
Linux Analysis Report SadGbSEaaD

Overview

General Information

Sample Name: SadGbSEaaD
Analysis ID: 528759
MD5: 031afe8b5c0562d8f256cd4c1ba70eac
SHA1: 7ab79aaa20d216648c6197e89e02e7244511c326
SHA256: 8a2b9ef42d6da1cf4216252b5d5354013c439a9cd88ac992a1c953b744ef79cd
Tags: 32, elf, mips, mirai

Detection

Score: 72
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Sample tries to kill many processes (SIGKILL)
Deletes all firewall rules
Sample deletes itself
Sample is packed with UPX
Deletes security-related log files
Sample reads /proc/mounts (often used for finding a writable filesystem)
Executes the "kill" or "pkill" command typically used to terminate processes
Sample contains only a LOAD segment without any section mappings
Reads CPU information from /sys indicative of miner or evasive malware
Yara signature match
Executes the "grep" command used to find patterns in files or piped streams
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Deletes log files
Creates hidden files and/or directories
Executes the "iptables" command used for managing IP filtering and manipulation
Sample tries to set the executable flag
Executes commands using a shell command-line interpreter
Executes the "rm" command used to delete files or directories

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures
Static ELF header machine description suggests that the sample might not execute correctly on this machine

General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 528759
Start date: 25.11.2021
Start time: 18:38:57
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 18s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: SadGbSEaaD
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Detection: MAL
Classification: mal72.spre.troj.evad.lin@0/9@0/0
Warnings:
  • Connection to analysis system has been lost, crash info: Unknown

Process Tree

  • system is lnxubuntu20
  • SadGbSEaaD (PID: 5222, Parent: 5119, MD5: 0d6f61f82cf2f781c6eb0661071d42d9) Arguments: /tmp/SadGbSEaaD
    • SadGbSEaaD New Fork (PID: 5225, Parent: 5222)
      • SadGbSEaaD New Fork (PID: 5232, Parent: 5225)
        • SadGbSEaaD New Fork (PID: 5234, Parent: 5232)
          • sh (PID: 5236, Parent: 5234, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"
            • sh New Fork (PID: 5238, Parent: 5236)
            • rm (PID: 5238, Parent: 5236, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /tmp/SadGbSEaaD /tmp/config-err-dHT8bZ /tmp/dmesgtail.log /tmp/snap.lxd /tmp/ssh-hOQ5FjG2iVgO /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-c4RYFi /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-gKIF8e /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-gB0a9f /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-APWnLg /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-IofUpj /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-AfPZzg /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-x0xO0i /tmp/vmware-root_721-4290559889 /var/backups /var/cache /var/crash /var/lib /var/local /var/lock /var/log /var/mail /var/metrics /var/opt /var/run /var/snap /var/spool /var/tmp /var/run/NetworkManager /var/run/acpid.pid /var/run/acpid.socket /var/run/apport.lock /var/run/avahi-daemon /var/run/blkid /var/run/cloud-init /var/run/console-setup /var/run/crond.pid /var/run/crond.reboot /var/run/cryptsetup /var/run/cups /var/run/dbus /var/run/dmeventd-client /var/run/dmeventd-server /var/run/gdm3 /var/run/gdm3.pid /var/run/initctl /var/run/initramfs /var/run/irqbalance /var/run/lock /var/run/log /var/run/lvm /var/run/mlocate.daily.lock /var/run/mono-xsp4 /var/run/mono-xsp4.pid /var/run/motd.d /var/run/mount /var/run/multipathd.pid /var/run/netns /var/run/network /var/run/screen /var/run/sendsigs.omit.d /var/run/shm /var/run/snapd /var/run/snapd-snap.socket /var/run/snapd.socket /var/run/speech-dispatcher /var/run/spice-vdagentd /var/run/sshd /var/run/sshd.pid /var/run/sudo /var/run/systemd /var/run/tmpfiles.d /var/run/udev /var/run/udisks2 /var/run/unattended-upgrades.lock /var/run/user /var/run/utmp /var/run/uuidd /var/run/vmware /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-J6Q1Te /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-srP90f /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-biJ0Gi /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-1jIxdj /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-llmWag /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-X16eHh /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-GpSnaf
          • sh (PID: 5245, Parent: 5234, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /var/log/wtmp"
            • sh New Fork (PID: 5247, Parent: 5245)
            • rm (PID: 5247, Parent: 5245, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /var/log/wtmp
          • sh (PID: 5248, Parent: 5234, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /tmp/*"
            • sh New Fork (PID: 5250, Parent: 5248)
            • rm (PID: 5250, Parent: 5248, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /tmp/*
          • sh (PID: 5251, Parent: 5234, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /bin/netstat"
            • sh New Fork (PID: 5253, Parent: 5251)
            • rm (PID: 5253, Parent: 5251, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /bin/netstat
          • sh (PID: 5255, Parent: 5234, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "iptables -F"
            • sh New Fork (PID: 5261, Parent: 5255)
            • iptables (PID: 5261, Parent: 5255, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -F
          • sh (PID: 5265, Parent: 5234, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 busybox"
            • sh New Fork (PID: 5267, Parent: 5265)
            • pkill (PID: 5267, Parent: 5265, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 busybox
          • sh (PID: 5268, Parent: 5234, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 perl"
            • sh New Fork (PID: 5270, Parent: 5268)
            • pkill (PID: 5270, Parent: 5268, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 perl
          • sh (PID: 5273, Parent: 5234, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 python"
            • sh New Fork (PID: 5275, Parent: 5273)
            • pkill (PID: 5275, Parent: 5273, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 python
          • sh (PID: 5276, Parent: 5234, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "service iptables stop"
            • sh New Fork (PID: 5278, Parent: 5276)
            • service (PID: 5278, Parent: 5276, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: service iptables stop
              • service New Fork (PID: 5279, Parent: 5278)
              • basename (PID: 5279, Parent: 5278, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service
              • service New Fork (PID: 5280, Parent: 5278)
              • basename (PID: 5280, Parent: 5278, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service
              • service New Fork (PID: 5281, Parent: 5278)
              • systemctl (PID: 5281, Parent: 5278, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl --quiet is-active multi-user.target
              • service New Fork (PID: 5282, Parent: 5278)
                • service New Fork (PID: 5283, Parent: 5282)
                • systemctl (PID: 5283, Parent: 5282, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl list-unit-files --full --type=socket
                • service New Fork (PID: 5284, Parent: 5282)
                • sed (PID: 5284, Parent: 5282, MD5: 885062561f66aa1d4af4c54b9e7cc81a) Arguments: sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p
            • systemctl (PID: 5278, Parent: 5276, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl stop iptables.service
          • sh (PID: 5288, Parent: 5234, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "/sbin/iptables -F; /sbin/iptables -X"
            • sh New Fork (PID: 5290, Parent: 5288)
            • iptables (PID: 5290, Parent: 5288, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: /sbin/iptables -F
            • sh New Fork (PID: 5291, Parent: 5288)
            • iptables (PID: 5291, Parent: 5288, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: /sbin/iptables -X
          • sh (PID: 5292, Parent: 5234, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "service firewalld stop"
            • sh New Fork (PID: 5294, Parent: 5292)
            • service (PID: 5294, Parent: 5292, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: service firewalld stop
              • service New Fork (PID: 5295, Parent: 5294)
              • basename (PID: 5295, Parent: 5294, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service
              • service New Fork (PID: 5296, Parent: 5294)
              • basename (PID: 5296, Parent: 5294, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service
              • service New Fork (PID: 5297, Parent: 5294)
              • systemctl (PID: 5297, Parent: 5294, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl --quiet is-active multi-user.target
              • service New Fork (PID: 5298, Parent: 5294)
                • service New Fork (PID: 5299, Parent: 5298)
                • systemctl (PID: 5299, Parent: 5298, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl list-unit-files --full --type=socket
                • service New Fork (PID: 5300, Parent: 5298)
                • sed (PID: 5300, Parent: 5298, MD5: 885062561f66aa1d4af4c54b9e7cc81a) Arguments: sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p
            • systemctl (PID: 5294, Parent: 5292, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl stop firewalld.service
          • sh (PID: 5301, Parent: 5234, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf ~/.bash_history"
            • sh New Fork (PID: 5303, Parent: 5301)
            • rm (PID: 5303, Parent: 5301, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /root/.bash_history
          • sh (PID: 5304, Parent: 5234, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "history -c"
  • systemd New Fork (PID: 5339, Parent: 1)
  • whoopsie (PID: 5339, Parent: 1, MD5: d3a6915d0e7398fb4c89a037c13959c8) Arguments: /usr/bin/whoopsie -f
  • systemd New Fork (PID: 5347, Parent: 1)
  • sshd (PID: 5347, Parent: 1, MD5: dbca7a6bbf7bf57fedac243d4b2cb340) Arguments: /usr/sbin/sshd -t
  • systemd New Fork (PID: 5348, Parent: 1)
  • sshd (PID: 5348, Parent: 1, MD5: dbca7a6bbf7bf57fedac243d4b2cb340) Arguments: /usr/sbin/sshd -D
  • gdm3 New Fork (PID: 5351, Parent: 1320)
  • Default (PID: 5351, Parent: 1320, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default
  • gdm3 New Fork (PID: 5371, Parent: 1320)
  • Default (PID: 5371, Parent: 1320, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default
  • systemd New Fork (PID: 5372, Parent: 1)
  • accounts-daemon (PID: 5372, Parent: 1, MD5: 01a899e3fb5e7e434bea1290255a1f30) Arguments: /usr/lib/accountsservice/accounts-daemon
  • systemd New Fork (PID: 5386, Parent: 1860)
  • pulseaudio (PID: 5386, Parent: 1860, MD5: 0c3b4c789d8ffb12b25507f27e14c186) Arguments: /usr/bin/pulseaudio --daemonize=no --log-target=journal
  • systemd New Fork (PID: 5410, Parent: 1)
  • gpu-manager (PID: 5410, Parent: 1, MD5: 8fae9dd5dd67e1f33d873089c2fd8761) Arguments: /usr/bin/gpu-manager --log /var/log/gpu-manager.log
    • sh (PID: 5411, Parent: 5410, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
      • sh New Fork (PID: 5412, Parent: 5411)
      • grep (PID: 5412, Parent: 5411, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
    • sh (PID: 5413, Parent: 5410, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
      • sh New Fork (PID: 5414, Parent: 5413)
      • grep (PID: 5414, Parent: 5413, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
    • sh (PID: 5415, Parent: 5410, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"
      • sh New Fork (PID: 5416, Parent: 5415)
      • grep (PID: 5416, Parent: 5415, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
    • sh (PID: 5417, Parent: 5410, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf"
      • sh New Fork (PID: 5418, Parent: 5417)
      • grep (PID: 5418, Parent: 5417, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
    • sh (PID: 5419, Parent: 5410, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf"
      • sh New Fork (PID: 5420, Parent: 5419)
      • grep (PID: 5420, Parent: 5419, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*amdgpu[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
    • sh (PID: 5421, Parent: 5410, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /lib/modprobe.d/*.conf"
      • sh New Fork (PID: 5422, Parent: 5421)
      • grep (PID: 5422, Parent: 5421, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*amdgpu[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
    • sh (PID: 5423, Parent: 5410, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /etc/modprobe.d/*.conf"
      • sh New Fork (PID: 5424, Parent: 5423)
      • grep (PID: 5424, Parent: 5423, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*nouveau[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
    • sh (PID: 5425, Parent: 5410, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /lib/modprobe.d/*.conf"
      • sh New Fork (PID: 5426, Parent: 5425)
      • grep (PID: 5426, Parent: 5425, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*nouveau[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
  • systemd New Fork (PID: 5427, Parent: 1)
  • generate-config (PID: 5427, Parent: 1, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /usr/share/gdm/generate-config
    • pkill (PID: 5428, Parent: 5427, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill --signal HUP --uid gdm dconf-service
  • systemd New Fork (PID: 5429, Parent: 1)
  • gdm-wait-for-drm (PID: 5429, Parent: 1, MD5: 82043ba752c6930b4e6aaea2f7747545) Arguments: /usr/lib/gdm3/gdm-wait-for-drm
  • fusermount (PID: 5433, Parent: 2038, MD5: 576a1b135c82bdcbc97a91acea900566) Arguments: fusermount -u -q -z -- /run/user/1000/gvfs
  • systemd New Fork (PID: 5443, Parent: 1)
  • systemd-user-runtime-dir (PID: 5443, Parent: 1, MD5: d55f4b0847f88131dbcfb07435178e54) Arguments: /lib/systemd/systemd-user-runtime-dir stop 1000
  • systemd New Fork (PID: 5464, Parent: 1)
  • gdm3 (PID: 5464, Parent: 1, MD5: 2492e2d8d34f9377e3e530a61a15674f) Arguments: /usr/sbin/gdm3
  • systemd New Fork (PID: 5511, Parent: 1)
  • gpu-manager (PID: 5511, Parent: 1, MD5: 8fae9dd5dd67e1f33d873089c2fd8761) Arguments: /usr/bin/gpu-manager --log /var/log/gpu-manager.log
    • sh (PID: 5512, Parent: 5511, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
      • sh New Fork (PID: 5513, Parent: 5512)
      • grep (PID: 5513, Parent: 5512, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
    • sh (PID: 5514, Parent: 5511, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
      • sh New Fork (PID: 5515, Parent: 5514)
      • grep (PID: 5515, Parent: 5514, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
    • sh (PID: 5516, Parent: 5511, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"
      • sh New Fork (PID: 5517, Parent: 5516)
      • grep (PID: 5517, Parent: 5516, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
    • sh (PID: 5518, Parent: 5511, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf"
      • sh New Fork (PID: 5519, Parent: 5518)
      • grep (PID: 5519, Parent: 5518, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
    • sh (PID: 5520, Parent: 5511, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf"
      • sh New Fork (PID: 5521, Parent: 5520)
      • grep (PID: 5521, Parent: 5520, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*amdgpu[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
    • sh (PID: 5522, Parent: 5511, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /lib/modprobe.d/*.conf"
      • sh New Fork (PID: 5523, Parent: 5522)
      • grep (PID: 5523, Parent: 5522, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*amdgpu[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
    • sh (PID: 5524, Parent: 5511, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /etc/modprobe.d/*.conf"
      • sh New Fork (PID: 5525, Parent: 5524)
      • grep (PID: 5525, Parent: 5524, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*nouveau[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
    • sh (PID: 5526, Parent: 5511, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /lib/modprobe.d/*.conf"
      • sh New Fork (PID: 5527, Parent: 5526)
      • grep (PID: 5527, Parent: 5526, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*nouveau[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
  • systemd New Fork (PID: 5528, Parent: 1)
  • generate-config (PID: 5528, Parent: 1, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /usr/share/gdm/generate-config
    • pkill (PID: 5529, Parent: 5528, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill --signal HUP --uid gdm dconf-service
  • systemd New Fork (PID: 5531, Parent: 1)
  • gdm-wait-for-drm (PID: 5531, Parent: 1, MD5: 82043ba752c6930b4e6aaea2f7747545) Arguments: /usr/lib/gdm3/gdm-wait-for-drm
  • systemd New Fork (PID: 5537, Parent: 1)
  • gdm3 (PID: 5537, Parent: 1, MD5: 2492e2d8d34f9377e3e530a61a15674f) Arguments: /usr/sbin/gdm3
  • cleanup

Yara Overview

Initial Sample

Source: SadGbSEaaD
Rule: SUSP_ELF_LNX_UPX_Compressed_File
Description: Detects a suspicious ELF binary with UPX compression
Author: Florian Roth
Strings:
  • 0xc7b0: $s1: PROT_EXEC|PROT_WRITE failed.
  • 0xc81f: $s2: $Id: UPX
  • 0xc7d0: $s3: $Info: This file is packed with the UPX executable packer

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: SadGbSEaaD | Virustotal: Detection: 20%
Source: /usr/bin/pkill (PID: 5267) | Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5270) | Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5275) | Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 5386) | Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5428) | Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5529) | Reads CPU info from /sys: /sys/devices/system/cpu/online

Networking:

Deletes all firewall rules
Source: /bin/sh (PID: 5261) | Args: iptables -F
Source: /tmp/SadGbSEaaD (PID: 5230) | Socket: 0.0.0.0::23
Source: /usr/sbin/sshd (PID: 5348) | Socket: 0.0.0.0::22
Source: /usr/sbin/sshd (PID: 5348) | Socket: [::]::22
Source: /bin/sh (PID: 5290) | Iptables executable: /sbin/iptables -> /sbin/iptables -F
Source: /bin/sh (PID: 5291) | Iptables executable: /sbin/iptables -> /sbin/iptables -X
Source: SadGbSEaaD | String found in binary or memory: http://upx.sf.net

System Summary:

Sample tries to kill many processes (SIGKILL)
Source: /tmp/SadGbSEaaD (PID: 5230) | SIGKILL sent: pid: 658, result: successful
Source: /tmp/SadGbSEaaD (PID: 5230) | SIGKILL sent: pid: 720, result: successful
Source: /tmp/SadGbSEaaD (PID: 5230) | SIGKILL sent: pid: 759, result: successful
Source: /tmp/SadGbSEaaD (PID: 5230) | SIGKILL sent: pid: 772, result: successful
Source: /tmp/SadGbSEaaD (PID: 5230) | SIGKILL sent: pid: 789, result: successful
Source: /tmp/SadGbSEaaD (PID: 5230) | SIGKILL sent: pid: 800, result: successful
Source: /tmp/SadGbSEaaD (PID: 5230) | SIGKILL sent: pid: 904, result: successful
Source: /tmp/SadGbSEaaD (PID: 5230) | SIGKILL sent: pid: 936, result: successful
Source: /tmp/SadGbSEaaD (PID: 5230) | SIGKILL sent: pid: 1320, result: successful
Source: /tmp/SadGbSEaaD (PID: 5230) | SIGKILL sent: pid: 1334, result: successful
Source: /tmp/SadGbSEaaD (PID: 5230) | SIGKILL sent: pid: 1335, result: successful
Source: /tmp/SadGbSEaaD (PID: 5230) | SIGKILL sent: pid: 1389, result: successful
Source: /tmp/SadGbSEaaD (PID: 5230) | SIGKILL sent: pid: 1809, result: successful
Source: /tmp/SadGbSEaaD (PID: 5230) | SIGKILL sent: pid: 1872, result: successful
Source: /tmp/SadGbSEaaD (PID: 5230) | SIGKILL sent: pid: 1888, result: successful
Source: /tmp/SadGbSEaaD (PID: 5230) | SIGKILL sent: pid: 2048, result: successful
Source: LOAD without section mappings | Program segment: 0x100000
Source: SadGbSEaaD, type: SAMPLE | Matched rule: SUSP_ELF_LNX_UPX_Compressed_File date = 2018-12-12, author = Florian Roth, description = Detects a suspicious ELF binary with UPX compression, reference = Internal Research, score = 038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4
Source: classification engine | Classification label: mal72.spre.troj.evad.lin@0/9@0/0

Data Obfuscation:

Sample is packed with UPX
Source: initial sample | String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample | String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample | String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $

Persistence and Installation Behavior:

Deletes all firewall rulesShow sources
Source: /bin/sh (PID: 5261)Args: iptables -FJump to behavior
Sample reads /proc/mounts (often used for finding a writable filesystem)Show sources
Source: /bin/fusermount (PID: 5433)File: /proc/5433/mountsJump to behavior
Source: /bin/sh (PID: 5267)Pkill executable: /usr/bin/pkill -> pkill -9 busyboxJump to behavior
Source: /bin/sh (PID: 5270)Pkill executable: /usr/bin/pkill -> pkill -9 perlJump to behavior
Source: /bin/sh (PID: 5275)Pkill executable: /usr/bin/pkill -> pkill -9 pythonJump to behavior
Source: /usr/share/gdm/generate-config (PID: 5428)Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-serviceJump to behavior
Source: /usr/share/gdm/generate-config (PID: 5529)Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-serviceJump to behavior

Source: /bin/sh (PID: 5412) | Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5414) | Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 5416) | Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5418) | Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 5420) | Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5422) | Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 5424) | Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5426) | Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 5513) | Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5515) | Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 5517) | Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5519) | Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 5521) | Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5523) | Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 5525) | Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5527) | Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf

Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/1582/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/2033/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/670/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/793/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/1579/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/1612/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/1699/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/674/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/1335/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/2028/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/675/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/796/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/1334/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/1532/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/1576/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/797/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/676/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/677/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/2025/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/799/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/910/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/912/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/517/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/759/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/918/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/1594/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/1349/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/761/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/884/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/1389/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/1983/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/2038/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/720/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/1344/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/1465/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/1586/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/721/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/1463/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/800/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/801/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/847/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/1900/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/491/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/2050/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/1877/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/2009/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/772/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/1599/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/774/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/1477/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/654/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/896/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/1476/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/1872/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/2048/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/655/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/1475/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/656/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/777/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/657/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/658/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/419/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/936/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/1809/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/1494/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/1890/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/1888/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/1601/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/420/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/1886/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/2018/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/1489/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/785/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/2014/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/1320/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/788/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/667/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/789/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/904/exe
Source: /tmp/SadGbSEaaD (PID: 5230) | File opened: /proc/1207/exe
Source: /usr/bin/pkill (PID: 5275) | File opened: /proc/5263/status
Source: /usr/bin/pkill (PID: 5275) | File opened: /proc/5263/cmdline
Source: /usr/bin/pkill (PID: 5275) | File opened: /proc/1582/status
Source: /usr/bin/pkill (PID: 5275) | File opened: /proc/1582/cmdline
Source: /usr/bin/pkill (PID: 5275) | File opened: /proc/3088/status
Source: /usr/bin/pkill (PID: 5275) | File opened: /proc/3088/cmdline
Source: /usr/bin/pkill (PID: 5275) | File opened: /proc/230/status
Source: /usr/bin/pkill (PID: 5275) | File opened: /proc/230/cmdline
Source: /usr/bin/pkill (PID: 5275) | File opened: /proc/110/status
Source: /usr/bin/pkill (PID: 5275) | File opened: /proc/110/cmdline
Source: /usr/bin/pkill (PID: 5275) | File opened: /proc/231/status
Source: /usr/bin/pkill (PID: 5275) | File opened: /proc/231/cmdline
Source: /usr/bin/pkill (PID: 5275) | File opened: /proc/111/status
Source: /usr/bin/pkill (PID: 5275) | File opened: /proc/111/cmdline
Source: /usr/bin/pkill (PID: 5275) | File opened: /proc/232/status
Source: /usr/bin/pkill (PID: 5275) | File opened: /proc/232/cmdline
Source: /usr/bin/pkill (PID: 5275) | File opened: /proc/1579/status
Source: /usr/bin/pkill (PID: 5275) | File opened: /proc/1579/cmdline
Source: /usr/bin/pkill (PID: 5275) | File opened: /proc/112/status
Source: /usr/bin/pkill (PID: 5275) | File opened: /proc/112/cmdline
Source: /usr/bin/pkill (PID: 5275) | File opened: /proc/233/status
Source: /usr/bin/pkill (PID: 5275) | File opened: /proc/233/cmdline
Source: /usr/bin/pkill (PID: 5275) | File opened: /proc/1699/status
Source: /usr/bin/pkill (PID: 5275) | File opened: /proc/1699/cmdline
Source: /usr/bin/pkill (PID: 5275) | File opened: /proc/113/status
Source: /usr/bin/pkill (PID: 5275) | File opened: /proc/113/cmdline

Source: /usr/bin/whoopsie (PID: 5339) | Directory: /nonexistent/.cache

Source: /bin/sh (PID: 5290) | Iptables executable: /sbin/iptables -> /sbin/iptables -F
Source: /bin/sh (PID: 5291) | Iptables executable: /sbin/iptables -> /sbin/iptables -X

Source: /usr/bin/whoopsie (PID: 5339) | File: /var/crash (bits: gv usr: rwx grp: rwx all: rwx)
Source: /usr/sbin/gdm3 (PID: 5464) | File: /var/run/gdm3 (bits: - usr: -x grp: x all: rwx)
Source: /usr/sbin/gdm3 (PID: 5464) | File: /var/log/gdm3 (bits: - usr: -x grp: x all: rwx)
Source: /usr/sbin/gdm3 (PID: 5537) | File: /var/run/gdm3 (bits: - usr: -x grp: x all: rwx)
Source: /usr/sbin/gdm3 (PID: 5537) | File: /var/log/gdm3 (bits: - usr: -x grp: x all: rwx)

Source: /tmp/SadGbSEaaD (PID: 5236) | Shell command executed: sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"
Source: /tmp/SadGbSEaaD (PID: 5245) | Shell command executed: sh -c "rm -rf /var/log/wtmp"
Source: /tmp/SadGbSEaaD (PID: 5248) | Shell command executed: sh -c "rm -rf /tmp/*"
Source: /tmp/SadGbSEaaD (PID: 5251) | Shell command executed: sh -c "rm -rf /bin/netstat"
Source: /tmp/SadGbSEaaD (PID: 5255) | Shell command executed: sh -c "iptables -F"
Source: /tmp/SadGbSEaaD (PID: 5265) | Shell command executed: sh -c "pkill -9 busybox"
Source: /tmp/SadGbSEaaD (PID: 5268) | Shell command executed: sh -c "pkill -9 perl"
Source: /tmp/SadGbSEaaD (PID: 5273) | Shell command executed: sh -c "pkill -9 python"
Source: /tmp/SadGbSEaaD (PID: 5276) | Shell command executed: sh -c "service iptables stop"
Source: /tmp/SadGbSEaaD (PID: 5288) | Shell command executed: sh -c "/sbin/iptables -F; /sbin/iptables -X"
Source: /tmp/SadGbSEaaD (PID: 5292) | Shell command executed: sh -c "service firewalld stop"
Source: /tmp/SadGbSEaaD (PID: 5301) | Shell command executed: sh -c "rm -rf ~/.bash_history"
Source: /tmp/SadGbSEaaD (PID: 5304) | Shell command executed: sh -c "history -c"
Source: /usr/bin/gpu-manager (PID: 5411) | Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5413) | Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5415) | Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5417) | Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5419) | Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5421) | Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5423) | Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5425) | Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5512) | Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5514) | Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5516) | Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5518) | Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5520) | Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5522) | Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5524) | Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5526) | Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /lib/modprobe.d/*.conf"

Source: /bin/sh (PID: 5238) | Rm executable: /usr/bin/rm -> rm -rf /tmp/SadGbSEaaD /tmp/config-err-dHT8bZ /tmp/dmesgtail.log /tmp/snap.lxd /tmp/ssh-hOQ5FjG2iVgO /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-c4RYFi /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-gKIF8e /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-gB0a9f /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-APWnLg /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-IofUpj /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-AfPZzg /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-x0xO0i /tmp/vmware-root_721-4290559889 /var/backups /var/cache /var/crash /var/lib /var/local /var/lock /var/log /var/mail /var/metrics /var/opt /var/run /var/snap /var/spool /var/tmp /var/run/NetworkManager /var/run/acpid.pid /var/run/acpid.socket /var/run/apport.lock /var/run/avahi-daemon /var/run/blkid /var/run/cloud-init /var/run/console-setup /var/run/crond.pid /var/run/crond.reboot /var/run/cryptsetup /var/run/cups /var/run/dbus /var/run/dmeventd-client /var/run/dmeventd-server /var/run/gdm3 /var/run/gdm3.pid /var/run/initctl /var/run/initramfs /var/run/irqbalance /var/run/lock /var/run/log /var/run/lvm /var/run/mlocate.daily.lock /var/run/mono-xsp4 /var/run/mono-xsp4.pid /var/run/motd.d /var/run/mount /var/run/multipathd.pid /var/run/netns /var/run/network /var/run/screen /var/run/sendsigs.omit.d /var/run/shm /var/run/snapd /var/run/snapd-snap.socket /var/run/snapd.socket /var/run/speech-dispatcher /var/run/spice-vdagentd /var/run/sshd /var/run/sshd.pid /var/run/sudo /var/run/systemd /var/run/tmpfiles.d /var/run/udev /var/run/udisks2 /var/run/unattended-upgrades.lock /var/run/user /var/run/utmp /var/run/uuidd /var/run/vmware /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-J6Q1Te /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-srP90f /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-biJ0Gi /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-1jIxdj /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-llmWag /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-X16eHh /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-GpSnaf
Source: /bin/sh (PID: 5247) | Rm executable: /usr/bin/rm -> rm -rf /var/log/wtmp
Source: /bin/sh (PID: 5250) | Rm executable: /usr/bin/rm -> rm -rf /tmp/*
Source: /bin/sh (PID: 5253) | Rm executable: /usr/bin/rm -> rm -rf /bin/netstat
Source: /bin/sh (PID: 5303) | Rm executable: /usr/bin/rm -> rm -rf /root/.bash_history

Source: /usr/bin/gpu-manager (PID: 5511) | Log file created: /var/log/gpu-manager.log

Source: /usr/sbin/service (PID: 5284) | Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p
Source: /usr/sbin/service (PID: 5300) | Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p

Hooking and other Techniques for Hiding and Protection:

Sample deletes itself
Source: /usr/bin/rm (PID: 5238) | File: /tmp/SadGbSEaaD

Malware Analysis System Evasion:

Deletes security-related log files
Source: /usr/bin/rm (PID: 5247) | Truncated file: /var/log/wtmp

Source: /usr/bin/pkill (PID: 5267) | Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5270) | Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5275) | Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 5386) | Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5428) | Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5529) | Reads CPU info from /sys: /sys/devices/system/cpu/online

Source: /tmp/SadGbSEaaD (PID: 5222) | Queries kernel information via 'uname'
Source: /usr/bin/whoopsie (PID: 5339) | Queries kernel information via 'uname'
Source: /usr/bin/pulseaudio (PID: 5386) | Queries kernel information via 'uname'
Source: /usr/bin/gpu-manager (PID: 5410) | Queries kernel information via 'uname'
Source: /usr/bin/gpu-manager (PID: 5511) | Queries kernel information via 'uname'

Source: /usr/bin/rm (PID: 5247) | Truncated file: /var/log/wtmp
Source: /usr/bin/gpu-manager (PID: 5410) | Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 5511) | Truncated file: /var/log/gpu-manager.log

Source: SadGbSEaaD, 5230.1.00000000179da0e7.000000002d284515.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/mipsel/usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfdQ
Source: SadGbSEaaD, 5222.1.000000009c0a4112.00000000179da0e7.rw-.sdmp, SadGbSEaaD, 5224.1.000000009c0a4112.00000000179da0e7.rw-.sdmp, SadGbSEaaD, 5225.1.000000009c0a4112.00000000179da0e7.rw-.sdmp, SadGbSEaaD, 5230.1.000000009c0a4112.00000000179da0e7.rw-.sdmp, SadGbSEaaD, 5232.1.000000009c0a4112.00000000179da0e7.rw-.sdmp, SadGbSEaaD, 5234.1.000000009c0a4112.00000000179da0e7.rw-.sdmp, SadGbSEaaD, 5306.1.000000009c0a4112.00000000179da0e7.rw-.sdmp, SadGbSEaaD, 5308.1.000000009c0a4112.00000000179da0e7.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/mipsel
Source: SadGbSEaaD, 5230.1.000000009c0a4112.00000000179da0e7.rw-.sdmp | Binary or memory string: UName!/usr/bin/vmtoolsd
Source: SadGbSEaaD, 5230.1.000000009c0a4112.00000000179da0e7.rw-.sdmp | Binary or memory string: /usr/bin/vmtoolsd
Source: SadGbSEaaD, 5222.1.00000000eac01c1d.0000000034ed70ec.rw-.sdmp, SadGbSEaaD, 5224.1.00000000eac01c1d.0000000034ed70ec.rw-.sdmp, SadGbSEaaD, 5225.1.00000000eac01c1d.0000000034ed70ec.rw-.sdmp, SadGbSEaaD, 5230.1.00000000eac01c1d.0000000034ed70ec.rw-.sdmp, SadGbSEaaD, 5232.1.00000000eac01c1d.0000000034ed70ec.rw-.sdmp, SadGbSEaaD, 5234.1.00000000eac01c1d.0000000034ed70ec.rw-.sdmp, SadGbSEaaD, 5306.1.00000000eac01c1d.0000000034ed70ec.rw-.sdmp, SadGbSEaaD, 5308.1.00000000eac01c1d.0000000034ed70ec.rw-.sdmp | Binary or memory string: x86_64/usr/bin/qemu-mipsel/tmp/SadGbSEaaDSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/SadGbSEaaD
Source: SadGbSEaaD, 5222.1.000000009c0a4112.00000000179da0e7.rw-.sdmp, SadGbSEaaD, 5224.1.000000009c0a4112.00000000179da0e7.rw-.sdmp, SadGbSEaaD, 5225.1.000000009c0a4112.00000000179da0e7.rw-.sdmp, SadGbSEaaD, 5230.1.000000009c0a4112.00000000179da0e7.rw-.sdmp, SadGbSEaaD, 5232.1.000000009c0a4112.00000000179da0e7.rw-.sdmp, SadGbSEaaD, 5234.1.000000009c0a4112.00000000179da0e7.rw-.sdmp, SadGbSEaaD, 5306.1.000000009c0a4112.00000000179da0e7.rw-.sdmp, SadGbSEaaD, 5308.1.000000009c0a4112.00000000179da0e7.rw-.sdmp | Binary or memory string: U!/etc/qemu-binfmt/mipsel
Source: SadGbSEaaD, 5222.1.00000000eac01c1d.0000000034ed70ec.rw-.sdmp, SadGbSEaaD, 5224.1.00000000eac01c1d.0000000034ed70ec.rw-.sdmp, SadGbSEaaD, 5225.1.00000000eac01c1d.0000000034ed70ec.rw-.sdmp, SadGbSEaaD, 5230.1.00000000eac01c1d.0000000034ed70ec.rw-.sdmp, SadGbSEaaD, 5232.1.00000000eac01c1d.0000000034ed70ec.rw-.sdmp, SadGbSEaaD, 5234.1.00000000eac01c1d.0000000034ed70ec.rw-.sdmp, SadGbSEaaD, 5306.1.00000000eac01c1d.0000000034ed70ec.rw-.sdmp, SadGbSEaaD, 5308.1.00000000eac01c1d.0000000034ed70ec.rw-.sdmp | Binary or memory string: /usr/bin/qemu-mipsel
Source: SadGbSEaaD, 5230.1.00000000179da0e7.000000002d284515.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/mipsel/usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd

Mitre Att&ck Matrix

Techniques observed for this sample carry the report's numeric badge after the technique name; all other cells are the matrix's standard placeholders.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Command and Scripting Interpreter 1 | Path Interception | Path Interception | File and Directory Permissions Modification 1 | OS Credential Dumping 1 | Security Software Discovery 11 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scripting 1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools 1 | LSASS Memory | System Network Configuration Discovery 1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Scripting 1 | Security Account Manager | File and Directory Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Hidden Files and Directories 1 | NTDS | System Information Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 1 | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Disable or Modify System Firewall 1 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Indicator Removal on Host 11 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | File Deletion 11 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

Malware Configuration

No configs have been found

Behavior Graph

[Behavior graph image not reproduced. Graph ID: 528759, Sample: SadGbSEaaD, Start date: 25/11/2021, Architecture: LINUX, Score: 72.]

Process relationships recoverable from the graph: the root SadGbSEaaD process (flagged "Multi AV Scanner detection for submitted file" and "Sample is packed with UPX") starts further SadGbSEaaD instances, one of which is flagged "Sample tries to kill many processes (SIGKILL)". A later instance spawns sh children that run rm (flagged "Sample deletes itself" and "Deletes security-related log files"), iptables (flagged "Deletes all firewall rules") and service/systemctl; the service processes in turn start basename, systemctl and sed. Separately, systemd starts gpu-manager instances that run sh/grep, and other processes are flagged "Sample reads /proc/mounts (often used for finding a writable filesystem)".

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source     | Detection | Scanner    | Label | Link
SadGbSEaaD | 20%       | Virustotal |       | Browse

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name              | Source     | Malicious | Antivirus Detection | Reputation
http://upx.sf.net | SadGbSEaaD | false     |                     | high

    Contacted IPs

    No contacted IP infos

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    No context

    ASN

    No context

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    /home/saturnino/.config/pulse/ee49dfd4fa47433baee88884e2d7de7c-default-sink
    Process:/usr/bin/pulseaudio
    File Type:ASCII text
    Category:dropped
    Size (bytes):10
    Entropy (8bit):2.9219280948873623
    Encrypted:false
    SSDEEP:3:5bkPn:pkP
    MD5:FF001A15CE15CF062A3704CEA2991B5F
    SHA1:B06F6855F376C3245B82212AC73ADED55DFE5DEF
    SHA-256:C54830B41ECFA1B6FBDC30397188DDA86B7B200E62AEAC21AE694A6192DCC38A
    SHA-512:65EBF7C31F6F65713CE01B38A112E97D0AE64A6BD1DA40CE4C1B998F10CD3912EE1A48BB2B279B24493062118AAB3B8753742E2AF28E56A31A7AAB27DE80E7BF
    Malicious:false
    Reputation:moderate, very likely benign file
    Preview: auto_null.
    /home/saturnino/.config/pulse/ee49dfd4fa47433baee88884e2d7de7c-default-source
    Process:/usr/bin/pulseaudio
    File Type:ASCII text
    Category:dropped
    Size (bytes):18
    Entropy (8bit):3.4613201402110088
    Encrypted:false
    SSDEEP:3:5bkrIZsXvn:pkckv
    MD5:28FE6435F34B3367707BB1C5D5F6B430
    SHA1:EB8FE2D16BD6BBCCE106C94E4D284543B2573CF6
    SHA-256:721A37C69E555799B41D308849E8F8125441883AB021B723FED90A9B744F36C0
    SHA-512:6B6AB7C0979629D0FEF6BE47C5C6BCC367EDD0AAE3FC973F4DE2FD5F0A819C89E7656DB65D453B1B5398E54012B27EDFE02894AD87A7E0AF3A9C5F2EB24A9919
    Malicious:false
    Reputation:moderate, very likely benign file
    Preview: auto_null.monitor.
    /proc/5348/oom_score_adj
    Process:/usr/sbin/sshd
    File Type:ASCII text
    Category:dropped
    Size (bytes):6
    Entropy (8bit):1.7924812503605778
    Encrypted:false
    SSDEEP:3:ptn:Dn
    MD5:CBF282CC55ED0792C33D10003D1F760A
    SHA1:007DD8BD75468E6B7ABA4285E9B267202C7EAEED
    SHA-256:FCDBAB99FCC0F4409E5F9D7D6FC497780288B4C441698126BB62832412774D22
    SHA-512:4643A8675D213C7DA35CC0C2BFB3B6F20324F9C48AEA7BA79F470615698C9A0CEFDA45CAA1957FC29110EE746BC8458AB8AB1E43EB513912A5E1E8858812CC00
    Malicious:false
    Reputation:high, very likely benign file
    Preview: -1000.
    /run/sshd.pid
    Process:/usr/sbin/sshd
    File Type:ASCII text
    Category:dropped
    Size (bytes):5
    Entropy (8bit):2.321928094887362
    Encrypted:false
    SSDEEP:3:DRdvn:Ndvn
    MD5:3EF34F121A6567F0BA4BA91ECBCF02A1
    SHA1:4717E42F13939A385C9A56661B962D1F681C0794
    SHA-256:F9BEE384387E79153F170D318A737CD21F09629D44688ECDC52AC31E128C2745
    SHA-512:93D1D18FEA49E589C8AD4D435F78850C7AD2FA3A3F1F7857B9E82AAD27C768913C16B947E8311FF04B57024B36FAEE30A8CEA8B6B7B73D8B20B01F694BAA2260
    Malicious:false
    Reputation:low
    Preview: 5348.
    /run/systemd/resolve/stub-resolv.conf
    Process:/tmp/SadGbSEaaD
    File Type:ASCII text
    Category:dropped
    Size (bytes):38
    Entropy (8bit):3.3918926446809334
    Encrypted:false
    SSDEEP:3:KkZRAkd:KaAu
    MD5:C7EA09D26E26605227076E0514A33038
    SHA1:C3F9736E9AF7BD0885578859A50B205C8FA5FC8E
    SHA-256:7E8AD76E0D200E93918CA2E93C99FF8ECD02071953BF1479819DB3AC0DBB6D07
    SHA-512:17D0088725EB9991E9EB82E8A3DE0878E45E6F394BBC2AD260AA59C786FF0AD565E145E21256425D1C0ABE15F3ECB402EBB0A6A5E1C2D5BA7A4D95EC93A2861F
    Malicious:false
    Reputation:moderate, very likely benign file
    Preview: nameserver 8.8.8.8.nameserver 8.8.4.4.
    /run/user/1000/pulse/pid
    Process:/usr/bin/pulseaudio
    File Type:ASCII text
    Category:dropped
    Size (bytes):5
    Entropy (8bit):2.321928094887362
    Encrypted:false
    SSDEEP:3:DdTv:BTv
    MD5:2A1CA5B92D3768BE40B6336FC569FE4A
    SHA1:48462E8B308EC176015059A662E552217D2D6772
    SHA-256:B5E361F8FC7EBEF020A876B4AF8F041B8C3403703E0E23AD3D1DF6CF3048203E
    SHA-512:27532A8BFA1874038B2F61C971F4864BE8D824FAD134E7B1B03237851EDA8993958DAC27E023C52EF84AF0B18768347439A6DC51D4AD9B3EA62E90A9F806D420
    Malicious:false
    Reputation:low
    Preview: 5386.
    /var/log/gpu-manager.log
    Process:/usr/bin/gpu-manager
    File Type:ASCII text
    Category:dropped
    Size (bytes):1515
    Entropy (8bit):4.825813629825568
    Encrypted:false
    SSDEEP:24:wPXXX9uV6BNu3WDF3GF3XFFxFFed2uk2HUvJlfWkpPpx7uvvAdow9555Ro7uRkoT:wPXXXe6vejpeC2HUR5WkpPpcvAdow959
    MD5:7B48386106F00126E44F428D0193E1ED
    SHA1:75F652293B2DE03A845A73B678A5CB7E9701A9F4
    SHA-256:9F60B5D0D5C6F6CB3892E1687D16333F36E3BD450713B00FDF0B2BB90EC7312C
    SHA-512:57D0856EC65558B4A843A4696B644AC3E80B3EA0E6EC1C2FAC7A00015B96EBB2CC30967EB8DEFC3E648E59AC6882F6A4F69468D4B6CD0FD60F9F343C206DBFBC
    Malicious:false
    Preview: log_file: /var/log/gpu-manager.log.last_boot_file: /var/lib/ubuntu-drivers-common/last_gfx_boot.new_boot_file: /var/lib/ubuntu-drivers-common/last_gfx_boot.can't access /run/u-d-c-nvidia-was-loaded file.can't get module info via kmodcan't access /opt/amdgpu-pro/bin/amdgpu-pro-px.Looking for nvidia modules in /lib/modules/5.4.0-72-generic/kernel.Looking for nvidia modules in /lib/modules/5.4.0-72-generic/updates/dkms.Looking for amdgpu modules in /lib/modules/5.4.0-72-generic/kernel.Looking for amdgpu modules in /lib/modules/5.4.0-72-generic/updates/dkms.Is nvidia loaded? no.Was nvidia unloaded? no.Is nvidia blacklisted? no.Is intel loaded? no.Is radeon loaded? no.Is radeon blacklisted? no.Is amdgpu loaded? no.Is amdgpu blacklisted? no.Is amdgpu versioned? no.Is amdgpu pro stack? no.Is nouveau loaded? no.Is nouveau blacklisted? no.Is nvidia kernel module available? no.Is amdgpu kernel module available? no.Vendor/Device Id: 15ad:405.BusID "PCI:0@0:15:0".Is boot vga? yes.Error: can't acce
    /var/run/gdm3.pid
    Process:/usr/sbin/gdm3
    File Type:ASCII text
    Category:dropped
    Size (bytes):5
    Entropy (8bit):1.9219280948873623
    Encrypted:false
    SSDEEP:3:FWc:D
    MD5:F4AC5F432DDDC207F126ADBDB69F5B77
    SHA1:85779FD856ADA77F77CAEF8E4E1A7B1C21731774
    SHA-256:52D3411459C6C6E2CAEAD9A1232A2E52763124432AF69BAB58A16EB714B61A62
    SHA-512:82F4B59D28655CA2555634CD4C1D6AB0F56FFE04E408B70CAA47BB164D16778B6D02DD50798EAA55548E95454C7D3DB87B51125123982E4A44872909A7A021F3
    Malicious:false
    Preview: 5537.

    Static File Info

    General

    File type:ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
    Entropy (8bit):7.958921028701868
    TrID:
    • ELF Executable and Linkable format (generic) (4004/1) 100.00%
    File name:SadGbSEaaD
    File size:53364
    MD5:031afe8b5c0562d8f256cd4c1ba70eac
    SHA1:7ab79aaa20d216648c6197e89e02e7244511c326
    SHA256:8a2b9ef42d6da1cf4216252b5d5354013c439a9cd88ac992a1c953b744ef79cd
    SHA512:dd7bf3e0bdaaaf45acd3610ecc87e4b9db65d593b17c3866f257b245a404d89dfd75415c245b3c863a747f1a45c7dff1b17fe9d962aedcbacd01e57d317c7e72
    SSDEEP:1536:+kZmb1tixCdWslx+XvTdL6/nPnZ1+RdSk5V8U:+aO1lQvTR6/Pn+Rdx
    File Content Preview:.ELF........................4...........4. ...(.....................=...=.....................F...F...................i`UPX!`...................V..........?.E.h;....#......b.L#<p..........1......)B..R...Ov.....P.y...TU@.q..M...........-..Lt..q............

    Static ELF Info

    ELF header

    Class:ELF32
    Data:2's complement, little endian
    Version:1 (current)
    Machine:MIPS R3000
    Version Number:0x1
    Type:EXEC (Executable file)
    OS/ABI:UNIX - System V
    ABI Version:0
    Entry Point Address:0x10bc00
    Flags:0x1007
    ELF Header Size:52
    Program Header Offset:52
    Program Header Size:32
    Number of Program Headers:2
    Section Header Offset:0
    Section Header Size:40
    Number of Section Headers:0
    Header String Table Index:0

    Program Segments

    Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align   | Prog Interpreter | Section Mappings
    LOAD | 0x0    | 0x100000        | 0x100000         | 0xcf3d    | 0xcf3d      | 4.1175  | 0x5   | R E               | 0x10000 |                  |
    LOAD | 0xe9cc | 0x46e9cc        | 0x46e9cc         | 0x0       | 0x0         | 0.0000  | 0x6   | RW                | 0x10000 |                  |

    Network Behavior

    No network behavior found

    System Behavior