IOC Report


Files

File Path
Type
Category
Malicious
SadGbSEaaD
ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
initial sample
malicious
/home/saturnino/.config/pulse/ee49dfd4fa47433baee88884e2d7de7c-default-sink
ASCII text
dropped
clean
/home/saturnino/.config/pulse/ee49dfd4fa47433baee88884e2d7de7c-default-source
ASCII text
dropped
clean
/proc/5348/oom_score_adj
ASCII text
dropped
clean
/run/sshd.pid
ASCII text
dropped
clean
/run/systemd/resolve/stub-resolv.conf
ASCII text
dropped
clean
/run/user/1000/pulse/pid
ASCII text
dropped
clean
/var/log/gpu-manager.log
ASCII text
dropped
clean
/var/run/gdm3.pid
ASCII text
dropped
clean

Processes

Path
Cmdline
Malicious
/tmp/SadGbSEaaD
/tmp/SadGbSEaaD
clean
/tmp/SadGbSEaaD
n/a
clean
/tmp/SadGbSEaaD
n/a
clean
/tmp/SadGbSEaaD
n/a
clean
/tmp/SadGbSEaaD
n/a
clean
/tmp/SadGbSEaaD
n/a
clean
/tmp/SadGbSEaaD
n/a
clean
/bin/sh
sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"
clean
/bin/sh
n/a
clean
/usr/bin/rm
rm -rf /tmp/SadGbSEaaD /tmp/config-err-dHT8bZ /tmp/dmesgtail.log /tmp/snap.lxd /tmp/ssh-hOQ5FjG2iVgO /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-c4RYFi /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-gKIF8e /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-gB0a9f /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-APWnLg /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-IofUpj /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-AfPZzg /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-x0xO0i /tmp/vmware-root_721-4290559889 /var/backups /var/cache /var/crash /var/lib /var/local /var/lock /var/log /var/mail /var/metrics /var/opt /var/run /var/snap /var/spool /var/tmp /var/run/NetworkManager /var/run/acpid.pid /var/run/acpid.socket /var/run/apport.lock /var/run/avahi-daemon /var/run/blkid /var/run/cloud-init /var/run/console-setup /var/run/crond.pid /var/run/crond.reboot /var/run/cryptsetup /var/run/cups /var/run/dbus /var/run/dmeventd-client /var/run/dmeventd-server /var/run/gdm3 /var/run/gdm3.pid /var/run/initctl /var/run/initramfs /var/run/irqbalance /var/run/lock /var/run/log /var/run/lvm /var/run/mlocate.daily.lock /var/run/mono-xsp4 /var/run/mono-xsp4.pid /var/run/motd.d /var/run/mount /var/run/multipathd.pid /var/run/netns /var/run/network /var/run/screen /var/run/sendsigs.omit.d /var/run/shm /var/run/snapd /var/run/snapd-snap.socket /var/run/snapd.socket /var/run/speech-dispatcher /var/run/spice-vdagentd /var/run/sshd /var/run/sshd.pid /var/run/sudo /var/run/systemd /var/run/tmpfiles.d /var/run/udev /var/run/udisks2 /var/run/unattended-upgrades.lock /var/run/user /var/run/utmp /var/run/uuidd /var/run/vmware /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-J6Q1Te /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-srP90f 
/var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-biJ0Gi /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-1jIxdj /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-llmWag /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-X16eHh /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-GpSnaf
clean
/tmp/SadGbSEaaD
n/a
clean
/bin/sh
sh -c "rm -rf /var/log/wtmp"
clean
/bin/sh
n/a
clean
/usr/bin/rm
rm -rf /var/log/wtmp
clean
/tmp/SadGbSEaaD
n/a
clean
/bin/sh
sh -c "rm -rf /tmp/*"
clean
/bin/sh
n/a
clean
/usr/bin/rm
rm -rf /tmp/*
clean
/tmp/SadGbSEaaD
n/a
clean
/bin/sh
sh -c "rm -rf /bin/netstat"
clean
/bin/sh
n/a
clean
/usr/bin/rm
rm -rf /bin/netstat
clean
/tmp/SadGbSEaaD
n/a
clean
/bin/sh
sh -c "iptables -F"
clean
/bin/sh
n/a
clean
/usr/sbin/iptables
iptables -F
clean
/tmp/SadGbSEaaD
n/a
clean
/bin/sh
sh -c "pkill -9 busybox"
clean
/bin/sh
n/a
clean
/usr/bin/pkill
pkill -9 busybox
clean
/tmp/SadGbSEaaD
n/a
clean
/bin/sh
sh -c "pkill -9 perl"
clean
/bin/sh
n/a
clean
/usr/bin/pkill
pkill -9 perl
clean
/tmp/SadGbSEaaD
n/a
clean
/bin/sh
sh -c "pkill -9 python"
clean
/bin/sh
n/a
clean
/usr/bin/pkill
pkill -9 python
clean
/tmp/SadGbSEaaD
n/a
clean
/bin/sh
sh -c "service iptables stop"
clean
/bin/sh
n/a
clean
/usr/sbin/service
service iptables stop
clean
/usr/sbin/service
n/a
clean
/usr/bin/basename
basename /usr/sbin/service
clean
/usr/sbin/service
n/a
clean
/usr/bin/basename
basename /usr/sbin/service
clean
/usr/sbin/service
n/a
clean
/usr/bin/systemctl
systemctl --quiet is-active multi-user.target
clean
/usr/sbin/service
n/a
clean
/usr/sbin/service
n/a
clean
/usr/bin/systemctl
systemctl list-unit-files --full --type=socket
clean
/usr/sbin/service
n/a
clean
/usr/bin/sed
sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p
clean
/usr/bin/systemctl
systemctl stop iptables.service
clean
/tmp/SadGbSEaaD
n/a
clean
/bin/sh
sh -c "/sbin/iptables -F; /sbin/iptables -X"
clean
/bin/sh
n/a
clean
/sbin/iptables
/sbin/iptables -F
clean
/bin/sh
n/a
clean
/sbin/iptables
/sbin/iptables -X
clean
/tmp/SadGbSEaaD
n/a
clean
/bin/sh
sh -c "service firewalld stop"
clean
/bin/sh
n/a
clean
/usr/sbin/service
service firewalld stop
clean
/usr/sbin/service
n/a
clean
/usr/bin/basename
basename /usr/sbin/service
clean
/usr/sbin/service
n/a
clean
/usr/bin/basename
basename /usr/sbin/service
clean
/usr/sbin/service
n/a
clean
/usr/bin/systemctl
systemctl --quiet is-active multi-user.target
clean
/usr/sbin/service
n/a
clean
/usr/sbin/service
n/a
clean
/usr/bin/systemctl
systemctl list-unit-files --full --type=socket
clean
/usr/sbin/service
n/a
clean
/usr/bin/sed
sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p
clean
/usr/bin/systemctl
systemctl stop firewalld.service
clean
/tmp/SadGbSEaaD
n/a
clean
/bin/sh
sh -c "rm -rf ~/.bash_history"
clean
/bin/sh
n/a
clean
/usr/bin/rm
rm -rf /root/.bash_history
clean
/tmp/SadGbSEaaD
n/a
clean
/bin/sh
sh -c "history -c"
clean
/tmp/SadGbSEaaD
n/a
clean
/tmp/SadGbSEaaD
n/a
clean
/usr/lib/systemd/systemd
n/a
clean
/usr/bin/whoopsie
/usr/bin/whoopsie -f
clean
/usr/lib/systemd/systemd
n/a
clean
/usr/sbin/sshd
/usr/sbin/sshd -t
clean
/usr/lib/systemd/systemd
n/a
clean
/usr/sbin/sshd
/usr/sbin/sshd -D
clean
/usr/sbin/gdm3
n/a
clean
/etc/gdm3/PrimeOff/Default
/etc/gdm3/PrimeOff/Default
clean
/usr/sbin/gdm3
n/a
clean
/etc/gdm3/PrimeOff/Default
/etc/gdm3/PrimeOff/Default
clean
/usr/lib/systemd/systemd
n/a
clean
/usr/lib/accountsservice/accounts-daemon
/usr/lib/accountsservice/accounts-daemon
clean
/usr/lib/systemd/systemd
n/a
clean
/usr/bin/pulseaudio
/usr/bin/pulseaudio --daemonize=no --log-target=journal
clean
/usr/lib/systemd/systemd
n/a
clean
/usr/bin/gpu-manager
/usr/bin/gpu-manager --log /var/log/gpu-manager.log
clean
/usr/bin/gpu-manager
n/a
clean
/bin/sh
sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
clean
/bin/sh
n/a
clean
/usr/bin/grep
grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
clean
/usr/bin/gpu-manager
n/a
clean
/bin/sh
sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
clean
/bin/sh
n/a
clean
/usr/bin/grep
grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
clean
/usr/bin/gpu-manager
n/a
clean
/bin/sh
sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"
clean
/bin/sh
n/a
clean
/usr/bin/grep
grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
clean
/usr/bin/gpu-manager
n/a
clean
/bin/sh
sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf"
clean
/bin/sh
n/a
clean
/usr/bin/grep
grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
clean
/usr/bin/gpu-manager
n/a
clean
/bin/sh
sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf"
clean
/bin/sh
n/a
clean
/usr/bin/grep
grep -G ^blacklist.*amdgpu[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
clean
/usr/bin/gpu-manager
n/a
clean
/bin/sh
sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /lib/modprobe.d/*.conf"
clean
/bin/sh
n/a
clean
/usr/bin/grep
grep -G ^blacklist.*amdgpu[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
clean
/usr/bin/gpu-manager
n/a
clean
/bin/sh
sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /etc/modprobe.d/*.conf"
clean
/bin/sh
n/a
clean
/usr/bin/grep
grep -G ^blacklist.*nouveau[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
clean
/usr/bin/gpu-manager
n/a
clean
/bin/sh
sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /lib/modprobe.d/*.conf"
clean
/bin/sh
n/a
clean
/usr/bin/grep
grep -G ^blacklist.*nouveau[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
clean
/usr/lib/systemd/systemd
n/a
clean
/usr/share/gdm/generate-config
/usr/share/gdm/generate-config
clean
/usr/share/gdm/generate-config
n/a
clean
/usr/bin/pkill
pkill --signal HUP --uid gdm dconf-service
clean
/usr/lib/systemd/systemd
n/a
clean
/usr/lib/gdm3/gdm-wait-for-drm
/usr/lib/gdm3/gdm-wait-for-drm
clean
/usr/libexec/gvfsd-fuse
n/a
clean
/bin/fusermount
fusermount -u -q -z -- /run/user/1000/gvfs
clean
/usr/lib/systemd/systemd
n/a
clean
/lib/systemd/systemd-user-runtime-dir
/lib/systemd/systemd-user-runtime-dir stop 1000
clean
/usr/lib/systemd/systemd
n/a
clean
/usr/sbin/gdm3
/usr/sbin/gdm3
clean
/usr/lib/systemd/systemd
n/a
clean
/usr/bin/gpu-manager
/usr/bin/gpu-manager --log /var/log/gpu-manager.log
clean
/usr/bin/gpu-manager
n/a
clean
/bin/sh
sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
clean
/bin/sh
n/a
clean
/usr/bin/grep
grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
clean
/usr/bin/gpu-manager
n/a
clean
/bin/sh
sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
clean
/bin/sh
n/a
clean
/usr/bin/grep
grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
clean
/usr/bin/gpu-manager
n/a
clean
/bin/sh
sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"
clean
/bin/sh
n/a
clean
/usr/bin/grep
grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
clean
/usr/bin/gpu-manager
n/a
clean
/bin/sh
sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf"
clean
/bin/sh
n/a
clean
/usr/bin/grep
grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
clean
/usr/bin/gpu-manager
n/a
clean
/bin/sh
sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf"
clean
/bin/sh
n/a
clean
/usr/bin/grep
grep -G ^blacklist.*amdgpu[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
clean
/usr/bin/gpu-manager
n/a
clean
/bin/sh
sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /lib/modprobe.d/*.conf"
clean
/bin/sh
n/a
clean
/usr/bin/grep
grep -G ^blacklist.*amdgpu[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
clean
/usr/bin/gpu-manager
n/a
clean
/bin/sh
sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /etc/modprobe.d/*.conf"
clean
/bin/sh
n/a
clean
/usr/bin/grep
grep -G ^blacklist.*nouveau[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
clean
/usr/bin/gpu-manager
n/a
clean
/bin/sh
sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /lib/modprobe.d/*.conf"
clean
/bin/sh
n/a
clean
/usr/bin/grep
grep -G ^blacklist.*nouveau[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
clean
/usr/lib/systemd/systemd
n/a
clean
/usr/share/gdm/generate-config
/usr/share/gdm/generate-config
clean
/usr/share/gdm/generate-config
n/a
clean
/usr/bin/pkill
pkill --signal HUP --uid gdm dconf-service
clean
/usr/lib/systemd/systemd
n/a
clean
/usr/lib/gdm3/gdm-wait-for-drm
/usr/lib/gdm3/gdm-wait-for-drm
clean
/usr/lib/systemd/systemd
n/a
clean
/usr/sbin/gdm3
/usr/sbin/gdm3
clean

URLs

Name
IP
Malicious
http://upx.sf.net
unknown
clean