Source: MUuRNNXESN, type: SAMPLE |
Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13 |
Source: 6230.1.00007f4db442c000.00007f4db442d000.rw-.sdmp, type: MEMORY |
Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13 |
Source: 6233.1.00007f4db4400000.00007f4db441b000.r-x.sdmp, type: MEMORY |
Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13 |
Source: 6230.1.00007f4db4400000.00007f4db441b000.r-x.sdmp, type: MEMORY |
Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13 |
Source: 6233.1.00007f4db442c000.00007f4db442d000.rw-.sdmp, type: MEMORY |
Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13 |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/6235/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/1582/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/2033/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/2275/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/3088/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/6191/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/6192/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/1612/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/1579/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/1699/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/1335/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/1698/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/2028/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/1334/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/1576/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/2302/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/3236/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/2025/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/2146/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/910/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/912/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/517/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/759/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/2307/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/918/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/6241/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/6243/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/6245/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/6247/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/6246/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/1594/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/2285/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/2281/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/1349/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/1623/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/761/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/1622/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/884/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/1983/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/2038/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/1344/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/1465/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/1586/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/1463/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/2156/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/800/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/6238/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/801/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/1629/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/6239/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/1627/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/1900/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/4470/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/6254/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/6253/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/6256/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/6255/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/4354/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/3021/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/491/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/2294/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/2050/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/1877/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/772/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/1633/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/1599/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/1632/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/774/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/1477/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/654/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/896/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/1476/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/1872/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/2048/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/655/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/1475/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/2289/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/656/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/777/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/657/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/658/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/4467/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/6248/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/4468/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/4469/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/419/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/936/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/1639/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/4503/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/1638/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/2208/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/2180/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/6263/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/6264/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/1809/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/1494/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/1890/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/2063/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/2062/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/6261/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/1888/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/1886/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/420/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/1489/exe |
Jump to behavior |
Source: /tmp/MUuRNNXESN (PID: 6232) |
File opened: /proc/785/exe |
Jump to behavior |
Source: MUuRNNXESN, 6230.1.00007ffe4dbd5000.00007ffe4dbf6000.rw-.sdmp, MUuRNNXESN, 6233.1.00007ffe4dbd5000.00007ffe4dbf6000.rw-.sdmp |
Binary or memory string: x86_64/usr/bin/qemu-sh4/tmp/MUuRNNXESNSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/MUuRNNXESN |
Source: MUuRNNXESN, 6230.1.00007ffe4dbd5000.00007ffe4dbf6000.rw-.sdmp, MUuRNNXESN, 6233.1.00007ffe4dbd5000.00007ffe4dbf6000.rw-.sdmp |
Binary or memory string: /usr/bin/qemu-sh4 |
Source: MUuRNNXESN, 6230.1.000055ec0c78c000.000055ec0c7ef000.rw-.sdmp, MUuRNNXESN, 6233.1.000055ec0c78c000.000055ec0c7ef000.rw-.sdmp |
Binary or memory string: U5!/etc/qemu-binfmt/sh4 |
Source: MUuRNNXESN, 6230.1.000055ec0c78c000.000055ec0c7ef000.rw-.sdmp, MUuRNNXESN, 6233.1.000055ec0c78c000.000055ec0c7ef000.rw-.sdmp |
Binary or memory string: /etc/qemu-binfmt/sh4 |