Edit tour

Linux Analysis Report
na.elf

Overview

General Information

Sample name:	na.elf
Analysis ID:	1528730
MD5:	14e20246c5525fe85472eb6fb023d498
SHA1:	f0cec71e503802f4eaf89c391c81a26784be257f
SHA256:	14608e020d2968f0c7beec6939c1955ead78024f201aac430f994f1998f030ff
Tags:	elfuser-abuse_ch
Infos:

Detection

Mirai

Score:	84
Range:	0 - 100
Whitelisted:	false

Signatures

Detected Mirai

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Machine Learning detection for sample

Reads system files that contain records of logged in users

Sample tries to kill multiple processes (SIGKILL)

Creates hidden files and/or directories

Detected TCP or UDP traffic on non-standard ports

Executes commands using a shell command-line interpreter

Executes the "grep" command used to find patterns in files or piped streams

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Sample has stripped symbol table

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Sample tries to set the executable flag

Uses the "uname" system call to query kernel version information (possible evasion)

Yara signature match

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528730
Start date and time:	2024-10-08 10:02:02 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	na.elf
Detection:	MAL
Classification:	mal84.spre.troj.linELF@0/12@3/0

Warnings

Connection to analysis system has been lost, crash info: Unknown

Process Tree

system is lnxubuntu20

na.elf (PID: 5489, Parent: 5416, MD5: 14e20246c5525fe85472eb6fb023d498) Arguments: /tmp/na.elf

na.elf New Fork (PID: 5490, Parent: 5489)

na.elf New Fork (PID: 5491, Parent: 5489)

udisksd New Fork (PID: 5500, Parent: 803)

dumpe2fs (PID: 5500, Parent: 803, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

udisksd New Fork (PID: 5552, Parent: 803)

dumpe2fs (PID: 5552, Parent: 803, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

systemd New Fork (PID: 5560, Parent: 1)

upowerd (PID: 5560, Parent: 1, MD5: 1253eea2fe5fe4017069664284e326cd) Arguments: /usr/lib/upower/upowerd

gnome-session-binary New Fork (PID: 5569, Parent: 1383)

sh (PID: 5569, Parent: 1383, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-wacom

gsd-wacom (PID: 5569, Parent: 1383, MD5: 13778dd1a23a4e94ddc17ac9caa4fcc1) Arguments: /usr/libexec/gsd-wacom

udisksd New Fork (PID: 5571, Parent: 803)

dumpe2fs (PID: 5571, Parent: 803, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

xfce4-panel New Fork (PID: 5585, Parent: 3172)

wrapper-2.0 (PID: 5585, Parent: 3172, MD5: ac0b8a906f359a8ae102244738682e76) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libsystray.so 6 12582920 systray "Notification Area" "Area where notification icons appear"

gnome-session-binary New Fork (PID: 5591, Parent: 1383)

sh (PID: 5591, Parent: 1383, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-print-notifications

gsd-print-notifications (PID: 5591, Parent: 1383, MD5: 71539698aa691718cee775d6b9450ae2) Arguments: /usr/libexec/gsd-print-notifications

gsd-print-notifications New Fork (PID: 5808, Parent: 5591)

gsd-print-notifications New Fork (PID: 5809, Parent: 5808)

gsd-printer (PID: 5809, Parent: 1, MD5: 7995828cf98c315fd55f2ffb3b22384d) Arguments: /usr/libexec/gsd-printer

gnome-session-binary New Fork (PID: 5600, Parent: 1383)

sh (PID: 5600, Parent: 1383, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-screensaver-proxy

gsd-screensaver-proxy (PID: 5600, Parent: 1383, MD5: 77e309450c87dceee43f1a9e50cc0d02) Arguments: /usr/libexec/gsd-screensaver-proxy

xfce4-panel New Fork (PID: 5604, Parent: 3172)

wrapper-2.0 (PID: 5604, Parent: 3172, MD5: ac0b8a906f359a8ae102244738682e76) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libstatusnotifier.so 7 12582921 statusnotifier "Status Notifier Plugin" "Provides a panel area for status notifier items (application indicators)"

xfce4-panel New Fork (PID: 5610, Parent: 3172)

wrapper-2.0 (PID: 5610, Parent: 3172, MD5: ac0b8a906f359a8ae102244738682e76) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libpulseaudio-plugin.so 8 12582922 pulseaudio "PulseAudio Plugin" "Adjust the audio volume of the PulseAudio sound system"

gnome-session-binary New Fork (PID: 5621, Parent: 1383)

sh (PID: 5621, Parent: 1383, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-color

gsd-color (PID: 5621, Parent: 1383, MD5: ac2861ad93ce047283e8e87cefef9a19) Arguments: /usr/libexec/gsd-color

gnome-session-binary New Fork (PID: 5627, Parent: 1383)

sh (PID: 5627, Parent: 1383, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-rfkill

gsd-rfkill (PID: 5627, Parent: 1383, MD5: 88a16a3c0aba1759358c06215ecfb5cc) Arguments: /usr/libexec/gsd-rfkill

gdm-session-worker New Fork (PID: 5629, Parent: 2946)

Default (PID: 5629, Parent: 2946, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PostSession/Default

gnome-session-binary New Fork (PID: 5630, Parent: 1383)

sh (PID: 5630, Parent: 1383, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-a11y-settings

gsd-a11y-settings (PID: 5630, Parent: 1383, MD5: 18e243d2cf30ecee7ea89d1462725c5c) Arguments: /usr/libexec/gsd-a11y-settings

gnome-session-binary New Fork (PID: 5631, Parent: 1383)

sh (PID: 5631, Parent: 1383, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-smartcard

gsd-smartcard (PID: 5631, Parent: 1383, MD5: ea1fbd7f62e4cd0331eae2ef754ee605) Arguments: /usr/libexec/gsd-smartcard

gnome-session-binary New Fork (PID: 5632, Parent: 1383)

sh (PID: 5632, Parent: 1383, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-media-keys

gsd-media-keys (PID: 5632, Parent: 1383, MD5: a425448c135afb4b8bfd79cc0b6b74da) Arguments: /usr/libexec/gsd-media-keys

gdm3 New Fork (PID: 5633, Parent: 1289)

Default (PID: 5633, Parent: 1289, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default

gnome-session-binary New Fork (PID: 5634, Parent: 1383)

sh (PID: 5634, Parent: 1383, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-datetime

gsd-datetime (PID: 5634, Parent: 1383, MD5: d80d39745740de37d6634d36e344d4bc) Arguments: /usr/libexec/gsd-datetime

udisksd New Fork (PID: 5635, Parent: 803)

dumpe2fs (PID: 5635, Parent: 803, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

gnome-session-binary New Fork (PID: 5637, Parent: 1383)

sh (PID: 5637, Parent: 1383, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-keyboard

gsd-keyboard (PID: 5637, Parent: 1383, MD5: 8e288fd17c80bb0a1148b964b2ac2279) Arguments: /usr/libexec/gsd-keyboard

gnome-session-binary New Fork (PID: 5638, Parent: 1383)

sh (PID: 5638, Parent: 1383, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-sound

gsd-sound (PID: 5638, Parent: 1383, MD5: 4c7d3fb993463337b4a0eb5c80c760ee) Arguments: /usr/libexec/gsd-sound

gnome-session-binary New Fork (PID: 5639, Parent: 1383)

sh (PID: 5639, Parent: 1383, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping

gsd-housekeeping (PID: 5639, Parent: 1383, MD5: b55f3394a84976ddb92a2915e5d76914) Arguments: /usr/libexec/gsd-housekeeping

gnome-session-binary New Fork (PID: 5640, Parent: 1383)

sh (PID: 5640, Parent: 1383, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-power

gsd-power (PID: 5640, Parent: 1383, MD5: 28b8e1b43c3e7f1db6741ea1ecd978b7) Arguments: /usr/libexec/gsd-power

udisksd New Fork (PID: 5641, Parent: 803)

dumpe2fs (PID: 5641, Parent: 803, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

Xorg New Fork (PID: 5642, Parent: 1371)

sh (PID: 5642, Parent: 1371, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "\"/usr/bin/xkbcomp\" -w 1 \"-R/usr/share/X11/xkb\" -xkm \"-\" -em1 \"The XKEYBOARD keymap compiler (xkbcomp) reports:\" -emp \"> \" -eml \"Errors from xkbcomp are not fatal to the X server\" \"/tmp/server-0.xkm\""

sh New Fork (PID: 5645, Parent: 5642)

xkbcomp (PID: 5645, Parent: 5642, MD5: c5f953aec4c00d2a1cc27acb75d62c9b) Arguments: /usr/bin/xkbcomp -w 1 -R/usr/share/X11/xkb -xkm - -em1 "The XKEYBOARD keymap compiler (xkbcomp) reports:" -emp "> " -eml "Errors from xkbcomp are not fatal to the X server" /tmp/server-0.xkm

udisksd New Fork (PID: 5655, Parent: 803)

dumpe2fs (PID: 5655, Parent: 803, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

udisksd New Fork (PID: 5664, Parent: 803)

dumpe2fs (PID: 5664, Parent: 803, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

systemd New Fork (PID: 5670, Parent: 1)

systemd-hostnamed (PID: 5670, Parent: 1, MD5: 2cc8a5576629a2d5bd98e49a4b8bef65) Arguments: /lib/systemd/systemd-hostnamed

udisksd New Fork (PID: 5804, Parent: 803)

dumpe2fs (PID: 5804, Parent: 803, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

Xorg New Fork (PID: 5812, Parent: 1371)

sh (PID: 5812, Parent: 1371, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "\"/usr/bin/xkbcomp\" -w 1 \"-R/usr/share/X11/xkb\" -xkm \"-\" -em1 \"The XKEYBOARD keymap compiler (xkbcomp) reports:\" -emp \"> \" -eml \"Errors from xkbcomp are not fatal to the X server\" \"/tmp/server-0.xkm\""

sh New Fork (PID: 5813, Parent: 5812)

xkbcomp (PID: 5813, Parent: 5812, MD5: c5f953aec4c00d2a1cc27acb75d62c9b) Arguments: /usr/bin/xkbcomp -w 1 -R/usr/share/X11/xkb -xkm - -em1 "The XKEYBOARD keymap compiler (xkbcomp) reports:" -emp "> " -eml "Errors from xkbcomp are not fatal to the X server" /tmp/server-0.xkm

systemd New Fork (PID: 5826, Parent: 1)

systemd-user-runtime-dir (PID: 5826, Parent: 1, MD5: d55f4b0847f88131dbcfb07435178e54) Arguments: /lib/systemd/systemd-user-runtime-dir stop 1000

systemd New Fork (PID: 5856, Parent: 1)

colord (PID: 5856, Parent: 1, MD5: 70861d1b2818c9279cd4a5c9035dac1f) Arguments: /usr/libexec/colord

colord New Fork (PID: 5877, Parent: 5856)

colord-sane (PID: 5877, Parent: 5856, MD5: 5f98d754a07bf1385c3ff001cde3882e) Arguments: /usr/libexec/colord-sane

systemd New Fork (PID: 5857, Parent: 1)

accounts-daemon (PID: 5857, Parent: 1, MD5: 01a899e3fb5e7e434bea1290255a1f30) Arguments: /usr/lib/accountsservice/accounts-daemon

accounts-daemon New Fork (PID: 5867, Parent: 5857)

language-validate (PID: 5867, Parent: 5857, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /usr/share/language-tools/language-validate en_US.UTF-8

language-validate New Fork (PID: 5868, Parent: 5867)

language-options (PID: 5868, Parent: 5867, MD5: 16a21f464119ea7fad1d3660de963637) Arguments: /usr/share/language-tools/language-options

language-options New Fork (PID: 5870, Parent: 5868)

sh (PID: 5870, Parent: 5868, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "locale -a | grep -F .utf8 "

sh New Fork (PID: 5871, Parent: 5870)

locale (PID: 5871, Parent: 5870, MD5: c72a78792469db86d91369c9057f20d2) Arguments: locale -a

sh New Fork (PID: 5872, Parent: 5870)

grep (PID: 5872, Parent: 5870, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -F .utf8

systemd New Fork (PID: 5882, Parent: 1)

systemd-localed (PID: 5882, Parent: 1, MD5: 1244af9646256d49594f2a8203329aa9) Arguments: /lib/systemd/systemd-localed

gdm3 New Fork (PID: 6014, Parent: 1289)

Default (PID: 6014, Parent: 1289, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default

gdm3 New Fork (PID: 6015, Parent: 1289)

Default (PID: 6015, Parent: 1289, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default

systemd New Fork (PID: 6023, Parent: 1)

systemd-user-runtime-dir (PID: 6023, Parent: 1, MD5: d55f4b0847f88131dbcfb07435178e54) Arguments: /lib/systemd/systemd-user-runtime-dir stop 127

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
na.elf	Linux_Trojan_Gafgyt_9e9530a7	unknown	unknown	0x6d30:$a: F6 48 63 FF B8 36 00 00 00 0F 05 48 3D 00 F0 FF FF 48 89 C3
na.elf	Linux_Trojan_Gafgyt_807911a2	unknown	unknown	0x751f:$a: FE 48 39 F3 0F 94 C2 48 83 F9 FF 0F 94 C0 84 D0 74 16 4B 8D
na.elf	Linux_Trojan_Gafgyt_d4227dbf	unknown	unknown	0x45be:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00 0x46cc:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00
na.elf	Linux_Trojan_Gafgyt_d996d335	unknown	unknown	0x9cae:$a: D0 EB 0F 40 38 37 75 04 48 89 F8 C3 49 FF C8 48 FF C7 4D 85 C0
na.elf	Linux_Trojan_Gafgyt_620087b9	unknown	unknown	0x70df:$a: 48 89 D8 48 83 C8 01 EB 04 48 8B 76 10 48 3B 46 08 72 F6 48 8B
na.elf	Linux_Trojan_Gafgyt_33b4111a	unknown	unknown	0x73aa:$a: C1 83 E1 0F 74 1A B8 10 00 00 00 48 29 C8 48 8D 0C 02 48 89 DA 48
na.elf	Linux_Trojan_Mirai_1e0c5ce0	unknown	unknown	0x8d7:$a: 4C 24 54 31 F6 41 B8 04 00 00 00 BA 03 00 00 00 C7 44 24 54 01 00
na.elf	Linux_Trojan_Mirai_520deeb8	unknown	unknown	0x34a:$a: ED 48 89 44 24 30 44 89 6C 24 10 7E 47 48 89 C1 44 89 E8 44
na.elf	Linux_Trojan_Mirai_6a77af0f	unknown	unknown	0x31bf:$a: 31 D1 89 0F 48 83 C7 04 85 F6 7E 3B 44 89 C8 45 89 D1 45 89 C2 41
na.elf	Linux_Trojan_Mirai_01e4a728	unknown	unknown	0x44d:$a: 44 24 23 48 8B 6C 24 28 83 F9 01 4A 8D 14 20 0F B6 02 88 45 08
na.elf	Linux_Trojan_Mirai_e0cf29e2	unknown	unknown	0x2032:$a: 83 FE 01 76 12 0F B7 07 83 EE 02 48 83 C7 02 48 01 C2 83 FE 01
Click to see the 6 entries

Memory Dumps

Source	Rule	Description	Author	Strings
5490.1.0000000000400000.000000000040d000.r-x.sdmp	Linux_Trojan_Gafgyt_9e9530a7	unknown	unknown	0x6d30:$a: F6 48 63 FF B8 36 00 00 00 0F 05 48 3D 00 F0 FF FF 48 89 C3
5490.1.0000000000400000.000000000040d000.r-x.sdmp	Linux_Trojan_Gafgyt_807911a2	unknown	unknown	0x751f:$a: FE 48 39 F3 0F 94 C2 48 83 F9 FF 0F 94 C0 84 D0 74 16 4B 8D
5490.1.0000000000400000.000000000040d000.r-x.sdmp	Linux_Trojan_Gafgyt_d4227dbf	unknown	unknown	0x45be:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00 0x46cc:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00
5490.1.0000000000400000.000000000040d000.r-x.sdmp	Linux_Trojan_Gafgyt_d996d335	unknown	unknown	0x9cae:$a: D0 EB 0F 40 38 37 75 04 48 89 F8 C3 49 FF C8 48 FF C7 4D 85 C0
5490.1.0000000000400000.000000000040d000.r-x.sdmp	Linux_Trojan_Gafgyt_620087b9	unknown	unknown	0x70df:$a: 48 89 D8 48 83 C8 01 EB 04 48 8B 76 10 48 3B 46 08 72 F6 48 8B
5490.1.0000000000400000.000000000040d000.r-x.sdmp	Linux_Trojan_Gafgyt_33b4111a	unknown	unknown	0x73aa:$a: C1 83 E1 0F 74 1A B8 10 00 00 00 48 29 C8 48 8D 0C 02 48 89 DA 48
5490.1.0000000000400000.000000000040d000.r-x.sdmp	Linux_Trojan_Mirai_1e0c5ce0	unknown	unknown	0x8d7:$a: 4C 24 54 31 F6 41 B8 04 00 00 00 BA 03 00 00 00 C7 44 24 54 01 00
5490.1.0000000000400000.000000000040d000.r-x.sdmp	Linux_Trojan_Mirai_520deeb8	unknown	unknown	0x34a:$a: ED 48 89 44 24 30 44 89 6C 24 10 7E 47 48 89 C1 44 89 E8 44
5490.1.0000000000400000.000000000040d000.r-x.sdmp	Linux_Trojan_Mirai_6a77af0f	unknown	unknown	0x31bf:$a: 31 D1 89 0F 48 83 C7 04 85 F6 7E 3B 44 89 C8 45 89 D1 45 89 C2 41
5490.1.0000000000400000.000000000040d000.r-x.sdmp	Linux_Trojan_Mirai_01e4a728	unknown	unknown	0x44d:$a: 44 24 23 48 8B 6C 24 28 83 F9 01 4A 8D 14 20 0F B6 02 88 45 08
5490.1.0000000000400000.000000000040d000.r-x.sdmp	Linux_Trojan_Mirai_e0cf29e2	unknown	unknown	0x2032:$a: 83 FE 01 76 12 0F B7 07 83 EE 02 48 83 C7 02 48 01 C2 83 FE 01
5491.1.0000000000400000.000000000040d000.r-x.sdmp	Linux_Trojan_Gafgyt_9e9530a7	unknown	unknown	0x6d30:$a: F6 48 63 FF B8 36 00 00 00 0F 05 48 3D 00 F0 FF FF 48 89 C3
5491.1.0000000000400000.000000000040d000.r-x.sdmp	Linux_Trojan_Gafgyt_807911a2	unknown	unknown	0x751f:$a: FE 48 39 F3 0F 94 C2 48 83 F9 FF 0F 94 C0 84 D0 74 16 4B 8D
5491.1.0000000000400000.000000000040d000.r-x.sdmp	Linux_Trojan_Gafgyt_d4227dbf	unknown	unknown	0x45be:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00 0x46cc:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00
5491.1.0000000000400000.000000000040d000.r-x.sdmp	Linux_Trojan_Gafgyt_d996d335	unknown	unknown	0x9cae:$a: D0 EB 0F 40 38 37 75 04 48 89 F8 C3 49 FF C8 48 FF C7 4D 85 C0
5491.1.0000000000400000.000000000040d000.r-x.sdmp	Linux_Trojan_Gafgyt_620087b9	unknown	unknown	0x70df:$a: 48 89 D8 48 83 C8 01 EB 04 48 8B 76 10 48 3B 46 08 72 F6 48 8B
5491.1.0000000000400000.000000000040d000.r-x.sdmp	Linux_Trojan_Gafgyt_33b4111a	unknown	unknown	0x73aa:$a: C1 83 E1 0F 74 1A B8 10 00 00 00 48 29 C8 48 8D 0C 02 48 89 DA 48
5491.1.0000000000400000.000000000040d000.r-x.sdmp	Linux_Trojan_Mirai_1e0c5ce0	unknown	unknown	0x8d7:$a: 4C 24 54 31 F6 41 B8 04 00 00 00 BA 03 00 00 00 C7 44 24 54 01 00
5491.1.0000000000400000.000000000040d000.r-x.sdmp	Linux_Trojan_Mirai_520deeb8	unknown	unknown	0x34a:$a: ED 48 89 44 24 30 44 89 6C 24 10 7E 47 48 89 C1 44 89 E8 44
5491.1.0000000000400000.000000000040d000.r-x.sdmp	Linux_Trojan_Mirai_6a77af0f	unknown	unknown	0x31bf:$a: 31 D1 89 0F 48 83 C7 04 85 F6 7E 3B 44 89 C8 45 89 D1 45 89 C2 41
5491.1.0000000000400000.000000000040d000.r-x.sdmp	Linux_Trojan_Mirai_01e4a728	unknown	unknown	0x44d:$a: 44 24 23 48 8B 6C 24 28 83 F9 01 4A 8D 14 20 0F B6 02 88 45 08
5491.1.0000000000400000.000000000040d000.r-x.sdmp	Linux_Trojan_Mirai_e0cf29e2	unknown	unknown	0x2032:$a: 83 FE 01 76 12 0F B7 07 83 EE 02 48 83 C7 02 48 01 C2 83 FE 01
5489.1.0000000000400000.000000000040d000.r-x.sdmp	Linux_Trojan_Gafgyt_9e9530a7	unknown	unknown	0x6d30:$a: F6 48 63 FF B8 36 00 00 00 0F 05 48 3D 00 F0 FF FF 48 89 C3
5489.1.0000000000400000.000000000040d000.r-x.sdmp	Linux_Trojan_Gafgyt_807911a2	unknown	unknown	0x751f:$a: FE 48 39 F3 0F 94 C2 48 83 F9 FF 0F 94 C0 84 D0 74 16 4B 8D
5489.1.0000000000400000.000000000040d000.r-x.sdmp	Linux_Trojan_Gafgyt_d4227dbf	unknown	unknown	0x45be:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00 0x46cc:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00
5489.1.0000000000400000.000000000040d000.r-x.sdmp	Linux_Trojan_Gafgyt_d996d335	unknown	unknown	0x9cae:$a: D0 EB 0F 40 38 37 75 04 48 89 F8 C3 49 FF C8 48 FF C7 4D 85 C0
5489.1.0000000000400000.000000000040d000.r-x.sdmp	Linux_Trojan_Gafgyt_620087b9	unknown	unknown	0x70df:$a: 48 89 D8 48 83 C8 01 EB 04 48 8B 76 10 48 3B 46 08 72 F6 48 8B
5489.1.0000000000400000.000000000040d000.r-x.sdmp	Linux_Trojan_Gafgyt_33b4111a	unknown	unknown	0x73aa:$a: C1 83 E1 0F 74 1A B8 10 00 00 00 48 29 C8 48 8D 0C 02 48 89 DA 48
5489.1.0000000000400000.000000000040d000.r-x.sdmp	Linux_Trojan_Mirai_1e0c5ce0	unknown	unknown	0x8d7:$a: 4C 24 54 31 F6 41 B8 04 00 00 00 BA 03 00 00 00 C7 44 24 54 01 00
5489.1.0000000000400000.000000000040d000.r-x.sdmp	Linux_Trojan_Mirai_520deeb8	unknown	unknown	0x34a:$a: ED 48 89 44 24 30 44 89 6C 24 10 7E 47 48 89 C1 44 89 E8 44
5489.1.0000000000400000.000000000040d000.r-x.sdmp	Linux_Trojan_Mirai_6a77af0f	unknown	unknown	0x31bf:$a: 31 D1 89 0F 48 83 C7 04 85 F6 7E 3B 44 89 C8 45 89 D1 45 89 C2 41
5489.1.0000000000400000.000000000040d000.r-x.sdmp	Linux_Trojan_Mirai_01e4a728	unknown	unknown	0x44d:$a: 44 24 23 48 8B 6C 24 28 83 F9 01 4A 8D 14 20 0F B6 02 88 45 08
5489.1.0000000000400000.000000000040d000.r-x.sdmp	Linux_Trojan_Mirai_e0cf29e2	unknown	unknown	0x2032:$a: 83 FE 01 76 12 0F B7 07 83 EE 02 48 83 C7 02 48 01 C2 83 FE 01
Click to see the 28 entries

Suricata Signatures

ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T10:02:49.642153+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.14	36612	93.123.39.116	51511	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: na.elf	ReversingLabs: Detection: 60%
Source: na.elf	Virustotal: Detection: 70%			Perma Link

Machine Learning detection for sample

Source: na.elf

Joe Sandbox ML: detected

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.14:36612 -> 93.123.39.116:51511

Source: global traffic

TCP traffic: 192.168.2.14:36612 -> 93.123.39.116:51511

Source: /tmp/na.elf (PID: 5489)

Socket: 127.0.0.1:6628

Jump to behavior

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: fdh32fsdfhs.shop
Source: global traffic	DNS traffic detected: DNS query: daisy.ubuntu.com

System Summary

Malicious sample detected (through community Yara rule)

Source: na.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_9e9530a7 Author: unknown
Source: na.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_807911a2 Author: unknown
Source: na.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_d4227dbf Author: unknown
Source: na.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_d996d335 Author: unknown
Source: na.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_620087b9 Author: unknown
Source: na.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_33b4111a Author: unknown
Source: na.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_1e0c5ce0 Author: unknown
Source: na.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_520deeb8 Author: unknown
Source: na.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_6a77af0f Author: unknown
Source: na.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_01e4a728 Author: unknown
Source: na.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_e0cf29e2 Author: unknown
Source: 5490.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_9e9530a7 Author: unknown
Source: 5490.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_807911a2 Author: unknown
Source: 5490.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d4227dbf Author: unknown
Source: 5490.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d996d335 Author: unknown
Source: 5490.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_620087b9 Author: unknown
Source: 5490.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_33b4111a Author: unknown
Source: 5490.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_1e0c5ce0 Author: unknown
Source: 5490.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_520deeb8 Author: unknown
Source: 5490.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_6a77af0f Author: unknown
Source: 5490.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_01e4a728 Author: unknown
Source: 5490.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_e0cf29e2 Author: unknown
Source: 5491.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_9e9530a7 Author: unknown
Source: 5491.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_807911a2 Author: unknown
Source: 5491.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d4227dbf Author: unknown
Source: 5491.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d996d335 Author: unknown
Source: 5491.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_620087b9 Author: unknown
Source: 5491.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_33b4111a Author: unknown
Source: 5491.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_1e0c5ce0 Author: unknown
Source: 5491.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_520deeb8 Author: unknown
Source: 5491.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_6a77af0f Author: unknown
Source: 5491.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_01e4a728 Author: unknown
Source: 5491.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_e0cf29e2 Author: unknown
Source: 5489.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_9e9530a7 Author: unknown
Source: 5489.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_807911a2 Author: unknown
Source: 5489.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d4227dbf Author: unknown
Source: 5489.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d996d335 Author: unknown
Source: 5489.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_620087b9 Author: unknown
Source: 5489.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_33b4111a Author: unknown
Source: 5489.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_1e0c5ce0 Author: unknown
Source: 5489.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_520deeb8 Author: unknown
Source: 5489.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_6a77af0f Author: unknown
Source: 5489.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_01e4a728 Author: unknown
Source: 5489.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_e0cf29e2 Author: unknown

Sample tries to kill multiple processes (SIGKILL)

Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 795, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 800, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 803, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 1364, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 1369, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 1371, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 1383, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 1394, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 1560, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 1564, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 1567, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 1577, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 1588, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 1593, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 1610, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 1630, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 1633, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 1635, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 1638, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 1639, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 1640, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 1642, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 1647, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 1650, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 1653, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 1655, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 1659, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 1661, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 1683, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 1712, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 1717, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 2946, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 2997, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 2999, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 3120, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 3129, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 3134, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 3142, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 3147, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 3184, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 3187, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 3188, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 3189, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 3190, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 3193, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 3207, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 3215, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 3235, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 3245, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 3246, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 3268, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 3304, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 3319, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 3329, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 3341, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 3353, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 3361, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 3392, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 3398, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 3402, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 3406, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 3412, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 3420, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 3425, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 3663, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 5554, result: successful	Jump to behavior

Source: Initial sample	String containing 'busybox' found: /bin/busybox
Source: Initial sample	String containing 'busybox' found: /proc/self/exe/bin/busybox/proc/%d/etc/systmp.d/proc/%s/lib/systemd/usr/lib/systemd/systemd/usr/lib/openssh/sftp-server/sys/system/dvr/main/usr/mnt/mtd/org/userfs/home/process/net_process/var/tmp/sonia/usr/sbin/usr/bin/mnt/gm/bin/var/Sofia/usr/sbin/sshd/usr/sbin/ntpd/usr/sbin/cupsd/usr/lib/apt/methods/http/usr/sbin/crond/usr/sbin/rsyslogd/usr/sbin/inetd/usr/sbin/dnsmasq/usr/bin/DVRServer/usr/bin/DVRShell/usr/bin/DVRControl/usr/bin/DVRRemoteAgent/usr/bin/DVRNetService/usr/libexec/openssh/sftp-server]

Source: ELF static info symbol of initial sample

.symtab present: no

Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 795, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 800, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 803, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 1364, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 1369, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 1371, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 1383, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 1394, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 1560, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 1564, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 1567, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 1577, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 1588, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 1593, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 1610, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 1630, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 1633, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 1635, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 1638, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 1639, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 1640, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 1642, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 1647, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 1650, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 1653, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 1655, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 1659, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 1661, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 1683, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 1712, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 1717, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 2946, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 2997, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 2999, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 3120, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 3129, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 3134, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 3142, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 3147, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 3184, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 3187, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 3188, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 3189, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 3190, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 3193, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 3207, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 3215, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 3235, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 3245, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 3246, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 3268, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 3304, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 3319, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 3329, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 3341, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 3353, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 3361, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 3392, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 3398, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 3402, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 3406, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 3412, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 3420, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 3425, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 3663, result: successful	Jump to behavior
Source: /tmp/na.elf (PID: 5490)	SIGKILL sent: pid: 5554, result: successful	Jump to behavior

Source: na.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_9e9530a7 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = d6ad6512051e87c8c35dc168d82edd071b122d026dce21d39b9782b3d6a01e50, id = 9e9530a7-ad4d-4a44-b764-437b7621052f, last_modified = 2021-09-16
Source: na.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_807911a2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = f409037091b7372f5a42bbe437316bd11c655e7a5fe1fcf83d1981cb5c4a389f, id = 807911a2-f6ec-4e65-924f-61cb065dafc6, last_modified = 2021-09-16
Source: na.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_d4227dbf reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 58c4b1d4d167876b64cfa10f609911a80284180e4db093917fea16fae8ccd4e3, id = d4227dbf-6ab4-4637-a6ba-0e604acaafb4, last_modified = 2021-09-16
Source: na.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_d996d335 reference_sample = b511eacd4b44744c8cf82d1b4a9bc6f1022fe6be7c5d17356b171f727ddc6eda, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = e9ccb8412f32187c309b0e9afcc3a6da21ad2f1ffa251c27f9f720ccb284e3ac, id = d996d335-e049-4052-bf36-6cd07c911a8b, last_modified = 2021-09-16
Source: na.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_620087b9 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 06cd7e6eb62352ec2ccb9ed48e58c0583c02fefd137cd048d053ab30b5330307, id = 620087b9-c87d-4752-89e8-ca1c16486b28, last_modified = 2021-09-16
Source: na.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_33b4111a reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 9c3b63b9a0f54006bae12abcefdb518904a85f78be573f0780f0a265b12d2d6e, id = 33b4111a-e59e-48db-9d74-34ca44fcd9f5, last_modified = 2021-09-16
Source: na.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_1e0c5ce0 reference_sample = 5b1f95840caebf9721bf318126be27085ec08cf7881ec64a884211a934351c2d, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 8e45538b59f9c9b8bc49661069044900c8199e487714c715c1b1f970fd528e3b, id = 1e0c5ce0-3b76-4da4-8bed-2e5036b6ce79, last_modified = 2021-09-16
Source: na.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_520deeb8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f4dfd1d76e07ff875eedfe0ef4f861bee1e4d8e66d68385f602f29cc35e30cca, id = 520deeb8-cbc0-4225-8d23-adba5e040471, last_modified = 2021-09-16
Source: na.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_6a77af0f os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 4e436f509e7e732e3d0326bcbdde555bba0653213ddf31b43cfdfbe16abb0016, id = 6a77af0f-31fa-4793-82aa-10b065ba1ec0, last_modified = 2021-09-16
Source: na.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_01e4a728 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = d90477364982bdc6cd22079c245d866454475749f762620273091f2fab73c196, id = 01e4a728-7c1c-479b-aed0-cb76d64dbb02, last_modified = 2021-09-16
Source: na.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_e0cf29e2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 3f124c3c9f124264dfbbcca1e4b4d7cfcf3274170d4bf8966b6559045873948f, id = e0cf29e2-88d7-4aa4-b60a-c24626f2b246, last_modified = 2021-09-16
Source: 5490.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_9e9530a7 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = d6ad6512051e87c8c35dc168d82edd071b122d026dce21d39b9782b3d6a01e50, id = 9e9530a7-ad4d-4a44-b764-437b7621052f, last_modified = 2021-09-16
Source: 5490.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_807911a2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = f409037091b7372f5a42bbe437316bd11c655e7a5fe1fcf83d1981cb5c4a389f, id = 807911a2-f6ec-4e65-924f-61cb065dafc6, last_modified = 2021-09-16
Source: 5490.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d4227dbf reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 58c4b1d4d167876b64cfa10f609911a80284180e4db093917fea16fae8ccd4e3, id = d4227dbf-6ab4-4637-a6ba-0e604acaafb4, last_modified = 2021-09-16
Source: 5490.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d996d335 reference_sample = b511eacd4b44744c8cf82d1b4a9bc6f1022fe6be7c5d17356b171f727ddc6eda, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = e9ccb8412f32187c309b0e9afcc3a6da21ad2f1ffa251c27f9f720ccb284e3ac, id = d996d335-e049-4052-bf36-6cd07c911a8b, last_modified = 2021-09-16
Source: 5490.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_620087b9 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 06cd7e6eb62352ec2ccb9ed48e58c0583c02fefd137cd048d053ab30b5330307, id = 620087b9-c87d-4752-89e8-ca1c16486b28, last_modified = 2021-09-16
Source: 5490.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_33b4111a reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 9c3b63b9a0f54006bae12abcefdb518904a85f78be573f0780f0a265b12d2d6e, id = 33b4111a-e59e-48db-9d74-34ca44fcd9f5, last_modified = 2021-09-16
Source: 5490.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_1e0c5ce0 reference_sample = 5b1f95840caebf9721bf318126be27085ec08cf7881ec64a884211a934351c2d, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 8e45538b59f9c9b8bc49661069044900c8199e487714c715c1b1f970fd528e3b, id = 1e0c5ce0-3b76-4da4-8bed-2e5036b6ce79, last_modified = 2021-09-16
Source: 5490.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_520deeb8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f4dfd1d76e07ff875eedfe0ef4f861bee1e4d8e66d68385f602f29cc35e30cca, id = 520deeb8-cbc0-4225-8d23-adba5e040471, last_modified = 2021-09-16
Source: 5490.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_6a77af0f os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 4e436f509e7e732e3d0326bcbdde555bba0653213ddf31b43cfdfbe16abb0016, id = 6a77af0f-31fa-4793-82aa-10b065ba1ec0, last_modified = 2021-09-16
Source: 5490.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_01e4a728 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = d90477364982bdc6cd22079c245d866454475749f762620273091f2fab73c196, id = 01e4a728-7c1c-479b-aed0-cb76d64dbb02, last_modified = 2021-09-16
Source: 5490.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_e0cf29e2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 3f124c3c9f124264dfbbcca1e4b4d7cfcf3274170d4bf8966b6559045873948f, id = e0cf29e2-88d7-4aa4-b60a-c24626f2b246, last_modified = 2021-09-16
Source: 5491.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_9e9530a7 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = d6ad6512051e87c8c35dc168d82edd071b122d026dce21d39b9782b3d6a01e50, id = 9e9530a7-ad4d-4a44-b764-437b7621052f, last_modified = 2021-09-16
Source: 5491.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_807911a2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = f409037091b7372f5a42bbe437316bd11c655e7a5fe1fcf83d1981cb5c4a389f, id = 807911a2-f6ec-4e65-924f-61cb065dafc6, last_modified = 2021-09-16
Source: 5491.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d4227dbf reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 58c4b1d4d167876b64cfa10f609911a80284180e4db093917fea16fae8ccd4e3, id = d4227dbf-6ab4-4637-a6ba-0e604acaafb4, last_modified = 2021-09-16
Source: 5491.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d996d335 reference_sample = b511eacd4b44744c8cf82d1b4a9bc6f1022fe6be7c5d17356b171f727ddc6eda, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = e9ccb8412f32187c309b0e9afcc3a6da21ad2f1ffa251c27f9f720ccb284e3ac, id = d996d335-e049-4052-bf36-6cd07c911a8b, last_modified = 2021-09-16
Source: 5491.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_620087b9 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 06cd7e6eb62352ec2ccb9ed48e58c0583c02fefd137cd048d053ab30b5330307, id = 620087b9-c87d-4752-89e8-ca1c16486b28, last_modified = 2021-09-16
Source: 5491.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_33b4111a reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 9c3b63b9a0f54006bae12abcefdb518904a85f78be573f0780f0a265b12d2d6e, id = 33b4111a-e59e-48db-9d74-34ca44fcd9f5, last_modified = 2021-09-16
Source: 5491.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_1e0c5ce0 reference_sample = 5b1f95840caebf9721bf318126be27085ec08cf7881ec64a884211a934351c2d, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 8e45538b59f9c9b8bc49661069044900c8199e487714c715c1b1f970fd528e3b, id = 1e0c5ce0-3b76-4da4-8bed-2e5036b6ce79, last_modified = 2021-09-16
Source: 5491.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_520deeb8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f4dfd1d76e07ff875eedfe0ef4f861bee1e4d8e66d68385f602f29cc35e30cca, id = 520deeb8-cbc0-4225-8d23-adba5e040471, last_modified = 2021-09-16
Source: 5491.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_6a77af0f os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 4e436f509e7e732e3d0326bcbdde555bba0653213ddf31b43cfdfbe16abb0016, id = 6a77af0f-31fa-4793-82aa-10b065ba1ec0, last_modified = 2021-09-16
Source: 5491.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_01e4a728 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = d90477364982bdc6cd22079c245d866454475749f762620273091f2fab73c196, id = 01e4a728-7c1c-479b-aed0-cb76d64dbb02, last_modified = 2021-09-16
Source: 5491.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_e0cf29e2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 3f124c3c9f124264dfbbcca1e4b4d7cfcf3274170d4bf8966b6559045873948f, id = e0cf29e2-88d7-4aa4-b60a-c24626f2b246, last_modified = 2021-09-16
Source: 5489.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_9e9530a7 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = d6ad6512051e87c8c35dc168d82edd071b122d026dce21d39b9782b3d6a01e50, id = 9e9530a7-ad4d-4a44-b764-437b7621052f, last_modified = 2021-09-16
Source: 5489.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_807911a2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = f409037091b7372f5a42bbe437316bd11c655e7a5fe1fcf83d1981cb5c4a389f, id = 807911a2-f6ec-4e65-924f-61cb065dafc6, last_modified = 2021-09-16
Source: 5489.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d4227dbf reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 58c4b1d4d167876b64cfa10f609911a80284180e4db093917fea16fae8ccd4e3, id = d4227dbf-6ab4-4637-a6ba-0e604acaafb4, last_modified = 2021-09-16
Source: 5489.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d996d335 reference_sample = b511eacd4b44744c8cf82d1b4a9bc6f1022fe6be7c5d17356b171f727ddc6eda, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = e9ccb8412f32187c309b0e9afcc3a6da21ad2f1ffa251c27f9f720ccb284e3ac, id = d996d335-e049-4052-bf36-6cd07c911a8b, last_modified = 2021-09-16
Source: 5489.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_620087b9 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 06cd7e6eb62352ec2ccb9ed48e58c0583c02fefd137cd048d053ab30b5330307, id = 620087b9-c87d-4752-89e8-ca1c16486b28, last_modified = 2021-09-16
Source: 5489.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_33b4111a reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 9c3b63b9a0f54006bae12abcefdb518904a85f78be573f0780f0a265b12d2d6e, id = 33b4111a-e59e-48db-9d74-34ca44fcd9f5, last_modified = 2021-09-16
Source: 5489.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_1e0c5ce0 reference_sample = 5b1f95840caebf9721bf318126be27085ec08cf7881ec64a884211a934351c2d, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 8e45538b59f9c9b8bc49661069044900c8199e487714c715c1b1f970fd528e3b, id = 1e0c5ce0-3b76-4da4-8bed-2e5036b6ce79, last_modified = 2021-09-16
Source: 5489.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_520deeb8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f4dfd1d76e07ff875eedfe0ef4f861bee1e4d8e66d68385f602f29cc35e30cca, id = 520deeb8-cbc0-4225-8d23-adba5e040471, last_modified = 2021-09-16
Source: 5489.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_6a77af0f os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 4e436f509e7e732e3d0326bcbdde555bba0653213ddf31b43cfdfbe16abb0016, id = 6a77af0f-31fa-4793-82aa-10b065ba1ec0, last_modified = 2021-09-16
Source: 5489.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_01e4a728 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = d90477364982bdc6cd22079c245d866454475749f762620273091f2fab73c196, id = 01e4a728-7c1c-479b-aed0-cb76d64dbb02, last_modified = 2021-09-16
Source: 5489.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_e0cf29e2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 3f124c3c9f124264dfbbcca1e4b4d7cfcf3274170d4bf8966b6559045873948f, id = e0cf29e2-88d7-4aa4-b60a-c24626f2b246, last_modified = 2021-09-16

Source: classification engine

Classification label: mal84.spre.troj.linELF@0/12@3/0

Source: /usr/lib/upower/upowerd (PID: 5560)	Directory: <invalid fd (12)>/..	Jump to behavior
Source: /usr/lib/upower/upowerd (PID: 5560)	Directory: <invalid fd (11)>/..	Jump to behavior
Source: /usr/libexec/gsd-wacom (PID: 5569)	Directory: /var/lib/gdm3/.Xdefaults	Jump to behavior
Source: /usr/libexec/gsd-wacom (PID: 5569)	Directory: /var/lib/gdm3/.Xdefaults-galassia	Jump to behavior
Source: /usr/libexec/gsd-color (PID: 5621)	Directory: /var/lib/gdm3/.Xdefaults	Jump to behavior
Source: /usr/libexec/gsd-color (PID: 5621)	Directory: /var/lib/gdm3/.Xdefaults-galassia	Jump to behavior
Source: /usr/libexec/gsd-rfkill (PID: 5627)	Directory: <invalid fd (9)>/..	Jump to behavior
Source: /usr/libexec/gsd-rfkill (PID: 5627)	Directory: <invalid fd (8)>/..	Jump to behavior
Source: /usr/libexec/gsd-media-keys (PID: 5632)	Directory: /var/lib/gdm3/.Xdefaults	Jump to behavior
Source: /usr/libexec/gsd-media-keys (PID: 5632)	Directory: /var/lib/gdm3/.Xdefaults-galassia	Jump to behavior
Source: /usr/libexec/gsd-media-keys (PID: 5632)	Directory: /usr/share/locale/en_US.UTF-8/LC_MESSAGES/.mo	Jump to behavior
Source: /usr/libexec/gsd-media-keys (PID: 5632)	Directory: /usr/share/locale/en_US.utf8/LC_MESSAGES/.mo	Jump to behavior
Source: /usr/libexec/gsd-media-keys (PID: 5632)	Directory: /usr/share/locale/en_US/LC_MESSAGES/.mo	Jump to behavior
Source: /usr/libexec/gsd-media-keys (PID: 5632)	Directory: /usr/share/locale/en.UTF-8/LC_MESSAGES/.mo	Jump to behavior
Source: /usr/libexec/gsd-media-keys (PID: 5632)	Directory: /usr/share/locale/en.utf8/LC_MESSAGES/.mo	Jump to behavior
Source: /usr/libexec/gsd-media-keys (PID: 5632)	Directory: /usr/share/locale/en/LC_MESSAGES/.mo	Jump to behavior
Source: /usr/libexec/gsd-media-keys (PID: 5632)	Directory: /usr/share/locale-langpack/en_US.UTF-8/LC_MESSAGES/.mo	Jump to behavior
Source: /usr/libexec/gsd-media-keys (PID: 5632)	Directory: /usr/share/locale-langpack/en_US.utf8/LC_MESSAGES/.mo	Jump to behavior
Source: /usr/libexec/gsd-media-keys (PID: 5632)	Directory: /usr/share/locale-langpack/en_US/LC_MESSAGES/.mo	Jump to behavior
Source: /usr/libexec/gsd-media-keys (PID: 5632)	Directory: /usr/share/locale-langpack/en.UTF-8/LC_MESSAGES/.mo	Jump to behavior
Source: /usr/libexec/gsd-media-keys (PID: 5632)	Directory: /usr/share/locale-langpack/en.utf8/LC_MESSAGES/.mo	Jump to behavior
Source: /usr/libexec/gsd-media-keys (PID: 5632)	Directory: /usr/share/locale-langpack/en/LC_MESSAGES/.mo	Jump to behavior
Source: /usr/libexec/gsd-keyboard (PID: 5637)	Directory: /var/lib/gdm3/.Xdefaults	Jump to behavior
Source: /usr/libexec/gsd-keyboard (PID: 5637)	Directory: /var/lib/gdm3/.Xdefaults-galassia	Jump to behavior
Source: /usr/libexec/gsd-power (PID: 5640)	Directory: /var/lib/gdm3/.Xdefaults	Jump to behavior
Source: /usr/libexec/gsd-power (PID: 5640)	Directory: /var/lib/gdm3/.Xdefaults-galassia	Jump to behavior
Source: /lib/systemd/systemd-hostnamed (PID: 5670)	Directory: <invalid fd (10)>/..	Jump to behavior
Source: /usr/libexec/colord (PID: 5856)	Directory: /var/lib/colord/.cache	Jump to behavior
Source: /usr/lib/accountsservice/accounts-daemon (PID: 5857)	Directory: /var/lib/gdm3/.pam_environment	Jump to behavior
Source: /usr/lib/accountsservice/accounts-daemon (PID: 5857)	Directory: /root/.cache	Jump to behavior

Source: /usr/lib/xorg/Xorg (PID: 5642)	Shell command executed: sh -c "\"/usr/bin/xkbcomp\" -w 1 \"-R/usr/share/X11/xkb\" -xkm \"-\" -em1 \"The XKEYBOARD keymap compiler (xkbcomp) reports:\" -emp \"> \" -eml \"Errors from xkbcomp are not fatal to the X server\" \"/tmp/server-0.xkm\""	Jump to behavior
Source: /usr/lib/xorg/Xorg (PID: 5812)	Shell command executed: sh -c "\"/usr/bin/xkbcomp\" -w 1 \"-R/usr/share/X11/xkb\" -xkm \"-\" -em1 \"The XKEYBOARD keymap compiler (xkbcomp) reports:\" -emp \"> \" -eml \"Errors from xkbcomp are not fatal to the X server\" \"/tmp/server-0.xkm\""	Jump to behavior
Source: /usr/share/language-tools/language-options (PID: 5870)	Shell command executed: sh -c "locale -a \| grep -F .utf8 "	Jump to behavior

Source: /bin/sh (PID: 5872)

Grep executable: /usr/bin/grep -> grep -F .utf8

Jump to behavior

Source: /usr/lib/accountsservice/accounts-daemon (PID: 5857)	File: /var/lib/AccountsService/icons (bits: - usr: rx grp: rwx all: rwx)			Jump to behavior
Source: /usr/lib/accountsservice/accounts-daemon (PID: 5857)	File: /var/lib/AccountsService/users (bits: - usr: - grp: - all: rwx)			Jump to behavior

Source: /tmp/na.elf (PID: 5491)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/libexec/gsd-wacom (PID: 5569)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/libexec/gsd-color (PID: 5621)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/libexec/gsd-smartcard (PID: 5631)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/libexec/gsd-media-keys (PID: 5632)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/libexec/gsd-keyboard (PID: 5637)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/libexec/gsd-power (PID: 5640)	Queries kernel information via 'uname':	Jump to behavior
Source: /lib/systemd/systemd-hostnamed (PID: 5670)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/libexec/colord-sane (PID: 5877)	Queries kernel information via 'uname':	Jump to behavior

Language, Device and Operating System Detection

Reads system files that contain records of logged in users

Source: /usr/lib/accountsservice/accounts-daemon (PID: 5857)

Logged in records file read: /var/log/wtmp

Jump to behavior

Remote Access Functionality

Detected Mirai

Source: Traffic

Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	Windows Management Instrumentation	1 Scripting	Path Interception	1 File and Directory Permissions Modification	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	1 Service Stop
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Hidden Files and Directories	LSASS Memory	1 System Owner/User Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
na.elf	61%	ReversingLabs	Linux.Backdoor.Mirai
na.elf	70%	Virustotal		Browse
na.elf	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
daisy.ubuntu.com	0%	Virustotal		Browse
fdh32fsdfhs.shop	15%	Virustotal		Browse

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
daisy.ubuntu.com	162.213.35.24	true	false	0%, Virustotal, Browse	unknown
fdh32fsdfhs.shop	93.123.39.116	true	true	15%, Virustotal, Browse	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
93.123.39.116	fdh32fsdfhs.shop	Bulgaria		43561	NET1-ASBG	true

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
93.123.39.116	na.elf	Get hash	malicious	Mirai	Browse
	na.elf	Get hash	malicious	Mirai	Browse
	na.elf	Get hash	malicious	Mirai	Browse
	na.elf	Get hash	malicious	Mirai	Browse
	na.elf	Get hash	malicious	Mirai	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
daisy.ubuntu.com	na.elf	Get hash	malicious	Mirai	Browse	162.213.35.25
	na.elf	Get hash	malicious	Mirai	Browse	162.213.35.25
	na.elf	Get hash	malicious	Mirai	Browse	162.213.35.25
	na.elf	Get hash	malicious	Mirai	Browse	162.213.35.24
	na.elf	Get hash	malicious	Unknown	Browse	162.213.35.25
	na.elf	Get hash	malicious	Unknown	Browse	162.213.35.24
	na.elf	Get hash	malicious	Unknown	Browse	162.213.35.24
	na.elf	Get hash	malicious	Unknown	Browse	162.213.35.24
	na.elf	Get hash	malicious	Unknown	Browse	162.213.35.25
	na.elf	Get hash	malicious	Unknown	Browse	162.213.35.25
fdh32fsdfhs.shop	na.elf	Get hash	malicious	Mirai	Browse	93.123.39.116
	na.elf	Get hash	malicious	Mirai	Browse	93.123.39.116
	na.elf	Get hash	malicious	Mirai	Browse	93.123.39.116
	na.elf	Get hash	malicious	Mirai	Browse	93.123.39.116
	na.elf	Get hash	malicious	Mirai	Browse	93.123.39.116
	i586.elf	Get hash	malicious	Mirai	Browse	185.196.9.5
	i686.elf	Get hash	malicious	Mirai	Browse	185.196.9.5
	i686nk.elf	Get hash	malicious	Mirai	Browse	185.196.9.5
	mips.elf	Get hash	malicious	Mirai	Browse	185.196.9.5
	mipsel.elf	Get hash	malicious	Mirai	Browse	185.196.9.5

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NET1-ASBG	na.elf	Get hash	malicious	Mirai	Browse	93.123.39.116
	na.elf	Get hash	malicious	Mirai	Browse	93.123.39.116
	na.elf	Get hash	malicious	Mirai	Browse	93.123.39.116
	na.elf	Get hash	malicious	Mirai	Browse	93.123.39.116
	na.elf	Get hash	malicious	Mirai	Browse	93.123.39.116
	arm7.elf	Get hash	malicious	Mirai	Browse	93.123.39.105
	x86.elf	Get hash	malicious	Unknown	Browse	93.123.39.105
	k4STQvJ6rV.vbs	Get hash	malicious	XWorm	Browse	93.123.39.76
	https://swissquotech.com/swissquote-2024.zip	Get hash	malicious	Phisher	Browse	87.121.45.6
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse	93.123.85.166

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

/run/user/127/dconf/user

Download File

Process:	/usr/libexec/gsd-power
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	93B885ADFE0DA089CDF634904FD59F71
SHA1:	5BA93C9DB0CFF93F52B521D7420E43F6EDA2784F
SHA-256:	6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D
SHA-512:	B8244D028981D693AF7B456AF8EFA4CAD63D282E19FF14942C246E50D9351D22704A802A71C3580B6370DE4CEB293C324A8423342557D4E5C38438F0E36910EE
Malicious:	false
Reputation:	high, very likely benign file
Preview:	.

/tmp/server-0.xkm

Download File

Process:	/usr/bin/xkbcomp
File Type:	Compiled XKB Keymap: lsb, version 15
Category:	dropped
Size (bytes):	12060
Entropy (8bit):	4.8492493153178975
Encrypted:	false
SSDEEP:	192:tDyb2zOmnECQmwTVFfLaSLus4UVcqLkjoqdD//HJeCQ1+JdDx0s2T:tDyAxvYhFf+S6tUzmp7/1MJ
MD5:	B4E3EB0B8B6B0FC1F46740C573E18D86
SHA1:	7D35426357695EBA77850757E8939A62DCEFF2D1
SHA-256:	7951135CC89A6E89493E3A9997C3D9054439459F8BFCE3DDEC76B943DA79FA91
SHA-512:	8196A23E2B5E525A5581562A2D7F2EE4FF5B694FEF3E218206D52EA9BFE80600BB0C6AA8968CA58E93E1AAD478FA05E157D08DB6D4D1224DDEA6754E377BE001
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.mkx..............D.......................h.......<.....P.@%.......&......D.......NumLock.....Alt.....LevelThree..LAlt....RAlt....RControl....LControl....ScrollLock..LevelFive...AltGr...Meta....Super...Hyper...........evdev+aliases(qwerty)...!.....ESC.AE01AE02AE03AE04AE05AE06AE07AE08AE09AE10AE11AE12BKSPTAB.AD01AD02AD03AD04AD05AD06AD07AD08AD09AD10AD11AD12RTRNLCTLAC01AC02AC03AC04AC05AC06AC07AC08AC09AC10AC11TLDELFSHBKSLAB01AB02AB03AB04AB05AB06AB07AB08AB09AB10RTSHKPMULALTSPCECAPSFK01FK02FK03FK04FK05FK06FK07FK08FK09FK10NMLKSCLKKP7.KP8.KP9.KPSUKP4.KP5.KP6.KPADKP1.KP2.KP3.KP0.KPDLLVL3....LSGTFK11FK12AB11KATAHIRAHENKHKTGMUHEJPCMKPENRCTLKPDVPRSCRALTLNFDHOMEUP..PGUPLEFTRGHTEND.DOWNPGDNINS.DELEI120MUTEVOL-VOL+POWRKPEQI126PAUSI128I129HNGLHJCVAE13LWINRWINCOMPSTOPAGAIPROPUNDOFRNTCOPYOPENPASTFINDCUT.HELPI147I148I149I150I151I152I153I154I155I156I157I158I159I160I161I162I163I164I165I166I167I168I169I170I171I172I173I174I175I176I177I178I179I180I181I182I183I184I185I186I187I188I189I190FK13FK14FK15FK16FK17FK18

/var/lib/AccountsService/users/gdm.65HBV2

Download File

Process:	/usr/lib/accountsservice/accounts-daemon
File Type:	ASCII text
Category:	dropped
Size (bytes):	51
Entropy (8bit):	4.647628037922664
Encrypted:	false
SSDEEP:	3:urCLnT+PzKLrAan4R8AKn:gI+zKLrAa4M
MD5:	071DABFEAD25B35D415780C2CFA55287
SHA1:	ED08D2B2FC77EF256FF9196934A55CFE4AE1B8E3
SHA-256:	E778170EDFD4C9871EFF24F592FF7A23D2A08A86479A6B14E42AF5FC1094416C
SHA-512:	8FBC64B76E1916570726BE87A2E9FBF7BDD1B07AB64A4A007EF20846273D416C04B32F8D2B923F1FDAA82BA729F2668A402DF608F4852E7676F67247A2666668
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	[User].Icon=/var/lib/gdm3/.face.SystemAccount=true.

Static File Info

General

File type:	ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.2579465590880226
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	na.elf
File size:	51'264 bytes
MD5:	14e20246c5525fe85472eb6fb023d498
SHA1:	f0cec71e503802f4eaf89c391c81a26784be257f
SHA256:	14608e020d2968f0c7beec6939c1955ead78024f201aac430f994f1998f030ff
SHA512:	a3a7f7def639ffd240932cbb55dbe1e45dff418b521e1044ae9406fd140fd2ad03ecd57c410b477ae0f68f2a9f772fb0c8f1c252eb00b3058341c2cd8ea723ce
SSDEEP:	768:nHHqmdDSodln8muwp4roeuZ7YvK3VfoRYjGbWnaWUohyye43egkE6I2jvk:HKmdDSodl8mxnZsvIfurWnaEyyOr
TLSH:	CE334A07B96280FDC5ADC17847BAB639CD3374BE027976AA33D4FA3A6D49D211E5D800
File Content Preview:	.ELF..............>.......@.....@...................@.8...@.......................@.......@...............................................P.......P..............1..............Q.td....................................................H...._........H........

Static ELF Info

ELF header
Class:	ELF64
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Advanced Micro Devices X86-64
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x400194
Flags:	0x0
ELF Header Size:	64
Program Header Offset:	64
Program Header Size:	56
Number of Program Headers:	3
Section Header Offset:	50624
Section Header Size:	64
Number of Section Headers:	10
Header String Table Index:	9

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x4000e8	0xe8	0x13	0x0	0x6	AX	1
.text	PROGBITS	0x400100	0x100	0xa006	0x0	0x6	AX	16
.fini	PROGBITS	0x40a106	0xa106	0xe	0x0	0x6	AX	1
.rodata	PROGBITS	0x40a120	0xa120	0x1f70	0x0	0x2	A	32
.ctors	PROGBITS	0x50c098	0xc098	0x10	0x0	0x3	WA	8
.dtors	PROGBITS	0x50c0a8	0xc0a8	0x10	0x0	0x3	WA	8
.data	PROGBITS	0x50c0c0	0xc0c0	0x4c0	0x0	0x3	WA	32
.bss	NOBITS	0x50c580	0xc580	0x2ce8	0x0	0x3	WA	32
.shstrtab	STRTAB	0x0	0xc580	0x3e	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x400000	0x400000	0xc090	0xc090	6.3586	0x5	R E	0x100000	.init .text .fini .rodata
LOAD	0xc098	0x50c098	0x50c098	0x4e8	0x31d0	2.3223	0x6	RW	0x100000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x8

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-08T10:02:49.642153+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.14	36612	93.123.39.116	51511	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 10:02:49.620507956 CEST	36612	51511	192.168.2.14	93.123.39.116
Oct 8, 2024 10:02:49.625574112 CEST	51511	36612	93.123.39.116	192.168.2.14
Oct 8, 2024 10:02:49.625669956 CEST	36612	51511	192.168.2.14	93.123.39.116
Oct 8, 2024 10:02:49.642153025 CEST	36612	51511	192.168.2.14	93.123.39.116
Oct 8, 2024 10:02:49.647412062 CEST	51511	36612	93.123.39.116	192.168.2.14
Oct 8, 2024 10:02:49.939327002 CEST	36612	51511	192.168.2.14	93.123.39.116
Oct 8, 2024 10:02:49.991807938 CEST	51511	36612	93.123.39.116	192.168.2.14
Oct 8, 2024 10:03:10.975876093 CEST	51511	36612	93.123.39.116	192.168.2.14
Oct 8, 2024 10:03:10.976041079 CEST	36612	51511	192.168.2.14	93.123.39.116

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 10:02:49.605722904 CEST	41712	53	192.168.2.14	8.8.8.8
Oct 8, 2024 10:02:49.614809990 CEST	53	41712	8.8.8.8	192.168.2.14
Oct 8, 2024 10:02:57.659993887 CEST	51227	53	192.168.2.14	1.1.1.1
Oct 8, 2024 10:02:57.660048008 CEST	55932	53	192.168.2.14	1.1.1.1
Oct 8, 2024 10:02:57.667269945 CEST	53	55932	1.1.1.1	192.168.2.14
Oct 8, 2024 10:02:57.667330027 CEST	53	51227	1.1.1.1	192.168.2.14

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Oct 8, 2024 10:02:58.512265921 CEST	192.168.2.14	192.168.2.1	827a	(Port unreachable)	Destination Unreachable
Oct 8, 2024 10:04:18.526520967 CEST	192.168.2.14	192.168.2.1	827a	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 8, 2024 10:02:49.605722904 CEST	192.168.2.14	8.8.8.8	0x53db	Standard query (0)	fdh32fsdfhs.shop	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:02:57.659993887 CEST	192.168.2.14	1.1.1.1	0xb81e	Standard query (0)	daisy.ubuntu.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:02:57.660048008 CEST	192.168.2.14	1.1.1.1	0x23c5	Standard query (0)	daisy.ubuntu.com	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Oct 8, 2024 10:02:49.614809990 CEST	8.8.8.8	192.168.2.14	0x53db	No error (0)	fdh32fsdfhs.shop	93.123.39.116	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:02:57.667330027 CEST	1.1.1.1	192.168.2.14	0xb81e	No error (0)	daisy.ubuntu.com	162.213.35.24	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:02:57.667330027 CEST	1.1.1.1	192.168.2.14	0xb81e	No error (0)	daisy.ubuntu.com	162.213.35.25	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: na.elf PID: 5489, Parent PID: 5416

General

Start time (UTC):	08:02:48
Start date (UTC):	08/10/2024
Path:	/tmp/na.elf
Arguments:	/tmp/na.elf
File size:	51264 bytes
MD5 hash:	14e20246c5525fe85472eb6fb023d498

Chronological Activities

Analysis Process: na.elf PID: 5490, Parent PID: 5489

General

Start time (UTC):	08:02:48
Start date (UTC):	08/10/2024
Path:	/tmp/na.elf
Arguments:	-
File size:	51264 bytes
MD5 hash:	14e20246c5525fe85472eb6fb023d498

Chronological Activities

Analysis Process: na.elf PID: 5491, Parent PID: 5489

General

Start time (UTC):	08:02:48
Start date (UTC):	08/10/2024
Path:	/tmp/na.elf
Arguments:	-
File size:	51264 bytes
MD5 hash:	14e20246c5525fe85472eb6fb023d498

Chronological Activities

Analysis Process: udisksd PID: 5500, Parent PID: 803

General

Start time (UTC):	08:02:48
Start date (UTC):	08/10/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Chronological Activities

Analysis Process: dumpe2fs PID: 5500, Parent PID: 803

General

Start time (UTC):	08:02:48
Start date (UTC):	08/10/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Chronological Activities

Analysis Process: udisksd PID: 5552, Parent PID: 803

General

Start time (UTC):	08:02:48
Start date (UTC):	08/10/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Chronological Activities

Analysis Process: dumpe2fs PID: 5552, Parent PID: 803

General

Start time (UTC):	08:02:48
Start date (UTC):	08/10/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Chronological Activities

Analysis Process: systemd PID: 5560, Parent PID: 1

General

Start time (UTC):	08:02:48
Start date (UTC):	08/10/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: upowerd PID: 5560, Parent PID: 1

General

Start time (UTC):	08:02:48
Start date (UTC):	08/10/2024
Path:	/usr/lib/upower/upowerd
Arguments:	/usr/lib/upower/upowerd
File size:	260328 bytes
MD5 hash:	1253eea2fe5fe4017069664284e326cd

Chronological Activities

Analysis Process: gnome-session-binary PID: 5569, Parent PID: 1383

General

Start time (UTC):	08:02:48
Start date (UTC):	08/10/2024
Path:	/usr/libexec/gnome-session-binary
Arguments:	-
File size:	334664 bytes
MD5 hash:	d9b90be4f7db60cb3c2d3da6a1d31bfb

Chronological Activities

Analysis Process: sh PID: 5569, Parent PID: 1383

General

Start time (UTC):	08:02:48
Start date (UTC):	08/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-wacom
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gsd-wacom PID: 5569, Parent PID: 1383

General

Start time (UTC):	08:02:48
Start date (UTC):	08/10/2024
Path:	/usr/libexec/gsd-wacom
Arguments:	/usr/libexec/gsd-wacom
File size:	39520 bytes
MD5 hash:	13778dd1a23a4e94ddc17ac9caa4fcc1

Chronological Activities

Analysis Process: udisksd PID: 5571, Parent PID: 803

General

Start time (UTC):	08:02:48
Start date (UTC):	08/10/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Chronological Activities

Analysis Process: dumpe2fs PID: 5571, Parent PID: 803

General

Start time (UTC):	08:02:48
Start date (UTC):	08/10/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Chronological Activities

Analysis Process: xfce4-panel PID: 5585, Parent PID: 3172

General

Start time (UTC):	08:02:48
Start date (UTC):	08/10/2024
Path:	/usr/bin/xfce4-panel
Arguments:	-
File size:	375768 bytes
MD5 hash:	a15b657c7d54ac1385f1f15004ea6784

Chronological Activities

Analysis Process: wrapper-2.0 PID: 5585, Parent PID: 3172

General

Start time (UTC):	08:02:48
Start date (UTC):	08/10/2024
Path:	/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
Arguments:	/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libsystray.so 6 12582920 systray "Notification Area" "Area where notification icons appear"
File size:	35136 bytes
MD5 hash:	ac0b8a906f359a8ae102244738682e76

Chronological Activities

Analysis Process: gnome-session-binary PID: 5591, Parent PID: 1383

General

Start time (UTC):	08:02:48
Start date (UTC):	08/10/2024
Path:	/usr/libexec/gnome-session-binary
Arguments:	-
File size:	334664 bytes
MD5 hash:	d9b90be4f7db60cb3c2d3da6a1d31bfb

Chronological Activities

Analysis Process: sh PID: 5591, Parent PID: 1383

General

Start time (UTC):	08:02:48
Start date (UTC):	08/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-print-notifications
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gsd-print-notifications PID: 5591, Parent PID: 1383

General

Start time (UTC):	08:02:48
Start date (UTC):	08/10/2024
Path:	/usr/libexec/gsd-print-notifications
Arguments:	/usr/libexec/gsd-print-notifications
File size:	51840 bytes
MD5 hash:	71539698aa691718cee775d6b9450ae2

Chronological Activities

Analysis Process: gsd-print-notifications PID: 5808, Parent PID: 5591

General

Start time (UTC):	08:02:54
Start date (UTC):	08/10/2024
Path:	/usr/libexec/gsd-print-notifications
Arguments:	-
File size:	51840 bytes
MD5 hash:	71539698aa691718cee775d6b9450ae2

Chronological Activities

Analysis Process: gsd-print-notifications PID: 5809, Parent PID: 5808

General

Start time (UTC):	08:02:55
Start date (UTC):	08/10/2024
Path:	/usr/libexec/gsd-print-notifications
Arguments:	-
File size:	51840 bytes
MD5 hash:	71539698aa691718cee775d6b9450ae2

Chronological Activities

Analysis Process: gsd-printer PID: 5809, Parent PID: 1

General

Start time (UTC):	08:02:55
Start date (UTC):	08/10/2024
Path:	/usr/libexec/gsd-printer
Arguments:	/usr/libexec/gsd-printer
File size:	31120 bytes
MD5 hash:	7995828cf98c315fd55f2ffb3b22384d

Chronological Activities

Analysis Process: gnome-session-binary PID: 5600, Parent PID: 1383

General

Start time (UTC):	08:02:48
Start date (UTC):	08/10/2024
Path:	/usr/libexec/gnome-session-binary
Arguments:	-
File size:	334664 bytes
MD5 hash:	d9b90be4f7db60cb3c2d3da6a1d31bfb

Chronological Activities

Analysis Process: sh PID: 5600, Parent PID: 1383

General

Start time (UTC):	08:02:48
Start date (UTC):	08/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-screensaver-proxy
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gsd-screensaver-proxy PID: 5600, Parent PID: 1383

General

Start time (UTC):	08:02:49
Start date (UTC):	08/10/2024
Path:	/usr/libexec/gsd-screensaver-proxy
Arguments:	/usr/libexec/gsd-screensaver-proxy
File size:	27232 bytes
MD5 hash:	77e309450c87dceee43f1a9e50cc0d02

Chronological Activities

Analysis Process: xfce4-panel PID: 5604, Parent PID: 3172

General

Start time (UTC):	08:02:48
Start date (UTC):	08/10/2024
Path:	/usr/bin/xfce4-panel
Arguments:	-
File size:	375768 bytes
MD5 hash:	a15b657c7d54ac1385f1f15004ea6784

Chronological Activities

Analysis Process: wrapper-2.0 PID: 5604, Parent PID: 3172

General

Start time (UTC):	08:02:48
Start date (UTC):	08/10/2024
Path:	/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
Arguments:	/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libstatusnotifier.so 7 12582921 statusnotifier "Status Notifier Plugin" "Provides a panel area for status notifier items (application indicators)"
File size:	35136 bytes
MD5 hash:	ac0b8a906f359a8ae102244738682e76

Chronological Activities

Analysis Process: xfce4-panel PID: 5610, Parent PID: 3172

General

Start time (UTC):	08:02:48
Start date (UTC):	08/10/2024
Path:	/usr/bin/xfce4-panel
Arguments:	-
File size:	375768 bytes
MD5 hash:	a15b657c7d54ac1385f1f15004ea6784

Chronological Activities

Analysis Process: wrapper-2.0 PID: 5610, Parent PID: 3172

General

Start time (UTC):	08:02:48
Start date (UTC):	08/10/2024
Path:	/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
Arguments:	/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libpulseaudio-plugin.so 8 12582922 pulseaudio "PulseAudio Plugin" "Adjust the audio volume of the PulseAudio sound system"
File size:	35136 bytes
MD5 hash:	ac0b8a906f359a8ae102244738682e76

Chronological Activities

Analysis Process: gnome-session-binary PID: 5621, Parent PID: 1383

General

Start time (UTC):	08:02:48
Start date (UTC):	08/10/2024
Path:	/usr/libexec/gnome-session-binary
Arguments:	-
File size:	334664 bytes
MD5 hash:	d9b90be4f7db60cb3c2d3da6a1d31bfb

Chronological Activities

Analysis Process: sh PID: 5621, Parent PID: 1383

General

Start time (UTC):	08:02:48
Start date (UTC):	08/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-color
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gsd-color PID: 5621, Parent PID: 1383

General

Start time (UTC):	08:02:49
Start date (UTC):	08/10/2024
Path:	/usr/libexec/gsd-color
Arguments:	/usr/libexec/gsd-color
File size:	92832 bytes
MD5 hash:	ac2861ad93ce047283e8e87cefef9a19

Chronological Activities

Analysis Process: gnome-session-binary PID: 5627, Parent PID: 1383

General

Start time (UTC):	08:02:48
Start date (UTC):	08/10/2024
Path:	/usr/libexec/gnome-session-binary
Arguments:	-
File size:	334664 bytes
MD5 hash:	d9b90be4f7db60cb3c2d3da6a1d31bfb

Chronological Activities

Analysis Process: sh PID: 5627, Parent PID: 1383

General

Start time (UTC):	08:02:48
Start date (UTC):	08/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-rfkill
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gsd-rfkill PID: 5627, Parent PID: 1383

General

Start time (UTC):	08:02:49
Start date (UTC):	08/10/2024
Path:	/usr/libexec/gsd-rfkill
Arguments:	/usr/libexec/gsd-rfkill
File size:	51808 bytes
MD5 hash:	88a16a3c0aba1759358c06215ecfb5cc

Chronological Activities

Analysis Process: gdm-session-worker PID: 5629, Parent PID: 2946

General

Start time (UTC):	08:02:48
Start date (UTC):	08/10/2024
Path:	/usr/lib/gdm3/gdm-session-worker
Arguments:	-
File size:	293360 bytes
MD5 hash:	692243754bd9f38fe9bd7e230b5c060a

Chronological Activities

Analysis Process: Default PID: 5629, Parent PID: 2946

General

Start time (UTC):	08:02:48
Start date (UTC):	08/10/2024
Path:	/etc/gdm3/PostSession/Default
Arguments:	/etc/gdm3/PostSession/Default
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gnome-session-binary PID: 5630, Parent PID: 1383

General

Start time (UTC):	08:02:49
Start date (UTC):	08/10/2024
Path:	/usr/libexec/gnome-session-binary
Arguments:	-
File size:	334664 bytes
MD5 hash:	d9b90be4f7db60cb3c2d3da6a1d31bfb

Chronological Activities

Analysis Process: sh PID: 5630, Parent PID: 1383

General

Start time (UTC):	08:02:49
Start date (UTC):	08/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-a11y-settings
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gsd-a11y-settings PID: 5630, Parent PID: 1383

General

Start time (UTC):	08:02:49
Start date (UTC):	08/10/2024
Path:	/usr/libexec/gsd-a11y-settings
Arguments:	/usr/libexec/gsd-a11y-settings
File size:	23056 bytes
MD5 hash:	18e243d2cf30ecee7ea89d1462725c5c

Chronological Activities

Analysis Process: gnome-session-binary PID: 5631, Parent PID: 1383

General

Start time (UTC):	08:02:49
Start date (UTC):	08/10/2024
Path:	/usr/libexec/gnome-session-binary
Arguments:	-
File size:	334664 bytes
MD5 hash:	d9b90be4f7db60cb3c2d3da6a1d31bfb

Chronological Activities

Analysis Process: sh PID: 5631, Parent PID: 1383

General

Start time (UTC):	08:02:49
Start date (UTC):	08/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-smartcard
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gsd-smartcard PID: 5631, Parent PID: 1383

General

Start time (UTC):	08:02:49
Start date (UTC):	08/10/2024
Path:	/usr/libexec/gsd-smartcard
Arguments:	/usr/libexec/gsd-smartcard
File size:	109152 bytes
MD5 hash:	ea1fbd7f62e4cd0331eae2ef754ee605

Chronological Activities

Analysis Process: gnome-session-binary PID: 5632, Parent PID: 1383

General

Start time (UTC):	08:02:49
Start date (UTC):	08/10/2024
Path:	/usr/libexec/gnome-session-binary
Arguments:	-
File size:	334664 bytes
MD5 hash:	d9b90be4f7db60cb3c2d3da6a1d31bfb

Chronological Activities

Analysis Process: sh PID: 5632, Parent PID: 1383

General

Start time (UTC):	08:02:49
Start date (UTC):	08/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-media-keys
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gsd-media-keys PID: 5632, Parent PID: 1383

General

Start time (UTC):	08:02:50
Start date (UTC):	08/10/2024
Path:	/usr/libexec/gsd-media-keys
Arguments:	/usr/libexec/gsd-media-keys
File size:	232936 bytes
MD5 hash:	a425448c135afb4b8bfd79cc0b6b74da

Chronological Activities

Analysis Process: gdm3 PID: 5633, Parent PID: 1289

General

Start time (UTC):	08:02:49
Start date (UTC):	08/10/2024
Path:	/usr/sbin/gdm3
Arguments:	-
File size:	453296 bytes
MD5 hash:	2492e2d8d34f9377e3e530a61a15674f

Chronological Activities

Analysis Process: Default PID: 5633, Parent PID: 1289

General

Start time (UTC):	08:02:49
Start date (UTC):	08/10/2024
Path:	/etc/gdm3/PrimeOff/Default
Arguments:	/etc/gdm3/PrimeOff/Default
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gnome-session-binary PID: 5634, Parent PID: 1383

General

Start time (UTC):	08:02:49
Start date (UTC):	08/10/2024
Path:	/usr/libexec/gnome-session-binary
Arguments:	-
File size:	334664 bytes
MD5 hash:	d9b90be4f7db60cb3c2d3da6a1d31bfb

Chronological Activities

Analysis Process: sh PID: 5634, Parent PID: 1383

General

Start time (UTC):	08:02:49
Start date (UTC):	08/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-datetime
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gsd-datetime PID: 5634, Parent PID: 1383

General

Start time (UTC):	08:02:50
Start date (UTC):	08/10/2024
Path:	/usr/libexec/gsd-datetime
Arguments:	/usr/libexec/gsd-datetime
File size:	76736 bytes
MD5 hash:	d80d39745740de37d6634d36e344d4bc

Chronological Activities

Analysis Process: udisksd PID: 5635, Parent PID: 803

General

Start time (UTC):	08:02:49
Start date (UTC):	08/10/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Chronological Activities

Analysis Process: dumpe2fs PID: 5635, Parent PID: 803

General

Start time (UTC):	08:02:49
Start date (UTC):	08/10/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Chronological Activities

Analysis Process: gnome-session-binary PID: 5637, Parent PID: 1383

General

Start time (UTC):	08:02:49
Start date (UTC):	08/10/2024
Path:	/usr/libexec/gnome-session-binary
Arguments:	-
File size:	334664 bytes
MD5 hash:	d9b90be4f7db60cb3c2d3da6a1d31bfb

Chronological Activities

Analysis Process: sh PID: 5637, Parent PID: 1383

General

Start time (UTC):	08:02:49
Start date (UTC):	08/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-keyboard
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gsd-keyboard PID: 5637, Parent PID: 1383

General

Start time (UTC):	08:02:50
Start date (UTC):	08/10/2024
Path:	/usr/libexec/gsd-keyboard
Arguments:	/usr/libexec/gsd-keyboard
File size:	39760 bytes
MD5 hash:	8e288fd17c80bb0a1148b964b2ac2279

Chronological Activities

Analysis Process: gnome-session-binary PID: 5638, Parent PID: 1383

General

Start time (UTC):	08:02:50
Start date (UTC):	08/10/2024
Path:	/usr/libexec/gnome-session-binary
Arguments:	-
File size:	334664 bytes
MD5 hash:	d9b90be4f7db60cb3c2d3da6a1d31bfb

Chronological Activities

Analysis Process: sh PID: 5638, Parent PID: 1383

General

Start time (UTC):	08:02:50
Start date (UTC):	08/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-sound
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gsd-sound PID: 5638, Parent PID: 1383

General

Start time (UTC):	08:02:50
Start date (UTC):	08/10/2024
Path:	/usr/libexec/gsd-sound
Arguments:	/usr/libexec/gsd-sound
File size:	31248 bytes
MD5 hash:	4c7d3fb993463337b4a0eb5c80c760ee

Chronological Activities

Analysis Process: gnome-session-binary PID: 5639, Parent PID: 1383

General

Start time (UTC):	08:02:50
Start date (UTC):	08/10/2024
Path:	/usr/libexec/gnome-session-binary
Arguments:	-
File size:	334664 bytes
MD5 hash:	d9b90be4f7db60cb3c2d3da6a1d31bfb

Chronological Activities

Analysis Process: sh PID: 5639, Parent PID: 1383

General

Start time (UTC):	08:02:50
Start date (UTC):	08/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gsd-housekeeping PID: 5639, Parent PID: 1383

General

Start time (UTC):	08:02:50
Start date (UTC):	08/10/2024
Path:	/usr/libexec/gsd-housekeeping
Arguments:	/usr/libexec/gsd-housekeeping
File size:	51840 bytes
MD5 hash:	b55f3394a84976ddb92a2915e5d76914

Chronological Activities

Analysis Process: gnome-session-binary PID: 5640, Parent PID: 1383

General

Start time (UTC):	08:02:50
Start date (UTC):	08/10/2024
Path:	/usr/libexec/gnome-session-binary
Arguments:	-
File size:	334664 bytes
MD5 hash:	d9b90be4f7db60cb3c2d3da6a1d31bfb

Chronological Activities

Analysis Process: sh PID: 5640, Parent PID: 1383

General

Start time (UTC):	08:02:50
Start date (UTC):	08/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-power
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gsd-power PID: 5640, Parent PID: 1383

General

Start time (UTC):	08:02:50
Start date (UTC):	08/10/2024
Path:	/usr/libexec/gsd-power
Arguments:	/usr/libexec/gsd-power
File size:	88672 bytes
MD5 hash:	28b8e1b43c3e7f1db6741ea1ecd978b7

Chronological Activities

Analysis Process: udisksd PID: 5641, Parent PID: 803

General

Start time (UTC):	08:02:50
Start date (UTC):	08/10/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Chronological Activities

Analysis Process: dumpe2fs PID: 5641, Parent PID: 803

General

Start time (UTC):	08:02:50
Start date (UTC):	08/10/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Chronological Activities

Analysis Process: Xorg PID: 5642, Parent PID: 1371

General

Start time (UTC):	08:02:50
Start date (UTC):	08/10/2024
Path:	/usr/lib/xorg/Xorg
Arguments:	-
File size:	2448840 bytes
MD5 hash:	730cf4c45a7ee8bea88abf165463b7f8

Chronological Activities

Analysis Process: sh PID: 5642, Parent PID: 1371

General

Start time (UTC):	08:02:50
Start date (UTC):	08/10/2024
Path:	/bin/sh
Arguments:	sh -c "\"/usr/bin/xkbcomp\" -w 1 \"-R/usr/share/X11/xkb\" -xkm \"-\" -em1 \"The XKEYBOARD keymap compiler (xkbcomp) reports:\" -emp \"> \" -eml \"Errors from xkbcomp are not fatal to the X server\" \"/tmp/server-0.xkm\""
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5645, Parent PID: 5642

General

Start time (UTC):	08:02:50
Start date (UTC):	08/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: xkbcomp PID: 5645, Parent PID: 5642

General

Start time (UTC):	08:02:50
Start date (UTC):	08/10/2024
Path:	/usr/bin/xkbcomp
Arguments:	/usr/bin/xkbcomp -w 1 -R/usr/share/X11/xkb -xkm - -em1 "The XKEYBOARD keymap compiler (xkbcomp) reports:" -emp "> " -eml "Errors from xkbcomp are not fatal to the X server" /tmp/server-0.xkm
File size:	217184 bytes
MD5 hash:	c5f953aec4c00d2a1cc27acb75d62c9b

Chronological Activities

Analysis Process: udisksd PID: 5655, Parent PID: 803

General

Start time (UTC):	08:02:51
Start date (UTC):	08/10/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Chronological Activities

Analysis Process: dumpe2fs PID: 5655, Parent PID: 803

General

Start time (UTC):	08:02:52
Start date (UTC):	08/10/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Chronological Activities

Analysis Process: udisksd PID: 5664, Parent PID: 803

General

Start time (UTC):	08:02:53
Start date (UTC):	08/10/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Chronological Activities

Analysis Process: dumpe2fs PID: 5664, Parent PID: 803

General

Start time (UTC):	08:02:53
Start date (UTC):	08/10/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Chronological Activities

Analysis Process: systemd PID: 5670, Parent PID: 1

General

Start time (UTC):	08:02:54
Start date (UTC):	08/10/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: systemd-hostnamed PID: 5670, Parent PID: 1

General

Start time (UTC):	08:02:54
Start date (UTC):	08/10/2024
Path:	/lib/systemd/systemd-hostnamed
Arguments:	/lib/systemd/systemd-hostnamed
File size:	35040 bytes
MD5 hash:	2cc8a5576629a2d5bd98e49a4b8bef65

Chronological Activities

Analysis Process: udisksd PID: 5804, Parent PID: 803

General

Start time (UTC):	08:02:54
Start date (UTC):	08/10/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Chronological Activities

Analysis Process: dumpe2fs PID: 5804, Parent PID: 803

General

Start time (UTC):	08:02:54
Start date (UTC):	08/10/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Chronological Activities

Analysis Process: Xorg PID: 5812, Parent PID: 1371

General

Start time (UTC):	08:02:56
Start date (UTC):	08/10/2024
Path:	/usr/lib/xorg/Xorg
Arguments:	-
File size:	2448840 bytes
MD5 hash:	730cf4c45a7ee8bea88abf165463b7f8

Chronological Activities

Analysis Process: sh PID: 5812, Parent PID: 1371

General

Start time (UTC):	08:02:56
Start date (UTC):	08/10/2024
Path:	/bin/sh
Arguments:	sh -c "\"/usr/bin/xkbcomp\" -w 1 \"-R/usr/share/X11/xkb\" -xkm \"-\" -em1 \"The XKEYBOARD keymap compiler (xkbcomp) reports:\" -emp \"> \" -eml \"Errors from xkbcomp are not fatal to the X server\" \"/tmp/server-0.xkm\""
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5813, Parent PID: 5812

General

Start time (UTC):	08:02:56
Start date (UTC):	08/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: xkbcomp PID: 5813, Parent PID: 5812

General

Start time (UTC):	08:02:56
Start date (UTC):	08/10/2024
Path:	/usr/bin/xkbcomp
Arguments:	/usr/bin/xkbcomp -w 1 -R/usr/share/X11/xkb -xkm - -em1 "The XKEYBOARD keymap compiler (xkbcomp) reports:" -emp "> " -eml "Errors from xkbcomp are not fatal to the X server" /tmp/server-0.xkm
File size:	217184 bytes
MD5 hash:	c5f953aec4c00d2a1cc27acb75d62c9b

Chronological Activities

Analysis Process: systemd PID: 5826, Parent PID: 1

General

Start time (UTC):	08:02:58
Start date (UTC):	08/10/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: systemd-user-runtime-dir PID: 5826, Parent PID: 1

General

Start time (UTC):	08:02:58
Start date (UTC):	08/10/2024
Path:	/lib/systemd/systemd-user-runtime-dir
Arguments:	/lib/systemd/systemd-user-runtime-dir stop 1000
File size:	22672 bytes
MD5 hash:	d55f4b0847f88131dbcfb07435178e54

Chronological Activities

Analysis Process: systemd PID: 5856, Parent PID: 1

General

Start time (UTC):	08:03:02
Start date (UTC):	08/10/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: colord PID: 5856, Parent PID: 1

General

Start time (UTC):	08:03:02
Start date (UTC):	08/10/2024
Path:	/usr/libexec/colord
Arguments:	/usr/libexec/colord
File size:	346632 bytes
MD5 hash:	70861d1b2818c9279cd4a5c9035dac1f

Chronological Activities

Analysis Process: colord PID: 5877, Parent PID: 5856

General

Start time (UTC):	08:03:08
Start date (UTC):	08/10/2024
Path:	/usr/libexec/colord
Arguments:	-
File size:	346632 bytes
MD5 hash:	70861d1b2818c9279cd4a5c9035dac1f

Chronological Activities

Analysis Process: colord-sane PID: 5877, Parent PID: 5856

General

Start time (UTC):	08:03:08
Start date (UTC):	08/10/2024
Path:	/usr/libexec/colord-sane
Arguments:	/usr/libexec/colord-sane
File size:	18736 bytes
MD5 hash:	5f98d754a07bf1385c3ff001cde3882e

Chronological Activities

Analysis Process: systemd PID: 5857, Parent PID: 1

General

Start time (UTC):	08:03:02
Start date (UTC):	08/10/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: accounts-daemon PID: 5857, Parent PID: 1

General

Start time (UTC):	08:03:02
Start date (UTC):	08/10/2024
Path:	/usr/lib/accountsservice/accounts-daemon
Arguments:	/usr/lib/accountsservice/accounts-daemon
File size:	203192 bytes
MD5 hash:	01a899e3fb5e7e434bea1290255a1f30

Chronological Activities

Analysis Process: accounts-daemon PID: 5867, Parent PID: 5857

General

Start time (UTC):	08:03:04
Start date (UTC):	08/10/2024
Path:	/usr/lib/accountsservice/accounts-daemon
Arguments:	-
File size:	203192 bytes
MD5 hash:	01a899e3fb5e7e434bea1290255a1f30

Chronological Activities

Analysis Process: language-validate PID: 5867, Parent PID: 5857

General

Start time (UTC):	08:03:04
Start date (UTC):	08/10/2024
Path:	/usr/share/language-tools/language-validate
Arguments:	/usr/share/language-tools/language-validate en_US.UTF-8
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: language-validate PID: 5868, Parent PID: 5867

General

Start time (UTC):	08:03:04
Start date (UTC):	08/10/2024
Path:	/usr/share/language-tools/language-validate
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: language-options PID: 5868, Parent PID: 5867

General

Start time (UTC):	08:03:04
Start date (UTC):	08/10/2024
Path:	/usr/share/language-tools/language-options
Arguments:	/usr/share/language-tools/language-options
File size:	3478464 bytes
MD5 hash:	16a21f464119ea7fad1d3660de963637

Chronological Activities

Analysis Process: language-options PID: 5870, Parent PID: 5868

General

Start time (UTC):	08:03:05
Start date (UTC):	08/10/2024
Path:	/usr/share/language-tools/language-options
Arguments:	-
File size:	3478464 bytes
MD5 hash:	16a21f464119ea7fad1d3660de963637

Chronological Activities

Analysis Process: sh PID: 5870, Parent PID: 5868

General

Start time (UTC):	08:03:05
Start date (UTC):	08/10/2024
Path:	/bin/sh
Arguments:	sh -c "locale -a \| grep -F .utf8 "
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5871, Parent PID: 5870

General

Start time (UTC):	08:03:05
Start date (UTC):	08/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: locale PID: 5871, Parent PID: 5870

General

Start time (UTC):	08:03:05
Start date (UTC):	08/10/2024
Path:	/usr/bin/locale
Arguments:	locale -a
File size:	58944 bytes
MD5 hash:	c72a78792469db86d91369c9057f20d2

Chronological Activities

Analysis Process: sh PID: 5872, Parent PID: 5870

General

Start time (UTC):	08:03:05
Start date (UTC):	08/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: grep PID: 5872, Parent PID: 5870

General

Start time (UTC):	08:03:05
Start date (UTC):	08/10/2024
Path:	/usr/bin/grep
Arguments:	grep -F .utf8
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Chronological Activities

Analysis Process: systemd PID: 5882, Parent PID: 1

General

Start time (UTC):	08:03:09
Start date (UTC):	08/10/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: systemd-localed PID: 5882, Parent PID: 1

General

Start time (UTC):	08:03:09
Start date (UTC):	08/10/2024
Path:	/lib/systemd/systemd-localed
Arguments:	/lib/systemd/systemd-localed
File size:	43232 bytes
MD5 hash:	1244af9646256d49594f2a8203329aa9

Chronological Activities

Analysis Process: gdm3 PID: 6014, Parent PID: 1289

General

Start time (UTC):	08:03:10
Start date (UTC):	08/10/2024
Path:	/usr/sbin/gdm3
Arguments:	-
File size:	453296 bytes
MD5 hash:	2492e2d8d34f9377e3e530a61a15674f

Chronological Activities

Analysis Process: Default PID: 6014, Parent PID: 1289

General

Start time (UTC):	08:03:10
Start date (UTC):	08/10/2024
Path:	/etc/gdm3/PrimeOff/Default
Arguments:	/etc/gdm3/PrimeOff/Default
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gdm3 PID: 6015, Parent PID: 1289

General

Start time (UTC):	08:03:10
Start date (UTC):	08/10/2024
Path:	/usr/sbin/gdm3
Arguments:	-
File size:	453296 bytes
MD5 hash:	2492e2d8d34f9377e3e530a61a15674f

Chronological Activities

Analysis Process: Default PID: 6015, Parent PID: 1289

General

Start time (UTC):	08:03:10
Start date (UTC):	08/10/2024
Path:	/etc/gdm3/PrimeOff/Default
Arguments:	/etc/gdm3/PrimeOff/Default
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: systemd PID: 6023, Parent PID: 1

General

Start time (UTC):	08:03:20
Start date (UTC):	08/10/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: systemd-user-runtime-dir PID: 6023, Parent PID: 1

General

Start time (UTC):	08:03:20
Start date (UTC):	08/10/2024
Path:	/lib/systemd/systemd-user-runtime-dir
Arguments:	/lib/systemd/systemd-user-runtime-dir stop 127
File size:	22672 bytes
MD5 hash:	d55f4b0847f88131dbcfb07435178e54

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.
Tactics:	Impact
Data Sources:	Command: Command Execution, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Termination, Service: Service Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report na.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Process Tree

Malware Threat Intel

Yara Signatures

Initial Sample

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/run/user/127/dconf/user

/tmp/server-0.xkm

/var/lib/AccountsService/users/gdm.65HBV2

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: na.elf PID: 5489, Parent PID: 5416

General

Chronological Activities

Analysis Process: na.elf PID: 5490, Parent PID: 5489

General

Chronological Activities

Analysis Process: na.elf PID: 5491, Parent PID: 5489

General

Chronological Activities

Analysis Process: udisksd PID: 5500, Parent PID: 803

General

Chronological Activities

Analysis Process: dumpe2fs PID: 5500, Parent PID: 803

General

Linux Analysis Report
na.elf