Linux Analysis Report
Aqua.arm7-20240507-1844.elf

Overview

General Information

Sample name:	Aqua.arm7-20240507-1844.elf
Analysis ID:	1437718
MD5:	cf5bf3e2c9bc2bacbb2147f12feeefb6
SHA1:	d4ba86a8092af00c746728f6fe8598c6bbd270d1
SHA256:	b90a7a4bd8f25a85d097851fb7cc52f24cdc3976d55ca8135d5713b58130c62b
Infos:

Detection

Mirai

Score:	92
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Mirai

Contains symbols with names commonly found in malware

Queries the IP of a very long domain name

Reads system files that contain records of logged in users

Sample deletes itself

Sample reads /proc/mounts (often used for finding a writable filesystem)

Creates hidden files and/or directories

Deletes log files

Detected TCP or UDP traffic on non-standard ports

Enumerates processes within the "proc" file system

Executes commands using a shell command-line interpreter

Executes the "grep" command used to find patterns in files or piped streams

Executes the "kill" or "pkill" command typically used to terminate processes

Found strings indicative of a multi-platform dropper

HTTP GET or POST without a user agent

Reads CPU information from /sys indicative of miner or evasive malware

Reads system version information

Sample and/or dropped files contains symbols with suspicious names

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Sample tries to set the executable flag

Uses the "uname" system call to query kernel version information (possible evasion)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Aqua.arm7-20240507-1844.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: Aqua.arm7-20240507-1844.elf

ReversingLabs: Detection: 57%

Reads CPU information from /sys indicative of miner or evasive malware

Source: /usr/bin/pulseaudio (PID: 6263)	Reads CPU info from /sys: /sys/devices/system/cpu/online			Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	Reads CPU info from /sys: /sys/devices/system/cpu/online			Jump to behavior

Found strings indicative of a multi-platform dropper

Source: Aqua.arm7-20240507-1844.elf

String: EOF/proc//proc/%s/cmdlinewgetcurlftpechokillbashrebootshutdownhaltpoweroff[locker] killed process: %s ;; pid: %d

Networking

Queries the IP of a very long domain name

Source: unknown	DNS traffic detected: query: net.kovey-net.lol.v:fV66PV,PV!E(:'51(v:fNNPV!PV
Source: unknown	DNS traffic detected: query: net.kovey-net.lol.v:f66PV,PV!E(4x;]5 #v:f8NNPV!PV
Source: unknown	DNS traffic detected: query: net.kovey-net.lol.v:fC66PV,PV!E(:P5v:fDNNPV!PV
Source: unknown	DNS traffic detected: query: net.kovey-net.lol.v:fW66PV,PV!E(j:C5 v:fNNPV!PV
Source: unknown	DNS traffic detected: query: net.kovey-net.lol.v:f66PV,PV!E()exF5nv:fgJJPV!PV
Source: unknown	DNS traffic detected: query: net.kovey-net.lol.w:fl66PV,PV!E(zIx5<"sw:fNNPV!PV
Source: unknown	DNS traffic detected: query: net.kovey-net.lol.w:f66PV,PV!E(NDx!53"sw:fNNPV!PV
Source: unknown	DNS traffic detected: query: net.kovey-net.lol.w:fY/66PV,PV!E(>:o52"sw:f0NNPV!PV
Source: unknown	DNS traffic detected: query: net.kovey-net.lol.w:f'766PV,PV!E(7x5"sw:f9NNPV!PV
Source: unknown	DNS traffic detected: query: net.kovey-net.lol.w:fS66PV,PV!E(:$5g"sw:f3JJPV!PV

Detected TCP or UDP traffic on non-standard ports

Source: global traffic	TCP traffic: 192.168.2.23:53010 -> 94.156.8.76:33966
Source: global traffic	TCP traffic: 192.168.2.23:50014 -> 89.190.156.145:7733

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: POST /9aadafe2051348cd32033e1cad68f0a5fe46fba3240ac1e6e42158f31b8a1371790c09baf3996b4979fe8e533446c7dedf30f654c68b25357334c66911dc6a9e HTTP/1.1 Host: daisy.ubuntu.com Accept: */* Content-Type: application/octet-stream X-Whoopsie-Version: 0.2.69ubuntu0.3 Content-Length: 164887 Expect: 100-continue

Sample listens on a socket

Source: /usr/sbin/gdm3 (PID: 6374)	Socket: <unknown socket type>:unknown			Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6401)	Socket: <unknown socket type>:unknown			Jump to behavior

Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: net.kovey-net.lol
Source: global traffic	DNS traffic detected: DNS query: net.kovey-net.lol.v:fV66PV,PV!E(:'51(v:fNNPV!PV
Source: global traffic	DNS traffic detected: DNS query: net.kovey-net.lol.v:f66PV,PV!E(4x;]5 #v:f8NNPV!PV
Source: global traffic	DNS traffic detected: DNS query: net.kovey-net.lol.v:fC66PV,PV!E(:P5v:fDNNPV!PV
Source: global traffic	DNS traffic detected: DNS query: net.kovey-net.lol.v:fW66PV,PV!E(j:C5 v:fNNPV!PV
Source: global traffic	DNS traffic detected: DNS query: net.kovey-net.lol.v:f66PV,PV!E()exF5nv:fgJJPV!PV
Source: global traffic	DNS traffic detected: DNS query: daisy.ubuntu.com
Source: global traffic	DNS traffic detected: DNS query: net.kovey-net.lol.w:fl66PV,PV!E(zIx5<"sw:fNNPV!PV
Source: global traffic	DNS traffic detected: DNS query: net.kovey-net.lol.w:f66PV,PV!E(NDx!53"sw:fNNPV!PV
Source: global traffic	DNS traffic detected: DNS query: net.kovey-net.lol.w:fY/66PV,PV!E(>:o52"sw:f0NNPV!PV
Source: global traffic	DNS traffic detected: DNS query: net.kovey-net.lol.w:f'766PV,PV!E(7x5"sw:f9NNPV!PV
Source: global traffic	DNS traffic detected: DNS query: net.kovey-net.lol.w:fS66PV,PV!E(:$5g"sw:f3JJPV!PV

Source: unknown

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 37600
Source: unknown	Network traffic detected: HTTP traffic on port 37600 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: Aqua.arm7-20240507-1844.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Aqua.arm7-20240507-1844.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 6222.1.00007ff4f8017000.00007ff4f8032000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6222.1.00007ff4f8017000.00007ff4f8032000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: Aqua.arm7-20240507-1844.elf PID: 6222, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: Aqua.arm7-20240507-1844.elf PID: 6222, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown

Contains symbols with names commonly found in malware

Source: ELF static info symbol of initial sample	Name: attack.c
Source: ELF static info symbol of initial sample	Name: attack_get_opt_int
Source: ELF static info symbol of initial sample	Name: attack_get_opt_ip
Source: ELF static info symbol of initial sample	Name: attack_gre.c

Sample and/or dropped files contains symbols with suspicious names

Source: Aqua.arm7-20240507-1844.elf

ELF static info symbol of initial sample: __gnu_unwind_execute

Sample tries to kill a process (SIGKILL)

Source: /tmp/Aqua.arm7-20240507-1844.elf (PID: 6226)

SIGKILL sent: pid: 777, result: successful

Jump to behavior

Yara signature match

Source: Aqua.arm7-20240507-1844.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Aqua.arm7-20240507-1844.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 6222.1.00007ff4f8017000.00007ff4f8032000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6222.1.00007ff4f8017000.00007ff4f8032000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: Aqua.arm7-20240507-1844.elf PID: 6222, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: Aqua.arm7-20240507-1844.elf PID: 6222, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16

Source: classification engine

Classification label: mal92.troj.evad.linELF@0/18@14/0

Persistence and Installation Behavior

Sample reads /proc/mounts (often used for finding a writable filesystem)

Source: /usr/bin/dbus-daemon (PID: 6228)	File: /proc/6228/mounts	Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6401)	File: /proc/6401/mounts	Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6406)	File: /proc/6406/mounts	Jump to behavior

Creates hidden files and/or directories

Source: /lib/systemd/systemd-logind (PID: 6271)	Directory: <invalid fd (18)>/..	Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6271)	Directory: <invalid fd (17)>/..	Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6271)	File: /run/systemd/seats/.#seat0nZ62Ip	Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6271)	File: /run/systemd/users/.#127H7C8Op	Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6271)	File: /run/systemd/users/.#127x4TTzp	Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6271)	File: /run/systemd/seats/.#seat0Kk2hHm	Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6271)	File: /run/systemd/users/.#127iyODDm	Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6271)	File: /run/systemd/users/.#127E4CdGo	Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6271)	File: /run/systemd/users/.#127FhSaSl	Jump to behavior
Source: /usr/lib/policykit-1/polkitd (PID: 6333)	Directory: /root/.cache	Jump to behavior
Source: /usr/lib/gdm3/gdm-wayland-session (PID: 6399)	Directory: /var/lib/gdm3/.cache	Jump to behavior
Source: /usr/lib/accountsservice/accounts-daemon (PID: 6380)	Directory: /var/lib/gdm3/.pam_environment	Jump to behavior
Source: /usr/lib/accountsservice/accounts-daemon (PID: 6380)	Directory: /root/.cache	Jump to behavior

Enumerates processes within the "proc" file system

Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6230/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6230/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6232/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6232/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6231/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6231/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6234/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6234/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6233/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6233/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6236/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6236/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6235/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6235/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/3088/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/3088/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/230/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/230/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/110/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/110/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/231/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/231/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/111/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/111/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/232/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/232/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/112/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/112/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/233/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/233/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/113/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/113/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/234/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/234/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/1335/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/1335/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/114/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/114/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/235/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/235/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/1334/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/1334/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/2302/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/2302/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/115/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/115/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/236/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/236/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/116/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/116/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/237/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/237/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/117/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/117/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/118/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/118/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/910/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/910/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/119/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/119/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6226/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6226/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6229/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6229/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6228/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6228/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/10/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/10/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/2307/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/2307/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/11/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/11/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/12/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/12/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6361/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6361/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/13/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/13/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6364/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6364/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/14/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/14/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/15/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/15/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6245/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6245/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/16/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/16/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6244/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6244/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6365/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6365/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/17/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/17/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6247/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6247/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/18/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/18/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6246/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6246/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/120/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/120/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/121/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/121/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/1/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/1/cmdline	Jump to behavior

Executes commands using a shell command-line interpreter

Source: /usr/bin/gpu-manager (PID: 6343)	Shell command executed: sh -c "grep -G \"^blacklist.nvidia[[:space:]]$\" /etc/modprobe.d/*.conf"	Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6345)	Shell command executed: sh -c "grep -G \"^blacklist.nvidia[[:space:]]$\" /lib/modprobe.d/*.conf"	Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6347)	Shell command executed: sh -c "grep -G \"^blacklist.radeon[[:space:]]$\" /etc/modprobe.d/*.conf"	Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6352)	Shell command executed: sh -c "grep -G \"^blacklist.radeon[[:space:]]$\" /lib/modprobe.d/*.conf"	Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6354)	Shell command executed: sh -c "grep -G \"^blacklist.amdgpu[[:space:]]$\" /etc/modprobe.d/*.conf"	Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6356)	Shell command executed: sh -c "grep -G \"^blacklist.amdgpu[[:space:]]$\" /lib/modprobe.d/*.conf"	Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6359)	Shell command executed: sh -c "grep -G \"^blacklist.nouveau[[:space:]]$\" /etc/modprobe.d/*.conf"	Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6362)	Shell command executed: sh -c "grep -G \"^blacklist.nouveau[[:space:]]$\" /lib/modprobe.d/*.conf"	Jump to behavior
Source: /usr/share/language-tools/language-options (PID: 6392)	Shell command executed: sh -c "locale -a \| grep -F .utf8 "	Jump to behavior

Executes the "grep" command used to find patterns in files or piped streams

Source: /bin/sh (PID: 6344)	Grep executable: /usr/bin/grep -> grep -G ^blacklist.nvidia[[:space:]]$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf	Jump to behavior
Source: /bin/sh (PID: 6346)	Grep executable: /usr/bin/grep -> grep -G ^blacklist.nvidia[[:space:]]$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf	Jump to behavior
Source: /bin/sh (PID: 6348)	Grep executable: /usr/bin/grep -> grep -G ^blacklist.radeon[[:space:]]$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf	Jump to behavior
Source: /bin/sh (PID: 6353)	Grep executable: /usr/bin/grep -> grep -G ^blacklist.radeon[[:space:]]$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf	Jump to behavior
Source: /bin/sh (PID: 6355)	Grep executable: /usr/bin/grep -> grep -G ^blacklist.amdgpu[[:space:]]$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf	Jump to behavior
Source: /bin/sh (PID: 6357)	Grep executable: /usr/bin/grep -> grep -G ^blacklist.amdgpu[[:space:]]$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf	Jump to behavior
Source: /bin/sh (PID: 6360)	Grep executable: /usr/bin/grep -> grep -G ^blacklist.nouveau[[:space:]]$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf	Jump to behavior
Source: /bin/sh (PID: 6363)	Grep executable: /usr/bin/grep -> grep -G ^blacklist.nouveau[[:space:]]$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf	Jump to behavior
Source: /bin/sh (PID: 6394)	Grep executable: /usr/bin/grep -> grep -F .utf8	Jump to behavior

Executes the "kill" or "pkill" command typically used to terminate processes

Source: /usr/share/gdm/generate-config (PID: 6365)

Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service

Jump to behavior

Reads system version information

Source: /sbin/agetty (PID: 6338)

Reads version info: /etc/issue

Jump to behavior

Sample tries to set the executable flag

Source: /usr/sbin/gdm3 (PID: 6374)	File: /var/run/gdm3 (bits: - usr: -x grp: x all: rwx)	Jump to behavior
Source: /usr/sbin/gdm3 (PID: 6374)	File: /var/log/gdm3 (bits: - usr: -x grp: x all: rwx)	Jump to behavior
Source: /usr/lib/accountsservice/accounts-daemon (PID: 6380)	File: /var/lib/AccountsService/icons (bits: - usr: rx grp: rwx all: rwx)	Jump to behavior
Source: /usr/lib/accountsservice/accounts-daemon (PID: 6380)	File: /var/lib/AccountsService/users (bits: - usr: - grp: - all: rwx)	Jump to behavior

Source: /usr/bin/gpu-manager (PID: 6342)

Log file created: /var/log/gpu-manager.log

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Sample deletes itself

Source: /tmp/Aqua.arm7-20240507-1844.elf (PID: 6224)

File: /tmp/Aqua.arm7-20240507-1844.elf

Jump to behavior

Deletes log files

Source: /usr/bin/gpu-manager (PID: 6342)

Truncated file: /var/log/gpu-manager.log

Jump to behavior

Reads CPU information from /sys indicative of miner or evasive malware

Source: /usr/bin/pulseaudio (PID: 6263)	Reads CPU info from /sys: /sys/devices/system/cpu/online			Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	Reads CPU info from /sys: /sys/devices/system/cpu/online			Jump to behavior

Uses the "uname" system call to query kernel version information (possible evasion)

Source: /tmp/Aqua.arm7-20240507-1844.elf (PID: 6222)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/pulseaudio (PID: 6263)	Queries kernel information via 'uname':	Jump to behavior
Source: /sbin/agetty (PID: 6338)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6342)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/lib/gdm3/gdm-session-worker (PID: 6395)	Queries kernel information via 'uname':	Jump to behavior

Source: Aqua.arm7-20240507-1844.elf, 6222.1.00007ffede368000.00007ffede389000.rw-.sdmp	Binary or memory string: \|1x86_64/usr/bin/qemu-arm/tmp/Aqua.arm7-20240507-1844.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/Aqua.arm7-20240507-1844.elf
Source: Aqua.arm7-20240507-1844.elf, 6222.1.00007ffede368000.00007ffede389000.rw-.sdmp	Binary or memory string: /tmp/qemu-open.0an21F
Source: Aqua.arm7-20240507-1844.elf, 6222.1.00007ffede368000.00007ffede389000.rw-.sdmp	Binary or memory string: V/tmp/qemu-open.0an21F:
Source: Aqua.arm7-20240507-1844.elf, 6222.1.0000561690901000.0000561690a52000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: Aqua.arm7-20240507-1844.elf, 6222.1.0000561690901000.0000561690a52000.rw-.sdmp	Binary or memory string: V!/etc/qemu-binfmt/arm
Source: Aqua.arm7-20240507-1844.elf, 6222.1.00007ffede368000.00007ffede389000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm

Language, Device and Operating System Detection

Reads system files that contain records of logged in users

Source: /usr/lib/accountsservice/accounts-daemon (PID: 6380)

Logged in records file read: /var/log/wtmp

Jump to behavior

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: Aqua.arm7-20240507-1844.elf, type: SAMPLE
Source: Yara match	File source: 6222.1.00007ff4f8017000.00007ff4f8032000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Aqua.arm7-20240507-1844.elf PID: 6222, type: MEMORYSTR

Remote Access Functionality

Yara detected Mirai

Source: Yara match	File source: Aqua.arm7-20240507-1844.elf, type: SAMPLE
Source: Yara match	File source: 6222.1.00007ff4f8017000.00007ff4f8032000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Aqua.arm7-20240507-1844.elf PID: 6222, type: MEMORYSTR

Screenshots

No Screenshots

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
162.213.35.24	unknown	United States	41231	CANONICAL-ASGB	false
94.156.8.76	net.kovey-net.lol	Bulgaria	43561	NET1-ASBG	true
89.190.156.145	unknown	United Kingdom	7489	HOSTUS-GLOBAL-ASHostUSHK	false
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Contacted Domains

Name	IP	Active
daisy.ubuntu.com	162.213.35.25	true
net.kovey-net.lol	94.156.8.76	true
net.kovey-net.lol.v:f66PV,PV!E(4x;]5 #v:f8NNPV!PV	unknown	unknown
net.kovey-net.lol.v:fC66PV,PV!E(:P5v:fDNNPV!PV	unknown	unknown
net.kovey-net.lol.w:fl66PV,PV!E(zIx5<"sw:fNNPV!PV	unknown	unknown
net.kovey-net.lol.w:fY/66PV,PV!E(>:o52"sw:f0NNPV!PV	unknown	unknown
net.kovey-net.lol.v:fW66PV,PV!E(j:C5 v:fNNPV!PV	unknown	unknown
net.kovey-net.lol.w:f66PV,PV!E(NDx!53"sw:fNNPV!PV	unknown	unknown
net.kovey-net.lol.w:f'766PV,PV!E(7x5"sw:f9NNPV!PV	unknown	unknown
net.kovey-net.lol.v:f66PV,PV!E()exF5nv:fgJJPV!PV	unknown	unknown
net.kovey-net.lol.v:fV66PV,PV!E(:'51(v:fNNPV!PV	unknown	unknown
net.kovey-net.lol.w:fS66PV,PV!E(:$5g"sw:f3JJPV!PV	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://daisy.ubuntu.com/9aadafe2051348cd32033e1cad68f0a5fe46fba3240ac1e6e42158f31b8a1371790c09baf3996b4979fe8e533446c7dedf30f654c68b25357334c66911dc6a9e	false		high

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Aqua.arm7-20240507-1844.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: Aqua.arm7-20240507-1844.elf

ReversingLabs: Detection: 57%

Reads CPU information from /sys indicative of miner or evasive malware

Source: /usr/bin/pulseaudio (PID: 6263)	Reads CPU info from /sys: /sys/devices/system/cpu/online			Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	Reads CPU info from /sys: /sys/devices/system/cpu/online			Jump to behavior

Found strings indicative of a multi-platform dropper

Source: Aqua.arm7-20240507-1844.elf

String: EOF/proc//proc/%s/cmdlinewgetcurlftpechokillbashrebootshutdownhaltpoweroff[locker] killed process: %s ;; pid: %d

Networking

Queries the IP of a very long domain name

Source: unknown	DNS traffic detected: query: net.kovey-net.lol.v:fV66PV,PV!E(:'51(v:fNNPV!PV
Source: unknown	DNS traffic detected: query: net.kovey-net.lol.v:f66PV,PV!E(4x;]5 #v:f8NNPV!PV
Source: unknown	DNS traffic detected: query: net.kovey-net.lol.v:fC66PV,PV!E(:P5v:fDNNPV!PV
Source: unknown	DNS traffic detected: query: net.kovey-net.lol.v:fW66PV,PV!E(j:C5 v:fNNPV!PV
Source: unknown	DNS traffic detected: query: net.kovey-net.lol.v:f66PV,PV!E()exF5nv:fgJJPV!PV
Source: unknown	DNS traffic detected: query: net.kovey-net.lol.w:fl66PV,PV!E(zIx5<"sw:fNNPV!PV
Source: unknown	DNS traffic detected: query: net.kovey-net.lol.w:f66PV,PV!E(NDx!53"sw:fNNPV!PV
Source: unknown	DNS traffic detected: query: net.kovey-net.lol.w:fY/66PV,PV!E(>:o52"sw:f0NNPV!PV
Source: unknown	DNS traffic detected: query: net.kovey-net.lol.w:f'766PV,PV!E(7x5"sw:f9NNPV!PV
Source: unknown	DNS traffic detected: query: net.kovey-net.lol.w:fS66PV,PV!E(:$5g"sw:f3JJPV!PV

Detected TCP or UDP traffic on non-standard ports

Source: global traffic	TCP traffic: 192.168.2.23:53010 -> 94.156.8.76:33966
Source: global traffic	TCP traffic: 192.168.2.23:50014 -> 89.190.156.145:7733

HTTP GET or POST without a user agent

Source: global traffic

Sample listens on a socket

Source: /usr/sbin/gdm3 (PID: 6374)	Socket: <unknown socket type>:unknown			Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6401)	Socket: <unknown socket type>:unknown			Jump to behavior

Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: net.kovey-net.lol
Source: global traffic	DNS traffic detected: DNS query: net.kovey-net.lol.v:fV66PV,PV!E(:'51(v:fNNPV!PV
Source: global traffic	DNS traffic detected: DNS query: net.kovey-net.lol.v:f66PV,PV!E(4x;]5 #v:f8NNPV!PV
Source: global traffic	DNS traffic detected: DNS query: net.kovey-net.lol.v:fC66PV,PV!E(:P5v:fDNNPV!PV
Source: global traffic	DNS traffic detected: DNS query: net.kovey-net.lol.v:fW66PV,PV!E(j:C5 v:fNNPV!PV
Source: global traffic	DNS traffic detected: DNS query: net.kovey-net.lol.v:f66PV,PV!E()exF5nv:fgJJPV!PV
Source: global traffic	DNS traffic detected: DNS query: daisy.ubuntu.com
Source: global traffic	DNS traffic detected: DNS query: net.kovey-net.lol.w:fl66PV,PV!E(zIx5<"sw:fNNPV!PV
Source: global traffic	DNS traffic detected: DNS query: net.kovey-net.lol.w:f66PV,PV!E(NDx!53"sw:fNNPV!PV
Source: global traffic	DNS traffic detected: DNS query: net.kovey-net.lol.w:fY/66PV,PV!E(>:o52"sw:f0NNPV!PV
Source: global traffic	DNS traffic detected: DNS query: net.kovey-net.lol.w:f'766PV,PV!E(7x5"sw:f9NNPV!PV
Source: global traffic	DNS traffic detected: DNS query: net.kovey-net.lol.w:fS66PV,PV!E(:$5g"sw:f3JJPV!PV

Source: unknown

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 37600
Source: unknown	Network traffic detected: HTTP traffic on port 37600 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: Aqua.arm7-20240507-1844.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Aqua.arm7-20240507-1844.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 6222.1.00007ff4f8017000.00007ff4f8032000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6222.1.00007ff4f8017000.00007ff4f8032000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: Aqua.arm7-20240507-1844.elf PID: 6222, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: Aqua.arm7-20240507-1844.elf PID: 6222, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown

Contains symbols with names commonly found in malware

Source: ELF static info symbol of initial sample	Name: attack.c
Source: ELF static info symbol of initial sample	Name: attack_get_opt_int
Source: ELF static info symbol of initial sample	Name: attack_get_opt_ip
Source: ELF static info symbol of initial sample	Name: attack_gre.c

Sample and/or dropped files contains symbols with suspicious names

Source: Aqua.arm7-20240507-1844.elf

ELF static info symbol of initial sample: __gnu_unwind_execute

Sample tries to kill a process (SIGKILL)

Source: /tmp/Aqua.arm7-20240507-1844.elf (PID: 6226)

SIGKILL sent: pid: 777, result: successful

Jump to behavior

Yara signature match

Source: Aqua.arm7-20240507-1844.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Aqua.arm7-20240507-1844.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 6222.1.00007ff4f8017000.00007ff4f8032000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6222.1.00007ff4f8017000.00007ff4f8032000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: Aqua.arm7-20240507-1844.elf PID: 6222, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: Aqua.arm7-20240507-1844.elf PID: 6222, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16

Source: classification engine

Classification label: mal92.troj.evad.linELF@0/18@14/0

Persistence and Installation Behavior

Sample reads /proc/mounts (often used for finding a writable filesystem)

Source: /usr/bin/dbus-daemon (PID: 6228)	File: /proc/6228/mounts	Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6401)	File: /proc/6401/mounts	Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6406)	File: /proc/6406/mounts	Jump to behavior

Creates hidden files and/or directories

Source: /lib/systemd/systemd-logind (PID: 6271)	Directory: <invalid fd (18)>/..	Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6271)	Directory: <invalid fd (17)>/..	Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6271)	File: /run/systemd/seats/.#seat0nZ62Ip	Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6271)	File: /run/systemd/users/.#127H7C8Op	Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6271)	File: /run/systemd/users/.#127x4TTzp	Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6271)	File: /run/systemd/seats/.#seat0Kk2hHm	Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6271)	File: /run/systemd/users/.#127iyODDm	Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6271)	File: /run/systemd/users/.#127E4CdGo	Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6271)	File: /run/systemd/users/.#127FhSaSl	Jump to behavior
Source: /usr/lib/policykit-1/polkitd (PID: 6333)	Directory: /root/.cache	Jump to behavior
Source: /usr/lib/gdm3/gdm-wayland-session (PID: 6399)	Directory: /var/lib/gdm3/.cache	Jump to behavior
Source: /usr/lib/accountsservice/accounts-daemon (PID: 6380)	Directory: /var/lib/gdm3/.pam_environment	Jump to behavior
Source: /usr/lib/accountsservice/accounts-daemon (PID: 6380)	Directory: /root/.cache	Jump to behavior

Enumerates processes within the "proc" file system

Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6230/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6230/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6232/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6232/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6231/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6231/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6234/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6234/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6233/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6233/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6236/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6236/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6235/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6235/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/3088/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/3088/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/230/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/230/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/110/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/110/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/231/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/231/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/111/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/111/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/232/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/232/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/112/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/112/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/233/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/233/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/113/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/113/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/234/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/234/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/1335/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/1335/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/114/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/114/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/235/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/235/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/1334/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/1334/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/2302/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/2302/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/115/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/115/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/236/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/236/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/116/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/116/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/237/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/237/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/117/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/117/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/118/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/118/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/910/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/910/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/119/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/119/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6226/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6226/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6229/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6229/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6228/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6228/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/10/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/10/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/2307/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/2307/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/11/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/11/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/12/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/12/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6361/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6361/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/13/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/13/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6364/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6364/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/14/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/14/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/15/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/15/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6245/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6245/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/16/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/16/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6244/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6244/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6365/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6365/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/17/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/17/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6247/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6247/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/18/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/18/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6246/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/6246/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/120/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/120/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/121/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/121/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/1/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	File opened: /proc/1/cmdline	Jump to behavior

Executes commands using a shell command-line interpreter

Source: /usr/bin/gpu-manager (PID: 6343)	Shell command executed: sh -c "grep -G \"^blacklist.nvidia[[:space:]]$\" /etc/modprobe.d/*.conf"	Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6345)	Shell command executed: sh -c "grep -G \"^blacklist.nvidia[[:space:]]$\" /lib/modprobe.d/*.conf"	Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6347)	Shell command executed: sh -c "grep -G \"^blacklist.radeon[[:space:]]$\" /etc/modprobe.d/*.conf"	Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6352)	Shell command executed: sh -c "grep -G \"^blacklist.radeon[[:space:]]$\" /lib/modprobe.d/*.conf"	Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6354)	Shell command executed: sh -c "grep -G \"^blacklist.amdgpu[[:space:]]$\" /etc/modprobe.d/*.conf"	Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6356)	Shell command executed: sh -c "grep -G \"^blacklist.amdgpu[[:space:]]$\" /lib/modprobe.d/*.conf"	Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6359)	Shell command executed: sh -c "grep -G \"^blacklist.nouveau[[:space:]]$\" /etc/modprobe.d/*.conf"	Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6362)	Shell command executed: sh -c "grep -G \"^blacklist.nouveau[[:space:]]$\" /lib/modprobe.d/*.conf"	Jump to behavior
Source: /usr/share/language-tools/language-options (PID: 6392)	Shell command executed: sh -c "locale -a \| grep -F .utf8 "	Jump to behavior

Executes the "grep" command used to find patterns in files or piped streams

Source: /bin/sh (PID: 6344)	Grep executable: /usr/bin/grep -> grep -G ^blacklist.nvidia[[:space:]]$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf	Jump to behavior
Source: /bin/sh (PID: 6346)	Grep executable: /usr/bin/grep -> grep -G ^blacklist.nvidia[[:space:]]$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf	Jump to behavior
Source: /bin/sh (PID: 6348)	Grep executable: /usr/bin/grep -> grep -G ^blacklist.radeon[[:space:]]$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf	Jump to behavior
Source: /bin/sh (PID: 6353)	Grep executable: /usr/bin/grep -> grep -G ^blacklist.radeon[[:space:]]$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf	Jump to behavior
Source: /bin/sh (PID: 6355)	Grep executable: /usr/bin/grep -> grep -G ^blacklist.amdgpu[[:space:]]$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf	Jump to behavior
Source: /bin/sh (PID: 6357)	Grep executable: /usr/bin/grep -> grep -G ^blacklist.amdgpu[[:space:]]$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf	Jump to behavior
Source: /bin/sh (PID: 6360)	Grep executable: /usr/bin/grep -> grep -G ^blacklist.nouveau[[:space:]]$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf	Jump to behavior
Source: /bin/sh (PID: 6363)	Grep executable: /usr/bin/grep -> grep -G ^blacklist.nouveau[[:space:]]$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf	Jump to behavior
Source: /bin/sh (PID: 6394)	Grep executable: /usr/bin/grep -> grep -F .utf8	Jump to behavior

Executes the "kill" or "pkill" command typically used to terminate processes

Source: /usr/share/gdm/generate-config (PID: 6365)

Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service

Jump to behavior

Reads system version information

Source: /sbin/agetty (PID: 6338)

Reads version info: /etc/issue

Jump to behavior

Sample tries to set the executable flag

Source: /usr/sbin/gdm3 (PID: 6374)	File: /var/run/gdm3 (bits: - usr: -x grp: x all: rwx)	Jump to behavior
Source: /usr/sbin/gdm3 (PID: 6374)	File: /var/log/gdm3 (bits: - usr: -x grp: x all: rwx)	Jump to behavior
Source: /usr/lib/accountsservice/accounts-daemon (PID: 6380)	File: /var/lib/AccountsService/icons (bits: - usr: rx grp: rwx all: rwx)	Jump to behavior
Source: /usr/lib/accountsservice/accounts-daemon (PID: 6380)	File: /var/lib/AccountsService/users (bits: - usr: - grp: - all: rwx)	Jump to behavior

Source: /usr/bin/gpu-manager (PID: 6342)

Log file created: /var/log/gpu-manager.log

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Sample deletes itself

Source: /tmp/Aqua.arm7-20240507-1844.elf (PID: 6224)

File: /tmp/Aqua.arm7-20240507-1844.elf

Jump to behavior

Deletes log files

Source: /usr/bin/gpu-manager (PID: 6342)

Truncated file: /var/log/gpu-manager.log

Jump to behavior

Reads CPU information from /sys indicative of miner or evasive malware

Source: /usr/bin/pulseaudio (PID: 6263)	Reads CPU info from /sys: /sys/devices/system/cpu/online			Jump to behavior
Source: /usr/bin/pkill (PID: 6365)	Reads CPU info from /sys: /sys/devices/system/cpu/online			Jump to behavior

Uses the "uname" system call to query kernel version information (possible evasion)

Source: /tmp/Aqua.arm7-20240507-1844.elf (PID: 6222)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/pulseaudio (PID: 6263)	Queries kernel information via 'uname':	Jump to behavior
Source: /sbin/agetty (PID: 6338)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6342)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/lib/gdm3/gdm-session-worker (PID: 6395)	Queries kernel information via 'uname':	Jump to behavior

Source: Aqua.arm7-20240507-1844.elf, 6222.1.00007ffede368000.00007ffede389000.rw-.sdmp	Binary or memory string: \|1x86_64/usr/bin/qemu-arm/tmp/Aqua.arm7-20240507-1844.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/Aqua.arm7-20240507-1844.elf
Source: Aqua.arm7-20240507-1844.elf, 6222.1.00007ffede368000.00007ffede389000.rw-.sdmp	Binary or memory string: /tmp/qemu-open.0an21F
Source: Aqua.arm7-20240507-1844.elf, 6222.1.00007ffede368000.00007ffede389000.rw-.sdmp	Binary or memory string: V/tmp/qemu-open.0an21F:
Source: Aqua.arm7-20240507-1844.elf, 6222.1.0000561690901000.0000561690a52000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: Aqua.arm7-20240507-1844.elf, 6222.1.0000561690901000.0000561690a52000.rw-.sdmp	Binary or memory string: V!/etc/qemu-binfmt/arm
Source: Aqua.arm7-20240507-1844.elf, 6222.1.00007ffede368000.00007ffede389000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm

Language, Device and Operating System Detection

Reads system files that contain records of logged in users

Source: /usr/lib/accountsservice/accounts-daemon (PID: 6380)

Logged in records file read: /var/log/wtmp

Jump to behavior

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: Aqua.arm7-20240507-1844.elf, type: SAMPLE
Source: Yara match	File source: 6222.1.00007ff4f8017000.00007ff4f8032000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Aqua.arm7-20240507-1844.elf PID: 6222, type: MEMORYSTR

Remote Access Functionality

Yara detected Mirai

Source: Yara match	File source: Aqua.arm7-20240507-1844.elf, type: SAMPLE
Source: Yara match	File source: 6222.1.00007ff4f8017000.00007ff4f8032000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Aqua.arm7-20240507-1844.elf PID: 6222, type: MEMORYSTR

ID:	1437718
Product:	CloudBasic
Start time:	20:45:09
Start date:	07.05.2024
Sample:	Aqua.arm7-20240507-1844.elf
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Architecture:	LINUX
MD5:	cf5bf3e2c9bc2bacbb2147f12feeefb6
SHA1:	d4ba86a8092af00c746728f6fe8598c6bbd270d1
SHA256:	b90a7a4bd8f25a85d097851fb7cc52f24cdc3976d55ca8135d5713b58130c62b
Filetype:	ELF Executable and Linkable format (generic) (4004/1) 100.00%

Name	Type	MD5	SHA1	SHA256
/home/saturnino/.config/pulse/ee49dfd4fa47433baee88884e2d7de7c-default-sink	ASCII text	FF001A15CE15CF062A3704CEA2991B5F	B06F6855F376C3245B82212AC73ADED55DFE5DEF	C54830B41ECFA1B6FBDC30397188DDA86B7B200E62AEAC21AE694A6192DCC38A
/home/saturnino/.config/pulse/ee49dfd4fa47433baee88884e2d7de7c-default-source	ASCII text	28FE6435F34B3367707BB1C5D5F6B430	EB8FE2D16BD6BBCCE106C94E4D284543B2573CF6	721A37C69E555799B41D308849E8F8125441883AB021B723FED90A9B744F36C0
/proc/6404/oom_score_adj	very short file (no magic)	CFCD208495D565EF66E7DFF9F98764DA	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
/run/gdm3.pid	ASCII text	0B81E3557F5A8F4C80FD3019BAE5B2A8	6513EDB0A74AB0B971C3BA40438A1503DCE5BEDD	47D91EFF9864643B8A02369B85CEE34752D7C506D1E65EC281931E060D03195F
/run/systemd/seats/.#seat0Kk2hHm	ASCII text	66D114877B3B4DB3BDD8A3AD4F5E7421	62E0CB0F51E0E3F97BE251CB917968DFF69ED344	A922628916A7DDBE2BAA33F421C82250527EA3C28E429749353A1C75C0C18860
/run/systemd/seats/.#seat0nZ62Ip	ASCII text	BE58CCABC942125F5E27AF6EB1BA2F88	07C20F55E36EE48869B223B8FC4DBC227C7353AC	551B1D1C8E5953D5D0CF49C83C1568E2FBEF8BDDB69903B3DA82240B777B4629
/run/systemd/users/.#127E4CdGo	ASCII text	A11A5E9DD87ADFFDF5C0B3E845EC612E	0754D3C1AB353C7008CEA0D303A7544263EB551C	1F09D391C250BE2A1C4F2FF16726B62DB81EEE272F6E5826F01D45254881E075
/run/systemd/users/.#127FhSaSl	ASCII text	8E2EAE693D572A986B9E0A1AB3E7BE7E	D2D8374F8A66FCC7F1F425D1701CA80662F495F0	74AFF3F57A343094BEE4E0481AEAD520ED88833A23C50B809B6D2E066776037B
/run/systemd/users/.#127H7C8Op	ASCII text	065A3AD1A34A9903F536410ECA748105	21CD684DF60D569FA96EEEB66A0819EAC1B2B1A4	E80554BF0FF4E32C61D4FA3054F8EFB27A26F1C37C91AE4EA94445C400693941
/run/systemd/users/.#127iyODDm	ASCII text	8BFE6FC336560C2FA2D73EFC79AA18CA	BC12986A3B0F0EB4AD3056CB4CF4C069A5170694	FEA5B80366E6D8AAC6FBE24510955126E474E0F9EAC6A8B52FAE4459CB630860
/run/systemd/users/.#127x4TTzp	ASCII text	8BFE6FC336560C2FA2D73EFC79AA18CA	BC12986A3B0F0EB4AD3056CB4CF4C069A5170694	FEA5B80366E6D8AAC6FBE24510955126E474E0F9EAC6A8B52FAE4459CB630860
/run/user/1000/pulse/pid	ASCII text	1CF7DB3799108FF0A9DDDA4DF93BCE13	C9092D0C0E060092E188117F69AED13D65CD7C4E	8CA139A3F63382CBD1D935E70F1C02A502DF312C0F953FB3EB5F78FB808D42D3
/run/utmp	data	9FEB58361D59946C1EA670F0E184BDB0	B5ACA27041409789DBD545E39593A65F7E7838DD	86FE80DB850E6C2D42107D76A2200EECEC50297865FED3FB6733FF9087B02147
/tmp/qemu-open.0an21F (deleted)	data	8BC44F33C761928BB0A038D47093E47C	0B841D7E3C99290853FB82EBD6E2BC2B6C615D68	33CBDD609D463860BE5E16DBC1E397D763181C4850178D0635D3C5330FF34110
/var/lib/AccountsService/users/gdm.U6EKN2	ASCII text	542BA3FB41206AE43928AF1C5E61FEBC	F56F574DAF50D609526B36B5B54FDD59EA4D6A26	730D9509D4EAA7266829A8F5A8CFEBA6BBDDD5873FC2BD580AD464F4A237E11A
/var/lib/ubuntu-drivers-common/last_gfx_boot	ASCII text	078760523943E160756979906B85FB5E	0962643266F4C5537F7D125046F28F21D6DD0C89	048416AC7A9A99690B8B53718CD39F32F637B55CC8DD8E67E58E5AEF060DD41C
/var/log/gpu-manager.log	ASCII text	3AF77E630DA00B3BE24F4E8AA5D78B13	BCF2D99E002F6DE2413A183227B011CFBEF5673D	EB1CBBA20845237B4409274D693FEAE13F835274DA3337B7A9D14F4D7FDF9DEA
/var/log/wtmp	data	9FEB58361D59946C1EA670F0E184BDB0	B5ACA27041409789DBD545E39593A65F7E7838DD	86FE80DB850E6C2D42107D76A2200EECEC50297865FED3FB6733FF9087B02147

Linux Analysis Report
Aqua.arm7-20240507-1844.elf

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Bitcoin Miner

Spreading

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Linux Analysis Report Aqua.arm7-20240507-1844.elf

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Bitcoin Miner

Spreading

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Linux Analysis Report
Aqua.arm7-20240507-1844.elf

Malware Threat Intel
Provided by