IOC Report
1isequal9.arm

Files

File Path | Type | Category | Malicious
1isequal9.arm | ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped | initial sample | malicious
/var/log/wtmp | data | dropped | malicious
/home/saturnino/.config/pulse/ee49dfd4fa47433baee88884e2d7de7c-default-sink | ASCII text | dropped |
/home/saturnino/.config/pulse/ee49dfd4fa47433baee88884e2d7de7c-default-source | ASCII text | dropped |
/proc/6474/oom_score_adj | very short file (no magic) | dropped |
/run/gdm3.pid | ASCII text | dropped |
/run/systemd/journal/streams/.#9:75018lw0CbK | ASCII text | dropped |
/run/systemd/journal/streams/.#9:75019o3KZTM | ASCII text | dropped |
/run/systemd/journal/streams/.#9:75245x49NsN | ASCII text | dropped |
/run/systemd/journal/streams/.#9:752621A12rK | ASCII text | dropped |
/run/systemd/journal/streams/.#9:75955K4u6BN | ASCII text | dropped |
/run/systemd/journal/streams/.#9:76157OSqEhM | ASCII text | dropped |
/run/systemd/journal/streams/.#9:76176G25jGK | ASCII text | dropped |
/run/systemd/journal/streams/.#9:76283a6Cx8L | ASCII text | dropped |
/run/systemd/journal/streams/.#9:76284tVVVfL | ASCII text | dropped |
/run/systemd/journal/streams/.#9:76287G4fchO | ASCII text | dropped |
/run/systemd/journal/streams/.#9:7644849WLoM | ASCII text | dropped |
/run/systemd/journal/streams/.#9:76597ueUGtL | ASCII text | dropped |
/run/systemd/journal/streams/.#9:76697hPVHgM | ASCII text | dropped |
/run/systemd/journal/streams/.#9:76775rOT3ZM | ASCII text | dropped |
/run/systemd/journal/streams/.#9:76790SdgP0M | ASCII text | dropped |
/run/systemd/journal/streams/.#9:771928HMvgK | ASCII text | dropped |
/run/systemd/journal/streams/.#9:77194PNcvLM | ASCII text | dropped |
/run/systemd/journal/streams/.#9:77230EsEw0K | ASCII text | dropped |
/run/systemd/journal/streams/.#9:77235e6ws8N | ASCII text | dropped |
/run/systemd/journal/streams/.#9:77535UdbKIM | ASCII text | dropped |
/run/systemd/journal/streams/.#9:77932cdsDmN | ASCII text | dropped |
/run/systemd/seats/.#seat0izgq07 | ASCII text | dropped |
/run/systemd/seats/.#seat0xCLwZ7 | ASCII text | dropped |
/run/systemd/users/.#1273tH4oa | ASCII text | dropped |
/run/systemd/users/.#127PRvuxa | ASCII text | dropped |
/run/systemd/users/.#127UMUrx8 | ASCII text | dropped |
/run/systemd/users/.#127Z4PAH9 | ASCII text | dropped |
/run/systemd/users/.#127qgny5a | ASCII text | dropped |
/run/user/1000/pulse/pid | ASCII text | dropped |
/run/utmp | data | dropped |
/tmp/qemu-open.hu2k0x (deleted) | ASCII text | dropped |
/var/crash/_usr_bin_light-locker.1000.uploaded | ASCII text | dropped |
/var/lib/AccountsService/users/gdm.WTWPL1 | ASCII text | dropped |
/var/lib/ubuntu-drivers-common/last_gfx_boot | ASCII text | dropped |
/var/lib/whoopsie/whoopsie-id.60SZL1 | ASCII text, with no line terminators | dropped |
/var/log/auth.log | ASCII text | dropped |
/var/log/gpu-manager.log | ASCII text | dropped |
/var/log/journal/ee49dfd4fa47433baee88884e2d7de7c/system.journal | data | dropped |
/var/log/journal/ee49dfd4fa47433baee88884e2d7de7c/user-1000.journal | data | dropped |
/var/log/kern.log | ASCII text | dropped |
/var/log/syslog | ASCII text, with very long lines | dropped |

Processes

Path | Cmdline | Malicious
/tmp/1isequal9.arm | /tmp/1isequal9.arm |
/tmp/1isequal9.arm | n/a |
/tmp/1isequal9.arm | n/a |
/tmp/1isequal9.arm | n/a |
/tmp/1isequal9.arm | n/a |
/tmp/1isequal9.arm | n/a |
/usr/lib/systemd/systemd | n/a |
/usr/bin/journalctl | /usr/bin/journalctl --smart-relinquish-var |
/usr/lib/systemd/systemd | n/a |
/lib/systemd/systemd-journald | /lib/systemd/systemd-journald |
/usr/lib/systemd/systemd | n/a |
/usr/bin/journalctl | /usr/bin/journalctl --flush |
/usr/lib/systemd/systemd | n/a |
/usr/bin/dbus-daemon | /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only |
/usr/lib/systemd/systemd | n/a |
/usr/bin/whoopsie | /usr/bin/whoopsie -f |
/usr/lib/systemd/systemd | n/a |
/usr/bin/pulseaudio | /usr/bin/pulseaudio --daemonize=no --log-target=journal |
/usr/lib/systemd/systemd | n/a |
/usr/libexec/rtkit-daemon | /usr/libexec/rtkit-daemon |
/usr/lib/systemd/systemd | n/a |
/lib/systemd/systemd-logind | /lib/systemd/systemd-logind |
/usr/lib/systemd/systemd | n/a |
/usr/lib/policykit-1/polkitd | /usr/lib/policykit-1/polkitd --no-debug |
/usr/lib/systemd/systemd | n/a |
/usr/sbin/rsyslogd | /usr/sbin/rsyslogd -n -iNONE |
/usr/sbin/gdm3 | n/a |
/etc/gdm3/PrimeOff/Default | /etc/gdm3/PrimeOff/Default |
/usr/sbin/gdm3 | n/a |
/etc/gdm3/PrimeOff/Default | /etc/gdm3/PrimeOff/Default |
/usr/sbin/gdm3 | n/a |
/etc/gdm3/PrimeOff/Default | /etc/gdm3/PrimeOff/Default |
/usr/lib/systemd/systemd | n/a |
/sbin/agetty | /sbin/agetty -o "-p -- \\u" --noclear tty2 linux |
/usr/lib/systemd/systemd | n/a |
/usr/bin/gpu-manager | /usr/bin/gpu-manager --log /var/log/gpu-manager.log |
/usr/bin/gpu-manager | n/a |
/bin/sh | sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf" |
/bin/sh | n/a |
/usr/bin/grep | grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf |
/usr/bin/gpu-manager | n/a |
/bin/sh | sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf" |
/bin/sh | n/a |
/usr/bin/grep | grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf |
/usr/bin/gpu-manager | n/a |
/bin/sh | sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf" |
/bin/sh | n/a |
/usr/bin/grep | grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf |
/usr/bin/gpu-manager | n/a |
/bin/sh | sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf" |
/bin/sh | n/a |
/usr/bin/grep | grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf |
/usr/bin/gpu-manager | n/a |
/bin/sh | sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf" |
/bin/sh | n/a |
/usr/bin/grep | grep -G ^blacklist.*amdgpu[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf |
/usr/bin/gpu-manager | n/a |
/bin/sh | sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /lib/modprobe.d/*.conf" |
/bin/sh | n/a |
/usr/bin/grep | grep -G ^blacklist.*amdgpu[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf |
/usr/bin/gpu-manager | n/a |
/bin/sh | sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /etc/modprobe.d/*.conf" |
/bin/sh | n/a |
/usr/bin/grep | grep -G ^blacklist.*nouveau[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf |
/usr/bin/gpu-manager | n/a |
/bin/sh | sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /lib/modprobe.d/*.conf" |
/bin/sh | n/a |
/usr/bin/grep | grep -G ^blacklist.*nouveau[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf |
/usr/lib/systemd/systemd | n/a |
/usr/share/gdm/generate-config | /usr/share/gdm/generate-config |
/usr/share/gdm/generate-config | n/a |
/usr/bin/pkill | pkill --signal HUP --uid gdm dconf-service |
/usr/lib/systemd/systemd | n/a |
/usr/lib/gdm3/gdm-wait-for-drm | /usr/lib/gdm3/gdm-wait-for-drm |
/usr/lib/systemd/systemd | n/a |
/usr/sbin/gdm3 | /usr/sbin/gdm3 |
/usr/sbin/gdm3 | n/a |
/usr/bin/plymouth | plymouth --ping |
/usr/sbin/gdm3 | n/a |
/usr/lib/gdm3/gdm-session-worker | "gdm-session-worker [pam/gdm-launch-environment]" |
/usr/lib/gdm3/gdm-session-worker | n/a |
/usr/lib/gdm3/gdm-wayland-session | /usr/lib/gdm3/gdm-wayland-session "dbus-run-session -- gnome-session --autostart /usr/share/gdm/greeter/autostart" |
/usr/lib/gdm3/gdm-wayland-session | n/a |
/usr/bin/dbus-daemon | dbus-daemon --print-address 3 --session |
/usr/bin/dbus-daemon | n/a |
/usr/bin/dbus-daemon | n/a |
/bin/false | /bin/false |
/usr/lib/gdm3/gdm-wayland-session | n/a |
/usr/bin/dbus-run-session | dbus-run-session -- gnome-session --autostart /usr/share/gdm/greeter/autostart |
/usr/bin/dbus-run-session | n/a |
/usr/bin/dbus-daemon | dbus-daemon --nofork --print-address 4 --session |
/usr/sbin/gdm3 | n/a |
/etc/gdm3/PrimeOff/Default | /etc/gdm3/PrimeOff/Default |
/usr/sbin/gdm3 | n/a |
/etc/gdm3/PrimeOff/Default | /etc/gdm3/PrimeOff/Default |
/usr/lib/systemd/systemd | n/a |
/usr/lib/accountsservice/accounts-daemon | /usr/lib/accountsservice/accounts-daemon |
/usr/lib/accountsservice/accounts-daemon | n/a |
/usr/share/language-tools/language-validate | /usr/share/language-tools/language-validate en_US.UTF-8 |
/usr/share/language-tools/language-validate | n/a |
/usr/share/language-tools/language-options | /usr/share/language-tools/language-options |
/usr/share/language-tools/language-options | n/a |
/bin/sh | sh -c "locale -a | grep -F .utf8 " |
/bin/sh | n/a |
/usr/bin/locale | locale -a |
/bin/sh | n/a |
/usr/bin/grep | grep -F .utf8 |
/usr/libexec/gvfsd-fuse | n/a |
/bin/fusermount | fusermount -u -q -z -- /run/user/1000/gvfs |
/usr/lib/systemd/systemd | n/a |
/usr/bin/dbus-daemon | /usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only |

URLs

Name | IP | Malicious
https://www.rsyslog.com | unknown |

Domains

Name | IP | Malicious
daisy.ubuntu.com | 185.125.188.136 |

IPs

IP | Domain | Country | Malicious