Edit tour

Linux Analysis Report
Aqua.arm5.elf

Overview

General Information

Sample name:	Aqua.arm5.elf
Analysis ID:	1581813
MD5:	035c27cc6ca3feb2e173031bb2577abe
SHA1:	a84eef5d979eec2320eea81c2f8305239f0a39cb
SHA256:	fe80d019b7f3b0413f2886f89b5fa01a4385afcbd3386862ab8507db003beabc
Tags:	elfuser-abuse_ch
Infos:

Detection

Score:	76
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Reads system files that contain records of logged in users

Sample deletes itself

Sample reads /proc/mounts (often used for finding a writable filesystem)

Sample tries to kill multiple processes (SIGKILL)

Sends malformed DNS queries

Creates hidden files and/or directories

Deletes log files

Detected TCP or UDP traffic on non-standard ports

Enumerates processes within the "proc" file system

Executes commands using a shell command-line interpreter

Executes the "grep" command used to find patterns in files or piped streams

Executes the "kill" or "pkill" command typically used to terminate processes

Found strings indicative of a multi-platform dropper

HTTP GET or POST without a user agent

Reads CPU information from /sys indicative of miner or evasive malware

Reads the 'hosts' file potentially containing internal network hosts

Sample has stripped symbol table

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Sample tries to set the executable flag

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581813
Start date and time:	2024-12-29 02:07:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	Aqua.arm5.elf
Detection:	MAL
Classification:	mal76.spre.troj.evad.linELF@0/26@65/0

Warnings

Connection to analysis system has been lost, crash info: Unknown
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Runtime Messages

Command:	/tmp/Aqua.arm5.elf
PID:	6238
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	about to cum inside a femboy btw
Standard Error:

Process Tree

system is lnxubuntu20

Aqua.arm5.elf (PID: 6238, Parent: 6162, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/Aqua.arm5.elf

Aqua.arm5.elf New Fork (PID: 6240, Parent: 6238)

Aqua.arm5.elf New Fork (PID: 6242, Parent: 6240)

gnome-session-binary New Fork (PID: 6244, Parent: 1477)

sh (PID: 6244, Parent: 1477, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-rfkill

gsd-rfkill (PID: 6244, Parent: 1477, MD5: 88a16a3c0aba1759358c06215ecfb5cc) Arguments: /usr/libexec/gsd-rfkill

systemd New Fork (PID: 6249, Parent: 1)

systemd-hostnamed (PID: 6249, Parent: 1, MD5: 2cc8a5576629a2d5bd98e49a4b8bef65) Arguments: /lib/systemd/systemd-hostnamed

gdm3 New Fork (PID: 6397, Parent: 1320)

Default (PID: 6397, Parent: 1320, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default

gdm3 New Fork (PID: 6401, Parent: 1320)

Default (PID: 6401, Parent: 1320, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default

systemd New Fork (PID: 6413, Parent: 1)

dbus-daemon (PID: 6413, Parent: 1, MD5: 3089d47e3f3ab84cd81c48fd406d7a8c) Arguments: /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only

systemd New Fork (PID: 6415, Parent: 1)

rsyslogd (PID: 6415, Parent: 1, MD5: 0b8087fc907c42eb3c81a691db258e33) Arguments: /usr/sbin/rsyslogd -n -iNONE

systemd New Fork (PID: 6416, Parent: 1860)

pulseaudio (PID: 6416, Parent: 1860, MD5: 0c3b4c789d8ffb12b25507f27e14c186) Arguments: /usr/bin/pulseaudio --daemonize=no --log-target=journal

gvfsd-fuse New Fork (PID: 6421, Parent: 2038)

fusermount (PID: 6421, Parent: 2038, MD5: 576a1b135c82bdcbc97a91acea900566) Arguments: fusermount -u -q -z -- /run/user/1000/gvfs

systemd New Fork (PID: 6434, Parent: 1)

systemd-logind (PID: 6434, Parent: 1, MD5: 8dd58a1b4c12f7a1d5fe3ce18b2aaeef) Arguments: /lib/systemd/systemd-logind

systemd New Fork (PID: 6441, Parent: 1)

rtkit-daemon (PID: 6441, Parent: 1, MD5: df0cacf1db4ec95ac70f5b6e06b8ffd7) Arguments: /usr/libexec/rtkit-daemon

gdm3 New Fork (PID: 6494, Parent: 1320)

Default (PID: 6494, Parent: 1320, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default

systemd New Fork (PID: 6497, Parent: 1)

dbus-daemon (PID: 6497, Parent: 1, MD5: 3089d47e3f3ab84cd81c48fd406d7a8c) Arguments: /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only

systemd New Fork (PID: 6500, Parent: 1)

rsyslogd (PID: 6500, Parent: 1, MD5: 0b8087fc907c42eb3c81a691db258e33) Arguments: /usr/sbin/rsyslogd -n -iNONE

systemd New Fork (PID: 6505, Parent: 1)

gpu-manager (PID: 6505, Parent: 1, MD5: 8fae9dd5dd67e1f33d873089c2fd8761) Arguments: /usr/bin/gpu-manager --log /var/log/gpu-manager.log

gpu-manager New Fork (PID: 6506, Parent: 6505)

sh (PID: 6506, Parent: 6505, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"

sh New Fork (PID: 6507, Parent: 6506)

grep (PID: 6507, Parent: 6506, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf

gpu-manager New Fork (PID: 6508, Parent: 6505)

sh (PID: 6508, Parent: 6505, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"

sh New Fork (PID: 6509, Parent: 6508)

grep (PID: 6509, Parent: 6508, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf

gpu-manager New Fork (PID: 6511, Parent: 6505)

sh (PID: 6511, Parent: 6505, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"

sh New Fork (PID: 6512, Parent: 6511)

grep (PID: 6512, Parent: 6511, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf

gpu-manager New Fork (PID: 6514, Parent: 6505)

sh (PID: 6514, Parent: 6505, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf"

sh New Fork (PID: 6515, Parent: 6514)

grep (PID: 6515, Parent: 6514, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf

gpu-manager New Fork (PID: 6516, Parent: 6505)

sh (PID: 6516, Parent: 6505, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf"

sh New Fork (PID: 6517, Parent: 6516)

grep (PID: 6517, Parent: 6516, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*amdgpu[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf

gpu-manager New Fork (PID: 6518, Parent: 6505)

sh (PID: 6518, Parent: 6505, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /lib/modprobe.d/*.conf"

sh New Fork (PID: 6519, Parent: 6518)

grep (PID: 6519, Parent: 6518, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*amdgpu[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf

gpu-manager New Fork (PID: 6521, Parent: 6505)

sh (PID: 6521, Parent: 6505, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /etc/modprobe.d/*.conf"

sh New Fork (PID: 6522, Parent: 6521)

grep (PID: 6522, Parent: 6521, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*nouveau[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf

gpu-manager New Fork (PID: 6523, Parent: 6505)

sh (PID: 6523, Parent: 6505, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /lib/modprobe.d/*.conf"

sh New Fork (PID: 6524, Parent: 6523)

grep (PID: 6524, Parent: 6523, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*nouveau[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf

systemd New Fork (PID: 6525, Parent: 1)

generate-config (PID: 6525, Parent: 1, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /usr/share/gdm/generate-config

generate-config New Fork (PID: 6526, Parent: 6525)

pkill (PID: 6526, Parent: 6525, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill --signal HUP --uid gdm dconf-service

systemd New Fork (PID: 6529, Parent: 1)

gdm-wait-for-drm (PID: 6529, Parent: 1, MD5: 82043ba752c6930b4e6aaea2f7747545) Arguments: /usr/lib/gdm3/gdm-wait-for-drm

systemd New Fork (PID: 6535, Parent: 1)

dbus-daemon (PID: 6535, Parent: 1, MD5: 3089d47e3f3ab84cd81c48fd406d7a8c) Arguments: /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only

systemd New Fork (PID: 6536, Parent: 1)

rsyslogd (PID: 6536, Parent: 1, MD5: 0b8087fc907c42eb3c81a691db258e33) Arguments: /usr/sbin/rsyslogd -n -iNONE

systemd New Fork (PID: 6543, Parent: 1)

systemd-logind (PID: 6543, Parent: 1, MD5: 8dd58a1b4c12f7a1d5fe3ce18b2aaeef) Arguments: /lib/systemd/systemd-logind

systemd New Fork (PID: 6606, Parent: 1)

gdm3 (PID: 6606, Parent: 1, MD5: 2492e2d8d34f9377e3e530a61a15674f) Arguments: /usr/sbin/gdm3

gdm3 New Fork (PID: 6609, Parent: 6606)

plymouth (PID: 6609, Parent: 6606, MD5: 87003efd8dad470042f5e75360a8f49f) Arguments: plymouth --ping

gdm3 New Fork (PID: 6623, Parent: 6606)

gdm-session-worker (PID: 6623, Parent: 6606, MD5: 692243754bd9f38fe9bd7e230b5c060a) Arguments: "gdm-session-worker [pam/gdm-launch-environment]"

gdm-session-worker New Fork (PID: 6627, Parent: 6623)

gdm-wayland-session (PID: 6627, Parent: 6623, MD5: d3def63cf1e83f7fb8a0f13b1744ff7c) Arguments: /usr/lib/gdm3/gdm-wayland-session "dbus-run-session -- gnome-session --autostart /usr/share/gdm/greeter/autostart"

gdm-wayland-session New Fork (PID: 6629, Parent: 6627)

dbus-daemon (PID: 6629, Parent: 6627, MD5: 3089d47e3f3ab84cd81c48fd406d7a8c) Arguments: dbus-daemon --print-address 3 --session

dbus-daemon New Fork (PID: 6631, Parent: 6629)

dbus-daemon New Fork (PID: 6632, Parent: 6631)

false (PID: 6632, Parent: 6631, MD5: 3177546c74e4f0062909eae43d948bfc) Arguments: /bin/false

gdm-wayland-session New Fork (PID: 6633, Parent: 6627)

dbus-run-session (PID: 6633, Parent: 6627, MD5: 245f3ef6a268850b33b0225a8753b7f4) Arguments: dbus-run-session -- gnome-session --autostart /usr/share/gdm/greeter/autostart

dbus-run-session New Fork (PID: 6634, Parent: 6633)

dbus-daemon (PID: 6634, Parent: 6633, MD5: 3089d47e3f3ab84cd81c48fd406d7a8c) Arguments: dbus-daemon --nofork --print-address 4 --session

gdm3 New Fork (PID: 6637, Parent: 6606)

Default (PID: 6637, Parent: 6606, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default

gdm3 New Fork (PID: 6638, Parent: 6606)

Default (PID: 6638, Parent: 6606, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default

systemd New Fork (PID: 6610, Parent: 1)

accounts-daemon (PID: 6610, Parent: 1, MD5: 01a899e3fb5e7e434bea1290255a1f30) Arguments: /usr/lib/accountsservice/accounts-daemon

accounts-daemon New Fork (PID: 6614, Parent: 6610)

language-validate (PID: 6614, Parent: 6610, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /usr/share/language-tools/language-validate en_US.UTF-8

language-validate New Fork (PID: 6615, Parent: 6614)

language-options (PID: 6615, Parent: 6614, MD5: 16a21f464119ea7fad1d3660de963637) Arguments: /usr/share/language-tools/language-options

language-options New Fork (PID: 6616, Parent: 6615)

sh (PID: 6616, Parent: 6615, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "locale -a | grep -F .utf8 "

sh New Fork (PID: 6617, Parent: 6616)

locale (PID: 6617, Parent: 6616, MD5: c72a78792469db86d91369c9057f20d2) Arguments: locale -a

sh New Fork (PID: 6618, Parent: 6616)

grep (PID: 6618, Parent: 6616, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -F .utf8

systemd New Fork (PID: 6619, Parent: 1)

polkitd (PID: 6619, Parent: 1, MD5: 8efc9b4b5b524210ad2ea1954a9d0e69) Arguments: /usr/lib/policykit-1/polkitd --no-debug

systemd New Fork (PID: 6668, Parent: 1860)

dbus-daemon (PID: 6668, Parent: 1860, MD5: 3089d47e3f3ab84cd81c48fd406d7a8c) Arguments: /usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only

systemd New Fork (PID: 6673, Parent: 1860)

pulseaudio (PID: 6673, Parent: 1860, MD5: 0c3b4c789d8ffb12b25507f27e14c186) Arguments: /usr/bin/pulseaudio --daemonize=no --log-target=journal

systemd New Fork (PID: 6674, Parent: 1)

rtkit-daemon (PID: 6674, Parent: 1, MD5: df0cacf1db4ec95ac70f5b6e06b8ffd7) Arguments: /usr/libexec/rtkit-daemon

cleanup

HTTP traffic detected: POST /9aadafe2051348cd32033e1cad68f0a5fe46fba3240ac1e6e42158f31b8a1371790c09baf3996b4979fe8e533446c7dedf30f654c68b25357334c66911dc6a9e HTTP/1.1Host: daisy.ubuntu.comAccept: */*Content-Type: application/octet-streamX-Whoopsie-Version: 0.2.69ubuntu0.3Content-Length: 164887Expect: 100-continue

Source: /usr/sbin/rsyslogd (PID: 6415)	Reads hosts file: /etc/hosts	Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6500)	Reads hosts file: /etc/hosts	Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6536)	Reads hosts file: /etc/hosts	Jump to behavior

Source: /usr/sbin/gdm3 (PID: 6606)	Socket: unknown address family			Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6629)	Socket: unknown address family			Jump to behavior

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145

Source: global traffic	DNS traffic detected: DNS query: raw.intenseapi.com
Source: global traffic	DNS traffic detected: DNS query: raw.intenseapi.com. [malformed]
Source: global traffic	DNS traffic detected: DNS query: daisy.ubuntu.com

Source: unknown

Source: syslog.92.dr, syslog.45.dr, syslog.29.dr

String found in binary or memory: https://www.rsyslog.com

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53122
Source: unknown	Network traffic detected: HTTP traffic on port 53122 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Sample tries to kill multiple processes (SIGKILL)

Source: /tmp/Aqua.arm5.elf (PID: 6242)	SIGKILL sent: pid: 1638, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	SIGKILL sent: pid: 6244, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	SIGKILL sent: pid: 658, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	SIGKILL sent: pid: 720, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	SIGKILL sent: pid: 721, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	SIGKILL sent: pid: 772, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	SIGKILL sent: pid: 774, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	SIGKILL sent: pid: 777, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	SIGKILL sent: pid: 785, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	SIGKILL sent: pid: 793, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	SIGKILL sent: pid: 936, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	SIGKILL sent: pid: 1320, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	SIGKILL sent: pid: 1344, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	SIGKILL sent: pid: 1886, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	SIGKILL sent: pid: 1983, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	SIGKILL sent: pid: 2048, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	SIGKILL sent: pid: 6224, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	SIGKILL sent: pid: 6225, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	SIGKILL sent: pid: 6413, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	SIGKILL sent: pid: 6414, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	SIGKILL sent: pid: 6415, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	SIGKILL sent: pid: 6416, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	SIGKILL sent: pid: 1335, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	SIGKILL sent: pid: 1872, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	SIGKILL sent: pid: 6497, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	SIGKILL sent: pid: 6500, result: successful	Jump to behavior

Source: ELF static info symbol of initial sample

.symtab present: no

Source: /tmp/Aqua.arm5.elf (PID: 6242)	SIGKILL sent: pid: 1638, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	SIGKILL sent: pid: 6244, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	SIGKILL sent: pid: 658, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	SIGKILL sent: pid: 720, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	SIGKILL sent: pid: 721, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	SIGKILL sent: pid: 772, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	SIGKILL sent: pid: 774, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	SIGKILL sent: pid: 777, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	SIGKILL sent: pid: 785, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	SIGKILL sent: pid: 793, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	SIGKILL sent: pid: 936, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	SIGKILL sent: pid: 1320, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	SIGKILL sent: pid: 1344, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	SIGKILL sent: pid: 1886, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	SIGKILL sent: pid: 1983, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	SIGKILL sent: pid: 2048, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	SIGKILL sent: pid: 6224, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	SIGKILL sent: pid: 6225, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	SIGKILL sent: pid: 6413, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	SIGKILL sent: pid: 6414, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	SIGKILL sent: pid: 6415, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	SIGKILL sent: pid: 6416, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	SIGKILL sent: pid: 1335, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	SIGKILL sent: pid: 1872, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	SIGKILL sent: pid: 6497, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	SIGKILL sent: pid: 6500, result: successful	Jump to behavior

Source: classification engine

Classification label: mal76.spre.troj.evad.linELF@0/26@65/0

Persistence and Installation Behavior

Sample reads /proc/mounts (often used for finding a writable filesystem)

Source: /usr/bin/dbus-daemon (PID: 6413)	File: /proc/6413/mounts	Jump to behavior
Source: /bin/fusermount (PID: 6421)	File: /proc/6421/mounts	Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6497)	File: /proc/6497/mounts	Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6535)	File: /proc/6535/mounts	Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6629)	File: /proc/6629/mounts	Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6634)	File: /proc/6634/mounts	Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6668)	File: /proc/6668/mounts	Jump to behavior

Source: /usr/libexec/gsd-rfkill (PID: 6244)	Directory: <invalid fd (9)>/..	Jump to behavior
Source: /usr/libexec/gsd-rfkill (PID: 6244)	Directory: <invalid fd (8)>/..	Jump to behavior
Source: /lib/systemd/systemd-hostnamed (PID: 6249)	Directory: <invalid fd (10)>/..	Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6434)	Directory: <invalid fd (18)>/..	Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6434)	Directory: <invalid fd (17)>/..	Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6434)	File: /run/systemd/seats/.#seat0iaQypH	Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6543)	Directory: <invalid fd (18)>/..	Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6543)	Directory: <invalid fd (17)>/..	Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6543)	File: /run/systemd/seats/.#seat0wtqFrX	Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6543)	File: /run/systemd/users/.#127OQMe4X	Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6543)	File: /run/systemd/users/.#127mAcU4X	Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6543)	File: /run/systemd/seats/.#seat0V3krPW	Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6543)	File: /run/systemd/users/.#127hz8mwX	Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6543)	File: /run/systemd/users/.#127VJImMU	Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6543)	File: /run/systemd/users/.#127DOhXhW	Jump to behavior
Source: /usr/lib/gdm3/gdm-wayland-session (PID: 6627)	Directory: /var/lib/gdm3/.cache	Jump to behavior
Source: /usr/lib/accountsservice/accounts-daemon (PID: 6610)	Directory: /var/lib/gdm3/.pam_environment	Jump to behavior
Source: /usr/lib/accountsservice/accounts-daemon (PID: 6610)	Directory: /root/.cache	Jump to behavior
Source: /usr/lib/policykit-1/polkitd (PID: 6619)	Directory: /root/.cache	Jump to behavior

Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/1582/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/3088/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/3088/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/230/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/230/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/230/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/230/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/110/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/110/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/110/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/110/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/231/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/231/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/231/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/231/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/111/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/111/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/111/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/111/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/232/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/232/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/232/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/232/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/1579/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/112/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/112/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/112/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/112/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/233/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/233/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/233/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/233/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/1699/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/113/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/113/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/113/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/113/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/234/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/234/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/234/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/234/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/1335/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/1335/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/1335/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/1335/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/1698/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/114/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/114/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/114/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/114/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/235/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/235/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/235/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/235/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/1334/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/1334/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/1334/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/1334/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/1576/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/2302/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/2302/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/2302/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/2302/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/115/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/115/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/115/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/115/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/236/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/236/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/236/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/236/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/116/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/116/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/116/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/116/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/237/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/237/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/237/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/237/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/117/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/117/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/117/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/117/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/118/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/118/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/118/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/118/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/910/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/910/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/910/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/910/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/119/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/119/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/119/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/119/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/912/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/10/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/10/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/10/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/10/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/2307/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/11/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/11/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/11/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6242)	File opened: /proc/11/stat	Jump to behavior

Source: /usr/bin/gpu-manager (PID: 6506)	Shell command executed: sh -c "grep -G \"^blacklist.nvidia[[:space:]]$\" /etc/modprobe.d/*.conf"	Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6508)	Shell command executed: sh -c "grep -G \"^blacklist.nvidia[[:space:]]$\" /lib/modprobe.d/*.conf"	Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6511)	Shell command executed: sh -c "grep -G \"^blacklist.radeon[[:space:]]$\" /etc/modprobe.d/*.conf"	Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6514)	Shell command executed: sh -c "grep -G \"^blacklist.radeon[[:space:]]$\" /lib/modprobe.d/*.conf"	Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6516)	Shell command executed: sh -c "grep -G \"^blacklist.amdgpu[[:space:]]$\" /etc/modprobe.d/*.conf"	Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6518)	Shell command executed: sh -c "grep -G \"^blacklist.amdgpu[[:space:]]$\" /lib/modprobe.d/*.conf"	Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6521)	Shell command executed: sh -c "grep -G \"^blacklist.nouveau[[:space:]]$\" /etc/modprobe.d/*.conf"	Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6523)	Shell command executed: sh -c "grep -G \"^blacklist.nouveau[[:space:]]$\" /lib/modprobe.d/*.conf"	Jump to behavior
Source: /usr/share/language-tools/language-options (PID: 6616)	Shell command executed: sh -c "locale -a \| grep -F .utf8 "	Jump to behavior

Source: /bin/sh (PID: 6507)	Grep executable: /usr/bin/grep -> grep -G ^blacklist.nvidia[[:space:]]$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf	Jump to behavior
Source: /bin/sh (PID: 6509)	Grep executable: /usr/bin/grep -> grep -G ^blacklist.nvidia[[:space:]]$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf	Jump to behavior
Source: /bin/sh (PID: 6512)	Grep executable: /usr/bin/grep -> grep -G ^blacklist.radeon[[:space:]]$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf	Jump to behavior
Source: /bin/sh (PID: 6515)	Grep executable: /usr/bin/grep -> grep -G ^blacklist.radeon[[:space:]]$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf	Jump to behavior
Source: /bin/sh (PID: 6517)	Grep executable: /usr/bin/grep -> grep -G ^blacklist.amdgpu[[:space:]]$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf	Jump to behavior
Source: /bin/sh (PID: 6519)	Grep executable: /usr/bin/grep -> grep -G ^blacklist.amdgpu[[:space:]]$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf	Jump to behavior
Source: /bin/sh (PID: 6522)	Grep executable: /usr/bin/grep -> grep -G ^blacklist.nouveau[[:space:]]$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf	Jump to behavior
Source: /bin/sh (PID: 6524)	Grep executable: /usr/bin/grep -> grep -G ^blacklist.nouveau[[:space:]]$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf	Jump to behavior
Source: /bin/sh (PID: 6618)	Grep executable: /usr/bin/grep -> grep -F .utf8	Jump to behavior

Source: /usr/share/gdm/generate-config (PID: 6526)

Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service

Jump to behavior

Source: /usr/sbin/gdm3 (PID: 6606)	File: /var/run/gdm3 (bits: - usr: -x grp: x all: rwx)	Jump to behavior
Source: /usr/sbin/gdm3 (PID: 6606)	File: /var/log/gdm3 (bits: - usr: -x grp: x all: rwx)	Jump to behavior
Source: /usr/lib/accountsservice/accounts-daemon (PID: 6610)	File: /var/lib/AccountsService/icons (bits: - usr: rx grp: rwx all: rwx)	Jump to behavior
Source: /usr/lib/accountsservice/accounts-daemon (PID: 6610)	File: /var/lib/AccountsService/users (bits: - usr: - grp: - all: rwx)	Jump to behavior

Source: /usr/sbin/rsyslogd (PID: 6415)	Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6415)	Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 6500)	Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 6500)	Log file created: /var/log/kern.log
Source: /usr/bin/gpu-manager (PID: 6505)	Log file created: /var/log/gpu-manager.log	Jump to dropped file
Source: /usr/sbin/rsyslogd (PID: 6536)	Log file created: /var/log/kern.log	Jump to dropped file
Source: /usr/sbin/rsyslogd (PID: 6536)	Log file created: /var/log/auth.log	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Sample deletes itself

Source: /tmp/Aqua.arm5.elf (PID: 6240)

File: /tmp/Aqua.arm5.elf

Jump to behavior

Source: /usr/bin/gpu-manager (PID: 6505)

Truncated file: /var/log/gpu-manager.log

Jump to behavior

Source: /usr/bin/pkill (PID: 6526)	Reads CPU info from /sys: /sys/devices/system/cpu/online			Jump to behavior
Source: /usr/bin/pulseaudio (PID: 6673)	Reads CPU info from /sys: /sys/devices/system/cpu/online			Jump to behavior

Source: /tmp/Aqua.arm5.elf (PID: 6238)	Queries kernel information via 'uname':	Jump to behavior
Source: /lib/systemd/systemd-hostnamed (PID: 6249)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6415)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6500)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6505)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6536)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/lib/gdm3/gdm-session-worker (PID: 6623)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/pulseaudio (PID: 6673)	Queries kernel information via 'uname':	Jump to behavior

Source: Aqua.arm5.elf, 6238.1.00007ffe4c385000.00007ffe4c3a6000.rw-.sdmp	Binary or memory string: /tmp/qemu-open.PP5vlS
Source: Aqua.arm5.elf, 6238.1.00007ffe4c385000.00007ffe4c3a6000.rw-.sdmp	Binary or memory string: U/tmp/qemu-open.PP5vlS:U>l
Source: Aqua.arm5.elf, 6238.1.000055be7052b000.000055be70659000.rw-.sdmp, Aqua.arm5.elf, 6242.1.000055be7052b000.000055be70659000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/arm
Source: syslog.29.dr	Binary or memory string: Dec 28 19:07:54 galassia kernel: [ 419.828647] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 12/12/2018
Source: Aqua.arm5.elf, 6238.1.00007ffe4c385000.00007ffe4c3a6000.rw-.sdmp, Aqua.arm5.elf, 6242.1.00007ffe4c385000.00007ffe4c3a6000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/Aqua.arm5.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/Aqua.arm5.elf
Source: Aqua.arm5.elf, 6238.1.000055be7052b000.000055be70659000.rw-.sdmp, Aqua.arm5.elf, 6242.1.000055be7052b000.000055be70659000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: Aqua.arm5.elf, 6238.1.00007ffe4c385000.00007ffe4c3a6000.rw-.sdmp, Aqua.arm5.elf, 6242.1.00007ffe4c385000.00007ffe4c3a6000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm
Source: syslog.29.dr	Binary or memory string: Dec 28 19:07:54 galassia kernel: [ 419.828611] Modules linked in: monitor(OE) md4 cmac cifs libarc4 fscache libdes vmw_vsock_vmci_transport vsock binfmt_misc dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua vmw_balloon joydev input_leds serio_raw vmw_vmci sch_fq_codel drm parport_pc ppdev lp parport ip_tables x_tables autofs4 btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel crypto_simd cryptd glue_helper psmouse ahci mptspi vmxnet3 scsi_transport_spi mptscsih libahci mptbase
Source: Aqua.arm5.elf, 6242.1.00007ffe4c385000.00007ffe4c3a6000.rw-.sdmp	Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped

Language, Device and Operating System Detection

Reads system files that contain records of logged in users

Source: /usr/lib/accountsservice/accounts-daemon (PID: 6610)

Logged in records file read: /var/log/wtmp

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	2 Scripting	Valid Accounts	Windows Management Instrumentation	2 Scripting	Path Interception	1 File and Directory Permissions Modification	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 Service Stop
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	1 System Owner/User Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Hidden Files and Directories	Security Account Manager	11 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Indicator Removal	NTDS	1 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 File Deletion	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Aqua.arm5.elf	50%	ReversingLabs	Linux.Backdoor.Mirai
Aqua.arm5.elf	100%	Avira	EXP/ELF.Mirai.W

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
raw.intenseapi.com	193.200.78.37	true	false	high
daisy.ubuntu.com	162.213.35.24	true	false	high
raw.intenseapi.com. [malformed]	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://daisy.ubuntu.com/9aadafe2051348cd32033e1cad68f0a5fe46fba3240ac1e6e42158f31b8a1371790c09baf3996b4979fe8e533446c7dedf30f654c68b25357334c66911dc6a9e	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.rsyslog.com	syslog.92.dr, syslog.45.dr, syslog.29.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
162.213.35.25	unknown	United States	41231	CANONICAL-ASGB	false
193.200.78.37	raw.intenseapi.com	Switzerland	29496	LINK-SERVICE-ASUA	false
89.190.156.145	unknown	United Kingdom	7489	HOSTUS-GLOBAL-ASHostUSHK	false
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
162.213.35.25	Aqua.mips.elf	Get hash	malicious	Unknown	Browse
	kqibeps.elf	Get hash	malicious	Mirai	Browse
	wlw68k.elf	Get hash	malicious	Mirai	Browse
	x86_64.elf	Get hash	malicious	Gafgyt	Browse
	Aqua.m68k.elf	Get hash	malicious	Unknown	Browse
	wiewa64.elf	Get hash	malicious	Mirai	Browse
	wrjkngh4.elf	Get hash	malicious	Mirai	Browse
	vwkjebwi686.elf	Get hash	malicious	Mirai	Browse
	dwhdbg.elf	Get hash	malicious	Mirai	Browse
	Aqua.arm7.elf	Get hash	malicious	Mirai	Browse
193.200.78.37	Aqua.dbg.elf	Get hash	malicious	Unknown	Browse
	Aqua.arm5.elf	Get hash	malicious	Unknown	Browse
	Aqua.mips.elf	Get hash	malicious	Unknown	Browse
	Aqua.x86_64.elf	Get hash	malicious	Unknown	Browse
	Aqua.x86.elf	Get hash	malicious	Unknown	Browse
	Aqua.x86.elf	Get hash	malicious	Unknown	Browse
	Aqua.mpsl.elf	Get hash	malicious	Unknown	Browse
	Aqua.arm7.elf	Get hash	malicious	Mirai	Browse
	Aqua.spc.elf	Get hash	malicious	Unknown	Browse
	Aqua.i686.elf	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
raw.intenseapi.com	Aqua.dbg.elf	Get hash	malicious	Unknown	Browse	193.200.78.37
	Aqua.mips.elf	Get hash	malicious	Unknown	Browse	193.200.78.37
	Aqua.x86_64.elf	Get hash	malicious	Unknown	Browse	193.200.78.37
	Aqua.mpsl.elf	Get hash	malicious	Unknown	Browse	193.200.78.37
	Aqua.spc.elf	Get hash	malicious	Unknown	Browse	193.200.78.37
daisy.ubuntu.com	Aqua.mips.elf	Get hash	malicious	Unknown	Browse	162.213.35.24
	Aqua.x86.elf	Get hash	malicious	Unknown	Browse	162.213.35.25
	db0fa4b8db0333367e9bda3ab68b8042.mips.elf	Get hash	malicious	Unknown	Browse	162.213.35.25
	Aqua.arm7.elf	Get hash	malicious	Mirai	Browse	162.213.35.25
	Aqua.spc.elf	Get hash	malicious	Unknown	Browse	162.213.35.25
	boatnet.arm7.elf	Get hash	malicious	Mirai	Browse	162.213.35.25
	boatnet.spc.elf	Get hash	malicious	Mirai	Browse	162.213.35.25
	45.200.149.186-boatnet.mpsl-2024-12-28T01_23_00.elf	Get hash	malicious	Mirai	Browse	162.213.35.25
	45.200.149.186-boatnet.arm7-2024-12-28T01_23_01.elf	Get hash	malicious	Mirai	Browse	162.213.35.24
	45.200.149.186-boatnet.x86-2024-12-28T01_22_59.elf	Get hash	malicious	Mirai	Browse	162.213.35.25

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CANONICAL-ASGB	ppc.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	Aqua.arm6.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	Aqua.dbg.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	Aqua.arm5.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	Aqua.mips.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	Aqua.x86.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	Aqua.x86.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	Aqua.arm7.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	Aqua.spc.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	arm6.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
LINK-SERVICE-ASUA	Aqua.dbg.elf	Get hash	malicious	Unknown	Browse	193.200.78.37
	Aqua.arm5.elf	Get hash	malicious	Unknown	Browse	193.200.78.37
	Aqua.mips.elf	Get hash	malicious	Unknown	Browse	193.200.78.37
	Aqua.x86_64.elf	Get hash	malicious	Unknown	Browse	193.200.78.37
	Aqua.x86.elf	Get hash	malicious	Unknown	Browse	193.200.78.37
	Aqua.x86.elf	Get hash	malicious	Unknown	Browse	193.200.78.37
	Aqua.mpsl.elf	Get hash	malicious	Unknown	Browse	193.200.78.37
	Aqua.arm7.elf	Get hash	malicious	Mirai	Browse	193.200.78.37
	Aqua.spc.elf	Get hash	malicious	Unknown	Browse	193.200.78.37
	Aqua.i686.elf	Get hash	malicious	Unknown	Browse	193.200.78.37

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

/home/saturnino/.config/pulse/ee49dfd4fa47433baee88884e2d7de7c-default-sink

Download File

Process:	/usr/bin/pulseaudio
File Type:	ASCII text
Category:	dropped
Size (bytes):	10
Entropy (8bit):	2.9219280948873623
Encrypted:	false
SSDEEP:	3:5bkPn:pkP
MD5:	FF001A15CE15CF062A3704CEA2991B5F
SHA1:	B06F6855F376C3245B82212AC73ADED55DFE5DEF
SHA-256:	C54830B41ECFA1B6FBDC30397188DDA86B7B200E62AEAC21AE694A6192DCC38A
SHA-512:	65EBF7C31F6F65713CE01B38A112E97D0AE64A6BD1DA40CE4C1B998F10CD3912EE1A48BB2B279B24493062118AAB3B8753742E2AF28E56A31A7AAB27DE80E7BF
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	auto_null.

/home/saturnino/.config/pulse/ee49dfd4fa47433baee88884e2d7de7c-default-source

Download File

Process:	/usr/bin/pulseaudio
File Type:	ASCII text
Category:	dropped
Size (bytes):	18
Entropy (8bit):	3.4613201402110088
Encrypted:	false
SSDEEP:	3:5bkrIZsXvn:pkckv
MD5:	28FE6435F34B3367707BB1C5D5F6B430
SHA1:	EB8FE2D16BD6BBCCE106C94E4D284543B2573CF6
SHA-256:	721A37C69E555799B41D308849E8F8125441883AB021B723FED90A9B744F36C0
SHA-512:	6B6AB7C0979629D0FEF6BE47C5C6BCC367EDD0AAE3FC973F4DE2FD5F0A819C89E7656DB65D453B1B5398E54012B27EDFE02894AD87A7E0AF3A9C5F2EB24A9919
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	auto_null.monitor.

/proc/6632/oom_score_adj

Download File

Process:	/usr/bin/dbus-daemon
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:V:V
MD5:	CFCD208495D565EF66E7DFF9F98764DA
SHA1:	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA-256:	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SHA-512:	31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
Malicious:	false
Reputation:	high, very likely benign file
Preview:	0

/run/gdm3.pid

Download File

Process:	/usr/sbin/gdm3
File Type:	ASCII text
Category:	dropped
Size (bytes):	5
Entropy (8bit):	1.3709505944546687
Encrypted:	false
SSDEEP:	3:p:p
MD5:	D4DA9E3A9B86115D97B41354A2254DF2
SHA1:	C1E6F1090295C5EC074182FBC0CD3E5E414398F1
SHA-256:	9DA32A79A729F5DFEE4B29AF99EC968FFA0BFF765A59C670F99DA54E6180F5B9
SHA-512:	0BF9655A55E8A2F8632B75897597EAB8C1BEBB735E0AD4BE6B7B20764F12ED422584466E0BD7CF1BB490DDDF68F60BBD50BC7A99271F6D1F24FDB70CC3D36175
Malicious:	false
Reputation:	low
Preview:	6606.

/run/systemd/seats/.#seat0V3krPW

Download File

Process:	/lib/systemd/systemd-logind
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.957035419463244
Encrypted:	false
SSDEEP:	3:SbFVVmFyinKMsuH47rLg205vmLUbr+ugKQ2KwshcXSv:SbFuFyLwH47Pg20ggWunQ2rNXc
MD5:	66D114877B3B4DB3BDD8A3AD4F5E7421
SHA1:	62E0CB0F51E0E3F97BE251CB917968DFF69ED344
SHA-256:	A922628916A7DDBE2BAA33F421C82250527EA3C28E429749353A1C75C0C18860
SHA-512:	5651247FA236DCF020A3C8456E4A9A74A85C5B9B3CCE94A3CF8F85FD4D66465C9F97DF7A1822E6CA4553C02BE149F3021D58DCC0C8CB6DCF37F915BD0A158187
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	# This is private data. Do not parse..IS_SEAT0=1.CAN_MULTI_SESSION=1.CAN_TTY=1.CAN_GRAPHICAL=0.SESSIONS=c1.UIDS=127.

/run/systemd/seats/.#seat0iaQypH

Download File

Process:	/lib/systemd/systemd-logind
File Type:	ASCII text
Category:	dropped
Size (bytes):	95
Entropy (8bit):	4.921230646592726
Encrypted:	false
SSDEEP:	3:SbFVVmFyinKMsuH47rLg205vmLUbr+v:SbFuFyLwH47Pg20ggWv
MD5:	BE58CCABC942125F5E27AF6EB1BA2F88
SHA1:	07C20F55E36EE48869B223B8FC4DBC227C7353AC
SHA-256:	551B1D1C8E5953D5D0CF49C83C1568E2FBEF8BDDB69903B3DA82240B777B4629
SHA-512:	E5A270995FDE80530927E0BACD3BF76EE820C968AABD55D2E34579326F388AFD6DE7FB8C5D54F69D3F6AC30A5B587FD3B0456FC60326E7DF4F45789A900D046C
Malicious:	false
Preview:	# This is private data. Do not parse..IS_SEAT0=1.CAN_MULTI_SESSION=1.CAN_TTY=1.CAN_GRAPHICAL=0.

/run/systemd/seats/.#seat0wtqFrX

Download File

Process:	/lib/systemd/systemd-logind
File Type:	ASCII text
Category:	dropped
Size (bytes):	95
Entropy (8bit):	4.921230646592726
Encrypted:	false
SSDEEP:	3:SbFVVmFyinKMsuH47rLg205vmLUbr+v:SbFuFyLwH47Pg20ggWv
MD5:	BE58CCABC942125F5E27AF6EB1BA2F88
SHA1:	07C20F55E36EE48869B223B8FC4DBC227C7353AC
SHA-256:	551B1D1C8E5953D5D0CF49C83C1568E2FBEF8BDDB69903B3DA82240B777B4629
SHA-512:	E5A270995FDE80530927E0BACD3BF76EE820C968AABD55D2E34579326F388AFD6DE7FB8C5D54F69D3F6AC30A5B587FD3B0456FC60326E7DF4F45789A900D046C
Malicious:	false
Preview:	# This is private data. Do not parse..IS_SEAT0=1.CAN_MULTI_SESSION=1.CAN_TTY=1.CAN_GRAPHICAL=0.

/run/systemd/users/.#127DOhXhW

Download File

Process:	/lib/systemd/systemd-logind
File Type:	ASCII text
Category:	dropped
Size (bytes):	223
Entropy (8bit):	5.475218344633375
Encrypted:	false
SSDEEP:	6:SbFuFyL3BVgdL87ynAir/0Ixff6VWgnt6MGx/:qgFq30dABibBIWgnIr
MD5:	E40CB07EF6D27DA5E2E25A0D54F0B33C
SHA1:	476EB53EB59FDA653C1F087E8F45EAB3A20777DB
SHA-256:	E2FAE397FD7E8698D08715303F21E28DAF6D0BA9E9A1783939808FBDF00009BD
SHA-512:	BF794D26AAAA10BCFEEC6DAF1D8312C0232967576FDC34447EA2A125DA1092A00C0851B2B2E91068E689BABB9319FE0CA072CF0DE6D865EC6D05EFADE14FF443
Malicious:	false
Preview:	# This is private data. Do not parse..NAME=gdm.STATE=closing.STOPPING=yes.RUNTIME=/run/user/127.SERVICE_JOB=/org/freedesktop/systemd1/job/12823.REALTIME=1735434493397036.MONOTONIC=438487547.LAST_SESSION_TIMESTAMP=438556422.

/run/systemd/users/.#127OQMe4X

Download File

Process:	/lib/systemd/systemd-logind
File Type:	ASCII text
Category:	dropped
Size (bytes):	188
Entropy (8bit):	4.928997328913428
Encrypted:	false
SSDEEP:	3:SbFVVmFyinKMs5BuSgVuMI2sKiYiesnAv/XS12K2hwEY8mTQ2pJi22sQ2KkmD2pi:SbFuFyL3BVgVuR257iesnAi12thQc2p4
MD5:	065A3AD1A34A9903F536410ECA748105
SHA1:	21CD684DF60D569FA96EEEB66A0819EAC1B2B1A4
SHA-256:	E80554BF0FF4E32C61D4FA3054F8EFB27A26F1C37C91AE4EA94445C400693941
SHA-512:	DB3C42E893640BAEE9F0001BDE6E93ED40CC33198AC2B47328F577D3C71E2C2E986AAAFEF5BD8ADBC639B5C24ADF715D87034AE24B697331FF6FEC5962630064
Malicious:	false
Preview:	# This is private data. Do not parse..NAME=gdm.STATE=opening.STOPPING=no.RUNTIME=/run/user/127.SESSIONS=c1.SEATS=seat0.ACTIVE_SESSIONS=.ONLINE_SESSIONS=c1.ACTIVE_SEATS=.ONLINE_SEATS=seat0.

/run/systemd/users/.#127VJImMU

Download File

Process:	/lib/systemd/systemd-logind
File Type:	ASCII text
Category:	dropped
Size (bytes):	174
Entropy (8bit):	5.3109095007648275
Encrypted:	false
SSDEEP:	3:SbFVVmFyinKMs5BuSgdNR2sKiYiesnAv/XSHxJgA5x4EW206qoduGx/:SbFuFyL3BVgdL87iesnAiRJgnt6MGx/
MD5:	C148439837D73024875F89D59661726F
SHA1:	EE33215765A35FFE57A1D1FD9805BD2620D8441B
SHA-256:	2A55AA0A339CEC8CD8658BA7BF3979CE682BE14BD8543E09C80190D32086482A
SHA-512:	2440105A3C6F1F372B3D80C4893C724EEC9CCFEF197C8899351E4C929600C27CC1B113ADC276117D1E8AA6F9D9B39D84EB4686F4458709C4AB044C1E2D7CB574
Malicious:	false
Preview:	# This is private data. Do not parse..NAME=gdm.STATE=closing.STOPPING=no.RUNTIME=/run/user/127.REALTIME=1735434493397036.MONOTONIC=438487547.LAST_SESSION_TIMESTAMP=438556422.

/run/systemd/users/.#127hz8mwX

Download File

Process:	/lib/systemd/systemd-logind
File Type:	ASCII text
Category:	dropped
Size (bytes):	282
Entropy (8bit):	5.3086673536049
Encrypted:	false
SSDEEP:	6:SbFuFyL3BVgVuR257iesnAir/0Ixff69gM2thQc2pb02/g2p9rwB:qgFq30VuR8L/ibBeg3thQHtPYq9M
MD5:	1119F9ECE7E726D08C5E689804E2CC25
SHA1:	CF1F8A4A18C37423AC40FB61EDB0F3D73BC2D41D
SHA-256:	48E97D2B38270F0AA3DF68E1170C4B6E8DB229AE1F7819A47C457D10C31F6380
SHA-512:	9E131B32981DAEC246B7D7BF74CA8A689F1C87F6DBF6D7B665D8C59A38895BCD260EB62FB2918D2451E886C79577839487405B9F98867761A01162A0AB281963
Malicious:	false
Preview:	# This is private data. Do not parse..NAME=gdm.STATE=opening.STOPPING=no.RUNTIME=/run/user/127.SERVICE_JOB=/org/freedesktop/systemd1/job/12761.REALTIME=1735434493397036.MONOTONIC=438487547.SESSIONS=c1.SEATS=seat0.ACTIVE_SESSIONS=.ONLINE_SESSIONS=c1.ACTIVE_SEATS=.ONLINE_SEATS=seat0.

/run/systemd/users/.#127mAcU4X

Download File

Process:	/lib/systemd/systemd-logind
File Type:	ASCII text
Category:	dropped
Size (bytes):	282
Entropy (8bit):	5.3086673536049
Encrypted:	false
SSDEEP:	6:SbFuFyL3BVgVuR257iesnAir/0Ixff69gM2thQc2pb02/g2p9rwB:qgFq30VuR8L/ibBeg3thQHtPYq9M
MD5:	1119F9ECE7E726D08C5E689804E2CC25
SHA1:	CF1F8A4A18C37423AC40FB61EDB0F3D73BC2D41D
SHA-256:	48E97D2B38270F0AA3DF68E1170C4B6E8DB229AE1F7819A47C457D10C31F6380
SHA-512:	9E131B32981DAEC246B7D7BF74CA8A689F1C87F6DBF6D7B665D8C59A38895BCD260EB62FB2918D2451E886C79577839487405B9F98867761A01162A0AB281963
Malicious:	false
Preview:	# This is private data. Do not parse..NAME=gdm.STATE=opening.STOPPING=no.RUNTIME=/run/user/127.SERVICE_JOB=/org/freedesktop/systemd1/job/12761.REALTIME=1735434493397036.MONOTONIC=438487547.SESSIONS=c1.SEATS=seat0.ACTIVE_SESSIONS=.ONLINE_SESSIONS=c1.ACTIVE_SEATS=.ONLINE_SEATS=seat0.

/run/user/1000/pulse/pid

Download File

Process:	/usr/bin/pulseaudio
File Type:	ASCII text
Category:	dropped
Size (bytes):	5
Entropy (8bit):	1.9219280948873623
Encrypted:	false
SSDEEP:	3:9vn:Nn
MD5:	289B54A4D30E2078EB146569B16A47E6
SHA1:	37682CAFF1B08FC2CC12AC1C2BB846E9CFE49D37
SHA-256:	EDCA54B01E931195FD893E0716AE8D7EF548DEB8193BD1079C6C692B0EDE5EC2
SHA-512:	B607685FF96C00E6F8259A4100B3F0A6F724A7A24BB6BA72BF0D1463C87C0C4A61BD681437DE27BDD9D8547C23C3F03752735412E6E65538E9947866C34F943D
Malicious:	false
Preview:	6673.

/tmp/qemu-open.PP5vlS (deleted)

Download File

Process:	/tmp/Aqua.arm5.elf
File Type:	data
Category:	dropped
Size (bytes):	29
Entropy (8bit):	4.1162646156680225
Encrypted:	false
SSDEEP:	3:Tg0wV8HJN:TguJN
MD5:	4544A7679D740EEB693F73BE3B914EA6
SHA1:	D464EFA50C50C678F92B3527D32F733EE193E9FD
SHA-256:	BF8D67FE4A6830DF4F7C4EFDF835D627B7AC41C686A405ECBEBE1D58FE741A08
SHA-512:	828DBECBB143E5502FE6FE8B1CA67AFE4FAB9DFD02B0C9EEDFB648166A3F5CE4B2BC5927852CDC277B1D25B80431CCB2C637536B17D834AA3DA53B7926330024
Malicious:	false
Preview:	/tmp/Aqua.arm5.elf.nwlrbbmqbh

/var/lib/AccountsService/users/gdm.VRCKZ2

Download File

Process:	/usr/lib/accountsservice/accounts-daemon
File Type:	ASCII text
Category:	dropped
Size (bytes):	61
Entropy (8bit):	4.66214589518167
Encrypted:	false
SSDEEP:	3:urzMQvNT+PzKLrAan4R8AKn:gzMQIzKLrAa4M
MD5:	542BA3FB41206AE43928AF1C5E61FEBC
SHA1:	F56F574DAF50D609526B36B5B54FDD59EA4D6A26
SHA-256:	730D9509D4EAA7266829A8F5A8CFEBA6BBDDD5873FC2BD580AD464F4A237E11A
SHA-512:	D774B8F191A5C65228D1B3CA1181701CFCD07A3D91C5571B0DDF32AD3E241C2D7BDFC0697AB97DC10441EF9CDC8AEE5B19BC34E13E5C8B0B91AD06EEF42F5AEA
Malicious:	false
Preview:	[User].XSession=.Icon=/var/lib/gdm3/.face.SystemAccount=true.

/var/lib/ubuntu-drivers-common/last_gfx_boot

Download File

Process:	/usr/bin/gpu-manager
File Type:	ASCII text
Category:	dropped
Size (bytes):	25
Entropy (8bit):	2.7550849518197795
Encrypted:	false
SSDEEP:	3:JoT/V9fDVbn:M/V3n
MD5:	078760523943E160756979906B85FB5E
SHA1:	0962643266F4C5537F7D125046F28F21D6DD0C89
SHA-256:	048416AC7A9A99690B8B53718CD39F32F637B55CC8DD8E67E58E5AEF060DD41C
SHA-512:	DEFAAE8F8B54C61A716A0B0B4884358FEB8EB44DFEA01AAA5A687FDA7182792B7DEBB34AA840672EB3B40EB59FD0186749E08E47D181786C7FAA8C8F73F0104D
Malicious:	false
Preview:	15ad:0405;0000:00:0f:0;1.

/var/log/auth.log

Download File

Process:	/usr/sbin/rsyslogd
File Type:	ASCII text
Category:	dropped
Size (bytes):	1537
Entropy (8bit):	4.956525673171144
Encrypted:	false
SSDEEP:	24:STZeauTZ4BuZGuF+FmeFPAvCPA2+VUg0pYrZJrbrCQU:G4vC4fVUPYrXrbrCn
MD5:	A07D94202949EA4E637BCC43E1B26BB9
SHA1:	FAA64A625C07DFCE90A6863116F8859401472BC2
SHA-256:	354AD9FDA266F3C6C1B8260F15CFDA98D300AE5871FE55F782BAEF12E1EFD11A
SHA-512:	77188D9236A62E7F0D949517DDFD84D88F31B25D9CD0D20CC86D7C25AB31815D830C522EFCD280A87D269DB44B6C11B9C86D0A093102988DCA14D75D87AF325B
Malicious:	false
Preview:	Dec 28 19:08:07 galassia systemd-logind[6543]: Failed to add user by file name 1000, ignoring: Invalid argument.Dec 28 19:08:07 galassia systemd-logind[6543]: Failed to add user by file name 127, ignoring: Invalid argument.Dec 28 19:08:07 galassia systemd-logind[6543]: User enumeration failed: Invalid argument.Dec 28 19:08:07 galassia systemd-logind[6543]: User of session 2 not known..Dec 28 19:08:07 galassia systemd-logind[6543]: User of session c1 not known..Dec 28 19:08:07 galassia systemd-logind[6543]: Session enumeration failed: No such file or directory.Dec 28 19:08:08 galassia systemd-logind[6543]: Watching system buttons on /dev/input/event0 (Power Button).Dec 28 19:08:08 galassia systemd-logind[6543]: Watching system buttons on /dev/input/event1 (AT Translated Set 2 keyboard).Dec 28 19:08:08 galassia systemd-logind[6543]: New seat seat0..Dec 28 19:08:13 galassia gdm-launch-environment]: pam_unix(gdm-launch-environment:session): session opened for user gdm by (uid=0).Dec 28 19:

/var/log/gpu-manager.log

Download File

Process:	/usr/bin/gpu-manager
File Type:	ASCII text
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	4.8296848499188485
Encrypted:	false
SSDEEP:	24:wPXXX9uV6BNu3WDF3GF3XFFxFFed2uk2HUvJlfWkpPpx7uvvAdow9555cJz:wPXXXe6vejpeC2HUR5WkpPpcvAdow95O
MD5:	3AF77E630DA00B3BE24F4E8AA5D78B13
SHA1:	BCF2D99E002F6DE2413A183227B011CFBEF5673D
SHA-256:	EB1CBBA20845237B4409274D693FEAE13F835274DA3337B7A9D14F4D7FDF9DEA
SHA-512:	8524B1E8A761F962B32F396812099B9B0B2DCF3C9FCA8605424753CFCFF4DC67EDC5EE1D8C91B9C0ED7FAE6BB1E752898B8D514B7C421D1839D6FEDA609C593C
Malicious:	false
Preview:	log_file: /var/log/gpu-manager.log.last_boot_file: /var/lib/ubuntu-drivers-common/last_gfx_boot.new_boot_file: /var/lib/ubuntu-drivers-common/last_gfx_boot.can't access /run/u-d-c-nvidia-was-loaded file.can't get module info via kmodcan't access /opt/amdgpu-pro/bin/amdgpu-pro-px.Looking for nvidia modules in /lib/modules/5.4.0-72-generic/kernel.Looking for nvidia modules in /lib/modules/5.4.0-72-generic/updates/dkms.Looking for amdgpu modules in /lib/modules/5.4.0-72-generic/kernel.Looking for amdgpu modules in /lib/modules/5.4.0-72-generic/updates/dkms.Is nvidia loaded? no.Was nvidia unloaded? no.Is nvidia blacklisted? no.Is intel loaded? no.Is radeon loaded? no.Is radeon blacklisted? no.Is amdgpu loaded? no.Is amdgpu blacklisted? no.Is amdgpu versioned? no.Is amdgpu pro stack? no.Is nouveau loaded? no.Is nouveau blacklisted? no.Is nvidia kernel module available? no.Is amdgpu kernel module available? no.Vendor/Device Id: 15ad:405.BusID "PCI:0@0:15:0".Is boot vga? yes.Error: can't acce

/var/log/kern.log

Download File

Process:	/usr/sbin/rsyslogd
File Type:	ASCII text
Category:	dropped
Size (bytes):	4716
Entropy (8bit):	4.693120256189967
Encrypted:	false
SSDEEP:	48:lBtlZs64ag3dT+LqJi4fO+rLMOcw5wNbkuS70SBBELeVb2P1BDP1PU/TUAXVWeOH:TqJqbtnkZSNX3WPIIbUWq
MD5:	B068ABAAEF4E4F8EBBF4B2196E9B0EAD
SHA1:	6C92948ECF28C86967E22F31E5AF41C932CBD8DE
SHA-256:	B169302B0A2624DFB5492F85F129A83A1176EAECC082F913CA5DC7ACDA7075AB
SHA-512:	E2F2CE657D4366AAD65D8CC99A8315B02A72F7482CAE4A67820B2674CD47EC99CE43E5D32BB9779204C293C379BF835116F3AED9B7496ED5F3EBF15251C6E9FA
Malicious:	false
Preview:	Dec 28 19:08:06 galassia kernel: [ 430.398002] blocking signal 9: 6242 -> 2048.Dec 28 19:08:06 galassia kernel: [ 430.835182] New task spawned: old: (tgid 6533, tid 6533), new (tgid: 6533, tid: 6534).Dec 28 19:08:06 galassia kernel: [ 431.070017] New task spawned: old: (tgid 6536, tid 6536), new (tgid: 6536, tid: 6537).Dec 28 19:08:06 galassia kernel: [ 431.070135] New task spawned: old: (tgid 6536, tid 6536), new (tgid: 6536, tid: 6538).Dec 28 19:08:06 galassia kernel: [ 431.072802] New task spawned: old: (tgid 6536, tid 6537), new (tgid: 6536, tid: 6539).Dec 28 19:08:06 galassia kernel: [ 431.500929] New task spawned: old: (tgid 6533, tid 6533), new (tgid: 6533, tid: 6540).Dec 28 19:08:07 galassia kernel: [ 431.832609] New task spawned: old: (tgid 6533, tid 6533), new (tgid: 6533, tid: 6600).Dec 28 19:08:11 galassia kernel: [ 432.412875] New task spawned: old: (tgid 6533, tid 6533), new (tgid: 6533, tid: 6603).Dec 28 19:08:11 galassia kernel: [ 435.877459] New task spawned:

/var/log/syslog

Download File

Process:	/usr/sbin/rsyslogd
File Type:	ASCII text, with very long lines (317)
Category:	dropped
Size (bytes):	26395
Entropy (8bit):	5.027844722497958
Encrypted:	false
SSDEEP:	768:Hi5dR+qEWLXSgUWONZbI+Q2jNVxJsqI8OF2vbRvPgxtX03KziPMJdzSEw+sWKghK:HiX3Lt+Q2jNVxJsqI8OF2vbRvPgxtX0l
MD5:	C1414D8D5E69F2CF58C62F5BE0B7FAAF
SHA1:	4BE25528E0D2FDC307F0C7096F9DBDDF395DBF8B
SHA-256:	9E5811AFB07C7F07DFFC50D8645642F981FABB218D177578CAABDCC3B335521B
SHA-512:	959E689D7187F7C92D15426C83B68800AD018444A4949A844B4A489E5BB90CEF957249945E2616BDAE5E5646C51AD56444E94CCEF973381683C1B7987F3C3F09
Malicious:	false
Preview:	Dec 28 19:08:05 galassia systemd[1]: whoopsie.service: Scheduled restart job, restart counter is at 3..Dec 28 19:08:05 galassia systemd[1]: Stopped crash report submission daemon..Dec 28 19:08:05 galassia systemd[1]: Started crash report submission daemon..Dec 28 19:08:05 galassia systemd[1]: rsyslog.service: Main process exited, code=killed, status=9/KILL.Dec 28 19:08:05 galassia systemd[1]: rsyslog.service: Failed with result 'signal'..Dec 28 19:08:05 galassia whoopsie[6533]: [19:08:05] Using lock path: /var/lock/whoopsie/lock.Dec 28 19:08:05 galassia systemd[1]: rsyslog.service: Scheduled restart job, restart counter is at 3..Dec 28 19:08:05 galassia systemd[1]: Started D-Bus System Message Bus..Dec 28 19:08:05 galassia systemd[1]: Stopped System Logging Service..Dec 28 19:08:05 galassia systemd[1]: Starting System Logging Service....Dec 28 19:08:06 galassia systemd[1]: Started System Logging Service..Dec 28 19:08:06 galassia kernel: [ 430.398002] blocking signal 9: 6242 -> 2048.De

Source: global traffic	TCP traffic: 192.168.2.23:50018 -> 89.190.156.145:7733
Source: global traffic	TCP traffic: 192.168.2.23:40838 -> 193.200.78.37:33966

File type:	ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
Entropy (8bit):	6.0522779452877415
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	Aqua.arm5.elf
File size:	75'268 bytes
MD5:	035c27cc6ca3feb2e173031bb2577abe
SHA1:	a84eef5d979eec2320eea81c2f8305239f0a39cb
SHA256:	fe80d019b7f3b0413f2886f89b5fa01a4385afcbd3386862ab8507db003beabc
SHA512:	bd78fa481741c017c25d5dffc32ae2371f2611dd422d8e7105b4c14c397ead6976bdae4cf8a99e90a3498ea451fb859b7ae5d878d1913c7df4487d9d1a021ecf
SSDEEP:	1536:8GcEk0+/kGoDDBKhjErbwlONGR5znoyhI6SiW:8GcSRMjEPsRnxS
TLSH:	65733A91FD829613C6D012BBFB5E418D372A13A8D3EE72079E256F20378785B0E77652
File Content Preview:	.ELF...a..........(.........4...t$......4. ...(.......................................... ... ... ..4....&..........Q.td..................................-...L."...vA..........0@-.\P...0....S.0...P@...0... ....R......0...0...........0... ....R..... 0....S

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	ARM
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	ARM - ABI
ABI Version:	0
Entry Point Address:	0x8190
Flags:	0x2
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	74868
Section Header Size:	40
Number of Section Headers:	10
Header String Table Index:	9

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x8094	0x94	0x18	0x0	0x6	AX	4
.text	PROGBITS	0x80b0	0xb0	0x10610	0x0	0x6	AX	16
.fini	PROGBITS	0x186c0	0x106c0	0x14	0x0	0x6	AX	4
.rodata	PROGBITS	0x186d4	0x106d4	0x1838	0x0	0x2	A	4
.ctors	PROGBITS	0x22000	0x12000	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x22008	0x12008	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x22014	0x12014	0x420	0x0	0x3	WA	4
.bss	NOBITS	0x22434	0x12434	0x21e0	0x0	0x3	WA	4
.shstrtab	STRTAB	0x0	0x12434	0x3e	0x0	0x0		1

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x8000	0x8000	0x11f0c	0x11f0c	6.0902	0x5	R E	0x8000	.init .text .fini .rodata
LOAD	0x12000	0x22000	0x22000	0x434	0x2614	3.5189	0x6	RW	0x8000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 29, 2024 02:07:52.003340960 CET	56548	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:07:52.364861012 CET	53	56548	8.8.8.8	192.168.2.23
Dec 29, 2024 02:07:52.366692066 CET	51069	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:07:52.488900900 CET	53	51069	8.8.8.8	192.168.2.23
Dec 29, 2024 02:07:52.490983963 CET	51547	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:07:52.613177061 CET	53	51547	8.8.8.8	192.168.2.23
Dec 29, 2024 02:07:52.615653992 CET	55284	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:07:52.737874985 CET	53	55284	8.8.8.8	192.168.2.23
Dec 29, 2024 02:07:52.739094973 CET	37287	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:07:52.861267090 CET	53	37287	8.8.8.8	192.168.2.23
Dec 29, 2024 02:07:52.862432957 CET	58923	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:07:52.984669924 CET	53	58923	8.8.8.8	192.168.2.23
Dec 29, 2024 02:07:54.437479019 CET	32815	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:07:54.559674025 CET	53	32815	8.8.8.8	192.168.2.23
Dec 29, 2024 02:07:54.562572956 CET	34247	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:07:54.684776068 CET	53	34247	8.8.8.8	192.168.2.23
Dec 29, 2024 02:07:54.702852011 CET	48302	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:07:54.825160980 CET	53	48302	8.8.8.8	192.168.2.23
Dec 29, 2024 02:07:54.829571009 CET	33913	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:07:54.951801062 CET	53	33913	8.8.8.8	192.168.2.23
Dec 29, 2024 02:07:54.955152988 CET	38438	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:07:55.077308893 CET	53	38438	8.8.8.8	192.168.2.23
Dec 29, 2024 02:07:55.079768896 CET	36828	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:07:55.201977968 CET	53	36828	8.8.8.8	192.168.2.23
Dec 29, 2024 02:07:55.203386068 CET	51334	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:07:55.325540066 CET	53	51334	8.8.8.8	192.168.2.23
Dec 29, 2024 02:07:55.347310066 CET	44521	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:07:55.469466925 CET	53	44521	8.8.8.8	192.168.2.23
Dec 29, 2024 02:07:55.471952915 CET	54978	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:07:55.594901085 CET	53	54978	8.8.8.8	192.168.2.23
Dec 29, 2024 02:07:55.597342968 CET	49497	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:07:55.719470978 CET	53	49497	8.8.8.8	192.168.2.23
Dec 29, 2024 02:07:57.448097944 CET	45811	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:07:57.570275068 CET	53	45811	8.8.8.8	192.168.2.23
Dec 29, 2024 02:07:57.573803902 CET	39930	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:07:57.696002960 CET	53	39930	8.8.8.8	192.168.2.23
Dec 29, 2024 02:07:57.697849989 CET	51348	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:07:57.820137978 CET	53	51348	8.8.8.8	192.168.2.23
Dec 29, 2024 02:07:57.823690891 CET	33819	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:07:57.945983887 CET	53	33819	8.8.8.8	192.168.2.23
Dec 29, 2024 02:07:57.949585915 CET	50777	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:07:58.018668890 CET	38875	53	192.168.2.23	1.1.1.1
Dec 29, 2024 02:07:58.018723011 CET	47881	53	192.168.2.23	1.1.1.1
Dec 29, 2024 02:07:58.071819067 CET	53	50777	8.8.8.8	192.168.2.23
Dec 29, 2024 02:07:58.074997902 CET	44034	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:07:58.197293043 CET	53	44034	8.8.8.8	192.168.2.23
Dec 29, 2024 02:07:58.200011969 CET	59155	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:07:58.243941069 CET	53	47881	1.1.1.1	192.168.2.23
Dec 29, 2024 02:07:58.246850014 CET	53	38875	1.1.1.1	192.168.2.23
Dec 29, 2024 02:07:58.322313070 CET	53	59155	8.8.8.8	192.168.2.23
Dec 29, 2024 02:07:58.326272964 CET	36376	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:07:58.448554039 CET	53	36376	8.8.8.8	192.168.2.23
Dec 29, 2024 02:07:58.453058004 CET	54740	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:07:58.502979040 CET	54966	53	192.168.2.23	1.1.1.1
Dec 29, 2024 02:07:58.575190067 CET	53	54740	8.8.8.8	192.168.2.23
Dec 29, 2024 02:07:58.577786922 CET	57747	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:07:58.640832901 CET	53	54966	1.1.1.1	192.168.2.23
Dec 29, 2024 02:07:58.699959993 CET	53	57747	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:00.065968037 CET	48455	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:00.188306093 CET	53	48455	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:00.190943956 CET	33371	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:00.313226938 CET	53	33371	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:00.315385103 CET	45981	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:00.437599897 CET	53	45981	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:00.440089941 CET	53396	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:00.562477112 CET	53	53396	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:00.565344095 CET	57665	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:00.687714100 CET	53	57665	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:00.689454079 CET	43922	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:00.811574936 CET	53	43922	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:00.813468933 CET	39420	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:00.935643911 CET	53	39420	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:00.937227011 CET	36689	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:01.060039043 CET	53	36689	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:01.061590910 CET	40384	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:01.183763027 CET	53	40384	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:01.185112000 CET	50758	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:01.307301998 CET	53	50758	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:02.723611116 CET	51926	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:02.947824955 CET	53	51926	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:02.949028969 CET	51706	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:03.071290016 CET	53	51706	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:03.072078943 CET	48534	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:03.194257021 CET	53	48534	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:03.194982052 CET	34515	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:03.317111015 CET	53	34515	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:03.317934036 CET	39282	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:03.440572023 CET	53	39282	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:03.441442013 CET	56082	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:03.563918114 CET	53	56082	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:03.564779997 CET	43417	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:03.687042952 CET	53	43417	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:03.687625885 CET	57388	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:03.809808016 CET	53	57388	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:03.810460091 CET	59575	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:03.932616949 CET	53	59575	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:03.933681965 CET	58637	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:04.055941105 CET	53	58637	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:05.466758966 CET	43354	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:05.588942051 CET	53	43354	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:05.589968920 CET	53901	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:05.712150097 CET	53	53901	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:05.713212967 CET	36426	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:05.835381985 CET	53	36426	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:05.836464882 CET	56890	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:05.958647966 CET	53	56890	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:05.959398985 CET	45045	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:06.081583977 CET	53	45045	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:06.082403898 CET	53024	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:06.204696894 CET	53	53024	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:06.205388069 CET	58960	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:06.327728987 CET	53	58960	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:06.328466892 CET	44322	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:06.450697899 CET	53	44322	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:06.451474905 CET	46386	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:06.573630095 CET	53	46386	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:06.574744940 CET	37761	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:06.696980000 CET	53	37761	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:08.179332972 CET	53067	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:08.301847935 CET	53	53067	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:08.311666965 CET	42356	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:08.434277058 CET	53	42356	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:08.442940950 CET	53069	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:08.558775902 CET	33571	53	192.168.2.23	1.1.1.1
Dec 29, 2024 02:08:08.565164089 CET	53	53069	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:08.571835995 CET	46050	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:08.694073915 CET	53	46050	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:08.697187901 CET	53	33571	1.1.1.1	192.168.2.23
Dec 29, 2024 02:08:08.700903893 CET	44676	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:08.823237896 CET	53	44676	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:08.832138062 CET	41481	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:08.954514027 CET	53	41481	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:08.956329107 CET	49046	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:09.078593016 CET	53	49046	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:09.079715014 CET	40709	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:09.202085972 CET	53	40709	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:09.203023911 CET	39711	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:09.325292110 CET	53	39711	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:09.326313972 CET	40879	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:09.448529005 CET	53	40879	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:10.859451056 CET	36452	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:10.981653929 CET	53	36452	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:10.982593060 CET	36314	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:11.105007887 CET	53	36314	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:11.106076956 CET	57819	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:11.228185892 CET	53	57819	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:11.229233980 CET	55663	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:11.351701975 CET	53	55663	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:11.352792025 CET	45759	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:11.475191116 CET	53	45759	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:11.476218939 CET	55599	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:11.599636078 CET	53	55599	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:11.600621939 CET	46775	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:11.722837925 CET	53	46775	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:11.724052906 CET	41703	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:11.847361088 CET	53	41703	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:11.848717928 CET	44129	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:11.971160889 CET	53	44129	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:11.972115993 CET	47120	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:12.094362974 CET	53	47120	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:13.571377993 CET	41815	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:13.693778038 CET	53	41815	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:13.695132017 CET	38483	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:13.817524910 CET	53	38483	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:13.818943024 CET	58996	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:14.091248035 CET	53	58996	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:14.093271971 CET	54518	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:14.216548920 CET	53	54518	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:14.219264030 CET	36731	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:14.341706991 CET	53	36731	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:14.346698999 CET	40650	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:14.468935966 CET	53	40650	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:14.470352888 CET	46548	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:14.592581034 CET	53	46548	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:14.594022036 CET	35614	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:14.716312885 CET	53	35614	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:14.718276978 CET	44538	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:14.840663910 CET	53	44538	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:14.842546940 CET	55787	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:14.964844942 CET	53	55787	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:16.422369003 CET	58438	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:16.544610023 CET	53	58438	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:16.545898914 CET	51256	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:16.668122053 CET	53	51256	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:16.669439077 CET	60502	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:16.791626930 CET	53	60502	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:16.792984009 CET	39931	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:16.915267944 CET	53	39931	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:16.916317940 CET	51334	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:17.038469076 CET	53	51334	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:17.039587021 CET	42481	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:17.161851883 CET	53	42481	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:17.162931919 CET	51092	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:17.285187006 CET	53	51092	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:17.286403894 CET	55858	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:17.408736944 CET	53	55858	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:17.409733057 CET	57200	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:17.532253027 CET	53	57200	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:17.533391953 CET	49873	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:17.655586004 CET	53	49873	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:19.113440990 CET	37219	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:19.235754967 CET	53	37219	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:19.237040997 CET	37703	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:19.359668970 CET	53	37703	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:19.360965967 CET	36798	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:19.483372927 CET	53	36798	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:19.484468937 CET	34438	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:19.606751919 CET	53	34438	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:19.607712984 CET	33019	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:19.730971098 CET	53	33019	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:19.731899977 CET	46171	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:19.854337931 CET	53	46171	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:19.855360031 CET	59493	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:19.977771044 CET	53	59493	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:19.978889942 CET	59302	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:20.101464033 CET	53	59302	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:20.102557898 CET	35776	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:20.225008011 CET	53	35776	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:20.226082087 CET	32916	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:20.348356962 CET	53	32916	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:21.759474039 CET	44908	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:21.881608963 CET	53	44908	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:21.882988930 CET	42170	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:22.005335093 CET	53	42170	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:22.006409883 CET	46857	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:22.128798008 CET	53	46857	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:22.129971027 CET	33360	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:22.252405882 CET	53	33360	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:22.253556967 CET	47604	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:22.376055002 CET	53	47604	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:22.377171040 CET	38220	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:22.499414921 CET	53	38220	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:22.500760078 CET	39784	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:22.623027086 CET	53	39784	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:22.623894930 CET	54639	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:22.746124029 CET	53	54639	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:22.746918917 CET	40275	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:22.869102955 CET	53	40275	8.8.8.8	192.168.2.23
Dec 29, 2024 02:08:22.869915962 CET	36020	53	192.168.2.23	8.8.8.8
Dec 29, 2024 02:08:22.992211103 CET	53	36020	8.8.8.8	192.168.2.23

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Dec 29, 2024 02:08:02.103182077 CET	192.168.2.23	192.168.2.1	8283	(Port unreachable)	Destination Unreachable
Dec 29, 2024 02:09:22.113806009 CET	192.168.2.23	192.168.2.1	8283	(Port unreachable)	Destination Unreachable

Timestamp	Bytes transferred	Direction	Data
2024-12-29 01:08:01 UTC	307	OUT	POST /9aadafe2051348cd32033e1cad68f0a5fe46fba3240ac1e6e42158f31b8a1371790c09baf3996b4979fe8e533446c7dedf30f654c68b25357334c66911dc6a9e HTTP/1.1 Host: daisy.ubuntu.com Accept: / Content-Type: application/octet-stream X-Whoopsie-Version: 0.2.69ubuntu0.3 Content-Length: 164887 Expect: 100-continue
2024-12-29 01:08:02 UTC	25	IN	HTTP/1.1 100 Continue
2024-12-29 01:08:02 UTC	16384	OUT	Data Raw: 17 84 02 00 02 50 72 6f 63 45 6e 76 69 72 6f 6e 00 4e 00 00 00 50 41 54 48 3d 28 63 75 73 74 6f 6d 2c 20 6e 6f 20 75 73 65 72 29 0a 58 44 47 5f 52 55 4e 54 49 4d 45 5f 44 49 52 3d 3c 73 65 74 3e 0a 4c 41 4e 47 3d 65 6e 5f 55 53 2e 55 54 46 2d 38 0a 53 48 45 4c 4c 3d 2f 62 69 6e 2f 62 61 73 68 00 02 5f 4c 6f 67 69 6e 64 53 65 73 73 69 6f 6e 00 02 00 00 00 35 00 02 44 61 74 65 00 19 00 00 00 54 75 65 20 41 75 67 20 31 37 20 32 30 3a 31 38 3a 30 34 20 32 30 32 31 00 02 53 6f 75 72 63 65 50 61 63 6b 61 67 65 00 0d 00 00 00 6c 69 67 68 74 2d 6c 6f 63 6b 65 72 00 02 50 61 63 6b 61 67 65 41 72 63 68 69 74 65 63 74 75 72 65 00 06 00 00 00 61 6d 64 36 34 00 02 41 72 63 68 69 74 65 63 74 75 72 65 00 06 00 00 00 61 6d 64 36 34 00 02 44 69 73 74 72 6f 52 65 6c 65 61 Data Ascii: ProcEnvironNPATH=(custom, no user)XDG_RUNTIME_DIR=<set>LANG=en_US.UTF-8SHELL=/bin/bash_LogindSession5DateTue Aug 17 20:18:04 2021SourcePackagelight-lockerPackageArchitectureamd64Architectureamd64DistroRelea
2024-12-29 01:08:02 UTC	16384	OUT	Data Raw: 74 75 34 2e 31 0a 6c 69 62 70 61 6d 2d 72 75 6e 74 69 6d 65 20 31 2e 33 2e 31 2d 35 75 62 75 6e 74 75 34 2e 31 0a 6c 69 62 70 61 6d 2d 73 79 73 74 65 6d 64 20 32 34 35 2e 34 2d 34 75 62 75 6e 74 75 33 2e 31 31 0a 6c 69 62 70 61 6d 30 67 20 31 2e 33 2e 31 2d 35 75 62 75 6e 74 75 34 2e 31 0a 6c 69 62 70 61 6e 67 6f 2d 31 2e 30 2d 30 20 31 2e 34 34 2e 37 2d 32 75 62 75 6e 74 75 34 0a 6c 69 62 70 61 6e 67 6f 63 61 69 72 6f 2d 31 2e 30 2d 30 20 31 2e 34 34 2e 37 2d 32 75 62 75 6e 74 75 34 0a 6c 69 62 70 61 6e 67 6f 66 74 32 2d 31 2e 30 2d 30 20 31 2e 34 34 2e 37 2d 32 75 62 75 6e 74 75 34 0a 6c 69 62 70 61 6e 67 6f 78 66 74 2d 31 2e 30 2d 30 20 31 2e 34 34 2e 37 2d 32 75 62 75 6e 74 75 34 0a 6c 69 62 70 61 70 65 72 2d 75 74 69 6c 73 20 31 2e 31 2e 32 38 0a 6c Data Ascii: tu4.1libpam-runtime 1.3.1-5ubuntu4.1libpam-systemd 245.4-4ubuntu3.11libpam0g 1.3.1-5ubuntu4.1libpango-1.0-0 1.44.7-2ubuntu4libpangocairo-1.0-0 1.44.7-2ubuntu4libpangoft2-1.0-0 1.44.7-2ubuntu4libpangoxft-1.0-0 1.44.7-2ubuntu4libpaper-utils 1.1.28l
2024-12-29 01:08:02 UTC	16384	OUT	Data Raw: 20 20 20 20 20 20 20 20 30 78 30 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 30 0a 67 73 20 20 20 20 20 20 20 20 20 20 20 20 20 30 78 30 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 30 0a 6b 30 20 20 20 20 20 20 20 20 20 20 20 20 20 30 78 30 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 30 0a 6b 31 20 20 20 20 20 20 20 20 20 20 20 20 20 30 78 30 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 30 0a 6b 32 20 20 20 20 20 20 20 20 20 20 20 20 20 30 78 30 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 30 0a 6b 33 20 20 20 20 20 20 20 20 20 20 20 20 20 30 78 30 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 30 0a 6b 34 20 20 20 20 20 20 20 20 20 20 20 20 20 30 78 30 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 30 0a 6b 35 20 Data Ascii: 0x0 0gs 0x0 0k0 0x0 0k1 0x0 0k2 0x0 0k3 0x0 0k4 0x0 0k5
2024-12-29 01:08:02 UTC	16384	OUT	Data Raw: 20 20 20 20 20 20 20 20 20 2f 75 73 72 2f 6c 69 62 2f 78 38 36 5f 36 34 2d 6c 69 6e 75 78 2d 67 6e 75 2f 6c 69 62 78 63 62 2d 72 65 6e 64 65 72 2e 73 6f 2e 30 2e 30 2e 30 0a 37 66 37 39 31 63 30 37 34 30 30 30 2d 37 66 37 39 31 63 30 37 35 30 30 30 20 2d 2d 2d 70 20 30 30 30 30 63 30 30 30 20 66 64 3a 30 30 20 38 30 36 32 36 30 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2f 75 73 72 2f 6c 69 62 2f 78 38 36 5f 36 34 2d 6c 69 6e 75 78 2d 67 6e 75 2f 6c 69 62 78 63 62 2d 72 65 6e 64 65 72 2e 73 6f 2e 30 2e 30 2e 30 0a 37 66 37 39 31 63 30 37 35 30 30 30 2d 37 66 37 39 31 63 30 37 36 30 30 30 20 72 2d 2d 70 20 30 30 30 30 63 30 30 30 20 66 64 3a 30 30 20 38 30 36 32 36 30 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2f 75 Data Ascii: /usr/lib/x86_64-linux-gnu/libxcb-render.so.0.0.07f791c074000-7f791c075000 ---p 0000c000 fd:00 806260 /usr/lib/x86_64-linux-gnu/libxcb-render.so.0.0.07f791c075000-7f791c076000 r--p 0000c000 fd:00 806260 /u
2024-12-29 01:08:02 UTC	16384	OUT	Data Raw: 6e 75 78 2d 67 6e 75 2f 6c 69 62 67 64 6b 5f 70 69 78 62 75 66 2d 32 2e 30 2e 73 6f 2e 30 2e 34 30 30 30 2e 30 0a 37 66 37 39 31 63 37 37 33 30 30 30 2d 37 66 37 39 31 63 37 37 34 30 30 30 20 72 77 2d 70 20 30 30 30 32 36 30 30 30 20 66 64 3a 30 30 20 38 30 36 32 34 35 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2f 75 73 72 2f 6c 69 62 2f 78 38 36 5f 36 34 2d 6c 69 6e 75 78 2d 67 6e 75 2f 6c 69 62 67 64 6b 5f 70 69 78 62 75 66 2d 32 2e 30 2e 73 6f 2e 30 2e 34 30 30 30 2e 30 0a 37 66 37 39 31 63 37 37 34 30 30 30 2d 37 66 37 39 31 63 37 37 38 30 30 30 20 72 2d 2d 70 20 30 30 30 30 30 30 30 30 20 66 64 3a 30 30 20 38 30 36 32 36 38 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2f 75 73 72 2f 6c 69 62 2f 78 38 36 5f 36 34 Data Ascii: nux-gnu/libgdk_pixbuf-2.0.so.0.4000.07f791c773000-7f791c774000 rw-p 00026000 fd:00 806245 /usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.4000.07f791c774000-7f791c778000 r--p 00000000 fd:00 806268 /usr/lib/x86_64
2024-12-29 01:08:02 UTC	16384	OUT	Data Raw: 20 70 6c 61 74 66 6f 72 6d 20 65 69 73 61 2e 30 3a 20 43 61 6e 6e 6f 74 20 61 6c 6c 6f 63 61 74 65 20 72 65 73 6f 75 72 63 65 20 66 6f 72 20 45 49 53 41 20 73 6c 6f 74 20 37 0a 41 75 67 20 31 37 20 32 30 3a 32 34 3a 34 36 20 67 61 6c 61 73 73 69 61 20 6b 65 72 6e 65 6c 3a 20 70 6c 61 74 66 6f 72 6d 20 65 69 73 61 2e 30 3a 20 43 61 6e 6e 6f 74 20 61 6c 6c 6f 63 61 74 65 20 72 65 73 6f 75 72 63 65 20 66 6f 72 20 45 49 53 41 20 73 6c 6f 74 20 38 0a 41 75 67 20 31 37 20 32 30 3a 32 34 3a 34 36 20 67 61 6c 61 73 73 69 61 20 6b 65 72 6e 65 6c 3a 20 73 64 20 33 32 3a 30 3a 30 3a 30 3a 20 5b 73 64 61 5d 20 41 73 73 75 6d 69 6e 67 20 64 72 69 76 65 20 63 61 63 68 65 3a 20 77 72 69 74 65 20 74 68 72 6f 75 67 68 0a 41 75 67 20 31 37 20 32 30 3a 32 34 3a 34 37 20 67 Data Ascii: platform eisa.0: Cannot allocate resource for EISA slot 7Aug 17 20:24:46 galassia kernel: platform eisa.0: Cannot allocate resource for EISA slot 8Aug 17 20:24:46 galassia kernel: sd 32:0:0:0: [sda] Assuming drive cache: write throughAug 17 20:24:47 g
2024-12-29 01:08:02 UTC	16384	OUT	Data Raw: 35 35 31 5d 3a 20 28 49 49 29 20 4c 6f 61 64 4d 6f 64 75 6c 65 3a 20 22 66 62 64 65 76 68 77 22 0a 41 75 67 20 31 37 20 32 30 3a 32 35 3a 30 34 20 67 61 6c 61 73 73 69 61 20 2f 75 73 72 2f 6c 69 62 2f 67 64 6d 33 2f 67 64 6d 2d 78 2d 73 65 73 73 69 6f 6e 5b 31 35 35 31 5d 3a 20 28 49 49 29 20 4c 6f 61 64 69 6e 67 20 2f 75 73 72 2f 6c 69 62 2f 78 6f 72 67 2f 6d 6f 64 75 6c 65 73 2f 6c 69 62 66 62 64 65 76 68 77 2e 73 6f 0a 41 75 67 20 31 37 20 32 30 3a 32 35 3a 30 34 20 67 61 6c 61 73 73 69 61 20 2f 75 73 72 2f 6c 69 62 2f 67 64 6d 33 2f 67 64 6d 2d 78 2d 73 65 73 73 69 6f 6e 5b 31 35 35 31 5d 3a 20 28 49 49 29 20 4d 6f 64 75 6c 65 20 66 62 64 65 76 68 77 3a 20 76 65 6e 64 6f 72 3d 22 58 2e 4f 72 67 20 46 6f 75 6e 64 61 74 69 6f 6e 22 0a 41 75 67 20 31 37 Data Ascii: 551]: (II) LoadModule: "fbdevhw"Aug 17 20:25:04 galassia /usr/lib/gdm3/gdm-x-session[1551]: (II) Loading /usr/lib/xorg/modules/libfbdevhw.soAug 17 20:25:04 galassia /usr/lib/gdm3/gdm-x-session[1551]: (II) Module fbdevhw: vendor="X.Org Foundation"Aug 17
2024-12-29 01:08:02 UTC	16384	OUT	Data Raw: 2f 6c 69 62 2f 67 64 6d 33 2f 67 64 6d 2d 78 2d 73 65 73 73 69 6f 6e 5b 31 35 35 31 5d 3a 20 28 49 49 29 20 76 6d 77 61 72 65 28 30 29 3a 20 4e 6f 74 20 75 73 69 6e 67 20 64 65 66 61 75 6c 74 20 6d 6f 64 65 20 22 31 39 32 30 78 31 32 30 30 22 20 28 69 6e 73 75 66 66 69 63 69 65 6e 74 20 6d 65 6d 6f 72 79 20 66 6f 72 20 6d 6f 64 65 29 0a 41 75 67 20 31 37 20 32 30 3a 32 35 3a 30 35 20 67 61 6c 61 73 73 69 61 20 2f 75 73 72 2f 6c 69 62 2f 67 64 6d 33 2f 67 64 6d 2d 78 2d 73 65 73 73 69 6f 6e 5b 31 35 35 31 5d 3a 20 28 49 49 29 20 76 6d 77 61 72 65 28 30 29 3a 20 4e 6f 74 20 75 73 69 6e 67 20 64 65 66 61 75 6c 74 20 6d 6f 64 65 20 22 39 36 30 78 36 30 30 22 20 28 62 61 64 20 6d 6f 64 65 20 63 6c 6f 63 6b 2f 69 6e 74 65 72 6c 61 63 65 2f 64 6f 75 62 6c 65 73 Data Ascii: /lib/gdm3/gdm-x-session[1551]: (II) vmware(0): Not using default mode "1920x1200" (insufficient memory for mode)Aug 17 20:25:05 galassia /usr/lib/gdm3/gdm-x-session[1551]: (II) vmware(0): Not using default mode "960x600" (bad mode clock/interlace/doubles
2024-12-29 01:08:02 UTC	16384	OUT	Data Raw: 20 31 33 33 36 20 31 35 32 30 20 20 38 36 34 20 38 36 35 20 38 36 38 20 38 39 35 20 2d 68 73 79 6e 63 20 2b 76 73 79 6e 63 20 28 35 33 2e 37 20 6b 48 7a 20 64 29 0a 41 75 67 20 31 37 20 32 30 3a 32 35 3a 30 35 20 67 61 6c 61 73 73 69 61 20 2f 75 73 72 2f 6c 69 62 2f 67 64 6d 33 2f 67 64 6d 2d 78 2d 73 65 73 73 69 6f 6e 5b 31 35 35 31 5d 3a 20 28 2a 2a 29 20 76 6d 77 61 72 65 28 30 29 3a 20 20 44 65 66 61 75 6c 74 20 6d 6f 64 65 20 22 31 30 32 34 78 37 36 38 22 3a 20 39 34 2e 35 20 4d 48 7a 2c 20 36 38 2e 37 20 6b 48 7a 2c 20 38 35 2e 30 20 48 7a 0a 41 75 67 20 31 37 20 32 30 3a 32 35 3a 30 35 20 67 61 6c 61 73 73 69 61 20 2f 75 73 72 2f 6c 69 62 2f 67 64 6d 33 2f 67 64 6d 2d 78 2d 73 65 73 73 69 6f 6e 5b 31 35 35 31 5d 3a 20 28 49 49 29 20 76 6d 77 61 72 Data Ascii: 1336 1520 864 865 868 895 -hsync +vsync (53.7 kHz d)Aug 17 20:25:05 galassia /usr/lib/gdm3/gdm-x-session[1551]: (**) vmware(0): Default mode "1024x768": 94.5 MHz, 68.7 kHz, 85.0 HzAug 17 20:25:05 galassia /usr/lib/gdm3/gdm-x-session[1551]: (II) vmwar
2024-12-29 01:08:02 UTC	16384	OUT	Data Raw: 65 64 20 53 65 74 20 32 20 6b 65 79 62 6f 61 72 64 3a 20 61 6c 77 61 79 73 20 72 65 70 6f 72 74 73 20 63 6f 72 65 20 65 76 65 6e 74 73 0a 41 75 67 20 31 37 20 32 30 3a 32 35 3a 30 35 20 67 61 6c 61 73 73 69 61 20 2f 75 73 72 2f 6c 69 62 2f 67 64 6d 33 2f 67 64 6d 2d 78 2d 73 65 73 73 69 6f 6e 5b 31 35 35 31 5d 3a 20 28 2a 2a 29 20 4f 70 74 69 6f 6e 20 22 44 65 76 69 63 65 22 20 22 2f 64 65 76 2f 69 6e 70 75 74 2f 65 76 65 6e 74 31 22 0a 41 75 67 20 31 37 20 32 30 3a 32 35 3a 30 35 20 67 61 6c 61 73 73 69 61 20 2f 75 73 72 2f 6c 69 62 2f 67 64 6d 33 2f 67 64 6d 2d 78 2d 73 65 73 73 69 6f 6e 5b 31 35 35 31 5d 3a 20 28 2a 2a 29 20 4f 70 74 69 6f 6e 20 22 5f 73 6f 75 72 63 65 22 20 22 73 65 72 76 65 72 2f 75 64 65 76 22 0a 41 75 67 20 31 37 20 32 30 3a 32 35 Data Ascii: ed Set 2 keyboard: always reports core eventsAug 17 20:25:05 galassia /usr/lib/gdm3/gdm-x-session[1551]: () Option "Device" "/dev/input/event1"Aug 17 20:25:05 galassia /usr/lib/gdm3/gdm-x-session[1551]: () Option "_source" "server/udev"Aug 17 20:25
2024-12-29 01:08:03 UTC	279	IN	HTTP/1.1 400 Bad Request Date: Sun, 29 Dec 2024 01:08:03 GMT Server: gunicorn/19.7.1 X-Daisy-Revision-Number: 979 X-Oops-Repository-Version: 0.0.0 Strict-Transport-Security: max-age=2592000 Connection: close Transfer-Encoding: chunked 17 Crash already reported. 0

Start time (UTC):	01:07:50
Start date (UTC):	29/12/2024
Path:	/tmp/Aqua.arm5.elf
Arguments:	/tmp/Aqua.arm5.elf
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC):	01:07:51
Start date (UTC):	29/12/2024
Path:	/tmp/Aqua.arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC):	01:07:52
Start date (UTC):	29/12/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Start time (UTC):	01:07:53
Start date (UTC):	29/12/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Start time (UTC):	01:07:54
Start date (UTC):	29/12/2024
Path:	/usr/libexec/gvfsd-fuse
Arguments:	-
File size:	47632 bytes
MD5 hash:	d18fbf1cbf8eb57b17fac48b7b4be933

Start time (UTC):	01:07:55
Start date (UTC):	29/12/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Start time (UTC):	01:07:56
Start date (UTC):	29/12/2024
Path:	/usr/bin/gpu-manager
Arguments:	-
File size:	76616 bytes
MD5 hash:	8fae9dd5dd67e1f33d873089c2fd8761

Start time (UTC):	01:07:57
Start date (UTC):	29/12/2024
Path:	/usr/bin/gpu-manager
Arguments:	-
File size:	76616 bytes
MD5 hash:	8fae9dd5dd67e1f33d873089c2fd8761

Start time (UTC):	01:07:58
Start date (UTC):	29/12/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Start time (UTC):	01:08:00
Start date (UTC):	29/12/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Start time (UTC):	01:08:05
Start date (UTC):	29/12/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Start time (UTC):	01:08:06
Start date (UTC):	29/12/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report Aqua.arm5.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Spreading

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/home/saturnino/.config/pulse/ee49dfd4fa47433baee88884e2d7de7c-default-sink

/home/saturnino/.config/pulse/ee49dfd4fa47433baee88884e2d7de7c-default-source

/proc/6632/oom_score_adj

/run/gdm3.pid

/run/systemd/seats/.#seat0V3krPW

/run/systemd/seats/.#seat0iaQypH

/run/systemd/seats/.#seat0wtqFrX

/run/systemd/users/.#127DOhXhW

/run/systemd/users/.#127OQMe4X

/run/systemd/users/.#127VJImMU

/run/systemd/users/.#127hz8mwX

/run/systemd/users/.#127mAcU4X

/run/user/1000/pulse/pid

/tmp/qemu-open.PP5vlS (deleted)

/var/lib/AccountsService/users/gdm.VRCKZ2

/var/lib/ubuntu-drivers-common/last_gfx_boot

/var/log/auth.log

/var/log/gpu-manager.log

/var/log/kern.log

/var/log/syslog

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

Linux Analysis Report
Aqua.arm5.elf

Start time (UTC):	01:08:10
Start date (UTC):	29/12/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Start time (UTC):	01:08:11
Start date (UTC):	29/12/2024
Path:	/usr/sbin/gdm3
Arguments:	-
File size:	453296 bytes
MD5 hash:	2492e2d8d34f9377e3e530a61a15674f

Start time (UTC):	01:08:13
Start date (UTC):	29/12/2024
Path:	/usr/lib/gdm3/gdm-session-worker
Arguments:	-
File size:	293360 bytes
MD5 hash:	692243754bd9f38fe9bd7e230b5c060a

Start time (UTC):	01:08:14
Start date (UTC):	29/12/2024
Path:	/usr/bin/dbus-daemon
Arguments:	-
File size:	249032 bytes
MD5 hash:	3089d47e3f3ab84cd81c48fd406d7a8c

Start time (UTC):	01:09:24
Start date (UTC):	29/12/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
Tactics:	Defense Evasion
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Deletion, File: File Metadata, File: File Modification, Firewall: Firewall Rule Modification, Network Traffic: Network Traffic Content, Process: OS API Execution, Process: Process Creation, Scheduled Job: Scheduled Job Modification, User Account: User Account Authentication, User Account: User Account Deletion, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, Google Workspace, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre