Edit tour

Linux Analysis Report
Aqua.arm5.elf

Overview

General Information

Sample name:	Aqua.arm5.elf
Analysis ID:	1582027
MD5:	4f1be192cb2790c9a272bc8ae2ed4b79
SHA1:	d7c5fc8426775df43d7904f7d8475c9a2f5d6443
SHA256:	e2991286f85807cd3f7a227420b2692c4928c06c241656c0454319388522cf65
Tags:	elfuser-abuse_ch
Infos:

Detection

Score:	76
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Reads system files that contain records of logged in users

Sample deletes itself

Sample reads /proc/mounts (often used for finding a writable filesystem)

Sample tries to kill multiple processes (SIGKILL)

Sends malformed DNS queries

Creates hidden files and/or directories

Deletes log files

Detected TCP or UDP traffic on non-standard ports

Enumerates processes within the "proc" file system

Executes commands using a shell command-line interpreter

Executes the "grep" command used to find patterns in files or piped streams

Executes the "kill" or "pkill" command typically used to terminate processes

Found strings indicative of a multi-platform dropper

HTTP GET or POST without a user agent

Reads CPU information from /sys indicative of miner or evasive malware

Reads system version information

Reads the 'hosts' file potentially containing internal network hosts

Sample has stripped symbol table

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Sample tries to set the executable flag

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1582027
Start date and time:	2024-12-29 16:22:17 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	Aqua.arm5.elf
Detection:	MAL
Classification:	mal76.spre.troj.evad.linELF@0/30@20/0

Warnings

Connection to analysis system has been lost, crash info: Unknown
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: raw.cloudboats.vip

Runtime Messages

Command:	/tmp/Aqua.arm5.elf
PID:	6218
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	about to cum inside a femboy btw
Standard Error:

Process Tree

system is lnxubuntu20

Aqua.arm5.elf (PID: 6218, Parent: 6133, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/Aqua.arm5.elf

Aqua.arm5.elf New Fork (PID: 6220, Parent: 6218)

Aqua.arm5.elf New Fork (PID: 6222, Parent: 6220)

gnome-session-binary New Fork (PID: 6225, Parent: 1477)

sh (PID: 6225, Parent: 1477, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-rfkill

gsd-rfkill (PID: 6225, Parent: 1477, MD5: 88a16a3c0aba1759358c06215ecfb5cc) Arguments: /usr/libexec/gsd-rfkill

systemd New Fork (PID: 6230, Parent: 1)

systemd-hostnamed (PID: 6230, Parent: 1, MD5: 2cc8a5576629a2d5bd98e49a4b8bef65) Arguments: /lib/systemd/systemd-hostnamed

gdm3 New Fork (PID: 6378, Parent: 1320)

Default (PID: 6378, Parent: 1320, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default

gdm3 New Fork (PID: 6382, Parent: 1320)

Default (PID: 6382, Parent: 1320, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default

gdm3 New Fork (PID: 6392, Parent: 1320)

Default (PID: 6392, Parent: 1320, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default

systemd New Fork (PID: 6399, Parent: 1860)

pulseaudio (PID: 6399, Parent: 1860, MD5: 0c3b4c789d8ffb12b25507f27e14c186) Arguments: /usr/bin/pulseaudio --daemonize=no --log-target=journal

systemd New Fork (PID: 6400, Parent: 1)

rsyslogd (PID: 6400, Parent: 1, MD5: 0b8087fc907c42eb3c81a691db258e33) Arguments: /usr/sbin/rsyslogd -n -iNONE

systemd New Fork (PID: 6401, Parent: 1)

dbus-daemon (PID: 6401, Parent: 1, MD5: 3089d47e3f3ab84cd81c48fd406d7a8c) Arguments: /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only

gvfsd-fuse New Fork (PID: 6402, Parent: 2038)

fusermount (PID: 6402, Parent: 2038, MD5: 576a1b135c82bdcbc97a91acea900566) Arguments: fusermount -u -q -z -- /run/user/1000/gvfs

systemd New Fork (PID: 6414, Parent: 1)

rtkit-daemon (PID: 6414, Parent: 1, MD5: df0cacf1db4ec95ac70f5b6e06b8ffd7) Arguments: /usr/libexec/rtkit-daemon

systemd New Fork (PID: 6417, Parent: 1)

systemd-logind (PID: 6417, Parent: 1, MD5: 8dd58a1b4c12f7a1d5fe3ce18b2aaeef) Arguments: /lib/systemd/systemd-logind

systemd New Fork (PID: 6477, Parent: 1)

rsyslogd (PID: 6477, Parent: 1, MD5: 0b8087fc907c42eb3c81a691db258e33) Arguments: /usr/sbin/rsyslogd -n -iNONE

systemd New Fork (PID: 6478, Parent: 1)

dbus-daemon (PID: 6478, Parent: 1, MD5: 3089d47e3f3ab84cd81c48fd406d7a8c) Arguments: /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only

systemd New Fork (PID: 6480, Parent: 1)

gpu-manager (PID: 6480, Parent: 1, MD5: 8fae9dd5dd67e1f33d873089c2fd8761) Arguments: /usr/bin/gpu-manager --log /var/log/gpu-manager.log

gpu-manager New Fork (PID: 6485, Parent: 6480)

sh (PID: 6485, Parent: 6480, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"

sh New Fork (PID: 6486, Parent: 6485)

grep (PID: 6486, Parent: 6485, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf

gpu-manager New Fork (PID: 6487, Parent: 6480)

sh (PID: 6487, Parent: 6480, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"

sh New Fork (PID: 6488, Parent: 6487)

grep (PID: 6488, Parent: 6487, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf

gpu-manager New Fork (PID: 6489, Parent: 6480)

sh (PID: 6489, Parent: 6480, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"

sh New Fork (PID: 6490, Parent: 6489)

grep (PID: 6490, Parent: 6489, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf

gpu-manager New Fork (PID: 6491, Parent: 6480)

sh (PID: 6491, Parent: 6480, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf"

sh New Fork (PID: 6492, Parent: 6491)

grep (PID: 6492, Parent: 6491, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf

gpu-manager New Fork (PID: 6495, Parent: 6480)

sh (PID: 6495, Parent: 6480, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf"

sh New Fork (PID: 6498, Parent: 6495)

grep (PID: 6498, Parent: 6495, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*amdgpu[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf

gpu-manager New Fork (PID: 6500, Parent: 6480)

sh (PID: 6500, Parent: 6480, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /lib/modprobe.d/*.conf"

sh New Fork (PID: 6502, Parent: 6500)

grep (PID: 6502, Parent: 6500, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*amdgpu[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf

gpu-manager New Fork (PID: 6503, Parent: 6480)

sh (PID: 6503, Parent: 6480, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /etc/modprobe.d/*.conf"

sh New Fork (PID: 6504, Parent: 6503)

grep (PID: 6504, Parent: 6503, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*nouveau[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf

gpu-manager New Fork (PID: 6506, Parent: 6480)

sh (PID: 6506, Parent: 6480, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /lib/modprobe.d/*.conf"

sh New Fork (PID: 6507, Parent: 6506)

grep (PID: 6507, Parent: 6506, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*nouveau[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf

systemd New Fork (PID: 6493, Parent: 1)

agetty (PID: 6493, Parent: 1, MD5: 3a374724ba7e863768139bdd60ca36f7) Arguments: /sbin/agetty -o "-p -- \\u" --noclear tty2 linux

systemd New Fork (PID: 6508, Parent: 1)

generate-config (PID: 6508, Parent: 1, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /usr/share/gdm/generate-config

generate-config New Fork (PID: 6509, Parent: 6508)

pkill (PID: 6509, Parent: 6508, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill --signal HUP --uid gdm dconf-service

systemd New Fork (PID: 6510, Parent: 1)

gdm-wait-for-drm (PID: 6510, Parent: 1, MD5: 82043ba752c6930b4e6aaea2f7747545) Arguments: /usr/lib/gdm3/gdm-wait-for-drm

systemd New Fork (PID: 6515, Parent: 1)

rsyslogd (PID: 6515, Parent: 1, MD5: 0b8087fc907c42eb3c81a691db258e33) Arguments: /usr/sbin/rsyslogd -n -iNONE

systemd New Fork (PID: 6516, Parent: 1)

dbus-daemon (PID: 6516, Parent: 1, MD5: 3089d47e3f3ab84cd81c48fd406d7a8c) Arguments: /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only

systemd New Fork (PID: 6517, Parent: 1)

agetty (PID: 6517, Parent: 1, MD5: 3a374724ba7e863768139bdd60ca36f7) Arguments: /sbin/agetty -o "-p -- \\u" --noclear tty2 linux

systemd New Fork (PID: 6529, Parent: 1)

systemd-logind (PID: 6529, Parent: 1, MD5: 8dd58a1b4c12f7a1d5fe3ce18b2aaeef) Arguments: /lib/systemd/systemd-logind

systemd New Fork (PID: 6587, Parent: 1)

gdm3 (PID: 6587, Parent: 1, MD5: 2492e2d8d34f9377e3e530a61a15674f) Arguments: /usr/sbin/gdm3

gdm3 New Fork (PID: 6592, Parent: 6587)

plymouth (PID: 6592, Parent: 6587, MD5: 87003efd8dad470042f5e75360a8f49f) Arguments: plymouth --ping

gdm3 New Fork (PID: 6606, Parent: 6587)

gdm-session-worker (PID: 6606, Parent: 6587, MD5: 692243754bd9f38fe9bd7e230b5c060a) Arguments: "gdm-session-worker [pam/gdm-launch-environment]"

gdm-session-worker New Fork (PID: 6612, Parent: 6606)

gdm-wayland-session (PID: 6612, Parent: 6606, MD5: d3def63cf1e83f7fb8a0f13b1744ff7c) Arguments: /usr/lib/gdm3/gdm-wayland-session "dbus-run-session -- gnome-session --autostart /usr/share/gdm/greeter/autostart"

gdm-wayland-session New Fork (PID: 6614, Parent: 6612)

dbus-daemon (PID: 6614, Parent: 6612, MD5: 3089d47e3f3ab84cd81c48fd406d7a8c) Arguments: dbus-daemon --print-address 3 --session

dbus-daemon New Fork (PID: 6616, Parent: 6614)

dbus-daemon New Fork (PID: 6617, Parent: 6616)

false (PID: 6617, Parent: 6616, MD5: 3177546c74e4f0062909eae43d948bfc) Arguments: /bin/false

gdm-wayland-session New Fork (PID: 6618, Parent: 6612)

dbus-run-session (PID: 6618, Parent: 6612, MD5: 245f3ef6a268850b33b0225a8753b7f4) Arguments: dbus-run-session -- gnome-session --autostart /usr/share/gdm/greeter/autostart

dbus-run-session New Fork (PID: 6619, Parent: 6618)

dbus-daemon (PID: 6619, Parent: 6618, MD5: 3089d47e3f3ab84cd81c48fd406d7a8c) Arguments: dbus-daemon --nofork --print-address 4 --session

gdm3 New Fork (PID: 6620, Parent: 6587)

Default (PID: 6620, Parent: 6587, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default

gdm3 New Fork (PID: 6621, Parent: 6587)

Default (PID: 6621, Parent: 6587, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default

systemd New Fork (PID: 6593, Parent: 1)

accounts-daemon (PID: 6593, Parent: 1, MD5: 01a899e3fb5e7e434bea1290255a1f30) Arguments: /usr/lib/accountsservice/accounts-daemon

accounts-daemon New Fork (PID: 6597, Parent: 6593)

language-validate (PID: 6597, Parent: 6593, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /usr/share/language-tools/language-validate en_US.UTF-8

language-validate New Fork (PID: 6598, Parent: 6597)

language-options (PID: 6598, Parent: 6597, MD5: 16a21f464119ea7fad1d3660de963637) Arguments: /usr/share/language-tools/language-options

language-options New Fork (PID: 6599, Parent: 6598)

sh (PID: 6599, Parent: 6598, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "locale -a | grep -F .utf8 "

sh New Fork (PID: 6600, Parent: 6599)

locale (PID: 6600, Parent: 6599, MD5: c72a78792469db86d91369c9057f20d2) Arguments: locale -a

sh New Fork (PID: 6601, Parent: 6599)

grep (PID: 6601, Parent: 6599, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -F .utf8

systemd New Fork (PID: 6602, Parent: 1)

polkitd (PID: 6602, Parent: 1, MD5: 8efc9b4b5b524210ad2ea1954a9d0e69) Arguments: /usr/lib/policykit-1/polkitd --no-debug

systemd New Fork (PID: 6651, Parent: 1860)

dbus-daemon (PID: 6651, Parent: 1860, MD5: 3089d47e3f3ab84cd81c48fd406d7a8c) Arguments: /usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only

systemd New Fork (PID: 6654, Parent: 1860)

pulseaudio (PID: 6654, Parent: 1860, MD5: 0c3b4c789d8ffb12b25507f27e14c186) Arguments: /usr/bin/pulseaudio --daemonize=no --log-target=journal

systemd New Fork (PID: 6655, Parent: 1)

rtkit-daemon (PID: 6655, Parent: 1, MD5: df0cacf1db4ec95ac70f5b6e06b8ffd7) Arguments: /usr/libexec/rtkit-daemon

cleanup

HTTP traffic detected: POST /9aadafe2051348cd32033e1cad68f0a5fe46fba3240ac1e6e42158f31b8a1371790c09baf3996b4979fe8e533446c7dedf30f654c68b25357334c66911dc6a9e HTTP/1.1Host: daisy.ubuntu.comAccept: */*Content-Type: application/octet-streamX-Whoopsie-Version: 0.2.69ubuntu0.3Content-Length: 164887Expect: 100-continue

Source: /usr/sbin/rsyslogd (PID: 6400)	Reads hosts file: /etc/hosts	Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6477)	Reads hosts file: /etc/hosts	Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6515)	Reads hosts file: /etc/hosts	Jump to behavior

Source: /usr/sbin/gdm3 (PID: 6587)	Socket: unknown address family			Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6614)	Socket: unknown address family			Jump to behavior

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145

Source: global traffic	DNS traffic detected: DNS query: raw.cloudboats.vip
Source: global traffic	DNS traffic detected: DNS query: raw.cloudboats.vip. [malformed]
Source: global traffic	DNS traffic detected: DNS query: daisy.ubuntu.com

Source: unknown

Source: syslog.93.dr, syslog.43.dr, syslog.29.dr

String found in binary or memory: https://www.rsyslog.com

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53118
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 53118 -> 443

System Summary

Sample tries to kill multiple processes (SIGKILL)

Source: /tmp/Aqua.arm5.elf (PID: 6222)	SIGKILL sent: pid: 1638, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	SIGKILL sent: pid: 6225, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	SIGKILL sent: pid: 658, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	SIGKILL sent: pid: 720, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	SIGKILL sent: pid: 721, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	SIGKILL sent: pid: 772, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	SIGKILL sent: pid: 774, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	SIGKILL sent: pid: 777, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	SIGKILL sent: pid: 785, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	SIGKILL sent: pid: 793, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	SIGKILL sent: pid: 936, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	SIGKILL sent: pid: 1320, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	SIGKILL sent: pid: 1344, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	SIGKILL sent: pid: 1886, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	SIGKILL sent: pid: 1983, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	SIGKILL sent: pid: 2048, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	SIGKILL sent: pid: 6195, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	SIGKILL sent: pid: 6196, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	SIGKILL sent: pid: 6397, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	SIGKILL sent: pid: 6399, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	SIGKILL sent: pid: 6400, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	SIGKILL sent: pid: 6401, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	SIGKILL sent: pid: 1335, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	SIGKILL sent: pid: 1872, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	SIGKILL sent: pid: 6474, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	SIGKILL sent: pid: 6477, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	SIGKILL sent: pid: 6478, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	SIGKILL sent: pid: 6493, result: successful	Jump to behavior

Source: ELF static info symbol of initial sample

.symtab present: no

Source: /tmp/Aqua.arm5.elf (PID: 6222)	SIGKILL sent: pid: 1638, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	SIGKILL sent: pid: 6225, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	SIGKILL sent: pid: 658, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	SIGKILL sent: pid: 720, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	SIGKILL sent: pid: 721, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	SIGKILL sent: pid: 772, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	SIGKILL sent: pid: 774, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	SIGKILL sent: pid: 777, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	SIGKILL sent: pid: 785, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	SIGKILL sent: pid: 793, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	SIGKILL sent: pid: 936, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	SIGKILL sent: pid: 1320, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	SIGKILL sent: pid: 1344, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	SIGKILL sent: pid: 1886, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	SIGKILL sent: pid: 1983, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	SIGKILL sent: pid: 2048, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	SIGKILL sent: pid: 6195, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	SIGKILL sent: pid: 6196, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	SIGKILL sent: pid: 6397, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	SIGKILL sent: pid: 6399, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	SIGKILL sent: pid: 6400, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	SIGKILL sent: pid: 6401, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	SIGKILL sent: pid: 1335, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	SIGKILL sent: pid: 1872, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	SIGKILL sent: pid: 6474, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	SIGKILL sent: pid: 6477, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	SIGKILL sent: pid: 6478, result: successful	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	SIGKILL sent: pid: 6493, result: successful	Jump to behavior

Source: classification engine

Classification label: mal76.spre.troj.evad.linELF@0/30@20/0

Persistence and Installation Behavior

Sample reads /proc/mounts (often used for finding a writable filesystem)

Source: /usr/bin/dbus-daemon (PID: 6401)	File: /proc/6401/mounts	Jump to behavior
Source: /bin/fusermount (PID: 6402)	File: /proc/6402/mounts	Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6478)	File: /proc/6478/mounts	Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6516)	File: /proc/6516/mounts	Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6614)	File: /proc/6614/mounts	Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6619)	File: /proc/6619/mounts	Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6651)	File: /proc/6651/mounts	Jump to behavior

Source: /usr/libexec/gsd-rfkill (PID: 6225)	Directory: <invalid fd (9)>/..	Jump to behavior
Source: /usr/libexec/gsd-rfkill (PID: 6225)	Directory: <invalid fd (8)>/..	Jump to behavior
Source: /lib/systemd/systemd-hostnamed (PID: 6230)	Directory: <invalid fd (10)>/..	Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6417)	Directory: <invalid fd (18)>/..	Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6417)	Directory: <invalid fd (17)>/..	Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6417)	File: /run/systemd/seats/.#seat0yL4nmq	Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6529)	Directory: <invalid fd (18)>/..	Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6529)	Directory: <invalid fd (17)>/..	Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6529)	File: /run/systemd/seats/.#seat0WzTeHS	Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6529)	File: /run/systemd/users/.#127ueliFR	Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6529)	File: /run/systemd/users/.#127RpkN5Q	Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6529)	File: /run/systemd/seats/.#seat0boHm9U	Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6529)	File: /run/systemd/users/.#127WIi0rT	Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6529)	File: /run/systemd/users/.#1271ptRsU	Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6529)	File: /run/systemd/users/.#127LtJfhS	Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6529)	File: /run/systemd/users/.#127BFFozU	Jump to behavior
Source: /usr/lib/gdm3/gdm-wayland-session (PID: 6612)	Directory: /var/lib/gdm3/.cache	Jump to behavior
Source: /usr/lib/accountsservice/accounts-daemon (PID: 6593)	Directory: /var/lib/gdm3/.pam_environment	Jump to behavior
Source: /usr/lib/accountsservice/accounts-daemon (PID: 6593)	Directory: /root/.cache	Jump to behavior
Source: /usr/lib/policykit-1/polkitd (PID: 6602)	Directory: /root/.cache	Jump to behavior

Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/6230/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/6232/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/6232/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/6232/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/6232/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/6474/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/6474/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/6234/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/6234/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/6234/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/6234/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/6233/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/6233/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/6233/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/6233/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/6236/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/6236/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/6236/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/6236/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/6478/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/6478/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/6235/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/6235/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/6235/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/6235/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/6477/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/6477/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/1582/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/3088/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/3088/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/230/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/230/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/230/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/230/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/110/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/110/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/110/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/110/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/231/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/231/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/231/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/231/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/111/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/111/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/111/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/111/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/232/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/232/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/232/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/232/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/1579/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/112/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/112/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/112/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/112/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/233/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/233/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/233/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/233/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/1699/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/113/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/113/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/113/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/113/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/234/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/234/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/234/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/234/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/1335/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/1335/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/1335/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/1335/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/1698/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/114/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/114/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/114/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/114/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/235/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/235/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/235/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/235/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/1334/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/1334/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/1334/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/1334/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/1576/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/2302/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/2302/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/2302/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/2302/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/115/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/115/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/115/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/115/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/236/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/236/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/236/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/236/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/116/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/116/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/116/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/116/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/237/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/237/stat	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/237/cmdline	Jump to behavior
Source: /tmp/Aqua.arm5.elf (PID: 6222)	File opened: /proc/237/stat	Jump to behavior

Source: /usr/bin/gpu-manager (PID: 6485)	Shell command executed: sh -c "grep -G \"^blacklist.nvidia[[:space:]]$\" /etc/modprobe.d/*.conf"	Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6487)	Shell command executed: sh -c "grep -G \"^blacklist.nvidia[[:space:]]$\" /lib/modprobe.d/*.conf"	Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6489)	Shell command executed: sh -c "grep -G \"^blacklist.radeon[[:space:]]$\" /etc/modprobe.d/*.conf"	Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6491)	Shell command executed: sh -c "grep -G \"^blacklist.radeon[[:space:]]$\" /lib/modprobe.d/*.conf"	Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6495)	Shell command executed: sh -c "grep -G \"^blacklist.amdgpu[[:space:]]$\" /etc/modprobe.d/*.conf"	Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6500)	Shell command executed: sh -c "grep -G \"^blacklist.amdgpu[[:space:]]$\" /lib/modprobe.d/*.conf"	Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6503)	Shell command executed: sh -c "grep -G \"^blacklist.nouveau[[:space:]]$\" /etc/modprobe.d/*.conf"	Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6506)	Shell command executed: sh -c "grep -G \"^blacklist.nouveau[[:space:]]$\" /lib/modprobe.d/*.conf"	Jump to behavior
Source: /usr/share/language-tools/language-options (PID: 6599)	Shell command executed: sh -c "locale -a \| grep -F .utf8 "	Jump to behavior

Source: /bin/sh (PID: 6486)	Grep executable: /usr/bin/grep -> grep -G ^blacklist.nvidia[[:space:]]$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf	Jump to behavior
Source: /bin/sh (PID: 6488)	Grep executable: /usr/bin/grep -> grep -G ^blacklist.nvidia[[:space:]]$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf	Jump to behavior
Source: /bin/sh (PID: 6490)	Grep executable: /usr/bin/grep -> grep -G ^blacklist.radeon[[:space:]]$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf	Jump to behavior
Source: /bin/sh (PID: 6492)	Grep executable: /usr/bin/grep -> grep -G ^blacklist.radeon[[:space:]]$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf	Jump to behavior
Source: /bin/sh (PID: 6498)	Grep executable: /usr/bin/grep -> grep -G ^blacklist.amdgpu[[:space:]]$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf	Jump to behavior
Source: /bin/sh (PID: 6502)	Grep executable: /usr/bin/grep -> grep -G ^blacklist.amdgpu[[:space:]]$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf	Jump to behavior
Source: /bin/sh (PID: 6504)	Grep executable: /usr/bin/grep -> grep -G ^blacklist.nouveau[[:space:]]$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf	Jump to behavior
Source: /bin/sh (PID: 6507)	Grep executable: /usr/bin/grep -> grep -G ^blacklist.nouveau[[:space:]]$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf	Jump to behavior
Source: /bin/sh (PID: 6601)	Grep executable: /usr/bin/grep -> grep -F .utf8	Jump to behavior

Source: /usr/share/gdm/generate-config (PID: 6509)

Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service

Jump to behavior

Source: /sbin/agetty (PID: 6493)	Reads version info: /etc/issue			Jump to behavior
Source: /sbin/agetty (PID: 6517)	Reads version info: /etc/issue			Jump to behavior

Source: /usr/sbin/gdm3 (PID: 6587)	File: /var/run/gdm3 (bits: - usr: -x grp: x all: rwx)	Jump to behavior
Source: /usr/sbin/gdm3 (PID: 6587)	File: /var/log/gdm3 (bits: - usr: -x grp: x all: rwx)	Jump to behavior
Source: /usr/lib/accountsservice/accounts-daemon (PID: 6593)	File: /var/lib/AccountsService/icons (bits: - usr: rx grp: rwx all: rwx)	Jump to behavior
Source: /usr/lib/accountsservice/accounts-daemon (PID: 6593)	File: /var/lib/AccountsService/users (bits: - usr: - grp: - all: rwx)	Jump to behavior

Source: /usr/sbin/rsyslogd (PID: 6400)	Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6477)	Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 6477)	Log file created: /var/log/kern.log
Source: /usr/bin/gpu-manager (PID: 6480)	Log file created: /var/log/gpu-manager.log	Jump to dropped file
Source: /usr/sbin/rsyslogd (PID: 6515)	Log file created: /var/log/kern.log	Jump to dropped file
Source: /usr/sbin/rsyslogd (PID: 6515)	Log file created: /var/log/auth.log	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Sample deletes itself

Source: /tmp/Aqua.arm5.elf (PID: 6220)

File: /tmp/Aqua.arm5.elf

Jump to behavior

Source: /usr/bin/gpu-manager (PID: 6480)

Truncated file: /var/log/gpu-manager.log

Jump to behavior

Source: /usr/bin/pkill (PID: 6509)	Reads CPU info from /sys: /sys/devices/system/cpu/online			Jump to behavior
Source: /usr/bin/pulseaudio (PID: 6654)	Reads CPU info from /sys: /sys/devices/system/cpu/online			Jump to behavior

Source: /tmp/Aqua.arm5.elf (PID: 6218)	Queries kernel information via 'uname':	Jump to behavior
Source: /lib/systemd/systemd-hostnamed (PID: 6230)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6400)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6477)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6480)	Queries kernel information via 'uname':	Jump to behavior
Source: /sbin/agetty (PID: 6493)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6515)	Queries kernel information via 'uname':	Jump to behavior
Source: /sbin/agetty (PID: 6517)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/lib/gdm3/gdm-session-worker (PID: 6606)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/pulseaudio (PID: 6654)	Queries kernel information via 'uname':	Jump to behavior

Source: syslog.29.dr	Binary or memory string: Dec 29 09:23:02 galassia kernel: [ 415.286901] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 12/12/2018
Source: Aqua.arm5.elf, 6218.1.000055a2b8743000.000055a2b8871000.rw-.sdmp, Aqua.arm5.elf, 6222.1.000055a2b8743000.000055a2b8871000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/arm
Source: Aqua.arm5.elf, 6218.1.00007fff90eef000.00007fff90f10000.rw-.sdmp, Aqua.arm5.elf, 6222.1.00007fff90eef000.00007fff90f10000.rw-.sdmp	Binary or memory string: cx86_64/usr/bin/qemu-arm/tmp/Aqua.arm5.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/Aqua.arm5.elf
Source: Aqua.arm5.elf, 6218.1.00007fff90eef000.00007fff90f10000.rw-.sdmp	Binary or memory string: /tmp/qemu-open.52VBHo
Source: syslog.29.dr	Binary or memory string: Dec 29 09:23:02 galassia kernel: [ 415.286881] Modules linked in: monitor(OE) md4 cmac cifs libarc4 fscache libdes vmw_vsock_vmci_transport vsock binfmt_misc dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua vmw_balloon joydev input_leds serio_raw vmw_vmci sch_fq_codel drm parport_pc ppdev lp parport ip_tables x_tables autofs4 btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel crypto_simd cryptd glue_helper psmouse ahci mptspi vmxnet3 scsi_transport_spi mptscsih libahci mptbase
Source: Aqua.arm5.elf, 6218.1.000055a2b8743000.000055a2b8871000.rw-.sdmp, Aqua.arm5.elf, 6222.1.000055a2b8743000.000055a2b8871000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: Aqua.arm5.elf, 6218.1.00007fff90eef000.00007fff90f10000.rw-.sdmp, Aqua.arm5.elf, 6222.1.00007fff90eef000.00007fff90f10000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm
Source: Aqua.arm5.elf, 6222.1.00007fff90eef000.00007fff90f10000.rw-.sdmp	Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped
Source: Aqua.arm5.elf, 6218.1.00007fff90eef000.00007fff90f10000.rw-.sdmp	Binary or memory string: U/tmp/qemu-open.52VBHo:U

Language, Device and Operating System Detection

Reads system files that contain records of logged in users

Source: /usr/lib/accountsservice/accounts-daemon (PID: 6593)

Logged in records file read: /var/log/wtmp

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	2 Scripting	Valid Accounts	Windows Management Instrumentation	2 Scripting	Path Interception	1 File and Directory Permissions Modification	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 Service Stop
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	1 System Owner/User Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Hidden Files and Directories	Security Account Manager	11 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Indicator Removal	NTDS	2 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 File Deletion	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Aqua.arm5.elf	52%	Virustotal		Browse
Aqua.arm5.elf	50%	ReversingLabs	Linux.Backdoor.Mirai
Aqua.arm5.elf	100%	Avira	EXP/ELF.Mirai.W

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
daisy.ubuntu.com	162.213.35.24	true	false	high
raw.cloudboats.vip	193.111.248.108	true	true	unknown
raw.cloudboats.vip. [malformed]	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://daisy.ubuntu.com/9aadafe2051348cd32033e1cad68f0a5fe46fba3240ac1e6e42158f31b8a1371790c09baf3996b4979fe8e533446c7dedf30f654c68b25357334c66911dc6a9e	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.rsyslog.com	syslog.93.dr, syslog.43.dr, syslog.29.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
162.213.35.25	unknown	United States	41231	CANONICAL-ASGB	false
193.111.248.108	raw.cloudboats.vip	Russian Federation	8100	ASN-QUADRANET-GLOBALUS	true
89.190.156.145	unknown	United Kingdom	7489	HOSTUS-GLOBAL-ASHostUSHK	false
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
162.213.35.25	Aqua.arm7.elf	Get hash	malicious	Mirai	Browse
	Aqua.ppc.elf	Get hash	malicious	Unknown	Browse
	Aqua.arm5.elf	Get hash	malicious	Unknown	Browse
	Aqua.mips.elf	Get hash	malicious	Unknown	Browse
	kqibeps.elf	Get hash	malicious	Mirai	Browse
	wlw68k.elf	Get hash	malicious	Mirai	Browse
	x86_64.elf	Get hash	malicious	Gafgyt	Browse
	Aqua.m68k.elf	Get hash	malicious	Unknown	Browse
	wiewa64.elf	Get hash	malicious	Mirai	Browse
	wrjkngh4.elf	Get hash	malicious	Mirai	Browse
193.111.248.108	Aqua.x86.elf	Get hash	malicious	Unknown	Browse
89.190.156.145	Aqua.x86.elf	Get hash	malicious	Unknown	Browse
	Aqua.arm7.elf	Get hash	malicious	Mirai	Browse
	Aqua.arm7.elf	Get hash	malicious	Mirai	Browse
	Aqua.arm4.elf	Get hash	malicious	Unknown	Browse
	Aqua.ppc.elf	Get hash	malicious	Unknown	Browse
	Aqua.arm5.elf	Get hash	malicious	Unknown	Browse
	Aqua.dbg.elf	Get hash	malicious	Unknown	Browse
	Aqua.mips.elf	Get hash	malicious	Unknown	Browse
	Aqua.x86_64.elf	Get hash	malicious	Unknown	Browse
	Aqua.x86.elf	Get hash	malicious	Unknown	Browse
109.202.202.202	kpLwzBouH4.elf	Get hash	malicious	Unknown	Browse	ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
daisy.ubuntu.com	Aqua.x86.elf	Get hash	malicious	Unknown	Browse	162.213.35.25
	i.elf	Get hash	malicious	Unknown	Browse	162.213.35.24
	tftp.elf	Get hash	malicious	Unknown	Browse	162.213.35.25
	Aqua.arm7.elf	Get hash	malicious	Mirai	Browse	162.213.35.24
	m68k.elf	Get hash	malicious	Gafgyt, Mirai	Browse	162.213.35.24
	mips.elf	Get hash	malicious	Gafgyt, Mirai	Browse	162.213.35.25
	mipsel.elf	Get hash	malicious	Gafgyt, Mirai	Browse	162.213.35.24
	i686.elf	Get hash	malicious	Gafgyt, Mirai	Browse	162.213.35.24
	arm61.elf	Get hash	malicious	Gafgyt, Mirai	Browse	162.213.35.24

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HOSTUS-GLOBAL-ASHostUSHK	Aqua.x86.elf	Get hash	malicious	Unknown	Browse	89.190.156.145
	Aqua.arm7.elf	Get hash	malicious	Mirai	Browse	89.190.156.145
	Aqua.arm7.elf	Get hash	malicious	Mirai	Browse	89.190.156.145
	Aqua.arm4.elf	Get hash	malicious	Unknown	Browse	89.190.156.145
	Aqua.ppc.elf	Get hash	malicious	Unknown	Browse	89.190.156.145
	Aqua.arm5.elf	Get hash	malicious	Unknown	Browse	89.190.156.145
	Aqua.dbg.elf	Get hash	malicious	Unknown	Browse	89.190.156.145
	Aqua.mips.elf	Get hash	malicious	Unknown	Browse	89.190.156.145
	Aqua.x86_64.elf	Get hash	malicious	Unknown	Browse	89.190.156.145
	Aqua.x86.elf	Get hash	malicious	Unknown	Browse	89.190.156.145
ASN-QUADRANET-GLOBALUS	Aqua.x86.elf	Get hash	malicious	Unknown	Browse	193.111.248.108
	db0fa4b8db0333367e9bda3ab68b8042.sh4.elf	Get hash	malicious	Mirai, Gafgyt	Browse	192.161.55.174
	xd.ppc.elf	Get hash	malicious	Mirai	Browse	104.200.183.149
	armv4l.elf	Get hash	malicious	Mirai	Browse	72.11.146.94
	jklm68k.elf	Get hash	malicious	Unknown	Browse	162.220.9.16
	splmpsl.elf	Get hash	malicious	Unknown	Browse	104.200.183.167
	arm.elf	Get hash	malicious	Mirai, Moobot	Browse	104.223.82.214
	nshkarm7.elf	Get hash	malicious	Mirai	Browse	154.205.78.194
	sh4.elf	Get hash	malicious	Mirai, Moobot	Browse	154.205.78.167
	nshkmpsl.elf	Get hash	malicious	Mirai	Browse	162.220.9.60
INIT7CH	Aqua.x86.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	109.71.252.43-boatnet.m68k-2024-12-28T20_30_38.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	Aqua.arm7.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	sh4.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	arm.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	mips64.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	arm6l.elf	Get hash	malicious	Gafgyt, Mirai	Browse	109.202.202.202
	mips.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	mipsel.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	bot.x86_64.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	109.202.202.202
CANONICAL-ASGB	Aqua.x86.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	109.71.252.43-boatnet.m68k-2024-12-28T20_30_38.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	Aqua.arm7.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	sh4.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	arm5.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	arm.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	x86_64.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	bot.x86.elf	Get hash	malicious	Mirai, Okiru	Browse	185.125.190.26
	armv6l.elf	Get hash	malicious	Mirai	Browse	185.125.190.26
	mips64.elf	Get hash	malicious	Mirai	Browse	91.189.91.42

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

/home/saturnino/.config/pulse/ee49dfd4fa47433baee88884e2d7de7c-default-sink

Download File

Process:	/usr/bin/pulseaudio
File Type:	ASCII text
Category:	dropped
Size (bytes):	10
Entropy (8bit):	2.9219280948873623
Encrypted:	false
SSDEEP:	3:5bkPn:pkP
MD5:	FF001A15CE15CF062A3704CEA2991B5F
SHA1:	B06F6855F376C3245B82212AC73ADED55DFE5DEF
SHA-256:	C54830B41ECFA1B6FBDC30397188DDA86B7B200E62AEAC21AE694A6192DCC38A
SHA-512:	65EBF7C31F6F65713CE01B38A112E97D0AE64A6BD1DA40CE4C1B998F10CD3912EE1A48BB2B279B24493062118AAB3B8753742E2AF28E56A31A7AAB27DE80E7BF
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	auto_null.

/home/saturnino/.config/pulse/ee49dfd4fa47433baee88884e2d7de7c-default-source

Download File

Process:	/usr/bin/pulseaudio
File Type:	ASCII text
Category:	dropped
Size (bytes):	18
Entropy (8bit):	3.4613201402110088
Encrypted:	false
SSDEEP:	3:5bkrIZsXvn:pkckv
MD5:	28FE6435F34B3367707BB1C5D5F6B430
SHA1:	EB8FE2D16BD6BBCCE106C94E4D284543B2573CF6
SHA-256:	721A37C69E555799B41D308849E8F8125441883AB021B723FED90A9B744F36C0
SHA-512:	6B6AB7C0979629D0FEF6BE47C5C6BCC367EDD0AAE3FC973F4DE2FD5F0A819C89E7656DB65D453B1B5398E54012B27EDFE02894AD87A7E0AF3A9C5F2EB24A9919
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	auto_null.monitor.

/proc/6617/oom_score_adj

Download File

Process:	/usr/bin/dbus-daemon
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:V:V
MD5:	CFCD208495D565EF66E7DFF9F98764DA
SHA1:	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA-256:	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SHA-512:	31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
Malicious:	false
Reputation:	high, very likely benign file
Preview:	0

/run/gdm3.pid

Download File

Process:	/usr/sbin/gdm3
File Type:	ASCII text
Category:	dropped
Size (bytes):	5
Entropy (8bit):	2.321928094887362
Encrypted:	false
SSDEEP:	3:sc:sc
MD5:	C35D3422B2C4A5C8B315159E44938ADE
SHA1:	70573B741B3B4FBC2557D62A194FE1E940BF7DB1
SHA-256:	01CBB9AB65D4B0DD531F435D501AAF08AC8A5200A43DBDCD5B2357BC01948BB3
SHA-512:	1DCB9101B62591D4C2F776DC2D1E7C10D7192DEF1C650669990DF69D52C51E63E7CD9F55303CA03E7016B2FE3E6093B1887C74DEBD15DD423450209721D7196C
Malicious:	false
Reputation:	low
Preview:	6587.

/run/systemd/seats/.#seat0WzTeHS

Download File

Process:	/lib/systemd/systemd-logind
File Type:	ASCII text
Category:	dropped
Size (bytes):	95
Entropy (8bit):	4.921230646592726
Encrypted:	false
SSDEEP:	3:SbFVVmFyinKMsuH47rLg205vmLUbr+v:SbFuFyLwH47Pg20ggWv
MD5:	BE58CCABC942125F5E27AF6EB1BA2F88
SHA1:	07C20F55E36EE48869B223B8FC4DBC227C7353AC
SHA-256:	551B1D1C8E5953D5D0CF49C83C1568E2FBEF8BDDB69903B3DA82240B777B4629
SHA-512:	E5A270995FDE80530927E0BACD3BF76EE820C968AABD55D2E34579326F388AFD6DE7FB8C5D54F69D3F6AC30A5B587FD3B0456FC60326E7DF4F45789A900D046C
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	# This is private data. Do not parse..IS_SEAT0=1.CAN_MULTI_SESSION=1.CAN_TTY=1.CAN_GRAPHICAL=0.

/run/systemd/seats/.#seat0boHm9U

Download File

Process:	/lib/systemd/systemd-logind
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.957035419463244
Encrypted:	false
SSDEEP:	3:SbFVVmFyinKMsuH47rLg205vmLUbr+ugKQ2KwshcXSv:SbFuFyLwH47Pg20ggWunQ2rNXc
MD5:	66D114877B3B4DB3BDD8A3AD4F5E7421
SHA1:	62E0CB0F51E0E3F97BE251CB917968DFF69ED344
SHA-256:	A922628916A7DDBE2BAA33F421C82250527EA3C28E429749353A1C75C0C18860
SHA-512:	5651247FA236DCF020A3C8456E4A9A74A85C5B9B3CCE94A3CF8F85FD4D66465C9F97DF7A1822E6CA4553C02BE149F3021D58DCC0C8CB6DCF37F915BD0A158187
Malicious:	false
Preview:	# This is private data. Do not parse..IS_SEAT0=1.CAN_MULTI_SESSION=1.CAN_TTY=1.CAN_GRAPHICAL=0.SESSIONS=c1.UIDS=127.

/run/systemd/seats/.#seat0yL4nmq

Download File

Process:	/lib/systemd/systemd-logind
File Type:	ASCII text
Category:	dropped
Size (bytes):	95
Entropy (8bit):	4.921230646592726
Encrypted:	false
SSDEEP:	3:SbFVVmFyinKMsuH47rLg205vmLUbr+v:SbFuFyLwH47Pg20ggWv
MD5:	BE58CCABC942125F5E27AF6EB1BA2F88
SHA1:	07C20F55E36EE48869B223B8FC4DBC227C7353AC
SHA-256:	551B1D1C8E5953D5D0CF49C83C1568E2FBEF8BDDB69903B3DA82240B777B4629
SHA-512:	E5A270995FDE80530927E0BACD3BF76EE820C968AABD55D2E34579326F388AFD6DE7FB8C5D54F69D3F6AC30A5B587FD3B0456FC60326E7DF4F45789A900D046C
Malicious:	false
Preview:	# This is private data. Do not parse..IS_SEAT0=1.CAN_MULTI_SESSION=1.CAN_TTY=1.CAN_GRAPHICAL=0.

/run/systemd/users/.#1271ptRsU

Download File

Process:	/lib/systemd/systemd-logind
File Type:	ASCII text
Category:	dropped
Size (bytes):	174
Entropy (8bit):	5.295225271148732
Encrypted:	false
SSDEEP:	3:SbFVVmFyinKMs5BuSgdNR2sKiYiesnAv/XSHxJgAUXEdfWVok5206qodvQX6:SbFuFyL3BVgdL87iesnAiRJgZXEdfWVS
MD5:	F94EDF9F779D8B3A74B5BE58B6409248
SHA1:	075C6E0790A5968C09CDD6590C19B158F005B804
SHA-256:	14AA3A7DB1C10BC53BA5961193F9CEFAF2CE9D3F5781C809666CF9B5D958162D
SHA-512:	B8EB2790BBF306A8F197ABC094D3BEC801FC29E0FBFF13F24A180D82CBEEAEF0CF6AFFD305763EEEFE73F13F8F458BC0947D3D414F8C39596FA59AFF9FDC90B0
Malicious:	false
Preview:	# This is private data. Do not parse..NAME=gdm.STATE=closing.STOPPING=no.RUNTIME=/run/user/127.REALTIME=1735485805668663.MONOTONIC=438351857.LAST_SESSION_TIMESTAMP=438456405.

/run/systemd/users/.#127BFFozU

Download File

Process:	/lib/systemd/systemd-logind
File Type:	ASCII text
Category:	dropped
Size (bytes):	223
Entropy (8bit):	5.479991003962759
Encrypted:	false
SSDEEP:	6:SbFuFyL3BVgdL87ynAir/0Ixff6MxJgZXEdfWVt6CX6:qgFq30dABibBJgpZICX6
MD5:	BAAF7DDBF3C343FE52A53BB71A63B407
SHA1:	78211D76BD65DF27479E5B7796D4220A4B23F0FB
SHA-256:	9A3A0C7C33C77832D2AA9725E8D440433150D1719E915265690A83F99865E8ED
SHA-512:	EC88BE6085A18E3F5A57B1B0A07E11E14C40A78946B0F1E581A13FFA18D0D7D616547530006246C1B9FCA64F54FD351BEC23E61F99FBB31EF27F03ED96F9B14F
Malicious:	false
Preview:	# This is private data. Do not parse..NAME=gdm.STATE=closing.STOPPING=yes.RUNTIME=/run/user/127.SERVICE_JOB=/org/freedesktop/systemd1/job/12946.REALTIME=1735485805668663.MONOTONIC=438351857.LAST_SESSION_TIMESTAMP=438456405.

/run/systemd/users/.#127LtJfhS

Download File

Process:	/lib/systemd/systemd-logind
File Type:	ASCII text
Category:	dropped
Size (bytes):	223
Entropy (8bit):	5.479991003962759
Encrypted:	false
SSDEEP:	6:SbFuFyL3BVgdL87ynAir/0Ixff6MxJgZXEdfWVt6CX6:qgFq30dABibBJgpZICX6
MD5:	BAAF7DDBF3C343FE52A53BB71A63B407
SHA1:	78211D76BD65DF27479E5B7796D4220A4B23F0FB
SHA-256:	9A3A0C7C33C77832D2AA9725E8D440433150D1719E915265690A83F99865E8ED
SHA-512:	EC88BE6085A18E3F5A57B1B0A07E11E14C40A78946B0F1E581A13FFA18D0D7D616547530006246C1B9FCA64F54FD351BEC23E61F99FBB31EF27F03ED96F9B14F
Malicious:	false
Preview:	# This is private data. Do not parse..NAME=gdm.STATE=closing.STOPPING=yes.RUNTIME=/run/user/127.SERVICE_JOB=/org/freedesktop/systemd1/job/12946.REALTIME=1735485805668663.MONOTONIC=438351857.LAST_SESSION_TIMESTAMP=438456405.

/run/systemd/users/.#127RpkN5Q

Download File

Process:	/lib/systemd/systemd-logind
File Type:	ASCII text
Category:	dropped
Size (bytes):	282
Entropy (8bit):	5.300718506370197
Encrypted:	false
SSDEEP:	6:SbFuFyL3BVgVuR257iesnAir/0Ixff6fJpJgZXEdfW5Q2thQc2pb02/g2p9rwB:qgFq30VuR8L/ibBcrgpxthQHtPYq9M
MD5:	07E86A03008971DDC042AD2EAA34161F
SHA1:	D298491CC58B68DCFF10029A6ADAB06590981585
SHA-256:	D4062A3857E704343FBC101D8D03ABDE7D599CC2E3FC992A8F27D18362400371
SHA-512:	6460EFFE1EE4645582348EBABABC8EF532D593FD4C08408CEB637931AB5C6324D9A0FF93803D893A91B1A5C0CA705A7866082D5DFCFAC4628C52984B87B38733
Malicious:	false
Preview:	# This is private data. Do not parse..NAME=gdm.STATE=opening.STOPPING=no.RUNTIME=/run/user/127.SERVICE_JOB=/org/freedesktop/systemd1/job/12884.REALTIME=1735485805668663.MONOTONIC=438351857.SESSIONS=c1.SEATS=seat0.ACTIVE_SESSIONS=.ONLINE_SESSIONS=c1.ACTIVE_SEATS=.ONLINE_SEATS=seat0.

/run/systemd/users/.#127WIi0rT

Download File

Process:	/lib/systemd/systemd-logind
File Type:	ASCII text
Category:	dropped
Size (bytes):	282
Entropy (8bit):	5.300718506370197
Encrypted:	false
SSDEEP:	6:SbFuFyL3BVgVuR257iesnAir/0Ixff6fJpJgZXEdfW5Q2thQc2pb02/g2p9rwB:qgFq30VuR8L/ibBcrgpxthQHtPYq9M
MD5:	07E86A03008971DDC042AD2EAA34161F
SHA1:	D298491CC58B68DCFF10029A6ADAB06590981585
SHA-256:	D4062A3857E704343FBC101D8D03ABDE7D599CC2E3FC992A8F27D18362400371
SHA-512:	6460EFFE1EE4645582348EBABABC8EF532D593FD4C08408CEB637931AB5C6324D9A0FF93803D893A91B1A5C0CA705A7866082D5DFCFAC4628C52984B87B38733
Malicious:	false
Preview:	# This is private data. Do not parse..NAME=gdm.STATE=opening.STOPPING=no.RUNTIME=/run/user/127.SERVICE_JOB=/org/freedesktop/systemd1/job/12884.REALTIME=1735485805668663.MONOTONIC=438351857.SESSIONS=c1.SEATS=seat0.ACTIVE_SESSIONS=.ONLINE_SESSIONS=c1.ACTIVE_SEATS=.ONLINE_SEATS=seat0.

/run/systemd/users/.#127ueliFR

Download File

Process:	/lib/systemd/systemd-logind
File Type:	ASCII text
Category:	dropped
Size (bytes):	188
Entropy (8bit):	4.928997328913428
Encrypted:	false
SSDEEP:	3:SbFVVmFyinKMs5BuSgVuMI2sKiYiesnAv/XS12K2hwEY8mTQ2pJi22sQ2KkmD2pi:SbFuFyL3BVgVuR257iesnAi12thQc2p4
MD5:	065A3AD1A34A9903F536410ECA748105
SHA1:	21CD684DF60D569FA96EEEB66A0819EAC1B2B1A4
SHA-256:	E80554BF0FF4E32C61D4FA3054F8EFB27A26F1C37C91AE4EA94445C400693941
SHA-512:	DB3C42E893640BAEE9F0001BDE6E93ED40CC33198AC2B47328F577D3C71E2C2E986AAAFEF5BD8ADBC639B5C24ADF715D87034AE24B697331FF6FEC5962630064
Malicious:	false
Preview:	# This is private data. Do not parse..NAME=gdm.STATE=opening.STOPPING=no.RUNTIME=/run/user/127.SESSIONS=c1.SEATS=seat0.ACTIVE_SESSIONS=.ONLINE_SESSIONS=c1.ACTIVE_SEATS=.ONLINE_SEATS=seat0.

/run/user/1000/pulse/pid

Download File

Process:	/usr/bin/pulseaudio
File Type:	ASCII text
Category:	dropped
Size (bytes):	5
Entropy (8bit):	1.9219280948873623
Encrypted:	false
SSDEEP:	3:cv:cv
MD5:	FE93D837F8344E82B97F9511D8177F46
SHA1:	90EE86EA26BE71E924CEB110FE683A1B518A9A2A
SHA-256:	9BF55207E13CAD7C0F9ED70788BEE43760529AEEA3626CBEF2668CDA56DCCC11
SHA-512:	CD9B14D1602D1CC60C4FFCBA1E113DC67F82085D7DC211C5F0120C45355123F8F87CC1765531A21A3D8C96D24693BC2D2AF226108BDAEFBE9A44AB1B099F783D
Malicious:	false
Preview:	6654.

/run/utmp

Download File

Process:	/sbin/agetty
File Type:	data
Category:	dropped
Size (bytes):	384
Entropy (8bit):	0.6775035134351415
Encrypted:	false
SSDEEP:	3:Rlc1sXlXEWtl/WbMgll:Rlv+yl+l
MD5:	A2DB2C96A33AF875FD006D833172CB9F
SHA1:	85C49960DAE751FA9A1325024B2431FD6C5F9A58
SHA-256:	86F9FD46EB1AE96B79840643D9BB30D289B23B4577C8D12F9E2342B136988BB2
SHA-512:	C8BDE27770C1BADA145564AAA20E9EAAFC6BB60C2A2CDB6784FD47419AF271E6C6A87FF957894F25A8DF5462735B8B207980A32B1B1720DF6209B2DA2CB9478A
Malicious:	false
Preview:	....u...tty2.tty2.......................tty2LOGIN...............................................................................................................................................................................................................................................................................................u...hiqg........................................

/tmp/qemu-open.52VBHo (deleted)

Download File

Process:	/tmp/Aqua.arm5.elf
File Type:	data
Category:	dropped
Size (bytes):	29
Entropy (8bit):	4.1162646156680225
Encrypted:	false
SSDEEP:	3:Tg0wV8HJN:TguJN
MD5:	4544A7679D740EEB693F73BE3B914EA6
SHA1:	D464EFA50C50C678F92B3527D32F733EE193E9FD
SHA-256:	BF8D67FE4A6830DF4F7C4EFDF835D627B7AC41C686A405ECBEBE1D58FE741A08
SHA-512:	828DBECBB143E5502FE6FE8B1CA67AFE4FAB9DFD02B0C9EEDFB648166A3F5CE4B2BC5927852CDC277B1D25B80431CCB2C637536B17D834AA3DA53B7926330024
Malicious:	false
Preview:	/tmp/Aqua.arm5.elf.nwlrbbmqbh

/var/lib/AccountsService/users/gdm.R92JZ2

Download File

Process:	/usr/lib/accountsservice/accounts-daemon
File Type:	ASCII text
Category:	dropped
Size (bytes):	61
Entropy (8bit):	4.66214589518167
Encrypted:	false
SSDEEP:	3:urzMQvNT+PzKLrAan4R8AKn:gzMQIzKLrAa4M
MD5:	542BA3FB41206AE43928AF1C5E61FEBC
SHA1:	F56F574DAF50D609526B36B5B54FDD59EA4D6A26
SHA-256:	730D9509D4EAA7266829A8F5A8CFEBA6BBDDD5873FC2BD580AD464F4A237E11A
SHA-512:	D774B8F191A5C65228D1B3CA1181701CFCD07A3D91C5571B0DDF32AD3E241C2D7BDFC0697AB97DC10441EF9CDC8AEE5B19BC34E13E5C8B0B91AD06EEF42F5AEA
Malicious:	false
Preview:	[User].XSession=.Icon=/var/lib/gdm3/.face.SystemAccount=true.

/var/lib/ubuntu-drivers-common/last_gfx_boot

Download File

Process:	/usr/bin/gpu-manager
File Type:	ASCII text
Category:	dropped
Size (bytes):	25
Entropy (8bit):	2.7550849518197795
Encrypted:	false
SSDEEP:	3:JoT/V9fDVbn:M/V3n
MD5:	078760523943E160756979906B85FB5E
SHA1:	0962643266F4C5537F7D125046F28F21D6DD0C89
SHA-256:	048416AC7A9A99690B8B53718CD39F32F637B55CC8DD8E67E58E5AEF060DD41C
SHA-512:	DEFAAE8F8B54C61A716A0B0B4884358FEB8EB44DFEA01AAA5A687FDA7182792B7DEBB34AA840672EB3B40EB59FD0186749E08E47D181786C7FAA8C8F73F0104D
Malicious:	false
Preview:	15ad:0405;0000:00:0f:0;1.

/var/log/auth.log

Download File

Process:	/usr/sbin/rsyslogd
File Type:	ASCII text
Category:	dropped
Size (bytes):	1537
Entropy (8bit):	4.92296459270281
Encrypted:	false
SSDEEP:	24:HZeaLZ4BBGN9O5AvqA2+VhHZX0pYrfVJrkfrCQU:/v7fVaYrrrkfrCn
MD5:	9ED8961C567D16855BBFA2B799CF0B70
SHA1:	73B1E4DE35972529DAF7675BCC3C2153289FFDF4
SHA-256:	09EC9EAD7E185D4619739F8ADEDEED03BAAC9EA987616C739F6D4404179004BF
SHA-512:	7388C2F12E674758A733F2D3F4638DE9FFE523060BFF5CCAF81315E57504E7AECDF59F24D491770C588BEF02857C6E4D26419B08FB14794844EACB3F846A6A4A
Malicious:	false
Preview:	Dec 29 09:23:18 galassia systemd-logind[6529]: Failed to add user by file name 1000, ignoring: Invalid argument.Dec 29 09:23:18 galassia systemd-logind[6529]: Failed to add user by file name 127, ignoring: Invalid argument.Dec 29 09:23:18 galassia systemd-logind[6529]: User enumeration failed: Invalid argument.Dec 29 09:23:18 galassia systemd-logind[6529]: User of session 2 not known..Dec 29 09:23:18 galassia systemd-logind[6529]: User of session c1 not known..Dec 29 09:23:18 galassia systemd-logind[6529]: Session enumeration failed: No such file or directory.Dec 29 09:23:18 galassia systemd-logind[6529]: Watching system buttons on /dev/input/event0 (Power Button).Dec 29 09:23:18 galassia systemd-logind[6529]: Watching system buttons on /dev/input/event1 (AT Translated Set 2 keyboard).Dec 29 09:23:18 galassia systemd-logind[6529]: New seat seat0..Dec 29 09:23:25 galassia gdm-launch-environment]: pam_unix(gdm-launch-environment:session): session opened for user gdm by (uid=0).Dec 29 09:

/var/log/gpu-manager.log

Download File

Process:	/usr/bin/gpu-manager
File Type:	ASCII text
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	4.8296848499188485
Encrypted:	false
SSDEEP:	24:wPXXX9uV6BNu3WDF3GF3XFFxFFed2uk2HUvJlfWkpPpx7uvvAdow9555cJz:wPXXXe6vejpeC2HUR5WkpPpcvAdow95O
MD5:	3AF77E630DA00B3BE24F4E8AA5D78B13
SHA1:	BCF2D99E002F6DE2413A183227B011CFBEF5673D
SHA-256:	EB1CBBA20845237B4409274D693FEAE13F835274DA3337B7A9D14F4D7FDF9DEA
SHA-512:	8524B1E8A761F962B32F396812099B9B0B2DCF3C9FCA8605424753CFCFF4DC67EDC5EE1D8C91B9C0ED7FAE6BB1E752898B8D514B7C421D1839D6FEDA609C593C
Malicious:	false
Preview:	log_file: /var/log/gpu-manager.log.last_boot_file: /var/lib/ubuntu-drivers-common/last_gfx_boot.new_boot_file: /var/lib/ubuntu-drivers-common/last_gfx_boot.can't access /run/u-d-c-nvidia-was-loaded file.can't get module info via kmodcan't access /opt/amdgpu-pro/bin/amdgpu-pro-px.Looking for nvidia modules in /lib/modules/5.4.0-72-generic/kernel.Looking for nvidia modules in /lib/modules/5.4.0-72-generic/updates/dkms.Looking for amdgpu modules in /lib/modules/5.4.0-72-generic/kernel.Looking for amdgpu modules in /lib/modules/5.4.0-72-generic/updates/dkms.Is nvidia loaded? no.Was nvidia unloaded? no.Is nvidia blacklisted? no.Is intel loaded? no.Is radeon loaded? no.Is radeon blacklisted? no.Is amdgpu loaded? no.Is amdgpu blacklisted? no.Is amdgpu versioned? no.Is amdgpu pro stack? no.Is nouveau loaded? no.Is nouveau blacklisted? no.Is nvidia kernel module available? no.Is amdgpu kernel module available? no.Vendor/Device Id: 15ad:405.BusID "PCI:0@0:15:0".Is boot vga? yes.Error: can't acce

/var/log/kern.log

Download File

Process:	/usr/sbin/rsyslogd
File Type:	ASCII text
Category:	dropped
Size (bytes):	4594
Entropy (8bit):	4.705346206458608
Encrypted:	false
SSDEEP:	48:SYVl2r7x+JSY9kpJH+U7xD/7xcjXl4tW39EEtW5l8etbIJfDz8/9oFw/9v3/9jhq:FmepG0i2Qh1H8EGyTH6v
MD5:	38BFD8726D0BBF860AA423686960FD18
SHA1:	1364DB77CC58FC63C250FB2265BDA28B720160A5
SHA-256:	04FFAE6C4AC9443DFFBF62F7B14BED0F7FF3376C085A81296681F8711A0B5E5C
SHA-512:	F967CF059491963FC9DD9C31DCEC61D562565A230136627DDE915F445CD5D33348794D383DAAB93D3E0BA31B3440F59EAA333DD2BB60FA04833080C2340A97FA
Malicious:	false
Preview:	Dec 29 09:23:15 galassia kernel: [ 427.125755] blocking signal 9: 6222 -> 2048.Dec 29 09:23:15 galassia kernel: [ 428.044408] New task spawned: old: (tgid 6514, tid 6514), new (tgid: 6514, tid: 6518).Dec 29 09:23:15 galassia kernel: [ 428.067214] New task spawned: old: (tgid 6515, tid 6515), new (tgid: 6515, tid: 6519).Dec 29 09:23:15 galassia kernel: [ 428.067905] New task spawned: old: (tgid 6515, tid 6515), new (tgid: 6515, tid: 6520).Dec 29 09:23:16 galassia kernel: [ 428.070592] New task spawned: old: (tgid 6515, tid 6519), new (tgid: 6515, tid: 6521).Dec 29 09:23:17 galassia kernel: [ 429.192711] New task spawned: old: (tgid 6514, tid 6514), new (tgid: 6514, tid: 6526).Dec 29 09:23:20 galassia kernel: [ 430.114807] New task spawned: old: (tgid 6514, tid 6514), new (tgid: 6514, tid: 6586).Dec 29 09:23:21 galassia kernel: [ 433.363349] New task spawned: old: (tgid 6587, tid 6587), new (tgid: 6587, tid: 6590).Dec 29 09:23:21 galassia kernel: [ 433.694291] New task spawned:

/var/log/syslog

Download File

Process:	/usr/sbin/rsyslogd
File Type:	ASCII text, with very long lines (317)
Category:	dropped
Size (bytes):	26946
Entropy (8bit):	5.021057648897129
Encrypted:	false
SSDEEP:	768:m+ycdS8tWig3foj31mVh9zyUom9UYKDhtfBnLF0Sewv5NTaM4GcOyAJ7HVFjXpwt:NvYfrCy2MR
MD5:	B41444CF7DEBB2339F245CC0B03FA70E
SHA1:	190A989917EA699319D4EFECD59BD8658F1A5A08
SHA-256:	781FD0C019FAFCD0DF2B77275895CFAF708D028577F74B108A31D26A6479B065
SHA-512:	FC93ADCBC538B6B6DAAB127E1E81F1F72BA29558191E9186129CDEBF6862D3A70FA6BE2FDE0B2B3C6C3282D2068757B104860BCC684EA6C1943E584F358C6309
Malicious:	false
Preview:	Dec 29 09:23:15 galassia systemd[1]: whoopsie.service: Scheduled restart job, restart counter is at 3..Dec 29 09:23:15 galassia systemd[1]: Stopped crash report submission daemon..Dec 29 09:23:15 galassia systemd[1]: Started crash report submission daemon..Dec 29 09:23:15 galassia systemd[1]: rsyslog.service: Main process exited, code=killed, status=9/KILL.Dec 29 09:23:15 galassia systemd[1]: rsyslog.service: Failed with result 'signal'..Dec 29 09:23:15 galassia systemd[1]: rsyslog.service: Scheduled restart job, restart counter is at 3..Dec 29 09:23:15 galassia systemd[1]: Stopped System Logging Service..Dec 29 09:23:15 galassia systemd[1]: Starting System Logging Service....Dec 29 09:23:15 galassia systemd[1]: dbus.service: Main process exited, code=killed, status=9/KILL.Dec 29 09:23:15 galassia systemd[1]: dbus.service: Failed with result 'signal'..Dec 29 09:23:15 galassia systemd[1]: Started D-Bus System Message Bus..Dec 29 09:23:15 galassia systemd[1]: getty@tty2.service: Succeede

/var/log/wtmp

Download File

Process:	/sbin/agetty
File Type:	data
Category:	dropped
Size (bytes):	384
Entropy (8bit):	0.6775035134351415
Encrypted:	false
SSDEEP:	3:Rlc1sXlXEWtl/WbMgll:Rlv+yl+l
MD5:	A2DB2C96A33AF875FD006D833172CB9F
SHA1:	85C49960DAE751FA9A1325024B2431FD6C5F9A58
SHA-256:	86F9FD46EB1AE96B79840643D9BB30D289B23B4577C8D12F9E2342B136988BB2
SHA-512:	C8BDE27770C1BADA145564AAA20E9EAAFC6BB60C2A2CDB6784FD47419AF271E6C6A87FF957894F25A8DF5462735B8B207980A32B1B1720DF6209B2DA2CB9478A
Malicious:	true
Preview:	....u...tty2.tty2.......................tty2LOGIN...............................................................................................................................................................................................................................................................................................u...hiqg........................................

Source: Aqua.arm5.elf	Virustotal: Detection: 52%			Perma Link
Source: Aqua.arm5.elf	ReversingLabs: Detection: 50%

Source: global traffic	TCP traffic: 192.168.2.23:50012 -> 89.190.156.145:7733
Source: global traffic	TCP traffic: 192.168.2.23:34790 -> 193.111.248.108:33966

File type:	ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
Entropy (8bit):	6.052334400992591
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	Aqua.arm5.elf
File size:	75'268 bytes
MD5:	4f1be192cb2790c9a272bc8ae2ed4b79
SHA1:	d7c5fc8426775df43d7904f7d8475c9a2f5d6443
SHA256:	e2991286f85807cd3f7a227420b2692c4928c06c241656c0454319388522cf65
SHA512:	0af8a527e472857be69174be2544d328bd5001283a6e6999eaa577ff48bef64429c5b7934f1dbe2a0339d0984721bc5632622f2f4052cbc54a832518e7ae6861
SSDEEP:	1536:8GcEk0+/kGoDDBKhjErbwlONGR5znoyhI6Sim:8GcSRMjEPsRnxC
TLSH:	96733A91FD829613C6D012BBFB5E418D372A13A8D3EE72079E256F20378785B0E77652
File Content Preview:	.ELF...a..........(.........4...t$......4. ...(.......................................... ... ... ..4....&..........Q.td..................................-...L."...vA..........0@-.\P...0....S.0...P@...0... ....R......0...0...........0... ....R..... 0....S

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	ARM
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	ARM - ABI
ABI Version:	0
Entry Point Address:	0x8190
Flags:	0x2
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	74868
Section Header Size:	40
Number of Section Headers:	10
Header String Table Index:	9

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x8094	0x94	0x18	0x0	0x6	AX	4
.text	PROGBITS	0x80b0	0xb0	0x10610	0x0	0x6	AX	16
.fini	PROGBITS	0x186c0	0x106c0	0x14	0x0	0x6	AX	4
.rodata	PROGBITS	0x186d4	0x106d4	0x1838	0x0	0x2	A	4
.ctors	PROGBITS	0x22000	0x12000	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x22008	0x12008	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x22014	0x12014	0x420	0x0	0x3	WA	4
.bss	NOBITS	0x22434	0x12434	0x21e0	0x0	0x3	WA	4
.shstrtab	STRTAB	0x0	0x12434	0x3e	0x0	0x0		1

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x8000	0x8000	0x11f0c	0x11f0c	6.0902	0x5	R E	0x8000	.init .text .fini .rodata
LOAD	0x12000	0x22000	0x22000	0x434	0x2614	3.5189	0x6	RW	0x8000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 29, 2024 16:22:59.804801941 CET	41714	53	192.168.2.23	8.8.8.8
Dec 29, 2024 16:23:00.163810968 CET	53	41714	8.8.8.8	192.168.2.23
Dec 29, 2024 16:23:00.165216923 CET	59913	53	192.168.2.23	8.8.8.8
Dec 29, 2024 16:23:00.294501066 CET	53	59913	8.8.8.8	192.168.2.23
Dec 29, 2024 16:23:00.296869993 CET	56423	53	192.168.2.23	8.8.8.8
Dec 29, 2024 16:23:00.420454025 CET	53	56423	8.8.8.8	192.168.2.23
Dec 29, 2024 16:23:00.422379017 CET	45793	53	192.168.2.23	8.8.8.8
Dec 29, 2024 16:23:00.552583933 CET	53	45793	8.8.8.8	192.168.2.23
Dec 29, 2024 16:23:00.554254055 CET	46445	53	192.168.2.23	8.8.8.8
Dec 29, 2024 16:23:00.689564943 CET	53	46445	8.8.8.8	192.168.2.23
Dec 29, 2024 16:23:00.691548109 CET	57200	53	192.168.2.23	8.8.8.8
Dec 29, 2024 16:23:00.818968058 CET	53	57200	8.8.8.8	192.168.2.23
Dec 29, 2024 16:23:02.410679102 CET	45020	53	192.168.2.23	8.8.8.8
Dec 29, 2024 16:23:02.534492016 CET	53	45020	8.8.8.8	192.168.2.23
Dec 29, 2024 16:23:02.539820910 CET	37050	53	192.168.2.23	8.8.8.8
Dec 29, 2024 16:23:02.675759077 CET	53	37050	8.8.8.8	192.168.2.23
Dec 29, 2024 16:23:02.677232027 CET	39488	53	192.168.2.23	8.8.8.8
Dec 29, 2024 16:23:02.812218904 CET	53	39488	8.8.8.8	192.168.2.23
Dec 29, 2024 16:23:02.814249039 CET	45229	53	192.168.2.23	8.8.8.8
Dec 29, 2024 16:23:02.940426111 CET	53	45229	8.8.8.8	192.168.2.23
Dec 29, 2024 16:23:02.951777935 CET	41702	53	192.168.2.23	8.8.8.8
Dec 29, 2024 16:23:03.078391075 CET	53	41702	8.8.8.8	192.168.2.23
Dec 29, 2024 16:23:03.084408045 CET	60010	53	192.168.2.23	8.8.8.8
Dec 29, 2024 16:23:03.219750881 CET	53	60010	8.8.8.8	192.168.2.23
Dec 29, 2024 16:23:03.225720882 CET	57981	53	192.168.2.23	8.8.8.8
Dec 29, 2024 16:23:03.349337101 CET	53	57981	8.8.8.8	192.168.2.23
Dec 29, 2024 16:23:03.356023073 CET	49033	53	192.168.2.23	8.8.8.8
Dec 29, 2024 16:23:03.479691982 CET	53	49033	8.8.8.8	192.168.2.23
Dec 29, 2024 16:23:03.482846022 CET	48443	53	192.168.2.23	8.8.8.8
Dec 29, 2024 16:23:03.606412888 CET	53	48443	8.8.8.8	192.168.2.23
Dec 29, 2024 16:23:03.608429909 CET	59809	53	192.168.2.23	8.8.8.8
Dec 29, 2024 16:23:03.737711906 CET	53	59809	8.8.8.8	192.168.2.23
Dec 29, 2024 16:23:05.194233894 CET	48939	53	192.168.2.23	8.8.8.8
Dec 29, 2024 16:23:05.319045067 CET	53	48939	8.8.8.8	192.168.2.23
Dec 29, 2024 16:23:05.324007034 CET	39505	53	192.168.2.23	8.8.8.8
Dec 29, 2024 16:23:05.447843075 CET	53	39505	8.8.8.8	192.168.2.23
Dec 29, 2024 16:23:05.452833891 CET	53101	53	192.168.2.23	8.8.8.8
Dec 29, 2024 16:23:05.581944942 CET	53	53101	8.8.8.8	192.168.2.23
Dec 29, 2024 16:23:05.594971895 CET	39542	53	192.168.2.23	8.8.8.8
Dec 29, 2024 16:23:05.724430084 CET	53	39542	8.8.8.8	192.168.2.23
Dec 29, 2024 16:23:05.782972097 CET	41982	53	192.168.2.23	8.8.8.8
Dec 29, 2024 16:23:05.906831980 CET	53	41982	8.8.8.8	192.168.2.23
Dec 29, 2024 16:23:05.912106037 CET	54176	53	192.168.2.23	8.8.8.8
Dec 29, 2024 16:23:06.047221899 CET	53	54176	8.8.8.8	192.168.2.23
Dec 29, 2024 16:23:06.120500088 CET	36400	53	192.168.2.23	8.8.8.8
Dec 29, 2024 16:23:06.245152950 CET	53	36400	8.8.8.8	192.168.2.23
Dec 29, 2024 16:23:06.253791094 CET	49250	53	192.168.2.23	8.8.8.8
Dec 29, 2024 16:23:06.377702951 CET	53	49250	8.8.8.8	192.168.2.23
Dec 29, 2024 16:23:06.430018902 CET	39966	53	192.168.2.23	8.8.8.8
Dec 29, 2024 16:23:06.564644098 CET	53	39966	8.8.8.8	192.168.2.23
Dec 29, 2024 16:23:06.567190886 CET	34512	53	192.168.2.23	8.8.8.8
Dec 29, 2024 16:23:06.690978050 CET	53	34512	8.8.8.8	192.168.2.23
Dec 29, 2024 16:23:07.286732912 CET	55518	53	192.168.2.23	1.1.1.1
Dec 29, 2024 16:23:07.286794901 CET	37958	53	192.168.2.23	1.1.1.1
Dec 29, 2024 16:23:07.425364017 CET	53	37958	1.1.1.1	192.168.2.23
Dec 29, 2024 16:23:07.509897947 CET	53	55518	1.1.1.1	192.168.2.23
Dec 29, 2024 16:23:07.724648952 CET	53081	53	192.168.2.23	1.1.1.1
Dec 29, 2024 16:23:07.862605095 CET	53	53081	1.1.1.1	192.168.2.23
Dec 29, 2024 16:23:19.286891937 CET	38719	53	192.168.2.23	1.1.1.1
Dec 29, 2024 16:23:19.425668955 CET	53	38719	1.1.1.1	192.168.2.23

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Dec 29, 2024 16:23:08.348875999 CET	192.168.2.23	192.168.2.1	8283	(Port unreachable)	Destination Unreachable
Dec 29, 2024 16:24:28.361999035 CET	192.168.2.23	192.168.2.1	8283	(Port unreachable)	Destination Unreachable

Timestamp	Bytes transferred	Direction	Data
2024-12-29 15:23:11 UTC	307	OUT	POST /9aadafe2051348cd32033e1cad68f0a5fe46fba3240ac1e6e42158f31b8a1371790c09baf3996b4979fe8e533446c7dedf30f654c68b25357334c66911dc6a9e HTTP/1.1 Host: daisy.ubuntu.com Accept: / Content-Type: application/octet-stream X-Whoopsie-Version: 0.2.69ubuntu0.3 Content-Length: 164887 Expect: 100-continue
2024-12-29 15:23:12 UTC	25	IN	HTTP/1.1 100 Continue
2024-12-29 15:23:12 UTC	16384	OUT	Data Raw: 17 84 02 00 02 50 72 6f 63 45 6e 76 69 72 6f 6e 00 4e 00 00 00 50 41 54 48 3d 28 63 75 73 74 6f 6d 2c 20 6e 6f 20 75 73 65 72 29 0a 58 44 47 5f 52 55 4e 54 49 4d 45 5f 44 49 52 3d 3c 73 65 74 3e 0a 4c 41 4e 47 3d 65 6e 5f 55 53 2e 55 54 46 2d 38 0a 53 48 45 4c 4c 3d 2f 62 69 6e 2f 62 61 73 68 00 02 5f 4c 6f 67 69 6e 64 53 65 73 73 69 6f 6e 00 02 00 00 00 35 00 02 44 61 74 65 00 19 00 00 00 54 75 65 20 41 75 67 20 31 37 20 32 30 3a 31 38 3a 30 34 20 32 30 32 31 00 02 53 6f 75 72 63 65 50 61 63 6b 61 67 65 00 0d 00 00 00 6c 69 67 68 74 2d 6c 6f 63 6b 65 72 00 02 50 61 63 6b 61 67 65 41 72 63 68 69 74 65 63 74 75 72 65 00 06 00 00 00 61 6d 64 36 34 00 02 41 72 63 68 69 74 65 63 74 75 72 65 00 06 00 00 00 61 6d 64 36 34 00 02 44 69 73 74 72 6f 52 65 6c 65 61 Data Ascii: ProcEnvironNPATH=(custom, no user)XDG_RUNTIME_DIR=<set>LANG=en_US.UTF-8SHELL=/bin/bash_LogindSession5DateTue Aug 17 20:18:04 2021SourcePackagelight-lockerPackageArchitectureamd64Architectureamd64DistroRelea
2024-12-29 15:23:12 UTC	16384	OUT	Data Raw: 74 75 34 2e 31 0a 6c 69 62 70 61 6d 2d 72 75 6e 74 69 6d 65 20 31 2e 33 2e 31 2d 35 75 62 75 6e 74 75 34 2e 31 0a 6c 69 62 70 61 6d 2d 73 79 73 74 65 6d 64 20 32 34 35 2e 34 2d 34 75 62 75 6e 74 75 33 2e 31 31 0a 6c 69 62 70 61 6d 30 67 20 31 2e 33 2e 31 2d 35 75 62 75 6e 74 75 34 2e 31 0a 6c 69 62 70 61 6e 67 6f 2d 31 2e 30 2d 30 20 31 2e 34 34 2e 37 2d 32 75 62 75 6e 74 75 34 0a 6c 69 62 70 61 6e 67 6f 63 61 69 72 6f 2d 31 2e 30 2d 30 20 31 2e 34 34 2e 37 2d 32 75 62 75 6e 74 75 34 0a 6c 69 62 70 61 6e 67 6f 66 74 32 2d 31 2e 30 2d 30 20 31 2e 34 34 2e 37 2d 32 75 62 75 6e 74 75 34 0a 6c 69 62 70 61 6e 67 6f 78 66 74 2d 31 2e 30 2d 30 20 31 2e 34 34 2e 37 2d 32 75 62 75 6e 74 75 34 0a 6c 69 62 70 61 70 65 72 2d 75 74 69 6c 73 20 31 2e 31 2e 32 38 0a 6c Data Ascii: tu4.1libpam-runtime 1.3.1-5ubuntu4.1libpam-systemd 245.4-4ubuntu3.11libpam0g 1.3.1-5ubuntu4.1libpango-1.0-0 1.44.7-2ubuntu4libpangocairo-1.0-0 1.44.7-2ubuntu4libpangoft2-1.0-0 1.44.7-2ubuntu4libpangoxft-1.0-0 1.44.7-2ubuntu4libpaper-utils 1.1.28l
2024-12-29 15:23:12 UTC	16384	OUT	Data Raw: 20 20 20 20 20 20 20 20 30 78 30 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 30 0a 67 73 20 20 20 20 20 20 20 20 20 20 20 20 20 30 78 30 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 30 0a 6b 30 20 20 20 20 20 20 20 20 20 20 20 20 20 30 78 30 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 30 0a 6b 31 20 20 20 20 20 20 20 20 20 20 20 20 20 30 78 30 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 30 0a 6b 32 20 20 20 20 20 20 20 20 20 20 20 20 20 30 78 30 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 30 0a 6b 33 20 20 20 20 20 20 20 20 20 20 20 20 20 30 78 30 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 30 0a 6b 34 20 20 20 20 20 20 20 20 20 20 20 20 20 30 78 30 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 30 0a 6b 35 20 Data Ascii: 0x0 0gs 0x0 0k0 0x0 0k1 0x0 0k2 0x0 0k3 0x0 0k4 0x0 0k5
2024-12-29 15:23:12 UTC	16384	OUT	Data Raw: 20 20 20 20 20 20 20 20 20 2f 75 73 72 2f 6c 69 62 2f 78 38 36 5f 36 34 2d 6c 69 6e 75 78 2d 67 6e 75 2f 6c 69 62 78 63 62 2d 72 65 6e 64 65 72 2e 73 6f 2e 30 2e 30 2e 30 0a 37 66 37 39 31 63 30 37 34 30 30 30 2d 37 66 37 39 31 63 30 37 35 30 30 30 20 2d 2d 2d 70 20 30 30 30 30 63 30 30 30 20 66 64 3a 30 30 20 38 30 36 32 36 30 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2f 75 73 72 2f 6c 69 62 2f 78 38 36 5f 36 34 2d 6c 69 6e 75 78 2d 67 6e 75 2f 6c 69 62 78 63 62 2d 72 65 6e 64 65 72 2e 73 6f 2e 30 2e 30 2e 30 0a 37 66 37 39 31 63 30 37 35 30 30 30 2d 37 66 37 39 31 63 30 37 36 30 30 30 20 72 2d 2d 70 20 30 30 30 30 63 30 30 30 20 66 64 3a 30 30 20 38 30 36 32 36 30 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2f 75 Data Ascii: /usr/lib/x86_64-linux-gnu/libxcb-render.so.0.0.07f791c074000-7f791c075000 ---p 0000c000 fd:00 806260 /usr/lib/x86_64-linux-gnu/libxcb-render.so.0.0.07f791c075000-7f791c076000 r--p 0000c000 fd:00 806260 /u
2024-12-29 15:23:12 UTC	16384	OUT	Data Raw: 6e 75 78 2d 67 6e 75 2f 6c 69 62 67 64 6b 5f 70 69 78 62 75 66 2d 32 2e 30 2e 73 6f 2e 30 2e 34 30 30 30 2e 30 0a 37 66 37 39 31 63 37 37 33 30 30 30 2d 37 66 37 39 31 63 37 37 34 30 30 30 20 72 77 2d 70 20 30 30 30 32 36 30 30 30 20 66 64 3a 30 30 20 38 30 36 32 34 35 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2f 75 73 72 2f 6c 69 62 2f 78 38 36 5f 36 34 2d 6c 69 6e 75 78 2d 67 6e 75 2f 6c 69 62 67 64 6b 5f 70 69 78 62 75 66 2d 32 2e 30 2e 73 6f 2e 30 2e 34 30 30 30 2e 30 0a 37 66 37 39 31 63 37 37 34 30 30 30 2d 37 66 37 39 31 63 37 37 38 30 30 30 20 72 2d 2d 70 20 30 30 30 30 30 30 30 30 20 66 64 3a 30 30 20 38 30 36 32 36 38 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2f 75 73 72 2f 6c 69 62 2f 78 38 36 5f 36 34 Data Ascii: nux-gnu/libgdk_pixbuf-2.0.so.0.4000.07f791c773000-7f791c774000 rw-p 00026000 fd:00 806245 /usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.4000.07f791c774000-7f791c778000 r--p 00000000 fd:00 806268 /usr/lib/x86_64
2024-12-29 15:23:12 UTC	16384	OUT	Data Raw: 20 70 6c 61 74 66 6f 72 6d 20 65 69 73 61 2e 30 3a 20 43 61 6e 6e 6f 74 20 61 6c 6c 6f 63 61 74 65 20 72 65 73 6f 75 72 63 65 20 66 6f 72 20 45 49 53 41 20 73 6c 6f 74 20 37 0a 41 75 67 20 31 37 20 32 30 3a 32 34 3a 34 36 20 67 61 6c 61 73 73 69 61 20 6b 65 72 6e 65 6c 3a 20 70 6c 61 74 66 6f 72 6d 20 65 69 73 61 2e 30 3a 20 43 61 6e 6e 6f 74 20 61 6c 6c 6f 63 61 74 65 20 72 65 73 6f 75 72 63 65 20 66 6f 72 20 45 49 53 41 20 73 6c 6f 74 20 38 0a 41 75 67 20 31 37 20 32 30 3a 32 34 3a 34 36 20 67 61 6c 61 73 73 69 61 20 6b 65 72 6e 65 6c 3a 20 73 64 20 33 32 3a 30 3a 30 3a 30 3a 20 5b 73 64 61 5d 20 41 73 73 75 6d 69 6e 67 20 64 72 69 76 65 20 63 61 63 68 65 3a 20 77 72 69 74 65 20 74 68 72 6f 75 67 68 0a 41 75 67 20 31 37 20 32 30 3a 32 34 3a 34 37 20 67 Data Ascii: platform eisa.0: Cannot allocate resource for EISA slot 7Aug 17 20:24:46 galassia kernel: platform eisa.0: Cannot allocate resource for EISA slot 8Aug 17 20:24:46 galassia kernel: sd 32:0:0:0: [sda] Assuming drive cache: write throughAug 17 20:24:47 g
2024-12-29 15:23:12 UTC	16384	OUT	Data Raw: 35 35 31 5d 3a 20 28 49 49 29 20 4c 6f 61 64 4d 6f 64 75 6c 65 3a 20 22 66 62 64 65 76 68 77 22 0a 41 75 67 20 31 37 20 32 30 3a 32 35 3a 30 34 20 67 61 6c 61 73 73 69 61 20 2f 75 73 72 2f 6c 69 62 2f 67 64 6d 33 2f 67 64 6d 2d 78 2d 73 65 73 73 69 6f 6e 5b 31 35 35 31 5d 3a 20 28 49 49 29 20 4c 6f 61 64 69 6e 67 20 2f 75 73 72 2f 6c 69 62 2f 78 6f 72 67 2f 6d 6f 64 75 6c 65 73 2f 6c 69 62 66 62 64 65 76 68 77 2e 73 6f 0a 41 75 67 20 31 37 20 32 30 3a 32 35 3a 30 34 20 67 61 6c 61 73 73 69 61 20 2f 75 73 72 2f 6c 69 62 2f 67 64 6d 33 2f 67 64 6d 2d 78 2d 73 65 73 73 69 6f 6e 5b 31 35 35 31 5d 3a 20 28 49 49 29 20 4d 6f 64 75 6c 65 20 66 62 64 65 76 68 77 3a 20 76 65 6e 64 6f 72 3d 22 58 2e 4f 72 67 20 46 6f 75 6e 64 61 74 69 6f 6e 22 0a 41 75 67 20 31 37 Data Ascii: 551]: (II) LoadModule: "fbdevhw"Aug 17 20:25:04 galassia /usr/lib/gdm3/gdm-x-session[1551]: (II) Loading /usr/lib/xorg/modules/libfbdevhw.soAug 17 20:25:04 galassia /usr/lib/gdm3/gdm-x-session[1551]: (II) Module fbdevhw: vendor="X.Org Foundation"Aug 17
2024-12-29 15:23:12 UTC	16384	OUT	Data Raw: 2f 6c 69 62 2f 67 64 6d 33 2f 67 64 6d 2d 78 2d 73 65 73 73 69 6f 6e 5b 31 35 35 31 5d 3a 20 28 49 49 29 20 76 6d 77 61 72 65 28 30 29 3a 20 4e 6f 74 20 75 73 69 6e 67 20 64 65 66 61 75 6c 74 20 6d 6f 64 65 20 22 31 39 32 30 78 31 32 30 30 22 20 28 69 6e 73 75 66 66 69 63 69 65 6e 74 20 6d 65 6d 6f 72 79 20 66 6f 72 20 6d 6f 64 65 29 0a 41 75 67 20 31 37 20 32 30 3a 32 35 3a 30 35 20 67 61 6c 61 73 73 69 61 20 2f 75 73 72 2f 6c 69 62 2f 67 64 6d 33 2f 67 64 6d 2d 78 2d 73 65 73 73 69 6f 6e 5b 31 35 35 31 5d 3a 20 28 49 49 29 20 76 6d 77 61 72 65 28 30 29 3a 20 4e 6f 74 20 75 73 69 6e 67 20 64 65 66 61 75 6c 74 20 6d 6f 64 65 20 22 39 36 30 78 36 30 30 22 20 28 62 61 64 20 6d 6f 64 65 20 63 6c 6f 63 6b 2f 69 6e 74 65 72 6c 61 63 65 2f 64 6f 75 62 6c 65 73 Data Ascii: /lib/gdm3/gdm-x-session[1551]: (II) vmware(0): Not using default mode "1920x1200" (insufficient memory for mode)Aug 17 20:25:05 galassia /usr/lib/gdm3/gdm-x-session[1551]: (II) vmware(0): Not using default mode "960x600" (bad mode clock/interlace/doubles
2024-12-29 15:23:12 UTC	16384	OUT	Data Raw: 20 31 33 33 36 20 31 35 32 30 20 20 38 36 34 20 38 36 35 20 38 36 38 20 38 39 35 20 2d 68 73 79 6e 63 20 2b 76 73 79 6e 63 20 28 35 33 2e 37 20 6b 48 7a 20 64 29 0a 41 75 67 20 31 37 20 32 30 3a 32 35 3a 30 35 20 67 61 6c 61 73 73 69 61 20 2f 75 73 72 2f 6c 69 62 2f 67 64 6d 33 2f 67 64 6d 2d 78 2d 73 65 73 73 69 6f 6e 5b 31 35 35 31 5d 3a 20 28 2a 2a 29 20 76 6d 77 61 72 65 28 30 29 3a 20 20 44 65 66 61 75 6c 74 20 6d 6f 64 65 20 22 31 30 32 34 78 37 36 38 22 3a 20 39 34 2e 35 20 4d 48 7a 2c 20 36 38 2e 37 20 6b 48 7a 2c 20 38 35 2e 30 20 48 7a 0a 41 75 67 20 31 37 20 32 30 3a 32 35 3a 30 35 20 67 61 6c 61 73 73 69 61 20 2f 75 73 72 2f 6c 69 62 2f 67 64 6d 33 2f 67 64 6d 2d 78 2d 73 65 73 73 69 6f 6e 5b 31 35 35 31 5d 3a 20 28 49 49 29 20 76 6d 77 61 72 Data Ascii: 1336 1520 864 865 868 895 -hsync +vsync (53.7 kHz d)Aug 17 20:25:05 galassia /usr/lib/gdm3/gdm-x-session[1551]: (**) vmware(0): Default mode "1024x768": 94.5 MHz, 68.7 kHz, 85.0 HzAug 17 20:25:05 galassia /usr/lib/gdm3/gdm-x-session[1551]: (II) vmwar
2024-12-29 15:23:12 UTC	16384	OUT	Data Raw: 65 64 20 53 65 74 20 32 20 6b 65 79 62 6f 61 72 64 3a 20 61 6c 77 61 79 73 20 72 65 70 6f 72 74 73 20 63 6f 72 65 20 65 76 65 6e 74 73 0a 41 75 67 20 31 37 20 32 30 3a 32 35 3a 30 35 20 67 61 6c 61 73 73 69 61 20 2f 75 73 72 2f 6c 69 62 2f 67 64 6d 33 2f 67 64 6d 2d 78 2d 73 65 73 73 69 6f 6e 5b 31 35 35 31 5d 3a 20 28 2a 2a 29 20 4f 70 74 69 6f 6e 20 22 44 65 76 69 63 65 22 20 22 2f 64 65 76 2f 69 6e 70 75 74 2f 65 76 65 6e 74 31 22 0a 41 75 67 20 31 37 20 32 30 3a 32 35 3a 30 35 20 67 61 6c 61 73 73 69 61 20 2f 75 73 72 2f 6c 69 62 2f 67 64 6d 33 2f 67 64 6d 2d 78 2d 73 65 73 73 69 6f 6e 5b 31 35 35 31 5d 3a 20 28 2a 2a 29 20 4f 70 74 69 6f 6e 20 22 5f 73 6f 75 72 63 65 22 20 22 73 65 72 76 65 72 2f 75 64 65 76 22 0a 41 75 67 20 31 37 20 32 30 3a 32 35 Data Ascii: ed Set 2 keyboard: always reports core eventsAug 17 20:25:05 galassia /usr/lib/gdm3/gdm-x-session[1551]: () Option "Device" "/dev/input/event1"Aug 17 20:25:05 galassia /usr/lib/gdm3/gdm-x-session[1551]: () Option "_source" "server/udev"Aug 17 20:25
2024-12-29 15:23:13 UTC	279	IN	HTTP/1.1 400 Bad Request Date: Sun, 29 Dec 2024 15:23:13 GMT Server: gunicorn/19.7.1 X-Daisy-Revision-Number: 979 X-Oops-Repository-Version: 0.0.0 Strict-Transport-Security: max-age=2592000 Connection: close Transfer-Encoding: chunked 17 Crash already reported. 0

Start time (UTC):	15:22:58
Start date (UTC):	29/12/2024
Path:	/tmp/Aqua.arm5.elf
Arguments:	/tmp/Aqua.arm5.elf
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC):	15:22:59
Start date (UTC):	29/12/2024
Path:	/usr/libexec/gsd-rfkill
Arguments:	/usr/libexec/gsd-rfkill
File size:	51808 bytes
MD5 hash:	88a16a3c0aba1759358c06215ecfb5cc

Start time (UTC):	15:23:01
Start date (UTC):	29/12/2024
Path:	/usr/sbin/gdm3
Arguments:	-
File size:	453296 bytes
MD5 hash:	2492e2d8d34f9377e3e530a61a15674f

Start time (UTC):	15:23:02
Start date (UTC):	29/12/2024
Path:	/usr/libexec/gvfsd-fuse
Arguments:	-
File size:	47632 bytes
MD5 hash:	d18fbf1cbf8eb57b17fac48b7b4be933

Start time (UTC):	15:23:03
Start date (UTC):	29/12/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Start time (UTC):	15:23:04
Start date (UTC):	29/12/2024
Path:	/usr/bin/gpu-manager
Arguments:	-
File size:	76616 bytes
MD5 hash:	8fae9dd5dd67e1f33d873089c2fd8761

Start time (UTC):	15:23:05
Start date (UTC):	29/12/2024
Path:	/usr/bin/gpu-manager
Arguments:	-
File size:	76616 bytes
MD5 hash:	8fae9dd5dd67e1f33d873089c2fd8761

Start time (UTC):	15:23:06
Start date (UTC):	29/12/2024
Path:	/usr/bin/gpu-manager
Arguments:	-
File size:	76616 bytes
MD5 hash:	8fae9dd5dd67e1f33d873089c2fd8761

Start time (UTC):	15:23:10
Start date (UTC):	29/12/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Start time (UTC):	15:23:07
Start date (UTC):	29/12/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Start time (UTC):	15:23:09
Start date (UTC):	29/12/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report Aqua.arm5.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Spreading

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/home/saturnino/.config/pulse/ee49dfd4fa47433baee88884e2d7de7c-default-sink

/home/saturnino/.config/pulse/ee49dfd4fa47433baee88884e2d7de7c-default-source

/proc/6617/oom_score_adj

/run/gdm3.pid

/run/systemd/seats/.#seat0WzTeHS

/run/systemd/seats/.#seat0boHm9U

/run/systemd/seats/.#seat0yL4nmq

/run/systemd/users/.#1271ptRsU

/run/systemd/users/.#127BFFozU

/run/systemd/users/.#127LtJfhS

/run/systemd/users/.#127RpkN5Q

/run/systemd/users/.#127WIi0rT

/run/systemd/users/.#127ueliFR

/run/user/1000/pulse/pid

/run/utmp

/tmp/qemu-open.52VBHo (deleted)

/var/lib/AccountsService/users/gdm.R92JZ2

/var/lib/ubuntu-drivers-common/last_gfx_boot

/var/log/auth.log

/var/log/gpu-manager.log

/var/log/kern.log

/var/log/syslog

/var/log/wtmp

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Linux Analysis Report
Aqua.arm5.elf

Start time (UTC):	15:23:15
Start date (UTC):	29/12/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Start time (UTC):	15:23:20
Start date (UTC):	29/12/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Start time (UTC):	15:23:17
Start date (UTC):	29/12/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Start time (UTC):	15:23:21
Start date (UTC):	29/12/2024
Path:	/usr/sbin/gdm3
Arguments:	-
File size:	453296 bytes
MD5 hash:	2492e2d8d34f9377e3e530a61a15674f

Start time (UTC):	15:23:23
Start date (UTC):	29/12/2024
Path:	/usr/sbin/gdm3
Arguments:	-
File size:	453296 bytes
MD5 hash:	2492e2d8d34f9377e3e530a61a15674f

Start time (UTC):	15:23:26
Start date (UTC):	29/12/2024
Path:	/usr/lib/gdm3/gdm-session-worker
Arguments:	-
File size:	293360 bytes
MD5 hash:	692243754bd9f38fe9bd7e230b5c060a

Start time (UTC):	15:23:27
Start date (UTC):	29/12/2024
Path:	/usr/sbin/gdm3
Arguments:	-
File size:	453296 bytes
MD5 hash:	2492e2d8d34f9377e3e530a61a15674f

Start time (UTC):	15:23:22
Start date (UTC):	29/12/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Start time (UTC):	15:24:32
Start date (UTC):	29/12/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre