Linux Analysis Report seWzsbHlCC

Overview

General Information

Sample Name: seWzsbHlCC
Analysis ID: 528748
MD5: 4a3e4fcf840711d95a782a1aa01a3758
SHA1: 1debbe3bda8a84261eee99edc5f672165a44813d
SHA256: 8797bac4f4912bf412e4dc586f0747c0161de7b3ebd0e680eb814be4e20a7b39
Tags: 32, arm, elf, mirai

Detection

Mirai
Score: 88
Range: 0 - 100
Whitelisted: false

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Mirai
Sample tries to kill many processes (SIGKILL)
Deletes all firewall rules
Connects to many ports of the same IP (likely port scanning)
Sample deletes itself
Sample is packed with UPX
Uses known network protocols on non-standard ports
Deletes security-related log files
Sample reads /proc/mounts (often used for finding a writable filesystem)
Executes the "kill" or "pkill" command typically used to terminate processes
Sample contains only a LOAD segment without any section mappings
Reads CPU information from /sys indicative of miner or evasive malware
Yara signature match
Executes the "grep" command used to find patterns in files or piped streams
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Detected TCP or UDP traffic on non-standard ports
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Deletes log files
Creates hidden files and/or directories
Executes the "iptables" command used for managing IP filtering and manipulation
Sample tries to set the executable flag
Executes commands using a shell command-line interpreter
Executes the "rm" command used to delete files or directories

Classification

Analysis Advice

None of the HTTP servers contacted by the sample answered; the sample is likely an old dropper that no longer works
Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures
Static ELF header machine description suggests that the sample might not execute correctly on this machine

General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 528748
Start date: 25.11.2021
Start time: 18:28:37
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 10s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: seWzsbHlCC
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Detection: MAL
Classification: mal88.spre.troj.evad.lin@0/9@2/0
Warnings:
  • Connection to analysis system has been lost, crash info: Unknown
  • Report size exceeded maximum capacity and may have missing network information.
  • VT rate limit hit for: /opt/package/joesandbox/database/analysis/528748/sample/seWzsbHlCC

Process Tree

  • system is lnxubuntu20
  • seWzsbHlCC (PID: 5271, Parent: 5122, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/seWzsbHlCC
    • seWzsbHlCC New Fork (PID: 5275, Parent: 5271)
      • seWzsbHlCC New Fork (PID: 5280, Parent: 5275)
        • seWzsbHlCC New Fork (PID: 5282, Parent: 5280)
          • sh (PID: 5284, Parent: 5282, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"
            • sh New Fork (PID: 5286, Parent: 5284)
            • rm (PID: 5286, Parent: 5284, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /tmp/config-err-dHT8bZ /tmp/dmesgtail.log /tmp/seWzsbHlCC /tmp/snap.lxd /tmp/ssh-hOQ5FjG2iVgO /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-c4RYFi /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-gKIF8e /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-gB0a9f /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-APWnLg /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-IofUpj /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-AfPZzg /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-x0xO0i /tmp/vmware-root_721-4290559889 /var/backups /var/cache /var/crash /var/lib /var/local /var/lock /var/log /var/mail /var/metrics /var/opt /var/run /var/snap /var/spool /var/tmp /var/run/NetworkManager /var/run/acpid.pid /var/run/acpid.socket /var/run/apport.lock /var/run/avahi-daemon /var/run/blkid /var/run/cloud-init /var/run/console-setup /var/run/crond.pid /var/run/crond.reboot /var/run/cryptsetup /var/run/cups /var/run/dbus /var/run/dmeventd-client /var/run/dmeventd-server /var/run/gdm3 /var/run/gdm3.pid /var/run/initctl /var/run/initramfs /var/run/irqbalance /var/run/lock /var/run/log /var/run/lvm /var/run/mlocate.daily.lock /var/run/mono-xsp4 /var/run/mono-xsp4.pid /var/run/motd.d /var/run/mount /var/run/multipathd.pid /var/run/netns /var/run/network /var/run/screen /var/run/sendsigs.omit.d /var/run/shm /var/run/snapd /var/run/snapd-snap.socket /var/run/snapd.socket /var/run/speech-dispatcher /var/run/spice-vdagentd /var/run/sshd /var/run/sshd.pid /var/run/sudo /var/run/systemd /var/run/tmpfiles.d /var/run/udev /var/run/udisks2 /var/run/unattended-upgrades.lock /var/run/user /var/run/utmp /var/run/uuidd /var/run/vmware /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-J6Q1Te /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-srP90f /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-biJ0Gi /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-1jIxdj /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-llmWag /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-X16eHh /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-GpSnaf
          • sh (PID: 5293, Parent: 5282, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /var/log/wtmp"
            • sh New Fork (PID: 5295, Parent: 5293)
            • rm (PID: 5295, Parent: 5293, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /var/log/wtmp
          • sh (PID: 5296, Parent: 5282, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /tmp/*"
            • sh New Fork (PID: 5298, Parent: 5296)
            • rm (PID: 5298, Parent: 5296, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /tmp/*
          • sh (PID: 5299, Parent: 5282, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /bin/netstat"
            • sh New Fork (PID: 5301, Parent: 5299)
            • rm (PID: 5301, Parent: 5299, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /bin/netstat
          • sh (PID: 5302, Parent: 5282, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "iptables -F"
            • sh New Fork (PID: 5304, Parent: 5302)
            • iptables (PID: 5304, Parent: 5302, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -F
          • sh (PID: 5308, Parent: 5282, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 busybox"
            • sh New Fork (PID: 5310, Parent: 5308)
            • pkill (PID: 5310, Parent: 5308, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 busybox
          • sh (PID: 5317, Parent: 5282, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 perl"
            • sh New Fork (PID: 5319, Parent: 5317)
            • pkill (PID: 5319, Parent: 5317, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 perl
          • sh (PID: 5320, Parent: 5282, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 python"
            • sh New Fork (PID: 5322, Parent: 5320)
            • pkill (PID: 5322, Parent: 5320, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 python
          • sh (PID: 5325, Parent: 5282, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "service iptables stop"
            • sh New Fork (PID: 5327, Parent: 5325)
            • service (PID: 5327, Parent: 5325, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: service iptables stop
              • service New Fork (PID: 5328, Parent: 5327)
              • basename (PID: 5328, Parent: 5327, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service
              • service New Fork (PID: 5329, Parent: 5327)
              • basename (PID: 5329, Parent: 5327, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service
              • service New Fork (PID: 5330, Parent: 5327)
              • systemctl (PID: 5330, Parent: 5327, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl --quiet is-active multi-user.target
              • service New Fork (PID: 5331, Parent: 5327)
                • service New Fork (PID: 5332, Parent: 5331)
                • systemctl (PID: 5332, Parent: 5331, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl list-unit-files --full --type=socket
                • service New Fork (PID: 5333, Parent: 5331)
                • sed (PID: 5333, Parent: 5331, MD5: 885062561f66aa1d4af4c54b9e7cc81a) Arguments: sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p
            • systemctl (PID: 5327, Parent: 5325, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl stop iptables.service
          • sh (PID: 5334, Parent: 5282, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "/sbin/iptables -F; /sbin/iptables -X"
            • sh New Fork (PID: 5336, Parent: 5334)
            • iptables (PID: 5336, Parent: 5334, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: /sbin/iptables -F
            • sh New Fork (PID: 5337, Parent: 5334)
            • iptables (PID: 5337, Parent: 5334, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: /sbin/iptables -X
          • sh (PID: 5338, Parent: 5282, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "service firewalld stop"
            • sh New Fork (PID: 5340, Parent: 5338)
            • service (PID: 5340, Parent: 5338, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: service firewalld stop
              • service New Fork (PID: 5341, Parent: 5340)
              • basename (PID: 5341, Parent: 5340, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service
              • service New Fork (PID: 5342, Parent: 5340)
              • basename (PID: 5342, Parent: 5340, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service
              • service New Fork (PID: 5343, Parent: 5340)
              • systemctl (PID: 5343, Parent: 5340, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl --quiet is-active multi-user.target
              • service New Fork (PID: 5344, Parent: 5340)
                • service New Fork (PID: 5345, Parent: 5344)
                • systemctl (PID: 5345, Parent: 5344, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl list-unit-files --full --type=socket
                • service New Fork (PID: 5346, Parent: 5344)
                • sed (PID: 5346, Parent: 5344, MD5: 885062561f66aa1d4af4c54b9e7cc81a) Arguments: sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p
            • systemctl (PID: 5340, Parent: 5338, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl stop firewalld.service
          • sh (PID: 5349, Parent: 5282, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf ~/.bash_history"
            • sh New Fork (PID: 5351, Parent: 5349)
            • rm (PID: 5351, Parent: 5349, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /root/.bash_history
          • sh (PID: 5352, Parent: 5282, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "history -c"
  • systemd New Fork (PID: 5382, Parent: 1)
  • whoopsie (PID: 5382, Parent: 1, MD5: d3a6915d0e7398fb4c89a037c13959c8) Arguments: /usr/bin/whoopsie -f
  • systemd New Fork (PID: 5407, Parent: 1)
  • sshd (PID: 5407, Parent: 1, MD5: dbca7a6bbf7bf57fedac243d4b2cb340) Arguments: /usr/sbin/sshd -t
  • systemd New Fork (PID: 5408, Parent: 1)
  • sshd (PID: 5408, Parent: 1, MD5: dbca7a6bbf7bf57fedac243d4b2cb340) Arguments: /usr/sbin/sshd -D
  • gdm3 New Fork (PID: 5413, Parent: 1320)
  • Default (PID: 5413, Parent: 1320, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default
  • gdm3 New Fork (PID: 5414, Parent: 1320)
  • Default (PID: 5414, Parent: 1320, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default
  • systemd New Fork (PID: 5417, Parent: 1)
  • accounts-daemon (PID: 5417, Parent: 1, MD5: 01a899e3fb5e7e434bea1290255a1f30) Arguments: /usr/lib/accountsservice/accounts-daemon
  • systemd New Fork (PID: 5446, Parent: 1860)
  • pulseaudio (PID: 5446, Parent: 1860, MD5: 0c3b4c789d8ffb12b25507f27e14c186) Arguments: /usr/bin/pulseaudio --daemonize=no --log-target=journal
  • systemd New Fork (PID: 5471, Parent: 1)
  • gpu-manager (PID: 5471, Parent: 1, MD5: 8fae9dd5dd67e1f33d873089c2fd8761) Arguments: /usr/bin/gpu-manager --log /var/log/gpu-manager.log
    • sh (PID: 5472, Parent: 5471, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
      • sh New Fork (PID: 5473, Parent: 5472)
      • grep (PID: 5473, Parent: 5472, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
    • sh (PID: 5474, Parent: 5471, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
      • sh New Fork (PID: 5475, Parent: 5474)
      • grep (PID: 5475, Parent: 5474, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
    • sh (PID: 5476, Parent: 5471, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"
      • sh New Fork (PID: 5477, Parent: 5476)
      • grep (PID: 5477, Parent: 5476, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
    • sh (PID: 5478, Parent: 5471, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf"
      • sh New Fork (PID: 5479, Parent: 5478)
      • grep (PID: 5479, Parent: 5478, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
    • sh (PID: 5480, Parent: 5471, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf"
      • sh New Fork (PID: 5481, Parent: 5480)
      • grep (PID: 5481, Parent: 5480, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*amdgpu[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
    • sh (PID: 5482, Parent: 5471, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /lib/modprobe.d/*.conf"
      • sh New Fork (PID: 5483, Parent: 5482)
      • grep (PID: 5483, Parent: 5482, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*amdgpu[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
    • sh (PID: 5484, Parent: 5471, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /etc/modprobe.d/*.conf"
      • sh New Fork (PID: 5485, Parent: 5484)
      • grep (PID: 5485, Parent: 5484, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*nouveau[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
    • sh (PID: 5486, Parent: 5471, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /lib/modprobe.d/*.conf"
      • sh New Fork (PID: 5487, Parent: 5486)
      • grep (PID: 5487, Parent: 5486, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*nouveau[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
  • systemd New Fork (PID: 5488, Parent: 1)
  • generate-config (PID: 5488, Parent: 1, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /usr/share/gdm/generate-config
    • pkill (PID: 5489, Parent: 5488, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill --signal HUP --uid gdm dconf-service
  • systemd New Fork (PID: 5492, Parent: 1)
  • gdm-wait-for-drm (PID: 5492, Parent: 1, MD5: 82043ba752c6930b4e6aaea2f7747545) Arguments: /usr/lib/gdm3/gdm-wait-for-drm
  • fusermount (PID: 5494, Parent: 2038, MD5: 576a1b135c82bdcbc97a91acea900566) Arguments: fusermount -u -q -z -- /run/user/1000/gvfs
  • systemd New Fork (PID: 5502, Parent: 1)
  • systemd-user-runtime-dir (PID: 5502, Parent: 1, MD5: d55f4b0847f88131dbcfb07435178e54) Arguments: /lib/systemd/systemd-user-runtime-dir stop 1000
  • systemd New Fork (PID: 5510, Parent: 1)
  • gdm3 (PID: 5510, Parent: 1, MD5: 2492e2d8d34f9377e3e530a61a15674f) Arguments: /usr/sbin/gdm3
  • systemd New Fork (PID: 5554, Parent: 1)
  • gpu-manager (PID: 5554, Parent: 1, MD5: 8fae9dd5dd67e1f33d873089c2fd8761) Arguments: /usr/bin/gpu-manager --log /var/log/gpu-manager.log
    • sh (PID: 5555, Parent: 5554, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
      • sh New Fork (PID: 5556, Parent: 5555)
      • grep (PID: 5556, Parent: 5555, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
    • sh (PID: 5557, Parent: 5554, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
      • sh New Fork (PID: 5558, Parent: 5557)
      • grep (PID: 5558, Parent: 5557, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
    • sh (PID: 5559, Parent: 5554, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"
      • sh New Fork (PID: 5560, Parent: 5559)
      • grep (PID: 5560, Parent: 5559, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
    • sh (PID: 5561, Parent: 5554, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf"
      • sh New Fork (PID: 5562, Parent: 5561)
      • grep (PID: 5562, Parent: 5561, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
    • sh (PID: 5563, Parent: 5554, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf"
      • sh New Fork (PID: 5564, Parent: 5563)
      • grep (PID: 5564, Parent: 5563, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*amdgpu[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
    • sh (PID: 5565, Parent: 5554, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /lib/modprobe.d/*.conf"
      • sh New Fork (PID: 5566, Parent: 5565)
      • grep (PID: 5566, Parent: 5565, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*amdgpu[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
    • sh (PID: 5568, Parent: 5554, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /etc/modprobe.d/*.conf"
      • sh New Fork (PID: 5569, Parent: 5568)
      • grep (PID: 5569, Parent: 5568, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*nouveau[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
    • sh (PID: 5570, Parent: 5554, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /lib/modprobe.d/*.conf"
      • sh New Fork (PID: 5571, Parent: 5570)
      • grep (PID: 5571, Parent: 5570, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*nouveau[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
  • systemd New Fork (PID: 5572, Parent: 1)
  • generate-config (PID: 5572, Parent: 1, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /usr/share/gdm/generate-config
    • pkill (PID: 5573, Parent: 5572, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill --signal HUP --uid gdm dconf-service
  • systemd New Fork (PID: 5576, Parent: 1)
  • gdm-wait-for-drm (PID: 5576, Parent: 1, MD5: 82043ba752c6930b4e6aaea2f7747545) Arguments: /usr/lib/gdm3/gdm-wait-for-drm
  • systemd New Fork (PID: 5582, Parent: 1)
  • gdm3 (PID: 5582, Parent: 1, MD5: 2492e2d8d34f9377e3e530a61a15674f) Arguments: /usr/sbin/gdm3
  • cleanup

Yara Overview

Initial Sample

Source: seWzsbHlCC
Rule: SUSP_ELF_LNX_UPX_Compressed_File
Description: Detects a suspicious ELF binary with UPX compression
Author: Florian Roth
Strings:
  • 0xb6c8: $s1: PROT_EXEC|PROT_WRITE failed.
  • 0xb737: $s2: $Id: UPX
  • 0xb6e8: $s3: $Info: This file is packed with the UPX executable packer

PCAP (Network Traffic)

Source: dump.pcap
Rule: JoeSecurity_Mirai_12
Description: Yara detected Mirai
Author: Joe Security

Jbx Signature Overview

Source: /usr/bin/pkill (PID: 5310) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5319) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5322) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 5446) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5489) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5573) Reads CPU info from /sys: /sys/devices/system/cpu/online

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Deletes all firewall rules
Source: /bin/sh (PID: 5304) Args: iptables -F
Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 194.85.250.141 ports 45601,0,1,4,5,6
Uses known network protocols on non-standard ports
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 57948
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 57964
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 57976
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 57998
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 58022
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 58042
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 58068
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 58092
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 58116
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 58136
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 58150
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 58164
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 58172
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 58180
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 58184
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 58192
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 58198
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 58210
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 58218
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 58222
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 58228
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 58234
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 58238
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 58242
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 58248
    Source: global trafficTCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
    Source: global trafficTCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
    Source: global trafficTCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
    Source: global trafficTCP traffic: 192.168.2.23:53396 -> 194.85.250.141:45601
    Source: /tmp/seWzsbHlCC (PID: 5278)Socket: 0.0.0.0::23Jump to behavior
    Source: /usr/sbin/sshd (PID: 5408)Socket: 0.0.0.0::22Jump to behavior
    Source: /usr/sbin/sshd (PID: 5408)Socket: [::]::22Jump to behavior
    Source: /bin/sh (PID: 5336)Iptables executable: /sbin/iptables -> /sbin/iptables -FJump to behavior
    Source: /bin/sh (PID: 5337)Iptables executable: /sbin/iptables -> /sbin/iptables -XJump to behavior
    Source: unknownNetwork traffic detected: HTTP traffic on port 43928 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 42836 -> 443
    Source: unknownTCP traffic detected without corresponding DNS query: 185.174.86.135
    Source: unknownTCP traffic detected without corresponding DNS query: 147.145.201.135
    Source: unknownTCP traffic detected without corresponding DNS query: 101.172.161.173
    Source: unknownTCP traffic detected without corresponding DNS query: 165.249.86.132
    Source: unknownTCP traffic detected without corresponding DNS query: 157.68.78.60
    Source: unknownTCP traffic detected without corresponding DNS query: 85.105.184.86
    Source: unknownTCP traffic detected without corresponding DNS query: 77.124.17.46
    Source: unknownTCP traffic detected without corresponding DNS query: 206.204.80.87
    Source: unknownTCP traffic detected without corresponding DNS query: 216.148.132.203
    Source: unknownTCP traffic detected without corresponding DNS query: 207.140.150.1
    Source: unknownTCP traffic detected without corresponding DNS query: 109.215.13.121
    Source: unknownTCP traffic detected without corresponding DNS query: 95.23.32.192
    Source: unknownTCP traffic detected without corresponding DNS query: 144.148.82.187
    Source: unknownTCP traffic detected without corresponding DNS query: 41.147.213.38
    Source: unknownTCP traffic detected without corresponding DNS query: 17.179.94.217
    Source: unknownTCP traffic detected without corresponding DNS query: 48.121.4.250
    Source: unknownTCP traffic detected without corresponding DNS query: 170.171.137.68
    Source: unknownTCP traffic detected without corresponding DNS query: 122.35.156.9
    Source: unknownTCP traffic detected without corresponding DNS query: 123.183.200.233
    Source: unknownTCP traffic detected without corresponding DNS query: 90.131.136.159
    Source: unknownTCP traffic detected without corresponding DNS query: 140.154.149.1
    Source: unknownTCP traffic detected without corresponding DNS query: 35.75.90.209
    Source: unknownTCP traffic detected without corresponding DNS query: 206.177.180.146
    Source: unknownTCP traffic detected without corresponding DNS query: 113.184.204.137
    Source: unknownTCP traffic detected without corresponding DNS query: 34.121.250.0
    Source: unknownTCP traffic detected without corresponding DNS query: 65.22.59.61
    Source: unknownTCP traffic detected without corresponding DNS query: 111.196.65.29
    Source: unknownTCP traffic detected without corresponding DNS query: 114.93.66.26
    Source: unknownTCP traffic detected without corresponding DNS query: 66.4.96.250
    Source: unknownTCP traffic detected without corresponding DNS query: 120.142.202.163
    Source: unknownTCP traffic detected without corresponding DNS query: 44.196.192.32
    Source: unknownTCP traffic detected without corresponding DNS query: 1.45.214.176
    Source: unknownTCP traffic detected without corresponding DNS query: 88.123.62.136
    Source: unknownTCP traffic detected without corresponding DNS query: 123.12.14.8
    Source: unknownTCP traffic detected without corresponding DNS query: 60.173.87.20
    Source: unknownTCP traffic detected without corresponding DNS query: 148.216.197.233
    Source: unknownTCP traffic detected without corresponding DNS query: 62.26.241.157
    Source: unknownTCP traffic detected without corresponding DNS query: 180.19.155.94
    Source: unknownTCP traffic detected without corresponding DNS query: 185.140.46.7
    Source: unknownTCP traffic detected without corresponding DNS query: 152.64.186.78
    Source: unknownTCP traffic detected without corresponding DNS query: 67.187.89.149
    Source: unknownTCP traffic detected without corresponding DNS query: 141.115.0.49
    Source: unknownTCP traffic detected without corresponding DNS query: 9.137.234.67
    Source: unknownTCP traffic detected without corresponding DNS query: 156.47.130.141
    Source: unknownTCP traffic detected without corresponding DNS query: 165.146.155.109
    Source: unknownTCP traffic detected without corresponding DNS query: 218.132.15.181
    Source: unknownTCP traffic detected without corresponding DNS query: 119.7.98.20
    Source: unknownTCP traffic detected without corresponding DNS query: 163.148.235.64
    Source: unknownTCP traffic detected without corresponding DNS query: 169.231.176.193
    Source: unknownTCP traffic detected without corresponding DNS query: 209.108.255.11
    Source: seWzsbHlCCString found in binary or memory: http://upx.sf.net
    Source: unknownDNS traffic detected: queries for: daisy.ubuntu.com

    System Summary:

    Sample tries to kill many processes (SIGKILL)
    Source: /tmp/seWzsbHlCC (PID: 5278) | SIGKILL sent: pid: 658, result: successful
    Source: /tmp/seWzsbHlCC (PID: 5278) | SIGKILL sent: pid: 720, result: successful
    Source: /tmp/seWzsbHlCC (PID: 5278) | SIGKILL sent: pid: 759, result: successful
    Source: /tmp/seWzsbHlCC (PID: 5278) | SIGKILL sent: pid: 772, result: successful
    Source: /tmp/seWzsbHlCC (PID: 5278) | SIGKILL sent: pid: 789, result: successful
    Source: /tmp/seWzsbHlCC (PID: 5278) | SIGKILL sent: pid: 800, result: successful
    Source: /tmp/seWzsbHlCC (PID: 5278) | SIGKILL sent: pid: 904, result: successful
    Source: /tmp/seWzsbHlCC (PID: 5278) | SIGKILL sent: pid: 936, result: successful
    Source: /tmp/seWzsbHlCC (PID: 5278) | SIGKILL sent: pid: 1320, result: successful
    Source: /tmp/seWzsbHlCC (PID: 5278) | SIGKILL sent: pid: 1334, result: successful
    Source: /tmp/seWzsbHlCC (PID: 5278) | SIGKILL sent: pid: 1335, result: successful
    Source: /tmp/seWzsbHlCC (PID: 5278) | SIGKILL sent: pid: 1389, result: successful
    Source: /tmp/seWzsbHlCC (PID: 5278) | SIGKILL sent: pid: 1809, result: successful
    Source: /tmp/seWzsbHlCC (PID: 5278) | SIGKILL sent: pid: 1872, result: successful
    Source: /tmp/seWzsbHlCC (PID: 5278) | SIGKILL sent: pid: 1888, result: successful
    Source: /tmp/seWzsbHlCC (PID: 5278) | SIGKILL sent: pid: 2048, result: successful
    Source: LOAD without section mappings | Program segment: 0x8000
    Source: seWzsbHlCC, type: SAMPLE | Matched rule: SUSP_ELF_LNX_UPX_Compressed_File date = 2018-12-12, author = Florian Roth, description = Detects a suspicious ELF binary with UPX compression, reference = Internal Research, score = 038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4
    Source: classification engine | Classification label: mal88.spre.troj.evad.lin@0/9@2/0

    Data Obfuscation:

    Sample is packed with UPX
    Source: initial sample | String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
    Source: initial sample | String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
    Source: initial sample | String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $

    Persistence and Installation Behavior:

    Deletes all firewall rules
    Source: /bin/sh (PID: 5304) | Args: iptables -F
    Sample reads /proc/mounts (often used for finding a writable filesystem)
    Source: /bin/fusermount (PID: 5494) | File: /proc/5494/mounts
    Source: /bin/sh (PID: 5310) | Pkill executable: /usr/bin/pkill -> pkill -9 busybox
    Source: /bin/sh (PID: 5319) | Pkill executable: /usr/bin/pkill -> pkill -9 perl
    Source: /bin/sh (PID: 5322) | Pkill executable: /usr/bin/pkill -> pkill -9 python
    Source: /usr/share/gdm/generate-config (PID: 5489) | Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
    Source: /usr/share/gdm/generate-config (PID: 5573) | Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
    Source: /bin/sh (PID: 5473) | Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
    Source: /bin/sh (PID: 5475) | Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
    Source: /bin/sh (PID: 5477) | Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
    Source: /bin/sh (PID: 5479) | Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
    Source: /bin/sh (PID: 5481) | Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
    Source: /bin/sh (PID: 5483) | Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
    Source: /bin/sh (PID: 5485) | Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
    Source: /bin/sh (PID: 5487) | Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
    Source: /bin/sh (PID: 5556) | Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
    Source: /bin/sh (PID: 5558) | Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
    Source: /bin/sh (PID: 5560) | Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
    Source: /bin/sh (PID: 5562) | Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
    Source: /bin/sh (PID: 5564) | Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
    Source: /bin/sh (PID: 5566) | Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
    Source: /bin/sh (PID: 5569) | Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
    Source: /bin/sh (PID: 5571) | Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/5382/status
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/5382/cmdline
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/3088/status
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/3088/cmdline
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/230/status
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/230/cmdline
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/110/status
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/110/cmdline
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/231/status
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/231/cmdline
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/111/status
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/111/cmdline
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/232/status
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/232/cmdline
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/112/status
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/112/cmdline
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/233/status
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/233/cmdline
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/1699/status
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/1699/cmdline
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/113/status
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/113/cmdline
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/234/status
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/234/cmdline
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/114/status
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/114/cmdline
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/235/status
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/235/cmdline
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/1334/status
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/1334/cmdline
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/115/status
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/115/cmdline
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/236/status
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/236/cmdline
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/116/status
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/116/cmdline
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/237/status
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/237/cmdline
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/117/status
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/117/cmdline
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/118/status
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/118/cmdline
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/910/status
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/910/cmdline
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/119/status
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/119/cmdline
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/912/status
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/912/cmdline
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/10/status
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/10/cmdline
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/11/status
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/11/cmdline
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/918/status
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/918/cmdline
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/12/status
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/12/cmdline
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/5152/status
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/5152/cmdline
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/13/status
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/13/cmdline
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/14/status
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/14/cmdline
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/15/status
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/15/cmdline
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/16/status
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/16/cmdline
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/17/status
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/17/cmdline
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/18/status
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/18/cmdline
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/120/status
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/120/cmdline
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/121/status
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/121/cmdline
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/1349/status
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/1349/cmdline
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/1/status
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/1/cmdline
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/122/status
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/122/cmdline
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/243/status
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/243/cmdline
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/123/status
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/123/cmdline
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/2/status
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/2/cmdline
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/124/status
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/124/cmdline
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/3/status
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/3/cmdline
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/4/status
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/4/cmdline
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/125/status
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/125/cmdline
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/126/status
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/126/cmdline
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/1344/status
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/1344/cmdline
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/127/status
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/127/cmdline
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/6/status
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/6/cmdline
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/248/status
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/248/cmdline
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/128/status
    Source: /usr/bin/pkill (PID: 5573) | File opened: /proc/128/cmdline
    Source: /usr/bin/whoopsie (PID: 5382) | Directory: /nonexistent/.cache
    Source: /bin/sh (PID: 5336) | Iptables executable: /sbin/iptables -> /sbin/iptables -F
    Source: /bin/sh (PID: 5337) | Iptables executable: /sbin/iptables -> /sbin/iptables -X
    Source: /usr/bin/whoopsie (PID: 5382) | File: /var/crash (bits: gv usr: rwx grp: rwx all: rwx)
    Source: /usr/sbin/gdm3 (PID: 5510) | File: /var/run/gdm3 (bits: - usr: -x grp: x all: rwx)
    Source: /usr/sbin/gdm3 (PID: 5510) | File: /var/log/gdm3 (bits: - usr: -x grp: x all: rwx)
    Source: /usr/sbin/gdm3 (PID: 5582) | File: /var/run/gdm3 (bits: - usr: -x grp: x all: rwx)
    Source: /usr/sbin/gdm3 (PID: 5582) | File: /var/log/gdm3 (bits: - usr: -x grp: x all: rwx)
    Source: /tmp/seWzsbHlCC (PID: 5284) | Shell command executed: sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"
    Source: /tmp/seWzsbHlCC (PID: 5293) | Shell command executed: sh -c "rm -rf /var/log/wtmp"
    Source: /tmp/seWzsbHlCC (PID: 5296) | Shell command executed: sh -c "rm -rf /tmp/*"
    Source: /tmp/seWzsbHlCC (PID: 5299) | Shell command executed: sh -c "rm -rf /bin/netstat"
    Source: /tmp/seWzsbHlCC (PID: 5302) | Shell command executed: sh -c "iptables -F"
    Source: /tmp/seWzsbHlCC (PID: 5308) | Shell command executed: sh -c "pkill -9 busybox"
    Source: /tmp/seWzsbHlCC (PID: 5317) | Shell command executed: sh -c "pkill -9 perl"
    Source: /tmp/seWzsbHlCC (PID: 5320) | Shell command executed: sh -c "pkill -9 python"
    Source: /tmp/seWzsbHlCC (PID: 5325) | Shell command executed: sh -c "service iptables stop"
    Source: /tmp/seWzsbHlCC (PID: 5334) | Shell command executed: sh -c "/sbin/iptables -F; /sbin/iptables -X"
    Source: /tmp/seWzsbHlCC (PID: 5338) | Shell command executed: sh -c "service firewalld stop"
    Source: /tmp/seWzsbHlCC (PID: 5349) | Shell command executed: sh -c "rm -rf ~/.bash_history"
    Source: /tmp/seWzsbHlCC (PID: 5352) | Shell command executed: sh -c "history -c"
    Source: /usr/bin/gpu-manager (PID: 5472) | Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
    Source: /usr/bin/gpu-manager (PID: 5474) | Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
    Source: /usr/bin/gpu-manager (PID: 5476) | Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"
    Source: /usr/bin/gpu-manager (PID: 5478) | Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf"
    Source: /usr/bin/gpu-manager (PID: 5480) | Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf"
    Source: /usr/bin/gpu-manager (PID: 5482) | Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /lib/modprobe.d/*.conf"
    Source: /usr/bin/gpu-manager (PID: 5484) | Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /etc/modprobe.d/*.conf"
    Source: /usr/bin/gpu-manager (PID: 5486) | Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /lib/modprobe.d/*.conf"
    Source: /usr/bin/gpu-manager (PID: 5555)Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"Jump to behavior
    Source: /usr/bin/gpu-manager (PID: 5557)Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"Jump to behavior
    Source: /usr/bin/gpu-manager (PID: 5559)Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"Jump to behavior
    Source: /usr/bin/gpu-manager (PID: 5561)Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf"Jump to behavior
    Source: /usr/bin/gpu-manager (PID: 5563)Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf"Jump to behavior
    Source: /usr/bin/gpu-manager (PID: 5565)Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /lib/modprobe.d/*.conf"Jump to behavior
    Source: /usr/bin/gpu-manager (PID: 5568)Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /etc/modprobe.d/*.conf"Jump to behavior
    Source: /usr/bin/gpu-manager (PID: 5570)Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /lib/modprobe.d/*.conf"Jump to behavior
    Source: /bin/sh (PID: 5286)Rm executable: /usr/bin/rm -> rm -rf /tmp/config-err-dHT8bZ /tmp/dmesgtail.log /tmp/seWzsbHlCC /tmp/snap.lxd /tmp/ssh-hOQ5FjG2iVgO /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-c4RYFi /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-gKIF8e /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-gB0a9f /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-APWnLg /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-IofUpj /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-AfPZzg /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-x0xO0i /tmp/vmware-root_721-4290559889 /var/backups /var/cache /var/crash /var/lib /var/local /var/lock /var/log /var/mail /var/metrics /var/opt /var/run /var/snap /var/spool /var/tmp /var/run/NetworkManager /var/run/acpid.pid /var/run/acpid.socket /var/run/apport.lock /var/run/avahi-daemon /var/run/blkid /var/run/cloud-init /var/run/console-setup /var/run/crond.pid /var/run/crond.reboot /var/run/cryptsetup /var/run/cups /var/run/dbus /var/run/dmeventd-client /var/run/dmeventd-server /var/run/gdm3 /var/run/gdm3.pid /var/run/initctl /var/run/initramfs /var/run/irqbalance /var/run/lock /var/run/log /var/run/lvm /var/run/mlocate.daily.lock /var/run/mono-xsp4 /var/run/mono-xsp4.pid /var/run/motd.d /var/run/mount /var/run/multipathd.pid /var/run/netns /var/run/network /var/run/screen /var/run/sendsigs.omit.d /var/run/shm /var/run/snapd /var/run/snapd-snap.socket /var/run/snapd.socket /var/run/speech-dispatcher /var/run/spice-vdagentd /var/run/sshd /var/run/sshd.pid /var/run/sudo /var/run/systemd /var/run/tmpfiles.d /var/run/udev /var/run/udisks2 /var/run/unattended-upgrades.lock /var/run/user /var/run/utmp /var/run/uuidd /var/run/vmware /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-J6Q1Te 
/var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-srP90f /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-biJ0Gi /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-1jIxdj /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-llmWag /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-X16eHh /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-GpSnafJump to behavior
    Source: /bin/sh (PID: 5295)Rm executable: /usr/bin/rm -> rm -rf /var/log/wtmpJump to behavior
    Source: /bin/sh (PID: 5298)Rm executable: /usr/bin/rm -> rm -rf /tmp/*Jump to behavior
    Source: /bin/sh (PID: 5301)Rm executable: /usr/bin/rm -> rm -rf /bin/netstatJump to behavior
    Source: /bin/sh (PID: 5351)Rm executable: /usr/bin/rm -> rm -rf /root/.bash_historyJump to behavior
    Source: /usr/bin/gpu-manager (PID: 5554)Log file created: /var/log/gpu-manager.logJump to dropped file
    Source: /usr/sbin/service (PID: 5333)Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/pJump to behavior
    Source: /usr/sbin/service (PID: 5346)Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/pJump to behavior
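The shell commands above form a recognisable anti-forensics chain: wipe /tmp and /var, truncate wtmp, remove netstat, flush and stop the firewall, kill rival bots (busybox, perl, python) and clear the shell history. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it parses event lines in the report's "Shell command executed" form (the input list is constructed to mirror the entries above and includes one benign gpu-manager grep as a negative control), splits each sh -c payload into simple commands, classifies them, and declares a chain once one image has hit three categories. The category names, the threshold and every helper name are this example's own choices.

```python
"""Classify sandbox "Shell command executed" events into evasion categories.

Added example, not from the report or the sample.  The event lines below are
constructed to mirror the report's entries; category names, the chain
threshold and all helper names are this example's own choices.
"""
import re
import shlex
from collections import defaultdict

# Constructed events in the report's own line format (one benign gpu-manager
# grep included as a negative control).
SAMPLE_EVENTS = [
    'Source: /tmp/seWzsbHlCC (PID: 5284) Shell command executed: sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"',
    'Source: /tmp/seWzsbHlCC (PID: 5293) Shell command executed: sh -c "rm -rf /var/log/wtmp"',
    'Source: /tmp/seWzsbHlCC (PID: 5299) Shell command executed: sh -c "rm -rf /bin/netstat"',
    'Source: /tmp/seWzsbHlCC (PID: 5302) Shell command executed: sh -c "iptables -F"',
    'Source: /tmp/seWzsbHlCC (PID: 5308) Shell command executed: sh -c "pkill -9 busybox"',
    'Source: /tmp/seWzsbHlCC (PID: 5325) Shell command executed: sh -c "service iptables stop"',
    'Source: /tmp/seWzsbHlCC (PID: 5334) Shell command executed: sh -c "/sbin/iptables -F; /sbin/iptables -X"',
    'Source: /tmp/seWzsbHlCC (PID: 5349) Shell command executed: sh -c "rm -rf ~/.bash_history"',
    'Source: /tmp/seWzsbHlCC (PID: 5352) Shell command executed: sh -c "history -c"',
    'Source: /usr/bin/gpu-manager (PID: 5472) Shell command executed: sh -c "grep -G \\"^blacklist.*nvidia[[:space:]]*$\\" /etc/modprobe.d/*.conf"',
]

EVENT_RE = re.compile(
    r'^Source: (?P<image>\S+) \(PID: (?P<pid>\d+)\) Shell command executed: sh -c "(?P<cmd>.*)"$'
)

LOG_MARKERS = ("/var/log", "wtmp", "btmp", "lastlog", ".bash_history")
TOOL_PATHS = {"/bin/netstat", "/usr/bin/netstat", "/bin/ps", "/usr/bin/ps", "/bin/ss", "/usr/bin/ss"}


def parse_event(line):
    """Return (image, pid, sh -c payload), or None for lines of another shape."""
    m = EVENT_RE.match(line)
    return (m["image"], int(m["pid"]), m["cmd"]) if m else None


def split_commands(payload):
    """Split a sh -c payload on ; && || and tokenise each simple command."""
    commands = []
    for part in re.split(r";|&&|\|\|", payload):
        part = part.strip()
        if not part:
            continue
        try:
            argv = shlex.split(part)
        except ValueError:            # unbalanced quotes: fall back to whitespace split
            argv = part.split()
        if argv:
            commands.append(argv)
    return commands


def classify(argv):
    """Map one simple command to an evasion category, or None if benign."""
    prog = argv[0].rsplit("/", 1)[-1]
    args = argv[1:]
    targets = [a for a in args if not a.startswith("-")]
    if prog in ("iptables", "ip6tables") and ("-F" in args or "-X" in args):
        return "firewall_disable"
    if prog == "service" and targets[:2] in (["iptables", "stop"], ["firewalld", "stop"]):
        return "firewall_disable"
    if prog == "history" and "-c" in args:
        return "log_wipe"
    if prog == "rm":
        if any(marker in t for t in targets for marker in LOG_MARKERS):
            return "log_wipe"
        if any(t in TOOL_PATHS for t in targets):
            return "tool_removal"
        if any(t.endswith("/*") and t.startswith(("/tmp", "/var")) for t in targets):
            return "mass_deletion"
    if prog in ("pkill", "killall") and "-9" in args and targets:
        return "process_kill"
    return None


def analyze(lines):
    """Group findings per source image as a list of (pid, category, command)."""
    findings = defaultdict(list)
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        image, pid, payload = parsed
        for argv in split_commands(payload):
            category = classify(argv)
            if category:
                findings[image].append((pid, category, " ".join(argv)))
    return dict(findings)


def verdict(findings, image, min_categories=3):
    """Call it an anti-forensics chain once one image spans enough categories."""
    categories = {c for _, c, _ in findings.get(image, [])}
    return "anti-forensics chain" if len(categories) >= min_categories else "no chain"


if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for image, hits in result.items():
        print(image, verdict(result, image))
        for pid, category, command in hits:
            print(f"  pid={pid} {category:<17} {command}")
```

Splitting on ";" matters: the single event for PID 5334 carries two iptables invocations, and a classifier that looks only at the first token of the payload would see "/sbin/iptables" once. The gpu-manager grep parses cleanly (shlex unescapes the \" sequences) and yields no category, which is the behaviour wanted for the analysis VM's own noise.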

    Hooking and other Techniques for Hiding and Protection:

    Sample deletes itself
    Source: /usr/bin/rm (PID: 5286) File: /tmp/seWzsbHlCC
    Uses known network protocols on non-standard ports
    Source: unknown. Network traffic detected: HTTP traffic on port 23 -> client ports 43188, 43194, 43206, 43214, 43222, 43236, 43246, 43254, 43264, 43272, 43282, 43290, 43296, 43304, 43314, 43318, 43322, 43326, 43334, 43342, 43352, 43370, 43390, 43408, 43422, 43438, 43452, 43462, 57916, 57924, 57932, 57948, 57964, 57976, 57998, 58022, 58042, 58068, 58092, 58116, 58136, 58150, 58164, 58172, 58180, 58184, 58192, 58198, 58210, 58218, 58222, 58228, 58234, 58238, 58242, 58248 (56 connections).
    Port 23 is the registered telnet port; "HTTP" is the sandbox's own protocol label for these flows. Each distinct client port is a separate outbound TCP connection, so the two runs of rising port numbers (43188 to 43462 and 57916 to 58248) are two bursts of fresh connections toward 23/tcp, the sweep pattern of a Mirai-family telnet scanner.
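The report's traffic lines above carry only the destination port and the client port, so on their own they show that many fresh sockets were opened toward 23/tcp but not where. What a network sensor sees is the full flow record, and the distinguishing feature of a telnet worm is one source reaching many distinct hosts on the same port in a short window (a horizontal sweep), as opposed to one source probing many ports on one host (a vertical scan). The Python below is an added example, not part of the Joe Sandbox report or of the sample: it extracts the (destination port, client port) pairs from lines in the report's format, and runs a sliding-window scan detector over flow records that are constructed here with RFC 5737 documentation addresses. Thresholds, the window size and all names are this example's own choices.

```python
"""Flag horizontal (worm-style) and vertical port scans in connection records.

Added example, not from the report or the sample.  Flow records are
constructed with RFC 5737 documentation addresses; thresholds and names are
this example's own choices.
"""
import re
from collections import defaultdict

REPORT_RE = re.compile(r"traffic on port (?P<dport>\d+) -> (?P<sport>\d+)")


def report_sockets(lines):
    """Pull (dst_port, src_port) out of the report's one-sided traffic lines."""
    return [(int(m["dport"]), int(m["sport"])) for m in map(REPORT_RE.search, lines) if m]


def build_sample_flows():
    """Constructed flows: (timestamp_s, src_ip, src_port, dst_ip, dst_port)."""
    flows = []
    # A bot sweeping 40 neighbours on 23/tcp with rising ephemeral ports, the
    # shape of the report's "port 23 -> 43188, 43194, ..." entries.
    for i in range(40):
        flows.append((100.0 + 0.05 * i, "192.0.2.10", 43188 + 6 * i, f"198.51.100.{i + 1}", 23))
    # Ordinary client traffic that must not be flagged.
    for i in range(5):
        flows.append((100.0 + i, "192.0.2.20", 51000 + i, "203.0.113.7", 443))
    # A vertical scan: one source probing many ports on one target.
    for p in (21, 22, 23, 80, 443, 2323, 3389, 5555, 7547, 8000, 8080, 8443):
        flows.append((200.0 + 0.01 * p, "192.0.2.30", 50000 + p, "203.0.113.9", p))
    return flows


def detect_scans(flows, window_s=10.0, min_targets=16, min_ports=10):
    """Return sorted (src_ip, kind, detail) alerts.

    horizontal: one source reaches >= min_targets distinct hosts on one
    destination port inside some window_s span (the telnet-sweep pattern).
    vertical:   one source touches >= min_ports distinct ports on one host.
    """
    by_src_dport = defaultdict(list)   # (src, dport) -> [(ts, dst)]
    by_pair = defaultdict(set)         # (src, dst)   -> {dport}
    for ts, src, _sport, dst, dport in flows:
        by_src_dport[(src, dport)].append((ts, dst))
        by_pair[(src, dst)].add(dport)

    alerts = []
    for (src, dport), hits in by_src_dport.items():
        hits.sort()
        best, lo = 0, 0
        for hi in range(len(hits)):               # sliding time window
            while hits[hi][0] - hits[lo][0] > window_s:
                lo += 1
            best = max(best, len({dst for _, dst in hits[lo:hi + 1]}))
        if best >= min_targets:
            alerts.append((src, "horizontal", f"{best} hosts on tcp/{dport} within {window_s:g}s"))
    for (src, dst), ports in by_pair.items():
        if len(ports) >= min_ports:
            alerts.append((src, "vertical", f"{len(ports)} ports on {dst}"))
    return sorted(alerts)


if __name__ == "__main__":
    for src, kind, detail in detect_scans(build_sample_flows()):
        print(f"{src:<12} {kind:<10} {detail}")
```

The horizontal rule counts distinct destination hosts, not packets, so a legitimate client that reconnects to the same server many times (the 192.0.2.20 flows) never trips it; a worm that touches each address once does.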

    Malware Analysis System Evasion:

    Deletes security-related log files
    Source: /usr/bin/rm (PID: 5295) Truncated file: /var/log/wtmp
    Source: /usr/bin/pkill (PID: 5310) Reads CPU info from /sys: /sys/devices/system/cpu/online
    Source: /usr/bin/pkill (PID: 5319) Reads CPU info from /sys: /sys/devices/system/cpu/online
    Source: /usr/bin/pkill (PID: 5322) Reads CPU info from /sys: /sys/devices/system/cpu/online
    Source: /usr/bin/pulseaudio (PID: 5446) Reads CPU info from /sys: /sys/devices/system/cpu/online
    Source: /usr/bin/pkill (PID: 5489) Reads CPU info from /sys: /sys/devices/system/cpu/online
    Source: /usr/bin/pkill (PID: 5573) Reads CPU info from /sys: /sys/devices/system/cpu/online
    Source: /tmp/seWzsbHlCC (PID: 5271) Queries kernel information via 'uname'
    Source: /usr/bin/whoopsie (PID: 5382) Queries kernel information via 'uname'
    Source: /usr/bin/pulseaudio (PID: 5446) Queries kernel information via 'uname'
    Source: /usr/bin/gpu-manager (PID: 5471) Queries kernel information via 'uname'
    Source: /usr/bin/gpu-manager (PID: 5554) Queries kernel information via 'uname'
    Source: /usr/bin/rm (PID: 5295) Truncated file: /var/log/wtmp
    Source: /usr/bin/gpu-manager (PID: 5471) Truncated file: /var/log/gpu-manager.log
    Source: /usr/bin/gpu-manager (PID: 5554) Truncated file: /var/log/gpu-manager.log
    Source: seWzsbHlCC, 5271.1.00000000360bfc1e.00000000b0787897.rw-.sdmp, seWzsbHlCC, 5273.1.00000000360bfc1e.00000000b0787897.rw-.sdmp, seWzsbHlCC, 5275.1.00000000360bfc1e.00000000b0787897.rw-.sdmp, seWzsbHlCC, 5278.1.00000000360bfc1e.00000000b0787897.rw-.sdmp, seWzsbHlCC, 5280.1.00000000360bfc1e.00000000b0787897.rw-.sdmp, seWzsbHlCC, 5282.1.00000000360bfc1e.00000000b0787897.rw-.sdmp. Binary or memory string: Vx86_64/usr/bin/qemu-arm/tmp/seWzsbHlCCSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/seWzsbHlCC
    Source: seWzsbHlCC, 5271.1.000000006c8a81d0.000000004040623b.rw-.sdmp, seWzsbHlCC, 5273.1.000000006c8a81d0.000000004040623b.rw-.sdmp, seWzsbHlCC, 5275.1.000000006c8a81d0.000000004040623b.rw-.sdmp, seWzsbHlCC, 5278.1.000000006c8a81d0.000000004040623b.rw-.sdmp, seWzsbHlCC, 5280.1.000000006c8a81d0.000000004040623b.rw-.sdmp, seWzsbHlCC, 5282.1.000000006c8a81d0.000000004040623b.rw-.sdmp. Binary or memory string: U!/etc/qemu-binfmt/arm
    Source: seWzsbHlCC, 5278.1.000000004040623b.00000000812fe279.rw-.sdmp. Binary or memory string: /usr/bin/vmtoolsd
    Source: seWzsbHlCC, 5278.1.000000004040623b.00000000812fe279.rw-.sdmp. Binary or memory string: !/proc/1586/exe0!/usr/bin/vmtoolsd1P
    Source: seWzsbHlCC, 5271.1.000000006c8a81d0.000000004040623b.rw-.sdmp, seWzsbHlCC, 5273.1.000000006c8a81d0.000000004040623b.rw-.sdmp, seWzsbHlCC, 5275.1.000000006c8a81d0.000000004040623b.rw-.sdmp, seWzsbHlCC, 5278.1.000000006c8a81d0.000000004040623b.rw-.sdmp, seWzsbHlCC, 5280.1.000000006c8a81d0.000000004040623b.rw-.sdmp, seWzsbHlCC, 5282.1.000000006c8a81d0.000000004040623b.rw-.sdmp. Binary or memory string: /etc/qemu-binfmt/arm
    Source: seWzsbHlCC, 5271.1.00000000360bfc1e.00000000b0787897.rw-.sdmp, seWzsbHlCC, 5273.1.00000000360bfc1e.00000000b0787897.rw-.sdmp, seWzsbHlCC, 5275.1.00000000360bfc1e.00000000b0787897.rw-.sdmp, seWzsbHlCC, 5278.1.00000000360bfc1e.00000000b0787897.rw-.sdmp, seWzsbHlCC, 5280.1.00000000360bfc1e.00000000b0787897.rw-.sdmp, seWzsbHlCC, 5282.1.00000000360bfc1e.00000000b0787897.rw-.sdmp. Binary or memory string: /usr/bin/qemu-arm

    Triage note: the /sys/devices/system/cpu/online reads belong to pkill (spawned by the sample's "pkill -9" commands) and to pulseaudio, not to the sample; glibc reads that file to answer sysconf(_SC_NPROCESSORS_ONLN), so this hit is library noise rather than evasion. The qemu-arm, /etc/qemu-binfmt/arm, vmtoolsd and SUDO_* strings describe the analysis environment (the ARM binary was run under QEMU user-mode emulation inside a VMware guest, launched through sudo) and are not strings the sample carries; they are unusable as indicators.

    Stealing of Sensitive Information:

    Yara detected Mirai
    Source: Yara match. File source: dump.pcap, type: PCAP

    Remote Access Functionality:

    Yara detected Mirai
    Source: Yara match. File source: dump.pcap, type: PCAP

    Mitre Att&ck Matrix

    Techniques listed per tactic. The number after a technique is the count of this report's signatures mapped to it; techniques without a number are the matrix's unmatched defaults.

    Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
    Execution: Command and Scripting Interpreter (1), Scripting (1), At (Linux), At (Windows), Cron, Launchd, Scheduled Task, Command and Scripting Interpreter
    Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job
    Privilege Escalation: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job
    Defense Evasion: File and Directory Permissions Modification (1), Disable or Modify Tools (1), Scripting (1), Hidden Files and Directories (1), Obfuscated Files or Information (1), Disable or Modify System Firewall (1), Indicator Removal on Host (11), File Deletion (11)
    Credential Access: OS Credential Dumping (1), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
    Discovery: Security Software Discovery (11), System Network Configuration Discovery (1), File and Directory Discovery (1), System Information Discovery (1), Remote System Discovery, System Owner/User Discovery, Network Sniffing, Network Service Scanning
    Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot
    Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
    Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol
    Command and Control: Encrypted Channel (1), Non-Standard Port (11), Non-Application Layer Protocol (1), Application Layer Protocol (2), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
    Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols
    Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
    Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue

    Malware Configuration

    No configs have been found

    Behavior Graph

    [Behaviour graph rendered as an image in the original; the node text that survives is summarised here.]
    Behavior Graph ID: 528748. Sample: seWzsbHlCC. Start date: 25/11/2021. Architecture: LINUX. Score: 88.
    Network nodes: 98.19.126.248 (WINDSTREAMUS, United States); 200.83.48.33 port 23 (VTRBANDAANCHASACL, Chile); 99 other IPs or domains.
    Signature nodes: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Yara detected Mirai; Connects to many ports of the same IP (likely port scanning); 2 other signatures.
    Process nodes: seWzsbHlCC started; systemd -> gpu-manager started (two instances); 15 other processes; seWzsbHlCC -> seWzsbHlCC (two child instances); gpu-manager -> sh