Linux Analysis Report
1isequal9.arm7

Overview

General Information

Sample Name: 1isequal9.arm7
Analysis ID: 626544
MD5: c798ceff4aaaf18c02b544d6ef56def9
SHA1: b8ef596aad37bb69bcdb0191d5a50ed6aedfa3f1
SHA256: 63275088f5f653385fce127219b64d70e2c6b6c5511568d27997b2496d7c573e

Detection

Mirai
Score: 64
Range: 0 - 100
Whitelisted: false

Signatures

Yara detected Mirai
Reads system files that contain records of logged in users
Contains symbols with names commonly found in malware
Sample tries to kill multiple processes (SIGKILL)
Sample reads /proc/mounts (often used for finding a writable filesystem)
Executes the "kill" or "pkill" command typically used to terminate processes
Reads CPU information from /sys indicative of miner or evasive malware
Yara signature match
Executes the "grep" command used to find patterns in files or piped streams
Reads system information from the proc file system
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Sample contains symbols with suspicious names
Deletes log files
Creates hidden files and/or directories
Sample tries to set the executable flag
Executes commands using a shell command-line interpreter

Classification

Only lines whose Source is /tmp/1isequal9.arm7 describe the sample itself. Sources such as /usr/bin/pulseaudio, /usr/bin/pkill, systemd-journald, gdm3 and dbus-daemon are host processes whose activity the sandbox recorded during the run; read their entries as background, not as behaviour of the sample. In particular, the "Reads CPU information from /sys" signature is backed only by the two host-process entries below and should not be read as miner behaviour.

Source: /usr/bin/pulseaudio (PID: 6321) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6428) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /tmp/1isequal9.arm7 (PID: 6226) Socket: 127.0.0.1::59025 (loopback listener; the only socket entry attributed to the sample here)
Source: /lib/systemd/systemd-journald (PID: 6262) Socket: <unknown socket type>:unknown
Source: /usr/sbin/gdm3 (PID: 6450) Socket: <unknown socket type>:unknown
Source: /usr/bin/dbus-daemon (PID: 6482) Socket: <unknown socket type>:unknown
Source: syslog.35.dr String found in binary or memory: https://www.rsyslog.com

System Summary

Source: ELF static info symbol of initial sample Name: attack.c
Source: ELF static info symbol of initial sample Name: attack_app.c
Source: ELF static info symbol of initial sample Name: attack_get_opt_int
Source: ELF static info symbol of initial sample Name: attack_get_opt_ip
Source: ELF static info symbol of initial sample Name: attack_get_opt_str
Source: ELF static info symbol of initial sample Name: attack_gre.c
Source: ELF static info symbol of initial sample Name: attack_gre_eth
Source: ELF static info symbol of initial sample Name: attack_gre_ip
Source: ELF static info symbol of initial sample Name: attack_init
Source: ELF static info symbol of initial sample Name: attack_method_http
Source: /tmp/1isequal9.arm7 (PID: 6234) SIGKILL sent: pids 491, 658, 720, 721, 759, 761, 772, 774, 777, 785, 793, 936, 1334, 1335, 1344, 1601, 1860, 1872, 1886, 2048, 6044, 6190, 6191 and 6230, result: successful for each
Source: /tmp/1isequal9.arm7 (PID: 6234) SIGKILL sent: pid: 6234 (its own pid), result: unknown
Source: /tmp/1isequal9.arm7 (PID: 6507) SIGKILL sent: pid: 6505, result: successful
Source: /tmp/1isequal9.arm7 (PID: 6515) SIGKILL sent: pid: 6513, result: successful
Of the targets, 6230, 6505 and 6513 have memory dumps of their own among the YARA matches in this section, so those are earlier processes of the sample itself; the remaining targets all predate the sample's first pid (6226) and were existing host processes.
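The kill list above is the first thing a practitioner triages in a Mirai report. The Python below is an added example, not part of the Joe Sandbox report: it parses lines in the report's own "SIGKILL sent" format, aggregates them per sending pid, and flags a process that kills at least a threshold number of distinct pids (the threshold of 5 is an assumption) or sends SIGKILL to itself. The sample input is a constructed excerpt in the same format, with one unrelated pkill line added to show that it is skipped.

```python
"""Triage the 'SIGKILL sent' lines of a Joe Sandbox Linux report: group them by
sending pid and flag kill sprees and self-kills.  Added example, not part of
the report; the spree threshold is an assumption."""
import re
from typing import Dict, List, NamedTuple, Set

# Matches the report's own line format, e.g.
# "Source: /tmp/x (PID: 6234) SIGKILL sent: pid: 491, result: successful"
KILL_RE = re.compile(
    r"^Source: (?P<path>\S+) \(PID: (?P<src>\d+)\) SIGKILL sent: "
    r"pid: (?P<target>\d+), result: (?P<result>\w+)"
)


class KillEvent(NamedTuple):
    path: str
    src: int
    target: int
    result: str


class KillSummary(NamedTuple):
    path: str
    targets: Set[int]
    successful: int
    self_kill: bool
    spree: bool


def parse_kill_events(lines: List[str]) -> List[KillEvent]:
    """Keep only the lines that are SIGKILL events; other behaviour lines
    (pkill, grep, file opens) are ignored."""
    events: List[KillEvent] = []
    for line in lines:
        m = KILL_RE.match(line.strip())
        if m:
            events.append(KillEvent(m["path"], int(m["src"]), int(m["target"]), m["result"]))
    return events


def summarize(events: List[KillEvent], spree_threshold: int = 5) -> Dict[int, KillSummary]:
    """Per sending pid: distinct targets, successful kills, whether it signalled
    itself, and whether the distinct-target count reaches spree_threshold."""
    targets: Dict[int, Set[int]] = {}
    successful: Dict[int, int] = {}
    self_kill: Dict[int, bool] = {}
    paths: Dict[int, str] = {}
    for e in events:
        paths[e.src] = e.path
        targets.setdefault(e.src, set()).add(e.target)
        successful[e.src] = successful.get(e.src, 0) + (e.result == "successful")
        self_kill[e.src] = self_kill.get(e.src, False) or e.target == e.src
    return {
        src: KillSummary(paths[src], targets[src], successful[src], self_kill[src],
                         len(targets[src]) >= spree_threshold)
        for src in targets
    }


# Constructed excerpt in the report's format (a subset of the lines above plus
# one unrelated pkill line, to show that it is skipped).
SAMPLE_LINES = [
    "Source: /tmp/1isequal9.arm7 (PID: 6234) SIGKILL sent: pid: 491, result: successful",
    "Source: /tmp/1isequal9.arm7 (PID: 6234) SIGKILL sent: pid: 658, result: successful",
    "Source: /tmp/1isequal9.arm7 (PID: 6234) SIGKILL sent: pid: 720, result: successful",
    "Source: /tmp/1isequal9.arm7 (PID: 6234) SIGKILL sent: pid: 721, result: successful",
    "Source: /tmp/1isequal9.arm7 (PID: 6234) SIGKILL sent: pid: 759, result: successful",
    "Source: /tmp/1isequal9.arm7 (PID: 6234) SIGKILL sent: pid: 6234, result: unknown",
    "Source: /tmp/1isequal9.arm7 (PID: 6507) SIGKILL sent: pid: 6505, result: successful",
    "Source: /tmp/1isequal9.arm7 (PID: 6515) SIGKILL sent: pid: 6513, result: successful",
    "Source: /usr/share/gdm/generate-config (PID: 6428) Pkill executable: /usr/bin/pkill -> "
    "pkill --signal HUP --uid gdm dconf-service",
]


def triage(lines: List[str] = SAMPLE_LINES) -> List[int]:
    """Return the sending pids that deserve analyst attention."""
    summary = summarize(parse_kill_events(lines))
    return sorted(src for src, s in summary.items() if s.spree or s.self_kill)


if __name__ == "__main__":
    for src, s in summarize(parse_kill_events(SAMPLE_LINES)).items():
        print(f"{s.path} pid {src}: {len(s.targets)} targets, {s.successful} successful, "
              f"self_kill={s.self_kill}, spree={s.spree}")
```

Feeding the full behaviour export of a report to parse_kill_events gives one KillSummary per killer; a process with a large distinct-target set and a self-kill entry, as pid 6234 has here, is the pattern to look for, whereas a single kill of a sibling pid (6507 and 6515) is only notable once the targets are known to belong to the sample.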
Matched rule: SUSP_XORed_Mozilla (date = 2019-10-28, author = Florian Roth, modified = 2022-05-13, score = ). Description: Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key. Reference: https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()
The rule matched the following sources:
Source: 1isequal9.arm7, type: SAMPLE
Source: 6226.1.0000000097c8e407.000000009c2c05b8.rw-.sdmp, type: MEMORY
Source: 6229.1.0000000097c8e407.000000009c2c05b8.rw-.sdmp, type: MEMORY
Source: 6234.1.000000005d55c1b0.00000000007ca476.r-x.sdmp, type: MEMORY
Source: 6226.1.000000005d55c1b0.00000000007ca476.r-x.sdmp, type: MEMORY
Source: 6507.1.000000005d55c1b0.00000000007ca476.r-x.sdmp, type: MEMORY
Source: 6507.1.0000000097c8e407.000000009c2c05b8.rw-.sdmp, type: MEMORY
Source: 6513.1.000000005d55c1b0.00000000007ca476.r-x.sdmp, type: MEMORY
Source: 6230.1.000000005d55c1b0.00000000007ca476.r-x.sdmp, type: MEMORY
Source: 6233.1.000000005d55c1b0.00000000007ca476.r-x.sdmp, type: MEMORY
Source: 6229.1.000000005d55c1b0.00000000007ca476.r-x.sdmp, type: MEMORY
Source: 6515.1.000000005d55c1b0.00000000007ca476.r-x.sdmp, type: MEMORY
Source: 6513.1.0000000097c8e407.000000009c2c05b8.rw-.sdmp, type: MEMORY
Source: 6230.1.0000000097c8e407.000000009c2c05b8.rw-.sdmp, type: MEMORY
Source: 6505.1.000000005d55c1b0.00000000007ca476.r-x.sdmp, type: MEMORY
Source: 6234.1.0000000097c8e407.000000009c2c05b8.rw-.sdmp, type: MEMORY
Source: 6505.1.0000000097c8e407.000000009c2c05b8.rw-.sdmp, type: MEMORY
Source: 6515.1.0000000097c8e407.000000009c2c05b8.rw-.sdmp, type: MEMORY
Source: 6233.1.0000000097c8e407.000000009c2c05b8.rw-.sdmp, type: MEMORY
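The SUSP_XORed_Mozilla rule reports a hit but, as its description says, cannot print the key. The following Python script is added here as an illustration and is not part of the Joe Sandbox report or of the YARA rule: it does the brute force the rule description refers to, trying every single-byte key on a buffer, reporting the key under which 'Mozilla/5.0' appears, and decoding the remaining strings with that key. The obfuscated buffer is constructed for the example. The effective_table_key helper encodes an assumption modelled on the public Mirai source's table.c (the four bytes of a 32-bit key are applied one after another, which reduces to a single-byte XOR) and says nothing about the key this particular sample uses.

```python
"""Brute-force a single-byte XOR key from a 'Mozilla/5.0' hit and decode the
surrounding string table.  Added illustration: the buffer below is constructed
for the example and is not data taken from 1isequal9.arm7."""
from typing import List, Optional, Tuple

KEYWORD = b"Mozilla/5.0"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with one key byte."""
    return bytes(b ^ key for b in data)


def effective_table_key(key32: int) -> int:
    """Assumption modelled on the public Mirai source (table.c): the four bytes
    of a 32-bit key are XORed into every byte one after another, which is the
    same as a single-byte XOR with k1 ^ k2 ^ k3 ^ k4."""
    k = key32 & 0xFFFFFFFF
    return (k & 0xFF) ^ ((k >> 8) & 0xFF) ^ ((k >> 16) & 0xFF) ^ ((k >> 24) & 0xFF)


def brute_force_keyword(blob: bytes, keyword: bytes = KEYWORD) -> List[Tuple[int, int]]:
    """Return (key, offset) for every single-byte key under which keyword
    appears in blob.  Key 0 is skipped: that would be a plain-text match, which
    the YARA rule deliberately excludes."""
    hits: List[Tuple[int, int]] = []
    for key in range(1, 256):
        needle = xor_bytes(keyword, key)
        off = blob.find(needle)
        while off != -1:
            hits.append((key, off))
            off = blob.find(needle, off + 1)
    return hits


def decode_table(blob: bytes, key: int, min_len: int = 4) -> List[str]:
    """Decode blob with key and return the printable runs of at least min_len
    bytes, i.e. the recovered string table entries."""
    plain = xor_bytes(blob, key)
    entries: List[str] = []
    run = bytearray()
    for b in plain:
        if 0x20 <= b < 0x7F:
            run.append(b)
            continue
        if len(run) >= min_len:
            entries.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        entries.append(run.decode("ascii"))
    return entries


# Constructed string table (not from the sample): three NUL-terminated entries
# obfuscated with the single byte that the assumed table.c scheme derives from
# the key 0xdeadbeef used in the public Mirai source.
SAMPLE_KEY32 = 0xDEADBEEF
_PLAIN_TABLE = b"/proc/\x00Mozilla/5.0\x00/bin/busybox\x00"
SAMPLE_BLOB = xor_bytes(_PLAIN_TABLE, effective_table_key(SAMPLE_KEY32))


def recover(blob: bytes = SAMPLE_BLOB) -> Optional[Tuple[int, List[str]]]:
    """Brute-force the key from the keyword hit, then decode the whole table.
    Returns None when no single-byte key produces the keyword."""
    hits = brute_force_keyword(blob)
    if not hits:
        return None
    key = hits[0][0]
    return key, decode_table(blob, key)


if __name__ == "__main__":
    result = recover()
    if result is None:
        print("no single-byte XOR key yields Mozilla/5.0")
    else:
        key, strings = result
        print(f"key=0x{key:02x} strings={strings}")
```

On a real sample, read the data section of the ELF or one of the rw- memory dumps listed above into blob. A hit under exactly one key whose decoded table looks like paths, user agents and credentials confirms the key; hits under many different keys mean the keyword was found by coincidence in structured binary data and the rule fired on a false positive.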
Source: ELF static info symbol of initial sample Name: scanner.c
Source: ELF static info symbol of initial sample Name: scanner_init
Source: ELF static info symbol of initial sample Name: scanner_kill
Source: ELF static info symbol of initial sample Name: scanner_pid
Source: ELF static info symbol of initial sample Name: scanner_rawpkt
The attack.c, attack_app.c, attack_gre.c and scanner.c names, and the attack_* and scanner_* functions listed above, are the source-file and function names of the public Mirai bot source; an unstripped build carries them verbatim, which is what the symbol-name signatures in this report keyed on.
Source: classification engine Classification label: mal64.spre.troj.linARM7@0/45@0/0 (mal64 is the malicious verdict with the score of 64 from the Detection section; spre and troj are the spreading and trojan behaviour tags; linARM7 is the Linux ARMv7 target platform)

Persistence and Installation Behavior

Source: /usr/bin/dbus-daemon (PID: 6306) File: /proc/6306/mounts
Source: /usr/bin/dbus-daemon (PID: 6482) File: /proc/6482/mounts
Source: /usr/bin/dbus-daemon (PID: 6489) File: /proc/6489/mounts
Source: /bin/fusermount (PID: 6498) File: /proc/6498/mounts
Source: /usr/bin/dbus-daemon (PID: 6547) File: /proc/6547/mounts
Source: /usr/share/gdm/generate-config (PID: 6428) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /bin/sh (PIDs: 6407 nvidia, 6411 radeon, 6418 amdgpu, 6424 nouveau) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*<driver>[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PIDs: 6409 nvidia, 6416 radeon, 6420 amdgpu, 6426 nouveau) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*<driver>[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 6474) Grep executable: /usr/bin/grep -> grep -F .utf8
The /proc/<pid>/mounts reads, the pkill and the grep commands all come from host processes (dbus-daemon, fusermount, gdm's generate-config and the gpu-manager shell commands listed at the end of this section), so in the lines shown the "Sample reads /proc/mounts", "kill/pkill" and "grep" signatures are not backed by any action of /tmp/1isequal9.arm7.
Source: /lib/systemd/systemd-journald (PID: 6262) Reads from proc file: /proc/meminfo
Source: /lib/systemd/systemd-journald (PID: 6262) File opened: /proc/<pid>/comm, /proc/<pid>/cmdline, /proc/<pid>/status, /proc/<pid>/attr/current, /proc/<pid>/sessionid, /proc/<pid>/loginuid and /proc/<pid>/cgroup, for pid 6395, 6475, 2078, 2077, 2033, 2074, 2028 (three separate times), 1532, 1334 (twice), 2302, 2025 and 2223
This is journald collecting the per-process metadata it attaches to each journal entry (the sender's comm, cmdline, security context, session, login uid and cgroup) and is normal host activity; it is the kind of access the "Enumerates processes within the proc file system" signature flags, but here its source is journald, not the sample. Pid 1334 also appears in the sample's SIGKILL list above.
Source: /usr/bin/whoopsie (PID: 6317) Directory: /nonexistent/.cache Jump to behavior
Source: /usr/lib/policykit-1/polkitd (PID: 6389) Directory: /root/.cache Jump to behavior
Source: /usr/lib/gdm3/gdm-wayland-session (PID: 6480) Directory: /var/lib/gdm3/.cache Jump to behavior
Source: /usr/lib/accountsservice/accounts-daemon (PID: 6456) Directory: /root/.cache Jump to behavior
Source: /usr/sbin/gdm3 (PID: 6450) File: /var/run/gdm3 (bits: - usr: -x grp: x all: rwx) Jump to behavior
Source: /usr/sbin/gdm3 (PID: 6450) File: /var/log/gdm3 (bits: - usr: -x grp: x all: rwx) Jump to behavior
Source: /usr/lib/accountsservice/accounts-daemon (PID: 6456) File: /var/lib/AccountsService/icons (bits: - usr: rx grp: rwx all: rwx) Jump to behavior
Source: /usr/lib/accountsservice/accounts-daemon (PID: 6456) File: /var/lib/AccountsService/users (bits: - usr: - grp: - all: rwx) Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6406) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6408) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6410) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6415) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6417) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6419) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /lib/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6423) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /etc/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6425) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /lib/modprobe.d/*.conf" Jump to behavior
Source: /usr/share/language-tools/language-options (PID: 6470) Shell command executed: sh -c "locale -a | grep -F .utf8 " Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6395) Log file created: /var/log/auth.log Jump to dropped file
Source: /usr/sbin/rsyslogd (PID: 6395) Log file created: /var/log/kern.log Jump to dropped file
Source: /usr/bin/gpu-manager (PID: 6405) Log file created: /var/log/gpu-manager.log Jump to dropped file
Source: /usr/bin/pulseaudio (PID: 6321) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 6428) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /tmp/1isequal9.arm7 (PID: 6226) Queries kernel information via 'uname': Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/whoopsie (PID: 6317) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/pulseaudio (PID: 6321) Queries kernel information via 'uname': Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6395) Queries kernel information via 'uname': Jump to behavior
Source: /sbin/agetty (PID: 6398) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6405) Queries kernel information via 'uname': Jump to behavior
Source: /usr/lib/gdm3/gdm-session-worker (PID: 6475) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6405) Truncated file: /var/log/gpu-manager.log Jump to behavior
Source: syslog.35.dr Binary or memory string: May 14 12:00:20 galassia kernel: [ 479.246636] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 12/12/2018
Source: syslog.35.dr Binary or memory string: May 14 12:00:20 galassia kernel: [ 479.246585] Modules linked in: monitor(OE) md4 cmac cifs libarc4 fscache libdes vmw_vsock_vmci_transport vsock binfmt_misc dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua vmw_balloon joydev input_leds serio_raw vmw_vmci sch_fq_codel drm parport_pc ppdev lp parport ip_tables x_tables autofs4 btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel crypto_simd cryptd glue_helper psmouse ahci mptspi vmxnet3 scsi_transport_spi mptscsih libahci mptbase
Source: 1isequal9.arm7, 6226.1.000000003680e83a.000000005c5c2243.rw-.sdmp, 1isequal9.arm7, 6229.1.000000003680e83a.00000000ca6d1a3b.rw-.sdmp, 1isequal9.arm7, 6230.1.000000003680e83a.00000000ca6d1a3b.rw-.sdmp, 1isequal9.arm7, 6233.1.000000003680e83a.00000000ca6d1a3b.rw-.sdmp, 1isequal9.arm7, 6234.1.000000003680e83a.00000000ca6d1a3b.rw-.sdmp, 1isequal9.arm7, 6505.1.000000003680e83a.00000000ca6d1a3b.rw-.sdmp, 1isequal9.arm7, 6507.1.000000003680e83a.00000000ca6d1a3b.rw-.sdmp, 1isequal9.arm7, 6513.1.000000003680e83a.00000000ca6d1a3b.rw-.sdmp, 1isequal9.arm7, 6515.1.000000003680e83a.00000000ca6d1a3b.rw-.sdmp Binary or memory string: "V!/etc/qemu-binfmt/arm
Source: 1isequal9.arm7, 6234.1.00000000fc8940c5.0000000022e68779.rw-.sdmp Binary or memory string: /tmp/qemu-open.2u2bbA
Source: 1isequal9.arm7, 6226.1.00000000fc8940c5.0000000022e68779.rw-.sdmp, 1isequal9.arm7, 6229.1.00000000fc8940c5.0000000022e68779.rw-.sdmp, 1isequal9.arm7, 6230.1.00000000fc8940c5.0000000022e68779.rw-.sdmp, 1isequal9.arm7, 6233.1.00000000fc8940c5.0000000022e68779.rw-.sdmp, 1isequal9.arm7, 6234.1.00000000fc8940c5.0000000022e68779.rw-.sdmp, 1isequal9.arm7, 6505.1.00000000fc8940c5.0000000022e68779.rw-.sdmp, 1isequal9.arm7, 6507.1.00000000fc8940c5.0000000022e68779.rw-.sdmp, 1isequal9.arm7, 6513.1.00000000fc8940c5.0000000022e68779.rw-.sdmp, 1isequal9.arm7, 6515.1.00000000fc8940c5.0000000022e68779.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/1isequal9.arm7SUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/1isequal9.arm7
Source: 1isequal9.arm7, 6226.1.000000003680e83a.000000005c5c2243.rw-.sdmp, 1isequal9.arm7, 6229.1.000000003680e83a.00000000ca6d1a3b.rw-.sdmp, 1isequal9.arm7, 6230.1.000000003680e83a.00000000ca6d1a3b.rw-.sdmp, 1isequal9.arm7, 6233.1.000000003680e83a.00000000ca6d1a3b.rw-.sdmp, 1isequal9.arm7, 6234.1.000000003680e83a.00000000ca6d1a3b.rw-.sdmp, 1isequal9.arm7, 6505.1.000000003680e83a.00000000ca6d1a3b.rw-.sdmp, 1isequal9.arm7, 6507.1.000000003680e83a.00000000ca6d1a3b.rw-.sdmp, 1isequal9.arm7, 6513.1.000000003680e83a.00000000ca6d1a3b.rw-.sdmp, 1isequal9.arm7, 6515.1.000000003680e83a.00000000ca6d1a3b.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/arm
Source: 1isequal9.arm7, 6226.1.00000000fc8940c5.0000000022e68779.rw-.sdmp, 1isequal9.arm7, 6229.1.00000000fc8940c5.0000000022e68779.rw-.sdmp, 1isequal9.arm7, 6230.1.00000000fc8940c5.0000000022e68779.rw-.sdmp, 1isequal9.arm7, 6233.1.00000000fc8940c5.0000000022e68779.rw-.sdmp, 1isequal9.arm7, 6234.1.00000000fc8940c5.0000000022e68779.rw-.sdmp, 1isequal9.arm7, 6505.1.00000000fc8940c5.0000000022e68779.rw-.sdmp, 1isequal9.arm7, 6507.1.00000000fc8940c5.0000000022e68779.rw-.sdmp, 1isequal9.arm7, 6513.1.00000000fc8940c5.0000000022e68779.rw-.sdmp, 1isequal9.arm7, 6515.1.00000000fc8940c5.0000000022e68779.rw-.sdmp Binary or memory string: /usr/bin/qemu-arm
Source: 1isequal9.arm7, 6234.1.00000000fc8940c5.0000000022e68779.rw-.sdmp Binary or memory string: "V/tmp/qemu-open.2u2bbA

Language, Device and Operating System Detection

Source: /usr/lib/accountsservice/accounts-daemon (PID: 6456) Logged-in records file read: /var/log/wtmp

Stealing of Sensitive Information

Source: Yara match File source: 1isequal9.arm7, type: SAMPLE

Remote Access Functionality

Source: Yara match File source: 1isequal9.arm7, type: SAMPLE
No contacted IP infos