Linux
Analysis Report
kdevtmpfsi
Overview
General Information
Sample Name: | kdevtmpfsi |
Analysis ID: | 1338613 |
MD5: | c82bb3c68f7a033b407aa3f53827b7fd |
SHA1: | 6296e8ed40e430480791bf7b4fcdafde5f834837 |
SHA256: | 6fc94d8aecc538b1d099a429fb68ac20d7b6ae8b3c7795ae72dd2b7107690b8f |
Infos: |
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Signatures
Classification
Joe Sandbox Version: | 38.0.0 Ammolite |
Analysis ID: | 1338613 |
Start date and time: | 2023-11-07 22:52:27 +01:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 5m 5s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | defaultlinuxfilecookbook.jbs |
Analysis system description: | Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11) |
Analysis Mode: | default |
Sample file name: | kdevtmpfsi |
Detection: | MAL |
Classification: | mal100.troj.evad.mine.lin@0/1@0/0 |
- VT rate limit hit for: kdevtmpfsi
Command: | /tmp/kdevtmpfsi |
PID: | 6216 |
Exit Code: | 0 |
Exit Code Info: | |
Killed: | False |
Standard Output: | |
Standard Error: |
- system is lnxubuntu20
- kdevtmpfsi New Fork (PID: 6217, Parent: 6216)
- kdevtmpfsi New Fork (PID: 6223, Parent: 6217)
- sh New Fork (PID: 6224, Parent: 6223)
- cleanup
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
Linux_Cryptominer_Generic_e1ff020a | unknown | unknown |
| |
Linux_Trojan_Pornoasset_927f314f | unknown | unknown |
| |
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
- • AV Detection
- • Bitcoin Miner
- • Networking
- • System Summary
- • Data Obfuscation
- • Persistence and Installation Behavior
- • Hooking and other Techniques for Hiding and Protection
- • Malware Analysis System Evasion
Click to jump to signature section
AV Detection |
---|
Source: | Avira: |
Source: | ReversingLabs: |
Source: | Joe Sandbox ML: |
Bitcoin Miner |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | Modprobe: | Jump to behavior |
Source: | TCP traffic: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | MSR open for writing: | Jump to behavior | ||
Source: | MSR open for writing: | Jump to behavior |
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior |
Source: | Reads CPU info from proc file: | Jump to behavior |
Source: | Network traffic detected: | ||
Source: | Network traffic detected: |
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
System Summary |
---|
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Program segment: |
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Classification label: |
Data Obfuscation |
---|
Source: | String containing UPX found: | ||
Source: | String containing UPX found: | ||
Source: | String containing UPX found: |
Persistence and Installation Behavior |
---|
Source: | File: | Jump to behavior |
Source: | Reads from proc file: | Jump to behavior | ||
Source: | Reads from proc file: | Jump to behavior | ||
Source: | Reads from proc file: | Jump to behavior |
Source: | Shell command executed: | Jump to behavior |
Source: | Modprobe: | Jump to behavior |
Source: | Submission file: |
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior | ||
Source: | Reads CPU info from /sys: | Jump to behavior |
Source: | Queries kernel information via 'uname': | Jump to behavior | ||
Source: | Queries kernel information via 'uname': | Jump to behavior |
Source: | Reads CPU info from proc file: | Jump to behavior |
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact | Resource Development | Reconnaissance |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | 1 Scripting | 1 Kernel Modules and Extensions | 1 Kernel Modules and Extensions | 1 Scripting | OS Credential Dumping | 1 Security Software Discovery | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition | ||
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 11 Obfuscated Files or Information | LSASS Memory | 1 File and Directory Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 1 Application Layer Protocol | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout | ||
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | 23 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
71% | ReversingLabs | Linux.Trojan.Malxmr | ||
100% | Avira | LINUX/BitCoinMiner.knmjq | ||
100% | Joe Sandbox ML |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false |
| unknown | ||
false | high | |||
false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
185.156.179.225 | unknown | Russian Federation | 59504 | HostingvpsvilleruRU | true | |
109.202.202.202 | unknown | Switzerland | 13030 | INIT7CH | false | |
91.189.91.43 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false | |
91.189.91.42 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
185.156.179.225 | Get hash | malicious | Xmrig | Browse | ||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Xmrig | Browse | |||
Get hash | malicious | Xmrig | Browse | |||
Get hash | malicious | Xmrig | Browse | |||
Get hash | malicious | Xmrig | Browse | |||
109.202.202.202 | Get hash | malicious | Unknown | Browse | ||
Get hash | malicious | Mirai | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Kinsing | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Mirai | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Mirai | Browse | |||
Get hash | malicious | Mirai, Moobot | Browse | |||
Get hash | malicious | Mirai, Moobot | Browse | |||
Get hash | malicious | Mirai, Moobot | Browse | |||
Get hash | malicious | Kinsing Downloader | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Unknown | Browse | |||
91.189.91.43 | Get hash | malicious | Unknown | Browse | ||
Get hash | malicious | Mirai | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Kinsing | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Mirai | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Mirai | Browse | |||
Get hash | malicious | Mirai, Moobot | Browse | |||
Get hash | malicious | Mirai, Moobot | Browse | |||
Get hash | malicious | Mirai, Moobot | Browse | |||
Get hash | malicious | Kinsing Downloader | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Unknown | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
CANONICAL-ASGB | Get hash | malicious | Unknown | Browse |
| |
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Kinsing | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Mirai, Moobot | Browse |
| ||
Get hash | malicious | Mirai, Moobot | Browse |
| ||
Get hash | malicious | Mirai, Moobot | Browse |
| ||
Get hash | malicious | Mirai, Moobot | Browse |
| ||
Get hash | malicious | Mirai, Moobot | Browse |
| ||
Get hash | malicious | Mirai, Moobot | Browse |
| ||
Get hash | malicious | Kinsing Downloader | Browse |
| ||
HostingvpsvilleruRU | Get hash | malicious | Unknown | Browse |
| |
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | RedLine | Browse |
| ||
Get hash | malicious | RedLine | Browse |
| ||
Get hash | malicious | RedLine | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | SmokeLoader | Browse |
| ||
Get hash | malicious | Ursnif, SmokeLoader | Browse |
| ||
Get hash | malicious | CryptbotV2 | Browse |
| ||
Get hash | malicious | Xmrig | Browse |
| ||
Get hash | malicious | CryptbotV2 | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | RedLine | Browse |
| ||
Get hash | malicious | RedLine | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
INIT7CH | Get hash | malicious | Unknown | Browse |
| |
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Kinsing | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Mirai, Moobot | Browse |
| ||
Get hash | malicious | Mirai, Moobot | Browse |
| ||
Get hash | malicious | Mirai, Moobot | Browse |
| ||
Get hash | malicious | Kinsing Downloader | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
|
Process: | /tmp/kdevtmpfsi |
File Type: | |
Category: | dropped |
Size (bytes): | 4 |
Entropy (8bit): | 1.5 |
Encrypted: | false |
SSDEEP: | 3:MRV:Mz |
MD5: | 537D9B6C927223C796CAC288CCED29DF |
SHA1: | EA10E810F96FCA6858E37FDA9832ACE147EED87C |
SHA-256: | 0D21AE129A64E1D19E4A94DFCA3A67C777E17374E9D4CA2F74B65647A88119EA |
SHA-512: | 6D4B04576201F789368F251EA231F5D2C0AE4CF17E95851D3AE10A1825724502732289F830E06247465F0284D4E33A9A120F6D730E62483515556DC1FD9CD120 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
File type: | |
Entropy (8bit): | 7.908267509543498 |
TrID: |
|
File name: | kdevtmpfsi |
File size: | 2'084'964 bytes |
MD5: | c82bb3c68f7a033b407aa3f53827b7fd |
SHA1: | 6296e8ed40e430480791bf7b4fcdafde5f834837 |
SHA256: | 6fc94d8aecc538b1d099a429fb68ac20d7b6ae8b3c7795ae72dd2b7107690b8f |
SHA512: | 0412482bf1eaaf0c1fd795dd1253f3466db46f1d528297f4d9455dd59117097b4f53583405d77dd7bcc9ffc123cf65d5470f23e6075cbb61b01709f324347df5 |
SSDEEP: | 49152:j03YLQvH4kOUho7iw0ml1nLOkqjUg9m9m:jX+YTbKS9m |
TLSH: | 5FA533EAC11176B2E507CF22EE6765A21C45962FA514CCFEF31AA9FF05320CA1E18D71 |
File Content Preview: | .ELF..............>.....H._.....@...................@.8...@.......................@.......@.....\.......\......... ....................................................... .....F...UPX!........p8P.p8P..................ELF.......>....U@../..@/.0PE&8......l` |
ELF header | |
---|---|
Class: | |
Data: | |
Version: | |
Machine: | |
Version Number: | |
Type: | |
OS/ABI: | |
ABI Version: | 0 |
Entry Point Address: | |
Flags: | |
ELF Header Size: | 64 |
Program Header Offset: | 64 |
Program Header Size: | 56 |
Number of Program Headers: | 2 |
Section Header Offset: | 0 |
Section Header Size: | 64 |
Number of Section Headers: | 0 |
Header String Table Index: | 0 |
Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings |
---|---|---|---|---|---|---|---|---|---|---|---|
LOAD | 0x0 | 0x400000 | 0x400000 | 0x1fcd5c | 0x1fcd5c | 7.9083 | 0x5 | R E | 0x200000 | ||
LOAD | 0x1b1680 | 0xbb1680 | 0xbb1680 | 0x0 | 0x0 | 0.0000 | 0x6 | RW | 0x200000 |
Download Network PCAP: filtered – full
- Total Packets: 36
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Nov 7, 2023 22:53:05.496236086 CET | 57756 | 80 | 192.168.2.23 | 185.156.179.225 |
Nov 7, 2023 22:53:05.841350079 CET | 80 | 57756 | 185.156.179.225 | 192.168.2.23 |
Nov 7, 2023 22:53:05.841535091 CET | 57756 | 80 | 192.168.2.23 | 185.156.179.225 |
Nov 7, 2023 22:53:05.846263885 CET | 57756 | 80 | 192.168.2.23 | 185.156.179.225 |
Nov 7, 2023 22:53:06.167023897 CET | 43928 | 443 | 192.168.2.23 | 91.189.91.42 |
Nov 7, 2023 22:53:06.188221931 CET | 80 | 57756 | 185.156.179.225 | 192.168.2.23 |
Nov 7, 2023 22:53:06.188249111 CET | 80 | 57756 | 185.156.179.225 | 192.168.2.23 |
Nov 7, 2023 22:53:06.188555002 CET | 57756 | 80 | 192.168.2.23 | 185.156.179.225 |
Nov 7, 2023 22:53:07.732362032 CET | 80 | 57756 | 185.156.179.225 | 192.168.2.23 |
Nov 7, 2023 22:53:07.732624054 CET | 57756 | 80 | 192.168.2.23 | 185.156.179.225 |
Nov 7, 2023 22:53:11.798347950 CET | 42836 | 443 | 192.168.2.23 | 91.189.91.43 |
Nov 7, 2023 22:53:13.334049940 CET | 42516 | 80 | 192.168.2.23 | 109.202.202.202 |
Nov 7, 2023 22:53:18.026143074 CET | 80 | 57756 | 185.156.179.225 | 192.168.2.23 |
Nov 7, 2023 22:53:18.026448011 CET | 57756 | 80 | 192.168.2.23 | 185.156.179.225 |
Nov 7, 2023 22:53:26.647522926 CET | 43928 | 443 | 192.168.2.23 | 91.189.91.42 |
Nov 7, 2023 22:53:28.317589045 CET | 80 | 57756 | 185.156.179.225 | 192.168.2.23 |
Nov 7, 2023 22:53:28.317801952 CET | 57756 | 80 | 192.168.2.23 | 185.156.179.225 |
Nov 7, 2023 22:53:38.575719118 CET | 80 | 57756 | 185.156.179.225 | 192.168.2.23 |
Nov 7, 2023 22:53:38.575993061 CET | 57756 | 80 | 192.168.2.23 | 185.156.179.225 |
Nov 7, 2023 22:53:38.930430889 CET | 42836 | 443 | 192.168.2.23 | 91.189.91.43 |
Nov 7, 2023 22:53:43.025840998 CET | 42516 | 80 | 192.168.2.23 | 109.202.202.202 |
Nov 7, 2023 22:53:48.852683067 CET | 80 | 57756 | 185.156.179.225 | 192.168.2.23 |
Nov 7, 2023 22:53:48.852916002 CET | 57756 | 80 | 192.168.2.23 | 185.156.179.225 |
Nov 7, 2023 22:53:57.701997995 CET | 80 | 57756 | 185.156.179.225 | 192.168.2.23 |
Nov 7, 2023 22:53:57.702151060 CET | 57756 | 80 | 192.168.2.23 | 185.156.179.225 |
Nov 7, 2023 22:53:59.151110888 CET | 80 | 57756 | 185.156.179.225 | 192.168.2.23 |
Nov 7, 2023 22:53:59.151318073 CET | 57756 | 80 | 192.168.2.23 | 185.156.179.225 |
Nov 7, 2023 22:54:07.598318100 CET | 43928 | 443 | 192.168.2.23 | 91.189.91.42 |
Nov 7, 2023 22:54:09.221987963 CET | 80 | 57756 | 185.156.179.225 | 192.168.2.23 |
Nov 7, 2023 22:54:09.222153902 CET | 57756 | 80 | 192.168.2.23 | 185.156.179.225 |
Nov 7, 2023 22:54:19.211205006 CET | 80 | 57756 | 185.156.179.225 | 192.168.2.23 |
Nov 7, 2023 22:54:19.211364985 CET | 57756 | 80 | 192.168.2.23 | 185.156.179.225 |
Nov 7, 2023 22:54:29.254852057 CET | 80 | 57756 | 185.156.179.225 | 192.168.2.23 |
Nov 7, 2023 22:54:29.255011082 CET | 57756 | 80 | 192.168.2.23 | 185.156.179.225 |
Nov 7, 2023 22:54:39.309081078 CET | 80 | 57756 | 185.156.179.225 | 192.168.2.23 |
Nov 7, 2023 22:54:39.309238911 CET | 57756 | 80 | 192.168.2.23 | 185.156.179.225 |
Nov 7, 2023 22:54:49.360008955 CET | 80 | 57756 | 185.156.179.225 | 192.168.2.23 |
Nov 7, 2023 22:54:49.360145092 CET | 57756 | 80 | 192.168.2.23 | 185.156.179.225 |
Nov 7, 2023 22:54:57.785370111 CET | 80 | 57756 | 185.156.179.225 | 192.168.2.23 |
Nov 7, 2023 22:54:57.785522938 CET | 57756 | 80 | 192.168.2.23 | 185.156.179.225 |
Nov 7, 2023 22:54:59.459109068 CET | 80 | 57756 | 185.156.179.225 | 192.168.2.23 |
Nov 7, 2023 22:54:59.459250927 CET | 57756 | 80 | 192.168.2.23 | 185.156.179.225 |
Nov 7, 2023 22:55:04.547291994 CET | 80 | 57756 | 185.156.179.225 | 192.168.2.23 |
Nov 7, 2023 22:55:04.547524929 CET | 57756 | 80 | 192.168.2.23 | 185.156.179.225 |
Nov 7, 2023 22:55:09.750680923 CET | 80 | 57756 | 185.156.179.225 | 192.168.2.23 |
Nov 7, 2023 22:55:09.750832081 CET | 57756 | 80 | 192.168.2.23 | 185.156.179.225 |
Nov 7, 2023 22:55:19.745145082 CET | 80 | 57756 | 185.156.179.225 | 192.168.2.23 |
Nov 7, 2023 22:55:19.745289087 CET | 57756 | 80 | 192.168.2.23 | 185.156.179.225 |
Nov 7, 2023 22:55:29.860502005 CET | 80 | 57756 | 185.156.179.225 | 192.168.2.23 |
Nov 7, 2023 22:55:29.860667944 CET | 57756 | 80 | 192.168.2.23 | 185.156.179.225 |
Nov 7, 2023 22:55:40.039525986 CET | 80 | 57756 | 185.156.179.225 | 192.168.2.23 |
Nov 7, 2023 22:55:40.039669037 CET | 57756 | 80 | 192.168.2.23 | 185.156.179.225 |
Nov 7, 2023 22:55:50.129267931 CET | 80 | 57756 | 185.156.179.225 | 192.168.2.23 |
Nov 7, 2023 22:55:50.129383087 CET | 57756 | 80 | 192.168.2.23 | 185.156.179.225 |
Nov 7, 2023 22:55:57.910867929 CET | 80 | 57756 | 185.156.179.225 | 192.168.2.23 |
Nov 7, 2023 22:55:57.911072016 CET | 57756 | 80 | 192.168.2.23 | 185.156.179.225 |
Nov 7, 2023 22:56:00.496972084 CET | 80 | 57756 | 185.156.179.225 | 192.168.2.23 |
Nov 7, 2023 22:56:00.497196913 CET | 57756 | 80 | 192.168.2.23 | 185.156.179.225 |
Nov 7, 2023 22:56:10.796866894 CET | 80 | 57756 | 185.156.179.225 | 192.168.2.23 |
Nov 7, 2023 22:56:10.797106028 CET | 57756 | 80 | 192.168.2.23 | 185.156.179.225 |
Nov 7, 2023 22:56:21.067985058 CET | 80 | 57756 | 185.156.179.225 | 192.168.2.23 |
Nov 7, 2023 22:56:21.068105936 CET | 57756 | 80 | 192.168.2.23 | 185.156.179.225 |
Nov 7, 2023 22:56:31.157403946 CET | 80 | 57756 | 185.156.179.225 | 192.168.2.23 |
Nov 7, 2023 22:56:31.157572031 CET | 57756 | 80 | 192.168.2.23 | 185.156.179.225 |
Session ID | Source IP | Source Port | Destination IP | Destination Port |
---|---|---|---|---|
0 | 192.168.2.23 | 57756 | 185.156.179.225 | 80 |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Nov 7, 2023 22:53:05.846263885 CET | 0 | OUT | |
Nov 7, 2023 22:53:06.188249111 CET | 1 | IN | |
Nov 7, 2023 22:53:07.732362032 CET | 1 | IN | |
Nov 7, 2023 22:53:18.026143074 CET | 2 | IN | |
Nov 7, 2023 22:53:28.317589045 CET | 3 | IN | |
Nov 7, 2023 22:53:38.575719118 CET | 3 | IN | |
Nov 7, 2023 22:53:48.852683067 CET | 4 | IN | |
Nov 7, 2023 22:53:57.701997995 CET | 4 | IN | |
Nov 7, 2023 22:53:59.151110888 CET | 5 | IN | |
Nov 7, 2023 22:54:09.221987963 CET | 5 | IN | |
Nov 7, 2023 22:54:19.211205006 CET | 6 | IN |
System Behavior
Start time (UTC): | 21:53:04 |
Start date (UTC): | 07/11/2023 |
Path: | /tmp/kdevtmpfsi |
Arguments: | /tmp/kdevtmpfsi |
File size: | 2084964 bytes |
MD5 hash: | c82bb3c68f7a033b407aa3f53827b7fd |
Start time (UTC): | 21:53:04 |
Start date (UTC): | 07/11/2023 |
Path: | /tmp/kdevtmpfsi |
Arguments: | - |
File size: | 2084964 bytes |
MD5 hash: | c82bb3c68f7a033b407aa3f53827b7fd |
Start time (UTC): | 21:53:05 |
Start date (UTC): | 07/11/2023 |
Path: | /tmp/kdevtmpfsi |
Arguments: | - |
File size: | 2084964 bytes |
MD5 hash: | c82bb3c68f7a033b407aa3f53827b7fd |
Start time (UTC): | 21:53:05 |
Start date (UTC): | 07/11/2023 |
Path: | /bin/sh |
Arguments: | sh -c "/sbin/modprobe msr allow_writes=on > /dev/null 2>&1" |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 21:53:05 |
Start date (UTC): | 07/11/2023 |
Path: | /bin/sh |
Arguments: | - |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 21:53:05 |
Start date (UTC): | 07/11/2023 |
Path: | /sbin/modprobe |
Arguments: | /sbin/modprobe msr allow_writes=on |
File size: | 174424 bytes |
MD5 hash: | 0b44462b1a40df8039d6d61cfff7ea84 |