Source: 4wiwmAupak, type: SAMPLE |
Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13 |
Source: 6233.1.00007fd554464000.00007fd554466000.rw-.sdmp, type: MEMORY |
Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13 |
Source: 6236.1.00007fd554464000.00007fd554466000.rw-.sdmp, type: MEMORY |
Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13 |
Source: 6233.1.00007fd554400000.00007fd554424000.r-x.sdmp, type: MEMORY |
Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13 |
Source: 6236.1.00007fd554400000.00007fd554424000.r-x.sdmp, type: MEMORY |
Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13 |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/1582/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/2033/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/2275/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/3088/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/6191/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/6192/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/1612/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/1579/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/1699/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/1335/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/1698/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/2028/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/1334/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/1576/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/2302/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/3236/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/2025/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/2146/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/910/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/912/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/517/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/759/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/2307/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/918/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/6241/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/6243/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/6242/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/4462/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/6245/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/6244/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/1594/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/2285/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/2281/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/1349/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/1623/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/761/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/1622/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/884/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/1983/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/2038/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/1344/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/1465/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/1586/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/1463/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/2156/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/800/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/6238/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/801/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/1629/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/1627/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/1900/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/6252/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/4470/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/6251/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/6253/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/6258/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/3021/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/491/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/2294/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/2050/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/6250/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/1877/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/772/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/1633/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/1599/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/1632/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/774/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/1477/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/654/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/896/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/1476/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/1872/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/2048/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/655/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/1475/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/2289/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/656/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/777/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/657/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/658/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/4467/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/4468/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/4469/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/419/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/936/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/1639/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/4503/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/1638/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/2208/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/2180/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/6262/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/6265/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/6266/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/1809/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/6268/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/1494/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/1890/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/2063/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/2062/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/1888/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/1886/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/420/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/1489/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/785/exe |
Jump to behavior |
Source: /tmp/4wiwmAupak (PID: 6235) |
File opened: /proc/1642/exe |
Jump to behavior |
Source: 4wiwmAupak, 6233.1.0000562b48a4a000.0000562b48ad1000.rw-.sdmp, 4wiwmAupak, 6236.1.0000562b48a4a000.0000562b48ad1000.rw-.sdmp |
Binary or memory string: /etc/qemu-binfmt/mips |
Source: 4wiwmAupak, 6233.1.00007ffc33963000.00007ffc33984000.rw-.sdmp, 4wiwmAupak, 6236.1.00007ffc33963000.00007ffc33984000.rw-.sdmp |
Binary or memory string: /usr/bin/qemu-mips |
Source: 4wiwmAupak, 6233.1.0000562b48a4a000.0000562b48ad1000.rw-.sdmp, 4wiwmAupak, 6236.1.0000562b48a4a000.0000562b48ad1000.rw-.sdmp |
Binary or memory string: H+V!/etc/qemu-binfmt/mips |
Source: 4wiwmAupak, 6233.1.00007ffc33963000.00007ffc33984000.rw-.sdmp, 4wiwmAupak, 6236.1.00007ffc33963000.00007ffc33984000.rw-.sdmp |
Binary or memory string: x86_64/usr/bin/qemu-mips/tmp/4wiwmAupakSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/4wiwmAupak |