Linux Analysis Report seWzsbHlCC

Overview

General Information

Sample Name: seWzsbHlCC
Analysis ID: 528748
MD5: 4a3e4fcf840711d95a782a1aa01a3758
SHA1: 1debbe3bda8a84261eee99edc5f672165a44813d
SHA256: 8797bac4f4912bf412e4dc586f0747c0161de7b3ebd0e680eb814be4e20a7b39
Tags: 32, arm, elf, mirai

Detection

Mirai
Score: 88
Range: 0 - 100
Whitelisted: false

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Mirai
Sample tries to kill many processes (SIGKILL)
Deletes all firewall rules
Connects to many ports of the same IP (likely port scanning)
Sample deletes itself
Sample is packed with UPX
Uses known network protocols on non-standard ports
Deletes security-related log files
Sample reads /proc/mounts (often used for finding a writable filesystem)
Executes the "kill" or "pkill" command typically used to terminate processes
Sample contains only a LOAD segment without any section mappings
Reads CPU information from /sys indicative of miner or evasive malware
Yara signature match
Executes the "grep" command used to find patterns in files or piped streams
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Detected TCP or UDP traffic on non-standard ports
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Deletes log files
Creates hidden files and/or directories
Executes the "iptables" command used for managing IP filtering and manipulation
Sample tries to set the executable flag
Executes commands using a shell command-line interpreter
Executes the "rm" command used to delete files or directories

Classification

Bitcoin Miner:

Reads CPU information from /sys indicative of miner or evasive malware
Source: /usr/bin/pkill (PID: 5310) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5319) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5322) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 5446) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5489) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5573) Reads CPU info from /sys: /sys/devices/system/cpu/online

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 61.219.57.213:23 -> 192.168.2.23:53708
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 61.219.57.213:23 -> 192.168.2.23:53708
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 77.87.103.137:23 -> 192.168.2.23:47396
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 77.87.103.137:23 -> 192.168.2.23:47396
Source: Traffic Snort IDS: 716 INFO TELNET access 194.143.250.195:23 -> 192.168.2.23:41828
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 61.219.57.213:23 -> 192.168.2.23:54054
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 61.219.57.213:23 -> 192.168.2.23:54054
Source: Traffic Snort IDS: 716 INFO TELNET access 178.207.239.204:23 -> 192.168.2.23:45398
Source: Traffic Snort IDS: 716 INFO TELNET access 178.207.239.204:23 -> 192.168.2.23:45468
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 76.169.48.96:23 -> 192.168.2.23:50794
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 76.169.48.96:23 -> 192.168.2.23:50794
Source: Traffic Snort IDS: 716 INFO TELNET access 178.207.239.204:23 -> 192.168.2.23:45490
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 77.87.103.137:23 -> 192.168.2.23:47822
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 77.87.103.137:23 -> 192.168.2.23:47822
Source: Traffic Snort IDS: 716 INFO TELNET access 178.207.239.204:23 -> 192.168.2.23:45522
Source: Traffic Snort IDS: 716 INFO TELNET access 178.207.239.204:23 -> 192.168.2.23:45554
Source: Traffic Snort IDS: 716 INFO TELNET access 178.207.239.204:23 -> 192.168.2.23:45580
Source: Traffic Snort IDS: 716 INFO TELNET access 178.207.239.204:23 -> 192.168.2.23:45620
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 61.219.57.213:23 -> 192.168.2.23:54472
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 61.219.57.213:23 -> 192.168.2.23:54472
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 85.146.97.48:23 -> 192.168.2.23:46744
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 85.146.97.48:23 -> 192.168.2.23:46744
Source: Traffic Snort IDS: 716 INFO TELNET access 178.207.239.204:23 -> 192.168.2.23:45676
Source: Traffic Snort IDS: 716 INFO TELNET access 112.220.106.138:23 -> 192.168.2.23:41804
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 77.87.103.137:23 -> 192.168.2.23:48002
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 77.87.103.137:23 -> 192.168.2.23:48002
Source: Traffic Snort IDS: 716 INFO TELNET access 178.207.239.204:23 -> 192.168.2.23:45724
Source: Traffic Snort IDS: 716 INFO TELNET access 178.207.239.204:23 -> 192.168.2.23:45788
Source: Traffic Snort IDS: 716 INFO TELNET access 178.207.239.204:23 -> 192.168.2.23:45882
Source: Traffic Snort IDS: 716 INFO TELNET access 178.207.239.204:23 -> 192.168.2.23:45928
Source: Traffic Snort IDS: 716 INFO TELNET access 178.207.239.204:23 -> 192.168.2.23:45994
Source: Traffic Snort IDS: 716 INFO TELNET access 175.194.147.65:23 -> 192.168.2.23:43294
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 76.169.48.96:23 -> 192.168.2.23:51298
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 76.169.48.96:23 -> 192.168.2.23:51298
Source: Traffic Snort IDS: 716 INFO TELNET access 178.207.239.204:23 -> 192.168.2.23:46030
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 61.219.57.213:23 -> 192.168.2.23:54838
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 61.219.57.213:23 -> 192.168.2.23:54838
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 77.87.103.137:23 -> 192.168.2.23:48334
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 77.87.103.137:23 -> 192.168.2.23:48334
Source: Traffic Snort IDS: 716 INFO TELNET access 194.143.250.195:23 -> 192.168.2.23:42712
Source: Traffic Snort IDS: 716 INFO TELNET access 178.207.239.204:23 -> 192.168.2.23:46070
Source: Traffic Snort IDS: 716 INFO TELNET access 178.207.239.204:23 -> 192.168.2.23:46116
Source: Traffic Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:43186 -> 83.139.79.220:23
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 219.241.49.161:23 -> 192.168.2.23:47276
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 219.241.49.161:23 -> 192.168.2.23:47276
Source: Traffic Snort IDS: 716 INFO TELNET access 178.207.239.204:23 -> 192.168.2.23:46168
Source: Traffic Snort IDS: 716 INFO TELNET access 178.207.239.204:23 -> 192.168.2.23:46192
Deletes all firewall rules
Source: /bin/sh (PID: 5304) Args: iptables -F
Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 194.85.250.141 ports 45601,0,1,4,5,6
Uses known network protocols on non-standard ports
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.23:53396 -> 194.85.250.141:45601
Sample listens on a socket
Source: /tmp/seWzsbHlCC (PID: 5278) Socket: 0.0.0.0::23
Source: /usr/sbin/sshd (PID: 5408) Socket: 0.0.0.0::22
Source: /usr/sbin/sshd (PID: 5408) Socket: [::]::22
Executes the "iptables" command used for managing IP filtering and manipulation
Source: /bin/sh (PID: 5336) Iptables executable: /sbin/iptables -> /sbin/iptables -F
Source: /bin/sh (PID: 5337) Iptables executable: /sbin/iptables -> /sbin/iptables -X
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: seWzsbHlCC String found in binary or memory: http://upx.sf.net
Source: unknown DNS traffic detected: queries for: daisy.ubuntu.com

System Summary:

Sample tries to kill many processes (SIGKILL)
Source: /tmp/seWzsbHlCC (PID: 5278) SIGKILL sent: pid: 658, result: successful
Source: /tmp/seWzsbHlCC (PID: 5278) SIGKILL sent: pid: 720, result: successful
Source: /tmp/seWzsbHlCC (PID: 5278) SIGKILL sent: pid: 759, result: successful
Source: /tmp/seWzsbHlCC (PID: 5278) SIGKILL sent: pid: 772, result: successful
Source: /tmp/seWzsbHlCC (PID: 5278) SIGKILL sent: pid: 789, result: successful
Source: /tmp/seWzsbHlCC (PID: 5278) SIGKILL sent: pid: 800, result: successful
Source: /tmp/seWzsbHlCC (PID: 5278) SIGKILL sent: pid: 904, result: successful
Source: /tmp/seWzsbHlCC (PID: 5278) SIGKILL sent: pid: 936, result: successful
Source: /tmp/seWzsbHlCC (PID: 5278) SIGKILL sent: pid: 1320, result: successful
Source: /tmp/seWzsbHlCC (PID: 5278) SIGKILL sent: pid: 1334, result: successful
Source: /tmp/seWzsbHlCC (PID: 5278) SIGKILL sent: pid: 1335, result: successful
Source: /tmp/seWzsbHlCC (PID: 5278) SIGKILL sent: pid: 1389, result: successful
Source: /tmp/seWzsbHlCC (PID: 5278) SIGKILL sent: pid: 1809, result: successful
Source: /tmp/seWzsbHlCC (PID: 5278) SIGKILL sent: pid: 1872, result: successful
Source: /tmp/seWzsbHlCC (PID: 5278) SIGKILL sent: pid: 1888, result: successful
Source: /tmp/seWzsbHlCC (PID: 5278) SIGKILL sent: pid: 2048, result: successful
Sample contains only a LOAD segment without any section mappings
Source: LOAD without section mappings Program segment: 0x8000
Yara signature match
Source: seWzsbHlCC, type: SAMPLE Matched rule: SUSP_ELF_LNX_UPX_Compressed_File date = 2018-12-12, author = Florian Roth, description = Detects a suspicious ELF binary with UPX compression, reference = Internal Research, score = 038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4
Sample tries to kill a process (SIGKILL)
Source: classification engine Classification label: mal88.spre.troj.evad.lin@0/9@2/0

Data Obfuscation:

Sample is packed with UPX
Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $

Persistence and Installation Behavior:

Deletes all firewall rules
Source: /bin/sh (PID: 5304) Args: iptables -F
Sample reads /proc/mounts (often used for finding a writable filesystem)
Source: /bin/fusermount (PID: 5494) File: /proc/5494/mounts
Executes the "kill" or "pkill" command typically used to terminate processes
Source: /bin/sh (PID: 5310) Pkill executable: /usr/bin/pkill -> pkill -9 busybox
Source: /bin/sh (PID: 5319) Pkill executable: /usr/bin/pkill -> pkill -9 perl
Source: /bin/sh (PID: 5322) Pkill executable: /usr/bin/pkill -> pkill -9 python
Source: /usr/share/gdm/generate-config (PID: 5489) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /usr/share/gdm/generate-config (PID: 5573) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Executes the "grep" command used to find patterns in files or piped streams
Source: /bin/sh (PID: 5473) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5475) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 5477) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5479) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 5481) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5483) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 5485) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5487) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 5556) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5558) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 5560) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5562) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 5564) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5566) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 5569) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5571) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Enumerates processes within the "proc" file system
Source: /usr/bin/pkill (PID: 5573) File opened: /proc/5152/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5573) File opened: /proc/13/status Jump to behavior
Source: /usr/bin/pkill (PID: 5573) File opened: /proc/13/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5573) File opened: /proc/14/status Jump to behavior
Source: /usr/bin/pkill (PID: 5573) File opened: /proc/14/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5573) File opened: /proc/15/status Jump to behavior
Source: /usr/bin/pkill (PID: 5573) File opened: /proc/15/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5573) File opened: /proc/16/status Jump to behavior
Source: /usr/bin/pkill (PID: 5573) File opened: /proc/16/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5573) File opened: /proc/17/status Jump to behavior
Source: /usr/bin/pkill (PID: 5573) File opened: /proc/17/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5573) File opened: /proc/18/status Jump to behavior
Source: /usr/bin/pkill (PID: 5573) File opened: /proc/18/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5573) File opened: /proc/120/status Jump to behavior
Source: /usr/bin/pkill (PID: 5573) File opened: /proc/120/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5573) File opened: /proc/121/status Jump to behavior
Source: /usr/bin/pkill (PID: 5573) File opened: /proc/121/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5573) File opened: /proc/1349/status Jump to behavior
Source: /usr/bin/pkill (PID: 5573) File opened: /proc/1349/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5573) File opened: /proc/1/status Jump to behavior
Source: /usr/bin/pkill (PID: 5573) File opened: /proc/1/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5573) File opened: /proc/122/status Jump to behavior
Source: /usr/bin/pkill (PID: 5573) File opened: /proc/122/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5573) File opened: /proc/243/status Jump to behavior
Source: /usr/bin/pkill (PID: 5573) File opened: /proc/243/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5573) File opened: /proc/123/status Jump to behavior
Source: /usr/bin/pkill (PID: 5573) File opened: /proc/123/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5573) File opened: /proc/2/status Jump to behavior
Source: /usr/bin/pkill (PID: 5573) File opened: /proc/2/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5573) File opened: /proc/124/status Jump to behavior
Source: /usr/bin/pkill (PID: 5573) File opened: /proc/124/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5573) File opened: /proc/3/status Jump to behavior
Source: /usr/bin/pkill (PID: 5573) File opened: /proc/3/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5573) File opened: /proc/4/status Jump to behavior
Source: /usr/bin/pkill (PID: 5573) File opened: /proc/4/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5573) File opened: /proc/125/status Jump to behavior
Source: /usr/bin/pkill (PID: 5573) File opened: /proc/125/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5573) File opened: /proc/126/status Jump to behavior
Source: /usr/bin/pkill (PID: 5573) File opened: /proc/126/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5573) File opened: /proc/1344/status Jump to behavior
Source: /usr/bin/pkill (PID: 5573) File opened: /proc/1344/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5573) File opened: /proc/127/status Jump to behavior
Source: /usr/bin/pkill (PID: 5573) File opened: /proc/127/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5573) File opened: /proc/6/status Jump to behavior
Source: /usr/bin/pkill (PID: 5573) File opened: /proc/6/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5573) File opened: /proc/248/status Jump to behavior
Source: /usr/bin/pkill (PID: 5573) File opened: /proc/248/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5573) File opened: /proc/128/status Jump to behavior
Source: /usr/bin/pkill (PID: 5573) File opened: /proc/128/cmdline Jump to behavior
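The pairwise status/cmdline reads listed above are what pkill does when it resolves a name to PIDs: it walks every numeric entry under /proc, takes the short process name (the comm) from the status file and the full argument vector from cmdline, and applies its pattern to one or the other. The sample triggers exactly this walk with its `sh -c "pkill -9 busybox"`, `pkill -9 perl` and `pkill -9 python` commands, so the enumeration is a by-product of the kill list rather than a separate reconnaissance step. The following is an added model of that matching, written for this report; it is not code from the sample, the sandbox or procps. The fake /proc tree and the process table are constructed for the demonstration, the matching follows pgrep's documented unanchored extended-regex semantics, and the real tool also consults further /proc files and excludes its own PID, which the model leaves out.

```python
"""Model of how `pkill -9 <name>` finds its victims by walking /proc.

Added illustration for this report; it is not code from the sample, the
sandbox, or procps. It reproduces the per-PID status/cmdline reads the report
lists for pkill and runs against a constructed fake /proc tree, so it is safe
to execute anywhere.
"""
import os
import re
import tempfile

# Linux keeps at most 15 bytes of a task's comm name (TASK_COMM_LEN - 1), so the
# Name: field in /proc/PID/status is a truncated view of the executable name.
TASK_COMM_LEN = 15


def read_proc_entry(proc_root, pid):
    """Return (comm, argv) for one PID from the two files pkill opens per process."""
    base = os.path.join(proc_root, str(pid))
    comm = None
    with open(os.path.join(base, "status"), encoding="utf-8", errors="replace") as fh:
        for line in fh:
            if line.startswith("Name:"):
                comm = line.split(":", 1)[1].strip()
                break
    with open(os.path.join(base, "cmdline"), "rb") as fh:
        raw = fh.read()
    # cmdline is NUL-separated; kernel threads expose an empty file.
    argv = [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]
    return comm, argv


def find_matching_pids(proc_root, pattern, full=False):
    """PIDs whose comm (or full command line when full=True) matches `pattern`.

    As with pgrep/pkill the pattern is an unanchored regular expression, so
    'python' also hits 'python3'; with full=True kernel threads (empty
    cmdline) can never match, mirroring `pkill -f`.
    """
    rx = re.compile(pattern)
    hits = []
    for entry in sorted(os.listdir(proc_root), key=lambda e: int(e) if e.isdigit() else -1):
        if not entry.isdigit():
            continue  # real /proc also holds non-PID entries such as mounts and cpuinfo
        comm, argv = read_proc_entry(proc_root, entry)
        subject = " ".join(argv) if full else comm
        if subject and rx.search(subject):
            hits.append(int(entry))
    return hits


def build_fake_proc(root, table):
    """Create <root>/<pid>/{status,cmdline} from a {pid: (comm, argv)} table (test fixture)."""
    for pid, (comm, argv) in table.items():
        d = os.path.join(root, str(pid))
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, "status"), "w", encoding="utf-8") as fh:
            fh.write(f"Name:\t{comm[:TASK_COMM_LEN]}\nState:\tS (sleeping)\nPid:\t{pid}\n")
        with open(os.path.join(d, "cmdline"), "wb") as fh:
            fh.write(b"".join(a.encode("utf-8") + b"\0" for a in argv))


# Constructed process table, not taken from the report: a small host/embedded mix
# that includes the three names the sample passes to pkill.
SAMPLE_TABLE = {
    1: ("systemd", ["/sbin/init"]),
    2: ("kthreadd", []),                                   # kernel thread: empty cmdline
    910: ("busybox", ["/bin/busybox", "telnetd"]),
    912: ("python3", ["/usr/bin/python3", "/opt/agent.py"]),
    918: ("perl", ["/usr/bin/perl", "-e", "sleep 1"]),
    1334: ("sshd", ["/usr/sbin/sshd", "-D"]),
}


def demo():
    """Which PIDs the report's three pkill targets would signal in the fake tree."""
    with tempfile.TemporaryDirectory() as root:
        build_fake_proc(root, SAMPLE_TABLE)
        return {name: find_matching_pids(root, name) for name in ("busybox", "perl", "python")}


def demo_full_match():
    """The -f distinction: 'telnetd' only appears in busybox's argv, not its comm."""
    with tempfile.TemporaryDirectory() as root:
        build_fake_proc(root, SAMPLE_TABLE)
        return find_matching_pids(root, "telnetd"), find_matching_pids(root, "telnetd", full=True)


if __name__ == "__main__":
    for name, pids in demo().items():
        print(f"pkill -9 {name} would signal PIDs {pids}")
    print("telnetd by comm / by cmdline:", demo_full_match())
```

Two consequences matter for hunting this family on a real host: the unanchored match means `pkill -9 python` also kills `python3` agents, and a process that renames its comm (or is launched through a wrapper) escapes the name match and only falls to a `-f` match, which is why pkill opens cmdline as well as status for every PID.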
Creates hidden files and/or directories
Source: /usr/bin/whoopsie (PID: 5382) Directory: /nonexistent/.cache
Executes the "iptables" command used for managing IP filtering and manipulation
Source: /bin/sh (PID: 5336) Iptables executable: /sbin/iptables -> /sbin/iptables -F
Source: /bin/sh (PID: 5337) Iptables executable: /sbin/iptables -> /sbin/iptables -X
Sample tries to set the executable flag
Source: /usr/bin/whoopsie (PID: 5382) File: /var/crash (bits: gv usr: rwx grp: rwx all: rwx)
Source: /usr/sbin/gdm3 (PID: 5510) File: /var/run/gdm3 (bits: - usr: -x grp: x all: rwx)
Source: /usr/sbin/gdm3 (PID: 5510) File: /var/log/gdm3 (bits: - usr: -x grp: x all: rwx)
Source: /usr/sbin/gdm3 (PID: 5582) File: /var/run/gdm3 (bits: - usr: -x grp: x all: rwx)
Source: /usr/sbin/gdm3 (PID: 5582) File: /var/log/gdm3 (bits: - usr: -x grp: x all: rwx)
Executes commands using a shell command-line interpreter
Source: /tmp/seWzsbHlCC (PID: 5284) Shell command executed: sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"
Source: /tmp/seWzsbHlCC (PID: 5293) Shell command executed: sh -c "rm -rf /var/log/wtmp"
Source: /tmp/seWzsbHlCC (PID: 5296) Shell command executed: sh -c "rm -rf /tmp/*"
Source: /tmp/seWzsbHlCC (PID: 5299) Shell command executed: sh -c "rm -rf /bin/netstat"
Source: /tmp/seWzsbHlCC (PID: 5302) Shell command executed: sh -c "iptables -F"
Source: /tmp/seWzsbHlCC (PID: 5308) Shell command executed: sh -c "pkill -9 busybox"
Source: /tmp/seWzsbHlCC (PID: 5317) Shell command executed: sh -c "pkill -9 perl"
Source: /tmp/seWzsbHlCC (PID: 5320) Shell command executed: sh -c "pkill -9 python"
Source: /tmp/seWzsbHlCC (PID: 5325) Shell command executed: sh -c "service iptables stop"
Source: /tmp/seWzsbHlCC (PID: 5334) Shell command executed: sh -c "/sbin/iptables -F; /sbin/iptables -X"
Source: /tmp/seWzsbHlCC (PID: 5338) Shell command executed: sh -c "service firewalld stop"
Source: /tmp/seWzsbHlCC (PID: 5349) Shell command executed: sh -c "rm -rf ~/.bash_history"
Source: /tmp/seWzsbHlCC (PID: 5352) Shell command executed: sh -c "history -c"
Source: /usr/bin/gpu-manager (PID: 5472) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5474) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5476) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5478) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5480) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5482) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5484) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5486) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5555) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5557) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5559) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5561) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5563) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5565) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5568) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5570) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /lib/modprobe.d/*.conf"
Executes the "rm" command used to delete files or directories
Source: /bin/sh (PID: 5286) Rm executable: /usr/bin/rm -> rm -rf /tmp/config-err-dHT8bZ /tmp/dmesgtail.log /tmp/seWzsbHlCC /tmp/snap.lxd /tmp/ssh-hOQ5FjG2iVgO /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-c4RYFi /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-gKIF8e /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-gB0a9f /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-APWnLg /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-IofUpj /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-AfPZzg /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-x0xO0i /tmp/vmware-root_721-4290559889 /var/backups /var/cache /var/crash /var/lib /var/local /var/lock /var/log /var/mail /var/metrics /var/opt /var/run /var/snap /var/spool /var/tmp /var/run/NetworkManager /var/run/acpid.pid /var/run/acpid.socket /var/run/apport.lock /var/run/avahi-daemon /var/run/blkid /var/run/cloud-init /var/run/console-setup /var/run/crond.pid /var/run/crond.reboot /var/run/cryptsetup /var/run/cups /var/run/dbus /var/run/dmeventd-client /var/run/dmeventd-server /var/run/gdm3 /var/run/gdm3.pid /var/run/initctl /var/run/initramfs /var/run/irqbalance /var/run/lock /var/run/log /var/run/lvm /var/run/mlocate.daily.lock /var/run/mono-xsp4 /var/run/mono-xsp4.pid /var/run/motd.d /var/run/mount /var/run/multipathd.pid /var/run/netns /var/run/network /var/run/screen /var/run/sendsigs.omit.d /var/run/shm /var/run/snapd /var/run/snapd-snap.socket /var/run/snapd.socket /var/run/speech-dispatcher /var/run/spice-vdagentd /var/run/sshd /var/run/sshd.pid /var/run/sudo /var/run/systemd /var/run/tmpfiles.d /var/run/udev /var/run/udisks2 /var/run/unattended-upgrades.lock /var/run/user /var/run/utmp /var/run/uuidd /var/run/vmware /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-J6Q1Te /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-srP90f /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-biJ0Gi /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-1jIxdj /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-llmWag /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-X16eHh /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-GpSnaf
Source: /bin/sh (PID: 5295) Rm executable: /usr/bin/rm -> rm -rf /var/log/wtmp
Source: /bin/sh (PID: 5298) Rm executable: /usr/bin/rm -> rm -rf /tmp/*
Source: /bin/sh (PID: 5301) Rm executable: /usr/bin/rm -> rm -rf /bin/netstat
Source: /bin/sh (PID: 5351) Rm executable: /usr/bin/rm -> rm -rf /root/.bash_history
Source: /usr/bin/gpu-manager (PID: 5554) Log file created: /var/log/gpu-manager.log
Source: /usr/sbin/service (PID: 5333) Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p
Source: /usr/sbin/service (PID: 5346) Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p
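Taken together, the shell and rm lines above are the sample's defence-evasion routine in execution order: wipe /tmp and /var (which also removes its own dropped binary), truncate wtmp, delete /bin/netstat so a defender cannot list its sockets, flush and disable the firewall, kill competing interpreters and busybox, then clear shell history. The gpu-manager, gdm3 and whoopsie entries interleaved with them are the sandbox host's own activity and should not be attributed to the sample. The following added example, written for this report and not code from the sample or from Joe Sandbox, parses the two line shapes the report uses for executed commands and tags each command with the control it removes; the tag names and the TOOL_NAMES set are this example's own choices, the REPORT_LINES are copied from the lines above with one long rm line abbreviated, and a whoopsie line is included to show that lines carrying no command are skipped.

```python
"""Triage of the sandbox's "Shell command executed" / "Rm executable" lines.

Added example for this report, not code from the sample or from Joe Sandbox.
It parses the line shapes shown above, tags each command with the defensive
control it removes, and counts the tags. The tag names, the TOOL_NAMES set
and the abbreviated rm line in REPORT_LINES are this example's own choices.
"""
import os
import re

SAMPLE_PATH = "/tmp/seWzsbHlCC"

# One regex for both line shapes the report uses for executed commands.
LINE_RX = re.compile(
    r"^Source: (?P<proc>\S+) \(PID: (?P<pid>\d+)\) "
    r'(?:Shell command executed: sh -c "(?P<shell>.*)"|(?:Rm|Iptables) executable: \S+ -> (?P<exe>.*))$'
)
FIREWALL_RX = re.compile(r"\biptables\s+-[FX]\b|\bservice\s+(?:iptables|firewalld)\s+stop\b")
KILL_RX = re.compile(r"\b(?:pkill|killall|kill)\s+-9\b")
HISTORY_RX = re.compile(r"\bhistory\s+-c\b")
# rm targets that destroy login or shell history, or the whole log directory.
WIPE_TARGETS = re.compile(r"(?:^|/)(?:wtmp|btmp|lastlog|\.bash_history)$|^/var/log(?:/|$)")
# Host tools an attacker removes to blind the administrator (editor's choice).
TOOL_NAMES = {"netstat", "ss", "lsof", "tcpdump"}


def parse_report_line(line):
    """Return (process, pid, command) or None for lines that carry no command."""
    m = LINE_RX.match(line.strip())
    if not m:
        return None
    cmd = m.group("shell") if m.group("shell") is not None else m.group("exe")
    return m.group("proc"), int(m.group("pid")), cmd


def rm_targets(cmd):
    """Non-option arguments of an rm invocation, or [] if the command is not rm."""
    toks = cmd.split()
    if not toks or os.path.basename(toks[0]) != "rm":
        return []
    return [t for t in toks[1:] if not t.startswith("-")]


def classify(cmd, sample_path=None):
    """Tags describing which defence the command removes; [] means nothing fired."""
    tags = []
    if FIREWALL_RX.search(cmd):
        tags.append("firewall_disabled")
    if KILL_RX.search(cmd):
        tags.append("process_killed")
    targets = rm_targets(cmd)
    if HISTORY_RX.search(cmd) or any(WIPE_TARGETS.search(t) for t in targets):
        tags.append("log_wiped")
    if any(os.path.basename(t) in TOOL_NAMES for t in targets):
        tags.append("tool_removed")
    if any(t in ("/tmp/*", "/var/tmp/*") for t in targets):
        tags.append("tmp_wiped")
    if sample_path and sample_path in targets:
        tags.append("self_deleted")
    return tags


def triage(lines, sample_path=None):
    """[(pid, command, tags)] for every parsable line, in report order."""
    out = []
    for line in lines:
        parsed = parse_report_line(line)
        if parsed is None:
            continue
        _proc, pid, cmd = parsed
        out.append((pid, cmd, classify(cmd, sample_path)))
    return out


def summarize(findings):
    """Tag -> number of commands that carried it."""
    counts = {}
    for _pid, _cmd, tags in findings:
        for tag in tags:
            counts[tag] = counts.get(tag, 0) + 1
    return counts


# Lines copied from this report (residue stripped); the PID 5286 rm line is
# abbreviated to four of its arguments and the whoopsie line shows that
# non-command lines are ignored.
REPORT_LINES = [
    'Source: /tmp/seWzsbHlCC (PID: 5284) Shell command executed: sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"',
    'Source: /tmp/seWzsbHlCC (PID: 5293) Shell command executed: sh -c "rm -rf /var/log/wtmp"',
    'Source: /tmp/seWzsbHlCC (PID: 5299) Shell command executed: sh -c "rm -rf /bin/netstat"',
    'Source: /tmp/seWzsbHlCC (PID: 5302) Shell command executed: sh -c "iptables -F"',
    'Source: /tmp/seWzsbHlCC (PID: 5308) Shell command executed: sh -c "pkill -9 busybox"',
    'Source: /tmp/seWzsbHlCC (PID: 5325) Shell command executed: sh -c "service iptables stop"',
    'Source: /tmp/seWzsbHlCC (PID: 5334) Shell command executed: sh -c "/sbin/iptables -F; /sbin/iptables -X"',
    'Source: /tmp/seWzsbHlCC (PID: 5349) Shell command executed: sh -c "rm -rf ~/.bash_history"',
    'Source: /tmp/seWzsbHlCC (PID: 5352) Shell command executed: sh -c "history -c"',
    r'Source: /usr/bin/gpu-manager (PID: 5472) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"',
    "Source: /usr/bin/whoopsie (PID: 5382) Directory: /nonexistent/.cache",
    "Source: /bin/sh (PID: 5286) Rm executable: /usr/bin/rm -> rm -rf /tmp/config-err-dHT8bZ /tmp/seWzsbHlCC /var/log /var/run",
    "Source: /bin/sh (PID: 5336) Iptables executable: /sbin/iptables -> /sbin/iptables -F",
]


if __name__ == "__main__":
    findings = triage(REPORT_LINES, sample_path=SAMPLE_PATH)
    for pid, cmd, tags in findings:
        print(f"{pid:>5}  {', '.join(tags) or 'benign':<30} {cmd}")
    print(summarize(findings))
```

The rm handling works on argument tokens rather than a single regex over the whole command so that a long `rm -rf a b c ...` line is judged by every path it names; that is what catches `/var/log` and the sample's own path inside the PID 5286 command while the gpu-manager grep stays untagged.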

Hooking and other Techniques for Hiding and Protection:

Sample deletes itself
Source: /usr/bin/rm (PID: 5286) File: /tmp/seWzsbHlCC
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43188
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43194
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43206
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43214
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43222
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43236
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43246
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43254
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43264
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43272
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43282
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43290
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43296
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43304
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43314
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43318
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43322
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43326
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43334
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43342
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43352
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43370
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43390
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43408
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43422
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43438
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43452
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43462
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57916
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57924
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57932
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57948
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57964
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57976
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57998
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 58022
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 58042
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 58068
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 58092
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 58116
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 58136
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 58150
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 58164
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 58172
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 58180
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 58184
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 58192
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 58198
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 58210
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 58218
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 58222
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 58228
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 58234
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 58238
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 58242
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 58248

Malware Analysis System Evasion:

Deletes security-related log files
Source: /usr/bin/rm (PID: 5295) Truncated file: /var/log/wtmp
Reads CPU information from /sys indicative of miner or evasive malware
Source: /usr/bin/pkill (PID: 5310) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5319) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5322) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 5446) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5489) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5573) Reads CPU info from /sys: /sys/devices/system/cpu/online
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/seWzsbHlCC (PID: 5271) Queries kernel information via 'uname'
Source: /usr/bin/whoopsie (PID: 5382) Queries kernel information via 'uname'
Source: /usr/bin/pulseaudio (PID: 5446) Queries kernel information via 'uname'
Source: /usr/bin/gpu-manager (PID: 5471) Queries kernel information via 'uname'
Source: /usr/bin/gpu-manager (PID: 5554) Queries kernel information via 'uname'
Deletes log files
Source: /usr/bin/rm (PID: 5295) Truncated file: /var/log/wtmp
Source: /usr/bin/gpu-manager (PID: 5471) Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 5554) Truncated file: /var/log/gpu-manager.log
Source: seWzsbHlCC, 5271.1.00000000360bfc1e.00000000b0787897.rw-.sdmp, seWzsbHlCC, 5273.1.00000000360bfc1e.00000000b0787897.rw-.sdmp, seWzsbHlCC, 5275.1.00000000360bfc1e.00000000b0787897.rw-.sdmp, seWzsbHlCC, 5278.1.00000000360bfc1e.00000000b0787897.rw-.sdmp, seWzsbHlCC, 5280.1.00000000360bfc1e.00000000b0787897.rw-.sdmp, seWzsbHlCC, 5282.1.00000000360bfc1e.00000000b0787897.rw-.sdmp Binary or memory string: Vx86_64/usr/bin/qemu-arm/tmp/seWzsbHlCCSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/seWzsbHlCC
Source: seWzsbHlCC, 5271.1.000000006c8a81d0.000000004040623b.rw-.sdmp, seWzsbHlCC, 5273.1.000000006c8a81d0.000000004040623b.rw-.sdmp, seWzsbHlCC, 5275.1.000000006c8a81d0.000000004040623b.rw-.sdmp, seWzsbHlCC, 5278.1.000000006c8a81d0.000000004040623b.rw-.sdmp, seWzsbHlCC, 5280.1.000000006c8a81d0.000000004040623b.rw-.sdmp, seWzsbHlCC, 5282.1.000000006c8a81d0.000000004040623b.rw-.sdmp Binary or memory string: U!/etc/qemu-binfmt/arm
Source: seWzsbHlCC, 5278.1.000000004040623b.00000000812fe279.rw-.sdmp Binary or memory string: /usr/bin/vmtoolsd
Source: seWzsbHlCC, 5278.1.000000004040623b.00000000812fe279.rw-.sdmp Binary or memory string: !/proc/1586/exe0!/usr/bin/vmtoolsd1P
Source: seWzsbHlCC, 5271.1.000000006c8a81d0.000000004040623b.rw-.sdmp, seWzsbHlCC, 5273.1.000000006c8a81d0.000000004040623b.rw-.sdmp, seWzsbHlCC, 5275.1.000000006c8a81d0.000000004040623b.rw-.sdmp, seWzsbHlCC, 5278.1.000000006c8a81d0.000000004040623b.rw-.sdmp, seWzsbHlCC, 5280.1.000000006c8a81d0.000000004040623b.rw-.sdmp, seWzsbHlCC, 5282.1.000000006c8a81d0.000000004040623b.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/arm
Source: seWzsbHlCC, 5271.1.00000000360bfc1e.00000000b0787897.rw-.sdmp, seWzsbHlCC, 5273.1.00000000360bfc1e.00000000b0787897.rw-.sdmp, seWzsbHlCC, 5275.1.00000000360bfc1e.00000000b0787897.rw-.sdmp, seWzsbHlCC, 5278.1.00000000360bfc1e.00000000b0787897.rw-.sdmp, seWzsbHlCC, 5280.1.00000000360bfc1e.00000000b0787897.rw-.sdmp, seWzsbHlCC, 5282.1.00000000360bfc1e.00000000b0787897.rw-.sdmp Binary or memory string: /usr/bin/qemu-arm

Stealing of Sensitive Information:

Yara detected Mirai
Source: Yara match File source: dump.pcap, type: PCAP

Remote Access Functionality:

Yara detected Mirai
Source: Yara match File source: dump.pcap, type: PCAP