Linux Analysis Report psO5Q4nOUG

Overview

General Information

Sample Name: psO5Q4nOUG
Analysis ID: 551275
MD5: 5e11432c30783b184dc2bf27aa1728b4
SHA1: 23c56da0cdddc664980705c4d14cb2579a970eed
SHA256: bd0141e88a0d56b508bc52db4dab68a49b6027a486e4d9514ec0db006fe71eed
Tags: backdoorelfsysjoker
Infos:

Detection

Score: 64
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Writes ELF files to hidden directories
Executes the "ifconfig" command used to gather network information
Sample tries to persist itself using cron
Executes the "crontab" command typically for achieving persistence
Writes ELF files to disk
Executes the "grep" command used to find patterns in files or piped streams
Uses the "uname" system call to query kernel version information (possible evasion)
Executes the "uname" command used to read OS and architecture name
Executes the "systemctl" command used for controlling the systemd system and service manager
Deletes log files
Creates hidden files and/or directories
Executes the "id" command, possibly to determine if the user is root or not
Executes commands using a shell command-line interpreter
Executes the "nohup" (no hangup) command used to avoid background terminal process from being killed
Executes the "rm" command used to delete files or directories

Classification

AV Detection:

barindex
Multi AV Scanner detection for submitted file
Source: psO5Q4nOUG ReversingLabs: Detection: 13%
Source: unknown HTTPS traffic detected: 54.171.230.55:443 -> 192.168.2.23:33608 version: TLS 1.2

Networking:

barindex
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 33608
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 34804
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 36110
Source: unknown Network traffic detected: HTTP traffic on port 33608 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 36112
Source: unknown Network traffic detected: HTTP traffic on port 44708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 44708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 36106
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 36108
Source: unknown Network traffic detected: HTTP traffic on port 34804 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 36108 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 36110 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 36112 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 36106 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: psO5Q4nOUG, updateSystem.68.dr String found in binary or memory: https://drive.google.com/uc?export=download&id=1W64PQQxrwY3XjBnv_QAeBQu-ePr537eu
Source: psO5Q4nOUG, 5249.1.0000000076e416fc.00000000a43e02a2.rw-.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1W64PQQxrwY3XjBnv_QAeBQu-ePr537eu1
Source: updateSystem.68.dr String found in binary or memory: https://gcc.gnu.org/bugs
Source: motd-news.125.dr String found in binary or memory: https://ubuntu.com/blog/microk8s-memory-optimisation
Source: unknown DNS traffic detected: queries for: drive.google.com
Source: unknown HTTPS traffic detected: 54.171.230.55:443 -> 192.168.2.23:33608 version: TLS 1.2

System Summary:

barindex
Source: classification engine Classification label: mal64.troj.spyw.evad.lin@0/56@10/0

Persistence and Installation Behavior:

barindex
Writes ELF files to hidden directories
Source: /usr/bin/cp (PID: 5263) File written to hidden directory: /.Library/SystemServices/updateSystem Jump to dropped file
Sample tries to persist itself using cron
Source: /usr/bin/crontab (PID: 5260) File: /var/spool/cron/crontabs/tmp.UWWGtW Jump to behavior
Source: /usr/bin/crontab (PID: 5260) File: /var/spool/cron/crontabs/root Jump to behavior
Executes the "crontab" command typically for achieving persistence
Source: /bin/sh (PID: 5255) Crontab executable: /usr/bin/crontab -> crontab -l Jump to behavior
Source: /bin/sh (PID: 5261) Crontab executable: /usr/bin/crontab -> crontab -l Jump to behavior
Source: /bin/sh (PID: 5260) Crontab executable: /usr/bin/crontab -> crontab - Jump to behavior
Source: /bin/sh (PID: 5272) Crontab executable: /usr/bin/crontab -> crontab -l Jump to behavior
Writes ELF files to disk
Source: /usr/bin/cp (PID: 5263) File written: /.Library/SystemServices/updateSystem Jump to dropped file
Executes the "grep" command used to find patterns in files or piped streams
Source: /usr/bin/egrep (PID: 5256) Grep executable: /usr/bin/grep -> grep -E -v ^(#|$) Jump to behavior
Source: /bin/sh (PID: 5257) Grep executable: /usr/bin/grep -> grep -e "@reboot (/.Library/SystemServices/updateSystem)" Jump to behavior
Source: /usr/bin/egrep (PID: 5273) Grep executable: /usr/bin/grep -> grep -E -v ^(#|$) Jump to behavior
Source: /bin/sh (PID: 5274) Grep executable: /usr/bin/grep -> grep -e "@reboot (/.Library/SystemServices/updateSystem)" Jump to behavior
Source: /bin/sh (PID: 5279) Grep executable: /usr/bin/grep -> grep -v 127.0.0.1 Jump to behavior
Source: /bin/sh (PID: 5280) Grep executable: /usr/bin/grep -> grep -E "inet ([0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3})" Jump to behavior
Executes the "systemctl" command used for controlling the systemd system and service manager
Source: /usr/sbin/invoke-rc.d (PID: 5225) Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-enabled cups.service Jump to behavior
Source: /usr/sbin/invoke-rc.d (PID: 5227) Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active cups.service Jump to behavior
Source: /usr/lib/rsyslog/rsyslog-rotate (PID: 5233) Systemctl executable: /usr/bin/systemctl -> systemctl kill -s HUP rsyslog.service Jump to behavior
Creates hidden files and/or directories
Source: /tmp/psO5Q4nOUG (PID: 5249) Directory: /.Library Jump to behavior
Executes the "id" command, possibly to determine if the user is root or not
Source: /bin/sh (PID: 5251) Executable: /usr/bin/id -> id -u Jump to behavior
Source: /bin/sh (PID: 5268) Executable: /usr/bin/id -> id -u Jump to behavior
Executes commands using a shell command-line interpreter
Source: /usr/sbin/logrotate (PID: 5222) Shell command executed: sh -c "\n\t\tinvoke-rc.d --quiet cups restart > /dev/null\n" logrotate_script "/var/log/cups/*log " Jump to behavior
Source: /usr/sbin/logrotate (PID: 5231) Shell command executed: sh -c /usr/lib/rsyslog/rsyslog-rotate logrotate_script /var/log/syslog Jump to behavior
Source: /tmp/psO5Q4nOUG (PID: 5250) Shell command executed: sh -c "id -u" Jump to behavior
Source: /tmp/psO5Q4nOUG (PID: 5252) Shell command executed: sh -c whoami Jump to behavior
Source: /tmp/psO5Q4nOUG (PID: 5254) Shell command executed: sh -c "crontab -l | egrep -v \"^(#|$)\" | grep -e \"@reboot (/.Library/SystemServices/updateSystem)\"" Jump to behavior
Source: /tmp/psO5Q4nOUG (PID: 5258) Shell command executed: sh -c "(crontab -l; echo \"@reboot (/.Library/SystemServices/updateSystem)\") | crontab -" Jump to behavior
Source: /tmp/psO5Q4nOUG (PID: 5262) Shell command executed: sh -c "cp -rf '/tmp/psO5Q4nOUG' '/.Library/SystemServices/updateSystem'" Jump to behavior
Source: /tmp/psO5Q4nOUG (PID: 5264) Shell command executed: sh -c "nohup '/.Library/SystemServices/updateSystem' >/dev/null 2>&1 &" Jump to behavior
Source: /.Library/SystemServices/updateSystem (PID: 5267) Shell command executed: sh -c "id -u" Jump to behavior
Source: /.Library/SystemServices/updateSystem (PID: 5269) Shell command executed: sh -c whoami Jump to behavior
Source: /.Library/SystemServices/updateSystem (PID: 5271) Shell command executed: sh -c "crontab -l | egrep -v \"^(#|$)\" | grep -e \"@reboot (/.Library/SystemServices/updateSystem)\"" Jump to behavior
Source: /.Library/SystemServices/updateSystem (PID: 5277) Shell command executed: sh -c "ifconfig | grep -v 127.0.0.1 | grep -E \"inet ([0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3})\" | awk '{print $2}'" Jump to behavior
Source: /.Library/SystemServices/updateSystem (PID: 5282) Shell command executed: sh -c "ip address | awk '/ether/{print $2}'" Jump to behavior
Source: /.Library/SystemServices/updateSystem (PID: 5285) Shell command executed: sh -c "uname -mrs" Jump to behavior
Executes the "nohup" (no hangup) command used to avoid background terminal process from being killed
Source: /bin/sh (PID: 5265) Nohup executable: /usr/bin/nohup -> nohup /.Library/SystemServices/updateSystem Jump to behavior
Executes the "rm" command used to delete files or directories
Source: /usr/bin/dash (PID: 5304) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.Q8Xy6IVkIu /tmp/tmp.IvmgDS2E93 /tmp/tmp.bl8wKDFCTb Jump to behavior
Source: /bin/sh (PID: 5281) Awk executable: /usr/bin/awk -> awk "{print $2}" Jump to behavior
Source: /bin/sh (PID: 5284) Awk executable: /usr/bin/awk -> awk "/ether/{print $2}" Jump to behavior
Source: submitted sample Stderr: no crontab for rootno crontab for root: exit code = 0

Malware Analysis System Evasion:

barindex
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /.Library/SystemServices/updateSystem (PID: 5265) Queries kernel information via 'uname': Jump to behavior
Source: /usr/sbin/ifconfig (PID: 5278) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/uname (PID: 5286) Queries kernel information via 'uname': Jump to behavior
Deletes log files
Source: /usr/sbin/logrotate (PID: 5172) Truncated file: /var/log/cups/access_log.1 Jump to behavior
Source: /usr/sbin/logrotate (PID: 5172) Truncated file: /var/log/syslog.1 Jump to behavior
Executes the "id" command, possibly to determine if the user is root or not
Source: /bin/sh (PID: 5251) Executable: /usr/bin/id -> id -u Jump to behavior
Source: /bin/sh (PID: 5268) Executable: /usr/bin/id -> id -u Jump to behavior
Source: 5220.9.dr Binary or memory string: -9915837702310A--gzvmware kernel module
Source: 5220.9.dr Binary or memory string: -1116261022170A--gzQEMU User Emulator
Source: 5220.9.dr Binary or memory string: qemu-or1k
Source: 5220.9.dr Binary or memory string: qemu-riscv64
Source: 5220.9.dr Binary or memory string: {cqemu
Source: 5220.9.dr Binary or memory string: qemu-arm
Source: 5220.9.dr Binary or memory string: (qemu
Source: 5220.9.dr Binary or memory string: qemu-tilegx
Source: 5220.9.dr Binary or memory string: qemu-hppa
Source: 5220.9.dr Binary or memory string: q{rqemu%
Source: 5220.9.dr Binary or memory string: )qemu
Source: 5220.9.dr Binary or memory string: vmware-toolbox-cmd
Source: 5220.9.dr Binary or memory string: qemu-ppc
Source: 5220.9.dr Binary or memory string: Tqemu9
Source: 5220.9.dr Binary or memory string: qemu-aarch64_be
Source: 5220.9.dr Binary or memory string: 0qemu9
Source: 5220.9.dr Binary or memory string: qemu-sparc64
Source: 5220.9.dr Binary or memory string: qemu-mips64
Source: 5220.9.dr Binary or memory string: vV:qemu9
Source: 5220.9.dr Binary or memory string: qemu-ppc64le
Source: 5220.9.dr Binary or memory string: <glib::param::uint64Glib::Param::UInt643pm315820097650A--gzWrapper for uint64 parameters in GLibx86_64-linux-gnu-ld.gold-1116112426130B--gzThe GNU ELF linkerprinter-profile-1115804162510A--gzProfile using X-Rite ColorMunki and Argyll CMSgrub-fstest-1116214898500A--gzdebug tool for GRUB filesystem driversxdg-user-dir-1115483406210A--gzFind an XDG user dirkmodsign-1115569251480A--gzKernel module signing toolsensible-editor-1115739932820A--gzsensible editing, paging, and web browsingminesMines6615854478170Cgnome-mines-gzinputattach-1115708189280A--gzattach a serial line to an input-layer devicegapplication-1116155671180A--gzD-Bus application launcherip-tunnel-8815816145190A--gztunnel configurationkoi8rxterm-1116140167530A--gzX terminal emulator for KOI8-R environmentsfoo2hiperc-wrapper-1115804162510A-tgzConvert Postscript into a HIPERC printer streamcryptsetup-reencrypt-8816002888050A--gztool for offline LUKS device re-encryptionsyndaemon-1115861716810A--gza program that monitors keyboard activity and disables the touchpad when the keyboard is being used.gslj-1115980290200B--gzFormat and print text for LaserJet printer using ghostscriptfile2brl-1115757179490A--gzTranslate an xml or a text file into an embosser-ready braille filexfdesktop-settings-1115793419820A--gzDesktop settings for Xfceua-1115856013570B--gzManage Ubuntu Advantage services from Canonicallatin4-7715812813670B--gzISO 8859-4 character set encoded in octal, decimal, and hexadecimalsane-genesys-5516003468200A--gzSANE backend for GL646, GL841, GL843, GL847 and GL124 based USB flatbed scannerspdftohtml-1115853266670A--gzprogram to convert PDF files into HTML, XML and PNG imagesbluetooth-sendto-1116015653360A--gzGTK application for transferring files over Bluetoothqemu-ppc64-1116261022170B--gzQEMU User Emulatorcache_metadata_size-8815811608350A--gzEstimate the size of the metadata device needed for a given configuration.net::dbus::exporterNet::DBus::Exporter3pm315773746310A--gzExport object methods and signals to the bussane-pint-5516003468200A--gzSANE backend for scanners that use the PINT device driverbpf-helpers7-7715812813670A--gzlist of eBPF helper functionsfull-4415812813670A--gzalways full devicelogin-1115906478670A--gzbegin session on the systemcups-snmp-8815877390340A--gzcups snmp backend (deprecated)ordchr-3am315728089600A--gzconvert characters to strings and vice versasosreport-1116092694050A--gzCollect and package diagnostic and support datatop-1115827827270A--gzdisplay Linux processesuri::_punycodeURI::_punycode3pm315811897880A--gzencodes Unicode string in Punycodettytty4tty1systemd-localed-8816268940210B--gzLocale bus mechanismlvmsadc-8815816289110
Source: 5220.9.dr Binary or memory string: vmware
Source: 5220.9.dr Binary or memory string: qemu-cris
Source: 5220.9.dr Binary or memory string: libvmtools
Source: 5220.9.dr Binary or memory string: qemu-m68k
Source: 5220.9.dr Binary or memory string: qemu-xtensa
Source: 5220.9.dr Binary or memory string: 9qemu
Source: 5220.9.dr Binary or memory string: qemu-sh4
Source: 5220.9.dr Binary or memory string: Dprezip-bin-1116269780060A--gzprefix zip delta word list compressor/decompressornameif-8815490444730A--gzname network interfaces based on MAC addressesxdg-user-dirs-update-1115483406210A--gzUpdate XDG user dir configurationip-link-8815816145190A--gznetwork device configurationhpsa-4415812813670A--gzHP Smart Array SCSI driverhd4-4415812813670A--gzMFM/IDE hard disk devicessane-canon630u-5516003468200A--gzSANE backend for the Canon 630u USB flatbed scannersg_copy_results-8815825816070A--gzsend SCSI RECEIVE COPY RESULTS command (XCOPY related)grub-macbless-8816214898500A--gzbless a mac file/directoryntfstruncate-8815568625640A-tgztruncate a file on an NTFS volumelessfile-1115936459130B--gz"input preprocessor" for less.sane-artec-5516003468200A--gzSANE backend for Artec flatbed scannersrmdir-1115676799200A--gzremove empty directoriessystemd-networkd-wait-online.service-8816268940210A--gzWait for network to come onlinemkfs.ntfs-8815568625640B-tgzcreate an NTFS file systemsg_inq-8815825816070A--gzissue SCSI INQUIRY command and/or decode its responseradattr.so-8815955079440Cpppd-radattr-gzc_rehash-1ssl116164130370B--gzCreate symbolic links to files named by the hash valuestc-htb-8815816145190A--gzHierarchy Token Bucketgvfs-open-1115868766090A--gzsg_rbuf-8815825816070A--gzreads data using SCSI READ BUFFER commandglib-compile-schemas-1116155671180A--gzGSettings schema compileropenssl-srp-1ssl116164130370B--gzmaintain SRP password fileopenssl-rehash-1ssl116164130370B--gzCreate symbolic links to files named by the hash valueslibvmtools-3315837702310A--gzvmware shared librarypasswd5-5515906478670A--gzthe password filenet::dbus::dumperNet::DBus::Dumper3pm315773746310A--gzStringify Net::DBus objects suitable for printingsane-hp4200-5516003468200A--gzSANE backend for Hewlett-Packard 4200 scannersposixoptions-7715812813670A--gzoptional parts of the POSIX standardnetworkmanager.confNetworkManager.conf5516002723180A--gzNetworkManager configuration fileownership-8815771238010A--gzCompaq ownership tag retrieveroakdecode-1115804162510A--gzDecode an OAKT printer stream into human readable form.gvfs-save-1115868766090A--gzmkfs.minix-8815953177680A--gzmake a Minix filesystemuri7-7715812813670A--gzuniform resource identifier (URI), including a URL or URNedit-1115714399500B--gzexecute programs via entries in the mailcap filegit-diff-files-1116148628880A--gzCompares files in the working tree and the index.ldaprc-5516136581350Cldap.conf-gzpactl-1116219586470A--gzControl a running PulseAudio sound servertempfile-1115756848240A--gzcreate a temporary file in a safe mannerhp-check-1115857238880A--gzDependency/Vers
Source: 5220.9.dr Binary or memory string: .qemu{
Source: 5220.9.dr Binary or memory string: qemu-ppc64abi32
Source: 5220.9.dr Binary or memory string: qemu-ppc64
Source: 5220.9.dr Binary or memory string: qemu-i386
Source: 5220.9.dr Binary or memory string: qemu-x86_64
Source: 5220.9.dr Binary or memory string: H~6\nqemu*q
Source: 5220.9.dr Binary or memory string: @qemu
Source: 5220.9.dr Binary or memory string: Fqqemu
Source: 5220.9.dr Binary or memory string: N4qemu
Source: 5220.9.dr Binary or memory string: ~6\nqemu*q
Source: 5220.9.dr Binary or memory string: qemu-mips64el
Source: 5220.9.dr Binary or memory string: hqemu
Source: 5220.9.dr Binary or memory string: &mqemu
Source: 5220.9.dr Binary or memory string: $qemu
Source: 5220.9.dr Binary or memory string: qemu-sparc
Source: 5220.9.dr Binary or memory string: qemu-microblaze
Source: 5220.9.dr Binary or memory string: qemu-user
Source: 5220.9.dr Binary or memory string: qemu-aarch64
Source: 5220.9.dr Binary or memory string: qemu-sh4eb
Source: 5220.9.dr Binary or memory string: iqemu
Source: 5220.9.dr Binary or memory string: qemu-mipsel
Source: 5220.9.dr Binary or memory string: qemuP`
Source: 5220.9.dr Binary or memory string: qemu-alpha
Source: 5220.9.dr Binary or memory string: qemu-microblazeel
Source: 5220.9.dr Binary or memory string: \qemu
Source: 5220.9.dr Binary or memory string: qemu-xtensaeb
Source: 5220.9.dr Binary or memory string: qemu-mipsn32el
Source: 5220.9.dr Binary or memory string: SAqemu
Source: 5220.9.dr Binary or memory string: Vqemu
Source: 5220.9.dr Binary or memory string: qemu-mipsn32
Source: 5220.9.dr Binary or memory string: qemuAU
Source: 5220.9.dr Binary or memory string: qemu-riscv32
Source: 5220.9.dr Binary or memory string: qemu-sparc32plus
Source: 5220.9.dr Binary or memory string: 7,qemu
Source: 5220.9.dr Binary or memory string: qemu-s390x
Source: 5220.9.dr Binary or memory string: vmware-checkvm
Source: 5220.9.dr Binary or memory string: qemu-nios2
Source: 5220.9.dr Binary or memory string: qemu-armeb
Source: 5220.9.dr Binary or memory string: -4415868968400A--gzVMware SVGA video driver
Source: 5220.9.dr Binary or memory string: 7xml::parser::style::streamXML::Parser::Style::Stream3pm315701248990A--gzStream style for XML::Parsersystemd-timedated-8816268940210B--gzTime and date bus mechanismxfce4-keyboard-settings-1115867081120A--gzKeyboard settings for Xfcepygettext2-1115841026830B--gzPython equivalent of xgettext(1)sudoedit-8816110660620B--gzexecute a command as another userintro7-7715812813670A--gzintroduction to overview and miscellany sectionsprof-1115812813670A--gzread and display shared object profiling datadhclient.conf-5516219398220A--gzDHCP client configuration filepam_group-8815953742440A--gzPAM module for group accesssystemd-ask-password-1116268940210A--gzQuery the user for a system passwordupdate-dictcommon-hunspell-8815422954860A--gzrebuild hunspell database and emacsen stuffqemu-nios2-1116261022170B--gzQEMU User Emulatorlwp::useragentLWP::UserAgent3pm315750405830A--gzWeb user agent classgpgcompose-1115838662460A--gzGenerate a stream of OpenPGP packetsecho-1115676799200A--gzdisplay a line of textio::socket::ssl::utilsIO::Socket::SSL::Utils3pm315817106800A--gz- loading, storing, creating certificates and keyscurl-1116268709580A--gztransfer a URLgetcap-8815819434600A--gzexamine file capabilitieszegrep-1115762517060B--gzsearch possibly compressed files for a regular expressiongrub-syslinux2cfg-1116214898500A--gztransform syslinux config into grub.cfgrtc-4415812813670A--gzreal-time clockglib::codegenGlib::CodeGen3pm315820097650A--gzcode generation utilities for Glib-based bindings.wpa_cli-8816146062790A--gzWPA command line clientiso_8859_3-7715812813670B--gzISO 8859-3 character set encoded in octal, decimal, and hexadecimaliso_8859-9-7715812813670A-tgzISO 8859-9 character set encoded in octal, decimal, and hexadecimallvextend-8815816289110A--gzAdd space to a logical volumeresolvectl-1116268940210A--gzResolve domain names, IPV4 and IPv6 addresses, DNS resource records, and services; introspect and reconfigure the DNS resolverchgrp-1115676799200A--gzchange group ownershipsystemd-cgls-1116268940210A--gzRecursively show control group contentspygettext3.8-1113852085880A--gzPython equivalent of xgettext(1)ping4-8815804258830B--gzsend ICMP ECHO_REQUEST to network hostsidmapwb-8816000845410A--gzwinbind ID mapping plugin for cifs-utilsapturl-gtk-8815799493830B--gzgraphical apt-protocol interpreting package installersane-epsonds-5516003468200A--gzSANE backend for EPSON ESC/I-2 scannersgvfs-monitor-file-1115868766090A--gzrstart-1115829564830A--gza sample implementation of a Remote Start clientgit-stage-1116148628880A--gzAdd file contents to the staging areatc-pedit-8815816145190A--gzgeneric packet editor actioniptables-save-881582899
Source: 5220.9.dr Binary or memory string: I_qemu
Source: 5220.9.dr Binary or memory string: -1116261022170B--gzQEMU User Emulator
Source: 5220.9.dr Binary or memory string: -3315837702310A--gzvmware shared library
Source: 5220.9.dr Binary or memory string: qemu-mips
Source: 5220.9.dr Binary or memory string: qemuj\
Source: 5220.9.dr Binary or memory string: {qemuQ&
Source: 5220.9.dr Binary or memory string: Wgnome-text-editor-111629209547491759146B--gztext editor for the GNOME Desktopx11::protocol::connection::filehandleX11::Protocol::Connection::FileHandle3pm314314075500A--gzPerl module base class for FileHandle-based X11 connectionshtbHTB8815816145190Ctc-htb-gzcifscreds-1116000845410A--gzmanage NTLM credentials in kernel keyringiwconfig-8815490049440A--gzconfigure a wireless network interfaceossl_store-file-7ssl716164130370A--gzThe store 'file' scheme loadertc-stab-8815816145190A--gzGeneric size table manipulationsnotifier-7715877390340A--gzcups notification interfaceqemu-arm-1116261022170B--gzQEMU User EmulatorgemfileGemfile5516263767190Cgemfile2.7-gzglib::object::subclassGlib::Object::Subclass3pm315820097650A--gzregister a perl class as a GObject classnetcat-111612200165426646725B--gzarbitrary TCP and UDP connections and listensdpkg::changelog::parseDpkg::Changelog::Parse3perl315849439740A--gzgeneric changelog parser for dpkg-parsechangelogmpris-proxy-1116243432320A--gzBluetooth mpris-proxybundle-pristine2.7-1116263767190A--gzRestores installed gems to their pristine conditionfsck.ext3-8815816604980B--gzcheck a Linux ext2/ext3/ext4 file systemvolname-1115625752510A--gzreturn volume nameiso-8859-9-7715812813670B--gzISO 8859-9 character set encoded in octal, decimal, and hexadecimalheadhead1HEAD1psd-4415812813670A--gzdriver for SCSI disk driveschrt-1115953177680A--gzmanipulate the real-time attributes of a processvcs-4415812813670A--gzvirtual console memorygit-upload-archive-1116148628880A--gzSend archive back to git-archivenet::dbus::binding::message::errorNet::DBus::Binding::Message::Error3pm315773746310A--gza message encoding a method call errorpkcs11.conf-5516097870510A--gzConfiguration files for PKCS#11 modulessfill-1115227593860A--gzsecure free disk and inode space wiper (secure_deletion toolkit)ldattach-8815953177680A--gzattach a line discipline to a serial linethin_restore-8815811608350A--gzrestore thin provisioning metadata file to device or file.phar.phar7.4-1116254980150B--gzPHAR (PHP archive) command line toolbundle-outdated2.7-1116263767190A--gzList installed gems with newer versions availablemail::addressMail::Address3pm315640244160A--gzparse mail addressesopenssl-ca-1ssl116164130370B--gzsample minimal CA applicationchardet3-1115765858900A--gzuniversal character encoding detectorerb2.7-1116263767190A--gzRuby Templatingchktrust-1115826667350A--gzCheck the trust of a PE executable.sg_raw-8815825816070A--gzsend arbitrary SCSI command to a devicegvfs-trash-1115868766090A--gzintro1-1115812813670A--gzintroduction to user commandsmailcap-5515714399500A--gzmetamail capabilities filegigoloGigolo1gig
Source: 5220.9.dr Binary or memory string: vmware-xferlogs

Stealing of Sensitive Information:

barindex
Executes the "ifconfig" command used to gather network information
Source: /bin/sh (PID: 5278) Ifconfig executable: /usr/sbin/ifconfig -> ifconfig Jump to behavior
Executes the "uname" command used to read OS and architecture name
Source: /bin/sh (PID: 5286) Uname executable: /usr/bin/uname -> uname -mrs Jump to behavior

No Screenshots

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
54.171.230.55
 unknown United States
16509 AMAZON-02US false
23.254.131.176
 graphic-updater.com United States
54290 HOSTWINDSUS false
142.250.181.78
 drive.google.com United States
15169 GOOGLEUS false
109.202.202.202
 unknown Switzerland
13030 INIT7CH false
142.250.181.65
 googlehosted.l.googleusercontent.com United States
15169 GOOGLEUS false
91.189.91.43
 unknown United Kingdom
41231 CANONICAL-ASGB false
91.189.91.42
 unknown United Kingdom
41231 CANONICAL-ASGB false

Contacted Domains

Name IP Active
graphic-updater.com 23.254.131.176 true
drive.google.com 142.250.181.78 true
googlehosted.l.googleusercontent.com 142.250.181.65 true
doc-0k-2o-docs.googleusercontent.com unknown unknown