Edit tour

Linux Analysis Report
1isequal9.arm7

Overview

General Information

Sample Name:	1isequal9.arm7
Analysis ID:	626544
MD5:	c798ceff4aaaf18c02b544d6ef56def9
SHA1:	b8ef596aad37bb69bcdb0191d5a50ed6aedfa3f1
SHA256:	63275088f5f653385fce127219b64d70e2c6b6c5511568d27997b2496d7c573e
Infos:

Detection

Mirai

Score:	64
Range:	0 - 100
Whitelisted:	false

Signatures

Yara detected Mirai

Reads system files that contain records of logged in users

Contains symbols with names commonly found in malware

Sample tries to kill multiple processes (SIGKILL)

Sample reads /proc/mounts (often used for finding a writable filesystem)

Executes the "kill" or "pkill" command typically used to terminate processes

Reads CPU information from /sys indicative of miner or evasive malware

Yara signature match

Executes the "grep" command used to find patterns in files or piped streams

Reads system information from the proc file system

Uses the "uname" system call to query kernel version information (possible evasion)

Enumerates processes within the "proc" file system

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Sample contains symbols with suspicious names

Deletes log files

Creates hidden files and/or directories

Sample tries to set the executable flag

Executes commands using a shell command-line interpreter

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might not execute correctly on this machine.

Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures.

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	626544
Start date and time: 14/05/202211:58:31	2022-05-14 11:58:31 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	1isequal9.arm7
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Detection:	MAL
Classification:	mal64.spre.troj.linARM7@0/45@0/0

Warnings

Connection to analysis system has been lost, crash info: Unknown
VT rate limit hit for: 1isequal9.arm7

Runtime Messages

Command:	/tmp/1isequal9.arm7
PID:	6226
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	VegaSec-KATANA001
Standard Error:

Process Tree

system is lnxubuntu20

1isequal9.arm7 (PID: 6226, Parent: 6124, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/1isequal9.arm7

1isequal9.arm7 New Fork (PID: 6229, Parent: 6226)

1isequal9.arm7 New Fork (PID: 6230, Parent: 6226)

1isequal9.arm7 New Fork (PID: 6233, Parent: 6230)

1isequal9.arm7 New Fork (PID: 6234, Parent: 6230)

1isequal9.arm7 New Fork (PID: 6236, Parent: 6230)

1isequal9.arm7 New Fork (PID: 6505, Parent: 6230)

1isequal9.arm7 New Fork (PID: 6507, Parent: 6505)

1isequal9.arm7 New Fork (PID: 6513, Parent: 6230)

1isequal9.arm7 New Fork (PID: 6515, Parent: 6513)

systemd New Fork (PID: 6245, Parent: 1)

journalctl (PID: 6245, Parent: 1, MD5: bf3a987344f3bacafc44efd882abda8b) Arguments: /usr/bin/journalctl --smart-relinquish-var

systemd New Fork (PID: 6262, Parent: 1)

systemd-journald (PID: 6262, Parent: 1, MD5: 474667ece6cecb5e04c6eb897a1d0d9e) Arguments: /lib/systemd/systemd-journald

systemd New Fork (PID: 6265, Parent: 1)

journalctl (PID: 6265, Parent: 1, MD5: bf3a987344f3bacafc44efd882abda8b) Arguments: /usr/bin/journalctl --flush

systemd New Fork (PID: 6306, Parent: 1)

dbus-daemon (PID: 6306, Parent: 1, MD5: 3089d47e3f3ab84cd81c48fd406d7a8c) Arguments: /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only

systemd New Fork (PID: 6317, Parent: 1)

whoopsie (PID: 6317, Parent: 1, MD5: d3a6915d0e7398fb4c89a037c13959c8) Arguments: /usr/bin/whoopsie -f

systemd New Fork (PID: 6321, Parent: 1860)

pulseaudio (PID: 6321, Parent: 1860, MD5: 0c3b4c789d8ffb12b25507f27e14c186) Arguments: /usr/bin/pulseaudio --daemonize=no --log-target=journal

systemd New Fork (PID: 6324, Parent: 1)

rtkit-daemon (PID: 6324, Parent: 1, MD5: df0cacf1db4ec95ac70f5b6e06b8ffd7) Arguments: /usr/libexec/rtkit-daemon

systemd New Fork (PID: 6327, Parent: 1)

systemd-logind (PID: 6327, Parent: 1, MD5: 8dd58a1b4c12f7a1d5fe3ce18b2aaeef) Arguments: /lib/systemd/systemd-logind

systemd New Fork (PID: 6389, Parent: 1)

polkitd (PID: 6389, Parent: 1, MD5: 8efc9b4b5b524210ad2ea1954a9d0e69) Arguments: /usr/lib/policykit-1/polkitd --no-debug

systemd New Fork (PID: 6395, Parent: 1)

rsyslogd (PID: 6395, Parent: 1, MD5: 0b8087fc907c42eb3c81a691db258e33) Arguments: /usr/sbin/rsyslogd -n -iNONE

systemd New Fork (PID: 6398, Parent: 1)

agetty (PID: 6398, Parent: 1, MD5: 3a374724ba7e863768139bdd60ca36f7) Arguments: /sbin/agetty -o "-p -- \\u" --noclear tty2 linux

gdm3 New Fork (PID: 6399, Parent: 1320)

Default (PID: 6399, Parent: 1320, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default

gdm3 New Fork (PID: 6403, Parent: 1320)

Default (PID: 6403, Parent: 1320, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default

gdm3 New Fork (PID: 6404, Parent: 1320)

Default (PID: 6404, Parent: 1320, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default

systemd New Fork (PID: 6405, Parent: 1)

gpu-manager (PID: 6405, Parent: 1, MD5: 8fae9dd5dd67e1f33d873089c2fd8761) Arguments: /usr/bin/gpu-manager --log /var/log/gpu-manager.log

gpu-manager New Fork (PID: 6406, Parent: 6405)

sh (PID: 6406, Parent: 6405, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"

sh New Fork (PID: 6407, Parent: 6406)

grep (PID: 6407, Parent: 6406, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf

gpu-manager New Fork (PID: 6408, Parent: 6405)

sh (PID: 6408, Parent: 6405, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"

sh New Fork (PID: 6409, Parent: 6408)

grep (PID: 6409, Parent: 6408, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf

gpu-manager New Fork (PID: 6410, Parent: 6405)

sh (PID: 6410, Parent: 6405, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"

sh New Fork (PID: 6411, Parent: 6410)

grep (PID: 6411, Parent: 6410, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf

gpu-manager New Fork (PID: 6415, Parent: 6405)

sh (PID: 6415, Parent: 6405, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf"

sh New Fork (PID: 6416, Parent: 6415)

grep (PID: 6416, Parent: 6415, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf

gpu-manager New Fork (PID: 6417, Parent: 6405)

sh (PID: 6417, Parent: 6405, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf"

sh New Fork (PID: 6418, Parent: 6417)

grep (PID: 6418, Parent: 6417, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*amdgpu[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf

gpu-manager New Fork (PID: 6419, Parent: 6405)

sh (PID: 6419, Parent: 6405, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /lib/modprobe.d/*.conf"

sh New Fork (PID: 6420, Parent: 6419)

grep (PID: 6420, Parent: 6419, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*amdgpu[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf

gpu-manager New Fork (PID: 6423, Parent: 6405)

sh (PID: 6423, Parent: 6405, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /etc/modprobe.d/*.conf"

sh New Fork (PID: 6424, Parent: 6423)

grep (PID: 6424, Parent: 6423, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*nouveau[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf

gpu-manager New Fork (PID: 6425, Parent: 6405)

sh (PID: 6425, Parent: 6405, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /lib/modprobe.d/*.conf"

sh New Fork (PID: 6426, Parent: 6425)

grep (PID: 6426, Parent: 6425, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*nouveau[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf

systemd New Fork (PID: 6427, Parent: 1)

generate-config (PID: 6427, Parent: 1, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /usr/share/gdm/generate-config

generate-config New Fork (PID: 6428, Parent: 6427)

pkill (PID: 6428, Parent: 6427, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill --signal HUP --uid gdm dconf-service

systemd New Fork (PID: 6431, Parent: 1)

gdm-wait-for-drm (PID: 6431, Parent: 1, MD5: 82043ba752c6930b4e6aaea2f7747545) Arguments: /usr/lib/gdm3/gdm-wait-for-drm

systemd New Fork (PID: 6450, Parent: 1)

gdm3 (PID: 6450, Parent: 1, MD5: 2492e2d8d34f9377e3e530a61a15674f) Arguments: /usr/sbin/gdm3

gdm3 New Fork (PID: 6455, Parent: 6450)

plymouth (PID: 6455, Parent: 6450, MD5: 87003efd8dad470042f5e75360a8f49f) Arguments: plymouth --ping

gdm3 New Fork (PID: 6475, Parent: 6450)

gdm-session-worker (PID: 6475, Parent: 6450, MD5: 692243754bd9f38fe9bd7e230b5c060a) Arguments: "gdm-session-worker [pam/gdm-launch-environment]"

gdm-session-worker New Fork (PID: 6480, Parent: 6475)

gdm-wayland-session (PID: 6480, Parent: 6475, MD5: d3def63cf1e83f7fb8a0f13b1744ff7c) Arguments: /usr/lib/gdm3/gdm-wayland-session "dbus-run-session -- gnome-session --autostart /usr/share/gdm/greeter/autostart"

gdm-wayland-session New Fork (PID: 6482, Parent: 6480)

dbus-daemon (PID: 6482, Parent: 6480, MD5: 3089d47e3f3ab84cd81c48fd406d7a8c) Arguments: dbus-daemon --print-address 3 --session

dbus-daemon New Fork (PID: 6486, Parent: 6482)

dbus-daemon New Fork (PID: 6487, Parent: 6486)

false (PID: 6487, Parent: 6486, MD5: 3177546c74e4f0062909eae43d948bfc) Arguments: /bin/false

gdm-wayland-session New Fork (PID: 6488, Parent: 6480)

dbus-run-session (PID: 6488, Parent: 6480, MD5: 245f3ef6a268850b33b0225a8753b7f4) Arguments: dbus-run-session -- gnome-session --autostart /usr/share/gdm/greeter/autostart

dbus-run-session New Fork (PID: 6489, Parent: 6488)

dbus-daemon (PID: 6489, Parent: 6488, MD5: 3089d47e3f3ab84cd81c48fd406d7a8c) Arguments: dbus-daemon --nofork --print-address 4 --session

gdm3 New Fork (PID: 6490, Parent: 6450)

Default (PID: 6490, Parent: 6450, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default

gdm3 New Fork (PID: 6491, Parent: 6450)

Default (PID: 6491, Parent: 6450, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default

systemd New Fork (PID: 6456, Parent: 1)

accounts-daemon (PID: 6456, Parent: 1, MD5: 01a899e3fb5e7e434bea1290255a1f30) Arguments: /usr/lib/accountsservice/accounts-daemon

accounts-daemon New Fork (PID: 6468, Parent: 6456)

language-validate (PID: 6468, Parent: 6456, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /usr/share/language-tools/language-validate en_US.UTF-8

language-validate New Fork (PID: 6469, Parent: 6468)

language-options (PID: 6469, Parent: 6468, MD5: 16a21f464119ea7fad1d3660de963637) Arguments: /usr/share/language-tools/language-options

language-options New Fork (PID: 6470, Parent: 6469)

sh (PID: 6470, Parent: 6469, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "locale -a | grep -F .utf8 "

sh New Fork (PID: 6473, Parent: 6470)

locale (PID: 6473, Parent: 6470, MD5: c72a78792469db86d91369c9057f20d2) Arguments: locale -a

sh New Fork (PID: 6474, Parent: 6470)

grep (PID: 6474, Parent: 6470, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -F .utf8

gvfsd-fuse New Fork (PID: 6498, Parent: 2038)

fusermount (PID: 6498, Parent: 2038, MD5: 576a1b135c82bdcbc97a91acea900566) Arguments: fusermount -u -q -z -- /run/user/1000/gvfs

systemd New Fork (PID: 6547, Parent: 1860)

dbus-daemon (PID: 6547, Parent: 1860, MD5: 3089d47e3f3ab84cd81c48fd406d7a8c) Arguments: /usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
1isequal9.arm7	SUSP_XORed_Mozilla	Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.	Florian Roth	0x171d8:$xo1: \x18:/<994z`{e 0x17250:$xo1: \x18:/<994z`{e 0x172c8:$xo1: \x18:/<994z`{e 0x1731c:$xo1: \x18:/<994z`{e 0x17394:$xo1: \x18:/<994z`{e 0x1740c:$xo1: \x18:/<994z`{e 0x17484:$xo1: \x18:/<994z`{e 0x174f4:$xo1: \x18:/<994z`{e 0x17570:$xo1: \x18:/<994z`{e 0x175c0:$xo1: \x18:/<994z`{e
1isequal9.arm7	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
6226.1.0000000097c8e407.000000009c2c05b8.rw-.sdmp	SUSP_XORed_Mozilla	Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.	Florian Roth	0x3f00:$xo1: \x18:/<994z`{e 0x3f78:$xo1: \x18:/<994z`{e 0x3ff0:$xo1: \x18:/<994z`{e 0x4048:$xo1: \x18:/<994z`{e 0x40c0:$xo1: \x18:/<994z`{e 0x4138:$xo1: \x18:/<994z`{e 0x41b8:$xo1: \x18:/<994z`{e 0x4230:$xo1: \x18:/<994z`{e 0x42b0:$xo1: \x18:/<994z`{e 0x4308:$xo1: \x18:/<994z`{e
6229.1.0000000097c8e407.000000009c2c05b8.rw-.sdmp	SUSP_XORed_Mozilla	Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.	Florian Roth	0x3f00:$xo1: \x18:/<994z`{e 0x3f78:$xo1: \x18:/<994z`{e 0x3ff0:$xo1: \x18:/<994z`{e 0x4048:$xo1: \x18:/<994z`{e 0x40c0:$xo1: \x18:/<994z`{e 0x4138:$xo1: \x18:/<994z`{e 0x41b8:$xo1: \x18:/<994z`{e 0x4230:$xo1: \x18:/<994z`{e 0x42b0:$xo1: \x18:/<994z`{e 0x4308:$xo1: \x18:/<994z`{e
6234.1.000000005d55c1b0.00000000007ca476.r-x.sdmp	SUSP_XORed_Mozilla	Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.	Florian Roth	0x171d8:$xo1: \x18:/<994z`{e 0x17250:$xo1: \x18:/<994z`{e 0x172c8:$xo1: \x18:/<994z`{e 0x1731c:$xo1: \x18:/<994z`{e 0x17394:$xo1: \x18:/<994z`{e 0x1740c:$xo1: \x18:/<994z`{e 0x17484:$xo1: \x18:/<994z`{e 0x174f4:$xo1: \x18:/<994z`{e 0x17570:$xo1: \x18:/<994z`{e 0x175c0:$xo1: \x18:/<994z`{e
6226.1.000000005d55c1b0.00000000007ca476.r-x.sdmp	SUSP_XORed_Mozilla	Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.	Florian Roth	0x171d8:$xo1: \x18:/<994z`{e 0x17250:$xo1: \x18:/<994z`{e 0x172c8:$xo1: \x18:/<994z`{e 0x1731c:$xo1: \x18:/<994z`{e 0x17394:$xo1: \x18:/<994z`{e 0x1740c:$xo1: \x18:/<994z`{e 0x17484:$xo1: \x18:/<994z`{e 0x174f4:$xo1: \x18:/<994z`{e 0x17570:$xo1: \x18:/<994z`{e 0x175c0:$xo1: \x18:/<994z`{e
6507.1.000000005d55c1b0.00000000007ca476.r-x.sdmp	SUSP_XORed_Mozilla	Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.	Florian Roth	0x171d8:$xo1: \x18:/<994z`{e 0x17250:$xo1: \x18:/<994z`{e 0x172c8:$xo1: \x18:/<994z`{e 0x1731c:$xo1: \x18:/<994z`{e 0x17394:$xo1: \x18:/<994z`{e 0x1740c:$xo1: \x18:/<994z`{e 0x17484:$xo1: \x18:/<994z`{e 0x174f4:$xo1: \x18:/<994z`{e 0x17570:$xo1: \x18:/<994z`{e 0x175c0:$xo1: \x18:/<994z`{e
6507.1.0000000097c8e407.000000009c2c05b8.rw-.sdmp	SUSP_XORed_Mozilla	Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.	Florian Roth	0x3f00:$xo1: \x18:/<994z`{e 0x3f78:$xo1: \x18:/<994z`{e 0x3ff0:$xo1: \x18:/<994z`{e 0x4048:$xo1: \x18:/<994z`{e 0x40c0:$xo1: \x18:/<994z`{e 0x4138:$xo1: \x18:/<994z`{e 0x41b8:$xo1: \x18:/<994z`{e 0x4230:$xo1: \x18:/<994z`{e 0x42b0:$xo1: \x18:/<994z`{e 0x4308:$xo1: \x18:/<994z`{e
6513.1.000000005d55c1b0.00000000007ca476.r-x.sdmp	SUSP_XORed_Mozilla	Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.	Florian Roth	0x171d8:$xo1: \x18:/<994z`{e 0x17250:$xo1: \x18:/<994z`{e 0x172c8:$xo1: \x18:/<994z`{e 0x1731c:$xo1: \x18:/<994z`{e 0x17394:$xo1: \x18:/<994z`{e 0x1740c:$xo1: \x18:/<994z`{e 0x17484:$xo1: \x18:/<994z`{e 0x174f4:$xo1: \x18:/<994z`{e 0x17570:$xo1: \x18:/<994z`{e 0x175c0:$xo1: \x18:/<994z`{e
6230.1.000000005d55c1b0.00000000007ca476.r-x.sdmp	SUSP_XORed_Mozilla	Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.	Florian Roth	0x171d8:$xo1: \x18:/<994z`{e 0x17250:$xo1: \x18:/<994z`{e 0x172c8:$xo1: \x18:/<994z`{e 0x1731c:$xo1: \x18:/<994z`{e 0x17394:$xo1: \x18:/<994z`{e 0x1740c:$xo1: \x18:/<994z`{e 0x17484:$xo1: \x18:/<994z`{e 0x174f4:$xo1: \x18:/<994z`{e 0x17570:$xo1: \x18:/<994z`{e 0x175c0:$xo1: \x18:/<994z`{e
6233.1.000000005d55c1b0.00000000007ca476.r-x.sdmp	SUSP_XORed_Mozilla	Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.	Florian Roth	0x171d8:$xo1: \x18:/<994z`{e 0x17250:$xo1: \x18:/<994z`{e 0x172c8:$xo1: \x18:/<994z`{e 0x1731c:$xo1: \x18:/<994z`{e 0x17394:$xo1: \x18:/<994z`{e 0x1740c:$xo1: \x18:/<994z`{e 0x17484:$xo1: \x18:/<994z`{e 0x174f4:$xo1: \x18:/<994z`{e 0x17570:$xo1: \x18:/<994z`{e 0x175c0:$xo1: \x18:/<994z`{e
6229.1.000000005d55c1b0.00000000007ca476.r-x.sdmp	SUSP_XORed_Mozilla	Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.	Florian Roth	0x171d8:$xo1: \x18:/<994z`{e 0x17250:$xo1: \x18:/<994z`{e 0x172c8:$xo1: \x18:/<994z`{e 0x1731c:$xo1: \x18:/<994z`{e 0x17394:$xo1: \x18:/<994z`{e 0x1740c:$xo1: \x18:/<994z`{e 0x17484:$xo1: \x18:/<994z`{e 0x174f4:$xo1: \x18:/<994z`{e 0x17570:$xo1: \x18:/<994z`{e 0x175c0:$xo1: \x18:/<994z`{e
6515.1.000000005d55c1b0.00000000007ca476.r-x.sdmp	SUSP_XORed_Mozilla	Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.	Florian Roth	0x171d8:$xo1: \x18:/<994z`{e 0x17250:$xo1: \x18:/<994z`{e 0x172c8:$xo1: \x18:/<994z`{e 0x1731c:$xo1: \x18:/<994z`{e 0x17394:$xo1: \x18:/<994z`{e 0x1740c:$xo1: \x18:/<994z`{e 0x17484:$xo1: \x18:/<994z`{e 0x174f4:$xo1: \x18:/<994z`{e 0x17570:$xo1: \x18:/<994z`{e 0x175c0:$xo1: \x18:/<994z`{e
6513.1.0000000097c8e407.000000009c2c05b8.rw-.sdmp	SUSP_XORed_Mozilla	Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.	Florian Roth	0x3f00:$xo1: \x18:/<994z`{e 0x3f78:$xo1: \x18:/<994z`{e 0x3ff0:$xo1: \x18:/<994z`{e 0x4048:$xo1: \x18:/<994z`{e 0x40c0:$xo1: \x18:/<994z`{e 0x4138:$xo1: \x18:/<994z`{e 0x41b8:$xo1: \x18:/<994z`{e 0x4230:$xo1: \x18:/<994z`{e 0x42b0:$xo1: \x18:/<994z`{e 0x4308:$xo1: \x18:/<994z`{e
6230.1.0000000097c8e407.000000009c2c05b8.rw-.sdmp	SUSP_XORed_Mozilla	Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.	Florian Roth	0x3f00:$xo1: \x18:/<994z`{e 0x3f78:$xo1: \x18:/<994z`{e 0x3ff0:$xo1: \x18:/<994z`{e 0x4048:$xo1: \x18:/<994z`{e 0x40c0:$xo1: \x18:/<994z`{e 0x4138:$xo1: \x18:/<994z`{e 0x41b8:$xo1: \x18:/<994z`{e 0x4230:$xo1: \x18:/<994z`{e 0x42b0:$xo1: \x18:/<994z`{e 0x4308:$xo1: \x18:/<994z`{e
6505.1.000000005d55c1b0.00000000007ca476.r-x.sdmp	SUSP_XORed_Mozilla	Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.	Florian Roth	0x171d8:$xo1: \x18:/<994z`{e 0x17250:$xo1: \x18:/<994z`{e 0x172c8:$xo1: \x18:/<994z`{e 0x1731c:$xo1: \x18:/<994z`{e 0x17394:$xo1: \x18:/<994z`{e 0x1740c:$xo1: \x18:/<994z`{e 0x17484:$xo1: \x18:/<994z`{e 0x174f4:$xo1: \x18:/<994z`{e 0x17570:$xo1: \x18:/<994z`{e 0x175c0:$xo1: \x18:/<994z`{e
6234.1.0000000097c8e407.000000009c2c05b8.rw-.sdmp	SUSP_XORed_Mozilla	Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.	Florian Roth	0x3f00:$xo1: \x18:/<994z`{e 0x3f78:$xo1: \x18:/<994z`{e 0x3ff0:$xo1: \x18:/<994z`{e 0x4048:$xo1: \x18:/<994z`{e 0x40c0:$xo1: \x18:/<994z`{e 0x4138:$xo1: \x18:/<994z`{e 0x41b8:$xo1: \x18:/<994z`{e 0x4230:$xo1: \x18:/<994z`{e 0x42b0:$xo1: \x18:/<994z`{e 0x4308:$xo1: \x18:/<994z`{e
6505.1.0000000097c8e407.000000009c2c05b8.rw-.sdmp	SUSP_XORed_Mozilla	Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.	Florian Roth	0x3f00:$xo1: \x18:/<994z`{e 0x3f78:$xo1: \x18:/<994z`{e 0x3ff0:$xo1: \x18:/<994z`{e 0x4048:$xo1: \x18:/<994z`{e 0x40c0:$xo1: \x18:/<994z`{e 0x4138:$xo1: \x18:/<994z`{e 0x41b8:$xo1: \x18:/<994z`{e 0x4230:$xo1: \x18:/<994z`{e 0x42b0:$xo1: \x18:/<994z`{e 0x4308:$xo1: \x18:/<994z`{e
6515.1.0000000097c8e407.000000009c2c05b8.rw-.sdmp	SUSP_XORed_Mozilla	Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.	Florian Roth	0x3f00:$xo1: \x18:/<994z`{e 0x3f78:$xo1: \x18:/<994z`{e 0x3ff0:$xo1: \x18:/<994z`{e 0x4048:$xo1: \x18:/<994z`{e 0x40c0:$xo1: \x18:/<994z`{e 0x4138:$xo1: \x18:/<994z`{e 0x41b8:$xo1: \x18:/<994z`{e 0x4230:$xo1: \x18:/<994z`{e 0x42b0:$xo1: \x18:/<994z`{e 0x4308:$xo1: \x18:/<994z`{e
6233.1.0000000097c8e407.000000009c2c05b8.rw-.sdmp	SUSP_XORed_Mozilla	Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.	Florian Roth	0x3f00:$xo1: \x18:/<994z`{e 0x3f78:$xo1: \x18:/<994z`{e 0x3ff0:$xo1: \x18:/<994z`{e 0x4048:$xo1: \x18:/<994z`{e 0x40c0:$xo1: \x18:/<994z`{e 0x4138:$xo1: \x18:/<994z`{e 0x41b8:$xo1: \x18:/<994z`{e 0x4230:$xo1: \x18:/<994z`{e 0x42b0:$xo1: \x18:/<994z`{e 0x4308:$xo1: \x18:/<994z`{e
Click to see the 13 entries

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: /usr/bin/pulseaudio (PID: 6321)	Reads CPU info from /sys: /sys/devices/system/cpu/online			Jump to behavior
Source: /usr/bin/pkill (PID: 6428)	Reads CPU info from /sys: /sys/devices/system/cpu/online			Jump to behavior

Source: /tmp/1isequal9.arm7 (PID: 6226)	Socket: 127.0.0.1::59025	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	Socket: <unknown socket type>:unknown	Jump to behavior
Source: /usr/sbin/gdm3 (PID: 6450)	Socket: <unknown socket type>:unknown	Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6482)	Socket: <unknown socket type>:unknown	Jump to behavior

Source: syslog.35.dr

String found in binary or memory: https://www.rsyslog.com

System Summary

Contains symbols with names commonly found in malware

Source: ELF static info symbol of initial sample	Name: attack.c
Source: ELF static info symbol of initial sample	Name: attack_app.c
Source: ELF static info symbol of initial sample	Name: attack_get_opt_int
Source: ELF static info symbol of initial sample	Name: attack_get_opt_ip
Source: ELF static info symbol of initial sample	Name: attack_get_opt_str
Source: ELF static info symbol of initial sample	Name: attack_gre.c
Source: ELF static info symbol of initial sample	Name: attack_gre_eth
Source: ELF static info symbol of initial sample	Name: attack_gre_ip
Source: ELF static info symbol of initial sample	Name: attack_init
Source: ELF static info symbol of initial sample	Name: attack_method_http

Sample tries to kill multiple processes (SIGKILL)

Source: /tmp/1isequal9.arm7 (PID: 6234)	SIGKILL sent: pid: 491, result: successful	Jump to behavior
Source: /tmp/1isequal9.arm7 (PID: 6234)	SIGKILL sent: pid: 658, result: successful	Jump to behavior
Source: /tmp/1isequal9.arm7 (PID: 6234)	SIGKILL sent: pid: 720, result: successful	Jump to behavior
Source: /tmp/1isequal9.arm7 (PID: 6234)	SIGKILL sent: pid: 721, result: successful	Jump to behavior
Source: /tmp/1isequal9.arm7 (PID: 6234)	SIGKILL sent: pid: 759, result: successful	Jump to behavior
Source: /tmp/1isequal9.arm7 (PID: 6234)	SIGKILL sent: pid: 761, result: successful	Jump to behavior
Source: /tmp/1isequal9.arm7 (PID: 6234)	SIGKILL sent: pid: 772, result: successful	Jump to behavior
Source: /tmp/1isequal9.arm7 (PID: 6234)	SIGKILL sent: pid: 774, result: successful	Jump to behavior
Source: /tmp/1isequal9.arm7 (PID: 6234)	SIGKILL sent: pid: 777, result: successful	Jump to behavior
Source: /tmp/1isequal9.arm7 (PID: 6234)	SIGKILL sent: pid: 785, result: successful	Jump to behavior
Source: /tmp/1isequal9.arm7 (PID: 6234)	SIGKILL sent: pid: 793, result: successful	Jump to behavior
Source: /tmp/1isequal9.arm7 (PID: 6234)	SIGKILL sent: pid: 936, result: successful	Jump to behavior
Source: /tmp/1isequal9.arm7 (PID: 6234)	SIGKILL sent: pid: 1334, result: successful	Jump to behavior
Source: /tmp/1isequal9.arm7 (PID: 6234)	SIGKILL sent: pid: 1335, result: successful	Jump to behavior
Source: /tmp/1isequal9.arm7 (PID: 6234)	SIGKILL sent: pid: 1344, result: successful	Jump to behavior
Source: /tmp/1isequal9.arm7 (PID: 6234)	SIGKILL sent: pid: 1601, result: successful	Jump to behavior
Source: /tmp/1isequal9.arm7 (PID: 6234)	SIGKILL sent: pid: 1860, result: successful	Jump to behavior
Source: /tmp/1isequal9.arm7 (PID: 6234)	SIGKILL sent: pid: 1872, result: successful	Jump to behavior
Source: /tmp/1isequal9.arm7 (PID: 6234)	SIGKILL sent: pid: 1886, result: successful	Jump to behavior
Source: /tmp/1isequal9.arm7 (PID: 6234)	SIGKILL sent: pid: 2048, result: successful	Jump to behavior
Source: /tmp/1isequal9.arm7 (PID: 6234)	SIGKILL sent: pid: 6044, result: successful	Jump to behavior
Source: /tmp/1isequal9.arm7 (PID: 6234)	SIGKILL sent: pid: 6190, result: successful	Jump to behavior
Source: /tmp/1isequal9.arm7 (PID: 6234)	SIGKILL sent: pid: 6191, result: successful	Jump to behavior
Source: /tmp/1isequal9.arm7 (PID: 6234)	SIGKILL sent: pid: 6230, result: successful	Jump to behavior
Source: /tmp/1isequal9.arm7 (PID: 6234)	SIGKILL sent: pid: 6234, result: unknown	Jump to behavior
Source: /tmp/1isequal9.arm7 (PID: 6507)	SIGKILL sent: pid: 6505, result: successful	Jump to behavior
Source: /tmp/1isequal9.arm7 (PID: 6515)	SIGKILL sent: pid: 6513, result: successful	Jump to behavior

Source: 1isequal9.arm7, type: SAMPLE	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
Source: 6226.1.0000000097c8e407.000000009c2c05b8.rw-.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
Source: 6229.1.0000000097c8e407.000000009c2c05b8.rw-.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
Source: 6234.1.000000005d55c1b0.00000000007ca476.r-x.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
Source: 6226.1.000000005d55c1b0.00000000007ca476.r-x.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
Source: 6507.1.000000005d55c1b0.00000000007ca476.r-x.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
Source: 6507.1.0000000097c8e407.000000009c2c05b8.rw-.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
Source: 6513.1.000000005d55c1b0.00000000007ca476.r-x.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
Source: 6230.1.000000005d55c1b0.00000000007ca476.r-x.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
Source: 6233.1.000000005d55c1b0.00000000007ca476.r-x.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
Source: 6229.1.000000005d55c1b0.00000000007ca476.r-x.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
Source: 6515.1.000000005d55c1b0.00000000007ca476.r-x.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
Source: 6513.1.0000000097c8e407.000000009c2c05b8.rw-.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
Source: 6230.1.0000000097c8e407.000000009c2c05b8.rw-.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
Source: 6505.1.000000005d55c1b0.00000000007ca476.r-x.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
Source: 6234.1.0000000097c8e407.000000009c2c05b8.rw-.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
Source: 6505.1.0000000097c8e407.000000009c2c05b8.rw-.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
Source: 6515.1.0000000097c8e407.000000009c2c05b8.rw-.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
Source: 6233.1.0000000097c8e407.000000009c2c05b8.rw-.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13

Source: /tmp/1isequal9.arm7 (PID: 6234)	SIGKILL sent: pid: 491, result: successful	Jump to behavior
Source: /tmp/1isequal9.arm7 (PID: 6234)	SIGKILL sent: pid: 658, result: successful	Jump to behavior
Source: /tmp/1isequal9.arm7 (PID: 6234)	SIGKILL sent: pid: 720, result: successful	Jump to behavior
Source: /tmp/1isequal9.arm7 (PID: 6234)	SIGKILL sent: pid: 721, result: successful	Jump to behavior
Source: /tmp/1isequal9.arm7 (PID: 6234)	SIGKILL sent: pid: 759, result: successful	Jump to behavior
Source: /tmp/1isequal9.arm7 (PID: 6234)	SIGKILL sent: pid: 761, result: successful	Jump to behavior
Source: /tmp/1isequal9.arm7 (PID: 6234)	SIGKILL sent: pid: 772, result: successful	Jump to behavior
Source: /tmp/1isequal9.arm7 (PID: 6234)	SIGKILL sent: pid: 774, result: successful	Jump to behavior
Source: /tmp/1isequal9.arm7 (PID: 6234)	SIGKILL sent: pid: 777, result: successful	Jump to behavior
Source: /tmp/1isequal9.arm7 (PID: 6234)	SIGKILL sent: pid: 785, result: successful	Jump to behavior
Source: /tmp/1isequal9.arm7 (PID: 6234)	SIGKILL sent: pid: 793, result: successful	Jump to behavior
Source: /tmp/1isequal9.arm7 (PID: 6234)	SIGKILL sent: pid: 936, result: successful	Jump to behavior
Source: /tmp/1isequal9.arm7 (PID: 6234)	SIGKILL sent: pid: 1334, result: successful	Jump to behavior
Source: /tmp/1isequal9.arm7 (PID: 6234)	SIGKILL sent: pid: 1335, result: successful	Jump to behavior
Source: /tmp/1isequal9.arm7 (PID: 6234)	SIGKILL sent: pid: 1344, result: successful	Jump to behavior
Source: /tmp/1isequal9.arm7 (PID: 6234)	SIGKILL sent: pid: 1601, result: successful	Jump to behavior
Source: /tmp/1isequal9.arm7 (PID: 6234)	SIGKILL sent: pid: 1860, result: successful	Jump to behavior
Source: /tmp/1isequal9.arm7 (PID: 6234)	SIGKILL sent: pid: 1872, result: successful	Jump to behavior
Source: /tmp/1isequal9.arm7 (PID: 6234)	SIGKILL sent: pid: 1886, result: successful	Jump to behavior
Source: /tmp/1isequal9.arm7 (PID: 6234)	SIGKILL sent: pid: 2048, result: successful	Jump to behavior
Source: /tmp/1isequal9.arm7 (PID: 6234)	SIGKILL sent: pid: 6044, result: successful	Jump to behavior
Source: /tmp/1isequal9.arm7 (PID: 6234)	SIGKILL sent: pid: 6190, result: successful	Jump to behavior
Source: /tmp/1isequal9.arm7 (PID: 6234)	SIGKILL sent: pid: 6191, result: successful	Jump to behavior
Source: /tmp/1isequal9.arm7 (PID: 6234)	SIGKILL sent: pid: 6230, result: successful	Jump to behavior
Source: /tmp/1isequal9.arm7 (PID: 6234)	SIGKILL sent: pid: 6234, result: unknown	Jump to behavior
Source: /tmp/1isequal9.arm7 (PID: 6507)	SIGKILL sent: pid: 6505, result: successful	Jump to behavior
Source: /tmp/1isequal9.arm7 (PID: 6515)	SIGKILL sent: pid: 6513, result: successful	Jump to behavior

Source: ELF static info symbol of initial sample	Name: scanner.c
Source: ELF static info symbol of initial sample	Name: scanner_init
Source: ELF static info symbol of initial sample	Name: scanner_kill
Source: ELF static info symbol of initial sample	Name: scanner_pid
Source: ELF static info symbol of initial sample	Name: scanner_rawpkt

Source: classification engine

Classification label: mal64.spre.troj.linARM7@0/45@0/0

Persistence and Installation Behavior

Sample reads /proc/mounts (often used for finding a writable filesystem)

Source: /usr/bin/dbus-daemon (PID: 6306)	File: /proc/6306/mounts	Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6482)	File: /proc/6482/mounts	Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6489)	File: /proc/6489/mounts	Jump to behavior
Source: /bin/fusermount (PID: 6498)	File: /proc/6498/mounts	Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6547)	File: /proc/6547/mounts	Jump to behavior

Source: /usr/share/gdm/generate-config (PID: 6428)

Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service

Jump to behavior

Source: /bin/sh (PID: 6407)	Grep executable: /usr/bin/grep -> grep -G ^blacklist.nvidia[[:space:]]$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf	Jump to behavior
Source: /bin/sh (PID: 6409)	Grep executable: /usr/bin/grep -> grep -G ^blacklist.nvidia[[:space:]]$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf	Jump to behavior
Source: /bin/sh (PID: 6411)	Grep executable: /usr/bin/grep -> grep -G ^blacklist.radeon[[:space:]]$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf	Jump to behavior
Source: /bin/sh (PID: 6416)	Grep executable: /usr/bin/grep -> grep -G ^blacklist.radeon[[:space:]]$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf	Jump to behavior
Source: /bin/sh (PID: 6418)	Grep executable: /usr/bin/grep -> grep -G ^blacklist.amdgpu[[:space:]]$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf	Jump to behavior
Source: /bin/sh (PID: 6420)	Grep executable: /usr/bin/grep -> grep -G ^blacklist.amdgpu[[:space:]]$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf	Jump to behavior
Source: /bin/sh (PID: 6424)	Grep executable: /usr/bin/grep -> grep -G ^blacklist.nouveau[[:space:]]$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf	Jump to behavior
Source: /bin/sh (PID: 6426)	Grep executable: /usr/bin/grep -> grep -G ^blacklist.nouveau[[:space:]]$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf	Jump to behavior
Source: /bin/sh (PID: 6474)	Grep executable: /usr/bin/grep -> grep -F .utf8	Jump to behavior

Source: /lib/systemd/systemd-journald (PID: 6262)

Reads from proc file: /proc/meminfo

Jump to behavior

Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/6395/comm	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/6395/cmdline	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/6395/status	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/6395/attr/current	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/6395/sessionid	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/6395/loginuid	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/6395/cgroup	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/6475/comm	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/6475/cmdline	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/6475/status	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/6475/attr/current	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/6475/sessionid	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/6475/loginuid	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/6475/cgroup	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2078/comm	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2078/cmdline	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2078/status	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2078/attr/current	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2078/sessionid	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2078/loginuid	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2078/cgroup	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2077/comm	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2077/cmdline	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2077/status	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2077/attr/current	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2077/sessionid	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2077/loginuid	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2077/cgroup	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2033/comm	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2033/cmdline	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2033/status	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2033/attr/current	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2033/sessionid	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2033/loginuid	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2033/cgroup	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2074/comm	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2074/cmdline	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2074/status	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2074/attr/current	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2074/sessionid	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2074/loginuid	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2074/cgroup	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2028/comm	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2028/cmdline	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2028/status	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2028/attr/current	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2028/sessionid	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2028/loginuid	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2028/cgroup	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2028/status	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2028/comm	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2028/cmdline	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2028/attr/current	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2028/sessionid	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2028/loginuid	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2028/cgroup	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2028/comm	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2028/cmdline	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2028/status	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2028/attr/current	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2028/sessionid	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2028/loginuid	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2028/cgroup	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/1532/comm	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/1532/cmdline	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/1532/status	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/1532/attr/current	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/1532/sessionid	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/1532/loginuid	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/1532/cgroup	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/1334/comm	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/1334/cmdline	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/1334/status	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/1334/attr/current	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/1334/sessionid	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/1334/loginuid	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/1334/cgroup	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/1334/comm	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/1334/cmdline	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/1334/status	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/1334/attr/current	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/1334/sessionid	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/1334/loginuid	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/1334/cgroup	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2302/comm	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2302/cmdline	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2302/status	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2302/attr/current	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2302/sessionid	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2302/loginuid	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2302/cgroup	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2025/comm	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2025/cmdline	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2025/status	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2025/attr/current	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2025/sessionid	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2025/loginuid	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2025/cgroup	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2223/comm	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2223/cmdline	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2223/status	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2223/attr/current	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2223/sessionid	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2223/loginuid	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	File opened: /proc/2223/cgroup	Jump to behavior

Source: /usr/bin/whoopsie (PID: 6317)	Directory: /nonexistent/.cache	Jump to behavior
Source: /usr/lib/policykit-1/polkitd (PID: 6389)	Directory: /root/.cache	Jump to behavior
Source: /usr/lib/gdm3/gdm-wayland-session (PID: 6480)	Directory: /var/lib/gdm3/.cache	Jump to behavior
Source: /usr/lib/accountsservice/accounts-daemon (PID: 6456)	Directory: /root/.cache	Jump to behavior

Source: /usr/sbin/gdm3 (PID: 6450)	File: /var/run/gdm3 (bits: - usr: -x grp: x all: rwx)	Jump to behavior
Source: /usr/sbin/gdm3 (PID: 6450)	File: /var/log/gdm3 (bits: - usr: -x grp: x all: rwx)	Jump to behavior
Source: /usr/lib/accountsservice/accounts-daemon (PID: 6456)	File: /var/lib/AccountsService/icons (bits: - usr: rx grp: rwx all: rwx)	Jump to behavior
Source: /usr/lib/accountsservice/accounts-daemon (PID: 6456)	File: /var/lib/AccountsService/users (bits: - usr: - grp: - all: rwx)	Jump to behavior

Source: /usr/bin/gpu-manager (PID: 6406)	Shell command executed: sh -c "grep -G \"^blacklist.nvidia[[:space:]]$\" /etc/modprobe.d/*.conf"	Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6408)	Shell command executed: sh -c "grep -G \"^blacklist.nvidia[[:space:]]$\" /lib/modprobe.d/*.conf"	Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6410)	Shell command executed: sh -c "grep -G \"^blacklist.radeon[[:space:]]$\" /etc/modprobe.d/*.conf"	Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6415)	Shell command executed: sh -c "grep -G \"^blacklist.radeon[[:space:]]$\" /lib/modprobe.d/*.conf"	Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6417)	Shell command executed: sh -c "grep -G \"^blacklist.amdgpu[[:space:]]$\" /etc/modprobe.d/*.conf"	Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6419)	Shell command executed: sh -c "grep -G \"^blacklist.amdgpu[[:space:]]$\" /lib/modprobe.d/*.conf"	Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6423)	Shell command executed: sh -c "grep -G \"^blacklist.nouveau[[:space:]]$\" /etc/modprobe.d/*.conf"	Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6425)	Shell command executed: sh -c "grep -G \"^blacklist.nouveau[[:space:]]$\" /lib/modprobe.d/*.conf"	Jump to behavior
Source: /usr/share/language-tools/language-options (PID: 6470)	Shell command executed: sh -c "locale -a \| grep -F .utf8 "	Jump to behavior

Source: /usr/sbin/rsyslogd (PID: 6395)	Log file created: /var/log/auth.log	Jump to dropped file
Source: /usr/sbin/rsyslogd (PID: 6395)	Log file created: /var/log/kern.log	Jump to dropped file
Source: /usr/bin/gpu-manager (PID: 6405)	Log file created: /var/log/gpu-manager.log	Jump to dropped file

Source: /usr/bin/pulseaudio (PID: 6321)	Reads CPU info from /sys: /sys/devices/system/cpu/online			Jump to behavior
Source: /usr/bin/pkill (PID: 6428)	Reads CPU info from /sys: /sys/devices/system/cpu/online			Jump to behavior

Source: /tmp/1isequal9.arm7 (PID: 6226)	Queries kernel information via 'uname':	Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6262)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/whoopsie (PID: 6317)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/pulseaudio (PID: 6321)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6395)	Queries kernel information via 'uname':	Jump to behavior
Source: /sbin/agetty (PID: 6398)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6405)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/lib/gdm3/gdm-session-worker (PID: 6475)	Queries kernel information via 'uname':	Jump to behavior

Source: /usr/bin/gpu-manager (PID: 6405)

Truncated file: /var/log/gpu-manager.log

Jump to behavior

Source: syslog.35.dr	Binary or memory string: May 14 12:00:20 galassia kernel: [ 479.246636] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 12/12/2018
Source: syslog.35.dr	Binary or memory string: May 14 12:00:20 galassia kernel: [ 479.246585] Modules linked in: monitor(OE) md4 cmac cifs libarc4 fscache libdes vmw_vsock_vmci_transport vsock binfmt_misc dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua vmw_balloon joydev input_leds serio_raw vmw_vmci sch_fq_codel drm parport_pc ppdev lp parport ip_tables x_tables autofs4 btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel crypto_simd cryptd glue_helper psmouse ahci mptspi vmxnet3 scsi_transport_spi mptscsih libahci mptbase
Source: 1isequal9.arm7, 6226.1.000000003680e83a.000000005c5c2243.rw-.sdmp, 1isequal9.arm7, 6229.1.000000003680e83a.00000000ca6d1a3b.rw-.sdmp, 1isequal9.arm7, 6230.1.000000003680e83a.00000000ca6d1a3b.rw-.sdmp, 1isequal9.arm7, 6233.1.000000003680e83a.00000000ca6d1a3b.rw-.sdmp, 1isequal9.arm7, 6234.1.000000003680e83a.00000000ca6d1a3b.rw-.sdmp, 1isequal9.arm7, 6505.1.000000003680e83a.00000000ca6d1a3b.rw-.sdmp, 1isequal9.arm7, 6507.1.000000003680e83a.00000000ca6d1a3b.rw-.sdmp, 1isequal9.arm7, 6513.1.000000003680e83a.00000000ca6d1a3b.rw-.sdmp, 1isequal9.arm7, 6515.1.000000003680e83a.00000000ca6d1a3b.rw-.sdmp	Binary or memory string: "V!/etc/qemu-binfmt/arm
Source: 1isequal9.arm7, 6234.1.00000000fc8940c5.0000000022e68779.rw-.sdmp	Binary or memory string: /tmp/qemu-open.2u2bbA
Source: 1isequal9.arm7, 6226.1.00000000fc8940c5.0000000022e68779.rw-.sdmp, 1isequal9.arm7, 6229.1.00000000fc8940c5.0000000022e68779.rw-.sdmp, 1isequal9.arm7, 6230.1.00000000fc8940c5.0000000022e68779.rw-.sdmp, 1isequal9.arm7, 6233.1.00000000fc8940c5.0000000022e68779.rw-.sdmp, 1isequal9.arm7, 6234.1.00000000fc8940c5.0000000022e68779.rw-.sdmp, 1isequal9.arm7, 6505.1.00000000fc8940c5.0000000022e68779.rw-.sdmp, 1isequal9.arm7, 6507.1.00000000fc8940c5.0000000022e68779.rw-.sdmp, 1isequal9.arm7, 6513.1.00000000fc8940c5.0000000022e68779.rw-.sdmp, 1isequal9.arm7, 6515.1.00000000fc8940c5.0000000022e68779.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/1isequal9.arm7SUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/1isequal9.arm7
Source: 1isequal9.arm7, 6226.1.000000003680e83a.000000005c5c2243.rw-.sdmp, 1isequal9.arm7, 6229.1.000000003680e83a.00000000ca6d1a3b.rw-.sdmp, 1isequal9.arm7, 6230.1.000000003680e83a.00000000ca6d1a3b.rw-.sdmp, 1isequal9.arm7, 6233.1.000000003680e83a.00000000ca6d1a3b.rw-.sdmp, 1isequal9.arm7, 6234.1.000000003680e83a.00000000ca6d1a3b.rw-.sdmp, 1isequal9.arm7, 6505.1.000000003680e83a.00000000ca6d1a3b.rw-.sdmp, 1isequal9.arm7, 6507.1.000000003680e83a.00000000ca6d1a3b.rw-.sdmp, 1isequal9.arm7, 6513.1.000000003680e83a.00000000ca6d1a3b.rw-.sdmp, 1isequal9.arm7, 6515.1.000000003680e83a.00000000ca6d1a3b.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: 1isequal9.arm7, 6226.1.00000000fc8940c5.0000000022e68779.rw-.sdmp, 1isequal9.arm7, 6229.1.00000000fc8940c5.0000000022e68779.rw-.sdmp, 1isequal9.arm7, 6230.1.00000000fc8940c5.0000000022e68779.rw-.sdmp, 1isequal9.arm7, 6233.1.00000000fc8940c5.0000000022e68779.rw-.sdmp, 1isequal9.arm7, 6234.1.00000000fc8940c5.0000000022e68779.rw-.sdmp, 1isequal9.arm7, 6505.1.00000000fc8940c5.0000000022e68779.rw-.sdmp, 1isequal9.arm7, 6507.1.00000000fc8940c5.0000000022e68779.rw-.sdmp, 1isequal9.arm7, 6513.1.00000000fc8940c5.0000000022e68779.rw-.sdmp, 1isequal9.arm7, 6515.1.00000000fc8940c5.0000000022e68779.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm
Source: 1isequal9.arm7, 6234.1.00000000fc8940c5.0000000022e68779.rw-.sdmp	Binary or memory string: "V/tmp/qemu-open.2u2bbA

Language, Device and Operating System Detection

Reads system files that contain records of logged in users

Source: /usr/lib/accountsservice/accounts-daemon (PID: 6456)

Logged in records file read: /var/log/wtmp

Jump to behavior

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match

File source: 1isequal9.arm7, type: SAMPLE

Remote Access Functionality

Yara detected Mirai

Source: Yara match

File source: 1isequal9.arm7, type: SAMPLE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Scripting	Path Interception	Path Interception	1 Masquerading	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 Service Stop
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 File and Directory Permissions Modification	LSASS Memory	1 System Owner/User Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Disable or Modify Tools	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Scripting	NTDS	2 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Hidden Files and Directories	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Indicator Removal on Host	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report
1isequal9.arm7

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Initial Sample

Memory Dumps

Snort Signatures

Joe Sandbox Signatures

Bitcoin Miner

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report 1isequal9.arm7

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Initial Sample

Memory Dumps

Snort Signatures

Joe Sandbox Signatures

Bitcoin Miner

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Linux Analysis Report
1isequal9.arm7