IOC Report
1isequal9.arm7

Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| 1isequal9.arm7 | ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, with debug_info, not stripped | initial sample | malicious |
| /var/log/wtmp | data | dropped | malicious |
| /home/saturnino/.config/pulse/ee49dfd4fa47433baee88884e2d7de7c-default-sink | ASCII text | dropped | |
| /home/saturnino/.config/pulse/ee49dfd4fa47433baee88884e2d7de7c-default-source | ASCII text | dropped | |
| /proc/6487/oom_score_adj | very short file (no magic) | dropped | |
| /run/gdm3.pid | ASCII text | dropped | |
| /run/systemd/journal/streams/.#9:74260jbIoBF | ASCII text | dropped | |
| /run/systemd/journal/streams/.#9:742640AmfuF | ASCII text | dropped | |
| /run/systemd/journal/streams/.#9:751583WC8PG | ASCII text | dropped | |
| /run/systemd/journal/streams/.#9:75179VQFUUI | ASCII text | dropped | |
| /run/systemd/journal/streams/.#9:75187TXWWLH | ASCII text | dropped | |
| /run/systemd/journal/streams/.#9:75202EZFfDJ | ASCII text | dropped | |
| /run/systemd/journal/streams/.#9:75203pS0XVI | ASCII text | dropped | |
| /run/systemd/journal/streams/.#9:75217vV39uJ | ASCII text | dropped | |
| /run/systemd/journal/streams/.#9:76305y3zhoJ | ASCII text | dropped | |
| /run/systemd/journal/streams/.#9:76357WYsSxI | ASCII text | dropped | |
| /run/systemd/journal/streams/.#9:76368SnuQNG | ASCII text | dropped | |
| /run/systemd/journal/streams/.#9:76437ONqasJ | ASCII text | dropped | |
| /run/systemd/journal/streams/.#9:76484YZhShH | ASCII text | dropped | |
| /run/systemd/journal/streams/.#9:76610qvo9xI | ASCII text | dropped | |
| /run/systemd/journal/streams/.#9:76626JzW3KF | ASCII text | dropped | |
| /run/systemd/journal/streams/.#9:76627skHFNJ | ASCII text | dropped | |
| /run/systemd/journal/streams/.#9:76665nt1WEG | ASCII text | dropped | |
| /run/systemd/journal/streams/.#9:76666eS2JiJ | ASCII text | dropped | |
| /run/systemd/journal/streams/.#9:78048lCuw2H | ASCII text | dropped | |
| /run/systemd/seats/.#seat0Syr5jA | ASCII text | dropped | |
| /run/systemd/seats/.#seat0U1nTsA | ASCII text | dropped | |
| /run/systemd/users/.#1270q92lB | ASCII text | dropped | |
| /run/systemd/users/.#127D3AltB | ASCII text | dropped | |
| /run/systemd/users/.#127KRNzPC | ASCII text | dropped | |
| /run/systemd/users/.#127NGNZoE | ASCII text | dropped | |
| /run/systemd/users/.#127PTtX5B | ASCII text | dropped | |
| /run/systemd/users/.#127fpweJA | ASCII text | dropped | |
| /run/user/1000/pulse/pid | ASCII text | dropped | |
| /run/utmp | data | dropped | |
| /tmp/qemu-open.2u2bbA (deleted) | ASCII text | dropped | |
| /var/crash/_usr_bin_light-locker.1000.uploaded | ASCII text | dropped | |
| /var/lib/AccountsService/users/gdm.0BSUL1 | ASCII text | dropped | |
| /var/lib/ubuntu-drivers-common/last_gfx_boot | ASCII text | dropped | |
| /var/lib/whoopsie/whoopsie-id.QC3QL1 | ASCII text, with no line terminators | dropped | |
| /var/log/auth.log | ASCII text | dropped | |
| /var/log/gpu-manager.log | ASCII text | dropped | |
| /var/log/journal/ee49dfd4fa47433baee88884e2d7de7c/system.journal | data | dropped | |
| /var/log/journal/ee49dfd4fa47433baee88884e2d7de7c/user-1000.journal | data | dropped | |
| /var/log/kern.log | ASCII text, with very long lines | dropped | |
| /var/log/syslog | ASCII text, with very long lines | dropped | |

Processes

| Path | Cmdline | Malicious |
|---|---|---|
| /tmp/1isequal9.arm7 | `/tmp/1isequal9.arm7` | |
| /tmp/1isequal9.arm7 | n/a | |
| /tmp/1isequal9.arm7 | n/a | |
| /tmp/1isequal9.arm7 | n/a | |
| /tmp/1isequal9.arm7 | n/a | |
| /tmp/1isequal9.arm7 | n/a | |
| /tmp/1isequal9.arm7 | n/a | |
| /tmp/1isequal9.arm7 | n/a | |
| /tmp/1isequal9.arm7 | n/a | |
| /tmp/1isequal9.arm7 | n/a | |
| /usr/lib/systemd/systemd | n/a | |
| /usr/bin/journalctl | `/usr/bin/journalctl --smart-relinquish-var` | |
| /usr/lib/systemd/systemd | n/a | |
| /lib/systemd/systemd-journald | `/lib/systemd/systemd-journald` | |
| /usr/lib/systemd/systemd | n/a | |
| /usr/bin/journalctl | `/usr/bin/journalctl --flush` | |
| /usr/lib/systemd/systemd | n/a | |
| /usr/bin/dbus-daemon | `/usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only` | |
| /usr/lib/systemd/systemd | n/a | |
| /usr/bin/whoopsie | `/usr/bin/whoopsie -f` | |
| /usr/lib/systemd/systemd | n/a | |
| /usr/bin/pulseaudio | `/usr/bin/pulseaudio --daemonize=no --log-target=journal` | |
| /usr/lib/systemd/systemd | n/a | |
| /usr/libexec/rtkit-daemon | `/usr/libexec/rtkit-daemon` | |
| /usr/lib/systemd/systemd | n/a | |
| /lib/systemd/systemd-logind | `/lib/systemd/systemd-logind` | |
| /usr/lib/systemd/systemd | n/a | |
| /usr/lib/policykit-1/polkitd | `/usr/lib/policykit-1/polkitd --no-debug` | |
| /usr/lib/systemd/systemd | n/a | |
| /usr/sbin/rsyslogd | `/usr/sbin/rsyslogd -n -iNONE` | |
| /usr/lib/systemd/systemd | n/a | |
| /sbin/agetty | `/sbin/agetty -o "-p -- \\u" --noclear tty2 linux` | |
| /usr/sbin/gdm3 | n/a | |
| /etc/gdm3/PrimeOff/Default | `/etc/gdm3/PrimeOff/Default` | |
| /usr/sbin/gdm3 | n/a | |
| /etc/gdm3/PrimeOff/Default | `/etc/gdm3/PrimeOff/Default` | |
| /usr/sbin/gdm3 | n/a | |
| /etc/gdm3/PrimeOff/Default | `/etc/gdm3/PrimeOff/Default` | |
| /usr/lib/systemd/systemd | n/a | |
| /usr/bin/gpu-manager | `/usr/bin/gpu-manager --log /var/log/gpu-manager.log` | |
| /usr/bin/gpu-manager | n/a | |
| /bin/sh | `sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"` | |
| /bin/sh | n/a | |
| /usr/bin/grep | `grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf` | |
| /usr/bin/gpu-manager | n/a | |
| /bin/sh | `sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"` | |
| /bin/sh | n/a | |
| /usr/bin/grep | `grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf` | |
| /usr/bin/gpu-manager | n/a | |
| /bin/sh | `sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"` | |
| /bin/sh | n/a | |
| /usr/bin/grep | `grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf` | |
| /usr/bin/gpu-manager | n/a | |
| /bin/sh | `sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf"` | |
| /bin/sh | n/a | |
| /usr/bin/grep | `grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf` | |
| /usr/bin/gpu-manager | n/a | |
| /bin/sh | `sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf"` | |
| /bin/sh | n/a | |
| /usr/bin/grep | `grep -G ^blacklist.*amdgpu[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf` | |
| /usr/bin/gpu-manager | n/a | |
| /bin/sh | `sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /lib/modprobe.d/*.conf"` | |
| /bin/sh | n/a | |
| /usr/bin/grep | `grep -G ^blacklist.*amdgpu[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf` | |
| /usr/bin/gpu-manager | n/a | |
| /bin/sh | `sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /etc/modprobe.d/*.conf"` | |
| /bin/sh | n/a | |
| /usr/bin/grep | `grep -G ^blacklist.*nouveau[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf` | |
| /usr/bin/gpu-manager | n/a | |
| /bin/sh | `sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /lib/modprobe.d/*.conf"` | |
| /bin/sh | n/a | |
| /usr/bin/grep | `grep -G ^blacklist.*nouveau[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf` | |
| /usr/lib/systemd/systemd | n/a | |
| /usr/share/gdm/generate-config | `/usr/share/gdm/generate-config` | |
| /usr/share/gdm/generate-config | n/a | |
| /usr/bin/pkill | `pkill --signal HUP --uid gdm dconf-service` | |
| /usr/lib/systemd/systemd | n/a | |
| /usr/lib/gdm3/gdm-wait-for-drm | `/usr/lib/gdm3/gdm-wait-for-drm` | |
| /usr/lib/systemd/systemd | n/a | |
| /usr/sbin/gdm3 | `/usr/sbin/gdm3` | |
| /usr/sbin/gdm3 | n/a | |
| /usr/bin/plymouth | `plymouth --ping` | |
| /usr/sbin/gdm3 | n/a | |
| /usr/lib/gdm3/gdm-session-worker | `"gdm-session-worker [pam/gdm-launch-environment]"` | |
| /usr/lib/gdm3/gdm-session-worker | n/a | |
| /usr/lib/gdm3/gdm-wayland-session | `/usr/lib/gdm3/gdm-wayland-session "dbus-run-session -- gnome-session --autostart /usr/share/gdm/greeter/autostart"` | |
| /usr/lib/gdm3/gdm-wayland-session | n/a | |
| /usr/bin/dbus-daemon | `dbus-daemon --print-address 3 --session` | |
| /usr/bin/dbus-daemon | n/a | |
| /usr/bin/dbus-daemon | n/a | |
| /bin/false | `/bin/false` | |
| /usr/lib/gdm3/gdm-wayland-session | n/a | |
| /usr/bin/dbus-run-session | `dbus-run-session -- gnome-session --autostart /usr/share/gdm/greeter/autostart` | |
| /usr/bin/dbus-run-session | n/a | |
| /usr/bin/dbus-daemon | `dbus-daemon --nofork --print-address 4 --session` | |
| /usr/sbin/gdm3 | n/a | |
| /etc/gdm3/PrimeOff/Default | `/etc/gdm3/PrimeOff/Default` | |
| /usr/sbin/gdm3 | n/a | |
| /etc/gdm3/PrimeOff/Default | `/etc/gdm3/PrimeOff/Default` | |
| /usr/lib/systemd/systemd | n/a | |
| /usr/lib/accountsservice/accounts-daemon | `/usr/lib/accountsservice/accounts-daemon` | |
| /usr/lib/accountsservice/accounts-daemon | n/a | |
| /usr/share/language-tools/language-validate | `/usr/share/language-tools/language-validate en_US.UTF-8` | |
| /usr/share/language-tools/language-validate | n/a | |
| /usr/share/language-tools/language-options | `/usr/share/language-tools/language-options` | |
| /usr/share/language-tools/language-options | n/a | |
| /bin/sh | `sh -c "locale -a \| grep -F .utf8 "` | |
| /bin/sh | n/a | |
| /usr/bin/locale | `locale -a` | |
| /bin/sh | n/a | |
| /usr/bin/grep | `grep -F .utf8` | |
| /usr/libexec/gvfsd-fuse | n/a | |
| /bin/fusermount | `fusermount -u -q -z -- /run/user/1000/gvfs` | |
| /usr/lib/systemd/systemd | n/a | |
| /usr/bin/dbus-daemon | `/usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only` | |

URLs

| Name | IP | Malicious |
|---|---|---|
| https://www.rsyslog.com | unknown | |