Linux Analysis Report SadGbSEaaD

Overview

General Information

Sample Name: SadGbSEaaD
Analysis ID: 528759
MD5: 031afe8b5c0562d8f256cd4c1ba70eac
SHA1: 7ab79aaa20d216648c6197e89e02e7244511c326
SHA256: 8a2b9ef42d6da1cf4216252b5d5354013c439a9cd88ac992a1c953b744ef79cd
Tags: 32 elf mips mirai

Detection

Score: 72
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Sample tries to kill many processes (SIGKILL)
Deletes all firewall rules
Sample deletes itself
Sample is packed with UPX
Deletes security-related log files
Sample reads /proc/mounts (often used for finding a writable filesystem)
Executes the "kill" or "pkill" command typically used to terminate processes
Sample contains only a LOAD segment without any section mappings
Reads CPU information from /sys indicative of miner or evasive malware
Yara signature match
Executes the "grep" command used to find patterns in files or piped streams
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Deletes log files
Creates hidden files and/or directories
Executes the "iptables" command used for managing IP filtering and manipulation
Sample tries to set the executable flag
Executes commands using a shell command-line interpreter
Executes the "rm" command used to delete files or directories

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: SadGbSEaaD Virustotal: Detection: 20%

Bitcoin Miner:

Reads CPU information from /sys indicative of miner or evasive malware
Source: /usr/bin/pkill (PID: 5267) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5270) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5275) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 5386) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5428) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5529) Reads CPU info from /sys: /sys/devices/system/cpu/online
Note: every hit above comes from pkill (spawned by the sample's "pkill -9" commands) or from pulseaudio (the sandbox desktop), not from the sample binary itself. Reading /sys/devices/system/cpu/online is what glibc's sysconf(_SC_NPROCESSORS_ONLN) does to count CPUs, so on its own this is not evidence of mining.

Networking:

Deletes all firewall rules
Source: /bin/sh (PID: 5261) Args: iptables -F
Sample listens on a socket
Source: /tmp/SadGbSEaaD (PID: 5230) Socket: 0.0.0.0::23
Source: /usr/sbin/sshd (PID: 5348) Socket: 0.0.0.0::22
Source: /usr/sbin/sshd (PID: 5348) Socket: [::]::22
Note: only the 0.0.0.0:23 listener belongs to the sample; the port 22 sockets are the sandbox's own sshd.
Executes the "iptables" command used for managing IP filtering and manipulation
Source: /bin/sh (PID: 5290) Iptables executable: /sbin/iptables -> /sbin/iptables -F
Source: /bin/sh (PID: 5291) Iptables executable: /sbin/iptables -> /sbin/iptables -X
Source: SadGbSEaaD String found in binary or memory: http://upx.sf.net (the UPX packer banner, see Data Obfuscation; not a contacted host)

System Summary:

Sample tries to kill many processes (SIGKILL)
Source: /tmp/SadGbSEaaD (PID: 5230) SIGKILL sent: pid: 658, result: successful
Source: /tmp/SadGbSEaaD (PID: 5230) SIGKILL sent: pid: 720, result: successful
Source: /tmp/SadGbSEaaD (PID: 5230) SIGKILL sent: pid: 759, result: successful
Source: /tmp/SadGbSEaaD (PID: 5230) SIGKILL sent: pid: 772, result: successful
Source: /tmp/SadGbSEaaD (PID: 5230) SIGKILL sent: pid: 789, result: successful
Source: /tmp/SadGbSEaaD (PID: 5230) SIGKILL sent: pid: 800, result: successful
Source: /tmp/SadGbSEaaD (PID: 5230) SIGKILL sent: pid: 904, result: successful
Source: /tmp/SadGbSEaaD (PID: 5230) SIGKILL sent: pid: 936, result: successful
Source: /tmp/SadGbSEaaD (PID: 5230) SIGKILL sent: pid: 1320, result: successful
Source: /tmp/SadGbSEaaD (PID: 5230) SIGKILL sent: pid: 1334, result: successful
Source: /tmp/SadGbSEaaD (PID: 5230) SIGKILL sent: pid: 1335, result: successful
Source: /tmp/SadGbSEaaD (PID: 5230) SIGKILL sent: pid: 1389, result: successful
Source: /tmp/SadGbSEaaD (PID: 5230) SIGKILL sent: pid: 1809, result: successful
Source: /tmp/SadGbSEaaD (PID: 5230) SIGKILL sent: pid: 1872, result: successful
Source: /tmp/SadGbSEaaD (PID: 5230) SIGKILL sent: pid: 1888, result: successful
Source: /tmp/SadGbSEaaD (PID: 5230) SIGKILL sent: pid: 2048, result: successful
Sample contains only a LOAD segment without any section mappings
Source: LOAD without section mappings Program segment: 0x100000
Yara signature match
Source: SadGbSEaaD, type: SAMPLE Matched rule: SUSP_ELF_LNX_UPX_Compressed_File date = 2018-12-12, author = Florian Roth, description = Detects a suspicious ELF binary with UPX compression, reference = Internal Research, score = 038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4
Sample tries to kill a process (SIGKILL)
Source: /tmp/SadGbSEaaD (PID: 5230) SIGKILL sent: the same 16 events (pids 658 through 2048) as listed under "Sample tries to kill many processes (SIGKILL)" above
Source: classification engine Classification label: mal72.spre.troj.evad.lin@0/9@0/0

Data Obfuscation:

Sample is packed with UPX
Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $
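The two static findings above, a program-header table made only of PT_LOAD entries with no section headers (e_shnum == 0) and the UPX banner strings, are cheap to check before a sample is ever detonated. The Python below is an added example and is not part of the Joe Sandbox report or of the sample: it parses the ELF header and program headers for ELF32 and ELF64 in either byte order and scans the file body for UPX markers. The bytes it builds for itself are constructed to mimic the reported layout (ELF32, big-endian MIPS, one PT_LOAD at 0x100000, no section headers) and are not the real file; the clean ELF64 control is likewise synthetic.

```python
"""Static pre-triage for the report's two structural findings: a program-header
table consisting only of PT_LOAD entries with no section headers (e_shnum == 0),
and the UPX banner in the file body. Standard library only; ELF32/ELF64, LE/BE."""
import struct

PT_LOAD = 1
UPX_MARKERS = (b"UPX!", b"$Info: This file is packed with the UPX executable packer")
EM_NAMES = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64"}

# EI_CLASS -> (header format after e_ident, program-header format, program-header fields)
LAYOUT = {
    1: ("HHIIIIIHHHHHH", "8I",
        ("p_type", "p_offset", "p_vaddr", "p_paddr", "p_filesz", "p_memsz", "p_flags", "p_align")),
    2: ("HHIQQQIHHHHHH", "IIQQQQQQ",
        ("p_type", "p_flags", "p_offset", "p_vaddr", "p_paddr", "p_filesz", "p_memsz", "p_align")),
}


def parse_elf(data: bytes) -> dict:
    """Return class/endianness/machine, e_shnum and the program-header table.
    Raises ValueError for anything that is not a well-formed ELF prefix."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in LAYOUT or ei_data not in (1, 2):
        raise ValueError("unsupported EI_CLASS/EI_DATA")
    end = "<" if ei_data == 1 else ">"
    ehdr_fmt, phdr_fmt, phdr_fields = LAYOUT[ei_class]
    (e_type, e_machine, _ver, _entry, e_phoff, _shoff, _flags, _ehsize,
     e_phentsize, e_phnum, _shentsize, e_shnum, _shstrndx) = struct.unpack_from(end + ehdr_fmt, data, 16)
    phdr_size = struct.calcsize(end + phdr_fmt)
    segments = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + phdr_size > len(data):
            raise ValueError("program header table runs past end of file")
        segments.append(dict(zip(phdr_fields, struct.unpack_from(end + phdr_fmt, data, off))))
    return {"bits": 32 if ei_class == 1 else 64, "endian": "little" if ei_data == 1 else "big",
            "machine": EM_NAMES.get(e_machine, hex(e_machine)), "e_type": e_type,
            "e_shnum": e_shnum, "segments": segments}


def triage(data: bytes) -> dict:
    """Combine the structural check with a marker scan into one verdict."""
    info = parse_elf(data)
    segs = info["segments"]
    load_only = bool(segs) and all(s["p_type"] == PT_LOAD for s in segs)
    markers = [m.decode() for m in UPX_MARKERS if m in data]
    return {**info, "load_only": load_only, "no_section_headers": info["e_shnum"] == 0,
            "upx_markers": markers,
            "packed_suspect": (load_only and info["e_shnum"] == 0) or bool(markers)}


def build_packed_sample() -> bytes:
    """Constructed ELF32 big-endian MIPS image with the reported shape: one
    PT_LOAD at 0x100000, e_shnum == 0, UPX banner in the body. Not the real sample."""
    body = (b"\x00" * 16 + b"UPX!" + b"\x00" * 12 +
            b"$Info: This file is packed with the UPX executable packer http://upx.sf.net $\x00")
    filesz = 52 + 32 + len(body)
    ehdr = struct.pack(">4sBBBB8sHHIIIIIHHHHHH", b"\x7fELF", 1, 2, 1, 0, b"\x00" * 8,
                       2, 8, 1, 0x100000, 52, 0, 0x1007, 52, 32, 1, 40, 0, 0)
    phdr = struct.pack(">8I", PT_LOAD, 0, 0x100000, 0x100000, filesz, filesz + 0x2000, 5, 0x10000)
    return ehdr + phdr + body


def build_clean_sample() -> bytes:
    """Constructed ELF64 little-endian x86-64 control: PT_PHDR + PT_LOAD, five
    section headers declared, no UPX strings. Header-only; sections are not emitted."""
    ehdr = struct.pack("<4sBBBB8sHHIQQQIHHHHHH", b"\x7fELF", 2, 1, 1, 0, b"\x00" * 8,
                       2, 62, 1, 0x401000, 64, 0x1000, 0, 64, 56, 2, 64, 5, 4)
    phdrs = struct.pack("<IIQQQQQQ", 6, 4, 64, 0x400040, 0x400040, 112, 112, 8)
    phdrs += struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, 0x400000, 0x400000, 0x1000, 0x1000, 0x1000)
    return ehdr + phdrs + b"\x00" * 64


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:] or []:
        with open(path, "rb") as fh:
            print(path, triage(fh.read()))
```

Run it as `python3 elf_triage.py /path/to/sample` to get the same verdict the two signatures above encode. A "LOAD only, no section headers" result is a strong packer hint but not proof; stripped static binaries built with some toolchains look similar, which is why the UPX marker scan is combined with it rather than replacing it.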

Persistence and Installation Behavior:

Note: entries in this section sourced from gpu-manager, gdm3, generate-config, whoopsie, fusermount and the service(8) wrapper are the sandbox's own Ubuntu userland, not the sample; the sample's activity is carried by the /tmp/SadGbSEaaD, /bin/sh, rm, pkill and iptables lines.
Deletes all firewall rules
Source: /bin/sh (PID: 5261) Args: iptables -F
Sample reads /proc/mounts (often used for finding a writable filesystem)
Source: /bin/fusermount (PID: 5433) File: /proc/5433/mounts
Executes the "kill" or "pkill" command typically used to terminate processes
Source: /bin/sh (PID: 5267) Pkill executable: /usr/bin/pkill -> pkill -9 busybox
Source: /bin/sh (PID: 5270) Pkill executable: /usr/bin/pkill -> pkill -9 perl
Source: /bin/sh (PID: 5275) Pkill executable: /usr/bin/pkill -> pkill -9 python
Source: /usr/share/gdm/generate-config (PID: 5428) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /usr/share/gdm/generate-config (PID: 5529) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Executes the "grep" command used to find patterns in files or piped streams
Source: /bin/sh (PID: 5412) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5414) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 5416) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5418) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 5420) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5422) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 5424) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5426) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 5513) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5515) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 5517) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5519) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 5521) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5523) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 5525) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5527) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Enumerates processes within the "proc" file system
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/1582/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/2033/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/670/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/793/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/1579/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/1612/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/1699/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/674/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/1335/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/2028/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/675/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/796/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/1334/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/1532/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/1576/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/797/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/676/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/677/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/2025/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/799/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/910/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/912/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/517/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/759/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/918/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/1594/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/1349/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/761/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/884/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/1389/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/1983/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/2038/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/720/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/1344/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/1465/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/1586/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/721/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/1463/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/800/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/801/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/847/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/1900/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/491/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/2050/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/1877/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/2009/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/772/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/1599/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/774/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/1477/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/654/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/896/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/1476/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/1872/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/2048/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/655/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/1475/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/656/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/777/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/657/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/658/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/419/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/936/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/1809/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/1494/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/1890/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/1888/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/1601/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/420/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/1886/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/2018/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/1489/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/785/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/2014/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/1320/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/788/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/667/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/789/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/904/exe
Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/1207/exe
Source: /usr/bin/pkill (PID: 5275) File opened: /proc/5263/status
Source: /usr/bin/pkill (PID: 5275) File opened: /proc/5263/cmdline
Source: /usr/bin/pkill (PID: 5275) File opened: /proc/1582/status
Source: /usr/bin/pkill (PID: 5275) File opened: /proc/1582/cmdline
Source: /usr/bin/pkill (PID: 5275) File opened: /proc/3088/status
Source: /usr/bin/pkill (PID: 5275) File opened: /proc/3088/cmdline
Source: /usr/bin/pkill (PID: 5275) File opened: /proc/230/status
Source: /usr/bin/pkill (PID: 5275) File opened: /proc/230/cmdline
Source: /usr/bin/pkill (PID: 5275) File opened: /proc/110/status
Source: /usr/bin/pkill (PID: 5275) File opened: /proc/110/cmdline
Source: /usr/bin/pkill (PID: 5275) File opened: /proc/231/status
Source: /usr/bin/pkill (PID: 5275) File opened: /proc/231/cmdline
Source: /usr/bin/pkill (PID: 5275) File opened: /proc/111/status
Source: /usr/bin/pkill (PID: 5275) File opened: /proc/111/cmdline
Source: /usr/bin/pkill (PID: 5275) File opened: /proc/232/status
Source: /usr/bin/pkill (PID: 5275) File opened: /proc/232/cmdline
Source: /usr/bin/pkill (PID: 5275) File opened: /proc/1579/status
Source: /usr/bin/pkill (PID: 5275) File opened: /proc/1579/cmdline
Source: /usr/bin/pkill (PID: 5275) File opened: /proc/112/status
Source: /usr/bin/pkill (PID: 5275) File opened: /proc/112/cmdline
Source: /usr/bin/pkill (PID: 5275) File opened: /proc/233/status
Source: /usr/bin/pkill (PID: 5275) File opened: /proc/233/cmdline
Source: /usr/bin/pkill (PID: 5275) File opened: /proc/1699/status
Source: /usr/bin/pkill (PID: 5275) File opened: /proc/1699/cmdline
Source: /usr/bin/pkill (PID: 5275) File opened: /proc/113/status
Source: /usr/bin/pkill (PID: 5275) File opened: /proc/113/cmdline
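The evidence under "Sample tries to kill many processes (SIGKILL)" and "Enumerates processes within the "proc" file system" is more telling together than apart: PID 5230 opens /proc/<pid>/exe for dozens of PIDs, and every PID it later SIGKILLs is among the ones it looked at, while its pkill children only read /proc/<pid>/status and cmdline, which is what a legitimate pkill does. The Python below is an added example, not part of the report: it parses lines in the report's own "Source: <image> (PID: N) <event>" wording and flags an actor that kills processes it first enumerated. The embedded input is constructed from a subset of the PIDs listed above, and the thresholds (min_scanned, min_killed) are the example's own choices.

```python
"""Correlate two event kinds recorded in the report into one behaviour:
an actor that opens /proc/<pid>/exe for many PIDs and then SIGKILLs PIDs it
looked at. Either half alone is normal (ps/pkill read /proc; service managers
send SIGKILL); the overlap is the process-killer signal."""
import re
from collections import defaultdict

# Both patterns follow the report's own "Source: <image> (PID: N) <event>" wording.
PROC_OPEN_RX = re.compile(r"\(PID: (\d+)\) File opened: /proc/(\d+)/(exe|status|cmdline)\b")
SIGKILL_RX = re.compile(r"\(PID: (\d+)\) SIGKILL sent: pid: (\d+), result: (\w+)")


def new_record():
    return {"exe_scanned": set(), "status_scanned": set(), "killed": set()}


def parse_events(lines):
    """Group events by acting PID: which /proc entries it opened, which PIDs it killed."""
    actors = defaultdict(new_record)
    for line in lines:
        m = PROC_OPEN_RX.search(line)
        if m:
            actor, target, leaf = m.groups()
            bucket = "exe_scanned" if leaf == "exe" else "status_scanned"
            actors[int(actor)][bucket].add(int(target))
            continue
        m = SIGKILL_RX.search(line)
        if m and m.group(3) == "successful":
            actors[int(m.group(1))]["killed"].add(int(m.group(2)))
    return dict(actors)


def find_killers(actors, min_scanned=10, min_killed=5):
    """Flag actors whose kills are drawn from their own /proc/*/exe enumeration.
    Thresholds are the example's own; tune them to the host's baseline."""
    hits = {}
    for pid, rec in actors.items():
        overlap = rec["killed"] & rec["exe_scanned"]
        if len(rec["exe_scanned"]) >= min_scanned and len(overlap) >= min_killed:
            hits[pid] = {"scanned": len(rec["exe_scanned"]),
                         "killed": sorted(rec["killed"]),
                         "killed_after_scan": sorted(overlap)}
    return hits


# Constructed input: PIDs taken from the report's lists above. All sixteen
# SIGKILL targets also appear among the /proc/<pid>/exe opens; the pkill child
# (PID 5275) only reads status/cmdline and must not be flagged.
KILLED = [658, 720, 759, 772, 789, 800, 904, 936, 1320, 1334, 1335, 1389, 1809, 1872, 1888, 2048]
SCANNED_ONLY = [1582, 2033, 670, 793, 1579, 1612, 1699, 674, 2028, 675,
                796, 1532, 1576, 797, 676, 677, 2025, 799, 910, 912]
SAMPLE_LINES = (
    [f"Source: /tmp/SadGbSEaaD (PID: 5230) File opened: /proc/{p}/exe" for p in SCANNED_ONLY + KILLED]
    + [f"Source: /tmp/SadGbSEaaD (PID: 5230) SIGKILL sent: pid: {p}, result: successful" for p in KILLED]
    + ["Source: /usr/bin/pkill (PID: 5275) File opened: /proc/5263/status",
       "Source: /usr/bin/pkill (PID: 5275) File opened: /proc/5263/cmdline",
       "Source: /usr/bin/pkill (PID: 5275) File opened: /proc/1582/status"]
)

if __name__ == "__main__":
    for pid, hit in find_killers(parse_events(SAMPLE_LINES)).items():
        print(f"PID {pid}: scanned {hit['scanned']} binaries, killed {len(hit['killed'])}, "
              f"{len(hit['killed_after_scan'])} of them after enumeration")
```

On a live host the same correlation can be fed from auditd (openat on /proc/*/exe plus kill syscall records keyed by the acting PID); the point of keying on /proc/<pid>/exe rather than status or cmdline is that the former is what a binary-matching killer consults, while ordinary process tools read the latter.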
Creates hidden files and/or directories
Source: /usr/bin/whoopsie (PID: 5339) Directory: /nonexistent/.cache
Executes the "iptables" command used for managing IP filtering and manipulation
Source: /bin/sh (PID: 5290) Iptables executable: /sbin/iptables -> /sbin/iptables -F
Source: /bin/sh (PID: 5291) Iptables executable: /sbin/iptables -> /sbin/iptables -X
Sample tries to set the executable flag
Source: /usr/bin/whoopsie (PID: 5339) File: /var/crash (bits: gv usr: rwx grp: rwx all: rwx)
Source: /usr/sbin/gdm3 (PID: 5464) File: /var/run/gdm3 (bits: - usr: -x grp: x all: rwx)
Source: /usr/sbin/gdm3 (PID: 5464) File: /var/log/gdm3 (bits: - usr: -x grp: x all: rwx)
Source: /usr/sbin/gdm3 (PID: 5537) File: /var/run/gdm3 (bits: - usr: -x grp: x all: rwx)
Source: /usr/sbin/gdm3 (PID: 5537) File: /var/log/gdm3 (bits: - usr: -x grp: x all: rwx)
Executes commands using a shell command-line interpreter
Source: /tmp/SadGbSEaaD (PID: 5236) Shell command executed: sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"
Source: /tmp/SadGbSEaaD (PID: 5245) Shell command executed: sh -c "rm -rf /var/log/wtmp"
Source: /tmp/SadGbSEaaD (PID: 5248) Shell command executed: sh -c "rm -rf /tmp/*"
Source: /tmp/SadGbSEaaD (PID: 5251) Shell command executed: sh -c "rm -rf /bin/netstat"
Source: /tmp/SadGbSEaaD (PID: 5255) Shell command executed: sh -c "iptables -F"
Source: /tmp/SadGbSEaaD (PID: 5265) Shell command executed: sh -c "pkill -9 busybox"
Source: /tmp/SadGbSEaaD (PID: 5268) Shell command executed: sh -c "pkill -9 perl"
Source: /tmp/SadGbSEaaD (PID: 5273) Shell command executed: sh -c "pkill -9 python"
Source: /tmp/SadGbSEaaD (PID: 5276) Shell command executed: sh -c "service iptables stop"
Source: /tmp/SadGbSEaaD (PID: 5288) Shell command executed: sh -c "/sbin/iptables -F; /sbin/iptables -X"
Source: /tmp/SadGbSEaaD (PID: 5292) Shell command executed: sh -c "service firewalld stop"
Source: /tmp/SadGbSEaaD (PID: 5301) Shell command executed: sh -c "rm -rf ~/.bash_history"
Source: /tmp/SadGbSEaaD (PID: 5304) Shell command executed: sh -c "history -c"
Source: /usr/bin/gpu-manager (PID: 5411) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5413) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5415) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5417) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5419) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5421) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5423) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5425) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5512) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5514) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5516) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5518) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5520) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5522) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5524) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5526) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /lib/modprobe.d/*.conf"
Executes the "rm" command used to delete files or directories
Source: /bin/sh (PID: 5238) Rm executable: /usr/bin/rm -> rm -rf /tmp/SadGbSEaaD /tmp/config-err-dHT8bZ /tmp/dmesgtail.log /tmp/snap.lxd /tmp/ssh-hOQ5FjG2iVgO /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-c4RYFi /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-gKIF8e /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-gB0a9f /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-APWnLg /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-IofUpj /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-AfPZzg /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-x0xO0i /tmp/vmware-root_721-4290559889 /var/backups /var/cache /var/crash /var/lib /var/local /var/lock /var/log /var/mail /var/metrics /var/opt /var/run /var/snap /var/spool /var/tmp /var/run/NetworkManager /var/run/acpid.pid /var/run/acpid.socket /var/run/apport.lock /var/run/avahi-daemon /var/run/blkid /var/run/cloud-init /var/run/console-setup /var/run/crond.pid /var/run/crond.reboot /var/run/cryptsetup /var/run/cups /var/run/dbus /var/run/dmeventd-client /var/run/dmeventd-server /var/run/gdm3 /var/run/gdm3.pid /var/run/initctl /var/run/initramfs /var/run/irqbalance /var/run/lock /var/run/log /var/run/lvm /var/run/mlocate.daily.lock /var/run/mono-xsp4 /var/run/mono-xsp4.pid /var/run/motd.d /var/run/mount /var/run/multipathd.pid /var/run/netns /var/run/network /var/run/screen /var/run/sendsigs.omit.d /var/run/shm /var/run/snapd /var/run/snapd-snap.socket /var/run/snapd.socket /var/run/speech-dispatcher /var/run/spice-vdagentd /var/run/sshd /var/run/sshd.pid /var/run/sudo /var/run/systemd /var/run/tmpfiles.d /var/run/udev /var/run/udisks2 /var/run/unattended-upgrades.lock /var/run/user /var/run/utmp /var/run/uuidd /var/run/vmware /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-J6Q1Te 
/var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-srP90f /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-biJ0Gi /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-1jIxdj /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-llmWag /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-X16eHh /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-GpSnaf
Source: /bin/sh (PID: 5247) Rm executable: /usr/bin/rm -> rm -rf /var/log/wtmp
Source: /bin/sh (PID: 5250) Rm executable: /usr/bin/rm -> rm -rf /tmp/*
Source: /bin/sh (PID: 5253) Rm executable: /usr/bin/rm -> rm -rf /bin/netstat
Source: /bin/sh (PID: 5303) Rm executable: /usr/bin/rm -> rm -rf /root/.bash_history
Source: /usr/bin/gpu-manager (PID: 5511) Log file created: /var/log/gpu-manager.log
Source: /usr/sbin/service (PID: 5284) Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p
Source: /usr/sbin/service (PID: 5300) Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p

Hooking and other Techniques for Hiding and Protection:

barindex
Sample deletes itself
Source: /usr/bin/rm (PID: 5238) File: /tmp/SadGbSEaaD

Malware Analysis System Evasion:

barindex
Deletes security-related log files
Source: /usr/bin/rm (PID: 5247) Truncated file: /var/log/wtmp
Reads CPU information from /sys indicative of miner or evasive malware
Source: /usr/bin/pkill (PID: 5267) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5270) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5275) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 5386) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5428) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5529) Reads CPU info from /sys: /sys/devices/system/cpu/online
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/SadGbSEaaD (PID: 5222) Queries kernel information via 'uname'
Source: /usr/bin/whoopsie (PID: 5339) Queries kernel information via 'uname'
Source: /usr/bin/pulseaudio (PID: 5386) Queries kernel information via 'uname'
Source: /usr/bin/gpu-manager (PID: 5410) Queries kernel information via 'uname'
Source: /usr/bin/gpu-manager (PID: 5511) Queries kernel information via 'uname'
Deletes log files
Source: /usr/bin/rm (PID: 5247) Truncated file: /var/log/wtmp
Source: /usr/bin/gpu-manager (PID: 5410) Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 5511) Truncated file: /var/log/gpu-manager.log
Source: SadGbSEaaD, 5230.1.00000000179da0e7.000000002d284515.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/mipsel/usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfdQ
Source: SadGbSEaaD, 5222.1.000000009c0a4112.00000000179da0e7.rw-.sdmp, SadGbSEaaD, 5224.1.000000009c0a4112.00000000179da0e7.rw-.sdmp, SadGbSEaaD, 5225.1.000000009c0a4112.00000000179da0e7.rw-.sdmp, SadGbSEaaD, 5230.1.000000009c0a4112.00000000179da0e7.rw-.sdmp, SadGbSEaaD, 5232.1.000000009c0a4112.00000000179da0e7.rw-.sdmp, SadGbSEaaD, 5234.1.000000009c0a4112.00000000179da0e7.rw-.sdmp, SadGbSEaaD, 5306.1.000000009c0a4112.00000000179da0e7.rw-.sdmp, SadGbSEaaD, 5308.1.000000009c0a4112.00000000179da0e7.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/mipsel
Source: SadGbSEaaD, 5230.1.000000009c0a4112.00000000179da0e7.rw-.sdmp Binary or memory string: UName!/usr/bin/vmtoolsd
Source: SadGbSEaaD, 5230.1.000000009c0a4112.00000000179da0e7.rw-.sdmp Binary or memory string: /usr/bin/vmtoolsd
Source: SadGbSEaaD, 5222.1.00000000eac01c1d.0000000034ed70ec.rw-.sdmp, SadGbSEaaD, 5224.1.00000000eac01c1d.0000000034ed70ec.rw-.sdmp, SadGbSEaaD, 5225.1.00000000eac01c1d.0000000034ed70ec.rw-.sdmp, SadGbSEaaD, 5230.1.00000000eac01c1d.0000000034ed70ec.rw-.sdmp, SadGbSEaaD, 5232.1.00000000eac01c1d.0000000034ed70ec.rw-.sdmp, SadGbSEaaD, 5234.1.00000000eac01c1d.0000000034ed70ec.rw-.sdmp, SadGbSEaaD, 5306.1.00000000eac01c1d.0000000034ed70ec.rw-.sdmp, SadGbSEaaD, 5308.1.00000000eac01c1d.0000000034ed70ec.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-mipsel/tmp/SadGbSEaaDSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/SadGbSEaaD
Source: SadGbSEaaD, 5222.1.000000009c0a4112.00000000179da0e7.rw-.sdmp, SadGbSEaaD, 5224.1.000000009c0a4112.00000000179da0e7.rw-.sdmp, SadGbSEaaD, 5225.1.000000009c0a4112.00000000179da0e7.rw-.sdmp, SadGbSEaaD, 5230.1.000000009c0a4112.00000000179da0e7.rw-.sdmp, SadGbSEaaD, 5232.1.000000009c0a4112.00000000179da0e7.rw-.sdmp, SadGbSEaaD, 5234.1.000000009c0a4112.00000000179da0e7.rw-.sdmp, SadGbSEaaD, 5306.1.000000009c0a4112.00000000179da0e7.rw-.sdmp, SadGbSEaaD, 5308.1.000000009c0a4112.00000000179da0e7.rw-.sdmp Binary or memory string: U!/etc/qemu-binfmt/mipsel
Source: SadGbSEaaD, 5222.1.00000000eac01c1d.0000000034ed70ec.rw-.sdmp, SadGbSEaaD, 5224.1.00000000eac01c1d.0000000034ed70ec.rw-.sdmp, SadGbSEaaD, 5225.1.00000000eac01c1d.0000000034ed70ec.rw-.sdmp, SadGbSEaaD, 5230.1.00000000eac01c1d.0000000034ed70ec.rw-.sdmp, SadGbSEaaD, 5232.1.00000000eac01c1d.0000000034ed70ec.rw-.sdmp, SadGbSEaaD, 5234.1.00000000eac01c1d.0000000034ed70ec.rw-.sdmp, SadGbSEaaD, 5306.1.00000000eac01c1d.0000000034ed70ec.rw-.sdmp, SadGbSEaaD, 5308.1.00000000eac01c1d.0000000034ed70ec.rw-.sdmp Binary or memory string: /usr/bin/qemu-mipsel
Source: SadGbSEaaD, 5230.1.00000000179da0e7.000000002d284515.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/mipsel/usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd
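Added example, not part of this sandbox report or of the sample: a small Python classifier that takes process-execution records shaped like the rm invocations attributed above to /bin/sh children of the sample (self-removal of /tmp/SadGbSEaaD, rm -rf of /var/log/wtmp, /tmp/*, /bin/netstat and /root/.bash_history) and tags the anti-forensic intent of each deletion, so the same pattern can be hunted in EDR or auditd execve telemetry. The input records are constructed here, with paths copied from the report's rm lines (the first, very long command shortened to a handful of its targets) plus an invented benign apt-get control; the rule names, the Finding type and the path lists are this example's own assumptions, not signature names used by the report.

```python
"""Tag anti-forensic deletions in process-execution records.

Added illustration only; not code from the sandbox or the sample. Rule
names and path lists below are assumptions made for this example.
"""
import posixpath
import shlex
from dataclasses import dataclass

# Constructed input: (pid, parent image, argv as logged). Paths are taken from
# the report's "Rm executable" lines; the apt-get line is a made-up benign control.
SAMPLE_PATH = "/tmp/SadGbSEaaD"
RECORDS = [
    (5238, "/bin/sh", "rm -rf /tmp/SadGbSEaaD /tmp/dmesgtail.log /var/log /var/run/utmp /var/tmp"),
    (5247, "/bin/sh", "rm -rf /var/log/wtmp"),
    (5250, "/bin/sh", "rm -rf /tmp/*"),
    (5253, "/bin/sh", "rm -rf /bin/netstat"),
    (5303, "/bin/sh", "rm -rf /root/.bash_history"),
    (6001, "/usr/bin/apt-get", "rm -f /var/cache/apt/archives/lock"),
]

# Assumed rule tables (not from the report).
LOGIN_RECORDS = {"/var/log/wtmp", "/var/log/btmp", "/var/log/lastlog",
                 "/var/run/utmp", "/run/utmp"}
SHELL_HISTORIES = {".bash_history", ".ash_history", ".sh_history", ".zsh_history"}
TRIAGE_TOOLS = {"netstat", "ss", "ps", "lsof", "top", "iptables", "ip"}
BIN_DIRS = {"/bin", "/sbin", "/usr/bin", "/usr/sbin"}
TMP_ROOTS = {"/tmp", "/var/tmp", "/dev/shm"}
DELETERS = {"rm", "unlink", "shred"}


def rm_targets(cmdline):
    """Return the paths a deletion command operates on, or None if the
    command is not rm/unlink/shred. Options are skipped. A literal '*' is
    kept because the sandbox logs the unexpanded argv, not the glob result."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return None
    if not argv or posixpath.basename(argv[0]) not in DELETERS:
        return None
    return [posixpath.normpath(a) for a in argv[1:] if not a.startswith("-")]


def classify(cmdline, self_path=None):
    """Map one command line to a set of anti-forensic tags; empty means benign.
    self_path is the on-disk location of the binary under analysis, used to
    recognise self-deletion."""
    tags = set()
    targets = rm_targets(cmdline)
    if not targets:
        return tags
    for t in targets:
        name, parent = posixpath.basename(t), posixpath.dirname(t)
        if self_path and t == posixpath.normpath(self_path):
            tags.add("self_delete")
        if t in LOGIN_RECORDS:
            tags.add("login_record_wipe")          # wtmp/utmp/btmp: hides logins
        elif t == "/var/log" or t.startswith("/var/log/"):
            tags.add("log_wipe")                   # whole log tree or other logs
        if name in SHELL_HISTORIES:
            tags.add("shell_history_wipe")
        if parent in BIN_DIRS and name in TRIAGE_TOOLS:
            tags.add("triage_tool_removal")        # e.g. rm -rf /bin/netstat
        if t in TMP_ROOTS or (parent in TMP_ROOTS and name == "*"):
            tags.add("tmp_wipe")                   # removes the dropper's staging area
    return tags


@dataclass(frozen=True)
class Finding:
    pid: int
    image: str
    cmdline: str
    tags: frozenset


def analyze(records, self_path=None):
    """Run classify() over (pid, image, cmdline) records and keep only hits,
    in input order."""
    return [Finding(pid, image, cmd, frozenset(tags))
            for pid, image, cmd in records
            if (tags := classify(cmd, self_path))]


if __name__ == "__main__":
    for f in analyze(RECORDS, SAMPLE_PATH):
        print(f"PID {f.pid} ({f.image}): {sorted(f.tags)} <- {f.cmdline}")
```

Two caveats when reading the signatures above. The "Reads CPU information from /sys" hits are attributed to /usr/bin/pkill and /usr/bin/pulseaudio rather than to the sample: reading /sys/devices/system/cpu/online is how glibc counts online CPUs, so the evidential weight lies in the sample's shell spawning pkill at all, not in that read. Likewise the /usr/bin/qemu-mipsel and /etc/qemu-binfmt/mipsel memory strings describe the analysis environment (a MIPS ELF run under user-mode QEMU on an x86_64 host), not a property of the sample.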
No contacted IP infos