Source: /usr/bin/rm (PID: 5252). Truncated file: /var/log/wtmp
Source: /usr/bin/gpu-manager (PID: 5431). Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 5534). Truncated file: /var/log/gpu-manager.log

Source: IOg8XL9P8B, memory region 000000006ec05eaa.00000000e66fefc5.rw-.sdmp of PIDs 5223, 5225, 5228, 5230, 5232, 5234, 5320, 5322, 5324, 5326. Binary or memory string: U!/etc/qemu-binfmt/mips
Source: same region, same PIDs. Binary or memory string: /etc/qemu-binfmt/mips
Source: IOg8XL9P8B, 5230.1.000000006ec05eaa.00000000e66fefc5.rw-.sdmp. Binary or memory string: /usr/bin/vmtoolsd
Source: IOg8XL9P8B, 5230.1.000000006ec05eaa.00000000e66fefc5.rw-.sdmp. Binary or memory string: U!/usr/bin/vmtoolsd!SubjectPublicKeyInfo
Source: IOg8XL9P8B, 5230.1.00000000e66fefc5.000000003a31f38a.rw-.sdmp. Binary or memory string: /etc/qemu-binfmt/mips/usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd
Source: IOg8XL9P8B, memory region 0000000035e46502.00000000ddd7e10a.rw-.sdmp of PIDs 5223, 5225, 5228, 5230, 5232, 5234, 5320, 5322, 5324, 5326. Binary or memory string: x86_64/usr/bin/qemu-mips/tmp/IOg8XL9P8BSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/IOg8XL9P8B
Source: same region, same PIDs. Binary or memory string: /usr/bin/qemu-mips
Note: the last two strings are the argv and environment of the qemu-mips user-mode emulator that ran this MIPS binary on the x86_64 guest through binfmt_misc (/etc/qemu-binfmt/mips is the registered interpreter path). The process names /usr/bin/vmtoolsd and .../xfconf/xfconfd appear only in the memory of PID 5230, the process that walked /proc/<pid>/exe above, which is consistent with them being readlink results from that walk. None of this shows the sample checking for QEMU or VMware; it is the analysis environment leaking into the dumps. The same block does establish that the sample was launched as root via sudo from user saturnino (USER=root, HOME=/root), which is why its "rm -rf /var/*" and iptables commands succeeded.

Mitre Att&ck Matrix

(Reconstructed from the report's matrix, one line per tactic column. A number after a technique is the report's signature-hit badge, reproduced as extracted; techniques without a number are the unmatched cells of the standard matrix.)

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Command and Scripting Interpreter 1; Scripting 1; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: File and Directory Permissions Modification 1; Disable or Modify Tools 1; Scripting 1; Hidden Files and Directories 1; Obfuscated Files or Information 1; Disable or Modify System Firewall 1; Indicator Removal on Host 11; File Deletion 11
Credential Access: OS Credential Dumping 1; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: Security Software Discovery 11; System Network Configuration Discovery 1; File and Directory Discovery 1; System Information Discovery 1; Remote System Discovery; System Owner/User Discovery; Network Sniffing; Network Service Scanning
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Data Obfuscation; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

Malware Configuration

No configs have been found

Behavior Graph

The graph itself is an image on the original page. Its legend distinguishes Process, Signature, Created File, DNS/IP Info, Is Dropped, Number of created Files, Is malicious and Internet. The text recoverable from the rendered graph is:

Behavior Graph ID: 528746; Sample: IOg8XL9P8B; Start date: 25/11/2021; Architecture: LINUX; Score: 72.
Root signatures: Multi AV Scanner detection for submitted file; Sample is packed with UPX.
Sample tree: IOg8XL9P8B starts two IOg8XL9P8B children; one of those starts two more, one of which carries the signature "Sample tries to kill many processes (SIGKILL)" while the other starts a further IOg8XL9P8B that becomes the parent of all shell activity: 15 "IOg8XL9P8B sh" children, among them three "sh rm" (signatures: Sample deletes itself; Deletes security-related log files), one "sh iptables" (Deletes all firewall rules), two "sh service systemctl" chains (service -> service, basename, basename, systemctl; the inner service -> systemctl, sed) and 9 other processes.
Guest activity in the same graph: systemd starts gpu-manager twice, each running eight "gpu-manager sh" -> "sh grep" chains; 15 other root-level processes, a group that carries the "Sample reads /proc/mounts" signature, start 2 further processes.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source: IOg8XL9P8B
Detection: 25%
Scanner: Virustotal

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name: http://upx.sf.net
Source: IOg8XL9P8B
Malicious: false
Antivirus Detection: none
Reputation: high

    Contacted IPs

    No contacted IP infos

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    No context

    ASN

    No context

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    /home/saturnino/.config/pulse/ee49dfd4fa47433baee88884e2d7de7c-default-sink
    Process:/usr/bin/pulseaudio
    File Type:ASCII text
    Category:dropped
    Size (bytes):10
    Entropy (8bit):2.9219280948873623
    Encrypted:false
    SSDEEP:3:5bkPn:pkP
    MD5:FF001A15CE15CF062A3704CEA2991B5F
    SHA1:B06F6855F376C3245B82212AC73ADED55DFE5DEF
    SHA-256:C54830B41ECFA1B6FBDC30397188DDA86B7B200E62AEAC21AE694A6192DCC38A
    SHA-512:65EBF7C31F6F65713CE01B38A112E97D0AE64A6BD1DA40CE4C1B998F10CD3912EE1A48BB2B279B24493062118AAB3B8753742E2AF28E56A31A7AAB27DE80E7BF
    Malicious:false
    Reputation:moderate, very likely benign file
    Preview: auto_null.
    /home/saturnino/.config/pulse/ee49dfd4fa47433baee88884e2d7de7c-default-source
    Process:/usr/bin/pulseaudio
    File Type:ASCII text
    Category:dropped
    Size (bytes):18
    Entropy (8bit):3.4613201402110088
    Encrypted:false
    SSDEEP:3:5bkrIZsXvn:pkckv
    MD5:28FE6435F34B3367707BB1C5D5F6B430
    SHA1:EB8FE2D16BD6BBCCE106C94E4D284543B2573CF6
    SHA-256:721A37C69E555799B41D308849E8F8125441883AB021B723FED90A9B744F36C0
    SHA-512:6B6AB7C0979629D0FEF6BE47C5C6BCC367EDD0AAE3FC973F4DE2FD5F0A819C89E7656DB65D453B1B5398E54012B27EDFE02894AD87A7E0AF3A9C5F2EB24A9919
    Malicious:false
    Reputation:moderate, very likely benign file
    Preview: auto_null.monitor.
    /proc/5370/oom_score_adj
    Process:/usr/sbin/sshd
    File Type:ASCII text
    Category:dropped
    Size (bytes):6
    Entropy (8bit):1.7924812503605778
    Encrypted:false
    SSDEEP:3:ptn:Dn
    MD5:CBF282CC55ED0792C33D10003D1F760A
    SHA1:007DD8BD75468E6B7ABA4285E9B267202C7EAEED
    SHA-256:FCDBAB99FCC0F4409E5F9D7D6FC497780288B4C441698126BB62832412774D22
    SHA-512:4643A8675D213C7DA35CC0C2BFB3B6F20324F9C48AEA7BA79F470615698C9A0CEFDA45CAA1957FC29110EE746BC8458AB8AB1E43EB513912A5E1E8858812CC00
    Malicious:false
    Reputation:high, very likely benign file
    Preview: -1000.
    /run/sshd.pid
    Process:/usr/sbin/sshd
    File Type:ASCII text
    Category:dropped
    Size (bytes):5
    Entropy (8bit):2.321928094887362
    Encrypted:false
    SSDEEP:3:DSF:E
    MD5:57D80149E6D48D3BB2E5DD63EEBAB2CF
    SHA1:DE6E42464BF89B2A930F505FAE88471846B28713
    SHA-256:084420C48881C33BF4FCCC50A5FCA40128EBA306B5B19EF7148426AD2D3F3048
    SHA-512:E0510DCA67D4E216F62E0E018437C4FAD1AF014E81938E89D1558098FDF1C18F0FDE9843869FEDB3CE25F3A9C3C8AA3F838A432185B02C25A69AB290663ED92E
    Malicious:false
    Reputation:low
    Preview: 5370.
    /run/systemd/resolve/stub-resolv.conf
    Process:/tmp/IOg8XL9P8B
    File Type:ASCII text
    Category:dropped
    Size (bytes):38
    Entropy (8bit):3.3918926446809334
    Encrypted:false
    SSDEEP:3:KkZRAkd:KaAu
    MD5:C7EA09D26E26605227076E0514A33038
    SHA1:C3F9736E9AF7BD0885578859A50B205C8FA5FC8E
    SHA-256:7E8AD76E0D200E93918CA2E93C99FF8ECD02071953BF1479819DB3AC0DBB6D07
    SHA-512:17D0088725EB9991E9EB82E8A3DE0878E45E6F394BBC2AD260AA59C786FF0AD565E145E21256425D1C0ABE15F3ECB402EBB0A6A5E1C2D5BA7A4D95EC93A2861F
    Malicious:false
    Reputation:moderate, very likely benign file
    Preview: nameserver 8.8.8.8.nameserver 8.8.4.4.
    /run/user/1000/pulse/pid
    Process:/usr/bin/pulseaudio
    File Type:ASCII text
    Category:dropped
    Size (bytes):5
    Entropy (8bit):1.9219280948873623
    Encrypted:false
    SSDEEP:3:E9n:E9n
    MD5:CE8DB100041CB6952214A2697201F14E
    SHA1:F7B9CB9840DF387BE33E9737FC9DCECE73585A7A
    SHA-256:198FF7F9D813A6E62397E39E29639DB3499A268947571D5D239D7CBD32E35B2A
    SHA-512:023256E9DD73DF8216F1AB6AEA38AF9CC99822EE2D2BF0037DFBC133EC5BEAA116D4D93C845485D3F6AED6E3F95C22B4698E2BAA5543C270DDE413E2757D4C0B
    Malicious:false
    Reputation:low
    Preview: 5411.
    /var/log/gpu-manager.log
    Process:/usr/bin/gpu-manager
    File Type:ASCII text
    Category:dropped
    Size (bytes):1515
    Entropy (8bit):4.825813629825568
    Encrypted:false
    SSDEEP:24:wPXXX9uV6BNu3WDF3GF3XFFxFFed2uk2HUvJlfWkpPpx7uvvAdow9555Ro7uRkoT:wPXXXe6vejpeC2HUR5WkpPpcvAdow959
    MD5:7B48386106F00126E44F428D0193E1ED
    SHA1:75F652293B2DE03A845A73B678A5CB7E9701A9F4
    SHA-256:9F60B5D0D5C6F6CB3892E1687D16333F36E3BD450713B00FDF0B2BB90EC7312C
    SHA-512:57D0856EC65558B4A843A4696B644AC3E80B3EA0E6EC1C2FAC7A00015B96EBB2CC30967EB8DEFC3E648E59AC6882F6A4F69468D4B6CD0FD60F9F343C206DBFBC
    Malicious:false
    Preview: log_file: /var/log/gpu-manager.log.last_boot_file: /var/lib/ubuntu-drivers-common/last_gfx_boot.new_boot_file: /var/lib/ubuntu-drivers-common/last_gfx_boot.can't access /run/u-d-c-nvidia-was-loaded file.can't get module info via kmodcan't access /opt/amdgpu-pro/bin/amdgpu-pro-px.Looking for nvidia modules in /lib/modules/5.4.0-72-generic/kernel.Looking for nvidia modules in /lib/modules/5.4.0-72-generic/updates/dkms.Looking for amdgpu modules in /lib/modules/5.4.0-72-generic/kernel.Looking for amdgpu modules in /lib/modules/5.4.0-72-generic/updates/dkms.Is nvidia loaded? no.Was nvidia unloaded? no.Is nvidia blacklisted? no.Is intel loaded? no.Is radeon loaded? no.Is radeon blacklisted? no.Is amdgpu loaded? no.Is amdgpu blacklisted? no.Is amdgpu versioned? no.Is amdgpu pro stack? no.Is nouveau loaded? no.Is nouveau blacklisted? no.Is nvidia kernel module available? no.Is amdgpu kernel module available? no.Vendor/Device Id: 15ad:405.BusID "PCI:0@0:15:0".Is boot vga? yes.Error: can't acce
    /var/run/gdm3.pid
    Process:/usr/sbin/gdm3
    File Type:ASCII text
    Category:dropped
    Size (bytes):5
    Entropy (8bit):1.9219280948873623
    Encrypted:false
    SSDEEP:3:FTF:pF
    MD5:AD7FA9E01F9BA9552A2B50ADBDCEEA87
    SHA1:65D4B862F58D4DE40DD11553B2BB27EE5E010C6F
    SHA-256:CC11195A89ED44684FF71726BF80D4C1C1F93785FD709D94F7E586641971E782
    SHA-512:BAEF301CAB7BF17FC76CD190046264E88BF3C667779BBD4603BF1F186370D4D1FA719AB5C76F12765082750296E4F799BCC4B2600AEA7CD636E92B54B312C9FB
    Malicious:false
    Preview: 5560.

    Static File Info

    General

    File type:ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
    Entropy (8bit):7.957051234330903
    TrID:
    • ELF Executable and Linkable format (Linux) (4029/14) 50.16%
    • ELF Executable and Linkable format (generic) (4004/1) 49.84%
    File name:IOg8XL9P8B
    File size:52492
    MD5:2eb2602703ec59e9118097fea2b3dafa
    SHA1:36224cc924b7a60f94e61ffbeea304d747137e0d
    SHA256:b0e28475774e7e58d75c1fe6a0fef19adcf84ef2a8ff3538a1859100da4f482f
    SHA512:316467e1ee812308e374200bf4a09096bd853adc61ea93b00166b49d6a037ca73a27d1c2a6be9d0fa75e52e9686763b1e1b3bbd740271a676cd6896d952470f0
    SSDEEP:1536:fpNnywIp5HUFW2U0jMUroVfZbvoREVJuX:JwSF9U0jMUroVfVoREVQX
    File Content Preview:.ELF...........................4.........4. ...(.............................................F...F......................UPX!.d.........(...(.......U.......?.E.h4...@b..) ..]....E..K...j.I.......2l.....u.....l..L..Y =.Mg.."/d\.Z.!'.....2`..o,...F..........

    Static ELF Info

    ELF header

    Class:ELF32
    Data:2's complement, big endian
    Version:1 (current)
    Machine:MIPS R3000
    Version Number:0x1
    Type:EXEC (Executable file)
    OS/ABI:UNIX - System V
    ABI Version:0
    Entry Point Address:0x10b890
    Flags:0x1007
    ELF Header Size:52
    Program Header Offset:52
    Program Header Size:32
    Number of Program Headers:2
    Section Header Offset:0
    Section Header Size:40
    Number of Section Headers:0
    Header String Table Index:0

    Program Segments

    Type  Offset  Virtual Address  Physical Address  File Size  Memory Size  Entropy  Flags  Flags Description  Align    Prog Interpreter  Section Mappings
    LOAD  0x0     0x100000         0x100000          0xcbd4     0xcbd4       4.0751   0x5    R E                0x10000  -                 -
    LOAD  0xe4ec  0x46e4ec         0x46e4ec          0x0        0x0          0.0000   0x6    RW                 0x10000  -                 -
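The header and segment fields above are what a triage script reads before anything is executed: ELF32, big-endian, machine MIPS, two LOAD program headers, zero section headers (the "only a LOAD segment without any section mappings" signature), and an entry point 0x10b890 that falls inside the R E segment at 0x100000. The following Python is an added example, not Joe Sandbox code, that parses those fields, computes the same 8-bit Shannon entropy the report shows per file and per segment, and checks for the "UPX!" marker visible in the file content preview. The ELF image it builds is constructed to mirror the report's header shape (same class, endianness, flags, phdr count, segment addresses and permissions) and is not the analysed sample; the machine-name table and the UPX check are the example's own heuristics. Note that the second LOAD has a file offset (0xe4ec) past the end of a 52492-byte file but a file size of 0, so a parser must tolerate an out-of-range slice; the one below does.

```python
"""Static triage of an ELF32 binary: header and program-header parsing,
segment entropy, and a UPX-marker check. Added example; the ELF blob built
by build_demo_elf() is constructed for illustration, not the real sample."""
import math
import struct
from collections import Counter
from typing import Optional

PT_LOAD = 1
PF_X, PF_W, PF_R = 1, 2, 4
MACHINES = {3: "Intel 80386", 8: "MIPS R3000", 40: "ARM", 62: "x86-64"}  # subset, assumption


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0..8), the scale of 'Entropy (8bit)'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def flags_desc(p_flags: int) -> str:
    """readelf-style description: 'R E' for text, 'RW ' for data."""
    return (("R" if p_flags & PF_R else " ") + ("W" if p_flags & PF_W else " ")
            + ("E" if p_flags & PF_X else " "))


def parse_elf32(blob: bytes) -> dict:
    """Parse the ELF32 header and program headers; both endiannesses are handled."""
    if blob[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if blob[4] != 1:                       # EI_CLASS: 1 = ELF32
        raise ValueError("only ELF32 is handled here")
    e = ">" if blob[5] == 2 else "<"       # EI_DATA: 2 = big endian (MSB)
    (e_type, e_machine, _ver, e_entry, e_phoff, _shoff, e_flags, _ehsize,
     e_phentsize, e_phnum, _shentsize, e_shnum, _shstrndx) = struct.unpack_from(
        e + "HHIIIIIHHHHHH", blob, 16)
    segments = []
    for i in range(e_phnum):
        (p_type, p_offset, p_vaddr, _paddr, p_filesz, p_memsz, p_flags,
         p_align) = struct.unpack_from(e + "8I", blob, e_phoff + i * e_phentsize)
        segments.append({
            "type": p_type, "offset": p_offset, "vaddr": p_vaddr, "filesz": p_filesz,
            "memsz": p_memsz, "flags": p_flags, "desc": flags_desc(p_flags),
            "align": p_align,
            # an offset past EOF with filesz 0 simply yields an empty slice
            "entropy": shannon_entropy(blob[p_offset:p_offset + p_filesz]),
        })
    return {"big_endian": e == ">", "type": e_type,
            "machine": MACHINES.get(e_machine, hex(e_machine)), "entry": e_entry,
            "flags": e_flags, "section_headers": e_shnum, "segments": segments}


def segment_containing(addr: int, segments: list) -> Optional[dict]:
    """Return the LOAD segment whose memory range covers addr, if any."""
    for s in segments:
        if s["type"] == PT_LOAD and s["vaddr"] <= addr < s["vaddr"] + s["memsz"]:
            return s
    return None


def triage(blob: bytes) -> dict:
    """Static checks corresponding to the report's packer/segment signatures."""
    info = parse_elf32(blob)
    entry_seg = segment_containing(info["entry"], info["segments"])
    return {
        "no_section_headers": info["section_headers"] == 0,   # LOAD-only, no section mappings
        "upx_marker": b"UPX!" in blob,                         # heuristic; packer stub string
        "entry_in_exec_load": bool(entry_seg and entry_seg["flags"] & PF_X),
        "file_entropy": shannon_entropy(blob),
        "info": info,
    }


def build_demo_elf() -> bytes:
    """Constructed ELF32 MSB MIPS image: 2 LOAD phdrs, no shdrs, e_flags 0x1007."""
    body = b"UPX!" + bytes(range(256)) * 2        # stand-in for packed text, not real code
    ehdr_size, phdr_size, phnum = 52, 32, 2
    body_off = ehdr_size + phdr_size * phnum
    text_vaddr, data_vaddr = 0x100000, 0x46E4EC
    filesz = body_off + len(body)
    ident = b"\x7fELF" + bytes([1, 2, 1, 0, 0]) + bytes(7)   # ELF32, MSB, v1, SYSV
    ehdr = struct.pack(">16sHHIIIIIHHHHHH", ident,
                       2, 8, 1, text_vaddr + body_off, ehdr_size, 0, 0x1007,
                       ehdr_size, phdr_size, phnum, 40, 0, 0)
    ph_text = struct.pack(">8I", PT_LOAD, 0, text_vaddr, text_vaddr,
                          filesz, filesz, PF_R | PF_X, 0x10000)
    ph_data = struct.pack(">8I", PT_LOAD, filesz, data_vaddr, data_vaddr,
                          0, 0, PF_R | PF_W, 0x10000)
    return ehdr + ph_text + ph_data + body


if __name__ == "__main__":
    result = triage(build_demo_elf())
    for key, value in result.items():
        if key != "info":
            print(f"{key}: {value}")
    for s in result["info"]["segments"]:
        print(f"LOAD off={s['offset']:#x} vaddr={s['vaddr']:#x} filesz={s['filesz']:#x} "
              f"{s['desc']!r} entropy={s['entropy']:.4f}")
```

Against a real sample, replace build_demo_elf() with the file's bytes; the entropy function reproduces the report's values exactly, for example 2.9219 for the 10-byte "auto_null" file and 1.7925 for the 6-byte "-1000" file, assuming each preview's trailing "." stands for a newline as the stated sizes imply.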

    Network Behavior

    No network behavior found

    System Behavior