Linux Analysis Report
aarch64.elf

Overview

General Information

Sample name:	aarch64.elf
Analysis ID:	1466764
MD5:	f1605ee67da4359d523697d61e380d69
SHA1:	a0238a3433fcdffbfd04dadb7c0fc6c103a9efb2
SHA256:	70638556617d43b14e017779db4468e547d880cbff50a52ff292fbfd6ef04972
Tags:	elf
Infos:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sample tries to persist itself using cron

Sample tries to set files in /etc globally writable

Writes identical ELF files to multiple locations

Creates hidden files and/or directories

Sample tries to set the executable flag

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Writes ELF files to disk

Yara signature match

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: aarch64.elf	ReversingLabs: Detection: 50%
Source: aarch64.elf	Virustotal: Detection: 51%			Perma Link

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43

Source: aarch64.elf, 6221.1.000055d716b7a000.000055d716be9000.rw-.sdmp	String found in binary or memory: http://cf0.pw/0/etc/cron.hourly/0
Source: aarch64.elf, 6221.1.000055d716b7a000.000055d716be9000.rw-.sdmp	String found in binary or memory: https://gnu.org/licenses/gpl.html
Source: aarch64.elf, 6221.1.000055d716b7a000.000055d716be9000.rw-.sdmp	String found in binary or memory: https://translationproject.org/team/
Source: aarch64.elf, 6221.1.000055d716b7a000.000055d716be9000.rw-.sdmp	String found in binary or memory: https://wiki.xiph.org/MIME_Types_and_File_Extensions
Source: aarch64.elf, 6221.1.000055d716b7a000.000055d716be9000.rw-.sdmp	String found in binary or memory: https://wiki.xiph.org/MIME_Types_and_File_Extensions.oga
Source: aarch64.elf, 6221.1.000055d716b7a000.000055d716be9000.rw-.sdmp	String found in binary or memory: https://wiki.xiph.org/MIME_Types_and_File_Extensions.ogv
Source: aarch64.elf, 6221.1.000055d716b7a000.000055d716be9000.rw-.sdmp	String found in binary or memory: https://www.gnu.org/gethelp/
Source: aarch64.elf, 6221.1.000055d716b7a000.000055d716be9000.rw-.sdmp	String found in binary or memory: https://www.gnu.org/software/coreutils/
Source: aarch64.elf, 6221.1.000055d716b7a000.000055d716be9000.rw-.sdmp	String found in binary or memory: https://www.gnu.org/software/coreutils/Report

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: aarch64.elf, type: SAMPLE	Matched rule: Linux_Trojan_Ladvix_db41f9d2 Author: unknown
Source: 6221.1.000055d71633d000.000055d71633f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Ladvix_db41f9d2 Author: unknown
Source: 6221.1.00007f179df71000.00007f179e1c9000.rw-.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Ladvix_db41f9d2 Author: unknown

Yara signature match

Source: aarch64.elf, type: SAMPLE	Matched rule: Linux_Trojan_Ladvix_db41f9d2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Ladvix, fingerprint = d0aaa680e81f44cc555bf7799d33fce66f172563788afb2ad0fb16d3e460e8c6, id = db41f9d2-aa5c-4d26-b8ba-cece44eddca8, last_modified = 2021-09-16
Source: 6221.1.000055d71633d000.000055d71633f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Ladvix_db41f9d2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Ladvix, fingerprint = d0aaa680e81f44cc555bf7799d33fce66f172563788afb2ad0fb16d3e460e8c6, id = db41f9d2-aa5c-4d26-b8ba-cece44eddca8, last_modified = 2021-09-16
Source: 6221.1.00007f179df71000.00007f179e1c9000.rw-.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Ladvix_db41f9d2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Ladvix, fingerprint = d0aaa680e81f44cc555bf7799d33fce66f172563788afb2ad0fb16d3e460e8c6, id = db41f9d2-aa5c-4d26-b8ba-cece44eddca8, last_modified = 2021-09-16

Source: classification engine

Classification label: mal68.troj.linELF@0/40@0/0

Persistence and Installation Behavior

Sample tries to persist itself using cron

Source: /tmp/aarch64.elf (PID: 6221)

File: /etc/cron.hourly/0

Jump to behavior

Sample tries to set files in /etc globally writable

Source: /tmp/aarch64.elf (PID: 6221)

File: /etc/cron.hourly/0 (bits: uv usr: rwx grp: rwx all: rwx)

Jump to behavior

Writes identical ELF files to multiple locations

Source: /tmp/fileRk9HVm (PID: 6393)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/fileAhzouC	Jump to dropped file
Source: /tmp/fileYj3Od9 (PID: 6430)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/file3unzfn	Jump to dropped file
Source: /tmp/filenxowZz (PID: 6224)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/filefeqQnR	Jump to dropped file
Source: /tmp/fileFyLkXt (PID: 6292)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/fileufE8BW	Jump to dropped file
Source: /tmp/fileHrjhlr (PID: 6361)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/filevQYMqb	Jump to dropped file
Source: /tmp/filehGga1T (PID: 6321)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/fileLKzJ69	Jump to dropped file
Source: /tmp/filezmeGW5 (PID: 6283)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/filesFsnIh	Jump to dropped file
Source: /tmp/fileL9uCJw (PID: 6408)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/fileVcsatJ	Jump to dropped file
Source: /tmp/filesnf6n9 (PID: 6382)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/fileS1TPeL	Jump to dropped file
Source: /tmp/fileufE8BW (PID: 6295)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/file4Fy7Jd	Jump to dropped file
Source: /tmp/fileyVgJK1 (PID: 6232)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/fileokK3kt	Jump to dropped file
Source: /tmp/fileVcsatJ (PID: 6413)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/filelQzal6	Jump to dropped file
Source: /tmp/fileutPfDq (PID: 6304)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/filecNf1cR	Jump to dropped file
Source: /tmp/fileyKcg50 (PID: 6405)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/fileL9uCJw	Jump to dropped file
Source: /tmp/file8SeDcK (PID: 6266)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/fileK3KBC0	Jump to dropped file
Source: /tmp/fileLKzJ69 (PID: 6351)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/fileHrjhlr	Jump to dropped file
Source: /tmp/fileH8WeMN (PID: 6427)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/fileYj3Od9	Jump to dropped file
Source: /tmp/filezpLQSZ (PID: 6390)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/fileRk9HVm	Jump to dropped file
Source: /tmp/file3unzfn (PID: 6436)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/fileyfZXVP	Jump to dropped file
Source: /tmp/file4Fy7Jd (PID: 6298)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/fileutPfDq	Jump to dropped file
Source: /tmp/filehLNBcR (PID: 6280)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/filezmeGW5	Jump to dropped file
Source: /tmp/fileokK3kt (PID: 6255)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/filebHGuS9	Jump to dropped file
Source: /tmp/filepy4g6w (PID: 6318)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/filehGga1T	Jump to dropped file
Source: /tmp/filesFsnIh (PID: 6286)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/fileFyLkXt	Jump to dropped file
Source: /tmp/filebHGuS9 (PID: 6260)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/filekiqVZx	Jump to dropped file
Source: /tmp/fileK3KBC0 (PID: 6274)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/filePSqv2D	Jump to dropped file
Source: /tmp/fileS1TPeL (PID: 6385)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/filezpLQSZ	Jump to dropped file
Source: /tmp/fileI3e44j (PID: 6422)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/fileH8WeMN	Jump to dropped file
Source: /tmp/filelQzal6 (PID: 6416)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/fileI3e44j	Jump to dropped file
Source: /tmp/filecNf1cR (PID: 6310)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/fileEJ1YHm	Jump to dropped file
Source: /tmp/fileAhzouC (PID: 6398)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/fileyKcg50	Jump to dropped file
Source: /tmp/fileEJ1YHm (PID: 6313)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/filepy4g6w	Jump to dropped file
Source: /tmp/filevQYMqb (PID: 6365)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/fileJh0LZs	Jump to dropped file
Source: /tmp/filePSqv2D (PID: 6277)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/filehLNBcR	Jump to dropped file
Source: /tmp/fileSv5sYL (PID: 6374)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/filesnf6n9	Jump to dropped file
Source: /tmp/filekiqVZx (PID: 6263)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/file8SeDcK	Jump to dropped file
Source: /tmp/filefeqQnR (PID: 6227)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/fileyVgJK1	Jump to dropped file
Source: /tmp/fileJh0LZs (PID: 6369)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/fileSv5sYL	Jump to dropped file

Creates hidden files and/or directories

Source: /tmp/aarch64.elf (PID: 6221)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/aarch64.elf (PID: 6221)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/aarch64.elf (PID: 6221)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/aarch64.elf (PID: 6221)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/aarch64.elf (PID: 6221)	Directory: /tmp/.	Jump to behavior
Source: /tmp/aarch64.elf (PID: 6221)	Directory: /tmp/..	Jump to behavior
Source: /tmp/aarch64.elf (PID: 6221)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/aarch64.elf (PID: 6221)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/filenxowZz (PID: 6224)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/filenxowZz (PID: 6224)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/filenxowZz (PID: 6224)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/filenxowZz (PID: 6224)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/filenxowZz (PID: 6224)	Directory: /tmp/.	Jump to behavior
Source: /tmp/filenxowZz (PID: 6224)	Directory: /tmp/..	Jump to behavior
Source: /tmp/filenxowZz (PID: 6224)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/filenxowZz (PID: 6224)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/filefeqQnR (PID: 6227)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/filefeqQnR (PID: 6227)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/filefeqQnR (PID: 6227)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/filefeqQnR (PID: 6227)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/filefeqQnR (PID: 6227)	Directory: /tmp/.	Jump to behavior
Source: /tmp/filefeqQnR (PID: 6227)	Directory: /tmp/..	Jump to behavior
Source: /tmp/filefeqQnR (PID: 6227)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/filefeqQnR (PID: 6227)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/fileyVgJK1 (PID: 6232)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/fileyVgJK1 (PID: 6232)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/fileyVgJK1 (PID: 6232)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/fileyVgJK1 (PID: 6232)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/fileyVgJK1 (PID: 6232)	Directory: /tmp/.	Jump to behavior
Source: /tmp/fileyVgJK1 (PID: 6232)	Directory: /tmp/..	Jump to behavior
Source: /tmp/fileyVgJK1 (PID: 6232)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/fileyVgJK1 (PID: 6232)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/fileokK3kt (PID: 6255)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/fileokK3kt (PID: 6255)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/fileokK3kt (PID: 6255)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/fileokK3kt (PID: 6255)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/fileokK3kt (PID: 6255)	Directory: /tmp/.	Jump to behavior
Source: /tmp/fileokK3kt (PID: 6255)	Directory: /tmp/..	Jump to behavior
Source: /tmp/fileokK3kt (PID: 6255)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/fileokK3kt (PID: 6255)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/filebHGuS9 (PID: 6260)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/filebHGuS9 (PID: 6260)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/filebHGuS9 (PID: 6260)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/filebHGuS9 (PID: 6260)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/filebHGuS9 (PID: 6260)	Directory: /tmp/.	Jump to behavior
Source: /tmp/filebHGuS9 (PID: 6260)	Directory: /tmp/..	Jump to behavior
Source: /tmp/filebHGuS9 (PID: 6260)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/filebHGuS9 (PID: 6260)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/filekiqVZx (PID: 6263)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/filekiqVZx (PID: 6263)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/filekiqVZx (PID: 6263)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/filekiqVZx (PID: 6263)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/filekiqVZx (PID: 6263)	Directory: /tmp/.	Jump to behavior
Source: /tmp/filekiqVZx (PID: 6263)	Directory: /tmp/..	Jump to behavior
Source: /tmp/filekiqVZx (PID: 6263)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/filekiqVZx (PID: 6263)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/file8SeDcK (PID: 6266)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/file8SeDcK (PID: 6266)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/file8SeDcK (PID: 6266)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/file8SeDcK (PID: 6266)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/file8SeDcK (PID: 6266)	Directory: /tmp/.	Jump to behavior
Source: /tmp/file8SeDcK (PID: 6266)	Directory: /tmp/..	Jump to behavior
Source: /tmp/file8SeDcK (PID: 6266)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/file8SeDcK (PID: 6266)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/fileK3KBC0 (PID: 6274)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/fileK3KBC0 (PID: 6274)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/fileK3KBC0 (PID: 6274)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/fileK3KBC0 (PID: 6274)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/fileK3KBC0 (PID: 6274)	Directory: /tmp/.	Jump to behavior
Source: /tmp/fileK3KBC0 (PID: 6274)	Directory: /tmp/..	Jump to behavior
Source: /tmp/fileK3KBC0 (PID: 6274)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/fileK3KBC0 (PID: 6274)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/filePSqv2D (PID: 6277)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/filePSqv2D (PID: 6277)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/filePSqv2D (PID: 6277)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/filePSqv2D (PID: 6277)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/filePSqv2D (PID: 6277)	Directory: /tmp/.	Jump to behavior
Source: /tmp/filePSqv2D (PID: 6277)	Directory: /tmp/..	Jump to behavior
Source: /tmp/filePSqv2D (PID: 6277)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/filePSqv2D (PID: 6277)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/filehLNBcR (PID: 6280)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/filehLNBcR (PID: 6280)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/filehLNBcR (PID: 6280)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/filehLNBcR (PID: 6280)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/filehLNBcR (PID: 6280)	Directory: /tmp/.	Jump to behavior
Source: /tmp/filehLNBcR (PID: 6280)	Directory: /tmp/..	Jump to behavior
Source: /tmp/filehLNBcR (PID: 6280)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/filehLNBcR (PID: 6280)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/filezmeGW5 (PID: 6283)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/filezmeGW5 (PID: 6283)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/filezmeGW5 (PID: 6283)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/filezmeGW5 (PID: 6283)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/filezmeGW5 (PID: 6283)	Directory: /tmp/.	Jump to behavior
Source: /tmp/filezmeGW5 (PID: 6283)	Directory: /tmp/..	Jump to behavior
Source: /tmp/filezmeGW5 (PID: 6283)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/filezmeGW5 (PID: 6283)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/filesFsnIh (PID: 6286)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/filesFsnIh (PID: 6286)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/filesFsnIh (PID: 6286)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/filesFsnIh (PID: 6286)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/filesFsnIh (PID: 6286)	Directory: /tmp/.	Jump to behavior
Source: /tmp/filesFsnIh (PID: 6286)	Directory: /tmp/..	Jump to behavior
Source: /tmp/filesFsnIh (PID: 6286)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/filesFsnIh (PID: 6286)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/fileFyLkXt (PID: 6292)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/fileFyLkXt (PID: 6292)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/fileFyLkXt (PID: 6292)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/fileFyLkXt (PID: 6292)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/fileFyLkXt (PID: 6292)	Directory: /tmp/.	Jump to behavior
Source: /tmp/fileFyLkXt (PID: 6292)	Directory: /tmp/..	Jump to behavior
Source: /tmp/fileFyLkXt (PID: 6292)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/fileFyLkXt (PID: 6292)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/fileufE8BW (PID: 6295)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/fileufE8BW (PID: 6295)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/fileufE8BW (PID: 6295)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/fileufE8BW (PID: 6295)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/fileufE8BW (PID: 6295)	Directory: /tmp/.	Jump to behavior
Source: /tmp/fileufE8BW (PID: 6295)	Directory: /tmp/..	Jump to behavior
Source: /tmp/fileufE8BW (PID: 6295)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/fileufE8BW (PID: 6295)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/file4Fy7Jd (PID: 6298)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/file4Fy7Jd (PID: 6298)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/file4Fy7Jd (PID: 6298)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/file4Fy7Jd (PID: 6298)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/file4Fy7Jd (PID: 6298)	Directory: /tmp/.	Jump to behavior
Source: /tmp/file4Fy7Jd (PID: 6298)	Directory: /tmp/..	Jump to behavior
Source: /tmp/file4Fy7Jd (PID: 6298)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/file4Fy7Jd (PID: 6298)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/fileutPfDq (PID: 6304)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/fileutPfDq (PID: 6304)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/fileutPfDq (PID: 6304)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/fileutPfDq (PID: 6304)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/fileutPfDq (PID: 6304)	Directory: /tmp/.	Jump to behavior
Source: /tmp/fileutPfDq (PID: 6304)	Directory: /tmp/..	Jump to behavior
Source: /tmp/fileutPfDq (PID: 6304)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/fileutPfDq (PID: 6304)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/filecNf1cR (PID: 6310)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/filecNf1cR (PID: 6310)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/filecNf1cR (PID: 6310)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/filecNf1cR (PID: 6310)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/filecNf1cR (PID: 6310)	Directory: /tmp/.	Jump to behavior
Source: /tmp/filecNf1cR (PID: 6310)	Directory: /tmp/..	Jump to behavior
Source: /tmp/filecNf1cR (PID: 6310)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/filecNf1cR (PID: 6310)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/fileEJ1YHm (PID: 6313)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/fileEJ1YHm (PID: 6313)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/fileEJ1YHm (PID: 6313)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/fileEJ1YHm (PID: 6313)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/fileEJ1YHm (PID: 6313)	Directory: /tmp/.	Jump to behavior
Source: /tmp/fileEJ1YHm (PID: 6313)	Directory: /tmp/..	Jump to behavior
Source: /tmp/fileEJ1YHm (PID: 6313)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/fileEJ1YHm (PID: 6313)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/filepy4g6w (PID: 6318)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/filepy4g6w (PID: 6318)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/filepy4g6w (PID: 6318)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/filepy4g6w (PID: 6318)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/filepy4g6w (PID: 6318)	Directory: /tmp/.	Jump to behavior
Source: /tmp/filepy4g6w (PID: 6318)	Directory: /tmp/..	Jump to behavior
Source: /tmp/filepy4g6w (PID: 6318)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/filepy4g6w (PID: 6318)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/filehGga1T (PID: 6321)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/filehGga1T (PID: 6321)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/filehGga1T (PID: 6321)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/filehGga1T (PID: 6321)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/filehGga1T (PID: 6321)	Directory: /tmp/.	Jump to behavior
Source: /tmp/filehGga1T (PID: 6321)	Directory: /tmp/..	Jump to behavior
Source: /tmp/filehGga1T (PID: 6321)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/filehGga1T (PID: 6321)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/fileLKzJ69 (PID: 6351)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/fileLKzJ69 (PID: 6351)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/fileLKzJ69 (PID: 6351)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/fileLKzJ69 (PID: 6351)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/fileLKzJ69 (PID: 6351)	Directory: /tmp/.	Jump to behavior
Source: /tmp/fileLKzJ69 (PID: 6351)	Directory: /tmp/..	Jump to behavior
Source: /tmp/fileLKzJ69 (PID: 6351)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/fileLKzJ69 (PID: 6351)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/fileHrjhlr (PID: 6361)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/fileHrjhlr (PID: 6361)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/fileHrjhlr (PID: 6361)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/fileHrjhlr (PID: 6361)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/fileHrjhlr (PID: 6361)	Directory: /tmp/.	Jump to behavior
Source: /tmp/fileHrjhlr (PID: 6361)	Directory: /tmp/..	Jump to behavior
Source: /tmp/fileHrjhlr (PID: 6361)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/fileHrjhlr (PID: 6361)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/filevQYMqb (PID: 6365)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/filevQYMqb (PID: 6365)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/filevQYMqb (PID: 6365)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/filevQYMqb (PID: 6365)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/filevQYMqb (PID: 6365)	Directory: /tmp/.	Jump to behavior
Source: /tmp/filevQYMqb (PID: 6365)	Directory: /tmp/..	Jump to behavior
Source: /tmp/filevQYMqb (PID: 6365)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/filevQYMqb (PID: 6365)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/fileJh0LZs (PID: 6369)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/fileJh0LZs (PID: 6369)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/fileJh0LZs (PID: 6369)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/fileJh0LZs (PID: 6369)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/fileJh0LZs (PID: 6369)	Directory: /tmp/.	Jump to behavior
Source: /tmp/fileJh0LZs (PID: 6369)	Directory: /tmp/..	Jump to behavior
Source: /tmp/fileJh0LZs (PID: 6369)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/fileJh0LZs (PID: 6369)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/fileSv5sYL (PID: 6374)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/fileSv5sYL (PID: 6374)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/fileSv5sYL (PID: 6374)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/fileSv5sYL (PID: 6374)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/fileSv5sYL (PID: 6374)	Directory: /tmp/.	Jump to behavior
Source: /tmp/fileSv5sYL (PID: 6374)	Directory: /tmp/..	Jump to behavior
Source: /tmp/fileSv5sYL (PID: 6374)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/fileSv5sYL (PID: 6374)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/filesnf6n9 (PID: 6382)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/filesnf6n9 (PID: 6382)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/filesnf6n9 (PID: 6382)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/filesnf6n9 (PID: 6382)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/filesnf6n9 (PID: 6382)	Directory: /tmp/.	Jump to behavior
Source: /tmp/filesnf6n9 (PID: 6382)	Directory: /tmp/..	Jump to behavior
Source: /tmp/filesnf6n9 (PID: 6382)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/filesnf6n9 (PID: 6382)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/fileS1TPeL (PID: 6385)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/fileS1TPeL (PID: 6385)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/fileS1TPeL (PID: 6385)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/fileS1TPeL (PID: 6385)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/fileS1TPeL (PID: 6385)	Directory: /tmp/.	Jump to behavior
Source: /tmp/fileS1TPeL (PID: 6385)	Directory: /tmp/..	Jump to behavior
Source: /tmp/fileS1TPeL (PID: 6385)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/fileS1TPeL (PID: 6385)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/filezpLQSZ (PID: 6390)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/filezpLQSZ (PID: 6390)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/filezpLQSZ (PID: 6390)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/filezpLQSZ (PID: 6390)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/filezpLQSZ (PID: 6390)	Directory: /tmp/.	Jump to behavior
Source: /tmp/filezpLQSZ (PID: 6390)	Directory: /tmp/..	Jump to behavior
Source: /tmp/filezpLQSZ (PID: 6390)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/filezpLQSZ (PID: 6390)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/fileRk9HVm (PID: 6393)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/fileRk9HVm (PID: 6393)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/fileRk9HVm (PID: 6393)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/fileRk9HVm (PID: 6393)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/fileRk9HVm (PID: 6393)	Directory: /tmp/.	Jump to behavior
Source: /tmp/fileRk9HVm (PID: 6393)	Directory: /tmp/..	Jump to behavior
Source: /tmp/fileRk9HVm (PID: 6393)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/fileRk9HVm (PID: 6393)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/fileAhzouC (PID: 6398)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/fileAhzouC (PID: 6398)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/fileAhzouC (PID: 6398)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/fileAhzouC (PID: 6398)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/fileAhzouC (PID: 6398)	Directory: /tmp/.	Jump to behavior
Source: /tmp/fileAhzouC (PID: 6398)	Directory: /tmp/..	Jump to behavior
Source: /tmp/fileAhzouC (PID: 6398)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/fileAhzouC (PID: 6398)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/fileyKcg50 (PID: 6405)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/fileyKcg50 (PID: 6405)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/fileyKcg50 (PID: 6405)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/fileyKcg50 (PID: 6405)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/fileyKcg50 (PID: 6405)	Directory: /tmp/.	Jump to behavior
Source: /tmp/fileyKcg50 (PID: 6405)	Directory: /tmp/..	Jump to behavior
Source: /tmp/fileyKcg50 (PID: 6405)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/fileyKcg50 (PID: 6405)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/fileL9uCJw (PID: 6408)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/fileL9uCJw (PID: 6408)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/fileL9uCJw (PID: 6408)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/fileL9uCJw (PID: 6408)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/fileL9uCJw (PID: 6408)	Directory: /tmp/.	Jump to behavior
Source: /tmp/fileL9uCJw (PID: 6408)	Directory: /tmp/..	Jump to behavior
Source: /tmp/fileL9uCJw (PID: 6408)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/fileL9uCJw (PID: 6408)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/fileVcsatJ (PID: 6413)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/fileVcsatJ (PID: 6413)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/fileVcsatJ (PID: 6413)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/fileVcsatJ (PID: 6413)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/fileVcsatJ (PID: 6413)	Directory: /tmp/.	Jump to behavior
Source: /tmp/fileVcsatJ (PID: 6413)	Directory: /tmp/..	Jump to behavior
Source: /tmp/fileVcsatJ (PID: 6413)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/fileVcsatJ (PID: 6413)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/filelQzal6 (PID: 6416)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/filelQzal6 (PID: 6416)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/filelQzal6 (PID: 6416)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/filelQzal6 (PID: 6416)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/filelQzal6 (PID: 6416)	Directory: /tmp/.	Jump to behavior
Source: /tmp/filelQzal6 (PID: 6416)	Directory: /tmp/..	Jump to behavior
Source: /tmp/filelQzal6 (PID: 6416)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/filelQzal6 (PID: 6416)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/fileI3e44j (PID: 6422)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/fileI3e44j (PID: 6422)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/fileI3e44j (PID: 6422)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/fileI3e44j (PID: 6422)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/fileI3e44j (PID: 6422)	Directory: /tmp/.	Jump to behavior
Source: /tmp/fileI3e44j (PID: 6422)	Directory: /tmp/..	Jump to behavior
Source: /tmp/fileI3e44j (PID: 6422)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/fileI3e44j (PID: 6422)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/fileH8WeMN (PID: 6427)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/fileH8WeMN (PID: 6427)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/fileH8WeMN (PID: 6427)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/fileH8WeMN (PID: 6427)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/fileH8WeMN (PID: 6427)	Directory: /tmp/.	Jump to behavior
Source: /tmp/fileH8WeMN (PID: 6427)	Directory: /tmp/..	Jump to behavior
Source: /tmp/fileH8WeMN (PID: 6427)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/fileH8WeMN (PID: 6427)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/fileYj3Od9 (PID: 6430)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/fileYj3Od9 (PID: 6430)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/fileYj3Od9 (PID: 6430)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/fileYj3Od9 (PID: 6430)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/fileYj3Od9 (PID: 6430)	Directory: /tmp/.	Jump to behavior
Source: /tmp/fileYj3Od9 (PID: 6430)	Directory: /tmp/..	Jump to behavior
Source: /tmp/fileYj3Od9 (PID: 6430)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/fileYj3Od9 (PID: 6430)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/file3unzfn (PID: 6436)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/file3unzfn (PID: 6436)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/file3unzfn (PID: 6436)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/file3unzfn (PID: 6436)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/file3unzfn (PID: 6436)	Directory: /tmp/.	Jump to behavior
Source: /tmp/file3unzfn (PID: 6436)	Directory: /tmp/..	Jump to behavior
Source: /tmp/file3unzfn (PID: 6436)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/file3unzfn (PID: 6436)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior

Sample tries to set the executable flag

Source: /tmp/aarch64.elf (PID: 6221)	File: /etc/cron.hourly/0 (bits: uv usr: rwx grp: rwx all: rwx)			Jump to behavior
Source: /tmp/aarch64.elf (PID: 6221)	File: <invalid fd (-1)> (bits: uv usr: rwx grp: rwx all: rwx)			Jump to behavior

Writes ELF files to disk

Source: /tmp/aarch64.elf (PID: 6221)	File written: /tmp/filenxowZz	Jump to dropped file
Source: /tmp/filenxowZz (PID: 6224)	File written: /tmp/filefeqQnR	Jump to dropped file
Source: /tmp/filefeqQnR (PID: 6227)	File written: /tmp/fileyVgJK1	Jump to dropped file
Source: /tmp/fileyVgJK1 (PID: 6232)	File written: /tmp/fileokK3kt	Jump to dropped file
Source: /tmp/fileokK3kt (PID: 6255)	File written: /tmp/filebHGuS9	Jump to dropped file
Source: /tmp/filebHGuS9 (PID: 6260)	File written: /tmp/filekiqVZx	Jump to dropped file
Source: /tmp/filekiqVZx (PID: 6263)	File written: /tmp/file8SeDcK	Jump to dropped file
Source: /tmp/file8SeDcK (PID: 6266)	File written: /tmp/fileK3KBC0	Jump to dropped file
Source: /tmp/fileK3KBC0 (PID: 6274)	File written: /tmp/filePSqv2D	Jump to dropped file
Source: /tmp/filePSqv2D (PID: 6277)	File written: /tmp/filehLNBcR	Jump to dropped file
Source: /tmp/filehLNBcR (PID: 6280)	File written: /tmp/filezmeGW5	Jump to dropped file
Source: /tmp/filezmeGW5 (PID: 6283)	File written: /tmp/filesFsnIh	Jump to dropped file
Source: /tmp/filesFsnIh (PID: 6286)	File written: /tmp/fileFyLkXt	Jump to dropped file
Source: /tmp/fileFyLkXt (PID: 6292)	File written: /tmp/fileufE8BW	Jump to dropped file
Source: /tmp/fileufE8BW (PID: 6295)	File written: /tmp/file4Fy7Jd	Jump to dropped file
Source: /tmp/file4Fy7Jd (PID: 6298)	File written: /tmp/fileutPfDq	Jump to dropped file
Source: /tmp/fileutPfDq (PID: 6304)	File written: /tmp/filecNf1cR	Jump to dropped file
Source: /tmp/filecNf1cR (PID: 6310)	File written: /tmp/fileEJ1YHm	Jump to dropped file
Source: /tmp/fileEJ1YHm (PID: 6313)	File written: /tmp/filepy4g6w	Jump to dropped file
Source: /tmp/filepy4g6w (PID: 6318)	File written: /tmp/filehGga1T	Jump to dropped file
Source: /tmp/filehGga1T (PID: 6321)	File written: /tmp/fileLKzJ69	Jump to dropped file
Source: /tmp/fileLKzJ69 (PID: 6351)	File written: /tmp/fileHrjhlr	Jump to dropped file
Source: /tmp/fileHrjhlr (PID: 6361)	File written: /tmp/filevQYMqb	Jump to dropped file
Source: /tmp/filevQYMqb (PID: 6365)	File written: /tmp/fileJh0LZs	Jump to dropped file
Source: /tmp/fileJh0LZs (PID: 6369)	File written: /tmp/fileSv5sYL	Jump to dropped file
Source: /tmp/fileSv5sYL (PID: 6374)	File written: /tmp/filesnf6n9	Jump to dropped file
Source: /tmp/filesnf6n9 (PID: 6382)	File written: /tmp/fileS1TPeL	Jump to dropped file
Source: /tmp/fileS1TPeL (PID: 6385)	File written: /tmp/filezpLQSZ	Jump to dropped file
Source: /tmp/filezpLQSZ (PID: 6390)	File written: /tmp/fileRk9HVm	Jump to dropped file
Source: /tmp/fileRk9HVm (PID: 6393)	File written: /tmp/fileAhzouC	Jump to dropped file
Source: /tmp/fileAhzouC (PID: 6398)	File written: /tmp/fileyKcg50	Jump to dropped file
Source: /tmp/fileyKcg50 (PID: 6405)	File written: /tmp/fileL9uCJw	Jump to dropped file
Source: /tmp/fileL9uCJw (PID: 6408)	File written: /tmp/fileVcsatJ	Jump to dropped file
Source: /tmp/fileVcsatJ (PID: 6413)	File written: /tmp/filelQzal6	Jump to dropped file
Source: /tmp/filelQzal6 (PID: 6416)	File written: /tmp/fileI3e44j	Jump to dropped file
Source: /tmp/fileI3e44j (PID: 6422)	File written: /tmp/fileH8WeMN	Jump to dropped file
Source: /tmp/fileH8WeMN (PID: 6427)	File written: /tmp/fileYj3Od9	Jump to dropped file
Source: /tmp/fileYj3Od9 (PID: 6430)	File written: /tmp/file3unzfn	Jump to dropped file
Source: /tmp/file3unzfn (PID: 6436)	File written: /tmp/fileyfZXVP	Jump to dropped file
Source: /tmp/fileyfZXVP (PID: 6439)	File written: /tmp/filewURL35	Jump to dropped file

Source: aarch64.elf, 6221.1.000055d716b7a000.000055d716be9000.rw-.sdmp	Binary or memory string: vmware-root_721-4290559889?G
Source: aarch64.elf, 6221.1.000055d716b7a000.000055d716be9000.rw-.sdmp	Binary or memory string: vmware-root_721-4290559889

Screenshots

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Name	Type	MD5	SHA1	SHA256
/tmp/file3unzfn	ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880	0301FDAB44F0164C09462E965B241808	60C9797192E5EB6B41636B4A5E9F0B15483F8D7D	D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC
/tmp/file4Fy7Jd	ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880	0301FDAB44F0164C09462E965B241808	60C9797192E5EB6B41636B4A5E9F0B15483F8D7D	D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC
/tmp/file8SeDcK	ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880	0301FDAB44F0164C09462E965B241808	60C9797192E5EB6B41636B4A5E9F0B15483F8D7D	D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC
/tmp/fileAhzouC	ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880	0301FDAB44F0164C09462E965B241808	60C9797192E5EB6B41636B4A5E9F0B15483F8D7D	D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC
/tmp/fileEJ1YHm	ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880	0301FDAB44F0164C09462E965B241808	60C9797192E5EB6B41636B4A5E9F0B15483F8D7D	D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC
/tmp/fileFyLkXt	ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880	0301FDAB44F0164C09462E965B241808	60C9797192E5EB6B41636B4A5E9F0B15483F8D7D	D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC
/tmp/fileH8WeMN	ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880	0301FDAB44F0164C09462E965B241808	60C9797192E5EB6B41636B4A5E9F0B15483F8D7D	D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC
/tmp/fileHrjhlr	ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880	0301FDAB44F0164C09462E965B241808	60C9797192E5EB6B41636B4A5E9F0B15483F8D7D	D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC
/tmp/fileI3e44j	ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880	0301FDAB44F0164C09462E965B241808	60C9797192E5EB6B41636B4A5E9F0B15483F8D7D	D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC
/tmp/fileJh0LZs	ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880	0301FDAB44F0164C09462E965B241808	60C9797192E5EB6B41636B4A5E9F0B15483F8D7D	D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC
/tmp/fileK3KBC0	ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880	0301FDAB44F0164C09462E965B241808	60C9797192E5EB6B41636B4A5E9F0B15483F8D7D	D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC
/tmp/fileL9uCJw	ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880	0301FDAB44F0164C09462E965B241808	60C9797192E5EB6B41636B4A5E9F0B15483F8D7D	D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC
/tmp/fileLKzJ69	ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880	0301FDAB44F0164C09462E965B241808	60C9797192E5EB6B41636B4A5E9F0B15483F8D7D	D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC
/tmp/filePSqv2D	ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880	0301FDAB44F0164C09462E965B241808	60C9797192E5EB6B41636B4A5E9F0B15483F8D7D	D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC
/tmp/fileRk9HVm	ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880	0301FDAB44F0164C09462E965B241808	60C9797192E5EB6B41636B4A5E9F0B15483F8D7D	D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC
/tmp/fileS1TPeL	ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880	0301FDAB44F0164C09462E965B241808	60C9797192E5EB6B41636B4A5E9F0B15483F8D7D	D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC
/tmp/fileSv5sYL	ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880	0301FDAB44F0164C09462E965B241808	60C9797192E5EB6B41636B4A5E9F0B15483F8D7D	D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC
/tmp/fileVcsatJ	ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880	0301FDAB44F0164C09462E965B241808	60C9797192E5EB6B41636B4A5E9F0B15483F8D7D	D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC
/tmp/fileYj3Od9	ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880	0301FDAB44F0164C09462E965B241808	60C9797192E5EB6B41636B4A5E9F0B15483F8D7D	D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC
/tmp/filebHGuS9	ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880	0301FDAB44F0164C09462E965B241808	60C9797192E5EB6B41636B4A5E9F0B15483F8D7D	D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC
/tmp/filecNf1cR	ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880	0301FDAB44F0164C09462E965B241808	60C9797192E5EB6B41636B4A5E9F0B15483F8D7D	D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC
/tmp/filefeqQnR	ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880	0301FDAB44F0164C09462E965B241808	60C9797192E5EB6B41636B4A5E9F0B15483F8D7D	D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC
/tmp/filehGga1T	ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880	0301FDAB44F0164C09462E965B241808	60C9797192E5EB6B41636B4A5E9F0B15483F8D7D	D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC
/tmp/filehLNBcR	ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880	0301FDAB44F0164C09462E965B241808	60C9797192E5EB6B41636B4A5E9F0B15483F8D7D	D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC
/tmp/filekiqVZx	ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880	0301FDAB44F0164C09462E965B241808	60C9797192E5EB6B41636B4A5E9F0B15483F8D7D	D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC
/tmp/filelQzal6	ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880	0301FDAB44F0164C09462E965B241808	60C9797192E5EB6B41636B4A5E9F0B15483F8D7D	D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC
/tmp/filenxowZz	ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880	6FEAF8AA1D5BD270CAA56B7E62DB4116	7472444D10C5FE48E60FA6835FE1921F548C429D	BF62860194307145490EEE76A852A44AE1FBEF763906811BB1ECE6EA54BC2EA0
/tmp/fileokK3kt	ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880	0301FDAB44F0164C09462E965B241808	60C9797192E5EB6B41636B4A5E9F0B15483F8D7D	D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC
/tmp/filepy4g6w	ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880	0301FDAB44F0164C09462E965B241808	60C9797192E5EB6B41636B4A5E9F0B15483F8D7D	D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC
/tmp/filesFsnIh	ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880	0301FDAB44F0164C09462E965B241808	60C9797192E5EB6B41636B4A5E9F0B15483F8D7D	D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC
/tmp/filesnf6n9	ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880	0301FDAB44F0164C09462E965B241808	60C9797192E5EB6B41636B4A5E9F0B15483F8D7D	D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC
/tmp/fileufE8BW	ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880	0301FDAB44F0164C09462E965B241808	60C9797192E5EB6B41636B4A5E9F0B15483F8D7D	D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC
/tmp/fileutPfDq	ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880	0301FDAB44F0164C09462E965B241808	60C9797192E5EB6B41636B4A5E9F0B15483F8D7D	D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC
/tmp/filevQYMqb	ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880	0301FDAB44F0164C09462E965B241808	60C9797192E5EB6B41636B4A5E9F0B15483F8D7D	D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC
/tmp/filewURL35	ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880	D0AC19C627ED95E9328759FF6AE19CC8	110DC86D0ACEDEEEF3A43E91B4618A7065858E16	6B8E2B6EFBF69EF5FFA7A1CCDBA37999FD5247907E6FDF65B475BD8340C7D099
/tmp/fileyKcg50	ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880	0301FDAB44F0164C09462E965B241808	60C9797192E5EB6B41636B4A5E9F0B15483F8D7D	D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC
/tmp/fileyVgJK1	ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880	0301FDAB44F0164C09462E965B241808	60C9797192E5EB6B41636B4A5E9F0B15483F8D7D	D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC
/tmp/fileyfZXVP	ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880	0301FDAB44F0164C09462E965B241808	60C9797192E5EB6B41636B4A5E9F0B15483F8D7D	D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC
/tmp/filezmeGW5	ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880	0301FDAB44F0164C09462E965B241808	60C9797192E5EB6B41636B4A5E9F0B15483F8D7D	D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC
/tmp/filezpLQSZ	ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, too large section header offset 5242880	0301FDAB44F0164C09462E965B241808	60C9797192E5EB6B41636B4A5E9F0B15483F8D7D	D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC

AV Detection

Multi AV Scanner detection for submitted file

Source: aarch64.elf	ReversingLabs: Detection: 50%
Source: aarch64.elf	Virustotal: Detection: 51%			Perma Link

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43

Source: aarch64.elf, 6221.1.000055d716b7a000.000055d716be9000.rw-.sdmp	String found in binary or memory: http://cf0.pw/0/etc/cron.hourly/0
Source: aarch64.elf, 6221.1.000055d716b7a000.000055d716be9000.rw-.sdmp	String found in binary or memory: https://gnu.org/licenses/gpl.html
Source: aarch64.elf, 6221.1.000055d716b7a000.000055d716be9000.rw-.sdmp	String found in binary or memory: https://translationproject.org/team/
Source: aarch64.elf, 6221.1.000055d716b7a000.000055d716be9000.rw-.sdmp	String found in binary or memory: https://wiki.xiph.org/MIME_Types_and_File_Extensions
Source: aarch64.elf, 6221.1.000055d716b7a000.000055d716be9000.rw-.sdmp	String found in binary or memory: https://wiki.xiph.org/MIME_Types_and_File_Extensions.oga
Source: aarch64.elf, 6221.1.000055d716b7a000.000055d716be9000.rw-.sdmp	String found in binary or memory: https://wiki.xiph.org/MIME_Types_and_File_Extensions.ogv
Source: aarch64.elf, 6221.1.000055d716b7a000.000055d716be9000.rw-.sdmp	String found in binary or memory: https://www.gnu.org/gethelp/
Source: aarch64.elf, 6221.1.000055d716b7a000.000055d716be9000.rw-.sdmp	String found in binary or memory: https://www.gnu.org/software/coreutils/
Source: aarch64.elf, 6221.1.000055d716b7a000.000055d716be9000.rw-.sdmp	String found in binary or memory: https://www.gnu.org/software/coreutils/Report

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: aarch64.elf, type: SAMPLE	Matched rule: Linux_Trojan_Ladvix_db41f9d2 Author: unknown
Source: 6221.1.000055d71633d000.000055d71633f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Ladvix_db41f9d2 Author: unknown
Source: 6221.1.00007f179df71000.00007f179e1c9000.rw-.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Ladvix_db41f9d2 Author: unknown

Yara signature match

Source: aarch64.elf, type: SAMPLE	Matched rule: Linux_Trojan_Ladvix_db41f9d2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Ladvix, fingerprint = d0aaa680e81f44cc555bf7799d33fce66f172563788afb2ad0fb16d3e460e8c6, id = db41f9d2-aa5c-4d26-b8ba-cece44eddca8, last_modified = 2021-09-16
Source: 6221.1.000055d71633d000.000055d71633f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Ladvix_db41f9d2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Ladvix, fingerprint = d0aaa680e81f44cc555bf7799d33fce66f172563788afb2ad0fb16d3e460e8c6, id = db41f9d2-aa5c-4d26-b8ba-cece44eddca8, last_modified = 2021-09-16
Source: 6221.1.00007f179df71000.00007f179e1c9000.rw-.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Ladvix_db41f9d2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Ladvix, fingerprint = d0aaa680e81f44cc555bf7799d33fce66f172563788afb2ad0fb16d3e460e8c6, id = db41f9d2-aa5c-4d26-b8ba-cece44eddca8, last_modified = 2021-09-16

Source: classification engine

Classification label: mal68.troj.linELF@0/40@0/0

Persistence and Installation Behavior

Sample tries to persist itself using cron

Source: /tmp/aarch64.elf (PID: 6221)

File: /etc/cron.hourly/0

Jump to behavior

Sample tries to set files in /etc globally writable

Source: /tmp/aarch64.elf (PID: 6221)

File: /etc/cron.hourly/0 (bits: uv usr: rwx grp: rwx all: rwx)

Jump to behavior

Writes identical ELF files to multiple locations

Source: /tmp/fileRk9HVm (PID: 6393)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/fileAhzouC	Jump to dropped file
Source: /tmp/fileYj3Od9 (PID: 6430)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/file3unzfn	Jump to dropped file
Source: /tmp/filenxowZz (PID: 6224)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/filefeqQnR	Jump to dropped file
Source: /tmp/fileFyLkXt (PID: 6292)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/fileufE8BW	Jump to dropped file
Source: /tmp/fileHrjhlr (PID: 6361)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/filevQYMqb	Jump to dropped file
Source: /tmp/filehGga1T (PID: 6321)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/fileLKzJ69	Jump to dropped file
Source: /tmp/filezmeGW5 (PID: 6283)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/filesFsnIh	Jump to dropped file
Source: /tmp/fileL9uCJw (PID: 6408)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/fileVcsatJ	Jump to dropped file
Source: /tmp/filesnf6n9 (PID: 6382)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/fileS1TPeL	Jump to dropped file
Source: /tmp/fileufE8BW (PID: 6295)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/file4Fy7Jd	Jump to dropped file
Source: /tmp/fileyVgJK1 (PID: 6232)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/fileokK3kt	Jump to dropped file
Source: /tmp/fileVcsatJ (PID: 6413)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/filelQzal6	Jump to dropped file
Source: /tmp/fileutPfDq (PID: 6304)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/filecNf1cR	Jump to dropped file
Source: /tmp/fileyKcg50 (PID: 6405)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/fileL9uCJw	Jump to dropped file
Source: /tmp/file8SeDcK (PID: 6266)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/fileK3KBC0	Jump to dropped file
Source: /tmp/fileLKzJ69 (PID: 6351)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/fileHrjhlr	Jump to dropped file
Source: /tmp/fileH8WeMN (PID: 6427)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/fileYj3Od9	Jump to dropped file
Source: /tmp/filezpLQSZ (PID: 6390)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/fileRk9HVm	Jump to dropped file
Source: /tmp/file3unzfn (PID: 6436)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/fileyfZXVP	Jump to dropped file
Source: /tmp/file4Fy7Jd (PID: 6298)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/fileutPfDq	Jump to dropped file
Source: /tmp/filehLNBcR (PID: 6280)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/filezmeGW5	Jump to dropped file
Source: /tmp/fileokK3kt (PID: 6255)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/filebHGuS9	Jump to dropped file
Source: /tmp/filepy4g6w (PID: 6318)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/filehGga1T	Jump to dropped file
Source: /tmp/filesFsnIh (PID: 6286)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/fileFyLkXt	Jump to dropped file
Source: /tmp/filebHGuS9 (PID: 6260)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/filekiqVZx	Jump to dropped file
Source: /tmp/fileK3KBC0 (PID: 6274)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/filePSqv2D	Jump to dropped file
Source: /tmp/fileS1TPeL (PID: 6385)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/filezpLQSZ	Jump to dropped file
Source: /tmp/fileI3e44j (PID: 6422)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/fileH8WeMN	Jump to dropped file
Source: /tmp/filelQzal6 (PID: 6416)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/fileI3e44j	Jump to dropped file
Source: /tmp/filecNf1cR (PID: 6310)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/fileEJ1YHm	Jump to dropped file
Source: /tmp/fileAhzouC (PID: 6398)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/fileyKcg50	Jump to dropped file
Source: /tmp/fileEJ1YHm (PID: 6313)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/filepy4g6w	Jump to dropped file
Source: /tmp/filevQYMqb (PID: 6365)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/fileJh0LZs	Jump to dropped file
Source: /tmp/filePSqv2D (PID: 6277)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/filehLNBcR	Jump to dropped file
Source: /tmp/fileSv5sYL (PID: 6374)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/filesnf6n9	Jump to dropped file
Source: /tmp/filekiqVZx (PID: 6263)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/file8SeDcK	Jump to dropped file
Source: /tmp/filefeqQnR (PID: 6227)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/fileyVgJK1	Jump to dropped file
Source: /tmp/fileJh0LZs (PID: 6369)	File with SHA-256 D8B7A9E4524E1310DEF7D8A26BC53848C62C2058C93BAD08A1B2F6BB254686FC written: /tmp/fileSv5sYL	Jump to dropped file

Creates hidden files and/or directories

Source: /tmp/aarch64.elf (PID: 6221)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/aarch64.elf (PID: 6221)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/aarch64.elf (PID: 6221)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/aarch64.elf (PID: 6221)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/aarch64.elf (PID: 6221)	Directory: /tmp/.	Jump to behavior
Source: /tmp/aarch64.elf (PID: 6221)	Directory: /tmp/..	Jump to behavior
Source: /tmp/aarch64.elf (PID: 6221)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/aarch64.elf (PID: 6221)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/filenxowZz (PID: 6224)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/filenxowZz (PID: 6224)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/filenxowZz (PID: 6224)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/filenxowZz (PID: 6224)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/filenxowZz (PID: 6224)	Directory: /tmp/.	Jump to behavior
Source: /tmp/filenxowZz (PID: 6224)	Directory: /tmp/..	Jump to behavior
Source: /tmp/filenxowZz (PID: 6224)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/filenxowZz (PID: 6224)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/filefeqQnR (PID: 6227)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/filefeqQnR (PID: 6227)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/filefeqQnR (PID: 6227)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/filefeqQnR (PID: 6227)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/filefeqQnR (PID: 6227)	Directory: /tmp/.	Jump to behavior
Source: /tmp/filefeqQnR (PID: 6227)	Directory: /tmp/..	Jump to behavior
Source: /tmp/filefeqQnR (PID: 6227)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/filefeqQnR (PID: 6227)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/fileyVgJK1 (PID: 6232)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/fileyVgJK1 (PID: 6232)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/fileyVgJK1 (PID: 6232)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/fileyVgJK1 (PID: 6232)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/fileyVgJK1 (PID: 6232)	Directory: /tmp/.	Jump to behavior
Source: /tmp/fileyVgJK1 (PID: 6232)	Directory: /tmp/..	Jump to behavior
Source: /tmp/fileyVgJK1 (PID: 6232)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/fileyVgJK1 (PID: 6232)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/fileokK3kt (PID: 6255)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/fileokK3kt (PID: 6255)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/fileokK3kt (PID: 6255)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/fileokK3kt (PID: 6255)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/fileokK3kt (PID: 6255)	Directory: /tmp/.	Jump to behavior
Source: /tmp/fileokK3kt (PID: 6255)	Directory: /tmp/..	Jump to behavior
Source: /tmp/fileokK3kt (PID: 6255)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/fileokK3kt (PID: 6255)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/filebHGuS9 (PID: 6260)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/filebHGuS9 (PID: 6260)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/filebHGuS9 (PID: 6260)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/filebHGuS9 (PID: 6260)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/filebHGuS9 (PID: 6260)	Directory: /tmp/.	Jump to behavior
Source: /tmp/filebHGuS9 (PID: 6260)	Directory: /tmp/..	Jump to behavior
Source: /tmp/filebHGuS9 (PID: 6260)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/filebHGuS9 (PID: 6260)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/filekiqVZx (PID: 6263)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/filekiqVZx (PID: 6263)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/filekiqVZx (PID: 6263)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/filekiqVZx (PID: 6263)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/filekiqVZx (PID: 6263)	Directory: /tmp/.	Jump to behavior
Source: /tmp/filekiqVZx (PID: 6263)	Directory: /tmp/..	Jump to behavior
Source: /tmp/filekiqVZx (PID: 6263)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/filekiqVZx (PID: 6263)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/file8SeDcK (PID: 6266)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/file8SeDcK (PID: 6266)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/file8SeDcK (PID: 6266)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/file8SeDcK (PID: 6266)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/file8SeDcK (PID: 6266)	Directory: /tmp/.	Jump to behavior
Source: /tmp/file8SeDcK (PID: 6266)	Directory: /tmp/..	Jump to behavior
Source: /tmp/file8SeDcK (PID: 6266)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/file8SeDcK (PID: 6266)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/fileK3KBC0 (PID: 6274)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/fileK3KBC0 (PID: 6274)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/fileK3KBC0 (PID: 6274)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/fileK3KBC0 (PID: 6274)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/fileK3KBC0 (PID: 6274)	Directory: /tmp/.	Jump to behavior
Source: /tmp/fileK3KBC0 (PID: 6274)	Directory: /tmp/..	Jump to behavior
Source: /tmp/fileK3KBC0 (PID: 6274)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/fileK3KBC0 (PID: 6274)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/filePSqv2D (PID: 6277)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/filePSqv2D (PID: 6277)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/filePSqv2D (PID: 6277)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/filePSqv2D (PID: 6277)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/filePSqv2D (PID: 6277)	Directory: /tmp/.	Jump to behavior
Source: /tmp/filePSqv2D (PID: 6277)	Directory: /tmp/..	Jump to behavior
Source: /tmp/filePSqv2D (PID: 6277)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/filePSqv2D (PID: 6277)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/filehLNBcR (PID: 6280)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/filehLNBcR (PID: 6280)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/filehLNBcR (PID: 6280)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/filehLNBcR (PID: 6280)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/filehLNBcR (PID: 6280)	Directory: /tmp/.	Jump to behavior
Source: /tmp/filehLNBcR (PID: 6280)	Directory: /tmp/..	Jump to behavior
Source: /tmp/filehLNBcR (PID: 6280)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/filehLNBcR (PID: 6280)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/filezmeGW5 (PID: 6283)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/filezmeGW5 (PID: 6283)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/filezmeGW5 (PID: 6283)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/filezmeGW5 (PID: 6283)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/filezmeGW5 (PID: 6283)	Directory: /tmp/.	Jump to behavior
Source: /tmp/filezmeGW5 (PID: 6283)	Directory: /tmp/..	Jump to behavior
Source: /tmp/filezmeGW5 (PID: 6283)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/filezmeGW5 (PID: 6283)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/filesFsnIh (PID: 6286)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/filesFsnIh (PID: 6286)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/filesFsnIh (PID: 6286)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/filesFsnIh (PID: 6286)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/filesFsnIh (PID: 6286)	Directory: /tmp/.	Jump to behavior
Source: /tmp/filesFsnIh (PID: 6286)	Directory: /tmp/..	Jump to behavior
Source: /tmp/filesFsnIh (PID: 6286)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/filesFsnIh (PID: 6286)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/fileFyLkXt (PID: 6292)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/fileFyLkXt (PID: 6292)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/fileFyLkXt (PID: 6292)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/fileFyLkXt (PID: 6292)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/fileFyLkXt (PID: 6292)	Directory: /tmp/.	Jump to behavior
Source: /tmp/fileFyLkXt (PID: 6292)	Directory: /tmp/..	Jump to behavior
Source: /tmp/fileFyLkXt (PID: 6292)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/fileFyLkXt (PID: 6292)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/fileufE8BW (PID: 6295)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/fileufE8BW (PID: 6295)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/fileufE8BW (PID: 6295)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/fileufE8BW (PID: 6295)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/fileufE8BW (PID: 6295)	Directory: /tmp/.	Jump to behavior
Source: /tmp/fileufE8BW (PID: 6295)	Directory: /tmp/..	Jump to behavior
Source: /tmp/fileufE8BW (PID: 6295)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/fileufE8BW (PID: 6295)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/file4Fy7Jd (PID: 6298)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/file4Fy7Jd (PID: 6298)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/file4Fy7Jd (PID: 6298)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/file4Fy7Jd (PID: 6298)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/file4Fy7Jd (PID: 6298)	Directory: /tmp/.	Jump to behavior
Source: /tmp/file4Fy7Jd (PID: 6298)	Directory: /tmp/..	Jump to behavior
Source: /tmp/file4Fy7Jd (PID: 6298)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/file4Fy7Jd (PID: 6298)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/fileutPfDq (PID: 6304)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/fileutPfDq (PID: 6304)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/fileutPfDq (PID: 6304)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/fileutPfDq (PID: 6304)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/fileutPfDq (PID: 6304)	Directory: /tmp/.	Jump to behavior
Source: /tmp/fileutPfDq (PID: 6304)	Directory: /tmp/..	Jump to behavior
Source: /tmp/fileutPfDq (PID: 6304)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/fileutPfDq (PID: 6304)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/filecNf1cR (PID: 6310)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/filecNf1cR (PID: 6310)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/filecNf1cR (PID: 6310)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/filecNf1cR (PID: 6310)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/filecNf1cR (PID: 6310)	Directory: /tmp/.	Jump to behavior
Source: /tmp/filecNf1cR (PID: 6310)	Directory: /tmp/..	Jump to behavior
Source: /tmp/filecNf1cR (PID: 6310)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/filecNf1cR (PID: 6310)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/fileEJ1YHm (PID: 6313)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/fileEJ1YHm (PID: 6313)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/fileEJ1YHm (PID: 6313)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/fileEJ1YHm (PID: 6313)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/fileEJ1YHm (PID: 6313)	Directory: /tmp/.	Jump to behavior
Source: /tmp/fileEJ1YHm (PID: 6313)	Directory: /tmp/..	Jump to behavior
Source: /tmp/fileEJ1YHm (PID: 6313)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/fileEJ1YHm (PID: 6313)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/filepy4g6w (PID: 6318)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/filepy4g6w (PID: 6318)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/filepy4g6w (PID: 6318)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/filepy4g6w (PID: 6318)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/filepy4g6w (PID: 6318)	Directory: /tmp/.	Jump to behavior
Source: /tmp/filepy4g6w (PID: 6318)	Directory: /tmp/..	Jump to behavior
Source: /tmp/filepy4g6w (PID: 6318)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/filepy4g6w (PID: 6318)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/filehGga1T (PID: 6321)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/filehGga1T (PID: 6321)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/filehGga1T (PID: 6321)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/filehGga1T (PID: 6321)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/filehGga1T (PID: 6321)	Directory: /tmp/.	Jump to behavior
Source: /tmp/filehGga1T (PID: 6321)	Directory: /tmp/..	Jump to behavior
Source: /tmp/filehGga1T (PID: 6321)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/filehGga1T (PID: 6321)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/fileLKzJ69 (PID: 6351)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/fileLKzJ69 (PID: 6351)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/fileLKzJ69 (PID: 6351)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/fileLKzJ69 (PID: 6351)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/fileLKzJ69 (PID: 6351)	Directory: /tmp/.	Jump to behavior
Source: /tmp/fileLKzJ69 (PID: 6351)	Directory: /tmp/..	Jump to behavior
Source: /tmp/fileLKzJ69 (PID: 6351)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/fileLKzJ69 (PID: 6351)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/fileHrjhlr (PID: 6361)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/fileHrjhlr (PID: 6361)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/fileHrjhlr (PID: 6361)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/fileHrjhlr (PID: 6361)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/fileHrjhlr (PID: 6361)	Directory: /tmp/.	Jump to behavior
Source: /tmp/fileHrjhlr (PID: 6361)	Directory: /tmp/..	Jump to behavior
Source: /tmp/fileHrjhlr (PID: 6361)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/fileHrjhlr (PID: 6361)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/filevQYMqb (PID: 6365)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/filevQYMqb (PID: 6365)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/filevQYMqb (PID: 6365)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/filevQYMqb (PID: 6365)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/filevQYMqb (PID: 6365)	Directory: /tmp/.	Jump to behavior
Source: /tmp/filevQYMqb (PID: 6365)	Directory: /tmp/..	Jump to behavior
Source: /tmp/filevQYMqb (PID: 6365)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/filevQYMqb (PID: 6365)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/fileJh0LZs (PID: 6369)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/fileJh0LZs (PID: 6369)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/fileJh0LZs (PID: 6369)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/fileJh0LZs (PID: 6369)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/fileJh0LZs (PID: 6369)	Directory: /tmp/.	Jump to behavior
Source: /tmp/fileJh0LZs (PID: 6369)	Directory: /tmp/..	Jump to behavior
Source: /tmp/fileJh0LZs (PID: 6369)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/fileJh0LZs (PID: 6369)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/fileSv5sYL (PID: 6374)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/fileSv5sYL (PID: 6374)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/fileSv5sYL (PID: 6374)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/fileSv5sYL (PID: 6374)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/fileSv5sYL (PID: 6374)	Directory: /tmp/.	Jump to behavior
Source: /tmp/fileSv5sYL (PID: 6374)	Directory: /tmp/..	Jump to behavior
Source: /tmp/fileSv5sYL (PID: 6374)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/fileSv5sYL (PID: 6374)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/filesnf6n9 (PID: 6382)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/filesnf6n9 (PID: 6382)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/filesnf6n9 (PID: 6382)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/filesnf6n9 (PID: 6382)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/filesnf6n9 (PID: 6382)	Directory: /tmp/.	Jump to behavior
Source: /tmp/filesnf6n9 (PID: 6382)	Directory: /tmp/..	Jump to behavior
Source: /tmp/filesnf6n9 (PID: 6382)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/filesnf6n9 (PID: 6382)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/fileS1TPeL (PID: 6385)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/fileS1TPeL (PID: 6385)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/fileS1TPeL (PID: 6385)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/fileS1TPeL (PID: 6385)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/fileS1TPeL (PID: 6385)	Directory: /tmp/.	Jump to behavior
Source: /tmp/fileS1TPeL (PID: 6385)	Directory: /tmp/..	Jump to behavior
Source: /tmp/fileS1TPeL (PID: 6385)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/fileS1TPeL (PID: 6385)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/filezpLQSZ (PID: 6390)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/filezpLQSZ (PID: 6390)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/filezpLQSZ (PID: 6390)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/filezpLQSZ (PID: 6390)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/filezpLQSZ (PID: 6390)	Directory: /tmp/.	Jump to behavior
Source: /tmp/filezpLQSZ (PID: 6390)	Directory: /tmp/..	Jump to behavior
Source: /tmp/filezpLQSZ (PID: 6390)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/filezpLQSZ (PID: 6390)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/fileRk9HVm (PID: 6393)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/fileRk9HVm (PID: 6393)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/fileRk9HVm (PID: 6393)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/fileRk9HVm (PID: 6393)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/fileRk9HVm (PID: 6393)	Directory: /tmp/.	Jump to behavior
Source: /tmp/fileRk9HVm (PID: 6393)	Directory: /tmp/..	Jump to behavior
Source: /tmp/fileRk9HVm (PID: 6393)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/fileRk9HVm (PID: 6393)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/fileAhzouC (PID: 6398)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/fileAhzouC (PID: 6398)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/fileAhzouC (PID: 6398)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/fileAhzouC (PID: 6398)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/fileAhzouC (PID: 6398)	Directory: /tmp/.	Jump to behavior
Source: /tmp/fileAhzouC (PID: 6398)	Directory: /tmp/..	Jump to behavior
Source: /tmp/fileAhzouC (PID: 6398)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/fileAhzouC (PID: 6398)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/fileyKcg50 (PID: 6405)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/fileyKcg50 (PID: 6405)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/fileyKcg50 (PID: 6405)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/fileyKcg50 (PID: 6405)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/fileyKcg50 (PID: 6405)	Directory: /tmp/.	Jump to behavior
Source: /tmp/fileyKcg50 (PID: 6405)	Directory: /tmp/..	Jump to behavior
Source: /tmp/fileyKcg50 (PID: 6405)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/fileyKcg50 (PID: 6405)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/fileL9uCJw (PID: 6408)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/fileL9uCJw (PID: 6408)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/fileL9uCJw (PID: 6408)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/fileL9uCJw (PID: 6408)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/fileL9uCJw (PID: 6408)	Directory: /tmp/.	Jump to behavior
Source: /tmp/fileL9uCJw (PID: 6408)	Directory: /tmp/..	Jump to behavior
Source: /tmp/fileL9uCJw (PID: 6408)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/fileL9uCJw (PID: 6408)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/fileVcsatJ (PID: 6413)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/fileVcsatJ (PID: 6413)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/fileVcsatJ (PID: 6413)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/fileVcsatJ (PID: 6413)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/fileVcsatJ (PID: 6413)	Directory: /tmp/.	Jump to behavior
Source: /tmp/fileVcsatJ (PID: 6413)	Directory: /tmp/..	Jump to behavior
Source: /tmp/fileVcsatJ (PID: 6413)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/fileVcsatJ (PID: 6413)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/filelQzal6 (PID: 6416)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/filelQzal6 (PID: 6416)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/filelQzal6 (PID: 6416)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/filelQzal6 (PID: 6416)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/filelQzal6 (PID: 6416)	Directory: /tmp/.	Jump to behavior
Source: /tmp/filelQzal6 (PID: 6416)	Directory: /tmp/..	Jump to behavior
Source: /tmp/filelQzal6 (PID: 6416)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/filelQzal6 (PID: 6416)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/fileI3e44j (PID: 6422)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/fileI3e44j (PID: 6422)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/fileI3e44j (PID: 6422)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/fileI3e44j (PID: 6422)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/fileI3e44j (PID: 6422)	Directory: /tmp/.	Jump to behavior
Source: /tmp/fileI3e44j (PID: 6422)	Directory: /tmp/..	Jump to behavior
Source: /tmp/fileI3e44j (PID: 6422)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/fileI3e44j (PID: 6422)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/fileH8WeMN (PID: 6427)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/fileH8WeMN (PID: 6427)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/fileH8WeMN (PID: 6427)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/fileH8WeMN (PID: 6427)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/fileH8WeMN (PID: 6427)	Directory: /tmp/.	Jump to behavior
Source: /tmp/fileH8WeMN (PID: 6427)	Directory: /tmp/..	Jump to behavior
Source: /tmp/fileH8WeMN (PID: 6427)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/fileH8WeMN (PID: 6427)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/fileYj3Od9 (PID: 6430)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/fileYj3Od9 (PID: 6430)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/fileYj3Od9 (PID: 6430)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/fileYj3Od9 (PID: 6430)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/fileYj3Od9 (PID: 6430)	Directory: /tmp/.	Jump to behavior
Source: /tmp/fileYj3Od9 (PID: 6430)	Directory: /tmp/..	Jump to behavior
Source: /tmp/fileYj3Od9 (PID: 6430)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/fileYj3Od9 (PID: 6430)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior
Source: /tmp/file3unzfn (PID: 6436)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/file3unzfn (PID: 6436)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/file3unzfn (PID: 6436)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/file3unzfn (PID: 6436)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/file3unzfn (PID: 6436)	Directory: /tmp/.	Jump to behavior
Source: /tmp/file3unzfn (PID: 6436)	Directory: /tmp/..	Jump to behavior
Source: /tmp/file3unzfn (PID: 6436)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/file3unzfn (PID: 6436)	Directory: /tmp/.xfsm-ICE-S33I80	Jump to behavior

Sample tries to set the executable flag

Source: /tmp/aarch64.elf (PID: 6221)	File: /etc/cron.hourly/0 (bits: uv usr: rwx grp: rwx all: rwx)			Jump to behavior
Source: /tmp/aarch64.elf (PID: 6221)	File: <invalid fd (-1)> (bits: uv usr: rwx grp: rwx all: rwx)			Jump to behavior

Writes ELF files to disk

Source: /tmp/aarch64.elf (PID: 6221)	File written: /tmp/filenxowZz	Jump to dropped file
Source: /tmp/filenxowZz (PID: 6224)	File written: /tmp/filefeqQnR	Jump to dropped file
Source: /tmp/filefeqQnR (PID: 6227)	File written: /tmp/fileyVgJK1	Jump to dropped file
Source: /tmp/fileyVgJK1 (PID: 6232)	File written: /tmp/fileokK3kt	Jump to dropped file
Source: /tmp/fileokK3kt (PID: 6255)	File written: /tmp/filebHGuS9	Jump to dropped file
Source: /tmp/filebHGuS9 (PID: 6260)	File written: /tmp/filekiqVZx	Jump to dropped file
Source: /tmp/filekiqVZx (PID: 6263)	File written: /tmp/file8SeDcK	Jump to dropped file
Source: /tmp/file8SeDcK (PID: 6266)	File written: /tmp/fileK3KBC0	Jump to dropped file
Source: /tmp/fileK3KBC0 (PID: 6274)	File written: /tmp/filePSqv2D	Jump to dropped file
Source: /tmp/filePSqv2D (PID: 6277)	File written: /tmp/filehLNBcR	Jump to dropped file
Source: /tmp/filehLNBcR (PID: 6280)	File written: /tmp/filezmeGW5	Jump to dropped file
Source: /tmp/filezmeGW5 (PID: 6283)	File written: /tmp/filesFsnIh	Jump to dropped file
Source: /tmp/filesFsnIh (PID: 6286)	File written: /tmp/fileFyLkXt	Jump to dropped file
Source: /tmp/fileFyLkXt (PID: 6292)	File written: /tmp/fileufE8BW	Jump to dropped file
Source: /tmp/fileufE8BW (PID: 6295)	File written: /tmp/file4Fy7Jd	Jump to dropped file
Source: /tmp/file4Fy7Jd (PID: 6298)	File written: /tmp/fileutPfDq	Jump to dropped file
Source: /tmp/fileutPfDq (PID: 6304)	File written: /tmp/filecNf1cR	Jump to dropped file
Source: /tmp/filecNf1cR (PID: 6310)	File written: /tmp/fileEJ1YHm	Jump to dropped file
Source: /tmp/fileEJ1YHm (PID: 6313)	File written: /tmp/filepy4g6w	Jump to dropped file
Source: /tmp/filepy4g6w (PID: 6318)	File written: /tmp/filehGga1T	Jump to dropped file
Source: /tmp/filehGga1T (PID: 6321)	File written: /tmp/fileLKzJ69	Jump to dropped file
Source: /tmp/fileLKzJ69 (PID: 6351)	File written: /tmp/fileHrjhlr	Jump to dropped file
Source: /tmp/fileHrjhlr (PID: 6361)	File written: /tmp/filevQYMqb	Jump to dropped file
Source: /tmp/filevQYMqb (PID: 6365)	File written: /tmp/fileJh0LZs	Jump to dropped file
Source: /tmp/fileJh0LZs (PID: 6369)	File written: /tmp/fileSv5sYL	Jump to dropped file
Source: /tmp/fileSv5sYL (PID: 6374)	File written: /tmp/filesnf6n9	Jump to dropped file
Source: /tmp/filesnf6n9 (PID: 6382)	File written: /tmp/fileS1TPeL	Jump to dropped file
Source: /tmp/fileS1TPeL (PID: 6385)	File written: /tmp/filezpLQSZ	Jump to dropped file
Source: /tmp/filezpLQSZ (PID: 6390)	File written: /tmp/fileRk9HVm	Jump to dropped file
Source: /tmp/fileRk9HVm (PID: 6393)	File written: /tmp/fileAhzouC	Jump to dropped file
Source: /tmp/fileAhzouC (PID: 6398)	File written: /tmp/fileyKcg50	Jump to dropped file
Source: /tmp/fileyKcg50 (PID: 6405)	File written: /tmp/fileL9uCJw	Jump to dropped file
Source: /tmp/fileL9uCJw (PID: 6408)	File written: /tmp/fileVcsatJ	Jump to dropped file
Source: /tmp/fileVcsatJ (PID: 6413)	File written: /tmp/filelQzal6	Jump to dropped file
Source: /tmp/filelQzal6 (PID: 6416)	File written: /tmp/fileI3e44j	Jump to dropped file
Source: /tmp/fileI3e44j (PID: 6422)	File written: /tmp/fileH8WeMN	Jump to dropped file
Source: /tmp/fileH8WeMN (PID: 6427)	File written: /tmp/fileYj3Od9	Jump to dropped file
Source: /tmp/fileYj3Od9 (PID: 6430)	File written: /tmp/file3unzfn	Jump to dropped file
Source: /tmp/file3unzfn (PID: 6436)	File written: /tmp/fileyfZXVP	Jump to dropped file
Source: /tmp/fileyfZXVP (PID: 6439)	File written: /tmp/filewURL35	Jump to dropped file

Source: aarch64.elf, 6221.1.000055d716b7a000.000055d716be9000.rw-.sdmp	Binary or memory string: vmware-root_721-4290559889?G
Source: aarch64.elf, 6221.1.000055d716b7a000.000055d716be9000.rw-.sdmp	Binary or memory string: vmware-root_721-4290559889

ID:	1466764
Product:	CloudBasic
Start time:	11:16:06
Start date:	03.07.2024
Sample:	aarch64.elf
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Architecture:	LINUX
MD5:	f1605ee67da4359d523697d61e380d69
SHA1:	a0238a3433fcdffbfd04dadb7c0fc6c103a9efb2
SHA256:	70638556617d43b14e017779db4468e547d880cbff50a52ff292fbfd6ef04972
Filetype:	ELF Executable and Linkable format (Linux) (4029/14) 49.77%

Linux Analysis Report
aarch64.elf

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Screenshots

Network Map

Contacted Public IPs

Linux Analysis Report aarch64.elf

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Screenshots

Network Map

Contacted Public IPs

Linux Analysis Report
aarch64.elf