Edit tour

Linux Analysis Report
Aqua.arm7.elf

Overview

General Information

Sample name:	Aqua.arm7.elf
Analysis ID:	1592475
MD5:	01a083125eaa53dd09755e2fa57d1da2
SHA1:	fdfc0a9266976fea799184fe185f7df1d45f5fc9
SHA256:	a7c7393869871186599a3ee6a6e8fd5c0e33d09cb4e14f0601cd9e4d7a1deeaf
Tags:	elfuser-abuse_ch
Infos:

Detection

Mirai

Score:	88
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Mirai

Reads system files that contain records of logged in users

Sample deletes itself

Sample reads /proc/mounts (often used for finding a writable filesystem)

Sends malformed DNS queries

Creates hidden files and/or directories

Deletes log files

Detected TCP or UDP traffic on non-standard ports

Enumerates processes within the "proc" file system

Executes commands using a shell command-line interpreter

Executes the "grep" command used to find patterns in files or piped streams

Executes the "kill" or "pkill" command typically used to terminate processes

Executes the "rm" command used to delete files or directories

Found strings indicative of a multi-platform dropper

HTTP GET or POST without a user agent

Reads CPU information from /sys indicative of miner or evasive malware

Reads system version information

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Sample tries to set the executable flag

Uses the "uname" system call to query kernel version information (possible evasion)

Yara signature match

Classification

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1592475
Start date and time:	2025-01-16 07:34:39 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	Aqua.arm7.elf
Detection:	MAL
Classification:	mal88.troj.evad.linELF@0/18@138/0

Warnings

Connection to analysis system has been lost, crash info: Unknown
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Runtime Messages

Command:	/tmp/Aqua.arm7.elf
PID:	6260
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	about to cum inside a femboy btw
Standard Error:

Process Tree

system is lnxubuntu20

Aqua.arm7.elf (PID: 6260, Parent: 6182, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/Aqua.arm7.elf

Aqua.arm7.elf New Fork (PID: 6262, Parent: 6260)

Aqua.arm7.elf New Fork (PID: 6264, Parent: 6262)

systemd New Fork (PID: 6268, Parent: 1)

dbus-daemon (PID: 6268, Parent: 1, MD5: 3089d47e3f3ab84cd81c48fd406d7a8c) Arguments: /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only

systemd New Fork (PID: 6302, Parent: 1860)

pulseaudio (PID: 6302, Parent: 1860, MD5: 0c3b4c789d8ffb12b25507f27e14c186) Arguments: /usr/bin/pulseaudio --daemonize=no --log-target=journal

systemd New Fork (PID: 6308, Parent: 1)

systemd-logind (PID: 6308, Parent: 1, MD5: 8dd58a1b4c12f7a1d5fe3ce18b2aaeef) Arguments: /lib/systemd/systemd-logind

systemd New Fork (PID: 6368, Parent: 1)

rtkit-daemon (PID: 6368, Parent: 1, MD5: df0cacf1db4ec95ac70f5b6e06b8ffd7) Arguments: /usr/libexec/rtkit-daemon

systemd New Fork (PID: 6372, Parent: 1)

polkitd (PID: 6372, Parent: 1, MD5: 8efc9b4b5b524210ad2ea1954a9d0e69) Arguments: /usr/lib/policykit-1/polkitd --no-debug

systemd New Fork (PID: 6378, Parent: 1)

agetty (PID: 6378, Parent: 1, MD5: 3a374724ba7e863768139bdd60ca36f7) Arguments: /sbin/agetty -o "-p -- \\u" --noclear tty2 linux

gdm3 New Fork (PID: 6379, Parent: 1320)

Default (PID: 6379, Parent: 1320, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default

gdm3 New Fork (PID: 6380, Parent: 1320)

Default (PID: 6380, Parent: 1320, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default

gdm3 New Fork (PID: 6381, Parent: 1320)

Default (PID: 6381, Parent: 1320, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default

systemd New Fork (PID: 6382, Parent: 1)

gpu-manager (PID: 6382, Parent: 1, MD5: 8fae9dd5dd67e1f33d873089c2fd8761) Arguments: /usr/bin/gpu-manager --log /var/log/gpu-manager.log

gpu-manager New Fork (PID: 6383, Parent: 6382)

sh (PID: 6383, Parent: 6382, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"

sh New Fork (PID: 6386, Parent: 6383)

grep (PID: 6386, Parent: 6383, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf

gpu-manager New Fork (PID: 6387, Parent: 6382)

sh (PID: 6387, Parent: 6382, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"

sh New Fork (PID: 6388, Parent: 6387)

grep (PID: 6388, Parent: 6387, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf

gpu-manager New Fork (PID: 6389, Parent: 6382)

sh (PID: 6389, Parent: 6382, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"

sh New Fork (PID: 6390, Parent: 6389)

grep (PID: 6390, Parent: 6389, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf

gpu-manager New Fork (PID: 6391, Parent: 6382)

sh (PID: 6391, Parent: 6382, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf"

sh New Fork (PID: 6392, Parent: 6391)

grep (PID: 6392, Parent: 6391, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf

gpu-manager New Fork (PID: 6393, Parent: 6382)

sh (PID: 6393, Parent: 6382, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf"

sh New Fork (PID: 6394, Parent: 6393)

grep (PID: 6394, Parent: 6393, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*amdgpu[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf

gpu-manager New Fork (PID: 6395, Parent: 6382)

sh (PID: 6395, Parent: 6382, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /lib/modprobe.d/*.conf"

sh New Fork (PID: 6396, Parent: 6395)

grep (PID: 6396, Parent: 6395, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*amdgpu[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf

gpu-manager New Fork (PID: 6399, Parent: 6382)

sh (PID: 6399, Parent: 6382, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /etc/modprobe.d/*.conf"

sh New Fork (PID: 6400, Parent: 6399)

grep (PID: 6400, Parent: 6399, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*nouveau[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf

gpu-manager New Fork (PID: 6401, Parent: 6382)

sh (PID: 6401, Parent: 6382, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /lib/modprobe.d/*.conf"

sh New Fork (PID: 6403, Parent: 6401)

grep (PID: 6403, Parent: 6401, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*nouveau[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf

systemd New Fork (PID: 6406, Parent: 1)

generate-config (PID: 6406, Parent: 1, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /usr/share/gdm/generate-config

generate-config New Fork (PID: 6407, Parent: 6406)

pkill (PID: 6407, Parent: 6406, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill --signal HUP --uid gdm dconf-service

systemd New Fork (PID: 6408, Parent: 1)

gdm-wait-for-drm (PID: 6408, Parent: 1, MD5: 82043ba752c6930b4e6aaea2f7747545) Arguments: /usr/lib/gdm3/gdm-wait-for-drm

systemd New Fork (PID: 6416, Parent: 1)

gdm3 (PID: 6416, Parent: 1, MD5: 2492e2d8d34f9377e3e530a61a15674f) Arguments: /usr/sbin/gdm3

gdm3 New Fork (PID: 6421, Parent: 6416)

plymouth (PID: 6421, Parent: 6416, MD5: 87003efd8dad470042f5e75360a8f49f) Arguments: plymouth --ping

gdm3 New Fork (PID: 6436, Parent: 6416)

gdm-session-worker (PID: 6436, Parent: 6416, MD5: 692243754bd9f38fe9bd7e230b5c060a) Arguments: "gdm-session-worker [pam/gdm-launch-environment]"

gdm-session-worker New Fork (PID: 6440, Parent: 6436)

gdm-wayland-session (PID: 6440, Parent: 6436, MD5: d3def63cf1e83f7fb8a0f13b1744ff7c) Arguments: /usr/lib/gdm3/gdm-wayland-session "dbus-run-session -- gnome-session --autostart /usr/share/gdm/greeter/autostart"

gdm-wayland-session New Fork (PID: 6442, Parent: 6440)

dbus-daemon (PID: 6442, Parent: 6440, MD5: 3089d47e3f3ab84cd81c48fd406d7a8c) Arguments: dbus-daemon --print-address 3 --session

dbus-daemon New Fork (PID: 6444, Parent: 6442)

dbus-daemon New Fork (PID: 6445, Parent: 6444)

false (PID: 6445, Parent: 6444, MD5: 3177546c74e4f0062909eae43d948bfc) Arguments: /bin/false

gdm-wayland-session New Fork (PID: 6446, Parent: 6440)

dbus-run-session (PID: 6446, Parent: 6440, MD5: 245f3ef6a268850b33b0225a8753b7f4) Arguments: dbus-run-session -- gnome-session --autostart /usr/share/gdm/greeter/autostart

dbus-run-session New Fork (PID: 6447, Parent: 6446)

dbus-daemon (PID: 6447, Parent: 6446, MD5: 3089d47e3f3ab84cd81c48fd406d7a8c) Arguments: dbus-daemon --nofork --print-address 4 --session

gdm3 New Fork (PID: 6450, Parent: 6416)

Default (PID: 6450, Parent: 6416, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default

gdm3 New Fork (PID: 6451, Parent: 6416)

Default (PID: 6451, Parent: 6416, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default

systemd New Fork (PID: 6422, Parent: 1)

accounts-daemon (PID: 6422, Parent: 1, MD5: 01a899e3fb5e7e434bea1290255a1f30) Arguments: /usr/lib/accountsservice/accounts-daemon

accounts-daemon New Fork (PID: 6431, Parent: 6422)

language-validate (PID: 6431, Parent: 6422, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /usr/share/language-tools/language-validate en_US.UTF-8

language-validate New Fork (PID: 6432, Parent: 6431)

language-options (PID: 6432, Parent: 6431, MD5: 16a21f464119ea7fad1d3660de963637) Arguments: /usr/share/language-tools/language-options

language-options New Fork (PID: 6433, Parent: 6432)

sh (PID: 6433, Parent: 6432, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "locale -a | grep -F .utf8 "

sh New Fork (PID: 6434, Parent: 6433)

locale (PID: 6434, Parent: 6433, MD5: c72a78792469db86d91369c9057f20d2) Arguments: locale -a

sh New Fork (PID: 6435, Parent: 6433)

grep (PID: 6435, Parent: 6433, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -F .utf8

dash New Fork (PID: 6452, Parent: 4332)

rm (PID: 6452, Parent: 4332, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.DU9nAtUFM5 /tmp/tmp.LafeURqZFD /tmp/tmp.xoSoSMvPar

dash New Fork (PID: 6453, Parent: 4332)

rm (PID: 6453, Parent: 4332, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.DU9nAtUFM5 /tmp/tmp.LafeURqZFD /tmp/tmp.xoSoSMvPar

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Aqua.arm7.elf	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Aqua.arm7.elf	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x1fd78:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1fd8c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1fda0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1fdb4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1fdc8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1fddc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1fdf0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1fe04:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1fe18:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1fe2c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1fe40:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1fe54:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1fe68:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1fe7c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1fe90:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1fea4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1feb8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1fecc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1fee0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1fef4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1ff08:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F

Memory Dumps

Source	Rule	Description	Author	Strings
6260.1.00007f5cd8017000.00007f5cd803a000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6260.1.00007f5cd8017000.00007f5cd803a000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x1fd78:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1fd8c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1fda0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1fdb4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1fdc8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1fddc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1fdf0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1fe04:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1fe18:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1fe2c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1fe40:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1fe54:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1fe68:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1fe7c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1fe90:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1fea4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1feb8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1fecc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1fee0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1fef4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1ff08:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: Aqua.arm7.elf PID: 6260	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: Aqua.arm7.elf PID: 6260	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x13cae:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13cc2:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13cd6:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13cea:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13cfe:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13d12:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13d26:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13d3a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13d4e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13d62:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13d76:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13d8a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13d9e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13db2:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13dc6:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13dda:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13dee:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13e02:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13e16:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13e2a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13e3e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Aqua.arm7.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: Aqua.arm7.elf	ReversingLabs: Detection: 36%
Source: Aqua.arm7.elf	Virustotal: Detection: 36%			Perma Link

Source: /usr/bin/pulseaudio (PID: 6302)	Reads CPU info from /sys: /sys/devices/system/cpu/online			Jump to behavior
Source: /usr/bin/pkill (PID: 6407)	Reads CPU info from /sys: /sys/devices/system/cpu/online			Jump to behavior

Source: Aqua.arm7.elf

String: EOF/proc//proc/%s/cmdlinewgetcurlftpechokillbashrebootshutdownhaltpoweroff[locker] killed process: %s ;; pid: %d

Networking

Sends malformed DNS queries

Source: global traffic

DNS traffic detected: malformed DNS query: server.eye-network.ru. [malformed]

Source: global traffic

TCP traffic: 192.168.2.23:50026 -> 89.190.156.145:7733

Source: global traffic

HTTP traffic detected: POST /9aadafe2051348cd32033e1cad68f0a5fe46fba3240ac1e6e42158f31b8a1371790c09baf3996b4979fe8e533446c7dedf30f654c68b25357334c66911dc6a9e HTTP/1.1Host: daisy.ubuntu.comAccept: */*Content-Type: application/octet-streamX-Whoopsie-Version: 0.2.69ubuntu0.3Content-Length: 164887Expect: 100-continue

Source: /usr/sbin/gdm3 (PID: 6416)	Socket: unknown address family			Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6442)	Socket: unknown address family			Jump to behavior

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown	TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: server.eye-network.ru
Source: global traffic	DNS traffic detected: DNS query: server.eye-network.ru. [malformed]
Source: global traffic	DNS traffic detected: DNS query: daisy.ubuntu.com

Source: unknown

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 33606
Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 33606 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 53080 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53080

System Summary

Malicious sample detected (through community Yara rule)

Source: Aqua.arm7.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6260.1.00007f5cd8017000.00007f5cd803a000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: Aqua.arm7.elf PID: 6260, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown

Source: /tmp/Aqua.arm7.elf (PID: 6264)

SIGKILL sent: pid: 777, result: successful

Jump to behavior

Source: Aqua.arm7.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6260.1.00007f5cd8017000.00007f5cd803a000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: Aqua.arm7.elf PID: 6260, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16

Source: classification engine

Classification label: mal88.troj.evad.linELF@0/18@138/0

Persistence and Installation Behavior

Sample reads /proc/mounts (often used for finding a writable filesystem)

Source: /usr/bin/dbus-daemon (PID: 6268)	File: /proc/6268/mounts	Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6442)	File: /proc/6442/mounts	Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6447)	File: /proc/6447/mounts	Jump to behavior

Source: /lib/systemd/systemd-logind (PID: 6308)	Directory: <invalid fd (18)>/..	Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6308)	Directory: <invalid fd (17)>/..	Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6308)	File: /run/systemd/seats/.#seat0gJ7Kr9	Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6308)	File: /run/systemd/users/.#1275uh928	Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6308)	File: /run/systemd/users/.#127JX0wZb	Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6308)	File: /run/systemd/seats/.#seat0DEFbLc	Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6308)	File: /run/systemd/users/.#127Xj6Hxc	Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6308)	File: /run/systemd/users/.#1271cb1V9	Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6308)	File: /run/systemd/users/.#127d06mDa	Jump to behavior
Source: /usr/lib/policykit-1/polkitd (PID: 6372)	Directory: /root/.cache	Jump to behavior
Source: /usr/lib/gdm3/gdm-wayland-session (PID: 6440)	Directory: /var/lib/gdm3/.cache	Jump to behavior
Source: /usr/lib/accountsservice/accounts-daemon (PID: 6422)	Directory: /var/lib/gdm3/.pam_environment	Jump to behavior
Source: /usr/lib/accountsservice/accounts-daemon (PID: 6422)	Directory: /root/.cache	Jump to behavior

Source: /tmp/Aqua.arm7.elf (PID: 6264)	File opened: /proc/11/cmdline	Jump to behavior
Source: /tmp/Aqua.arm7.elf (PID: 6264)	File opened: /proc/11/stat	Jump to behavior
Source: /tmp/Aqua.arm7.elf (PID: 6264)	File opened: /proc/11/cmdline	Jump to behavior
Source: /tmp/Aqua.arm7.elf (PID: 6264)	File opened: /proc/11/stat	Jump to behavior
Source: /tmp/Aqua.arm7.elf (PID: 6264)	File opened: /proc/11/cmdline	Jump to behavior
Source: /tmp/Aqua.arm7.elf (PID: 6264)	File opened: /proc/11/stat	Jump to behavior
Source: /tmp/Aqua.arm7.elf (PID: 6264)	File opened: /proc/11/cmdline	Jump to behavior
Source: /tmp/Aqua.arm7.elf (PID: 6264)	File opened: /proc/11/stat	Jump to behavior
Source: /tmp/Aqua.arm7.elf (PID: 6264)	File opened: /proc/22/cmdline	Jump to behavior
Source: /tmp/Aqua.arm7.elf (PID: 6264)	File opened: /proc/22/stat	Jump to behavior
Source: /tmp/Aqua.arm7.elf (PID: 6264)	File opened: /proc/22/cmdline	Jump to behavior
Source: /tmp/Aqua.arm7.elf (PID: 6264)	File opened: /proc/22/stat	Jump to behavior
Source: /tmp/Aqua.arm7.elf (PID: 6264)	File opened: /proc/22/cmdline	Jump to behavior
Source: /tmp/Aqua.arm7.elf (PID: 6264)	File opened: /proc/22/stat	Jump to behavior
Source: /tmp/Aqua.arm7.elf (PID: 6264)	File opened: /proc/22/cmdline	Jump to behavior
Source: /tmp/Aqua.arm7.elf (PID: 6264)	File opened: /proc/22/stat	Jump to behavior
Source: /tmp/Aqua.arm7.elf (PID: 6264)	File opened: /proc/66/cmdline	Jump to behavior
Source: /tmp/Aqua.arm7.elf (PID: 6264)	File opened: /proc/66/stat	Jump to behavior
Source: /tmp/Aqua.arm7.elf (PID: 6264)	File opened: /proc/99/cmdline	Jump to behavior
Source: /tmp/Aqua.arm7.elf (PID: 6264)	File opened: /proc/33/stat	Jump to behavior
Source: /tmp/Aqua.arm7.elf (PID: 6264)	File opened: /proc/33/cmdline	Jump to behavior
Source: /tmp/Aqua.arm7.elf (PID: 6264)	File opened: /proc/111/cmdline	Jump to behavior
Source: /tmp/Aqua.arm7.elf (PID: 6264)	File opened: /proc/111/cmdline	Jump to behavior
Source: /tmp/Aqua.arm7.elf (PID: 6264)	File opened: /proc/111/stat	Jump to behavior
Source: /tmp/Aqua.arm7.elf (PID: 6264)	File opened: /proc/111/cmdline	Jump to behavior
Source: /tmp/Aqua.arm7.elf (PID: 6264)	File opened: /proc/111/cmdline	Jump to behavior
Source: /tmp/Aqua.arm7.elf (PID: 6264)	File opened: /proc/111/stat	Jump to behavior
Source: /tmp/Aqua.arm7.elf (PID: 6264)	File opened: /proc/222/cmdline	Jump to behavior
Source: /tmp/Aqua.arm7.elf (PID: 6264)	File opened: /proc/222/cmdline	Jump to behavior
Source: /tmp/Aqua.arm7.elf (PID: 6264)	File opened: /proc/222/stat	Jump to behavior
Source: /tmp/Aqua.arm7.elf (PID: 6264)	File opened: /proc/222/cmdline	Jump to behavior
Source: /tmp/Aqua.arm7.elf (PID: 6264)	File opened: /proc/222/cmdline	Jump to behavior
Source: /tmp/Aqua.arm7.elf (PID: 6264)	File opened: /proc/222/stat	Jump to behavior
Source: /tmp/Aqua.arm7.elf (PID: 6264)	File opened: /proc/333/cmdline	Jump to behavior
Source: /tmp/Aqua.arm7.elf (PID: 6264)	File opened: /proc/333/cmdline	Jump to behavior
Source: /tmp/Aqua.arm7.elf (PID: 6264)	File opened: /proc/333/stat	Jump to behavior
Source: /tmp/Aqua.arm7.elf (PID: 6264)	File opened: /proc/333/cmdline	Jump to behavior
Source: /tmp/Aqua.arm7.elf (PID: 6264)	File opened: /proc/333/cmdline	Jump to behavior
Source: /tmp/Aqua.arm7.elf (PID: 6264)	File opened: /proc/333/stat	Jump to behavior
Source: /tmp/Aqua.arm7.elf (PID: 6264)	File opened: /proc/777/cmdline	Jump to behavior
Source: /tmp/Aqua.arm7.elf (PID: 6264)	File opened: /proc/777/cmdline	Jump to behavior
Source: /tmp/Aqua.arm7.elf (PID: 6264)	File opened: /proc/777/stat	Jump to behavior
Source: /tmp/Aqua.arm7.elf (PID: 6264)	File opened: /proc/888/cmdline	Jump to behavior
Source: /tmp/Aqua.arm7.elf (PID: 6264)	File opened: /proc/888/stat	Jump to behavior
Source: /tmp/Aqua.arm7.elf (PID: 6264)	File opened: /proc/999/cmdline	Jump to behavior
Source: /tmp/Aqua.arm7.elf (PID: 6264)	File opened: /proc/999/stat	Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6268)	File opened: /proc/6372/cmdline	Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6268)	File opened: /proc/6440/cmdline	Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6268)	File opened: /proc/6299/cmdline	Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6268)	File opened: /proc/6299/cmdline	Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6268)	File opened: /proc/6302/cmdline	Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6268)	File opened: /proc/6302/cmdline	Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6268)	File opened: /proc/6302/cmdline	Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6268)	File opened: /proc/6368/cmdline	Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6268)	File opened: /proc/6268/status	Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6268)	File opened: /proc/6268/attr/current	Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6268)	File opened: /proc/1809/cmdline	Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6268)	File opened: /proc/6422/cmdline	Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6268)	File opened: /proc/1/cmdline	Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6268)	File opened: /proc/1389/cmdline	Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6268)	File opened: /proc/6436/cmdline	Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6268)	File opened: /proc/6436/cmdline	Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6268)	File opened: /proc/6416/cmdline	Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6268)	File opened: /proc/6308/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6407)	File opened: /proc/3088/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6407)	File opened: /proc/3088/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6407)	File opened: /proc/230/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6407)	File opened: /proc/230/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6407)	File opened: /proc/110/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6407)	File opened: /proc/110/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6407)	File opened: /proc/231/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6407)	File opened: /proc/231/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6407)	File opened: /proc/111/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6407)	File opened: /proc/111/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6407)	File opened: /proc/232/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6407)	File opened: /proc/232/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6407)	File opened: /proc/112/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6407)	File opened: /proc/112/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6407)	File opened: /proc/233/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6407)	File opened: /proc/233/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6407)	File opened: /proc/113/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6407)	File opened: /proc/113/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6407)	File opened: /proc/234/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6407)	File opened: /proc/234/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6407)	File opened: /proc/1335/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6407)	File opened: /proc/1335/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6407)	File opened: /proc/114/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6407)	File opened: /proc/114/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6407)	File opened: /proc/235/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6407)	File opened: /proc/235/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6407)	File opened: /proc/1334/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6407)	File opened: /proc/1334/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6407)	File opened: /proc/2302/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6407)	File opened: /proc/2302/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6407)	File opened: /proc/115/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6407)	File opened: /proc/115/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6407)	File opened: /proc/236/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6407)	File opened: /proc/236/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6407)	File opened: /proc/116/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6407)	File opened: /proc/116/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6407)	File opened: /proc/237/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6407)	File opened: /proc/237/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6407)	File opened: /proc/117/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6407)	File opened: /proc/117/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6407)	File opened: /proc/118/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6407)	File opened: /proc/118/cmdline	Jump to behavior

Source: /usr/bin/gpu-manager (PID: 6383)	Shell command executed: sh -c "grep -G \"^blacklist.nvidia[[:space:]]$\" /etc/modprobe.d/*.conf"	Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6387)	Shell command executed: sh -c "grep -G \"^blacklist.nvidia[[:space:]]$\" /lib/modprobe.d/*.conf"	Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6389)	Shell command executed: sh -c "grep -G \"^blacklist.radeon[[:space:]]$\" /etc/modprobe.d/*.conf"	Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6391)	Shell command executed: sh -c "grep -G \"^blacklist.radeon[[:space:]]$\" /lib/modprobe.d/*.conf"	Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6393)	Shell command executed: sh -c "grep -G \"^blacklist.amdgpu[[:space:]]$\" /etc/modprobe.d/*.conf"	Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6395)	Shell command executed: sh -c "grep -G \"^blacklist.amdgpu[[:space:]]$\" /lib/modprobe.d/*.conf"	Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6399)	Shell command executed: sh -c "grep -G \"^blacklist.nouveau[[:space:]]$\" /etc/modprobe.d/*.conf"	Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6401)	Shell command executed: sh -c "grep -G \"^blacklist.nouveau[[:space:]]$\" /lib/modprobe.d/*.conf"	Jump to behavior
Source: /usr/share/language-tools/language-options (PID: 6433)	Shell command executed: sh -c "locale -a \| grep -F .utf8 "	Jump to behavior

Source: /bin/sh (PID: 6386)	Grep executable: /usr/bin/grep -> grep -G ^blacklist.nvidia[[:space:]]$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf	Jump to behavior
Source: /bin/sh (PID: 6388)	Grep executable: /usr/bin/grep -> grep -G ^blacklist.nvidia[[:space:]]$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf	Jump to behavior
Source: /bin/sh (PID: 6390)	Grep executable: /usr/bin/grep -> grep -G ^blacklist.radeon[[:space:]]$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf	Jump to behavior
Source: /bin/sh (PID: 6392)	Grep executable: /usr/bin/grep -> grep -G ^blacklist.radeon[[:space:]]$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf	Jump to behavior
Source: /bin/sh (PID: 6394)	Grep executable: /usr/bin/grep -> grep -G ^blacklist.amdgpu[[:space:]]$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf	Jump to behavior
Source: /bin/sh (PID: 6396)	Grep executable: /usr/bin/grep -> grep -G ^blacklist.amdgpu[[:space:]]$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf	Jump to behavior
Source: /bin/sh (PID: 6400)	Grep executable: /usr/bin/grep -> grep -G ^blacklist.nouveau[[:space:]]$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf	Jump to behavior
Source: /bin/sh (PID: 6403)	Grep executable: /usr/bin/grep -> grep -G ^blacklist.nouveau[[:space:]]$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf	Jump to behavior
Source: /bin/sh (PID: 6435)	Grep executable: /usr/bin/grep -> grep -F .utf8	Jump to behavior

Source: /usr/share/gdm/generate-config (PID: 6407)

Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service

Jump to behavior

Source: /usr/bin/dash (PID: 6452)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.DU9nAtUFM5 /tmp/tmp.LafeURqZFD /tmp/tmp.xoSoSMvPar			Jump to behavior
Source: /usr/bin/dash (PID: 6453)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.DU9nAtUFM5 /tmp/tmp.LafeURqZFD /tmp/tmp.xoSoSMvPar			Jump to behavior

Source: /sbin/agetty (PID: 6378)

Reads version info: /etc/issue

Jump to behavior

Source: /usr/sbin/gdm3 (PID: 6416)	File: /var/run/gdm3 (bits: - usr: -x grp: x all: rwx)	Jump to behavior
Source: /usr/sbin/gdm3 (PID: 6416)	File: /var/log/gdm3 (bits: - usr: -x grp: x all: rwx)	Jump to behavior
Source: /usr/lib/accountsservice/accounts-daemon (PID: 6422)	File: /var/lib/AccountsService/icons (bits: - usr: rx grp: rwx all: rwx)	Jump to behavior
Source: /usr/lib/accountsservice/accounts-daemon (PID: 6422)	File: /var/lib/AccountsService/users (bits: - usr: - grp: - all: rwx)	Jump to behavior

Source: /usr/bin/gpu-manager (PID: 6382)

Log file created: /var/log/gpu-manager.log

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Sample deletes itself

Source: /tmp/Aqua.arm7.elf (PID: 6262)

File: /tmp/Aqua.arm7.elf

Jump to behavior

Source: /usr/bin/gpu-manager (PID: 6382)

Truncated file: /var/log/gpu-manager.log

Jump to behavior

Source: /usr/bin/pulseaudio (PID: 6302)	Reads CPU info from /sys: /sys/devices/system/cpu/online			Jump to behavior
Source: /usr/bin/pkill (PID: 6407)	Reads CPU info from /sys: /sys/devices/system/cpu/online			Jump to behavior

Source: /tmp/Aqua.arm7.elf (PID: 6260)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/pulseaudio (PID: 6302)	Queries kernel information via 'uname':	Jump to behavior
Source: /sbin/agetty (PID: 6378)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6382)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/lib/gdm3/gdm-session-worker (PID: 6436)	Queries kernel information via 'uname':	Jump to behavior

Source: Aqua.arm7.elf, 6260.1.00007ffca824d000.00007ffca826e000.rw-.sdmp	Binary or memory string: [U/tmp/qemu-open.M2gNxz:
Source: Aqua.arm7.elf, 6260.1.0000555bd5fe6000.0000555bd6139000.rw-.sdmp	Binary or memory string: [U!/etc/qemu-binfmt/arm
Source: Aqua.arm7.elf, 6260.1.0000555bd5fe6000.0000555bd6139000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: Aqua.arm7.elf, 6260.1.00007ffca824d000.00007ffca826e000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm
Source: Aqua.arm7.elf, 6260.1.00007ffca824d000.00007ffca826e000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/Aqua.arm7.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/Aqua.arm7.elf
Source: Aqua.arm7.elf, 6260.1.00007ffca824d000.00007ffca826e000.rw-.sdmp	Binary or memory string: /tmp/qemu-open.M2gNxz

Language, Device and Operating System Detection

Reads system files that contain records of logged in users

Source: /usr/lib/accountsservice/accounts-daemon (PID: 6422)

Logged in records file read: /var/log/wtmp

Jump to behavior

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: Aqua.arm7.elf, type: SAMPLE
Source: Yara match	File source: 6260.1.00007f5cd8017000.00007f5cd803a000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Aqua.arm7.elf PID: 6260, type: MEMORYSTR

Remote Access Functionality

Yara detected Mirai

Source: Yara match	File source: Aqua.arm7.elf, type: SAMPLE
Source: Yara match	File source: 6260.1.00007f5cd8017000.00007f5cd803a000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Aqua.arm7.elf PID: 6260, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	2 Scripting	Valid Accounts	Windows Management Instrumentation	2 Scripting	Path Interception	1 File and Directory Permissions Modification	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	1 System Owner/User Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Hidden Files and Directories	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Indicator Removal	NTDS	2 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 File Deletion	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Aqua.arm7.elf	37%	ReversingLabs	Linux.Backdoor.Mirai
Aqua.arm7.elf	37%	Virustotal		Browse
Aqua.arm7.elf	100%	Avira	EXP/ELF.Mirai.Z.A

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
daisy.ubuntu.com	162.213.35.24	true	false	high
server.eye-network.ru	unknown	unknown	false	high
server.eye-network.ru. [malformed]	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://daisy.ubuntu.com/9aadafe2051348cd32033e1cad68f0a5fe46fba3240ac1e6e42158f31b8a1371790c09baf3996b4979fe8e533446c7dedf30f654c68b25357334c66911dc6a9e	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
162.213.35.25	unknown	United States	41231	CANONICAL-ASGB	false
54.171.230.55	unknown	United States	16509	AMAZON-02US	false
89.190.156.145	unknown	United Kingdom	7489	HOSTUS-GLOBAL-ASHostUSHK	false
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
162.213.35.25	byte.m68k.elf	Get hash	malicious	Mirai, Okiru	Browse
	byte.mips.elf	Get hash	malicious	Mirai, Okiru	Browse
	byte.sh4.elf	Get hash	malicious	Mirai, Okiru	Browse
	gnjqwpc.elf	Get hash	malicious	Unknown	Browse
	jefne64.elf	Get hash	malicious	Mirai	Browse
	Aqua.mips.elf	Get hash	malicious	Unknown	Browse
	Aqua.i686.elf	Get hash	malicious	Unknown	Browse
	Aqua.dbg.elf	Get hash	malicious	Unknown	Browse
	Aqua.mpsl.elf	Get hash	malicious	Unknown	Browse
	Aqua.sh4.elf	Get hash	malicious	Unknown	Browse
54.171.230.55	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	ub8ehJSePAfc9FYqZIT6.arc.elf	Get hash	malicious	Unknown	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	boatnet.arm7.elf	Get hash	malicious	Mirai	Browse
	arm5.elf	Get hash	malicious	Mirai	Browse
	boatnet.sh4.elf	Get hash	malicious	Mirai	Browse
	main_m68k.elf	Get hash	malicious	Mirai	Browse
	p-p.c-.Sakura.elf	Get hash	malicious	Gafgyt, Mirai	Browse
89.190.156.145	jefne64.elf	Get hash	malicious	Unknown	Browse
	qbfwdbg.elf	Get hash	malicious	Unknown	Browse
	wrjkngh4.elf	Get hash	malicious	Unknown	Browse
	gnjqwpc.elf	Get hash	malicious	Unknown	Browse
	jefne64.elf	Get hash	malicious	Unknown	Browse
	wlw68k.elf	Get hash	malicious	Unknown	Browse
	fqkjei686.elf	Get hash	malicious	Unknown	Browse
	fbhervbhsl.elf	Get hash	malicious	Unknown	Browse
	ngwa5.elf	Get hash	malicious	Unknown	Browse
	debvps.elf	Get hash	malicious	Unknown	Browse
109.202.202.202	kpLwzBouH4.elf	Get hash	malicious	Unknown	Browse	ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
daisy.ubuntu.com	sora.arm6.elf	Get hash	malicious	Mirai	Browse	162.213.35.24
	sora.arm7.elf	Get hash	malicious	Mirai	Browse	162.213.35.24
	sora.mpsl.elf	Get hash	malicious	Mirai	Browse	162.213.35.25
	sora.m68k.elf	Get hash	malicious	Mirai	Browse	162.213.35.25
	sora.mips.elf	Get hash	malicious	Mirai	Browse	162.213.35.24
	byte.arm7.elf	Get hash	malicious	Mirai, Okiru	Browse	162.213.35.25
	sora.x86_64.elf	Get hash	malicious	Mirai	Browse	162.213.35.25
	byte.mips.elf	Get hash	malicious	Mirai, Okiru	Browse	162.213.35.25
	byte.sh4.elf	Get hash	malicious	Mirai, Okiru	Browse	162.213.35.25

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HOSTUS-GLOBAL-ASHostUSHK	jefne64.elf	Get hash	malicious	Unknown	Browse	89.190.156.145
	qbfwdbg.elf	Get hash	malicious	Unknown	Browse	89.190.156.145
	wrjkngh4.elf	Get hash	malicious	Unknown	Browse	89.190.156.145
	gnjqwpc.elf	Get hash	malicious	Unknown	Browse	89.190.156.145
	jefne64.elf	Get hash	malicious	Unknown	Browse	89.190.156.145
	wlw68k.elf	Get hash	malicious	Unknown	Browse	89.190.156.145
	fqkjei686.elf	Get hash	malicious	Unknown	Browse	89.190.156.145
	fbhervbhsl.elf	Get hash	malicious	Unknown	Browse	89.190.156.145
	ngwa5.elf	Get hash	malicious	Unknown	Browse	89.190.156.145
	debvps.elf	Get hash	malicious	Unknown	Browse	89.190.156.145
AMAZON-02US	sora.mpsl.elf	Get hash	malicious	Mirai	Browse	13.122.108.244
	sora.m68k.elf	Get hash	malicious	Mirai	Browse	34.221.242.254
	sora.sh4.elf	Get hash	malicious	Mirai	Browse	35.74.235.143
	sora.mips.elf	Get hash	malicious	Mirai	Browse	18.230.73.253
	sora.arm.elf	Get hash	malicious	Mirai	Browse	34.223.10.79
	https://dd21m32yacj0k.cloudfront.net/revision/au/v4.42.536.90.63	Get hash	malicious	Unknown	Browse	3.160.156.200
	Pedang @ P#U00ecsau.exe	Get hash	malicious	Brontok	Browse	3.130.204.160
	https://cc68b94d-d9d0-4a03-bf37-d58a3335e1ce.p.reviewstudio.com/-/en/gp/help/customer/display.html?nodeId=TLtMJsPGBmJPpN3hvy&ref_=footer_report_illegal_content	Get hash	malicious	Unknown	Browse	3.254.238.10
	https://cc68b94d-d9d0-4a03-bf37-d58a3335e1ce.p.reviewstudio.com/-/en/Drogerie-K%C3%B6rperpflege/b/?ie=UTF8&node=64187031&ref_=nav_cs_hpc	Get hash	malicious	Unknown	Browse	3.254.239.211
	https://cc68b94d-d9d0-4a03-bf37-d58a3335e1ce.p.reviewstudio.com/-/en/eu-sl-newarrivals24/ref=s9_bw_cg_NASPR24_1a1_w?pf_rd_m=A3JWKAKR8XB7XF&pf_rd_s=merchandised-search-3&pf_rd_r=C6W8YV9R6EKM9SMV1N9W&pf_rd_t=101&pf_rd_p=d7785b14-f69d-4ff4-8eec-1d9c43d8a300&pf_rd_i=11961464031	Get hash	malicious	Unknown	Browse	52.49.211.24
INIT7CH	sora.arm5.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	byte.arm7.elf	Get hash	malicious	Mirai, Okiru	Browse	109.202.202.202
	byte.arm6.elf	Get hash	malicious	Mirai, Okiru	Browse	109.202.202.202
	byte.mips.elf	Get hash	malicious	Mirai, Okiru	Browse	109.202.202.202
	na.elf	Get hash	malicious	Prometei	Browse	109.202.202.202
	na.elf	Get hash	malicious	Prometei	Browse	109.202.202.202
	byte.sh4.elf	Get hash	malicious	Mirai, Okiru	Browse	109.202.202.202
	byte.arm.elf	Get hash	malicious	Mirai, Okiru	Browse	109.202.202.202
	byte.spc.elf	Get hash	malicious	Mirai, Okiru	Browse	109.202.202.202
	dlr.arm5.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
CANONICAL-ASGB	sora.arm5.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	byte.arm7.elf	Get hash	malicious	Mirai, Okiru	Browse	91.189.91.42
	byte.arm6.elf	Get hash	malicious	Mirai, Okiru	Browse	91.189.91.42
	byte.mips.elf	Get hash	malicious	Mirai, Okiru	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	byte.sh4.elf	Get hash	malicious	Mirai, Okiru	Browse	91.189.91.42
	byte.arm.elf	Get hash	malicious	Mirai, Okiru	Browse	91.189.91.42
	byte.spc.elf	Get hash	malicious	Mirai, Okiru	Browse	91.189.91.42
	dlr.m68k.elf	Get hash	malicious	Unknown	Browse	185.125.190.26

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

/home/saturnino/.config/pulse/ee49dfd4fa47433baee88884e2d7de7c-default-sink

Download File

Process:	/usr/bin/pulseaudio
File Type:	ASCII text
Category:	dropped
Size (bytes):	10
Entropy (8bit):	2.9219280948873623
Encrypted:	false
SSDEEP:	3:5bkPn:pkP
MD5:	FF001A15CE15CF062A3704CEA2991B5F
SHA1:	B06F6855F376C3245B82212AC73ADED55DFE5DEF
SHA-256:	C54830B41ECFA1B6FBDC30397188DDA86B7B200E62AEAC21AE694A6192DCC38A
SHA-512:	65EBF7C31F6F65713CE01B38A112E97D0AE64A6BD1DA40CE4C1B998F10CD3912EE1A48BB2B279B24493062118AAB3B8753742E2AF28E56A31A7AAB27DE80E7BF
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	auto_null.

/home/saturnino/.config/pulse/ee49dfd4fa47433baee88884e2d7de7c-default-source

Download File

Process:	/usr/bin/pulseaudio
File Type:	ASCII text
Category:	dropped
Size (bytes):	18
Entropy (8bit):	3.4613201402110088
Encrypted:	false
SSDEEP:	3:5bkrIZsXvn:pkckv
MD5:	28FE6435F34B3367707BB1C5D5F6B430
SHA1:	EB8FE2D16BD6BBCCE106C94E4D284543B2573CF6
SHA-256:	721A37C69E555799B41D308849E8F8125441883AB021B723FED90A9B744F36C0
SHA-512:	6B6AB7C0979629D0FEF6BE47C5C6BCC367EDD0AAE3FC973F4DE2FD5F0A819C89E7656DB65D453B1B5398E54012B27EDFE02894AD87A7E0AF3A9C5F2EB24A9919
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	auto_null.monitor.

/proc/6445/oom_score_adj

Download File

Process:	/usr/bin/dbus-daemon
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:V:V
MD5:	CFCD208495D565EF66E7DFF9F98764DA
SHA1:	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA-256:	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SHA-512:	31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
Malicious:	false
Reputation:	high, very likely benign file
Preview:	0

/run/gdm3.pid

Download File

Process:	/usr/sbin/gdm3
File Type:	ASCII text
Category:	dropped
Size (bytes):	5
Entropy (8bit):	1.9219280948873623
Encrypted:	false
SSDEEP:	3:2:2
MD5:	B1607E49CD5359031F99A77EE8BADC14
SHA1:	B06FEEE087F7B9B371F979D2E10746EA702E7C0E
SHA-256:	D9162AC8760CEB3D9ACC4B805E24A1D7948353A6305CCBC2F294B1C29E43C506
SHA-512:	7899C0A17C0EAFB4CF9EDA1AE4F3B304D6FA684A7C9C291C987A8FC328D59BAADE0DD3C92A376148D584187EFABCDE0FD32E1884D052D1DFB699533643C67B1F
Malicious:	false
Reputation:	low
Preview:	6416.

/run/systemd/seats/.#seat0DEFbLc

Download File

Process:	/lib/systemd/systemd-logind
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.957035419463244
Encrypted:	false
SSDEEP:	3:SbFVVmFyinKMsuH47rLg205vmLUbr+ugKQ2KwshcXSv:SbFuFyLwH47Pg20ggWunQ2rNXc
MD5:	66D114877B3B4DB3BDD8A3AD4F5E7421
SHA1:	62E0CB0F51E0E3F97BE251CB917968DFF69ED344
SHA-256:	A922628916A7DDBE2BAA33F421C82250527EA3C28E429749353A1C75C0C18860
SHA-512:	5651247FA236DCF020A3C8456E4A9A74A85C5B9B3CCE94A3CF8F85FD4D66465C9F97DF7A1822E6CA4553C02BE149F3021D58DCC0C8CB6DCF37F915BD0A158187
Malicious:	false
Preview:	# This is private data. Do not parse..IS_SEAT0=1.CAN_MULTI_SESSION=1.CAN_TTY=1.CAN_GRAPHICAL=0.SESSIONS=c1.UIDS=127.

/run/systemd/seats/.#seat0gJ7Kr9

Download File

Process:	/lib/systemd/systemd-logind
File Type:	ASCII text
Category:	dropped
Size (bytes):	95
Entropy (8bit):	4.921230646592726
Encrypted:	false
SSDEEP:	3:SbFVVmFyinKMsuH47rLg205vmLUbr+v:SbFuFyLwH47Pg20ggWv
MD5:	BE58CCABC942125F5E27AF6EB1BA2F88
SHA1:	07C20F55E36EE48869B223B8FC4DBC227C7353AC
SHA-256:	551B1D1C8E5953D5D0CF49C83C1568E2FBEF8BDDB69903B3DA82240B777B4629
SHA-512:	E5A270995FDE80530927E0BACD3BF76EE820C968AABD55D2E34579326F388AFD6DE7FB8C5D54F69D3F6AC30A5B587FD3B0456FC60326E7DF4F45789A900D046C
Malicious:	false
Preview:	# This is private data. Do not parse..IS_SEAT0=1.CAN_MULTI_SESSION=1.CAN_TTY=1.CAN_GRAPHICAL=0.

/run/systemd/users/.#1271cb1V9

Download File

Process:	/lib/systemd/systemd-logind
File Type:	ASCII text
Category:	dropped
Size (bytes):	174
Entropy (8bit):	5.285693319368825
Encrypted:	false
SSDEEP:	3:SbFVVmFyinKMs5BuSgdNR2sKiYiesnAv/XSHxJgCqSwzv39VcnVxk9H206qodtlO:SbFuFyL3BVgdL87iesnAiRJg9Swzvrkk
MD5:	A4379BF1C3B20382EEC988232099A25D
SHA1:	ADF6B6B671772DAB0B7D8439D5FFF20FD78EAAA6
SHA-256:	A884C6CA832D91D08957E6FCF4F63C23AB7480D7977A96DB49F7CB2CDB1FB3FA
SHA-512:	5A0326F826DE49C533D92AF98D74FDF4355A264A4EE7C41CB98AD2A42A7B0C372D5AA108F668529F8F9F25491BA2FDE363740EA57F4001043D30AA7B9CFC74DB
Malicious:	false
Preview:	# This is private data. Do not parse..NAME=gdm.STATE=closing.STOPPING=no.RUNTIME=/run/user/127.REALTIME=1737009377436749.MONOTONIC=467849930.LAST_SESSION_TIMESTAMP=467917486.

/run/systemd/users/.#1275uh928

Download File

Process:	/lib/systemd/systemd-logind
File Type:	ASCII text
Category:	dropped
Size (bytes):	188
Entropy (8bit):	4.928997328913428
Encrypted:	false
SSDEEP:	3:SbFVVmFyinKMs5BuSgVuMI2sKiYiesnAv/XS12K2hwEY8mTQ2pJi22sQ2KkmD2pi:SbFuFyL3BVgVuR257iesnAi12thQc2p4
MD5:	065A3AD1A34A9903F536410ECA748105
SHA1:	21CD684DF60D569FA96EEEB66A0819EAC1B2B1A4
SHA-256:	E80554BF0FF4E32C61D4FA3054F8EFB27A26F1C37C91AE4EA94445C400693941
SHA-512:	DB3C42E893640BAEE9F0001BDE6E93ED40CC33198AC2B47328F577D3C71E2C2E986AAAFEF5BD8ADBC639B5C24ADF715D87034AE24B697331FF6FEC5962630064
Malicious:	false
Preview:	# This is private data. Do not parse..NAME=gdm.STATE=opening.STOPPING=no.RUNTIME=/run/user/127.SESSIONS=c1.SEATS=seat0.ACTIVE_SESSIONS=.ONLINE_SESSIONS=c1.ACTIVE_SEATS=.ONLINE_SEATS=seat0.

/run/systemd/users/.#127JX0wZb

Download File

Process:	/lib/systemd/systemd-logind
File Type:	ASCII text
Category:	dropped
Size (bytes):	282
Entropy (8bit):	5.300866889277879
Encrypted:	false
SSDEEP:	6:SbFuFyL3BVgVuR257iesnAir/0Ixff6NWg9SwzvrkMnQ2thQc2pb02/g2p9rwB:qgFq30VuR8L/ibBEWgfz1njthQHtPYqi
MD5:	0969BF9996B73DA9F74628679B47685B
SHA1:	1779D23171E792C2FC16B85C7799D7FD73D1D476
SHA-256:	F8CB127ABC1A53FB667A5F1A1D25452EA9B00FC4C11DB6E6F9659A5061FAEB8C
SHA-512:	FB006FCF053455F29888AD6909AD1E4E593D8B7321CE68355AABD79975788ED91816A2A04FBE21AB899DC68F6ECEAD4CA7A3D29118C53A8F69F7C61F0356AC15
Malicious:	false
Preview:	# This is private data. Do not parse..NAME=gdm.STATE=opening.STOPPING=no.RUNTIME=/run/user/127.SERVICE_JOB=/org/freedesktop/systemd1/job/12283.REALTIME=1737009377436749.MONOTONIC=467849930.SESSIONS=c1.SEATS=seat0.ACTIVE_SESSIONS=.ONLINE_SESSIONS=c1.ACTIVE_SEATS=.ONLINE_SEATS=seat0.

/run/systemd/users/.#127Xj6Hxc

Download File

Process:	/lib/systemd/systemd-logind
File Type:	ASCII text
Category:	dropped
Size (bytes):	282
Entropy (8bit):	5.300866889277879
Encrypted:	false
SSDEEP:	6:SbFuFyL3BVgVuR257iesnAir/0Ixff6NWg9SwzvrkMnQ2thQc2pb02/g2p9rwB:qgFq30VuR8L/ibBEWgfz1njthQHtPYqi
MD5:	0969BF9996B73DA9F74628679B47685B
SHA1:	1779D23171E792C2FC16B85C7799D7FD73D1D476
SHA-256:	F8CB127ABC1A53FB667A5F1A1D25452EA9B00FC4C11DB6E6F9659A5061FAEB8C
SHA-512:	FB006FCF053455F29888AD6909AD1E4E593D8B7321CE68355AABD79975788ED91816A2A04FBE21AB899DC68F6ECEAD4CA7A3D29118C53A8F69F7C61F0356AC15
Malicious:	false
Preview:	# This is private data. Do not parse..NAME=gdm.STATE=opening.STOPPING=no.RUNTIME=/run/user/127.SERVICE_JOB=/org/freedesktop/systemd1/job/12283.REALTIME=1737009377436749.MONOTONIC=467849930.SESSIONS=c1.SEATS=seat0.ACTIVE_SESSIONS=.ONLINE_SESSIONS=c1.ACTIVE_SEATS=.ONLINE_SEATS=seat0.

/run/systemd/users/.#127d06mDa

Download File

Process:	/lib/systemd/systemd-logind
File Type:	ASCII text
Category:	dropped
Size (bytes):	223
Entropy (8bit):	5.4727728852433115
Encrypted:	false
SSDEEP:	6:SbFuFyL3BVgdL87ynAir/0Ixff6BJg9SwzvrkMt6DlO:qgFq30dABibBGJgfzxIDlO
MD5:	A4B26FB02232F6FE70069B1048D17F29
SHA1:	616243F7A18BAEC7605DAA2B8495727B74669066
SHA-256:	9E8D0F7344A429E57BD0B0CF5501D65A066A38CA9DC0322A718F2B855A32BC32
SHA-512:	D7D45BB465649EFBAFEC67FD9E6AB657B4C68999528F037DC28C05A51FA7C069CDEBC7D866B06F7E2DCB22B43E21557620C30CD3CE530D8DB7863637A69ED78D
Malicious:	false
Preview:	# This is private data. Do not parse..NAME=gdm.STATE=closing.STOPPING=yes.RUNTIME=/run/user/127.SERVICE_JOB=/org/freedesktop/systemd1/job/12345.REALTIME=1737009377436749.MONOTONIC=467849930.LAST_SESSION_TIMESTAMP=467917486.

/run/user/1000/pulse/pid

Download File

Process:	/usr/bin/pulseaudio
File Type:	ASCII text
Category:	dropped
Size (bytes):	5
Entropy (8bit):	2.321928094887362
Encrypted:	false
SSDEEP:	3:e/n:e/n
MD5:	E5FF0C2E56E122E4A757F8D8E097DD4E
SHA1:	5B5A4644974662A2A40899F940A6FAD187096450
SHA-256:	98678881DD5F95271B5F9F7534BBF87E039749C9CF0B84A658C56B5A14930229
SHA-512:	B25F6FF19C24B767421A57A3D0EFF9072DB8E35D6D341214B57E334DE5A8ABF27D9EA213BDFE4BA7787DE7772B325033DD5CEF3CDDE7FD426B3C6AB71320F603
Malicious:	false
Preview:	6302.

/run/utmp

Download File

Process:	/sbin/agetty
File Type:	data
Category:	dropped
Size (bytes):	384
Entropy (8bit):	0.670329327231591
Encrypted:	false
SSDEEP:	3:ZlSsXlXEWtl/ACbs:7+ylzs
MD5:	7859296B53F1D6E248862BE8AB69DC03
SHA1:	2D08421F9A39A6D2D9E3A80B5208950D7D6A3F0E
SHA-256:	DEE07B5CB04E3B906A5829C0ED7A2655A278362DC75C1A9992CEB8862FE4650F
SHA-512:	4DF261D2A4F107C9505075CF2F28A544A0C0AD5D52774416D3CA480B7D8B0A3DBB304CAEC8E3A665FD41E8400F9AA651FA0ED9313579C0B7CEE4E87600EAD622
Malicious:	false
Preview:	........tty2.tty2.......................tty2LOGIN.....................................................................................................................................................................................................................................................................................................g........................................

/tmp/qemu-open.M2gNxz (deleted)

Download File

Process:	/tmp/Aqua.arm7.elf
File Type:	data
Category:	dropped
Size (bytes):	29
Entropy (8bit):	4.1162646156680225
Encrypted:	false
SSDEEP:	3:Tg2I8HJN:TggJN
MD5:	AE01A55EDFEBB175718FEF844D567F93
SHA1:	F34721848DD919F7771D6707D211F6D02FB979E6
SHA-256:	485A707A99D19B3B0EA0BED39B9B9738D4B232562E9D3943091AEFE59366330F
SHA-512:	A6B3104E52059F23AC0564428D6870F737CEBE1875C78F4BD3DB6EB3FAD46DF832DBA7D8BF467FA6CB4D995035F0AE1B62D158EEF27AED358597A5795596ACAD
Malicious:	false
Preview:	/tmp/Aqua.arm7.elf.nwlrbbmqbh

/var/lib/AccountsService/users/gdm.N8QK02

Download File

Process:	/usr/lib/accountsservice/accounts-daemon
File Type:	ASCII text
Category:	dropped
Size (bytes):	61
Entropy (8bit):	4.66214589518167
Encrypted:	false
SSDEEP:	3:urzMQvNT+PzKLrAan4R8AKn:gzMQIzKLrAa4M
MD5:	542BA3FB41206AE43928AF1C5E61FEBC
SHA1:	F56F574DAF50D609526B36B5B54FDD59EA4D6A26
SHA-256:	730D9509D4EAA7266829A8F5A8CFEBA6BBDDD5873FC2BD580AD464F4A237E11A
SHA-512:	D774B8F191A5C65228D1B3CA1181701CFCD07A3D91C5571B0DDF32AD3E241C2D7BDFC0697AB97DC10441EF9CDC8AEE5B19BC34E13E5C8B0B91AD06EEF42F5AEA
Malicious:	false
Preview:	[User].XSession=.Icon=/var/lib/gdm3/.face.SystemAccount=true.

/var/lib/ubuntu-drivers-common/last_gfx_boot

Download File

Process:	/usr/bin/gpu-manager
File Type:	ASCII text
Category:	dropped
Size (bytes):	25
Entropy (8bit):	2.7550849518197795
Encrypted:	false
SSDEEP:	3:JoT/V9fDVbn:M/V3n
MD5:	078760523943E160756979906B85FB5E
SHA1:	0962643266F4C5537F7D125046F28F21D6DD0C89
SHA-256:	048416AC7A9A99690B8B53718CD39F32F637B55CC8DD8E67E58E5AEF060DD41C
SHA-512:	DEFAAE8F8B54C61A716A0B0B4884358FEB8EB44DFEA01AAA5A687FDA7182792B7DEBB34AA840672EB3B40EB59FD0186749E08E47D181786C7FAA8C8F73F0104D
Malicious:	false
Preview:	15ad:0405;0000:00:0f:0;1.

/var/log/gpu-manager.log

Download File

Process:	/usr/bin/gpu-manager
File Type:	ASCII text
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	4.8296848499188485
Encrypted:	false
SSDEEP:	24:wPXXX9uV6BNu3WDF3GF3XFFxFFed2uk2HUvJlfWkpPpx7uvvAdow9555cJz:wPXXXe6vejpeC2HUR5WkpPpcvAdow95O
MD5:	3AF77E630DA00B3BE24F4E8AA5D78B13
SHA1:	BCF2D99E002F6DE2413A183227B011CFBEF5673D
SHA-256:	EB1CBBA20845237B4409274D693FEAE13F835274DA3337B7A9D14F4D7FDF9DEA
SHA-512:	8524B1E8A761F962B32F396812099B9B0B2DCF3C9FCA8605424753CFCFF4DC67EDC5EE1D8C91B9C0ED7FAE6BB1E752898B8D514B7C421D1839D6FEDA609C593C
Malicious:	false
Preview:	log_file: /var/log/gpu-manager.log.last_boot_file: /var/lib/ubuntu-drivers-common/last_gfx_boot.new_boot_file: /var/lib/ubuntu-drivers-common/last_gfx_boot.can't access /run/u-d-c-nvidia-was-loaded file.can't get module info via kmodcan't access /opt/amdgpu-pro/bin/amdgpu-pro-px.Looking for nvidia modules in /lib/modules/5.4.0-72-generic/kernel.Looking for nvidia modules in /lib/modules/5.4.0-72-generic/updates/dkms.Looking for amdgpu modules in /lib/modules/5.4.0-72-generic/kernel.Looking for amdgpu modules in /lib/modules/5.4.0-72-generic/updates/dkms.Is nvidia loaded? no.Was nvidia unloaded? no.Is nvidia blacklisted? no.Is intel loaded? no.Is radeon loaded? no.Is radeon blacklisted? no.Is amdgpu loaded? no.Is amdgpu blacklisted? no.Is amdgpu versioned? no.Is amdgpu pro stack? no.Is nouveau loaded? no.Is nouveau blacklisted? no.Is nvidia kernel module available? no.Is amdgpu kernel module available? no.Vendor/Device Id: 15ad:405.BusID "PCI:0@0:15:0".Is boot vga? yes.Error: can't acce

/var/log/wtmp

Download File

Process:	/sbin/agetty
File Type:	data
Category:	dropped
Size (bytes):	384
Entropy (8bit):	0.670329327231591
Encrypted:	false
SSDEEP:	3:ZlSsXlXEWtl/ACbs:7+ylzs
MD5:	7859296B53F1D6E248862BE8AB69DC03
SHA1:	2D08421F9A39A6D2D9E3A80B5208950D7D6A3F0E
SHA-256:	DEE07B5CB04E3B906A5829C0ED7A2655A278362DC75C1A9992CEB8862FE4650F
SHA-512:	4DF261D2A4F107C9505075CF2F28A544A0C0AD5D52774416D3CA480B7D8B0A3DBB304CAEC8E3A665FD41E8400F9AA651FA0ED9313579C0B7CEE4E87600EAD622
Malicious:	true
Preview:	........tty2.tty2.......................tty2LOGIN.....................................................................................................................................................................................................................................................................................................g........................................

File type:	ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, missing section headers at 178244
Entropy (8bit):	6.238141657256362
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	Aqua.arm7.elf
File size:	170'599 bytes
MD5:	01a083125eaa53dd09755e2fa57d1da2
SHA1:	fdfc0a9266976fea799184fe185f7df1d45f5fc9
SHA256:	a7c7393869871186599a3ee6a6e8fd5c0e33d09cb4e14f0601cd9e4d7a1deeaf
SHA512:	4d8def0ca467d956c8aef43c1b948050fe6d715497a5b4425828341a2d519cac29f9cea4a032cff6e65b47eb3f2a87dce82241419cd4bd0bd61c28ebfe094bfd
SSDEEP:	3072:oGdkMq+jB5uW0mgac1x9kcaDxoWCZ8NrTy8sLmMeOpM+D6soGM/RX:Rdq+j3uigacvucaDxoWCZGq8kvVpM+uL
TLSH:	B7F32A55FA418F12C4D722FAFA9F424833536BA8E3FA7102D9206F6137C659B0F63616
File Content Preview:	.ELF..............(.........4...........4. ...(........p4'..4...4...p...p............................(...(...............(...(...(.......V...............(...(...(..................Q.td..................................-...L..................@-.,@...0....S

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 16, 2025 07:35:46.438205004 CET	43928	443	192.168.2.23	91.189.91.42
Jan 16, 2025 07:35:49.982755899 CET	50026	7733	192.168.2.23	89.190.156.145
Jan 16, 2025 07:35:49.987840891 CET	7733	50026	89.190.156.145	192.168.2.23
Jan 16, 2025 07:35:49.987989902 CET	50026	7733	192.168.2.23	89.190.156.145
Jan 16, 2025 07:35:50.021960974 CET	50026	7733	192.168.2.23	89.190.156.145
Jan 16, 2025 07:35:50.026943922 CET	7733	50026	89.190.156.145	192.168.2.23
Jan 16, 2025 07:35:51.578599930 CET	7733	50026	89.190.156.145	192.168.2.23
Jan 16, 2025 07:35:51.581326962 CET	50026	7733	192.168.2.23	89.190.156.145
Jan 16, 2025 07:35:52.069272995 CET	42836	443	192.168.2.23	91.189.91.43
Jan 16, 2025 07:35:52.795639992 CET	53080	443	192.168.2.23	162.213.35.25
Jan 16, 2025 07:35:52.795681000 CET	443	53080	162.213.35.25	192.168.2.23
Jan 16, 2025 07:35:52.795728922 CET	53080	443	192.168.2.23	162.213.35.25
Jan 16, 2025 07:35:56.891824007 CET	53080	443	192.168.2.23	162.213.35.25
Jan 16, 2025 07:35:56.891906023 CET	443	53080	162.213.35.25	192.168.2.23
Jan 16, 2025 07:35:57.409029007 CET	443	53080	162.213.35.25	192.168.2.23
Jan 16, 2025 07:35:57.409116030 CET	53080	443	192.168.2.23	162.213.35.25
Jan 16, 2025 07:35:57.409308910 CET	53080	443	192.168.2.23	162.213.35.25
Jan 16, 2025 07:35:57.409326077 CET	443	53080	162.213.35.25	192.168.2.23
Jan 16, 2025 07:35:57.409547091 CET	53080	443	192.168.2.23	162.213.35.25
Jan 16, 2025 07:35:57.409569025 CET	443	53080	162.213.35.25	192.168.2.23
Jan 16, 2025 07:35:57.409646988 CET	443	53080	162.213.35.25	192.168.2.23
Jan 16, 2025 07:35:57.409696102 CET	53080	443	192.168.2.23	162.213.35.25
Jan 16, 2025 07:35:57.409708977 CET	443	53080	162.213.35.25	192.168.2.23
Jan 16, 2025 07:35:57.409758091 CET	53080	443	192.168.2.23	162.213.35.25
Jan 16, 2025 07:35:57.409986973 CET	53080	443	192.168.2.23	162.213.35.25
Jan 16, 2025 07:35:57.451360941 CET	443	53080	162.213.35.25	192.168.2.23
Jan 16, 2025 07:35:57.633351088 CET	443	53080	162.213.35.25	192.168.2.23
Jan 16, 2025 07:35:57.633599043 CET	53080	443	192.168.2.23	162.213.35.25
Jan 16, 2025 07:35:57.633599997 CET	53080	443	192.168.2.23	162.213.35.25
Jan 16, 2025 07:35:57.633599997 CET	53080	443	192.168.2.23	162.213.35.25
Jan 16, 2025 07:35:57.633599997 CET	53080	443	192.168.2.23	162.213.35.25
Jan 16, 2025 07:35:57.633701086 CET	443	53080	162.213.35.25	192.168.2.23
Jan 16, 2025 07:35:57.633733988 CET	443	53080	162.213.35.25	192.168.2.23
Jan 16, 2025 07:35:57.633754969 CET	443	53080	162.213.35.25	192.168.2.23
Jan 16, 2025 07:35:57.633774996 CET	53080	443	192.168.2.23	162.213.35.25
Jan 16, 2025 07:35:57.633774996 CET	53080	443	192.168.2.23	162.213.35.25
Jan 16, 2025 07:35:57.633793116 CET	443	53080	162.213.35.25	192.168.2.23
Jan 16, 2025 07:35:57.633812904 CET	443	53080	162.213.35.25	192.168.2.23
Jan 16, 2025 07:35:57.633861065 CET	53080	443	192.168.2.23	162.213.35.25
Jan 16, 2025 07:35:57.633862019 CET	53080	443	192.168.2.23	162.213.35.25
Jan 16, 2025 07:35:57.633862019 CET	53080	443	192.168.2.23	162.213.35.25
Jan 16, 2025 07:35:57.633902073 CET	53080	443	192.168.2.23	162.213.35.25
Jan 16, 2025 07:35:57.633902073 CET	53080	443	192.168.2.23	162.213.35.25
Jan 16, 2025 07:35:57.633902073 CET	53080	443	192.168.2.23	162.213.35.25
Jan 16, 2025 07:35:57.634032011 CET	443	53080	162.213.35.25	192.168.2.23
Jan 16, 2025 07:35:57.634130001 CET	53080	443	192.168.2.23	162.213.35.25
Jan 16, 2025 07:35:57.634149075 CET	443	53080	162.213.35.25	192.168.2.23
Jan 16, 2025 07:35:57.634172916 CET	53080	443	192.168.2.23	162.213.35.25
Jan 16, 2025 07:35:57.634182930 CET	443	53080	162.213.35.25	192.168.2.23
Jan 16, 2025 07:35:57.634193897 CET	443	53080	162.213.35.25	192.168.2.23
Jan 16, 2025 07:35:57.634243965 CET	53080	443	192.168.2.23	162.213.35.25
Jan 16, 2025 07:35:57.634263039 CET	443	53080	162.213.35.25	192.168.2.23
Jan 16, 2025 07:35:57.634293079 CET	53080	443	192.168.2.23	162.213.35.25
Jan 16, 2025 07:35:57.634305000 CET	443	53080	162.213.35.25	192.168.2.23
Jan 16, 2025 07:35:57.634342909 CET	53080	443	192.168.2.23	162.213.35.25
Jan 16, 2025 07:35:57.634361982 CET	443	53080	162.213.35.25	192.168.2.23
Jan 16, 2025 07:35:57.634397030 CET	53080	443	192.168.2.23	162.213.35.25
Jan 16, 2025 07:35:57.634397030 CET	53080	443	192.168.2.23	162.213.35.25
Jan 16, 2025 07:35:57.634417057 CET	443	53080	162.213.35.25	192.168.2.23
Jan 16, 2025 07:35:57.634433031 CET	53080	443	192.168.2.23	162.213.35.25
Jan 16, 2025 07:35:57.634447098 CET	443	53080	162.213.35.25	192.168.2.23
Jan 16, 2025 07:35:57.634458065 CET	443	53080	162.213.35.25	192.168.2.23
Jan 16, 2025 07:35:58.033565998 CET	443	53080	162.213.35.25	192.168.2.23
Jan 16, 2025 07:35:58.033653975 CET	53080	443	192.168.2.23	162.213.35.25
Jan 16, 2025 07:35:58.033674002 CET	443	53080	162.213.35.25	192.168.2.23
Jan 16, 2025 07:35:58.033705950 CET	53080	443	192.168.2.23	162.213.35.25
Jan 16, 2025 07:35:58.033759117 CET	443	53080	162.213.35.25	192.168.2.23
Jan 16, 2025 07:35:58.033859968 CET	53080	443	192.168.2.23	162.213.35.25
Jan 16, 2025 07:35:58.033879042 CET	443	53080	162.213.35.25	192.168.2.23
Jan 16, 2025 07:36:06.403331995 CET	43928	443	192.168.2.23	91.189.91.42
Jan 16, 2025 07:36:12.546505928 CET	42516	80	192.168.2.23	109.202.202.202
Jan 16, 2025 07:36:18.689631939 CET	42836	443	192.168.2.23	91.189.91.43
Jan 16, 2025 07:36:20.326675892 CET	33606	443	192.168.2.23	54.171.230.55
Jan 16, 2025 07:36:20.331901073 CET	443	33606	54.171.230.55	192.168.2.23
Jan 16, 2025 07:36:20.331947088 CET	33606	443	192.168.2.23	54.171.230.55
Jan 16, 2025 07:36:47.357831001 CET	43928	443	192.168.2.23	91.189.91.42

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Jan 16, 2025 07:35:56.248924971 CET	192.168.2.23	192.168.2.1	8283	(Port unreachable)	Destination Unreachable
Jan 16, 2025 07:37:16.264906883 CET	192.168.2.23	192.168.2.1	8283	(Port unreachable)	Destination Unreachable

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 16, 2025 07:35:48.746048927 CET	192.168.2.23	8.8.8.8	0x4e05	Standard query (0)	server.eye-network.ru	A (IP address)	IN (0x0001)	false
Jan 16, 2025 07:35:48.769962072 CET	192.168.2.23	8.8.8.8	0x4e05	Standard query (0)	server.eye-network.ru	A (IP address)	IN (0x0001)	false
Jan 16, 2025 07:35:48.778703928 CET	192.168.2.23	8.8.8.8	0x4e05	Standard query (0)	server.eye-network.ru	A (IP address)	IN (0x0001)	false
Jan 16, 2025 07:35:48.796480894 CET	192.168.2.23	8.8.8.8	0x4e05	Standard query (0)	server.eye-network.ru	A (IP address)	IN (0x0001)	false
Jan 16, 2025 07:35:48.817502022 CET	192.168.2.23	8.8.8.8	0x4e05	Standard query (0)	server.eye-network.ru	A (IP address)	IN (0x0001)	false
Jan 16, 2025 07:35:48.826164961 CET	192.168.2.23	8.8.8.8	0xec97	Standard query (0)	server.eye-network.ru. [malformed]	256	452	false
Jan 16, 2025 07:35:48.834283113 CET	192.168.2.23	8.8.8.8	0xec97	Standard query (0)	server.eye-network.ru. [malformed]	256	452	false
Jan 16, 2025 07:35:48.843818903 CET	192.168.2.23	8.8.8.8	0xec97	Standard query (0)	server.eye-network.ru. [malformed]	256	452	false
Jan 16, 2025 07:35:48.851880074 CET	192.168.2.23	8.8.8.8	0xec97	Standard query (0)	server.eye-network.ru. [malformed]	256	452	false
Jan 16, 2025 07:35:48.859217882 CET	192.168.2.23	8.8.8.8	0xec97	Standard query (0)	server.eye-network.ru. [malformed]	256	452	false
Jan 16, 2025 07:35:51.999038935 CET	192.168.2.23	8.8.8.8	0x8d09	Standard query (0)	server.eye-network.ru. [malformed]	256	456	false
Jan 16, 2025 07:35:52.012535095 CET	192.168.2.23	8.8.8.8	0x8d09	Standard query (0)	server.eye-network.ru. [malformed]	256	456	false
Jan 16, 2025 07:35:52.028052092 CET	192.168.2.23	8.8.8.8	0x8d09	Standard query (0)	server.eye-network.ru. [malformed]	256	456	false
Jan 16, 2025 07:35:52.038721085 CET	192.168.2.23	8.8.8.8	0x8d09	Standard query (0)	server.eye-network.ru. [malformed]	256	456	false
Jan 16, 2025 07:35:52.048870087 CET	192.168.2.23	8.8.8.8	0x8d09	Standard query (0)	server.eye-network.ru. [malformed]	256	456	false
Jan 16, 2025 07:35:52.434432983 CET	192.168.2.23	1.1.1.1	0xec5a	Standard query (0)	daisy.ubuntu.com	A (IP address)	IN (0x0001)	false
Jan 16, 2025 07:35:52.434623003 CET	192.168.2.23	1.1.1.1	0x6ce2	Standard query (0)	daisy.ubuntu.com	28	IN (0x0001)	false
Jan 16, 2025 07:35:52.778693914 CET	192.168.2.23	1.1.1.1	0xc5aa	Standard query (0)	daisy.ubuntu.com	28	IN (0x0001)	false
Jan 16, 2025 07:36:00.145237923 CET	192.168.2.23	8.8.8.8	0x346d	Standard query (0)	server.eye-network.ru. [malformed]	256	464	false
Jan 16, 2025 07:36:00.155327082 CET	192.168.2.23	8.8.8.8	0x346d	Standard query (0)	server.eye-network.ru. [malformed]	256	464	false
Jan 16, 2025 07:36:00.167450905 CET	192.168.2.23	8.8.8.8	0x346d	Standard query (0)	server.eye-network.ru. [malformed]	256	464	false
Jan 16, 2025 07:36:00.178750992 CET	192.168.2.23	8.8.8.8	0x346d	Standard query (0)	server.eye-network.ru. [malformed]	256	464	false
Jan 16, 2025 07:36:00.198069096 CET	192.168.2.23	8.8.8.8	0x346d	Standard query (0)	server.eye-network.ru. [malformed]	256	464	false
Jan 16, 2025 07:36:01.277432919 CET	192.168.2.23	8.8.8.8	0xb99e	Standard query (0)	server.eye-network.ru. [malformed]	256	465	false
Jan 16, 2025 07:36:01.289067030 CET	192.168.2.23	8.8.8.8	0xb99e	Standard query (0)	server.eye-network.ru. [malformed]	256	465	false
Jan 16, 2025 07:36:01.299540997 CET	192.168.2.23	8.8.8.8	0xb99e	Standard query (0)	server.eye-network.ru. [malformed]	256	465	false
Jan 16, 2025 07:36:01.310539961 CET	192.168.2.23	8.8.8.8	0xb99e	Standard query (0)	server.eye-network.ru. [malformed]	256	465	false
Jan 16, 2025 07:36:01.322257996 CET	192.168.2.23	8.8.8.8	0xb99e	Standard query (0)	server.eye-network.ru. [malformed]	256	465	false
Jan 16, 2025 07:36:11.378758907 CET	192.168.2.23	8.8.8.8	0x8949	Standard query (0)	server.eye-network.ru. [malformed]	256	475	false
Jan 16, 2025 07:36:11.385996103 CET	192.168.2.23	8.8.8.8	0x8949	Standard query (0)	server.eye-network.ru. [malformed]	256	475	false
Jan 16, 2025 07:36:11.393523932 CET	192.168.2.23	8.8.8.8	0x8949	Standard query (0)	server.eye-network.ru. [malformed]	256	475	false
Jan 16, 2025 07:36:11.400671005 CET	192.168.2.23	8.8.8.8	0x8949	Standard query (0)	server.eye-network.ru. [malformed]	256	475	false
Jan 16, 2025 07:36:11.407748938 CET	192.168.2.23	8.8.8.8	0x8949	Standard query (0)	server.eye-network.ru. [malformed]	256	475	false
Jan 16, 2025 07:36:15.454354048 CET	192.168.2.23	8.8.8.8	0x69e4	Standard query (0)	server.eye-network.ru. [malformed]	256	479	false
Jan 16, 2025 07:36:15.461466074 CET	192.168.2.23	8.8.8.8	0x69e4	Standard query (0)	server.eye-network.ru. [malformed]	256	479	false
Jan 16, 2025 07:36:15.468425035 CET	192.168.2.23	8.8.8.8	0x69e4	Standard query (0)	server.eye-network.ru. [malformed]	256	479	false
Jan 16, 2025 07:36:15.475709915 CET	192.168.2.23	8.8.8.8	0x69e4	Standard query (0)	server.eye-network.ru. [malformed]	256	479	false
Jan 16, 2025 07:36:15.482944012 CET	192.168.2.23	8.8.8.8	0x69e4	Standard query (0)	server.eye-network.ru. [malformed]	256	479	false
Jan 16, 2025 07:36:22.526480913 CET	192.168.2.23	8.8.8.8	0x40bb	Standard query (0)	server.eye-network.ru. [malformed]	256	486	false
Jan 16, 2025 07:36:22.533390999 CET	192.168.2.23	8.8.8.8	0x40bb	Standard query (0)	server.eye-network.ru. [malformed]	256	486	false
Jan 16, 2025 07:36:22.540365934 CET	192.168.2.23	8.8.8.8	0x40bb	Standard query (0)	server.eye-network.ru. [malformed]	256	486	false
Jan 16, 2025 07:36:22.547652006 CET	192.168.2.23	8.8.8.8	0x40bb	Standard query (0)	server.eye-network.ru. [malformed]	256	486	false
Jan 16, 2025 07:36:22.554644108 CET	192.168.2.23	8.8.8.8	0x40bb	Standard query (0)	server.eye-network.ru. [malformed]	256	486	false
Jan 16, 2025 07:36:23.598911047 CET	192.168.2.23	8.8.8.8	0xee2	Standard query (0)	server.eye-network.ru. [malformed]	256	487	false
Jan 16, 2025 07:36:23.605989933 CET	192.168.2.23	8.8.8.8	0xee2	Standard query (0)	server.eye-network.ru. [malformed]	256	487	false
Jan 16, 2025 07:36:23.612983942 CET	192.168.2.23	8.8.8.8	0xee2	Standard query (0)	server.eye-network.ru. [malformed]	256	487	false
Jan 16, 2025 07:36:23.620274067 CET	192.168.2.23	8.8.8.8	0xee2	Standard query (0)	server.eye-network.ru. [malformed]	256	487	false
Jan 16, 2025 07:36:23.627485037 CET	192.168.2.23	8.8.8.8	0xee2	Standard query (0)	server.eye-network.ru. [malformed]	256	487	false
Jan 16, 2025 07:36:30.671515942 CET	192.168.2.23	8.8.8.8	0xa912	Standard query (0)	server.eye-network.ru. [malformed]	256	494	false
Jan 16, 2025 07:36:30.680171013 CET	192.168.2.23	8.8.8.8	0xa912	Standard query (0)	server.eye-network.ru. [malformed]	256	494	false
Jan 16, 2025 07:36:30.687124014 CET	192.168.2.23	8.8.8.8	0xa912	Standard query (0)	server.eye-network.ru. [malformed]	256	494	false
Jan 16, 2025 07:36:30.694643021 CET	192.168.2.23	8.8.8.8	0xa912	Standard query (0)	server.eye-network.ru. [malformed]	256	494	false
Jan 16, 2025 07:36:30.701611042 CET	192.168.2.23	8.8.8.8	0xa912	Standard query (0)	server.eye-network.ru. [malformed]	256	494	false
Jan 16, 2025 07:36:33.749197960 CET	192.168.2.23	8.8.8.8	0x7730	Standard query (0)	server.eye-network.ru. [malformed]	256	497	false
Jan 16, 2025 07:36:33.756834030 CET	192.168.2.23	8.8.8.8	0x7730	Standard query (0)	server.eye-network.ru. [malformed]	256	497	false
Jan 16, 2025 07:36:33.765364885 CET	192.168.2.23	8.8.8.8	0x7730	Standard query (0)	server.eye-network.ru. [malformed]	256	497	false
Jan 16, 2025 07:36:33.772746086 CET	192.168.2.23	8.8.8.8	0x7730	Standard query (0)	server.eye-network.ru. [malformed]	256	497	false
Jan 16, 2025 07:36:33.780159950 CET	192.168.2.23	8.8.8.8	0x7730	Standard query (0)	server.eye-network.ru. [malformed]	256	497	false
Jan 16, 2025 07:36:40.832494020 CET	192.168.2.23	8.8.8.8	0x6ab2	Standard query (0)	server.eye-network.ru. [malformed]	256	504	false
Jan 16, 2025 07:36:40.847481966 CET	192.168.2.23	8.8.8.8	0x6ab2	Standard query (0)	server.eye-network.ru. [malformed]	256	504	false
Jan 16, 2025 07:36:40.855817080 CET	192.168.2.23	8.8.8.8	0x6ab2	Standard query (0)	server.eye-network.ru. [malformed]	256	504	false
Jan 16, 2025 07:36:40.863564014 CET	192.168.2.23	8.8.8.8	0x6ab2	Standard query (0)	server.eye-network.ru. [malformed]	256	504	false
Jan 16, 2025 07:36:40.871406078 CET	192.168.2.23	8.8.8.8	0x6ab2	Standard query (0)	server.eye-network.ru. [malformed]	256	504	false
Jan 16, 2025 07:36:42.928148031 CET	192.168.2.23	8.8.8.8	0x6937	Standard query (0)	server.eye-network.ru. [malformed]	256	506	false
Jan 16, 2025 07:36:42.935870886 CET	192.168.2.23	8.8.8.8	0x6937	Standard query (0)	server.eye-network.ru. [malformed]	256	506	false
Jan 16, 2025 07:36:42.943694115 CET	192.168.2.23	8.8.8.8	0x6937	Standard query (0)	server.eye-network.ru. [malformed]	256	506	false
Jan 16, 2025 07:36:42.951488018 CET	192.168.2.23	8.8.8.8	0x6937	Standard query (0)	server.eye-network.ru. [malformed]	256	506	false
Jan 16, 2025 07:36:42.959832907 CET	192.168.2.23	8.8.8.8	0x6937	Standard query (0)	server.eye-network.ru. [malformed]	256	506	false
Jan 16, 2025 07:36:52.015913010 CET	192.168.2.23	8.8.8.8	0xb4ba	Standard query (0)	server.eye-network.ru. [malformed]	256	260	false
Jan 16, 2025 07:36:52.024883032 CET	192.168.2.23	8.8.8.8	0xb4ba	Standard query (0)	server.eye-network.ru. [malformed]	256	260	false
Jan 16, 2025 07:36:52.034398079 CET	192.168.2.23	8.8.8.8	0xb4ba	Standard query (0)	server.eye-network.ru. [malformed]	256	260	false
Jan 16, 2025 07:36:52.043037891 CET	192.168.2.23	8.8.8.8	0xb4ba	Standard query (0)	server.eye-network.ru. [malformed]	256	260	false
Jan 16, 2025 07:36:52.051995993 CET	192.168.2.23	8.8.8.8	0xb4ba	Standard query (0)	server.eye-network.ru. [malformed]	256	260	false
Jan 16, 2025 07:37:00.106843948 CET	192.168.2.23	8.8.8.8	0x8e92	Standard query (0)	server.eye-network.ru. [malformed]	256	268	false
Jan 16, 2025 07:37:00.114700079 CET	192.168.2.23	8.8.8.8	0x8e92	Standard query (0)	server.eye-network.ru. [malformed]	256	268	false
Jan 16, 2025 07:37:00.123398066 CET	192.168.2.23	8.8.8.8	0x8e92	Standard query (0)	server.eye-network.ru. [malformed]	256	268	false
Jan 16, 2025 07:37:00.131144047 CET	192.168.2.23	8.8.8.8	0x8e92	Standard query (0)	server.eye-network.ru. [malformed]	256	268	false
Jan 16, 2025 07:37:00.139900923 CET	192.168.2.23	8.8.8.8	0x8e92	Standard query (0)	server.eye-network.ru. [malformed]	256	268	false
Jan 16, 2025 07:37:10.195663929 CET	192.168.2.23	8.8.8.8	0xcec4	Standard query (0)	server.eye-network.ru. [malformed]	256	278	false
Jan 16, 2025 07:37:10.203749895 CET	192.168.2.23	8.8.8.8	0xcec4	Standard query (0)	server.eye-network.ru. [malformed]	256	278	false
Jan 16, 2025 07:37:10.211940050 CET	192.168.2.23	8.8.8.8	0xcec4	Standard query (0)	server.eye-network.ru. [malformed]	256	278	false
Jan 16, 2025 07:37:10.220076084 CET	192.168.2.23	8.8.8.8	0xcec4	Standard query (0)	server.eye-network.ru. [malformed]	256	278	false
Jan 16, 2025 07:37:10.228399992 CET	192.168.2.23	8.8.8.8	0xcec4	Standard query (0)	server.eye-network.ru. [malformed]	256	278	false
Jan 16, 2025 07:37:13.285958052 CET	192.168.2.23	8.8.8.8	0x2540	Standard query (0)	server.eye-network.ru. [malformed]	256	281	false
Jan 16, 2025 07:37:13.296451092 CET	192.168.2.23	8.8.8.8	0x2540	Standard query (0)	server.eye-network.ru. [malformed]	256	281	false
Jan 16, 2025 07:37:13.304136992 CET	192.168.2.23	8.8.8.8	0x2540	Standard query (0)	server.eye-network.ru. [malformed]	256	281	false
Jan 16, 2025 07:37:13.312439919 CET	192.168.2.23	8.8.8.8	0x2540	Standard query (0)	server.eye-network.ru. [malformed]	256	281	false
Jan 16, 2025 07:37:13.320656061 CET	192.168.2.23	8.8.8.8	0x2540	Standard query (0)	server.eye-network.ru. [malformed]	256	281	false
Jan 16, 2025 07:37:14.370208025 CET	192.168.2.23	8.8.8.8	0xf4a2	Standard query (0)	server.eye-network.ru. [malformed]	256	282	false
Jan 16, 2025 07:37:14.377780914 CET	192.168.2.23	8.8.8.8	0xf4a2	Standard query (0)	server.eye-network.ru. [malformed]	256	282	false
Jan 16, 2025 07:37:14.385092020 CET	192.168.2.23	8.8.8.8	0xf4a2	Standard query (0)	server.eye-network.ru. [malformed]	256	282	false
Jan 16, 2025 07:37:14.392529964 CET	192.168.2.23	8.8.8.8	0xf4a2	Standard query (0)	server.eye-network.ru. [malformed]	256	282	false
Jan 16, 2025 07:37:14.400218010 CET	192.168.2.23	8.8.8.8	0xf4a2	Standard query (0)	server.eye-network.ru. [malformed]	256	282	false
Jan 16, 2025 07:37:17.449992895 CET	192.168.2.23	8.8.8.8	0x7b47	Standard query (0)	server.eye-network.ru. [malformed]	256	285	false
Jan 16, 2025 07:37:17.457230091 CET	192.168.2.23	8.8.8.8	0x7b47	Standard query (0)	server.eye-network.ru. [malformed]	256	285	false
Jan 16, 2025 07:37:17.464684963 CET	192.168.2.23	8.8.8.8	0x7b47	Standard query (0)	server.eye-network.ru. [malformed]	256	285	false
Jan 16, 2025 07:37:17.471959114 CET	192.168.2.23	8.8.8.8	0x7b47	Standard query (0)	server.eye-network.ru. [malformed]	256	285	false
Jan 16, 2025 07:37:17.479052067 CET	192.168.2.23	8.8.8.8	0x7b47	Standard query (0)	server.eye-network.ru. [malformed]	256	285	false
Jan 16, 2025 07:37:21.528855085 CET	192.168.2.23	8.8.8.8	0x880b	Standard query (0)	server.eye-network.ru. [malformed]	256	289	false
Jan 16, 2025 07:37:21.536829948 CET	192.168.2.23	8.8.8.8	0x880b	Standard query (0)	server.eye-network.ru. [malformed]	256	289	false
Jan 16, 2025 07:37:21.544374943 CET	192.168.2.23	8.8.8.8	0x880b	Standard query (0)	server.eye-network.ru. [malformed]	256	289	false
Jan 16, 2025 07:37:21.552540064 CET	192.168.2.23	8.8.8.8	0x880b	Standard query (0)	server.eye-network.ru. [malformed]	256	289	false
Jan 16, 2025 07:37:21.560944080 CET	192.168.2.23	8.8.8.8	0x880b	Standard query (0)	server.eye-network.ru. [malformed]	256	289	false
Jan 16, 2025 07:37:29.611048937 CET	192.168.2.23	8.8.8.8	0x9381	Standard query (0)	server.eye-network.ru. [malformed]	256	297	false
Jan 16, 2025 07:37:29.619278908 CET	192.168.2.23	8.8.8.8	0x9381	Standard query (0)	server.eye-network.ru. [malformed]	256	297	false
Jan 16, 2025 07:37:29.627053976 CET	192.168.2.23	8.8.8.8	0x9381	Standard query (0)	server.eye-network.ru. [malformed]	256	297	false
Jan 16, 2025 07:37:29.634929895 CET	192.168.2.23	8.8.8.8	0x9381	Standard query (0)	server.eye-network.ru. [malformed]	256	297	false
Jan 16, 2025 07:37:29.642592907 CET	192.168.2.23	8.8.8.8	0x9381	Standard query (0)	server.eye-network.ru. [malformed]	256	297	false
Jan 16, 2025 07:37:35.692437887 CET	192.168.2.23	8.8.8.8	0xe299	Standard query (0)	server.eye-network.ru. [malformed]	256	303	false
Jan 16, 2025 07:37:35.700092077 CET	192.168.2.23	8.8.8.8	0xe299	Standard query (0)	server.eye-network.ru. [malformed]	256	303	false
Jan 16, 2025 07:37:35.721441031 CET	192.168.2.23	8.8.8.8	0xe299	Standard query (0)	server.eye-network.ru. [malformed]	256	303	false
Jan 16, 2025 07:37:35.729857922 CET	192.168.2.23	8.8.8.8	0xe299	Standard query (0)	server.eye-network.ru. [malformed]	256	303	false
Jan 16, 2025 07:37:35.738054991 CET	192.168.2.23	8.8.8.8	0xe299	Standard query (0)	server.eye-network.ru. [malformed]	256	303	false
Jan 16, 2025 07:37:45.802920103 CET	192.168.2.23	8.8.8.8	0x7915	Standard query (0)	server.eye-network.ru. [malformed]	256	313	false
Jan 16, 2025 07:37:45.813162088 CET	192.168.2.23	8.8.8.8	0x7915	Standard query (0)	server.eye-network.ru. [malformed]	256	313	false
Jan 16, 2025 07:37:45.823147058 CET	192.168.2.23	8.8.8.8	0x7915	Standard query (0)	server.eye-network.ru. [malformed]	256	313	false
Jan 16, 2025 07:37:45.832844973 CET	192.168.2.23	8.8.8.8	0x7915	Standard query (0)	server.eye-network.ru. [malformed]	256	313	false
Jan 16, 2025 07:37:45.842380047 CET	192.168.2.23	8.8.8.8	0x7915	Standard query (0)	server.eye-network.ru. [malformed]	256	313	false
Jan 16, 2025 07:37:48.904609919 CET	192.168.2.23	8.8.8.8	0xbff2	Standard query (0)	server.eye-network.ru. [malformed]	256	316	false
Jan 16, 2025 07:37:48.914130926 CET	192.168.2.23	8.8.8.8	0xbff2	Standard query (0)	server.eye-network.ru. [malformed]	256	316	false
Jan 16, 2025 07:37:48.925271988 CET	192.168.2.23	8.8.8.8	0xbff2	Standard query (0)	server.eye-network.ru. [malformed]	256	316	false
Jan 16, 2025 07:37:48.935255051 CET	192.168.2.23	8.8.8.8	0xbff2	Standard query (0)	server.eye-network.ru. [malformed]	256	316	false
Jan 16, 2025 07:37:48.945211887 CET	192.168.2.23	8.8.8.8	0xbff2	Standard query (0)	server.eye-network.ru. [malformed]	256	316	false
Jan 16, 2025 07:37:52.005986929 CET	192.168.2.23	8.8.8.8	0xe61	Standard query (0)	server.eye-network.ru. [malformed]	256	320	false
Jan 16, 2025 07:37:52.014854908 CET	192.168.2.23	8.8.8.8	0xe61	Standard query (0)	server.eye-network.ru. [malformed]	256	320	false
Jan 16, 2025 07:37:52.023475885 CET	192.168.2.23	8.8.8.8	0xe61	Standard query (0)	server.eye-network.ru. [malformed]	256	320	false
Jan 16, 2025 07:37:52.031424046 CET	192.168.2.23	8.8.8.8	0xe61	Standard query (0)	server.eye-network.ru. [malformed]	256	320	false
Jan 16, 2025 07:37:52.040601015 CET	192.168.2.23	8.8.8.8	0xe61	Standard query (0)	server.eye-network.ru. [malformed]	256	320	false
Jan 16, 2025 07:38:01.105664015 CET	192.168.2.23	8.8.8.8	0xd868	Standard query (0)	server.eye-network.ru. [malformed]	256	329	false
Jan 16, 2025 07:38:01.115240097 CET	192.168.2.23	8.8.8.8	0xd868	Standard query (0)	server.eye-network.ru. [malformed]	256	329	false
Jan 16, 2025 07:38:01.124983072 CET	192.168.2.23	8.8.8.8	0xd868	Standard query (0)	server.eye-network.ru. [malformed]	256	329	false
Jan 16, 2025 07:38:01.134911060 CET	192.168.2.23	8.8.8.8	0xd868	Standard query (0)	server.eye-network.ru. [malformed]	256	329	false
Jan 16, 2025 07:38:01.144149065 CET	192.168.2.23	8.8.8.8	0xd868	Standard query (0)	server.eye-network.ru. [malformed]	256	329	false
Jan 16, 2025 07:38:11.201320887 CET	192.168.2.23	8.8.8.8	0xe829	Standard query (0)	server.eye-network.ru. [malformed]	256	339	false
Jan 16, 2025 07:38:11.209728956 CET	192.168.2.23	8.8.8.8	0xe829	Standard query (0)	server.eye-network.ru. [malformed]	256	339	false
Jan 16, 2025 07:38:11.218790054 CET	192.168.2.23	8.8.8.8	0xe829	Standard query (0)	server.eye-network.ru. [malformed]	256	339	false
Jan 16, 2025 07:38:11.227751017 CET	192.168.2.23	8.8.8.8	0xe829	Standard query (0)	server.eye-network.ru. [malformed]	256	339	false
Jan 16, 2025 07:38:11.236310959 CET	192.168.2.23	8.8.8.8	0xe829	Standard query (0)	server.eye-network.ru. [malformed]	256	339	false

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 16, 2025 07:35:48.753042936 CET	8.8.8.8	192.168.2.23	0x4e05	Name error (3)	server.eye-network.ru	none	none	A (IP address)	IN (0x0001)	false
Jan 16, 2025 07:35:48.777605057 CET	8.8.8.8	192.168.2.23	0x4e05	Name error (3)	server.eye-network.ru	none	none	A (IP address)	IN (0x0001)	false
Jan 16, 2025 07:35:48.785607100 CET	8.8.8.8	192.168.2.23	0x4e05	Name error (3)	server.eye-network.ru	none	none	A (IP address)	IN (0x0001)	false
Jan 16, 2025 07:35:48.803553104 CET	8.8.8.8	192.168.2.23	0x4e05	Name error (3)	server.eye-network.ru	none	none	A (IP address)	IN (0x0001)	false
Jan 16, 2025 07:35:48.824489117 CET	8.8.8.8	192.168.2.23	0x4e05	Name error (3)	server.eye-network.ru	none	none	A (IP address)	IN (0x0001)	false
Jan 16, 2025 07:35:52.441405058 CET	1.1.1.1	192.168.2.23	0xec5a	No error (0)	daisy.ubuntu.com		162.213.35.24	A (IP address)	IN (0x0001)	false
Jan 16, 2025 07:35:52.441405058 CET	1.1.1.1	192.168.2.23	0xec5a	No error (0)	daisy.ubuntu.com		162.213.35.25	A (IP address)	IN (0x0001)	false

Timestamp	Bytes transferred	Direction	Data
2025-01-16 06:35:57 UTC	307	OUT	POST /9aadafe2051348cd32033e1cad68f0a5fe46fba3240ac1e6e42158f31b8a1371790c09baf3996b4979fe8e533446c7dedf30f654c68b25357334c66911dc6a9e HTTP/1.1 Host: daisy.ubuntu.com Accept: / Content-Type: application/octet-stream X-Whoopsie-Version: 0.2.69ubuntu0.3 Content-Length: 164887 Expect: 100-continue
2025-01-16 06:35:57 UTC	25	IN	HTTP/1.1 100 Continue
2025-01-16 06:35:57 UTC	16384	OUT	Data Raw: 17 84 02 00 02 50 72 6f 63 45 6e 76 69 72 6f 6e 00 4e 00 00 00 50 41 54 48 3d 28 63 75 73 74 6f 6d 2c 20 6e 6f 20 75 73 65 72 29 0a 58 44 47 5f 52 55 4e 54 49 4d 45 5f 44 49 52 3d 3c 73 65 74 3e 0a 4c 41 4e 47 3d 65 6e 5f 55 53 2e 55 54 46 2d 38 0a 53 48 45 4c 4c 3d 2f 62 69 6e 2f 62 61 73 68 00 02 5f 4c 6f 67 69 6e 64 53 65 73 73 69 6f 6e 00 02 00 00 00 35 00 02 44 61 74 65 00 19 00 00 00 54 75 65 20 41 75 67 20 31 37 20 32 30 3a 31 38 3a 30 34 20 32 30 32 31 00 02 53 6f 75 72 63 65 50 61 63 6b 61 67 65 00 0d 00 00 00 6c 69 67 68 74 2d 6c 6f 63 6b 65 72 00 02 50 61 63 6b 61 67 65 41 72 63 68 69 74 65 63 74 75 72 65 00 06 00 00 00 61 6d 64 36 34 00 02 41 72 63 68 69 74 65 63 74 75 72 65 00 06 00 00 00 61 6d 64 36 34 00 02 44 69 73 74 72 6f 52 65 6c 65 61 Data Ascii: ProcEnvironNPATH=(custom, no user)XDG_RUNTIME_DIR=<set>LANG=en_US.UTF-8SHELL=/bin/bash_LogindSession5DateTue Aug 17 20:18:04 2021SourcePackagelight-lockerPackageArchitectureamd64Architectureamd64DistroRelea
2025-01-16 06:35:57 UTC	16384	OUT	Data Raw: 74 75 34 2e 31 0a 6c 69 62 70 61 6d 2d 72 75 6e 74 69 6d 65 20 31 2e 33 2e 31 2d 35 75 62 75 6e 74 75 34 2e 31 0a 6c 69 62 70 61 6d 2d 73 79 73 74 65 6d 64 20 32 34 35 2e 34 2d 34 75 62 75 6e 74 75 33 2e 31 31 0a 6c 69 62 70 61 6d 30 67 20 31 2e 33 2e 31 2d 35 75 62 75 6e 74 75 34 2e 31 0a 6c 69 62 70 61 6e 67 6f 2d 31 2e 30 2d 30 20 31 2e 34 34 2e 37 2d 32 75 62 75 6e 74 75 34 0a 6c 69 62 70 61 6e 67 6f 63 61 69 72 6f 2d 31 2e 30 2d 30 20 31 2e 34 34 2e 37 2d 32 75 62 75 6e 74 75 34 0a 6c 69 62 70 61 6e 67 6f 66 74 32 2d 31 2e 30 2d 30 20 31 2e 34 34 2e 37 2d 32 75 62 75 6e 74 75 34 0a 6c 69 62 70 61 6e 67 6f 78 66 74 2d 31 2e 30 2d 30 20 31 2e 34 34 2e 37 2d 32 75 62 75 6e 74 75 34 0a 6c 69 62 70 61 70 65 72 2d 75 74 69 6c 73 20 31 2e 31 2e 32 38 0a 6c Data Ascii: tu4.1libpam-runtime 1.3.1-5ubuntu4.1libpam-systemd 245.4-4ubuntu3.11libpam0g 1.3.1-5ubuntu4.1libpango-1.0-0 1.44.7-2ubuntu4libpangocairo-1.0-0 1.44.7-2ubuntu4libpangoft2-1.0-0 1.44.7-2ubuntu4libpangoxft-1.0-0 1.44.7-2ubuntu4libpaper-utils 1.1.28l
2025-01-16 06:35:57 UTC	16384	OUT	Data Raw: 20 20 20 20 20 20 20 20 30 78 30 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 30 0a 67 73 20 20 20 20 20 20 20 20 20 20 20 20 20 30 78 30 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 30 0a 6b 30 20 20 20 20 20 20 20 20 20 20 20 20 20 30 78 30 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 30 0a 6b 31 20 20 20 20 20 20 20 20 20 20 20 20 20 30 78 30 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 30 0a 6b 32 20 20 20 20 20 20 20 20 20 20 20 20 20 30 78 30 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 30 0a 6b 33 20 20 20 20 20 20 20 20 20 20 20 20 20 30 78 30 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 30 0a 6b 34 20 20 20 20 20 20 20 20 20 20 20 20 20 30 78 30 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 30 0a 6b 35 20 Data Ascii: 0x0 0gs 0x0 0k0 0x0 0k1 0x0 0k2 0x0 0k3 0x0 0k4 0x0 0k5
2025-01-16 06:35:57 UTC	16384	OUT	Data Raw: 20 20 20 20 20 20 20 20 20 2f 75 73 72 2f 6c 69 62 2f 78 38 36 5f 36 34 2d 6c 69 6e 75 78 2d 67 6e 75 2f 6c 69 62 78 63 62 2d 72 65 6e 64 65 72 2e 73 6f 2e 30 2e 30 2e 30 0a 37 66 37 39 31 63 30 37 34 30 30 30 2d 37 66 37 39 31 63 30 37 35 30 30 30 20 2d 2d 2d 70 20 30 30 30 30 63 30 30 30 20 66 64 3a 30 30 20 38 30 36 32 36 30 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2f 75 73 72 2f 6c 69 62 2f 78 38 36 5f 36 34 2d 6c 69 6e 75 78 2d 67 6e 75 2f 6c 69 62 78 63 62 2d 72 65 6e 64 65 72 2e 73 6f 2e 30 2e 30 2e 30 0a 37 66 37 39 31 63 30 37 35 30 30 30 2d 37 66 37 39 31 63 30 37 36 30 30 30 20 72 2d 2d 70 20 30 30 30 30 63 30 30 30 20 66 64 3a 30 30 20 38 30 36 32 36 30 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2f 75 Data Ascii: /usr/lib/x86_64-linux-gnu/libxcb-render.so.0.0.07f791c074000-7f791c075000 ---p 0000c000 fd:00 806260 /usr/lib/x86_64-linux-gnu/libxcb-render.so.0.0.07f791c075000-7f791c076000 r--p 0000c000 fd:00 806260 /u
2025-01-16 06:35:57 UTC	16384	OUT	Data Raw: 6e 75 78 2d 67 6e 75 2f 6c 69 62 67 64 6b 5f 70 69 78 62 75 66 2d 32 2e 30 2e 73 6f 2e 30 2e 34 30 30 30 2e 30 0a 37 66 37 39 31 63 37 37 33 30 30 30 2d 37 66 37 39 31 63 37 37 34 30 30 30 20 72 77 2d 70 20 30 30 30 32 36 30 30 30 20 66 64 3a 30 30 20 38 30 36 32 34 35 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2f 75 73 72 2f 6c 69 62 2f 78 38 36 5f 36 34 2d 6c 69 6e 75 78 2d 67 6e 75 2f 6c 69 62 67 64 6b 5f 70 69 78 62 75 66 2d 32 2e 30 2e 73 6f 2e 30 2e 34 30 30 30 2e 30 0a 37 66 37 39 31 63 37 37 34 30 30 30 2d 37 66 37 39 31 63 37 37 38 30 30 30 20 72 2d 2d 70 20 30 30 30 30 30 30 30 30 20 66 64 3a 30 30 20 38 30 36 32 36 38 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2f 75 73 72 2f 6c 69 62 2f 78 38 36 5f 36 34 Data Ascii: nux-gnu/libgdk_pixbuf-2.0.so.0.4000.07f791c773000-7f791c774000 rw-p 00026000 fd:00 806245 /usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.4000.07f791c774000-7f791c778000 r--p 00000000 fd:00 806268 /usr/lib/x86_64
2025-01-16 06:35:57 UTC	16384	OUT	Data Raw: 20 70 6c 61 74 66 6f 72 6d 20 65 69 73 61 2e 30 3a 20 43 61 6e 6e 6f 74 20 61 6c 6c 6f 63 61 74 65 20 72 65 73 6f 75 72 63 65 20 66 6f 72 20 45 49 53 41 20 73 6c 6f 74 20 37 0a 41 75 67 20 31 37 20 32 30 3a 32 34 3a 34 36 20 67 61 6c 61 73 73 69 61 20 6b 65 72 6e 65 6c 3a 20 70 6c 61 74 66 6f 72 6d 20 65 69 73 61 2e 30 3a 20 43 61 6e 6e 6f 74 20 61 6c 6c 6f 63 61 74 65 20 72 65 73 6f 75 72 63 65 20 66 6f 72 20 45 49 53 41 20 73 6c 6f 74 20 38 0a 41 75 67 20 31 37 20 32 30 3a 32 34 3a 34 36 20 67 61 6c 61 73 73 69 61 20 6b 65 72 6e 65 6c 3a 20 73 64 20 33 32 3a 30 3a 30 3a 30 3a 20 5b 73 64 61 5d 20 41 73 73 75 6d 69 6e 67 20 64 72 69 76 65 20 63 61 63 68 65 3a 20 77 72 69 74 65 20 74 68 72 6f 75 67 68 0a 41 75 67 20 31 37 20 32 30 3a 32 34 3a 34 37 20 67 Data Ascii: platform eisa.0: Cannot allocate resource for EISA slot 7Aug 17 20:24:46 galassia kernel: platform eisa.0: Cannot allocate resource for EISA slot 8Aug 17 20:24:46 galassia kernel: sd 32:0:0:0: [sda] Assuming drive cache: write throughAug 17 20:24:47 g
2025-01-16 06:35:57 UTC	16384	OUT	Data Raw: 35 35 31 5d 3a 20 28 49 49 29 20 4c 6f 61 64 4d 6f 64 75 6c 65 3a 20 22 66 62 64 65 76 68 77 22 0a 41 75 67 20 31 37 20 32 30 3a 32 35 3a 30 34 20 67 61 6c 61 73 73 69 61 20 2f 75 73 72 2f 6c 69 62 2f 67 64 6d 33 2f 67 64 6d 2d 78 2d 73 65 73 73 69 6f 6e 5b 31 35 35 31 5d 3a 20 28 49 49 29 20 4c 6f 61 64 69 6e 67 20 2f 75 73 72 2f 6c 69 62 2f 78 6f 72 67 2f 6d 6f 64 75 6c 65 73 2f 6c 69 62 66 62 64 65 76 68 77 2e 73 6f 0a 41 75 67 20 31 37 20 32 30 3a 32 35 3a 30 34 20 67 61 6c 61 73 73 69 61 20 2f 75 73 72 2f 6c 69 62 2f 67 64 6d 33 2f 67 64 6d 2d 78 2d 73 65 73 73 69 6f 6e 5b 31 35 35 31 5d 3a 20 28 49 49 29 20 4d 6f 64 75 6c 65 20 66 62 64 65 76 68 77 3a 20 76 65 6e 64 6f 72 3d 22 58 2e 4f 72 67 20 46 6f 75 6e 64 61 74 69 6f 6e 22 0a 41 75 67 20 31 37 Data Ascii: 551]: (II) LoadModule: "fbdevhw"Aug 17 20:25:04 galassia /usr/lib/gdm3/gdm-x-session[1551]: (II) Loading /usr/lib/xorg/modules/libfbdevhw.soAug 17 20:25:04 galassia /usr/lib/gdm3/gdm-x-session[1551]: (II) Module fbdevhw: vendor="X.Org Foundation"Aug 17
2025-01-16 06:35:57 UTC	16384	OUT	Data Raw: 2f 6c 69 62 2f 67 64 6d 33 2f 67 64 6d 2d 78 2d 73 65 73 73 69 6f 6e 5b 31 35 35 31 5d 3a 20 28 49 49 29 20 76 6d 77 61 72 65 28 30 29 3a 20 4e 6f 74 20 75 73 69 6e 67 20 64 65 66 61 75 6c 74 20 6d 6f 64 65 20 22 31 39 32 30 78 31 32 30 30 22 20 28 69 6e 73 75 66 66 69 63 69 65 6e 74 20 6d 65 6d 6f 72 79 20 66 6f 72 20 6d 6f 64 65 29 0a 41 75 67 20 31 37 20 32 30 3a 32 35 3a 30 35 20 67 61 6c 61 73 73 69 61 20 2f 75 73 72 2f 6c 69 62 2f 67 64 6d 33 2f 67 64 6d 2d 78 2d 73 65 73 73 69 6f 6e 5b 31 35 35 31 5d 3a 20 28 49 49 29 20 76 6d 77 61 72 65 28 30 29 3a 20 4e 6f 74 20 75 73 69 6e 67 20 64 65 66 61 75 6c 74 20 6d 6f 64 65 20 22 39 36 30 78 36 30 30 22 20 28 62 61 64 20 6d 6f 64 65 20 63 6c 6f 63 6b 2f 69 6e 74 65 72 6c 61 63 65 2f 64 6f 75 62 6c 65 73 Data Ascii: /lib/gdm3/gdm-x-session[1551]: (II) vmware(0): Not using default mode "1920x1200" (insufficient memory for mode)Aug 17 20:25:05 galassia /usr/lib/gdm3/gdm-x-session[1551]: (II) vmware(0): Not using default mode "960x600" (bad mode clock/interlace/doubles
2025-01-16 06:35:57 UTC	16384	OUT	Data Raw: 20 31 33 33 36 20 31 35 32 30 20 20 38 36 34 20 38 36 35 20 38 36 38 20 38 39 35 20 2d 68 73 79 6e 63 20 2b 76 73 79 6e 63 20 28 35 33 2e 37 20 6b 48 7a 20 64 29 0a 41 75 67 20 31 37 20 32 30 3a 32 35 3a 30 35 20 67 61 6c 61 73 73 69 61 20 2f 75 73 72 2f 6c 69 62 2f 67 64 6d 33 2f 67 64 6d 2d 78 2d 73 65 73 73 69 6f 6e 5b 31 35 35 31 5d 3a 20 28 2a 2a 29 20 76 6d 77 61 72 65 28 30 29 3a 20 20 44 65 66 61 75 6c 74 20 6d 6f 64 65 20 22 31 30 32 34 78 37 36 38 22 3a 20 39 34 2e 35 20 4d 48 7a 2c 20 36 38 2e 37 20 6b 48 7a 2c 20 38 35 2e 30 20 48 7a 0a 41 75 67 20 31 37 20 32 30 3a 32 35 3a 30 35 20 67 61 6c 61 73 73 69 61 20 2f 75 73 72 2f 6c 69 62 2f 67 64 6d 33 2f 67 64 6d 2d 78 2d 73 65 73 73 69 6f 6e 5b 31 35 35 31 5d 3a 20 28 49 49 29 20 76 6d 77 61 72 Data Ascii: 1336 1520 864 865 868 895 -hsync +vsync (53.7 kHz d)Aug 17 20:25:05 galassia /usr/lib/gdm3/gdm-x-session[1551]: (**) vmware(0): Default mode "1024x768": 94.5 MHz, 68.7 kHz, 85.0 HzAug 17 20:25:05 galassia /usr/lib/gdm3/gdm-x-session[1551]: (II) vmwar
2025-01-16 06:35:57 UTC	16384	OUT	Data Raw: 65 64 20 53 65 74 20 32 20 6b 65 79 62 6f 61 72 64 3a 20 61 6c 77 61 79 73 20 72 65 70 6f 72 74 73 20 63 6f 72 65 20 65 76 65 6e 74 73 0a 41 75 67 20 31 37 20 32 30 3a 32 35 3a 30 35 20 67 61 6c 61 73 73 69 61 20 2f 75 73 72 2f 6c 69 62 2f 67 64 6d 33 2f 67 64 6d 2d 78 2d 73 65 73 73 69 6f 6e 5b 31 35 35 31 5d 3a 20 28 2a 2a 29 20 4f 70 74 69 6f 6e 20 22 44 65 76 69 63 65 22 20 22 2f 64 65 76 2f 69 6e 70 75 74 2f 65 76 65 6e 74 31 22 0a 41 75 67 20 31 37 20 32 30 3a 32 35 3a 30 35 20 67 61 6c 61 73 73 69 61 20 2f 75 73 72 2f 6c 69 62 2f 67 64 6d 33 2f 67 64 6d 2d 78 2d 73 65 73 73 69 6f 6e 5b 31 35 35 31 5d 3a 20 28 2a 2a 29 20 4f 70 74 69 6f 6e 20 22 5f 73 6f 75 72 63 65 22 20 22 73 65 72 76 65 72 2f 75 64 65 76 22 0a 41 75 67 20 31 37 20 32 30 3a 32 35 Data Ascii: ed Set 2 keyboard: always reports core eventsAug 17 20:25:05 galassia /usr/lib/gdm3/gdm-x-session[1551]: () Option "Device" "/dev/input/event1"Aug 17 20:25:05 galassia /usr/lib/gdm3/gdm-x-session[1551]: () Option "_source" "server/udev"Aug 17 20:25
2025-01-16 06:35:58 UTC	279	IN	HTTP/1.1 400 Bad Request Date: Thu, 16 Jan 2025 06:35:57 GMT Server: gunicorn/19.7.1 X-Daisy-Revision-Number: 979 X-Oops-Repository-Version: 0.0.0 Strict-Transport-Security: max-age=2592000 Connection: close Transfer-Encoding: chunked 17 Crash already reported. 0

Start time (UTC):	06:35:47
Start date (UTC):	16/01/2025
Path:	/tmp/Aqua.arm7.elf
Arguments:	/tmp/Aqua.arm7.elf
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC):	06:35:48
Start date (UTC):	16/01/2025
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Start time (UTC):	06:35:49
Start date (UTC):	16/01/2025
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Start time (UTC):	06:35:50
Start date (UTC):	16/01/2025
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Start time (UTC):	06:35:51
Start date (UTC):	16/01/2025
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Start time (UTC):	06:35:57
Start date (UTC):	16/01/2025
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Start time (UTC):	06:35:52
Start date (UTC):	16/01/2025
Path:	/usr/sbin/gdm3
Arguments:	-
File size:	453296 bytes
MD5 hash:	2492e2d8d34f9377e3e530a61a15674f

Start time (UTC):	06:35:53
Start date (UTC):	16/01/2025
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Start time (UTC):	06:35:54
Start date (UTC):	16/01/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	06:35:55
Start date (UTC):	16/01/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	06:35:56
Start date (UTC):	16/01/2025
Path:	/usr/bin/gpu-manager
Arguments:	-
File size:	76616 bytes
MD5 hash:	8fae9dd5dd67e1f33d873089c2fd8761

Start time (UTC):	06:36:00
Start date (UTC):	16/01/2025
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Start time (UTC):	06:36:04
Start date (UTC):	16/01/2025
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Start time (UTC):	06:36:14
Start date (UTC):	16/01/2025
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report Aqua.arm7.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Initial Sample

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Spreading

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/home/saturnino/.config/pulse/ee49dfd4fa47433baee88884e2d7de7c-default-sink

/home/saturnino/.config/pulse/ee49dfd4fa47433baee88884e2d7de7c-default-source

/proc/6445/oom_score_adj

/run/gdm3.pid

/run/systemd/seats/.#seat0DEFbLc

/run/systemd/seats/.#seat0gJ7Kr9

/run/systemd/users/.#1271cb1V9

/run/systemd/users/.#1275uh928

/run/systemd/users/.#127JX0wZb

/run/systemd/users/.#127Xj6Hxc

/run/systemd/users/.#127d06mDa

/run/user/1000/pulse/pid

/run/utmp

/tmp/qemu-open.M2gNxz (deleted)

/var/lib/AccountsService/users/gdm.N8QK02

/var/lib/ubuntu-drivers-common/last_gfx_boot

/var/log/gpu-manager.log

/var/log/wtmp

Static File Info

General

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

Linux Analysis Report
Aqua.arm7.elf

Start time (UTC):	06:36:15
Start date (UTC):	16/01/2025
Path:	/usr/sbin/gdm3
Arguments:	-
File size:	453296 bytes
MD5 hash:	2492e2d8d34f9377e3e530a61a15674f

Start time (UTC):	06:36:17
Start date (UTC):	16/01/2025
Path:	/usr/lib/gdm3/gdm-session-worker
Arguments:	-
File size:	293360 bytes
MD5 hash:	692243754bd9f38fe9bd7e230b5c060a

Start time (UTC):	06:36:18
Start date (UTC):	16/01/2025
Path:	/usr/lib/gdm3/gdm-wayland-session
Arguments:	-
File size:	76368 bytes
MD5 hash:	d3def63cf1e83f7fb8a0f13b1744ff7c

Start time (UTC):	06:36:19
Start date (UTC):	16/01/2025
Path:	/usr/sbin/gdm3
Arguments:	-
File size:	453296 bytes
MD5 hash:	2492e2d8d34f9377e3e530a61a15674f

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
Tactics:	Defense Evasion
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Deletion, File: File Metadata, File: File Modification, Firewall: Firewall Rule Modification, Network Traffic: Network Traffic Content, Process: OS API Execution, Process: Process Creation, Scheduled Job: Scheduled Job Modification, User Account: User Account Authentication, User Account: User Account Deletion, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, Google Workspace, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre