Linux Analysis Report
XHYKEGTtfq.elf

Overview

General Information

Sample name: XHYKEGTtfq.elf (renamed because original name is a hash value)
Original sample name: 73b136cb342e7a64855905830cdf0c0b.elf
Analysis ID: 1430906
MD5: 73b136cb342e7a64855905830cdf0c0b
SHA1: 87c0098d9c86435194231c2f5623a7e8c488a861
SHA256: c860d081fb8cfed28d01b054bf1611c295a6d307537563ad02650cc94c280746
Tags: 32, elf, powerpc

Detection

Score: 60
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Sample deletes itself
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to kill multiple processes (SIGKILL)
Deletes log files
Detected TCP or UDP traffic on non-standard ports
ELF contains segments with high entropy indicating compressed/encrypted content
Executes commands using a shell command-line interpreter
Executes the "grep" command used to find patterns in files or piped streams
Executes the "kill" or "pkill" command typically used to terminate processes
Reads CPU information from /sys indicative of miner or evasive malware
Sample contains only a LOAD segment without any section mappings
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might not execute correctly on this machine.
Joe Sandbox version: 40.0.0 Tourmaline
Start date and time: 2024-04-24 10:57:06 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 2s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Detection: MAL
Classification: mal60.spre.troj.evad.linELF@0/0@0/0
  • Connection to analysis system has been lost, crash info: Unknown
Command: /tmp/XHYKEGTtfq.elf
PID: 5432
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:
black botnet voodoo
Standard Error:
  • system is lnxubuntu20
  • systemd New Fork (PID: 5444, Parent: 1)
  • journalctl (PID: 5444, Parent: 1, MD5: bf3a987344f3bacafc44efd882abda8b) Arguments: /usr/bin/journalctl --smart-relinquish-var
  • systemd New Fork (PID: 5461, Parent: 1)
  • dbus-daemon (PID: 5461, Parent: 1, MD5: 3089d47e3f3ab84cd81c48fd406d7a8c) Arguments: /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
  • systemd New Fork (PID: 5478, Parent: 1)
  • rsyslogd (PID: 5478, Parent: 1, MD5: 0b8087fc907c42eb3c81a691db258e33) Arguments: /usr/sbin/rsyslogd -n -iNONE
  • fusermount (PID: 5479, Parent: 3122, MD5: 576a1b135c82bdcbc97a91acea900566) Arguments: fusermount -u -q -z -- /run/user/1000/gvfs
  • systemd New Fork (PID: 5480, Parent: 2935)
  • pulseaudio (PID: 5480, Parent: 2935, MD5: 0c3b4c789d8ffb12b25507f27e14c186) Arguments: /usr/bin/pulseaudio --daemonize=no --log-target=journal
  • systemd New Fork (PID: 5484, Parent: 1)
  • systemd-journald (PID: 5484, Parent: 1, MD5: 474667ece6cecb5e04c6eb897a1d0d9e) Arguments: /lib/systemd/systemd-journald
  • systemd New Fork (PID: 5485, Parent: 1)
  • dbus-daemon (PID: 5485, Parent: 1, MD5: 3089d47e3f3ab84cd81c48fd406d7a8c) Arguments: /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
  • systemd New Fork (PID: 5486, Parent: 1)
  • rsyslogd (PID: 5486, Parent: 1, MD5: 0b8087fc907c42eb3c81a691db258e33) Arguments: /usr/sbin/rsyslogd -n -iNONE
  • systemd New Fork (PID: 5490, Parent: 1)
  • systemd-journald (PID: 5490, Parent: 1, MD5: 474667ece6cecb5e04c6eb897a1d0d9e) Arguments: /lib/systemd/systemd-journald
  • systemd New Fork (PID: 5491, Parent: 1)
  • dbus-daemon (PID: 5491, Parent: 1, MD5: 3089d47e3f3ab84cd81c48fd406d7a8c) Arguments: /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
  • systemd New Fork (PID: 5492, Parent: 1)
  • systemd-journald (PID: 5492, Parent: 1, MD5: 474667ece6cecb5e04c6eb897a1d0d9e) Arguments: /lib/systemd/systemd-journald
  • systemd New Fork (PID: 5493, Parent: 1)
  • rsyslogd (PID: 5493, Parent: 1, MD5: 0b8087fc907c42eb3c81a691db258e33) Arguments: /usr/sbin/rsyslogd -n -iNONE
  • systemd New Fork (PID: 5494, Parent: 1)
  • dbus-daemon (PID: 5494, Parent: 1, MD5: 3089d47e3f3ab84cd81c48fd406d7a8c) Arguments: /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
  • systemd New Fork (PID: 5495, Parent: 1)
  • systemd-journald (PID: 5495, Parent: 1, MD5: 474667ece6cecb5e04c6eb897a1d0d9e) Arguments: /lib/systemd/systemd-journald
  • systemd New Fork (PID: 5496, Parent: 1)
  • dbus-daemon (PID: 5496, Parent: 1, MD5: 3089d47e3f3ab84cd81c48fd406d7a8c) Arguments: /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
  • systemd New Fork (PID: 5497, Parent: 1)
  • systemd-journald (PID: 5497, Parent: 1, MD5: 474667ece6cecb5e04c6eb897a1d0d9e) Arguments: /lib/systemd/systemd-journald
  • systemd New Fork (PID: 5498, Parent: 1)
  • rsyslogd (PID: 5498, Parent: 1, MD5: 0b8087fc907c42eb3c81a691db258e33) Arguments: /usr/sbin/rsyslogd -n -iNONE
  • gdm3 New Fork (PID: 5499, Parent: 1400)
  • Default (PID: 5499, Parent: 1400, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default
  • gdm3 New Fork (PID: 5500, Parent: 1400)
  • Default (PID: 5500, Parent: 1400, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default
  • gdm3 New Fork (PID: 5501, Parent: 1400)
  • Default (PID: 5501, Parent: 1400, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default
  • systemd New Fork (PID: 5502, Parent: 1)
  • rsyslogd (PID: 5502, Parent: 1, MD5: 0b8087fc907c42eb3c81a691db258e33) Arguments: /usr/sbin/rsyslogd -n -iNONE
  • systemd New Fork (PID: 5505, Parent: 1)
  • gpu-manager (PID: 5505, Parent: 1, MD5: 8fae9dd5dd67e1f33d873089c2fd8761) Arguments: /usr/bin/gpu-manager --log /var/log/gpu-manager.log
    • sh (PID: 5506, Parent: 5505, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
      • sh New Fork (PID: 5507, Parent: 5506)
      • grep (PID: 5507, Parent: 5506, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
  • systemd New Fork (PID: 5508, Parent: 1)
  • generate-config (PID: 5508, Parent: 1, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /usr/share/gdm/generate-config
    • pkill (PID: 5509, Parent: 5508, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill --signal HUP --uid gdm dconf-service
  • systemd New Fork (PID: 5510, Parent: 1)
  • gpu-manager (PID: 5510, Parent: 1, MD5: 8fae9dd5dd67e1f33d873089c2fd8761) Arguments: /usr/bin/gpu-manager --log /var/log/gpu-manager.log
  • systemd New Fork (PID: 5511, Parent: 1)
  • generate-config (PID: 5511, Parent: 1, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /usr/share/gdm/generate-config
    • pkill (PID: 5512, Parent: 5511, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill --signal HUP --uid gdm dconf-service
  • systemd New Fork (PID: 5513, Parent: 1)
  • gpu-manager (PID: 5513, Parent: 1, MD5: 8fae9dd5dd67e1f33d873089c2fd8761) Arguments: /usr/bin/gpu-manager --log /var/log/gpu-manager.log
    • sh (PID: 5514, Parent: 5513, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
      • sh New Fork (PID: 5515, Parent: 5514)
      • grep (PID: 5515, Parent: 5514, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
  • systemd New Fork (PID: 5516, Parent: 1)
  • generate-config (PID: 5516, Parent: 1, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /usr/share/gdm/generate-config
    • pkill (PID: 5517, Parent: 5516, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill --signal HUP --uid gdm dconf-service
  • systemd New Fork (PID: 5518, Parent: 1)
  • gpu-manager (PID: 5518, Parent: 1, MD5: 8fae9dd5dd67e1f33d873089c2fd8761) Arguments: /usr/bin/gpu-manager --log /var/log/gpu-manager.log
  • systemd New Fork (PID: 5519, Parent: 1)
  • generate-config (PID: 5519, Parent: 1, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /usr/share/gdm/generate-config
    • pkill (PID: 5520, Parent: 5519, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill --signal HUP --uid gdm dconf-service
  • systemd New Fork (PID: 5521, Parent: 1)
  • gpu-manager (PID: 5521, Parent: 1, MD5: 8fae9dd5dd67e1f33d873089c2fd8761) Arguments: /usr/bin/gpu-manager --log /var/log/gpu-manager.log
  • systemd New Fork (PID: 5522, Parent: 1)
  • generate-config (PID: 5522, Parent: 1, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /usr/share/gdm/generate-config
    • pkill (PID: 5523, Parent: 5522, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill --signal HUP --uid gdm dconf-service
  • systemd New Fork (PID: 5524, Parent: 1)
  • plymouth (PID: 5524, Parent: 1, MD5: 87003efd8dad470042f5e75360a8f49f) Arguments: /bin/plymouth quit
  • systemd New Fork (PID: 5526, Parent: 2935)
  • dbus-daemon (PID: 5526, Parent: 2935, MD5: 3089d47e3f3ab84cd81c48fd406d7a8c) Arguments: /usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
  • cleanup
No yara matches
No Snort rule has matched

AV Detection

Source: XHYKEGTtfq.elf; Virustotal: Detection: 11%
Source: /usr/bin/pkill (PID: 5509); Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5517); Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: global traffic; TCP traffic: 192.168.2.13:42674 -> 212.70.149.14:35342
Source: /tmp/XHYKEGTtfq.elf (PID: 5432); Socket: 127.0.0.1::8345

System Summary

Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 1 (init), result: successful
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 490, result: successful
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 660, result: successful
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 726, result: successful
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 727, result: successful
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 765, result: successful
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 767, result: successful
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 778, result: successful
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 780, result: successful
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 783, result: successful
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 790, result: successful
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 795, result: successful
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 800, result: successful
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 936, result: successful
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 1400, result: successful
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 1410, result: successful
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 1411, result: successful
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 1432, result: successful
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 1475, result: successful
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 1565, result: successful
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 1805, result: successful
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 2926, result: successful
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 2935, result: successful
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 2936, result: successful
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 2970, result: successful
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 3069, result: successful
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 3122, result: successful
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 3132, result: successful
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 3772, result: successful
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 5272, result: successful
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 5415, result: successful
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 5416, result: successful
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 5438, result: successful
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 5440, result: successful
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 5441, result: successful
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 5444, result: successful
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 5461, result: successful
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 5478, result: successful
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 5480, result: successful
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 5484, result: successful
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 5485, result: successful
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 5486, result: successful
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 5490, result: successful
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 5491, result: successful
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 5492, result: successful
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 5493, result: successful
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 5494, result: successful
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 5495, result: successful
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 5496, result: successful
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 5497, result: successful
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 5498, result: successful
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 5499, result: successful
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 5502, result: successful
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 5505, result: successful
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 5507, result: no such process
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 5508, result: successful
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 5510, result: successful
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 5511, result: successful
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 5512, result: no such process
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 5513, result: successful
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 5514, result: no such process
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 5515, result: no such process
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 5516, result: successful
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 5517, result: successful
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 5518, result: successful
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 5519, result: successful
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 5521, result: successful
Source: /tmp/XHYKEGTtfq.elf (PID: 5436); SIGKILL sent: pid: 5522, result: successful
Source: LOAD without section mappings; Program segment: 0x10000000
Source: classification engine; Classification label: mal60.spre.troj.evad.linELF@0/0@0/0

Persistence and Installation Behavior

Source: /bin/fusermount (PID: 5479); File: /proc/5479/mounts
Source: /usr/bin/gpu-manager (PID: 5506); Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5514); Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /bin/sh (PID: 5507); Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5515); Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /usr/share/gdm/generate-config (PID: 5509); Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /usr/share/gdm/generate-config (PID: 5512); Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /usr/share/gdm/generate-config (PID: 5517); Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /usr/share/gdm/generate-config (PID: 5520); Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /usr/share/gdm/generate-config (PID: 5523); Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service

Hooking and other Techniques for Hiding and Protection

Source: /tmp/XHYKEGTtfq.elf (PID: 5432) | File: /tmp/XHYKEGTtfq.elf
Source: XHYKEGTtfq.elf | Submission file: segment LOAD with 7.8829 entropy (max. 8.0)
Source: XHYKEGTtfq.elf | Submission file: segment LOAD with 7.972 entropy (max. 8.0)
Source: /usr/bin/gpu-manager (PID: 5505) | Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 5510) | Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 5513) | Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 5521) | Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/pkill (PID: 5509) | Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5517) | Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /tmp/XHYKEGTtfq.elf (PID: 5432) | Queries kernel information via 'uname'
Source: XHYKEGTtfq.elf, 5441.1.00005585d9d4f000.00005585d9e20000.rw-.sdmp | Binary or memory string: /ppc/tmp/vmware-root_727-4290690966
Source: XHYKEGTtfq.elf, 5432.1.00005585d9d4f000.00005585d9e20000.rw-.sdmp | Binary or memory string: !/etc/qemu-binfmt/ppc11!hotpluggableq
Source: XHYKEGTtfq.elf, 5441.1.00007f7dac035000.00007f7dac038000.rw-.sdmp | Binary or memory string: 1/tmp/vmware-root_727-4290690966
Source: XHYKEGTtfq.elf, 5438.1.00005585d9d4f000.00005585d9e20000.rw-.sdmp, XHYKEGTtfq.elf, 5440.1.00005585d9d4f000.00005585d9e20000.rw-.sdmp, XHYKEGTtfq.elf, 5441.1.00005585d9d4f000.00005585d9e20000.rw-.sdmp | Binary or memory string: !/etc/qemu-binfmt/ppc1
Source: XHYKEGTtfq.elf, 5432.1.00007ffe423d8000.00007ffe423f9000.rw-.sdmp, XHYKEGTtfq.elf, 5438.1.00007ffe423d8000.00007ffe423f9000.rw-.sdmp, XHYKEGTtfq.elf, 5440.1.00007ffe423d8000.00007ffe423f9000.rw-.sdmp, XHYKEGTtfq.elf, 5441.1.00007ffe423d8000.00007ffe423f9000.rw-.sdmp | Binary or memory string: =x86_64/usr/bin/qemu-ppc/tmp/XHYKEGTtfq.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/XHYKEGTtfq.elf
Source: XHYKEGTtfq.elf, 5441.1.00005585d9d4f000.00005585d9e20000.rw-.sdmp | Binary or memory string: U1/tmp/vmware-root_727-4290690966
Source: XHYKEGTtfq.elf, 5432.1.00005585d9d4f000.00005585d9e20000.rw-.sdmp, XHYKEGTtfq.elf, 5438.1.00005585d9d4f000.00005585d9e20000.rw-.sdmp, XHYKEGTtfq.elf, 5440.1.00005585d9d4f000.00005585d9e20000.rw-.sdmp, XHYKEGTtfq.elf, 5441.1.00005585d9d4f000.00005585d9e20000.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/ppc
Source: XHYKEGTtfq.elf, 5441.1.00007f7dac02a000.00007f7dac035000.rw-.sdmp | Binary or memory string: vmware-root_727-4290690966
Source: XHYKEGTtfq.elf, 5441.1.00007f7dac035000.00007f7dac038000.rw-.sdmp | Binary or memory string: 0a/tmp/systemd-private-fe424f1b0f85425093f40a37100b81c4-colord.service-PB7Ovfa1/tmp/vmware-root_727-4290690966
Source: XHYKEGTtfq.elf, 5432.1.00007ffe423d8000.00007ffe423f9000.rw-.sdmp, XHYKEGTtfq.elf, 5438.1.00007ffe423d8000.00007ffe423f9000.rw-.sdmp, XHYKEGTtfq.elf, 5440.1.00007ffe423d8000.00007ffe423f9000.rw-.sdmp, XHYKEGTtfq.elf, 5441.1.00007ffe423d8000.00007ffe423f9000.rw-.sdmp | Binary or memory string: /usr/bin/qemu-ppc
Source: XHYKEGTtfq.elf, 5441.1.00005585d9d4f000.00005585d9e20000.rw-.sdmp | Binary or memory string: /tmp/vmware-root_727-4290690966
Source: XHYKEGTtfq.elf, 5441.1.00005585d9d4f000.00005585d9e20000.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/ppc/tmp/systemd-private-fe424f1b0f85425093f40a37100b81c4-upower.service-VKEayg
Source: XHYKEGTtfq.elf, 5441.1.00005585d9d4f000.00005585d9e20000.rw-.sdmp | Binary or memory string: U/ppc/tmp/vmware-root_727-42906909665425093f40a37100b81c1/tmp/snap-private-tmp/snap.lxd/tmp
MITRE ATT&CK matrix, listed per tactic (techniques that matched a signature carry the number of matching signatures in parentheses):

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names
Resource Development: Scripting (1), Domains, DNS Server, Virtual Private Server
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts
Execution: Windows Management Instrumentation, Scheduled Task/Job, At, Cron
Persistence: Scripting (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook
Privilege Escalation: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook
Defense Evasion: Disable or Modify Tools (1), Indicator Removal (1), Obfuscated Files or Information (1), File Deletion (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS
Discovery: Security Software Discovery (11), File and Directory Discovery (1), System Information Discovery (1), System Network Configuration Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model
Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture
Command and Control: Non-Standard Port (1), Junk Data, Steganography, Protocol Impersonation
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication
Impact: Service Stop (1), Network Denial of Service, Data Encrypted for Impact, Data Destruction
No configs have been found

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
  • Internet
Behavior Graph (ID: 1430906; sample: XHYKEGTtfq.elf; start date: 24/04/2024; architecture: LINUX; score: 60). The rendered graph is not reproduced here; its nodes and edges are:

  • Network node: 212.70.149.14, ports 35342, 42674, 42678, INTERNET-HOSTINGBG, Bulgaria
  • Signature on the sample: Multi AV Scanner detection for submitted file
  • XHYKEGTtfq.elf started (signature: Sample deletes itself) -> XHYKEGTtfq.elf started -> four further XHYKEGTtfq.elf processes started, one of them carrying the signature: Sample tries to kill multiple processes (SIGKILL)
  • gvfsd-fuse -> fusermount started (signature: Sample reads /proc/mounts (often used for finding a writable filesystem))
  • systemd -> gpu-manager started -> sh started -> grep started
  • 31 other processes, among them a second gpu-manager -> sh -> grep chain, two generate-config -> pkill chains, and 3 other processes
Source | Detection | Scanner | Label
XHYKEGTtfq.elf | 11% | Virustotal |
No Antivirus matches
No Antivirus matches
No Antivirus matches
No contacted domains info
IP | Domain | Country | ASN | ASN Name | Malicious
212.70.149.14 | unknown | Bulgaria | 208410 | INTERNET-HOSTINGBG | false
Match | Associated Sample Name / URL | Detection | Threat Name | Context
212.70.149.14 | UOt98MEVJw.elf | malicious | Unknown | /arm6
212.70.149.14 | XtpqFYYOsk.elf | malicious | Unknown | /arm7
212.70.149.14 | M5JK7Pf4NO.elf | malicious | Unknown | /mips
212.70.149.14 | aIIxWKK5Cm.elf | malicious | Unknown | /mpsl
212.70.149.14 | Y8ahzapm43.elf | malicious | Unknown | /arm5
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
INTERNET-HOSTINGBG | SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf | malicious | Unknown | 212.70.149.10
INTERNET-HOSTINGBG | SecuriteInfo.com.Linux.Mirai.8362.8829.19078.elf | malicious | Mirai | 212.70.149.14
INTERNET-HOSTINGBG | SecuriteInfo.com.Linux.Siggen.7228.11695.14684.elf | malicious | Unknown | 212.70.149.10
INTERNET-HOSTINGBG | SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf | malicious | Unknown | 212.70.149.14
INTERNET-HOSTINGBG | UOt98MEVJw.elf | malicious | Unknown | 212.70.149.14
INTERNET-HOSTINGBG | XtpqFYYOsk.elf | malicious | Unknown | 212.70.149.14
INTERNET-HOSTINGBG | M5JK7Pf4NO.elf | malicious | Unknown | 212.70.149.14
INTERNET-HOSTINGBG | aIIxWKK5Cm.elf | malicious | Unknown | 212.70.149.14
INTERNET-HOSTINGBG | Y8ahzapm43.elf | malicious | Unknown | 212.70.149.14
INTERNET-HOSTINGBG | CT9oaKX3q3.elf | malicious | Unknown | 87.246.7.66
No context
No context
No created / dropped files found
File type:ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (GNU/Linux), statically linked, no section header
Entropy (8bit):7.970205312474335
TrID:
  • ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:XHYKEGTtfq.elf
File size:46'656 bytes
MD5:73b136cb342e7a64855905830cdf0c0b
SHA1:87c0098d9c86435194231c2f5623a7e8c488a861
SHA256:c860d081fb8cfed28d01b054bf1611c295a6d307537563ad02650cc94c280746
SHA512:81af757f1e3cc4608da40137130a6efb1be3c1e2edc08f6ed75159f9e440fcb695feb95728ef0d6157202be1e356d4d269448c279444bef88e34d24dd0cf6b72
SSDEEP:768:cnhQn2SuI+h7gjER7R3Q2stXIhyXkGhe0WDo31aostZwceD6hnTKcb4uVcqgw0Eo:XNO6Qc2UXIoX1e0J31fstZwyN3b4u+qc
TLSH:FE23F13ADD692D3AFC6FFD323D5A8363A72ED68515A3A3950184FF414C4D02AED848C4
File Content Preview:.ELF...........................4.........4. ...(........................../4...........................@...@........dt.Q................................sfga.P.....................W.......?.E.h4...@b........=.a...!.1.Z!K.......T.(..lj.T .`F.}.>...p.....>#9

ELF header

Class:ELF32
Data:2's complement, big endian
Version:1 (current)
Machine:PowerPC
Version Number:0x1
Type:EXEC (Executable file)
OS/ABI:UNIX - Linux
ABI Version:0
Entry Point Address:0x1004a1f8
Flags:0x0
ELF Header Size:52
Program Header Offset:52
Program Header Size:32
Number of Program Headers:3
Section Header Offset:0
Section Header Size:40
Number of Section Headers:0
Header String Table Index:0
Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
LOAD | 0x0 | 0x10000000 | 0x10000000 | 0x1000 | 0x32f34 | 7.8829 | 0x6 | RW | 0x10000 | |
LOAD | 0x0 | 0x10040000 | 0x10040000 | 0xb540 | 0xb540 | 7.9720 | 0x5 | R E | 0x10000 | |
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x6 | RW | 0x4 | |
TCP packets:

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 24, 2024 10:57:52.829941034 CEST | 42674 | 35342 | 192.168.2.13 | 212.70.149.14
Apr 24, 2024 10:57:53.158019066 CEST | 35342 | 42674 | 212.70.149.14 | 192.168.2.13
Apr 24, 2024 10:57:56.824860096 CEST | 42678 | 35342 | 192.168.2.13 | 212.70.149.14
Apr 24, 2024 10:57:57.152399063 CEST | 35342 | 42678 | 212.70.149.14 | 192.168.2.13
Apr 24, 2024 10:58:00.767880917 CEST | 42680 | 35342 | 192.168.2.13 | 212.70.149.14
Apr 24, 2024 10:58:01.093925953 CEST | 35342 | 42680 | 212.70.149.14 | 192.168.2.13
Apr 24, 2024 10:58:03.966942072 CEST | 42682 | 35342 | 192.168.2.13 | 212.70.149.14
Apr 24, 2024 10:58:04.298343897 CEST | 35342 | 42682 | 212.70.149.14 | 192.168.2.13
Apr 24, 2024 10:58:31.321029902 CEST | 42684 | 35342 | 192.168.2.13 | 212.70.149.14
Apr 24, 2024 10:58:31.647145033 CEST | 35342 | 42684 | 212.70.149.14 | 192.168.2.13
Apr 24, 2024 10:58:35.187374115 CEST | 42686 | 35342 | 192.168.2.13 | 212.70.149.14
Apr 24, 2024 10:58:35.513803005 CEST | 35342 | 42686 | 212.70.149.14 | 192.168.2.13
Apr 24, 2024 10:58:37.805960894 CEST | 42688 | 35342 | 192.168.2.13 | 212.70.149.14
Apr 24, 2024 10:58:38.133001089 CEST | 35342 | 42688 | 212.70.149.14 | 192.168.2.13
Apr 24, 2024 10:58:41.753118038 CEST | 42690 | 35342 | 192.168.2.13 | 212.70.149.14
Apr 24, 2024 10:58:42.079061031 CEST | 35342 | 42690 | 212.70.149.14 | 192.168.2.13
Apr 24, 2024 10:59:09.112138033 CEST | 42692 | 35342 | 192.168.2.13 | 212.70.149.14
Apr 24, 2024 10:59:09.438483000 CEST | 35342 | 42692 | 212.70.149.14 | 192.168.2.13
Apr 24, 2024 10:59:36.465599060 CEST | 42694 | 35342 | 192.168.2.13 | 212.70.149.14
Apr 24, 2024 10:59:36.792435884 CEST | 35342 | 42694 | 212.70.149.14 | 192.168.2.13
Apr 24, 2024 10:59:40.336221933 CEST | 42696 | 35342 | 192.168.2.13 | 212.70.149.14
Apr 24, 2024 10:59:40.662914038 CEST | 35342 | 42696 | 212.70.149.14 | 192.168.2.13
Apr 24, 2024 10:59:44.196711063 CEST | 42698 | 35342 | 192.168.2.13 | 212.70.149.14
Apr 24, 2024 10:59:44.522787094 CEST | 35342 | 42698 | 212.70.149.14 | 192.168.2.13
Apr 24, 2024 10:59:48.135737896 CEST | 42700 | 35342 | 192.168.2.13 | 212.70.149.14
Apr 24, 2024 10:59:48.462379932 CEST | 35342 | 42700 | 212.70.149.14 | 192.168.2.13
Apr 24, 2024 10:59:52.012990952 CEST | 42702 | 35342 | 192.168.2.13 | 212.70.149.14
Apr 24, 2024 10:59:52.339411020 CEST | 35342 | 42702 | 212.70.149.14 | 192.168.2.13
Apr 24, 2024 11:00:19.366575956 CEST | 42704 | 35342 | 192.168.2.13 | 212.70.149.14
Apr 24, 2024 11:00:19.692785025 CEST | 35342 | 42704 | 212.70.149.14 | 192.168.2.13
Apr 24, 2024 11:00:21.985075951 CEST | 42706 | 35342 | 192.168.2.13 | 212.70.149.14
UDP packets:

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 24, 2024 10:57:52.537662983 CEST | 52777 | 53 | 192.168.2.13 | 51.158.108.203
Apr 24, 2024 10:57:52.828303099 CEST | 53 | 52777 | 51.158.108.203 | 192.168.2.13
Apr 24, 2024 10:57:55.158890963 CEST | 45841 | 53 | 192.168.2.13 | 51.77.149.139
Apr 24, 2024 10:57:55.476224899 CEST | 53 | 45841 | 51.77.149.139 | 192.168.2.13
Apr 24, 2024 10:57:55.476520061 CEST | 38594 | 53 | 192.168.2.13 | 51.77.149.139
Apr 24, 2024 10:57:55.804251909 CEST | 53 | 38594 | 51.77.149.139 | 192.168.2.13
Apr 24, 2024 10:57:55.804567099 CEST | 46735 | 53 | 192.168.2.13 | 51.77.149.139
Apr 24, 2024 10:57:56.113241911 CEST | 53 | 46735 | 51.77.149.139 | 192.168.2.13
Apr 24, 2024 10:57:56.113457918 CEST | 46019 | 53 | 192.168.2.13 | 51.77.149.139
Apr 24, 2024 10:57:56.514849901 CEST | 53 | 46019 | 51.77.149.139 | 192.168.2.13
Apr 24, 2024 10:57:56.515017986 CEST | 35299 | 53 | 192.168.2.13 | 51.77.149.139
Apr 24, 2024 10:57:56.824580908 CEST | 53 | 35299 | 51.77.149.139 | 192.168.2.13
Apr 24, 2024 10:57:59.152807951 CEST | 38202 | 53 | 192.168.2.13 | 185.181.61.24
Apr 24, 2024 10:57:59.476119995 CEST | 53 | 38202 | 185.181.61.24 | 192.168.2.13
Apr 24, 2024 10:57:59.476305008 CEST | 60188 | 53 | 192.168.2.13 | 185.181.61.24
Apr 24, 2024 10:57:59.804452896 CEST | 53 | 60188 | 185.181.61.24 | 192.168.2.13
Apr 24, 2024 10:57:59.804702997 CEST | 45652 | 53 | 192.168.2.13 | 185.181.61.24
Apr 24, 2024 10:58:00.127368927 CEST | 53 | 45652 | 185.181.61.24 | 192.168.2.13
Apr 24, 2024 10:58:00.127605915 CEST | 47825 | 53 | 192.168.2.13 | 185.181.61.24
Apr 24, 2024 10:58:00.449290991 CEST | 53 | 47825 | 185.181.61.24 | 192.168.2.13
Apr 24, 2024 10:58:00.449518919 CEST | 38373 | 53 | 192.168.2.13 | 185.181.61.24
Apr 24, 2024 10:58:00.767709970 CEST | 53 | 38373 | 185.181.61.24 | 192.168.2.13
Apr 24, 2024 10:58:03.094355106 CEST | 44823 | 53 | 192.168.2.13 | 134.195.4.2
Apr 24, 2024 10:58:03.269135952 CEST | 53 | 44823 | 134.195.4.2 | 192.168.2.13
Apr 24, 2024 10:58:03.269284010 CEST | 47576 | 53 | 192.168.2.13 | 134.195.4.2
Apr 24, 2024 10:58:03.442320108 CEST | 53 | 47576 | 134.195.4.2 | 192.168.2.13
Apr 24, 2024 10:58:03.442640066 CEST | 53605 | 53 | 192.168.2.13 | 134.195.4.2
Apr 24, 2024 10:58:03.616166115 CEST | 53 | 53605 | 134.195.4.2 | 192.168.2.13
Apr 24, 2024 10:58:03.616322994 CEST | 47311 | 53 | 192.168.2.13 | 134.195.4.2
Apr 24, 2024 10:58:03.793488026 CEST | 53 | 47311 | 134.195.4.2 | 192.168.2.13
Apr 24, 2024 10:58:03.793601036 CEST | 46671 | 53 | 192.168.2.13 | 134.195.4.2
Apr 24, 2024 10:58:03.966528893 CEST | 53 | 46671 | 134.195.4.2 | 192.168.2.13
Apr 24, 2024 10:58:06.298695087 CEST | 38695 | 53 | 192.168.2.13 | 1.1.1.1
Apr 24, 2024 10:58:11.303807020 CEST | 42614 | 53 | 192.168.2.13 | 1.1.1.1
Apr 24, 2024 10:58:16.305469036 CEST | 53924 | 53 | 192.168.2.13 | 1.1.1.1
Apr 24, 2024 10:58:21.310739994 CEST | 43056 | 53 | 192.168.2.13 | 1.1.1.1
Apr 24, 2024 10:58:26.315515041 CEST | 45338 | 53 | 192.168.2.13 | 1.1.1.1
Apr 24, 2024 10:58:33.648534060 CEST | 39878 | 53 | 192.168.2.13 | 51.254.162.59
Apr 24, 2024 10:58:33.957607031 CEST | 53 | 39878 | 51.254.162.59 | 192.168.2.13
Apr 24, 2024 10:58:33.957890034 CEST | 37910 | 53 | 192.168.2.13 | 51.254.162.59
Apr 24, 2024 10:58:34.262073040 CEST | 53 | 37910 | 51.254.162.59 | 192.168.2.13
Apr 24, 2024 10:58:34.262415886 CEST | 42911 | 53 | 192.168.2.13 | 51.254.162.59
Apr 24, 2024 10:58:34.569291115 CEST | 53 | 42911 | 51.254.162.59 | 192.168.2.13
Apr 24, 2024 10:58:34.569632053 CEST | 46989 | 53 | 192.168.2.13 | 51.254.162.59
Apr 24, 2024 10:58:34.879728079 CEST | 53 | 46989 | 51.254.162.59 | 192.168.2.13
Apr 24, 2024 10:58:34.879972935 CEST | 35274 | 53 | 192.168.2.13 | 51.254.162.59
Apr 24, 2024 10:58:35.186902046 CEST | 53 | 35274 | 51.254.162.59 | 192.168.2.13
Apr 24, 2024 10:58:37.514334917 CEST | 50148 | 53 | 192.168.2.13 | 51.158.108.203
Apr 24, 2024 10:58:37.805547953 CEST | 53 | 50148 | 51.158.108.203 | 192.168.2.13
Apr 24, 2024 10:58:40.133846998 CEST | 46261 | 53 | 192.168.2.13 | 51.77.149.139
Apr 24, 2024 10:58:40.441004038 CEST | 53 | 46261 | 51.77.149.139 | 192.168.2.13
Apr 24, 2024 10:58:40.441299915 CEST | 36207 | 53 | 192.168.2.13 | 51.77.149.139
Apr 24, 2024 10:58:40.758447886 CEST | 53 | 36207 | 51.77.149.139 | 192.168.2.13
Apr 24, 2024 10:58:40.758658886 CEST | 33544 | 53 | 192.168.2.13 | 51.77.149.139
Apr 24, 2024 10:58:41.134124994 CEST | 53 | 33544 | 51.77.149.139 | 192.168.2.13
Apr 24, 2024 10:58:41.134320974 CEST | 60824 | 53 | 192.168.2.13 | 51.77.149.139
Apr 24, 2024 10:58:41.443811893 CEST | 53 | 60824 | 51.77.149.139 | 192.168.2.13
Apr 24, 2024 10:58:41.444091082 CEST | 34569 | 53 | 192.168.2.13 | 51.77.149.139
Apr 24, 2024 10:58:41.752899885 CEST | 53 | 34569 | 51.77.149.139 | 192.168.2.13
Apr 24, 2024 10:58:44.079926968 CEST | 38404 | 53 | 192.168.2.13 | 94.16.114.254
Apr 24, 2024 10:58:49.081254959 CEST | 41787 | 53 | 192.168.2.13 | 94.16.114.254
Apr 24, 2024 10:58:54.086536884 CEST | 56639 | 53 | 192.168.2.13 | 94.16.114.254
Apr 24, 2024 10:58:59.091737032 CEST | 59855 | 53 | 192.168.2.13 | 94.16.114.254
Apr 24, 2024 10:59:04.104593039 CEST | 54591 | 53 | 192.168.2.13 | 94.16.114.254
Apr 24, 2024 10:59:11.439615011 CEST | 36175 | 53 | 192.168.2.13 | 91.217.137.37
Apr 24, 2024 10:59:16.444818020 CEST | 39534 | 53 | 192.168.2.13 | 91.217.137.37
Apr 24, 2024 10:59:21.450050116 CEST | 43959 | 53 | 192.168.2.13 | 91.217.137.37
Apr 24, 2024 10:59:26.455229998 CEST | 50950 | 53 | 192.168.2.13 | 91.217.137.37
Apr 24, 2024 10:59:31.460372925 CEST | 45235 | 53 | 192.168.2.13 | 91.217.137.37
Apr 24, 2024 10:59:38.793472052 CEST | 52358 | 53 | 192.168.2.13 | 51.77.149.139
Apr 24, 2024 10:59:39.100649118 CEST | 53 | 52358 | 51.77.149.139 | 192.168.2.13
Apr 24, 2024 10:59:39.101006031 CEST | 60768 | 53 | 192.168.2.13 | 51.77.149.139
Apr 24, 2024 10:59:39.408070087 CEST | 53 | 60768 | 51.77.149.139 | 192.168.2.13
Apr 24, 2024 10:59:39.408582926 CEST | 60381 | 53 | 192.168.2.13 | 51.77.149.139
Apr 24, 2024 10:59:39.719038963 CEST | 53 | 60381 | 51.77.149.139 | 192.168.2.13
Apr 24, 2024 10:59:39.719460964 CEST | 39585 | 53 | 192.168.2.13 | 51.77.149.139
Apr 24, 2024 10:59:40.026556969 CEST | 53 | 39585 | 51.77.149.139 | 192.168.2.13
Apr 24, 2024 10:59:40.026803017 CEST | 32776 | 53 | 192.168.2.13 | 51.77.149.139
Apr 24, 2024 10:59:40.335963011 CEST | 53 | 32776 | 51.77.149.139 | 192.168.2.13
Apr 24, 2024 10:59:42.663521051 CEST | 48330 | 53 | 192.168.2.13 | 51.254.162.59
Apr 24, 2024 10:59:42.970443964 CEST | 53 | 48330 | 51.254.162.59 | 192.168.2.13
Apr 24, 2024 10:59:42.970669031 CEST | 49045 | 53 | 192.168.2.13 | 51.254.162.59
Apr 24, 2024 10:59:43.273282051 CEST | 53 | 49045 | 51.254.162.59 | 192.168.2.13
Apr 24, 2024 10:59:43.273499966 CEST | 35645 | 53 | 192.168.2.13 | 51.254.162.59
Apr 24, 2024 10:59:43.580207109 CEST | 53 | 35645 | 51.254.162.59 | 192.168.2.13
Apr 24, 2024 10:59:43.580478907 CEST | 58013 | 53 | 192.168.2.13 | 51.254.162.59
Apr 24, 2024 10:59:43.888185978 CEST | 53 | 58013 | 51.254.162.59 | 192.168.2.13
Apr 24, 2024 10:59:43.888392925 CEST | 34726 | 53 | 192.168.2.13 | 51.254.162.59
Apr 24, 2024 10:59:44.196475983 CEST | 53 | 34726 | 51.254.162.59 | 192.168.2.13
Apr 24, 2024 10:59:46.523507118 CEST | 47771 | 53 | 192.168.2.13 | 185.181.61.24
Apr 24, 2024 10:59:46.846268892 CEST | 53 | 47771 | 185.181.61.24 | 192.168.2.13
Apr 24, 2024 10:59:46.846836090 CEST | 54292 | 53 | 192.168.2.13 | 185.181.61.24
Apr 24, 2024 10:59:47.168649912 CEST | 53 | 54292 | 185.181.61.24 | 192.168.2.13
Apr 24, 2024 10:59:47.169198990 CEST | 34936 | 53 | 192.168.2.13 | 185.181.61.24
Apr 24, 2024 10:59:47.490906000 CEST | 53 | 34936 | 185.181.61.24 | 192.168.2.13
Apr 24, 2024 10:59:47.491437912 CEST | 34026 | 53 | 192.168.2.13 | 185.181.61.24
Apr 24, 2024 10:59:47.813054085 CEST | 53 | 34026 | 185.181.61.24 | 192.168.2.13
Apr 24, 2024 10:59:47.813406944 CEST | 35466 | 53 | 192.168.2.13 | 185.181.61.24
Apr 24, 2024 10:59:48.135298014 CEST | 53 | 35466 | 185.181.61.24 | 192.168.2.13
Apr 24, 2024 10:59:50.463210106 CEST | 47933 | 53 | 192.168.2.13 | 51.77.149.139
Apr 24, 2024 10:59:50.771748066 CEST | 53 | 47933 | 51.77.149.139 | 192.168.2.13
Apr 24, 2024 10:59:50.772161961 CEST | 48325 | 53 | 192.168.2.13 | 51.77.149.139
Apr 24, 2024 10:59:51.079488993 CEST | 53 | 48325 | 51.77.149.139 | 192.168.2.13
Apr 24, 2024 10:59:51.079859972 CEST | 33520 | 53 | 192.168.2.13 | 51.77.149.139
Apr 24, 2024 10:59:51.396220922 CEST | 53 | 33520 | 51.77.149.139 | 192.168.2.13
Apr 24, 2024 10:59:51.396677971 CEST | 33185 | 53 | 192.168.2.13 | 51.77.149.139
Apr 24, 2024 10:59:51.703886032 CEST | 53 | 33185 | 51.77.149.139 | 192.168.2.13
Apr 24, 2024 10:59:51.704359055 CEST | 36642 | 53 | 192.168.2.13 | 51.77.149.139
Apr 24, 2024 10:59:52.012482882 CEST | 53 | 36642 | 51.77.149.139 | 192.168.2.13
Apr 24, 2024 10:59:54.340229988 CEST | 44905 | 53 | 192.168.2.13 | 94.16.114.254
Apr 24, 2024 10:59:59.345390081 CEST | 50876 | 53 | 192.168.2.13 | 94.16.114.254
Apr 24, 2024 11:00:04.350707054 CEST | 49167 | 53 | 192.168.2.13 | 94.16.114.254
Apr 24, 2024 11:00:09.355878115 CEST | 59920 | 53 | 192.168.2.13 | 94.16.114.254
Apr 24, 2024 11:00:14.361112118 CEST | 42168 | 53 | 192.168.2.13 | 94.16.114.254
Apr 24, 2024 11:00:21.693627119 CEST | 37684 | 53 | 192.168.2.13 | 51.158.108.203
Apr 24, 2024 11:00:21.984572887 CEST | 53 | 37684 | 51.158.108.203 | 192.168.2.13
ICMP packets:

Timestamp | Source IP | Dest IP | Checksum | Code | Type
Apr 24, 2024 10:58:01.382989883 CEST | 192.168.2.13 | 192.168.2.1 | 8279 | (Port unreachable) | Destination Unreachable
Apr 24, 2024 10:59:21.410352945 CEST | 192.168.2.13 | 192.168.2.1 | 8279 | (Port unreachable) | Destination Unreachable
DNS answers:

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 24, 2024 10:59:46.846268892 CEST | 185.181.61.24 | 192.168.2.13 | 0xf795 | Format error (1) | security.rebirth-network.su | none | none | A (IP address) | IN (0x0001) | false
Apr 24, 2024 10:59:47.168649912 CEST | 185.181.61.24 | 192.168.2.13 | 0xf795 | Format error (1) | security.rebirth-network.su | none | none | A (IP address) | IN (0x0001) | false
Apr 24, 2024 10:59:47.490906000 CEST | 185.181.61.24 | 192.168.2.13 | 0xf795 | Format error (1) | security.rebirth-network.su | none | none | A (IP address) | IN (0x0001) | false
Apr 24, 2024 10:59:47.813054085 CEST | 185.181.61.24 | 192.168.2.13 | 0xf795 | Format error (1) | security.rebirth-network.su | none | none | A (IP address) | IN (0x0001) | false
Apr 24, 2024 10:59:48.135298014 CEST | 185.181.61.24 | 192.168.2.13 | 0xf795 | Format error (1) | security.rebirth-network.su | none | none | A (IP address) | IN (0x0001) | false

System Behavior

Start time (UTC):08:57:51
Start date (UTC):24/04/2024
Path:/tmp/XHYKEGTtfq.elf
Arguments:/tmp/XHYKEGTtfq.elf
File size:5388968 bytes
MD5 hash:ae65271c943d3451b7f026d1fadccea6

Start time (UTC):08:57:51
Start date (UTC):24/04/2024
Path:/tmp/XHYKEGTtfq.elf
Arguments:-
File size:5388968 bytes
MD5 hash:ae65271c943d3451b7f026d1fadccea6

Start time (UTC):08:57:51
Start date (UTC):24/04/2024
Path:/tmp/XHYKEGTtfq.elf
Arguments:-
File size:5388968 bytes
MD5 hash:ae65271c943d3451b7f026d1fadccea6

Start time (UTC):08:57:51
Start date (UTC):24/04/2024
Path:/tmp/XHYKEGTtfq.elf
Arguments:-
File size:5388968 bytes
MD5 hash:ae65271c943d3451b7f026d1fadccea6

Start time (UTC):08:57:51
Start date (UTC):24/04/2024
Path:/tmp/XHYKEGTtfq.elf
Arguments:-
File size:5388968 bytes
MD5 hash:ae65271c943d3451b7f026d1fadccea6

Start time (UTC):08:57:51
Start date (UTC):24/04/2024
Path:/tmp/XHYKEGTtfq.elf
Arguments:-
File size:5388968 bytes
MD5 hash:ae65271c943d3451b7f026d1fadccea6

Start time (UTC):08:57:51
Start date (UTC):24/04/2024
Path:/usr/lib/systemd/systemd
Arguments:-
File size:1620224 bytes
MD5 hash:9b2bec7092a40488108543f9334aab75

Start time (UTC):08:57:51
Start date (UTC):24/04/2024
Path:/usr/bin/journalctl
Arguments:/usr/bin/journalctl --smart-relinquish-var
File size:80120 bytes
MD5 hash:bf3a987344f3bacafc44efd882abda8b

Start time (UTC):08:57:51
Start date (UTC):24/04/2024
Path:/usr/lib/systemd/systemd
Arguments:-
File size:1620224 bytes
MD5 hash:9b2bec7092a40488108543f9334aab75

Start time (UTC):08:57:51
Start date (UTC):24/04/2024
Path:/usr/bin/dbus-daemon
Arguments:/usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
File size:249032 bytes
MD5 hash:3089d47e3f3ab84cd81c48fd406d7a8c

Start time (UTC):08:57:51
Start date (UTC):24/04/2024
Path:/usr/lib/systemd/systemd
Arguments:-
File size:1620224 bytes
MD5 hash:9b2bec7092a40488108543f9334aab75

Start time (UTC):08:57:51
Start date (UTC):24/04/2024
Path:/usr/sbin/rsyslogd
Arguments:/usr/sbin/rsyslogd -n -iNONE
File size:727248 bytes
MD5 hash:0b8087fc907c42eb3c81a691db258e33

Start time (UTC):08:57:51
Start date (UTC):24/04/2024
Path:/usr/libexec/gvfsd-fuse
Arguments:-
File size:47632 bytes
MD5 hash:d18fbf1cbf8eb57b17fac48b7b4be933

Start time (UTC):08:57:51
Start date (UTC):24/04/2024
Path:/bin/fusermount
Arguments:fusermount -u -q -z -- /run/user/1000/gvfs
File size:39144 bytes
MD5 hash:576a1b135c82bdcbc97a91acea900566

Start time (UTC):08:57:51
Start date (UTC):24/04/2024
Path:/usr/lib/systemd/systemd
Arguments:-
File size:1620224 bytes
MD5 hash:9b2bec7092a40488108543f9334aab75

Start time (UTC):08:57:51
Start date (UTC):24/04/2024
Path:/usr/bin/pulseaudio
Arguments:/usr/bin/pulseaudio --daemonize=no --log-target=journal
File size:100832 bytes
MD5 hash:0c3b4c789d8ffb12b25507f27e14c186

Start time (UTC):08:57:52
Start date (UTC):24/04/2024
Path:/usr/lib/systemd/systemd
Arguments:-
File size:1620224 bytes
MD5 hash:9b2bec7092a40488108543f9334aab75

Start time (UTC):08:57:52
Start date (UTC):24/04/2024
Path:/lib/systemd/systemd-journald
Arguments:/lib/systemd/systemd-journald
File size:162032 bytes
MD5 hash:474667ece6cecb5e04c6eb897a1d0d9e

Start time (UTC):08:57:52
Start date (UTC):24/04/2024
Path:/usr/lib/systemd/systemd
Arguments:-
File size:1620224 bytes
MD5 hash:9b2bec7092a40488108543f9334aab75

Start time (UTC):08:57:52
Start date (UTC):24/04/2024
Path:/usr/bin/dbus-daemon
Arguments:/usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
File size:249032 bytes
MD5 hash:3089d47e3f3ab84cd81c48fd406d7a8c

Start time (UTC):08:57:52
Start date (UTC):24/04/2024
Path:/usr/lib/systemd/systemd
Arguments:-
File size:1620224 bytes
MD5 hash:9b2bec7092a40488108543f9334aab75

Start time (UTC):08:57:52
Start date (UTC):24/04/2024
Path:/usr/sbin/rsyslogd
Arguments:/usr/sbin/rsyslogd -n -iNONE
File size:727248 bytes
MD5 hash:0b8087fc907c42eb3c81a691db258e33

Start time (UTC):08:57:52
Start date (UTC):24/04/2024
Path:/usr/lib/systemd/systemd
Arguments:-
File size:1620224 bytes
MD5 hash:9b2bec7092a40488108543f9334aab75

Start time (UTC):08:57:52
Start date (UTC):24/04/2024
Path:/lib/systemd/systemd-journald
Arguments:/lib/systemd/systemd-journald
File size:162032 bytes
MD5 hash:474667ece6cecb5e04c6eb897a1d0d9e

Start time (UTC):08:57:52
Start date (UTC):24/04/2024
Path:/usr/lib/systemd/systemd
Arguments:-
File size:1620224 bytes
MD5 hash:9b2bec7092a40488108543f9334aab75

Start time (UTC):08:57:52
Start date (UTC):24/04/2024
Path:/usr/bin/dbus-daemon
Arguments:/usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
File size:249032 bytes
MD5 hash:3089d47e3f3ab84cd81c48fd406d7a8c

Start time (UTC):08:57:53
Start date (UTC):24/04/2024
Path:/usr/lib/systemd/systemd
Arguments:-
File size:1620224 bytes
MD5 hash:9b2bec7092a40488108543f9334aab75

Start time (UTC):08:57:53
Start date (UTC):24/04/2024
Path:/lib/systemd/systemd-journald
Arguments:/lib/systemd/systemd-journald
File size:162032 bytes
MD5 hash:474667ece6cecb5e04c6eb897a1d0d9e

Start time (UTC):08:57:53
Start date (UTC):24/04/2024
Path:/usr/lib/systemd/systemd
Arguments:-
File size:1620224 bytes
MD5 hash:9b2bec7092a40488108543f9334aab75

Start time (UTC):08:57:53
Start date (UTC):24/04/2024
Path:/usr/sbin/rsyslogd
Arguments:/usr/sbin/rsyslogd -n -iNONE
File size:727248 bytes
MD5 hash:0b8087fc907c42eb3c81a691db258e33

Start time (UTC):08:57:53
Start date (UTC):24/04/2024
Path:/usr/lib/systemd/systemd
Arguments:-
File size:1620224 bytes
MD5 hash:9b2bec7092a40488108543f9334aab75

Start time (UTC):08:57:53
Start date (UTC):24/04/2024
Path:/usr/bin/dbus-daemon
Arguments:/usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
File size:249032 bytes
MD5 hash:3089d47e3f3ab84cd81c48fd406d7a8c

Start time (UTC):08:57:53
Start date (UTC):24/04/2024
Path:/usr/lib/systemd/systemd
Arguments:-
File size:1620224 bytes
MD5 hash:9b2bec7092a40488108543f9334aab75

Start time (UTC):08:57:53
Start date (UTC):24/04/2024
Path:/lib/systemd/systemd-journald
Arguments:/lib/systemd/systemd-journald
File size:162032 bytes
MD5 hash:474667ece6cecb5e04c6eb897a1d0d9e

Start time (UTC):08:57:53
Start date (UTC):24/04/2024
Path:/usr/lib/systemd/systemd
Arguments:-
File size:1620224 bytes
MD5 hash:9b2bec7092a40488108543f9334aab75

Start time (UTC):08:57:53
Start date (UTC):24/04/2024
Path:/usr/bin/dbus-daemon
Arguments:/usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
File size:249032 bytes
MD5 hash:3089d47e3f3ab84cd81c48fd406d7a8c

Start time (UTC):08:57:53
Start date (UTC):24/04/2024
Path:/usr/lib/systemd/systemd
Arguments:-
File size:1620224 bytes
MD5 hash:9b2bec7092a40488108543f9334aab75

Start time (UTC):08:57:53
Start date (UTC):24/04/2024
Path:/lib/systemd/systemd-journald
Arguments:/lib/systemd/systemd-journald
File size:162032 bytes
MD5 hash:474667ece6cecb5e04c6eb897a1d0d9e

Start time (UTC):08:57:53
Start date (UTC):24/04/2024
Path:/usr/lib/systemd/systemd
Arguments:-
File size:1620224 bytes
MD5 hash:9b2bec7092a40488108543f9334aab75

Start time (UTC):08:57:53
Start date (UTC):24/04/2024
Path:/usr/sbin/rsyslogd
Arguments:/usr/sbin/rsyslogd -n -iNONE
File size:727248 bytes
MD5 hash:0b8087fc907c42eb3c81a691db258e33

Start time (UTC):08:57:53
Start date (UTC):24/04/2024
Path:/usr/sbin/gdm3
Arguments:-
File size:453296 bytes
MD5 hash:2492e2d8d34f9377e3e530a61a15674f

Start time (UTC):08:57:53
Start date (UTC):24/04/2024
Path:/etc/gdm3/PrimeOff/Default
Arguments:/etc/gdm3/PrimeOff/Default
File size:129816 bytes
MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):08:57:53
Start date (UTC):24/04/2024
Path:/usr/sbin/gdm3
Arguments:-
File size:453296 bytes
MD5 hash:2492e2d8d34f9377e3e530a61a15674f

Start time (UTC):08:57:53
Start date (UTC):24/04/2024
Path:/etc/gdm3/PrimeOff/Default
Arguments:/etc/gdm3/PrimeOff/Default
File size:129816 bytes
MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):08:57:53
Start date (UTC):24/04/2024
Path:/usr/sbin/gdm3
Arguments:-
File size:453296 bytes
MD5 hash:2492e2d8d34f9377e3e530a61a15674f

Start time (UTC):08:57:53
Start date (UTC):24/04/2024
Path:/etc/gdm3/PrimeOff/Default
Arguments:/etc/gdm3/PrimeOff/Default
File size:129816 bytes
MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):08:57:54
Start date (UTC):24/04/2024
Path:/usr/lib/systemd/systemd
Arguments:-
File size:1620224 bytes
MD5 hash:9b2bec7092a40488108543f9334aab75

Start time (UTC):08:57:54
Start date (UTC):24/04/2024
Path:/usr/sbin/rsyslogd
Arguments:/usr/sbin/rsyslogd -n -iNONE
File size:727248 bytes
MD5 hash:0b8087fc907c42eb3c81a691db258e33

Start time (UTC):08:57:55
Start date (UTC):24/04/2024
Path:/usr/lib/systemd/systemd
Arguments:-
File size:1620224 bytes
MD5 hash:9b2bec7092a40488108543f9334aab75

Start time (UTC):08:57:55
Start date (UTC):24/04/2024
Path:/usr/bin/gpu-manager
Arguments:/usr/bin/gpu-manager --log /var/log/gpu-manager.log
File size:76616 bytes
MD5 hash:8fae9dd5dd67e1f33d873089c2fd8761

Start time (UTC):08:57:55
Start date (UTC):24/04/2024
Path:/usr/bin/gpu-manager
Arguments:-
File size:76616 bytes
MD5 hash:8fae9dd5dd67e1f33d873089c2fd8761

Start time (UTC):08:57:55
Start date (UTC):24/04/2024
Path:/bin/sh
Arguments:sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
File size:129816 bytes
MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):08:57:55
Start date (UTC):24/04/2024
Path:/bin/sh
Arguments:-
File size:129816 bytes
MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):08:57:55
Start date (UTC):24/04/2024
Path:/usr/bin/grep
Arguments:grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
File size:199136 bytes
MD5 hash:1e6ebb9dd094f774478f72727bdba0f5

Start time (UTC):08:57:55
Start date (UTC):24/04/2024
Path:/usr/lib/systemd/systemd
Arguments:-
File size:1620224 bytes
MD5 hash:9b2bec7092a40488108543f9334aab75

Start time (UTC):08:57:55
Start date (UTC):24/04/2024
Path:/usr/share/gdm/generate-config
Arguments:/usr/share/gdm/generate-config
File size:129816 bytes
MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):08:57:55
Start date (UTC):24/04/2024
Path:/usr/share/gdm/generate-config
Arguments:-
File size:129816 bytes
MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):08:57:55
Start date (UTC):24/04/2024
Path:/usr/bin/pkill
Arguments:pkill --signal HUP --uid gdm dconf-service
File size:30968 bytes
MD5 hash:fa96a75a08109d8842e4865b2907d51f

Start time (UTC):08:57:56
Start date (UTC):24/04/2024
Path:/usr/lib/systemd/systemd
Arguments:-
File size:1620224 bytes
MD5 hash:9b2bec7092a40488108543f9334aab75

Start time (UTC):08:57:56
Start date (UTC):24/04/2024
Path:/usr/bin/gpu-manager
Arguments:/usr/bin/gpu-manager --log /var/log/gpu-manager.log
File size:76616 bytes
MD5 hash:8fae9dd5dd67e1f33d873089c2fd8761

Start time (UTC):08:57:56
Start date (UTC):24/04/2024
Path:/usr/lib/systemd/systemd
Arguments:-
File size:1620224 bytes
MD5 hash:9b2bec7092a40488108543f9334aab75

Start time (UTC):08:57:56
Start date (UTC):24/04/2024
Path:/usr/share/gdm/generate-config
Arguments:/usr/share/gdm/generate-config
File size:129816 bytes
MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):08:57:56
Start date (UTC):24/04/2024
Path:/usr/share/gdm/generate-config
Arguments:-
File size:129816 bytes
MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):08:57:56
Start date (UTC):24/04/2024
Path:/usr/bin/pkill
Arguments:pkill --signal HUP --uid gdm dconf-service
File size:30968 bytes
MD5 hash:fa96a75a08109d8842e4865b2907d51f

Start time (UTC):08:57:57
Start date (UTC):24/04/2024
Path:/usr/lib/systemd/systemd
Arguments:-
File size:1620224 bytes
MD5 hash:9b2bec7092a40488108543f9334aab75

Start time (UTC):08:57:57
Start date (UTC):24/04/2024
Path:/usr/bin/gpu-manager
Arguments:/usr/bin/gpu-manager --log /var/log/gpu-manager.log
File size:76616 bytes
MD5 hash:8fae9dd5dd67e1f33d873089c2fd8761

Start time (UTC):08:57:57
Start date (UTC):24/04/2024
Path:/usr/bin/gpu-manager
Arguments:-
File size:76616 bytes
MD5 hash:8fae9dd5dd67e1f33d873089c2fd8761

Start time (UTC):08:57:57
Start date (UTC):24/04/2024
Path:/bin/sh
Arguments:sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
File size:129816 bytes
MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):08:57:57
Start date (UTC):24/04/2024
Path:/bin/sh
Arguments:-
File size:129816 bytes
MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):08:57:57
Start date (UTC):24/04/2024
Path:/usr/bin/grep
Arguments:grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
File size:199136 bytes
MD5 hash:1e6ebb9dd094f774478f72727bdba0f5

Start time (UTC):08:57:57
Start date (UTC):24/04/2024
Path:/usr/lib/systemd/systemd
Arguments:-
File size:1620224 bytes
MD5 hash:9b2bec7092a40488108543f9334aab75

Start time (UTC):08:57:57
Start date (UTC):24/04/2024
Path:/usr/share/gdm/generate-config
Arguments:/usr/share/gdm/generate-config
File size:129816 bytes
MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):08:57:57
Start date (UTC):24/04/2024
Path:/usr/share/gdm/generate-config
Arguments:-
File size:129816 bytes
MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):08:57:57
Start date (UTC):24/04/2024
Path:/usr/bin/pkill
Arguments:pkill --signal HUP --uid gdm dconf-service
File size:30968 bytes
MD5 hash:fa96a75a08109d8842e4865b2907d51f

Start time (UTC):08:57:58
Start date (UTC):24/04/2024
Path:/usr/lib/systemd/systemd
Arguments:-
File size:1620224 bytes
MD5 hash:9b2bec7092a40488108543f9334aab75

Start time (UTC):08:57:58
Start date (UTC):24/04/2024
Path:/usr/bin/gpu-manager
Arguments:/usr/bin/gpu-manager --log /var/log/gpu-manager.log
File size:76616 bytes
MD5 hash:8fae9dd5dd67e1f33d873089c2fd8761

Start time (UTC):08:57:58
Start date (UTC):24/04/2024
Path:/usr/lib/systemd/systemd
Arguments:-
File size:1620224 bytes
MD5 hash:9b2bec7092a40488108543f9334aab75

Start time (UTC):08:57:58
Start date (UTC):24/04/2024
Path:/usr/share/gdm/generate-config
Arguments:/usr/share/gdm/generate-config
File size:129816 bytes
MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):08:57:58
Start date (UTC):24/04/2024
Path:/usr/share/gdm/generate-config
Arguments:-
File size:129816 bytes
MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):08:57:58
Start date (UTC):24/04/2024
Path:/usr/bin/pkill
Arguments:pkill --signal HUP --uid gdm dconf-service
File size:30968 bytes
MD5 hash:fa96a75a08109d8842e4865b2907d51f

Start time (UTC):08:58:00
Start date (UTC):24/04/2024
Path:/usr/lib/systemd/systemd
Arguments:-
File size:1620224 bytes
MD5 hash:9b2bec7092a40488108543f9334aab75

Start time (UTC):08:58:00
Start date (UTC):24/04/2024
Path:/usr/bin/gpu-manager
Arguments:/usr/bin/gpu-manager --log /var/log/gpu-manager.log
File size:76616 bytes
MD5 hash:8fae9dd5dd67e1f33d873089c2fd8761

Start time (UTC):08:58:00
Start date (UTC):24/04/2024
Path:/usr/lib/systemd/systemd
Arguments:-
File size:1620224 bytes
MD5 hash:9b2bec7092a40488108543f9334aab75

Start time (UTC):08:58:00
Start date (UTC):24/04/2024
Path:/usr/share/gdm/generate-config
Arguments:/usr/share/gdm/generate-config
File size:129816 bytes
MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):08:58:00
Start date (UTC):24/04/2024
Path:/usr/share/gdm/generate-config
Arguments:-
File size:129816 bytes
MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):08:58:00
Start date (UTC):24/04/2024
Path:/usr/bin/pkill
Arguments:pkill --signal HUP --uid gdm dconf-service
File size:30968 bytes
MD5 hash:fa96a75a08109d8842e4865b2907d51f

Start time (UTC):08:58:01
Start date (UTC):24/04/2024
Path:/usr/lib/systemd/systemd
Arguments:-
File size:1620224 bytes
MD5 hash:9b2bec7092a40488108543f9334aab75

Start time (UTC):08:58:01
Start date (UTC):24/04/2024
Path:/bin/plymouth
Arguments:/bin/plymouth quit
File size:51352 bytes
MD5 hash:87003efd8dad470042f5e75360a8f49f

Start time (UTC):08:59:21
Start date (UTC):24/04/2024
Path:/usr/lib/systemd/systemd
Arguments:-
File size:1620224 bytes
MD5 hash:9b2bec7092a40488108543f9334aab75

Start time (UTC):08:59:21
Start date (UTC):24/04/2024
Path:/usr/bin/dbus-daemon
Arguments:/usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
File size:249032 bytes
MD5 hash:3089d47e3f3ab84cd81c48fd406d7a8c