
Linux Analysis Report
xd.powerpc-440fp.elf

Overview

General Information

Sample name: xd.powerpc-440fp.elf
Analysis ID: 1655022
MD5: c0eaa454ae080b7c1690454a672f92a4
SHA1: 0600b71dd75ff1f350d1c65ef9eb381eb14bb1e7
SHA256: fcdacc5f7797c1ed7400c664a1354e6639c4360d4d46c7fe6113d5517f5fb5eb
Tags: elf, user-abuse_ch

Detection

Mirai
Score: 88 (range 0 - 100)

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Yara detected Mirai
Sample deletes itself
Sample is packed with UPX
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to kill multiple processes (SIGKILL)
Deletes log files
Detected TCP or UDP traffic on non-standard ports
ELF contains segments with high entropy indicating compressed/encrypted content
Enumerates processes within the "proc" file system
Executes commands using a shell command-line interpreter
Executes the "grep" command used to find patterns in files or piped streams
Executes the "kill" or "pkill" command typically used to terminate processes
Reads CPU information from /sys indicative of miner or evasive malware
Sample contains only a LOAD segment without any section mappings
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Sample tries to set the executable flag
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match
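Three of the signatures above are purely static (packed with UPX, high-entropy segments, a program header table that is nothing but LOAD entries with no section headers) and can be confirmed offline before the sample is ever executed. The script below is an added example written for this page, not Joe Sandbox code: it parses the ELF header and program headers itself, computes per-segment Shannon entropy, and looks for the UPX marker strings. The ELF it builds is constructed to resemble the report's sample (32-bit big-endian, e_machine 20 = EM_PPC, one PT_LOAD at 0x100000) and is not the real file; on a real sample call triage() on the file's bytes instead.

```python
import hashlib
import math
import struct

PT_LOAD = 1
UPX_MARKERS = (b"UPX!", b"http://upx.sf.net")   # the report found the second string in the sample


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_elf(blob: bytes) -> dict:
    """Read the ELF header and program header table (ELF32/ELF64, either byte order)."""
    if blob[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is_64, end = blob[4] == 2, (">" if blob[5] == 2 else "<")
    if is_64:
        hdr = struct.unpack_from(end + "HHIQQQIHHHHHH", blob, 16)
        ph_fmt = end + "IIQQQQQQ"
        ph_keys = ("type", "flags", "offset", "vaddr", "paddr", "filesz", "memsz", "align")
    else:
        hdr = struct.unpack_from(end + "HHIIIIIHHHHHH", blob, 16)
        ph_fmt = end + "IIIIIIII"
        ph_keys = ("type", "offset", "vaddr", "paddr", "filesz", "memsz", "flags", "align")
    e_machine, e_phoff, e_phentsize, e_phnum, e_shnum = hdr[1], hdr[4], hdr[8], hdr[9], hdr[11]
    phdrs = [dict(zip(ph_keys, struct.unpack_from(ph_fmt, blob, e_phoff + i * e_phentsize)))
             for i in range(e_phnum)]
    return {"machine": e_machine, "big_endian": end == ">", "shnum": e_shnum, "phdrs": phdrs}


def triage(blob: bytes) -> dict:
    """Static checks mirroring the report's packer / entropy / LOAD-only signatures."""
    elf = parse_elf(blob)
    loads, others = [], []
    for ph in elf["phdrs"]:
        if ph["type"] != PT_LOAD:
            others.append(ph)
            continue
        seg = blob[ph["offset"]:ph["offset"] + ph["filesz"]]
        loads.append({"vaddr": ph["vaddr"], "filesz": ph["filesz"],
                      "entropy": round(shannon_entropy(seg), 2)})
    markers = [m.decode() for m in UPX_MARKERS if m in blob]
    return {
        "md5": hashlib.md5(blob).hexdigest(),
        "sha256": hashlib.sha256(blob).hexdigest(),
        "machine": elf["machine"],          # 20 == EM_PPC, matching the powerpc-440fp build
        "big_endian": elf["big_endian"],
        "section_headers": elf["shnum"],
        "load_segments": loads,
        "upx_markers": markers,
        "flags": {
            # no section header table and nothing but PT_LOAD entries: typical of stripped/packed bots
            "only_load_no_sections": elf["shnum"] == 0 and bool(loads) and not others,
            "high_entropy_segment": any(s["entropy"] > 7.0 for s in loads),
            "upx_packed": bool(markers),
        },
    }


def build_sample_elf() -> bytes:
    """Constructed stand-in for the report's sample (not the real file): ELF32 big-endian,
    EM_PPC, one PT_LOAD at 0x100000, a pseudo-random (compressed-looking) body, UPX markers."""
    body = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))
    body += b"UPX!" + b"\x00" * 12
    body += b"$Info: This file is packed with the UPX executable packer http://upx.sf.net $\n"
    phoff, phentsize = 52, 32
    total = phoff + phentsize + len(body)
    ident = b"\x7fELF" + bytes([1, 2, 1, 0]) + b"\x00" * 8          # ELF32, big-endian, ELF v1
    ehdr = ident + struct.pack(">HHIIIIIHHHHHH", 2, 20, 1, 0x100000 + phoff + phentsize,
                               phoff, 0, 0, 52, phentsize, 1, 0, 0, 0)
    phdr = struct.pack(">IIIIIIII", PT_LOAD, 0, 0x100000, 0x100000, total, total, 5, 0x10000)
    return ehdr + phdr + body


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample_elf()), indent=2))
```

Two caveats for real samples: a genuine UPX build usually carries two PT_LOAD entries (code and bss), so treat the LOAD-only check as "no non-LOAD headers" rather than "exactly one"; and Mirai-family builds frequently corrupt the UPX header fields so that `upx -d` refuses to unpack, in which case the marker strings are still present but the file has to be unpacked from a memory dump, as the .sdmp matches in this report were.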

Classification

Classification chart (image not reproduced): axes Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; verdict scale clean / suspicious / malicious.
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1655022
Start date and time: 2025-04-02 21:47:28 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 38s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: xd.powerpc-440fp.elf
Detection: MAL
Classification: mal88.spre.troj.evad.linELF@0/16@0/0 (malicious, score 88; spreading, trojan, evader; Linux ELF)
  • Connection to analysis system has been lost, crash info: Unknown. The SIGKILL sweep recorded under System Summary hit session processes, among them pulseaudio (PID 5553, parent 2935) and gdm3 (PID 5587); the process entries that follow are systemd and gdm3 respawning the desktop session after that, and should not be read as activity of the sample, whose own PIDs (5436 to 5451) appear only in the Yara and behaviour evidence below.
  • system is lnxubuntu20
  • systemd New Fork (PID: 5465, Parent: 1)
  • journalctl (PID: 5465, Parent: 1, MD5: bf3a987344f3bacafc44efd882abda8b) Arguments: /usr/bin/journalctl --smart-relinquish-var
  • systemd New Fork (PID: 5484, Parent: 1)
  • systemd New Fork (PID: 5485, Parent: 1)
  • systemd New Fork (PID: 5486, Parent: 1)
  • systemd New Fork (PID: 5487, Parent: 1)
  • systemd New Fork (PID: 5490, Parent: 1)
  • systemd New Fork (PID: 5516, Parent: 1)
  • systemd New Fork (PID: 5548, Parent: 1)
  • systemd New Fork (PID: 5549, Parent: 1)
  • systemd New Fork (PID: 5550, Parent: 1)
  • systemd New Fork (PID: 5551, Parent: 1)
  • systemd New Fork (PID: 5552, Parent: 1)
  • systemd New Fork (PID: 5553, Parent: 2935)
  • pulseaudio (PID: 5553, Parent: 2935, MD5: 0c3b4c789d8ffb12b25507f27e14c186) Arguments: /usr/bin/pulseaudio --daemonize=no --log-target=journal
  • gdm3 New Fork (PID: 5554, Parent: 1400)
  • Default (PID: 5554, Parent: 1400, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default
  • gdm3 New Fork (PID: 5555, Parent: 1400)
  • Default (PID: 5555, Parent: 1400, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default
  • gdm3 New Fork (PID: 5556, Parent: 1400)
  • Default (PID: 5556, Parent: 1400, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default
  • systemd New Fork (PID: 5557, Parent: 1)
  • systemd New Fork (PID: 5559, Parent: 1)
  • systemd New Fork (PID: 5561, Parent: 1)
  • systemd New Fork (PID: 5562, Parent: 1)
  • systemd New Fork (PID: 5563, Parent: 1)
  • gpu-manager (PID: 5563, Parent: 1, MD5: 8fae9dd5dd67e1f33d873089c2fd8761) Arguments: /usr/bin/gpu-manager --log /var/log/gpu-manager.log
    • sh (PID: 5564, Parent: 5563, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
      • sh New Fork (PID: 5565, Parent: 5564)
      • grep (PID: 5565, Parent: 5564, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
    • sh (PID: 5566, Parent: 5563, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
      • sh New Fork (PID: 5567, Parent: 5566)
      • grep (PID: 5567, Parent: 5566, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
    • sh (PID: 5568, Parent: 5563, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"
      • sh New Fork (PID: 5569, Parent: 5568)
      • grep (PID: 5569, Parent: 5568, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
    • sh (PID: 5570, Parent: 5563, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf"
      • sh New Fork (PID: 5571, Parent: 5570)
      • grep (PID: 5571, Parent: 5570, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
    • sh (PID: 5572, Parent: 5563, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf"
      • sh New Fork (PID: 5573, Parent: 5572)
      • grep (PID: 5573, Parent: 5572, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*amdgpu[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
    • sh (PID: 5574, Parent: 5563, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /lib/modprobe.d/*.conf"
      • sh New Fork (PID: 5575, Parent: 5574)
      • grep (PID: 5575, Parent: 5574, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*amdgpu[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
    • sh (PID: 5576, Parent: 5563, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /etc/modprobe.d/*.conf"
      • sh New Fork (PID: 5577, Parent: 5576)
      • grep (PID: 5577, Parent: 5576, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*nouveau[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
    • sh (PID: 5578, Parent: 5563, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /lib/modprobe.d/*.conf"
      • sh New Fork (PID: 5579, Parent: 5578)
      • grep (PID: 5579, Parent: 5578, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -G ^blacklist.*nouveau[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
  • generate-config (PID: 5580, Parent: 1, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /usr/share/gdm/generate-config
    • pkill (PID: 5581, Parent: 5580, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill --signal HUP --uid gdm dconf-service
  • fusermount (PID: 5582, Parent: 3122, MD5: 576a1b135c82bdcbc97a91acea900566) Arguments: fusermount -u -q -z -- /run/user/1000/gvfs
  • gdm-wait-for-drm (PID: 5583, Parent: 1, MD5: 82043ba752c6930b4e6aaea2f7747545) Arguments: /usr/lib/gdm3/gdm-wait-for-drm
  • gdm3 (PID: 5587, Parent: 1, MD5: 2492e2d8d34f9377e3e530a61a15674f) Arguments: /usr/sbin/gdm3
  • gpu-manager (PID: 5608, Parent: 1, MD5: 8fae9dd5dd67e1f33d873089c2fd8761) Arguments: /usr/bin/gpu-manager --log /var/log/gpu-manager.log
  • gpu-manager (PID: 5618, Parent: 1, MD5: 8fae9dd5dd67e1f33d873089c2fd8761) Arguments: /usr/bin/gpu-manager --log /var/log/gpu-manager.log
  • gpu-manager (PID: 5628, Parent: 1, MD5: 8fae9dd5dd67e1f33d873089c2fd8761) Arguments: /usr/bin/gpu-manager --log /var/log/gpu-manager.log
  • gpu-manager (PID: 5638, Parent: 1, MD5: 8fae9dd5dd67e1f33d873089c2fd8761) Arguments: /usr/bin/gpu-manager --log /var/log/gpu-manager.log
  • gpu-manager (PID: 5648, Parent: 1, MD5: 8fae9dd5dd67e1f33d873089c2fd8761) Arguments: /usr/bin/gpu-manager --log /var/log/gpu-manager.log
  • plymouth (PID: 5658, Parent: 1, MD5: 87003efd8dad470042f5e75360a8f49f) Arguments: /bin/plymouth quit
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
Mirai | Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai
Source | Rule | Description | Author | Strings
Strings are listed as offset:$identifier: bytes. The 29-byte $a of Linux_Trojan_Gafgyt_28a2fe0c is ASCII "/x38/xFJ/x93/xID/x9A/x38/xFJ/"; the 26-byte $a of Linux_Trojan_Gafgyt_ea92cca8 is ASCII "Self Rep Fucking NeTiS and". The 28a2fe0c hits recur every 0x14 bytes because the 20-byte unit "/x38/xFJ/x93/xID/x9A" repeats in memory and the 29-byte pattern overlaps each successive copy, so one long string produces 21 overlapping matches.
5439.1.00007f053000a000.00007f0530010000.r-x.sdmp | Linux_Trojan_Gafgyt_28a2fe0c | unknown | unknown
  • 0x562c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5640:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5654:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5668:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x567c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5690:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x56a4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x56b8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x56cc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x56e0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x56f4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5708:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x571c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5730:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5744:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5758:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x576c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5780:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5794:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x57a8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x57bc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5439.1.00007f053000a000.00007f0530010000.r-x.sdmp | Linux_Trojan_Gafgyt_ea92cca8 | unknown | unknown
  • 0x55c8:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64
5451.1.00007f053000a000.00007f0530010000.r-x.sdmp | Linux_Trojan_Gafgyt_28a2fe0c | unknown | unknown
  • 0x562c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5640:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5654:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5668:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x567c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5690:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x56a4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x56b8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x56cc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x56e0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x56f4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5708:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x571c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5730:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5744:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5758:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x576c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5780:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5794:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x57a8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x57bc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5451.1.00007f053000a000.00007f0530010000.r-x.sdmp | Linux_Trojan_Gafgyt_ea92cca8 | unknown | unknown
  • 0x55c8:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64
5444.1.00007f053000a000.00007f0530010000.r-x.sdmp | Linux_Trojan_Gafgyt_28a2fe0c | unknown | unknown
  • 0x562c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5640:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5654:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5668:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x567c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5690:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x56a4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x56b8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x56cc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x56e0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x56f4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5708:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x571c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5730:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5744:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5758:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x576c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5780:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5794:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x57a8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x57bc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
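The hit lists above are easier to read once the bytes are decoded and the stride is explained. The scanner below is an added example for this page, not Yara and not Elastic's rules: it takes only the two string patterns the table lists (the rules' condition sections are not on the page, so it reproduces the string hits, not a full rule verdict), runs them over a constructed buffer laid out to reproduce the table's offsets, and prints them in the same offset:$id: bytes form. For real use, replace build_dump() with the bytes of a .sdmp memory dump.

```python
# String patterns copied from the report's Yara match table (hex exactly as listed there).
PATTERNS = {
    "Linux_Trojan_Gafgyt_28a2fe0c": {"$a": bytes.fromhex(
        "2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F")},
    "Linux_Trojan_Gafgyt_ea92cca8": {"$a": bytes.fromhex(
        "53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64")},
}


def ascii_view(pat: bytes) -> str:
    """Printable rendering of a pattern, '.' for non-printable bytes."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in pat)


def find_all(buf: bytes, pat: bytes) -> list:
    """Every occurrence, overlapping ones included (Yara reports overlaps the same way)."""
    hits, i = [], buf.find(pat)
    while i != -1:
        hits.append(i)
        i = buf.find(pat, i + 1)
    return hits


def scan(buf: bytes, rules: dict) -> dict:
    """rule -> identifier -> list of hit offsets."""
    return {rule: {ident: find_all(buf, pat) for ident, pat in strings.items()}
            for rule, strings in rules.items()}


def format_hit(offset: int, ident: str, pat: bytes) -> str:
    """Same layout as the report table: 0x562c:$a: 2F 78 33 38 ..."""
    return f"0x{offset:x}:{ident}: " + " ".join(f"{b:02X}" for b in pat)


def hit_stride(offsets: list):
    """Constant distance between consecutive hits, or None if they are irregular."""
    gaps = {b - a for a, b in zip(offsets, offsets[1:])}
    return gaps.pop() if len(gaps) == 1 else None


def build_dump() -> bytes:
    """Constructed buffer (not the sandbox's .sdmp) that reproduces the table's offsets:
    the 26-byte ea92cca8 string at 0x55c8, and 22 copies of the 20-byte repeat unit
    '/x38/xFJ/x93/xID/x9A' from 0x562c, so the 29-byte pattern overlaps 21 consecutive copies."""
    unit = PATTERNS["Linux_Trojan_Gafgyt_28a2fe0c"]["$a"][:20]
    buf = bytearray(0x6000)
    s = PATTERNS["Linux_Trojan_Gafgyt_ea92cca8"]["$a"]
    buf[0x55c8:0x55c8 + len(s)] = s
    buf[0x562c:0x562c + 20 * 22] = unit * 22
    return bytes(buf)


if __name__ == "__main__":
    dump = build_dump()
    for rule, strings in scan(dump, PATTERNS).items():
        for ident, offsets in strings.items():
            pat = PATTERNS[rule][ident]
            print(f"{rule} {ident} = {ascii_view(pat)!r}: {len(offsets)} hit(s), stride {hit_stride(offsets)}")
            for off in offsets[:3]:
                print("   ", format_hit(off, ident, pat))
```

When triaging a dump by hand, a constant stride between overlapping hits is the tell that one long repeated string, not many separate occurrences, is behind a wall of matches; the hit count alone overstates how much of the rule's content is actually present.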
(17 Yara match entries in total; only the first six are reproduced above.)
No Suricata rule has matched



AV Detection

Source: xd.powerpc-440fp.elf | Avira: detected
Source: /usr/bin/pulseaudio (PID: 5553) | Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5581) | Reads CPU info from /sys: /sys/devices/system/cpu/online
Both sources are stock Ubuntu binaries respawned by systemd during the run (see the process tree), not the sample, so the "Reads CPU information from /sys" signature is not evidence of mining or evasion by this sample.
Source: global traffic | TCP traffic: 192.168.2.13:52646 -> 213.209.129.92:7887 (the only connection from the analysis host that the report shows; a hard-coded address reached without DNS on a non-standard port is consistent with a Mirai C2 check-in, but the report does not confirm the role of this host)
Source: /tmp/xd.powerpc-440fp.elf (PID: 5438) | Socket: 0.0.0.0:23
Source: /tmp/xd.powerpc-440fp.elf (PID: 5438) | Socket: 0.0.0.0:0
Source: /tmp/xd.powerpc-440fp.elf (PID: 5438) | Socket: 0.0.0.0:80
Source: /tmp/xd.powerpc-440fp.elf (PID: 5438) | Socket: 0.0.0.0:81
Source: /tmp/xd.powerpc-440fp.elf (PID: 5438) | Socket: 0.0.0.0:8443
Source: /tmp/xd.powerpc-440fp.elf (PID: 5438) | Socket: 0.0.0.0:9009
Source: unknown | TCP traffic detected without corresponding DNS query: 213.209.129.92
Source: unknown | TCP traffic detected without corresponding DNS query: 173.74.117.22
Source: unknown | TCP traffic detected without corresponding DNS query: 115.3.126.22
Source: unknown | TCP traffic detected without corresponding DNS query: 211.207.222.183
Source: unknown | TCP traffic detected without corresponding DNS query: 179.198.232.20
Source: unknown | TCP traffic detected without corresponding DNS query: 200.125.55.72
Source: unknown | TCP traffic detected without corresponding DNS query: 219.38.72.177
Source: unknown | TCP traffic detected without corresponding DNS query: 197.99.82.255
Source: unknown | TCP traffic detected without corresponding DNS query: 189.60.15.209
Source: unknown | TCP traffic detected without corresponding DNS query: 126.207.170.103
Source: unknown | TCP traffic detected without corresponding DNS query: 119.20.121.118
Source: unknown | TCP traffic detected without corresponding DNS query: 75.233.53.124
Source: unknown | TCP traffic detected without corresponding DNS query: 65.227.90.229
Source: unknown | TCP traffic detected without corresponding DNS query: 73.233.19.172
Source: unknown | TCP traffic detected without corresponding DNS query: 218.204.71.7
Source: unknown | TCP traffic detected without corresponding DNS query: 97.9.85.127
Source: unknown | TCP traffic detected without corresponding DNS query: 63.194.248.97
Source: unknown | TCP traffic detected without corresponding DNS query: 85.160.150.1
Source: unknown | TCP traffic detected without corresponding DNS query: 135.211.19.57
Source: unknown | TCP traffic detected without corresponding DNS query: 78.1.59.55
Source: unknown | TCP traffic detected without corresponding DNS query: 188.251.149.99
Source: unknown | TCP traffic detected without corresponding DNS query: 70.58.184.36
Source: unknown | TCP traffic detected without corresponding DNS query: 60.152.153.178
Source: unknown | TCP traffic detected without corresponding DNS query: 154.62.123.205
Source: unknown | TCP traffic detected without corresponding DNS query: 147.153.242.104
Source: unknown | TCP traffic detected without corresponding DNS query: 96.216.201.246
Source: unknown | TCP traffic detected without corresponding DNS query: 211.234.43.180
Source: unknown | TCP traffic detected without corresponding DNS query: 1.250.39.35
Source: unknown | TCP traffic detected without corresponding DNS query: 83.11.154.236
Source: unknown | TCP traffic detected without corresponding DNS query: 12.225.203.47
Source: unknown | TCP traffic detected without corresponding DNS query: 161.192.86.107
Source: unknown | TCP traffic detected without corresponding DNS query: 162.196.177.236
Source: unknown | TCP traffic detected without corresponding DNS query: 86.150.128.241
Source: unknown | TCP traffic detected without corresponding DNS query: 165.197.249.181
Source: unknown | TCP traffic detected without corresponding DNS query: 167.94.219.212
Source: unknown | TCP traffic detected without corresponding DNS query: 45.120.3.0
Source: unknown | TCP traffic detected without corresponding DNS query: 72.28.216.77
Source: unknown | TCP traffic detected without corresponding DNS query: 57.53.25.25
Source: unknown | TCP traffic detected without corresponding DNS query: 111.181.255.58
Source: unknown | TCP traffic detected without corresponding DNS query: 173.202.84.5
Source: unknown | TCP traffic detected without corresponding DNS query: 94.241.141.224
Source: unknown | TCP traffic detected without corresponding DNS query: 19.243.154.105
Source: unknown | TCP traffic detected without corresponding DNS query: 24.152.38.191
Source: unknown | TCP traffic detected without corresponding DNS query: 150.102.140.220
Source: unknown | TCP traffic detected without corresponding DNS query: 249.221.214.226
Source: unknown | TCP traffic detected without corresponding DNS query: 206.151.101.48
Source: unknown | TCP traffic detected without corresponding DNS query: 223.95.144.140
Source: unknown | TCP traffic detected without corresponding DNS query: 1.224.75.116
Source: unknown | TCP traffic detected without corresponding DNS query: 102.168.205.136
Source: unknown | TCP traffic detected without corresponding DNS query: 209.45.226.25
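Fifty TCP connections to addresses that were never resolved, plus one completed session on port 7887, is exactly the pattern a network detection should flag. The script below is an added example for this page (not Joe Sandbox or Suricata logic): it joins a DNS answer log with a connection log, then reports (a) sources that reach many unresolved public hosts on one port, which is the fan-out of a scanner, and (b) completed sessions to unresolved hosts on ports outside the usual web set, which is how a hard-coded C2 check-in looks. The logs are constructed: the 213.209.129.92:7887 tuple is the one connection the report shows, the port-23 targets are RFC 5737 TEST-NET addresses standing in for the report's list, and the conn_state codes follow Zeek's (S0 = attempt with no reply, SF = normal completion).

```python
import ipaddress
from collections import defaultdict

# Constructed DNS answer log: ts client qname answer
DNS_LOG = "1.0 192.168.2.13 ubuntu.com 192.0.2.10\n"

# Networks treated as local. Python's ip_address(...).is_private is also True for the
# TEST-NET ranges used below, so the check is done against explicit RFC 1918 / loopback nets.
LOCAL_NETS = [ipaddress.ip_network(n)
              for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
WEB_PORTS = {80, 443}


def build_conn_log() -> str:
    """Constructed connection log: ts src sport dst dport proto conn_state."""
    lines = [
        "1.5 192.168.2.13 40001 192.0.2.10 443 tcp SF",        # resolved first: benign
        "2.0 192.168.2.13 52646 213.209.129.92 7887 tcp SF",   # the report's connection, no DNS
    ]
    for i in range(40):                                         # scanner-style SYNs, no DNS
        lines.append(f"{3 + i * 0.01:.2f} 192.168.2.13 {41000 + i} 203.0.113.{i + 1} 23 tcp S0")
    return "\n".join(lines)


def is_local(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def parse_dns(text: str) -> set:
    """Set of every answered address; a production version would also keep the TTL window."""
    return {line.split()[3] for line in text.splitlines() if line.strip()}


def parse_conn(text: str) -> list:
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport, proto, state = line.split()
        out.append({"ts": float(ts), "src": src, "sport": int(sport), "dst": dst,
                    "dport": int(dport), "proto": proto, "state": state})
    return out


def analyse(conn_text: str, dns_text: str, fanout_threshold: int = 16) -> dict:
    resolved = parse_dns(dns_text)
    # connections to public addresses that no DNS answer ever pointed at
    no_dns = [c for c in parse_conn(conn_text)
              if c["dst"] not in resolved and not is_local(c["dst"])]
    fanout = defaultdict(set)
    for c in no_dns:
        fanout[(c["src"], c["dport"])].add(c["dst"])
    scanners = {key: len(dsts) for key, dsts in fanout.items() if len(dsts) >= fanout_threshold}
    # completed sessions (not bare SYNs) to an unresolved host on a non-web port
    c2 = [c for c in no_dns if c["state"] == "SF" and c["dport"] not in WEB_PORTS]
    return {"unresolved_dsts": len({c["dst"] for c in no_dns}),
            "scanners": scanners, "c2_candidates": c2}


if __name__ == "__main__":
    r = analyse(build_conn_log(), DNS_LOG)
    print(r["unresolved_dsts"], "unresolved destinations")
    for (src, port), n in r["scanners"].items():
        print(f"fan-out: {src} -> {n} unresolved hosts on port {port}")
    for c in r["c2_candidates"]:
        print(f"C2 candidate: {c['src']}:{c['sport']} -> {c['dst']}:{c['dport']} ({c['state']})")
```

Tuning notes: answers cached before the capture started will make legitimate traffic look unresolved, so the DNS side needs a lookback window longer than the TTLs in play; hard-coded addresses in legitimate software (update mirrors, NTP pools) need an allow-list; and the listening sockets the report shows on 0.0.0.0:23, :80, :81, :8443 and :9009 are host-side evidence that this network join cannot see.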
Source: xd.powerpc-440fp.elf | String found in binary or memory: http://upx.sf.net

System Summary

Source: 5439.1.00007f053000a000.00007f0530010000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c | Author: unknown
Source: 5439.1.00007f053000a000.00007f0530010000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_ea92cca8 | Author: unknown
Source: 5451.1.00007f053000a000.00007f0530010000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c | Author: unknown
Source: 5451.1.00007f053000a000.00007f0530010000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_ea92cca8 | Author: unknown
Source: 5444.1.00007f053000a000.00007f0530010000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c | Author: unknown
Source: 5444.1.00007f053000a000.00007f0530010000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_ea92cca8 | Author: unknown
Source: 5436.1.00007f053000a000.00007f0530010000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c | Author: unknown
Source: 5436.1.00007f053000a000.00007f0530010000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_ea92cca8 | Author: unknown
Source: 5441.1.00007f053000a000.00007f0530010000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c | Author: unknown
Source: 5441.1.00007f053000a000.00007f0530010000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_ea92cca8 | Author: unknown
Source: 5450.1.00007f053000a000.00007f0530010000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c | Author: unknown
Source: 5450.1.00007f053000a000.00007f0530010000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_ea92cca8 | Author: unknown
Source: Process Memory Space: xd.powerpc-440fp.elf PID: 5436, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c | Author: unknown
Source: Process Memory Space: xd.powerpc-440fp.elf PID: 5436, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_ea92cca8 | Author: unknown
Source: Process Memory Space: xd.powerpc-440fp.elf PID: 5439, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c | Author: unknown
Source: Process Memory Space: xd.powerpc-440fp.elf PID: 5439, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_ea92cca8 | Author: unknown
Source: Process Memory Space: xd.powerpc-440fp.elf PID: 5451, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c | Author: unknown
Source: Process Memory Space: xd.powerpc-440fp.elf PID: 5451, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_ea92cca8 | Author: unknown
Source: /tmp/xd.powerpc-440fp.elf (PID: 5438) | SIGKILL sent: pid: 936, result: successful
Source: /tmp/xd.powerpc-440fp.elf (PID: 5438) | SIGKILL sent: pid: 490, result: successful
Source: /tmp/xd.powerpc-440fp.elf (PID: 5438) | SIGKILL sent: pid: 660, result: successful
Source: /tmp/xd.powerpc-440fp.elf (PID: 5438) | SIGKILL sent: pid: 726, result: successful
Source: /tmp/xd.powerpc-440fp.elf (PID: 5438) | SIGKILL sent: pid: 727, result: successful
Source: /tmp/xd.powerpc-440fp.elf (PID: 5438) | SIGKILL sent: pid: 765, result: successful
Source: /tmp/xd.powerpc-440fp.elf (PID: 5438) | SIGKILL sent: pid: 767, result: successful
Source: /tmp/xd.powerpc-440fp.elf (PID: 5438) | SIGKILL sent: pid: 778, result: successful
Source: /tmp/xd.powerpc-440fp.elf (PID: 5438) | SIGKILL sent: pid: 780, result: successful
Source: /tmp/xd.powerpc-440fp.elf (PID: 5438) | SIGKILL sent: pid: 783, result: successful
Source: /tmp/xd.powerpc-440fp.elf (PID: 5438) | SIGKILL sent: pid: 790, result: successful
Source: /tmp/xd.powerpc-440fp.elf (PID: 5438) | SIGKILL sent: pid: 792, result: successful
Source: /tmp/xd.powerpc-440fp.elf (PID: 5438) | SIGKILL sent: pid: 793, result: successful
Source: /tmp/xd.powerpc-440fp.elf (PID: 5438) | SIGKILL sent: pid: 795, result: successful
Source: /tmp/xd.powerpc-440fp.elf (PID: 5438) | SIGKILL sent: pid: 800, result: successful
Source: /tmp/xd.powerpc-440fp.elf (PID: 5438) | SIGKILL sent: pid: 1410, result: successful
Source: /tmp/xd.powerpc-440fp.elf (PID: 5438) | SIGKILL sent: pid: 1411, result: successful
Source: /tmp/xd.powerpc-440fp.elf (PID: 5438) | SIGKILL sent: pid: 1432, result: successful
Source: /tmp/xd.powerpc-440fp.elf (PID: 5438) | SIGKILL sent: pid: 2935, result: successful
Source: /tmp/xd.powerpc-440fp.elf (PID: 5438) | SIGKILL sent: pid: 2936, result: successful
Source: /tmp/xd.powerpc-440fp.elf (PID: 5438) | SIGKILL sent: pid: 2970, result: successful
Source: /tmp/xd.powerpc-440fp.elf (PID: 5438) | SIGKILL sent: pid: 3132, result: successful
Source: /tmp/xd.powerpc-440fp.elf (PID: 5438) | SIGKILL sent: pid: 5276, result: successful
Source: /tmp/xd.powerpc-440fp.elf (PID: 5438) | SIGKILL sent: pid: 5419, result: successful
Source: /tmp/xd.powerpc-440fp.elf (PID: 5438) | SIGKILL sent: pid: 5420, result: successful
Source: /tmp/xd.powerpc-440fp.elf (PID: 5438) | SIGKILL sent: pid: 5553, result: successful
Source: /tmp/xd.powerpc-440fp.elf (PID: 5438) | SIGKILL sent: pid: 5587, result: successful
Source: /tmp/xd.powerpc-440fp.elf (PID: 5441) | SIGKILL sent: pid: -5441, result: unknown (a negative pid passed to kill(2) targets every process in process group 5441, the sample's own group; the sender is itself a member of that group, which is consistent with no result being recorded)
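The 27 successful SIGKILLs above, all from one PID within a single run, are the killer routine of this family: it frees ports and removes competing bots by killing whatever else is running. On a real host the equivalent evidence comes from the kernel audit log. The parser below is an added example for this page (not Joe Sandbox code): it reads raw auditd SYSCALL records for kill(2) on x86_64 (arch=c000003e, syscall=62; other architectures need their own numbers added to the table), keeps the SIGKILL ones (a1=9), decodes a0 as a signed pid so that process-group kills are reported separately, and flags any sender that kills many distinct PIDs inside a short window. The records are constructed: the target PIDs are the ones listed above; the timestamps, audit serials, the success of the group kill and the key name kill_mon are assumed.

```python
import re
from collections import defaultdict

KILL_SYSCALL_BY_ARCH = {"c000003e": "62"}   # x86_64 only; extend for other audit arch codes
SIGKILL = 9
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_TS = re.compile(r"audit\((\d+\.\d+):(\d+)\)")

# PIDs from the report's SIGKILL list, sent by PID 5438 of the sample.
TARGETS = [936, 490, 660, 726, 727, 765, 767, 778, 780, 783, 790, 792, 793, 795, 800,
           1410, 1411, 1432, 2935, 2936, 2970, 3132, 5276, 5419, 5420, 5553, 5587]


def decode_a0(a0_hex: str) -> int:
    """a0 is logged as an unsigned 64-bit value; kill(2) takes a signed pid, and a
    negative pid means 'every process in process group |pid|'."""
    v = int(a0_hex, 16)
    return v - (1 << 64) if v >= (1 << 63) else v


def parse_record(line: str) -> dict:
    """key=value fields of one raw audit line, plus the timestamp from msg=audit(ts:serial)."""
    rec = {k: v.strip('"') for k, v in _KV.findall(line)}
    m = _TS.search(line)
    rec["ts"] = float(m.group(1)) if m else None
    return rec


def build_audit_log() -> str:
    """Constructed raw auditd lines (timestamps, serials, key and the group kill's outcome are assumed)."""
    base = 1743623300.100
    tmpl = ('type=SYSCALL msg=audit({ts:.3f}:{serial}): arch=c000003e syscall=62 success=yes exit=0 '
            'a0={a0:x} a1={a1:x} a2=0 a3=0 items=0 ppid={ppid} pid={pid} auid=4294967295 uid=0 gid=0 '
            'euid=0 comm="{comm}" exe="{exe}" key="kill_mon"')
    sample = dict(comm="xd.powerpc-440f", exe="/tmp/xd.powerpc-440fp.elf")
    lines = [tmpl.format(ts=base + i * 0.002, serial=4000 + i, a0=pid, a1=SIGKILL,
                         ppid=5436, pid=5438, **sample) for i, pid in enumerate(TARGETS)]
    # kill(-5441, SIGKILL): PID 5441 taking down its own process group; a0 is the two's complement
    lines.append(tmpl.format(ts=base + 0.9, serial=4100, a0=(-5441) & ((1 << 64) - 1), a1=SIGKILL,
                             ppid=5438, pid=5441, **sample))
    # benign: the process tree's "pkill --signal HUP ... dconf-service" (signal 1, not SIGKILL)
    lines.append(tmpl.format(ts=base + 1.5, serial=4101, a0=3001, a1=1, ppid=5580, pid=5581,
                             comm="pkill", exe="/usr/bin/pkill"))
    return "\n".join(lines)


def detect_kill_sweeps(text: str, threshold: int = 10, window: float = 5.0) -> dict:
    """Senders with >= threshold distinct successful SIGKILL targets inside `window` seconds,
    plus every process-group kill regardless of outcome."""
    per_sender = defaultdict(lambda: {"targets": set(), "ts": [], "exe": None})
    group_kills = []
    for line in text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL":
            continue
        if KILL_SYSCALL_BY_ARCH.get(rec.get("arch")) != rec.get("syscall"):
            continue
        if int(rec["a1"], 16) != SIGKILL:
            continue
        sender, target = int(rec["pid"]), decode_a0(rec["a0"])
        if target < 0:
            group_kills.append((sender, -target))
            continue
        if rec.get("success") != "yes":
            continue
        s = per_sender[sender]
        s["targets"].add(target)
        s["ts"].append(rec["ts"])
        s["exe"] = rec.get("exe")
    sweeps = {}
    for sender, s in per_sender.items():
        span = max(s["ts"]) - min(s["ts"])
        if len(s["targets"]) >= threshold and span <= window:
            sweeps[sender] = {"distinct_targets": len(s["targets"]), "span_s": round(span, 3), "exe": s["exe"]}
    return {"sweeps": sweeps, "group_kills": group_kills}


if __name__ == "__main__":
    print(detect_kill_sweeps(build_audit_log()))
```

The matching audit rule is one line, `-a always,exit -F arch=b64 -S kill -k kill_mon`, and the cost is low because kill(2) is rare on a quiet host. Raise the threshold above what service managers and `pkill` invocations produce on your own fleet; the sandbox's 27 kills in under a second is far outside that baseline.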
Source: LOAD without section mappings | Program segment: 0x100000
Source: 5439.1.00007f053000a000.00007f0530010000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5439.1.00007f053000a000.00007f0530010000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 5451.1.00007f053000a000.00007f0530010000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5451.1.00007f053000a000.00007f0530010000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 5444.1.00007f053000a000.00007f0530010000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5444.1.00007f053000a000.00007f0530010000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 5436.1.00007f053000a000.00007f0530010000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5436.1.00007f053000a000.00007f0530010000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 5441.1.00007f053000a000.00007f0530010000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5441.1.00007f053000a000.00007f0530010000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 5450.1.00007f053000a000.00007f0530010000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5450.1.00007f053000a000.00007f0530010000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: xd.powerpc-440fp.elf PID: 5436, type: MEMORYSTR; Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: xd.powerpc-440fp.elf PID: 5436, type: MEMORYSTR; Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: xd.powerpc-440fp.elf PID: 5439, type: MEMORYSTR; Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: xd.powerpc-440fp.elf PID: 5439, type: MEMORYSTR; Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: xd.powerpc-440fp.elf PID: 5451, type: MEMORYSTR; Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: xd.powerpc-440fp.elf PID: 5451, type: MEMORYSTR; Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: classification engine; Classification label: mal88.spre.troj.evad.linELF@0/16@0/0

Data Obfuscation

Source: initial sample; String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample; String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $

Persistence and Installation Behavior

Source: /bin/fusermount (PID: 5582); File: /proc/5582/mounts
Source: /usr/bin/pkill (PID: 5581); Files opened: /proc/<pid>/status and /proc/<pid>/cmdline for each of the following pids, in this order: 230, 5381, 110, 231, 111, 232, 112, 233, 113, 234, 114, 235, 115, 236, 116, 237, 117, 238, 118, 239, 119, 10, 11, 12, 13, 14, 15, 5276, 16, 17, 18, 19, 240, 3095, 120, 241, 121, 242, 1, 122, 243, 2, 123, 244, 3, 124, 245, 125, 4, 246, 126, 5, 247
Source: /usr/bin/gpu-manager (PID: 5564); Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5566); Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5568); Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5570); Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5572); Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5574); Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5576); Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5578); Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /bin/sh (PID: 5565); Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5567); Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 5569); Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5571); Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 5573); Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5575); Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 5577); Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5579); Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /usr/share/gdm/generate-config (PID: 5581); Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /usr/sbin/gdm3 (PID: 5587); File: /var/run/gdm3 (bits: - usr: -x grp: x all: rwx)
Source: /usr/sbin/gdm3 (PID: 5587); File: /var/log/gdm3 (bits: - usr: -x grp: x all: rwx)
Source: /usr/bin/gpu-manager (PID: 5563); Log file created: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 5608); Log file created: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 5618); Log file created: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 5628); Log file created: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 5638); Log file created: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 5648); Log file created: /var/log/gpu-manager.log

Hooking and other Techniques for Hiding and Protection

Source: /tmp/xd.powerpc-440fp.elf (PID: 5438); File: /usr/lib/systemd/systemd
Source: /tmp/xd.powerpc-440fp.elf (PID: 5438); File: /usr/lib/systemd/systemd (deleted)
Source: /tmp/xd.powerpc-440fp.elf (PID: 5438); File: /usr/bin/pulseaudio
Source: /tmp/xd.powerpc-440fp.elf (PID: 5438); File: /usr/sbin/gdm3
Source: xd.powerpc-440fp.elf; Submission file: segment LOAD with 7.9363 entropy (max. 8.0)
Source: /usr/bin/gpu-manager (PID: 5563); Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 5608); Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 5618); Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 5628); Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 5638); Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 5648); Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/pulseaudio (PID: 5553); Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5581); Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /tmp/xd.powerpc-440fp.elf (PID: 5436); Queries kernel information via 'uname'
Source: /usr/bin/pulseaudio (PID: 5553); Queries kernel information via 'uname'
Source: /usr/bin/gpu-manager (PID: 5563); Queries kernel information via 'uname'
Source: /usr/bin/gpu-manager (PID: 5608); Queries kernel information via 'uname'
Source: /usr/bin/gpu-manager (PID: 5618); Queries kernel information via 'uname'
Source: /usr/bin/gpu-manager (PID: 5628); Queries kernel information via 'uname'
Source: /usr/bin/gpu-manager (PID: 5638); Queries kernel information via 'uname'
Source: /usr/bin/gpu-manager (PID: 5648); Queries kernel information via 'uname'
Source: xd.powerpc-440fp.elf, 5436.1.0000555b8694f000.0000555b869ff000.rw-.sdmp, xd.powerpc-440fp.elf, 5441.1.0000555b8694f000.0000555b869ff000.rw-.sdmp, xd.powerpc-440fp.elf, 5451.1.0000555b8694f000.0000555b869ff000.rw-.sdmp; Binary or memory string: !/etc/qemu-binfmt/ppc11!hotpluggableq
Source: xd.powerpc-440fp.elf, 5439.1.0000555b8694f000.0000555b869ff000.rw-.sdmp, xd.powerpc-440fp.elf, 5444.1.0000555b8694f000.0000555b869ff000.rw-.sdmp, xd.powerpc-440fp.elf, 5450.1.0000555b8694f000.0000555b869ff000.rw-.sdmp; Binary or memory string: !/etc/qemu-binfmt/ppc1
Source: xd.powerpc-440fp.elf, 5436.1.00007fff63723000.00007fff63744000.rw-.sdmp, xd.powerpc-440fp.elf, 5439.1.00007fff63723000.00007fff63744000.rw-.sdmp, xd.powerpc-440fp.elf, 5441.1.00007fff63723000.00007fff63744000.rw-.sdmp, xd.powerpc-440fp.elf, 5444.1.00007fff63723000.00007fff63744000.rw-.sdmp, xd.powerpc-440fp.elf, 5450.1.00007fff63723000.00007fff63744000.rw-.sdmp, xd.powerpc-440fp.elf, 5451.1.00007fff63723000.00007fff63744000.rw-.sdmp; Binary or memory string: x86_64/usr/bin/qemu-ppc/tmp/xd.powerpc-440fp.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/xd.powerpc-440fp.elf
Source: xd.powerpc-440fp.elf, 5436.1.0000555b8694f000.0000555b869ff000.rw-.sdmp, xd.powerpc-440fp.elf, 5439.1.0000555b8694f000.0000555b869ff000.rw-.sdmp, xd.powerpc-440fp.elf, 5441.1.0000555b8694f000.0000555b869ff000.rw-.sdmp, xd.powerpc-440fp.elf, 5444.1.0000555b8694f000.0000555b869ff000.rw-.sdmp, xd.powerpc-440fp.elf, 5450.1.0000555b8694f000.0000555b869ff000.rw-.sdmp, xd.powerpc-440fp.elf, 5451.1.0000555b8694f000.0000555b869ff000.rw-.sdmp; Binary or memory string: /etc/qemu-binfmt/ppc
Source: xd.powerpc-440fp.elf, 5436.1.00007fff63723000.00007fff63744000.rw-.sdmp, xd.powerpc-440fp.elf, 5439.1.00007fff63723000.00007fff63744000.rw-.sdmp, xd.powerpc-440fp.elf, 5441.1.00007fff63723000.00007fff63744000.rw-.sdmp, xd.powerpc-440fp.elf, 5444.1.00007fff63723000.00007fff63744000.rw-.sdmp, xd.powerpc-440fp.elf, 5450.1.00007fff63723000.00007fff63744000.rw-.sdmp, xd.powerpc-440fp.elf, 5451.1.00007fff63723000.00007fff63744000.rw-.sdmp; Binary or memory string: /usr/bin/qemu-ppc

Stealing of Sensitive Information

Source: Yara match; File source: Process Memory Space: xd.powerpc-440fp.elf PID: 5436, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: xd.powerpc-440fp.elf PID: 5451, type: MEMORYSTR

Remote Access Functionality

Source: Yara match; File source: Process Memory Space: xd.powerpc-440fp.elf PID: 5436, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: xd.powerpc-440fp.elf PID: 5451, type: MEMORYSTR
ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity Information1
Scripting
Valid AccountsWindows Management Instrumentation1
Scripting
Path Interception1
File and Directory Permissions Modification
1
OS Credential Dumping
11
Security Software Discovery
Remote ServicesData from Local System1
Non-Standard Port
Exfiltration Over Other Network Medium1
Service Stop
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
Disable or Modify Tools
LSASS Memory1
File and Directory Discovery
Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
Indicator Removal
Security Account Manager1
System Information Discovery
SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook11
Obfuscated Files or Information
NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
File Deletion
LSA SecretsInternet Connection DiscoverySSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
No configs have been found
Behavior graph (rendered image not recoverable): Behavior Graph ID 1655022, sample xd.powerpc-440fp.elf, start date 02/04/2025, architecture LINUX, score 88. Network nodes: 216.149.33.166 port 23 (XO-AS15US, United States), 84.56.198.146 port 23 (VODANETInternationalIP-BackboneofVodafoneDE, Germany), and 98 other IPs or domains. Signatures shown on the graph: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Yara detected Mirai; Sample is packed with UPX; Sample reads /proc/mounts (often used for finding a writable filesystem), attached to the gvfsd-fuse -> fusermount branch; Sample tries to kill multiple processes (SIGKILL) and Sample deletes itself, attached to a child xd.powerpc-440fp.elf process. Process tree: xd.powerpc-440fp.elf started three child xd.powerpc-440fp.elf processes, one of which started a further xd.powerpc-440fp.elf and 2 other processes; systemd started gpu-manager, which started three sh processes and 5 other processes, the sh processes each running grep (6 sh -> grep pairs plus 2 other processes); gvfsd-fuse started fusermount; generate-config started pkill; 40 other processes were also started.
Source: xd.powerpc-440fp.elf, Detection: 100%, Scanner: Avira, Label: EXP/ELF.Agent.F.118
No Antivirus matches


No contacted domains info
Name: http://upx.sf.net, Source: xd.powerpc-440fp.elf, Malicious: false, Reputation: high
    Process:/usr/bin/pulseaudio
    File Type:ASCII text
    Category:dropped
    Size (bytes):10
    Entropy (8bit):2.9219280948873623
    Encrypted:false
    SSDEEP:3:5bkPn:pkP
    MD5:FF001A15CE15CF062A3704CEA2991B5F
    SHA1:B06F6855F376C3245B82212AC73ADED55DFE5DEF
    SHA-256:C54830B41ECFA1B6FBDC30397188DDA86B7B200E62AEAC21AE694A6192DCC38A
    SHA-512:65EBF7C31F6F65713CE01B38A112E97D0AE64A6BD1DA40CE4C1B998F10CD3912EE1A48BB2B279B24493062118AAB3B8753742E2AF28E56A31A7AAB27DE80E7BF
    Malicious:false
    Reputation:moderate, very likely benign file
    Preview:auto_null.
    Process:/usr/bin/pulseaudio
    File Type:ASCII text
    Category:dropped
    Size (bytes):18
    Entropy (8bit):3.4613201402110088
    Encrypted:false
    SSDEEP:3:5bkrIZsXvn:pkckv
    MD5:28FE6435F34B3367707BB1C5D5F6B430
    SHA1:EB8FE2D16BD6BBCCE106C94E4D284543B2573CF6
    SHA-256:721A37C69E555799B41D308849E8F8125441883AB021B723FED90A9B744F36C0
    SHA-512:6B6AB7C0979629D0FEF6BE47C5C6BCC367EDD0AAE3FC973F4DE2FD5F0A819C89E7656DB65D453B1B5398E54012B27EDFE02894AD87A7E0AF3A9C5F2EB24A9919
    Malicious:false
    Reputation:moderate, very likely benign file
    Preview:auto_null.monitor.
    Process:/usr/sbin/gdm3
    File Type:ASCII text
    Category:dropped
    Size (bytes):5
    Entropy (8bit):1.9219280948873623
    Encrypted:false
    SSDEEP:3:Fdcn:nc
    MD5:ED6EB13AEC2CD903943D6E440CD63013
    SHA1:623E520BFFFB648592A6103DD34A53C5233CA72E
    SHA-256:DF991FFF6B92569DB010ADECAC183EAA7BFA112B46A61A259C40FEC0597C3DF3
    SHA-512:D6E04CD12034B1BCB87149D2018B177D9AA345FE777209F77B75C5BE2E7334A1FAF3BC61116801B9D67A64E2DB2154D1C46D499FBB438E5CF35DC799E1D08C85
    Malicious:false
    Reputation:low
    Preview:5587.
    Process:/usr/bin/pulseaudio
    File Type:ASCII text
    Category:dropped
    Size (bytes):5
    Entropy (8bit):1.3709505944546687
    Encrypted:false
    SSDEEP:3:FQo:d
    MD5:9777879D6C08CAA3943D510585D2F1E4
    SHA1:6B73FC01915759DD03A690F77D2625B0A0CFD5DC
    SHA-256:872542909E99BEFE54104CE0BE375646285DA1658C7E70470429C0F4E1CD9517
    SHA-512:529D13A674FDC288335BC59500E5C2435AE37CA05B28B61418A6AC443B9EFB23F01476A499952C09A5A228588AC4BC27430C7FF07DB08FD24CA75E17B21133AB
    Malicious:false
    Reputation:low
    Preview:5553.
    Process:/usr/bin/gpu-manager
    File Type:ASCII text
    Category:dropped
    Size (bytes):25
    Entropy (8bit):2.7550849518197795
    Encrypted:false
    SSDEEP:3:JoT/V9fDVbn:M/V3n
    MD5:078760523943E160756979906B85FB5E
    SHA1:0962643266F4C5537F7D125046F28F21D6DD0C89
    SHA-256:048416AC7A9A99690B8B53718CD39F32F637B55CC8DD8E67E58E5AEF060DD41C
    SHA-512:DEFAAE8F8B54C61A716A0B0B4884358FEB8EB44DFEA01AAA5A687FDA7182792B7DEBB34AA840672EB3B40EB59FD0186749E08E47D181786C7FAA8C8F73F0104D
    Malicious:false
    Reputation:moderate, very likely benign file
    Preview:15ad:0405;0000:00:0f:0;1.
    Process:/usr/bin/gpu-manager
    File Type:ASCII text
    Category:dropped
    Size (bytes):1371
    Entropy (8bit):4.8296848499188485
    Encrypted:false
    SSDEEP:24:wPXXX9uV6BNu3WDF3GF3XFFxFFed2uk2HUvJlfWkpPpx7uvvAdow9555cJz:wPXXXe6vejpeC2HUR5WkpPpcvAdow95O
    MD5:3AF77E630DA00B3BE24F4E8AA5D78B13
    SHA1:BCF2D99E002F6DE2413A183227B011CFBEF5673D
    SHA-256:EB1CBBA20845237B4409274D693FEAE13F835274DA3337B7A9D14F4D7FDF9DEA
    SHA-512:8524B1E8A761F962B32F396812099B9B0B2DCF3C9FCA8605424753CFCFF4DC67EDC5EE1D8C91B9C0ED7FAE6BB1E752898B8D514B7C421D1839D6FEDA609C593C
    Malicious:false
    Reputation:moderate, very likely benign file
    Preview:log_file: /var/log/gpu-manager.log.last_boot_file: /var/lib/ubuntu-drivers-common/last_gfx_boot.new_boot_file: /var/lib/ubuntu-drivers-common/last_gfx_boot.can't access /run/u-d-c-nvidia-was-loaded file.can't get module info via kmodcan't access /opt/amdgpu-pro/bin/amdgpu-pro-px.Looking for nvidia modules in /lib/modules/5.4.0-72-generic/kernel.Looking for nvidia modules in /lib/modules/5.4.0-72-generic/updates/dkms.Looking for amdgpu modules in /lib/modules/5.4.0-72-generic/kernel.Looking for amdgpu modules in /lib/modules/5.4.0-72-generic/updates/dkms.Is nvidia loaded? no.Was nvidia unloaded? no.Is nvidia blacklisted? no.Is intel loaded? no.Is radeon loaded? no.Is radeon blacklisted? no.Is amdgpu loaded? no.Is amdgpu blacklisted? no.Is amdgpu versioned? no.Is amdgpu pro stack? no.Is nouveau loaded? no.Is nouveau blacklisted? no.Is nvidia kernel module available? no.Is amdgpu kernel module available? no.Vendor/Device Id: 15ad:405.BusID "PCI:0@0:15:0".Is boot vga? yes.Error: can't acce
    File type:ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (GNU/Linux), statically linked, no section header
    Entropy (8bit):7.933001562057124
    TrID:
    • ELF Executable and Linkable format (Linux) (4029/14) 50.16%
    • ELF Executable and Linkable format (generic) (4004/1) 49.84%
    File name:xd.powerpc-440fp.elf
    File size:28'344 bytes
    MD5:c0eaa454ae080b7c1690454a672f92a4
    SHA1:0600b71dd75ff1f350d1c65ef9eb381eb14bb1e7
    SHA256:fcdacc5f7797c1ed7400c664a1354e6639c4360d4d46c7fe6113d5517f5fb5eb
    SHA512:e4334a381b7093bb9deba02f8540ef42299ef31426e4e4b604b1c9ad78a078be8706ec8a347d004aeaf0a52a1baf3b0398781d1b07b70cec4dd4e53cb6dc1024
    SSDEEP:384:6U/AqTww77KcMxahkbgShjraGJcezN8Kvnf4kizS74fbLzLkYAM4uVcqgw05ixJ8:lAYMNxPblPd2eHX4k8L//4uVcqgw0+aZ
    TLSH:38D2E069CAB2DC98E3A6EDE90FB1C2153FD1181DF23086E128F07E46A927557290CCD8
    File Content Preview:.ELF......................[....4.........4. ...(......................m...m.........................................dt.Q.............................?..UPX!...........X...X.......Q.......?.E.h4...@b.............[GnE..M.........#...skS..........F.......DKP

    ELF header

    Class:ELF32
    Data:2's complement, big endian
    Version:1 (current)
    Machine:PowerPC
    Version Number:0x1
    Type:EXEC (Executable file)
    OS/ABI:UNIX - Linux
    ABI Version:0
    Entry Point Address:0x105bd0
    Flags:0x0
    ELF Header Size:52
    Program Header Offset:52
    Program Header Size:32
    Number of Program Headers:3
    Section Header Offset:0
    Section Header Size:40
    Number of Section Headers:0
    Header String Table Index:0
    Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
    LOAD | 0x0 | 0x100000 | 0x100000 | 0x6db8 | 0x6db8 | 7.9363 | 0x5 | R E | 0x10000 | |
    LOAD | 0x704 | 0x10010704 | 0x10010704 | 0x0 | 0x0 | 0.0000 | 0x6 | RW | 0x10000 | |
    GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x6 | RW | 0x4 | |

    • Total Packets: 159
    • 7887 undefined
    • 23 (Telnet)
    Timestamp | Source IP | Dest IP | Checksum | Code | Type
    Apr 2, 2025 21:48:46.457109928 CEST | 192.168.2.13 | 192.168.2.1 | 8279 | (Port unreachable) | Destination Unreachable
    Apr 2, 2025 21:50:06.472376108 CEST | 192.168.2.13 | 192.168.2.1 | 8279 | (Port unreachable) | Destination Unreachable

    System Behavior

    Start time (UTC):19:48:17
    Start date (UTC):02/04/2025
    Path:/tmp/xd.powerpc-440fp.elf
    Arguments:/tmp/xd.powerpc-440fp.elf
    File size:5388968 bytes
    MD5 hash:ae65271c943d3451b7f026d1fadccea6

    Start time (UTC):19:48:18
    Start date (UTC):02/04/2025
    Path:/tmp/xd.powerpc-440fp.elf
    Arguments:-
    File size:5388968 bytes
    MD5 hash:ae65271c943d3451b7f026d1fadccea6

    Start time (UTC):19:48:18
    Start date (UTC):02/04/2025
    Path:/tmp/xd.powerpc-440fp.elf
    Arguments:-
    File size:5388968 bytes
    MD5 hash:ae65271c943d3451b7f026d1fadccea6

    Start time (UTC):19:48:18
    Start date (UTC):02/04/2025
    Path:/tmp/xd.powerpc-440fp.elf
    Arguments:-
    File size:5388968 bytes
    MD5 hash:ae65271c943d3451b7f026d1fadccea6

    Start time (UTC):19:48:18
    Start date (UTC):02/04/2025
    Path:/tmp/xd.powerpc-440fp.elf
    Arguments:-
    File size:5388968 bytes
    MD5 hash:ae65271c943d3451b7f026d1fadccea6

    Start time (UTC):19:48:18
    Start date (UTC):02/04/2025
    Path:/tmp/xd.powerpc-440fp.elf
    Arguments:-
    File size:5388968 bytes
    MD5 hash:ae65271c943d3451b7f026d1fadccea6

    Start time (UTC):19:48:18
    Start date (UTC):02/04/2025
    Path:/tmp/xd.powerpc-440fp.elf
    Arguments:-
    File size:5388968 bytes
    MD5 hash:ae65271c943d3451b7f026d1fadccea6

    Start time (UTC):19:48:29
    Start date (UTC):02/04/2025
    Path:/usr/lib/systemd/systemd
    Arguments:-
    File size:1620224 bytes
    MD5 hash:9b2bec7092a40488108543f9334aab75

    Start time (UTC):19:48:29
    Start date (UTC):02/04/2025
    Path:/usr/bin/journalctl
    Arguments:/usr/bin/journalctl --smart-relinquish-var
    File size:80120 bytes
    MD5 hash:bf3a987344f3bacafc44efd882abda8b

    Start time (UTC):19:48:29
    Start date (UTC):02/04/2025
    Path:/usr/lib/systemd/systemd
    Arguments:-
    File size:1620224 bytes
    MD5 hash:9b2bec7092a40488108543f9334aab75

    Start time (UTC):19:48:29
    Start date (UTC):02/04/2025
    Path:/usr/lib/systemd/systemd
    Arguments:-
    File size:1620224 bytes
    MD5 hash:9b2bec7092a40488108543f9334aab75

    Start time (UTC):19:48:29
    Start date (UTC):02/04/2025
    Path:/usr/lib/systemd/systemd
    Arguments:-
    File size:1620224 bytes
    MD5 hash:9b2bec7092a40488108543f9334aab75

    Start time (UTC):19:48:29
    Start date (UTC):02/04/2025
    Path:/usr/lib/systemd/systemd
    Arguments:-
    File size:1620224 bytes
    MD5 hash:9b2bec7092a40488108543f9334aab75

    Start time (UTC):19:48:29
    Start date (UTC):02/04/2025
    Path:/usr/lib/systemd/systemd
    Arguments:-
    File size:1620224 bytes
    MD5 hash:9b2bec7092a40488108543f9334aab75

    Start time (UTC):19:48:42
    Start date (UTC):02/04/2025
    Path:/usr/lib/systemd/systemd
    Arguments:-
    File size:1620224 bytes
    MD5 hash:9b2bec7092a40488108543f9334aab75

    Start time (UTC):19:48:42
    Start date (UTC):02/04/2025
    Path:/usr/lib/systemd/systemd
    Arguments:-
    File size:1620224 bytes
    MD5 hash:9b2bec7092a40488108543f9334aab75

    Start time (UTC):19:48:42
    Start date (UTC):02/04/2025
    Path:/usr/lib/systemd/systemd
    Arguments:-
    File size:1620224 bytes
    MD5 hash:9b2bec7092a40488108543f9334aab75

    Start time (UTC):19:48:42
    Start date (UTC):02/04/2025
    Path:/usr/lib/systemd/systemd
    Arguments:-
    File size:1620224 bytes
    MD5 hash:9b2bec7092a40488108543f9334aab75

    Start time (UTC):19:48:42
    Start date (UTC):02/04/2025
    Path:/usr/lib/systemd/systemd
    Arguments:-
    File size:1620224 bytes
    MD5 hash:9b2bec7092a40488108543f9334aab75

    Start time (UTC):19:48:42
    Start date (UTC):02/04/2025
    Path:/usr/lib/systemd/systemd
    Arguments:-
    File size:1620224 bytes
    MD5 hash:9b2bec7092a40488108543f9334aab75

    Start time (UTC):19:48:42
    Start date (UTC):02/04/2025
    Path:/usr/lib/systemd/systemd
    Arguments:-
    File size:1620224 bytes
    MD5 hash:9b2bec7092a40488108543f9334aab75

    Start time (UTC):19:48:42
    Start date (UTC):02/04/2025
    Path:/usr/bin/pulseaudio
    Arguments:/usr/bin/pulseaudio --daemonize=no --log-target=journal
    File size:100832 bytes
    MD5 hash:0c3b4c789d8ffb12b25507f27e14c186

    Start time (UTC):19:48:42
    Start date (UTC):02/04/2025
    Path:/usr/sbin/gdm3
    Arguments:-
    File size:453296 bytes
    MD5 hash:2492e2d8d34f9377e3e530a61a15674f

    Start time (UTC):19:48:42
    Start date (UTC):02/04/2025
    Path:/etc/gdm3/PrimeOff/Default
    Arguments:/etc/gdm3/PrimeOff/Default
    File size:129816 bytes
    MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

    Start time (UTC):19:48:42
    Start date (UTC):02/04/2025
    Path:/usr/sbin/gdm3
    Arguments:-
    File size:453296 bytes
    MD5 hash:2492e2d8d34f9377e3e530a61a15674f

    Start time (UTC):19:48:42
    Start date (UTC):02/04/2025
    Path:/etc/gdm3/PrimeOff/Default
    Arguments:/etc/gdm3/PrimeOff/Default
    File size:129816 bytes
    MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

    Start time (UTC):19:48:43
    Start date (UTC):02/04/2025
    Path:/usr/sbin/gdm3
    Arguments:-
    File size:453296 bytes
    MD5 hash:2492e2d8d34f9377e3e530a61a15674f

    Start time (UTC):19:48:43
    Start date (UTC):02/04/2025
    Path:/etc/gdm3/PrimeOff/Default
    Arguments:/etc/gdm3/PrimeOff/Default
    File size:129816 bytes
    MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

    Start time (UTC):19:48:43
    Start date (UTC):02/04/2025
    Path:/usr/lib/systemd/systemd
    Arguments:-
    File size:1620224 bytes
    MD5 hash:9b2bec7092a40488108543f9334aab75

    Start time (UTC):19:48:43
    Start date (UTC):02/04/2025
    Path:/usr/lib/systemd/systemd
    Arguments:-
    File size:1620224 bytes
    MD5 hash:9b2bec7092a40488108543f9334aab75

    Start time (UTC):19:48:43
    Start date (UTC):02/04/2025
    Path:/usr/lib/systemd/systemd
    Arguments:-
    File size:1620224 bytes
    MD5 hash:9b2bec7092a40488108543f9334aab75

    Start time (UTC):19:48:43
    Start date (UTC):02/04/2025
    Path:/usr/lib/systemd/systemd
    Arguments:-
    File size:1620224 bytes
    MD5 hash:9b2bec7092a40488108543f9334aab75

    Start time (UTC):19:48:44
    Start date (UTC):02/04/2025
    Path:/usr/lib/systemd/systemd
    Arguments:-
    File size:1620224 bytes
    MD5 hash:9b2bec7092a40488108543f9334aab75

    Start time (UTC):19:48:44
    Start date (UTC):02/04/2025
    Path:/usr/bin/gpu-manager
    Arguments:/usr/bin/gpu-manager --log /var/log/gpu-manager.log
    File size:76616 bytes
    MD5 hash:8fae9dd5dd67e1f33d873089c2fd8761

    Start time (UTC):19:48:44
    Start date (UTC):02/04/2025
    Path:/usr/bin/gpu-manager
    Arguments:-
    File size:76616 bytes
    MD5 hash:8fae9dd5dd67e1f33d873089c2fd8761

    Start time (UTC):19:48:44
    Start date (UTC):02/04/2025
    Path:/bin/sh
    Arguments:sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
    File size:129816 bytes
    MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

    Start time (UTC):19:48:44
    Start date (UTC):02/04/2025
    Path:/bin/sh
    Arguments:-
    File size:129816 bytes
    MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

    Start time (UTC):19:48:44
    Start date (UTC):02/04/2025
    Path:/usr/bin/grep
    Arguments:grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
    File size:199136 bytes
    MD5 hash:1e6ebb9dd094f774478f72727bdba0f5

    Start time (UTC):19:48:44
    Start date (UTC):02/04/2025
    Path:/usr/bin/gpu-manager
    Arguments:-
    File size:76616 bytes
    MD5 hash:8fae9dd5dd67e1f33d873089c2fd8761

    Start time (UTC):19:48:44
    Start date (UTC):02/04/2025
    Path:/bin/sh
    Arguments:sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
    File size:129816 bytes
    MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

    Start time (UTC):19:48:44
    Start date (UTC):02/04/2025
    Path:/bin/sh
    Arguments:-
    File size:129816 bytes
    MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

    Start time (UTC):19:48:44
    Start date (UTC):02/04/2025
    Path:/usr/bin/grep
    Arguments:grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
    File size:199136 bytes
    MD5 hash:1e6ebb9dd094f774478f72727bdba0f5

    Start time (UTC):19:48:44
    Start date (UTC):02/04/2025
    Path:/usr/bin/gpu-manager
    Arguments:-
    File size:76616 bytes
    MD5 hash:8fae9dd5dd67e1f33d873089c2fd8761

    Start time (UTC):19:48:44
    Start date (UTC):02/04/2025
    Path:/bin/sh
    Arguments:sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"
    File size:129816 bytes
    MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

    Start time (UTC):19:48:44
    Start date (UTC):02/04/2025
    Path:/bin/sh
    Arguments:-
    File size:129816 bytes
    MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

    Start time (UTC):19:48:44
    Start date (UTC):02/04/2025
    Path:/usr/bin/grep
    Arguments:grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
    File size:199136 bytes
    MD5 hash:1e6ebb9dd094f774478f72727bdba0f5

    Start time (UTC):19:48:44
    Start date (UTC):02/04/2025
    Path:/usr/bin/gpu-manager
    Arguments:-
    File size:76616 bytes
    MD5 hash:8fae9dd5dd67e1f33d873089c2fd8761

    Start time (UTC):19:48:44
    Start date (UTC):02/04/2025
    Path:/bin/sh
    Arguments:sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf"
    File size:129816 bytes
    MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

    Start time (UTC):19:48:44
    Start date (UTC):02/04/2025
    Path:/bin/sh
    Arguments:-
    File size:129816 bytes
    MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

    Start time (UTC):19:48:44
    Start date (UTC):02/04/2025
    Path:/usr/bin/grep
    Arguments:grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
    File size:199136 bytes
    MD5 hash:1e6ebb9dd094f774478f72727bdba0f5

    Start time (UTC):19:48:44
    Start date (UTC):02/04/2025
    Path:/usr/bin/gpu-manager
    Arguments:-
    File size:76616 bytes
    MD5 hash:8fae9dd5dd67e1f33d873089c2fd8761

    Start time (UTC):19:48:44
    Start date (UTC):02/04/2025
    Path:/bin/sh
    Arguments:sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf"
    File size:129816 bytes
    MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

    Start time (UTC):19:48:44
    Start date (UTC):02/04/2025
    Path:/bin/sh
    Arguments:-
    File size:129816 bytes
    MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

    Start time (UTC):19:48:44
    Start date (UTC):02/04/2025
    Path:/usr/bin/grep
    Arguments:grep -G ^blacklist.*amdgpu[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
    File size:199136 bytes
    MD5 hash:1e6ebb9dd094f774478f72727bdba0f5

    Start time (UTC):19:48:44
    Start date (UTC):02/04/2025
    Path:/usr/bin/gpu-manager
    Arguments:-
    File size:76616 bytes
    MD5 hash:8fae9dd5dd67e1f33d873089c2fd8761

    Start time (UTC):19:48:44
    Start date (UTC):02/04/2025
    Path:/bin/sh
    Arguments:sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /lib/modprobe.d/*.conf"
    File size:129816 bytes
    MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

    Start time (UTC):19:48:44
    Start date (UTC):02/04/2025
    Path:/bin/sh
    Arguments:-
    File size:129816 bytes
    MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

    Start time (UTC):19:48:44
    Start date (UTC):02/04/2025
    Path:/usr/bin/grep
    Arguments:grep -G ^blacklist.*amdgpu[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
    File size:199136 bytes
    MD5 hash:1e6ebb9dd094f774478f72727bdba0f5

    Start time (UTC):19:48:45
    Start date (UTC):02/04/2025
    Path:/usr/bin/gpu-manager
    Arguments:-
    File size:76616 bytes
    MD5 hash:8fae9dd5dd67e1f33d873089c2fd8761

    Start time (UTC):19:48:45
    Start date (UTC):02/04/2025
    Path:/bin/sh
    Arguments:sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /etc/modprobe.d/*.conf"
    File size:129816 bytes
    MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

    Start time (UTC):19:48:45
    Start date (UTC):02/04/2025
    Path:/bin/sh
    Arguments:-
    File size:129816 bytes
    MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

    Start time (UTC):19:48:45
    Start date (UTC):02/04/2025
    Path:/usr/bin/grep
    Arguments:grep -G ^blacklist.*nouveau[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
    File size:199136 bytes
    MD5 hash:1e6ebb9dd094f774478f72727bdba0f5

    Start time (UTC):19:48:45
    Start date (UTC):02/04/2025
    Path:/usr/bin/gpu-manager
    Arguments:-
    File size:76616 bytes
    MD5 hash:8fae9dd5dd67e1f33d873089c2fd8761

    Start time (UTC):19:48:45
    Start date (UTC):02/04/2025
    Path:/bin/sh
    Arguments:sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /lib/modprobe.d/*.conf"
    File size:129816 bytes
    MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

    Start time (UTC):19:48:45
    Start date (UTC):02/04/2025
    Path:/bin/sh
    Arguments:-
    File size:129816 bytes
    MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

    Start time (UTC):19:48:45
    Start date (UTC):02/04/2025
    Path:/usr/bin/grep
    Arguments:grep -G ^blacklist.*nouveau[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
    File size:199136 bytes
    MD5 hash:1e6ebb9dd094f774478f72727bdba0f5

    Start time (UTC):19:48:46
    Start date (UTC):02/04/2025
    Path:/usr/lib/systemd/systemd (deleted)
    Arguments:-
    File size:1620224 bytes
    MD5 hash:9b2bec7092a40488108543f9334aab75

    Start time (UTC):19:48:46
    Start date (UTC):02/04/2025
    Path:/usr/share/gdm/generate-config
    Arguments:/usr/share/gdm/generate-config
    File size:129816 bytes
    MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

    Start time (UTC):19:48:46
    Start date (UTC):02/04/2025
    Path:/usr/share/gdm/generate-config
    Arguments:-
    File size:129816 bytes
    MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

    Start time (UTC):19:48:46
    Start date (UTC):02/04/2025
    Path:/usr/bin/pkill
    Arguments:pkill --signal HUP --uid gdm dconf-service
    File size:30968 bytes
    MD5 hash:fa96a75a08109d8842e4865b2907d51f

    Start time (UTC):19:48:47
    Start date (UTC):02/04/2025
    Path:/usr/libexec/gvfsd-fuse
    Arguments:-
    File size:47632 bytes
    MD5 hash:d18fbf1cbf8eb57b17fac48b7b4be933

    Start time (UTC):19:48:47
    Start date (UTC):02/04/2025
    Path:/bin/fusermount
    Arguments:fusermount -u -q -z -- /run/user/1000/gvfs
    File size:39144 bytes
    MD5 hash:576a1b135c82bdcbc97a91acea900566

    Start time (UTC):19:48:47
    Start date (UTC):02/04/2025
    Path:/usr/lib/systemd/systemd (deleted)
    Arguments:-
    File size:1620224 bytes
    MD5 hash:9b2bec7092a40488108543f9334aab75

    Start time (UTC):19:48:47
    Start date (UTC):02/04/2025
    Path:/usr/lib/gdm3/gdm-wait-for-drm
    Arguments:/usr/lib/gdm3/gdm-wait-for-drm
    File size:14640 bytes
    MD5 hash:82043ba752c6930b4e6aaea2f7747545

    Start time (UTC):19:48:58
    Start date (UTC):02/04/2025
    Path:/usr/lib/systemd/systemd (deleted)
    Arguments:-
    File size:1620224 bytes
    MD5 hash:9b2bec7092a40488108543f9334aab75

    Start time (UTC):19:48:58
    Start date (UTC):02/04/2025
    Path:/usr/sbin/gdm3
    Arguments:/usr/sbin/gdm3
    File size:453296 bytes
    MD5 hash:2492e2d8d34f9377e3e530a61a15674f

    Start time (UTC):19:48:58
    Start date (UTC):02/04/2025
    Path:/usr/lib/systemd/systemd (deleted)
    Arguments:-
    File size:1620224 bytes
    MD5 hash:9b2bec7092a40488108543f9334aab75

    Start time (UTC):19:48:58
    Start date (UTC):02/04/2025
    Path:/usr/lib/systemd/systemd (deleted)
    Arguments:-
    File size:1620224 bytes
    MD5 hash:9b2bec7092a40488108543f9334aab75

    Start time (UTC):19:48:58
    Start date (UTC):02/04/2025
    Path:/usr/lib/systemd/systemd (deleted)
    Arguments:-
    File size:1620224 bytes
    MD5 hash:9b2bec7092a40488108543f9334aab75

    Start time (UTC):19:48:58
    Start date (UTC):02/04/2025
    Path:/usr/lib/systemd/systemd (deleted)
    Arguments:-
    File size:1620224 bytes
    MD5 hash:9b2bec7092a40488108543f9334aab75

    Start time (UTC):19:48:58
    Start date (UTC):02/04/2025
    Path:/usr/lib/systemd/systemd (deleted)
    Arguments:-
    File size:1620224 bytes
    MD5 hash:9b2bec7092a40488108543f9334aab75

    Start time (UTC):19:49:12
    Start date (UTC):02/04/2025
    Path:/usr/lib/systemd/systemd (deleted)
    Arguments:-
    File size:1620224 bytes
    MD5 hash:9b2bec7092a40488108543f9334aab75

    Start time (UTC):19:49:12
    Start date (UTC):02/04/2025
    Path:/usr/bin/gpu-manager
    Arguments:/usr/bin/gpu-manager --log /var/log/gpu-manager.log
    File size:76616 bytes
    MD5 hash:8fae9dd5dd67e1f33d873089c2fd8761

    Start time (UTC):19:49:12
    Start date (UTC):02/04/2025
    Path:/usr/bin/gpu-manager
    Arguments:-
    File size:76616 bytes
    MD5 hash:8fae9dd5dd67e1f33d873089c2fd8761

    Start time (UTC):19:49:12
    Start date (UTC):02/04/2025
    Path:/usr/bin/gpu-manager
    Arguments:-
    File size:76616 bytes
    MD5 hash:8fae9dd5dd67e1f33d873089c2fd8761

    Start time (UTC):19:49:12
    Start date (UTC):02/04/2025
    Path:/usr/bin/gpu-manager
    Arguments:-
    File size:76616 bytes
    MD5 hash:8fae9dd5dd67e1f33d873089c2fd8761

    Start time (UTC):19:49:12
    Start date (UTC):02/04/2025
    Path:/usr/bin/gpu-manager
    Arguments:-
    File size:76616 bytes
    MD5 hash:8fae9dd5dd67e1f33d873089c2fd8761

    Start time (UTC):19:49:12
    Start date (UTC):02/04/2025
    Path:/usr/bin/gpu-manager
    Arguments:-
    File size:76616 bytes
    MD5 hash:8fae9dd5dd67e1f33d873089c2fd8761

    Start time (UTC):19:49:12
    Start date (UTC):02/04/2025
    Path:/usr/bin/gpu-manager
    Arguments:-
    File size:76616 bytes
    MD5 hash:8fae9dd5dd67e1f33d873089c2fd8761

    Start time (UTC):19:49:12
    Start date (UTC):02/04/2025
    Path:/usr/bin/gpu-manager
    Arguments:-
    File size:76616 bytes
    MD5 hash:8fae9dd5dd67e1f33d873089c2fd8761

    Start time (UTC):19:49:12
    Start date (UTC):02/04/2025
    Path:/usr/bin/gpu-manager
    Arguments:-
    File size:76616 bytes
    MD5 hash:8fae9dd5dd67e1f33d873089c2fd8761

    Start time (UTC):19:49:13
    Start date (UTC):02/04/2025
    Path:/usr/lib/systemd/systemd (deleted)
    Arguments:-
    File size:1620224 bytes
    MD5 hash:9b2bec7092a40488108543f9334aab75

    Start time (UTC):19:49:14
    Start date (UTC):02/04/2025
    Path:/usr/lib/systemd/systemd (deleted)
    Arguments:-
    File size:1620224 bytes
    MD5 hash:9b2bec7092a40488108543f9334aab75

    Start time (UTC):19:49:14
    Start date (UTC):02/04/2025
    Path:/usr/bin/gpu-manager
    Arguments:/usr/bin/gpu-manager --log /var/log/gpu-manager.log
    File size:76616 bytes
    MD5 hash:8fae9dd5dd67e1f33d873089c2fd8761

    Start time (UTC):19:49:14
    Start date (UTC):02/04/2025
    Path:/usr/bin/gpu-manager
    Arguments:-
    File size:76616 bytes
    MD5 hash:8fae9dd5dd67e1f33d873089c2fd8761

    Start time (UTC):19:49:14
    Start date (UTC):02/04/2025
    Path:/usr/bin/gpu-manager
    Arguments:-
    File size:76616 bytes
    MD5 hash:8fae9dd5dd67e1f33d873089c2fd8761

    Start time (UTC):19:49:14
    Start date (UTC):02/04/2025
    Path:/usr/bin/gpu-manager
    Arguments:-
    File size:76616 bytes
    MD5 hash:8fae9dd5dd67e1f33d873089c2fd8761

    Start time (UTC):19:49:14
    Start date (UTC):02/04/2025
    Path:/usr/bin/gpu-manager
    Arguments:-
    File size:76616 bytes
    MD5 hash:8fae9dd5dd67e1f33d873089c2fd8761

    Start time (UTC):19:49:14
    Start date (UTC):02/04/2025
    Path:/usr/bin/gpu-manager
    Arguments:-
    File size:76616 bytes
    MD5 hash:8fae9dd5dd67e1f33d873089c2fd8761

    Start time (UTC):19:49:14
    Start date (UTC):02/04/2025
    Path:/usr/bin/gpu-manager
    Arguments:-
    File size:76616 bytes
    MD5 hash:8fae9dd5dd67e1f33d873089c2fd8761

    Start time (UTC):19:49:14
    Start date (UTC):02/04/2025
    Path:/usr/bin/gpu-manager
    Arguments:-
    File size:76616 bytes
    MD5 hash:8fae9dd5dd67e1f33d873089c2fd8761

    Start time (UTC):19:49:14
    Start date (UTC):02/04/2025
    Path:/usr/bin/gpu-manager
    Arguments:-
    File size:76616 bytes
    MD5 hash:8fae9dd5dd67e1f33d873089c2fd8761

    Start time (UTC):19:49:14
    Start date (UTC):02/04/2025
    Path:/usr/lib/systemd/systemd (deleted)
    Arguments:-
    File size:1620224 bytes
    MD5 hash:9b2bec7092a40488108543f9334aab75

    Start time (UTC):19:49:16
    Start date (UTC):02/04/2025
    Path:/usr/lib/systemd/systemd (deleted)
    Arguments:-
    File size:1620224 bytes
    MD5 hash:9b2bec7092a40488108543f9334aab75

    Start time (UTC):19:49:16
    Start date (UTC):02/04/2025
    Path:/usr/bin/gpu-manager
    Arguments:/usr/bin/gpu-manager --log /var/log/gpu-manager.log
    File size:76616 bytes
    MD5 hash:8fae9dd5dd67e1f33d873089c2fd8761

    Start time (UTC):19:49:16
    Start date (UTC):02/04/2025
    Path:/usr/bin/gpu-manager
    Arguments:-
    File size:76616 bytes
    MD5 hash:8fae9dd5dd67e1f33d873089c2fd8761

    Start time (UTC):19:49:16
    Start date (UTC):02/04/2025
    Path:/usr/bin/gpu-manager
    Arguments:-
    File size:76616 bytes
    MD5 hash:8fae9dd5dd67e1f33d873089c2fd8761

    Start time (UTC):19:49:16
    Start date (UTC):02/04/2025
    Path:/usr/bin/gpu-manager
    Arguments:-
    File size:76616 bytes
    MD5 hash:8fae9dd5dd67e1f33d873089c2fd8761

    Start time (UTC):19:49:16
    Start date (UTC):02/04/2025
    Path:/usr/bin/gpu-manager
    Arguments:-
    File size:76616 bytes
    MD5 hash:8fae9dd5dd67e1f33d873089c2fd8761

    Start time (UTC):19:49:16
    Start date (UTC):02/04/2025
    Path:/usr/bin/gpu-manager
    Arguments:-
    File size:76616 bytes
    MD5 hash:8fae9dd5dd67e1f33d873089c2fd8761

    Start time (UTC):19:49:16
    Start date (UTC):02/04/2025
    Path:/usr/bin/gpu-manager
    Arguments:-
    File size:76616 bytes
    MD5 hash:8fae9dd5dd67e1f33d873089c2fd8761

    Start time (UTC):19:49:16
    Start date (UTC):02/04/2025
    Path:/usr/bin/gpu-manager
    Arguments:-
    File size:76616 bytes
    MD5 hash:8fae9dd5dd67e1f33d873089c2fd8761

    Start time (UTC):19:49:16
    Start date (UTC):02/04/2025
    Path:/usr/bin/gpu-manager
    Arguments:-
    File size:76616 bytes
    MD5 hash:8fae9dd5dd67e1f33d873089c2fd8761

    Start time (UTC):19:49:16
    Start date (UTC):02/04/2025
    Path:/usr/lib/systemd/systemd (deleted)
    Arguments:-
    File size:1620224 bytes
    MD5 hash:9b2bec7092a40488108543f9334aab75

    Start time (UTC):19:49:17
    Start date (UTC):02/04/2025
    Path:/usr/lib/systemd/systemd (deleted)
    Arguments:-
    File size:1620224 bytes
    MD5 hash:9b2bec7092a40488108543f9334aab75

    Start time (UTC):19:49:17
    Start date (UTC):02/04/2025
    Path:/usr/bin/gpu-manager
    Arguments:/usr/bin/gpu-manager --log /var/log/gpu-manager.log
    File size:76616 bytes
    MD5 hash:8fae9dd5dd67e1f33d873089c2fd8761

    Start time (UTC):19:49:17
    Start date (UTC):02/04/2025
    Path:/usr/bin/gpu-manager
    Arguments:-
    File size:76616 bytes
    MD5 hash:8fae9dd5dd67e1f33d873089c2fd8761

    Start time (UTC):19:49:17
    Start date (UTC):02/04/2025
    Path:/usr/bin/gpu-manager
    Arguments:-
    File size:76616 bytes
    MD5 hash:8fae9dd5dd67e1f33d873089c2fd8761

    Start time (UTC):19:49:17
    Start date (UTC):02/04/2025
    Path:/usr/bin/gpu-manager
    Arguments:-
    File size:76616 bytes
    MD5 hash:8fae9dd5dd67e1f33d873089c2fd8761

    Start time (UTC):19:49:17
    Start date (UTC):02/04/2025
    Path:/usr/bin/gpu-manager
    Arguments:-
    File size:76616 bytes
    MD5 hash:8fae9dd5dd67e1f33d873089c2fd8761

    Start time (UTC):19:49:17
    Start date (UTC):02/04/2025
    Path:/usr/bin/gpu-manager
    Arguments:-
    File size:76616 bytes
    MD5 hash:8fae9dd5dd67e1f33d873089c2fd8761

    Start time (UTC):19:49:18
    Start date (UTC):02/04/2025
    Path:/usr/bin/gpu-manager
    Arguments:-
    File size:76616 bytes
    MD5 hash:8fae9dd5dd67e1f33d873089c2fd8761

    Start time (UTC):19:49:18
    Start date (UTC):02/04/2025
    Path:/usr/bin/gpu-manager
    Arguments:-
    File size:76616 bytes
    MD5 hash:8fae9dd5dd67e1f33d873089c2fd8761

    Start time (UTC):19:49:18
    Start date (UTC):02/04/2025
    Path:/usr/bin/gpu-manager
    Arguments:-
    File size:76616 bytes
    MD5 hash:8fae9dd5dd67e1f33d873089c2fd8761

    Start time (UTC):19:49:18
    Start date (UTC):02/04/2025
    Path:/usr/lib/systemd/systemd (deleted)
    Arguments:-
    File size:1620224 bytes
    MD5 hash:9b2bec7092a40488108543f9334aab75

    Start time (UTC):19:49:19
    Start date (UTC):02/04/2025
    Path:/usr/lib/systemd/systemd (deleted)
    Arguments:-
    File size:1620224 bytes
    MD5 hash:9b2bec7092a40488108543f9334aab75

    Start time (UTC):19:49:19
    Start date (UTC):02/04/2025
    Path:/usr/bin/gpu-manager
    Arguments:/usr/bin/gpu-manager --log /var/log/gpu-manager.log
    File size:76616 bytes
    MD5 hash:8fae9dd5dd67e1f33d873089c2fd8761

    Start time (UTC):19:49:19
    Start date (UTC):02/04/2025
    Path:/usr/bin/gpu-manager
    Arguments:-
    File size:76616 bytes
    MD5 hash:8fae9dd5dd67e1f33d873089c2fd8761

    Start time (UTC):19:49:19
    Start date (UTC):02/04/2025
    Path:/usr/bin/gpu-manager
    Arguments:-
    File size:76616 bytes
    MD5 hash:8fae9dd5dd67e1f33d873089c2fd8761

    Start time (UTC):19:49:19
    Start date (UTC):02/04/2025
    Path:/usr/bin/gpu-manager
    Arguments:-
    File size:76616 bytes
    MD5 hash:8fae9dd5dd67e1f33d873089c2fd8761

    Start time (UTC):19:49:19
    Start date (UTC):02/04/2025
    Path:/usr/bin/gpu-manager
    Arguments:-
    File size:76616 bytes
    MD5 hash:8fae9dd5dd67e1f33d873089c2fd8761

    Start time (UTC):19:49:19
    Start date (UTC):02/04/2025
    Path:/usr/bin/gpu-manager
    Arguments:-
    File size:76616 bytes
    MD5 hash:8fae9dd5dd67e1f33d873089c2fd8761

    Start time (UTC):19:49:19
    Start date (UTC):02/04/2025
    Path:/usr/bin/gpu-manager
    Arguments:-
    File size:76616 bytes
    MD5 hash:8fae9dd5dd67e1f33d873089c2fd8761

    Start time (UTC):19:49:19
    Start date (UTC):02/04/2025
    Path:/usr/bin/gpu-manager
    Arguments:-
    File size:76616 bytes
    MD5 hash:8fae9dd5dd67e1f33d873089c2fd8761

    Start time (UTC):19:49:19
    Start date (UTC):02/04/2025
    Path:/usr/bin/gpu-manager
    Arguments:-
    File size:76616 bytes
    MD5 hash:8fae9dd5dd67e1f33d873089c2fd8761

    Start time (UTC):19:49:20
    Start date (UTC):02/04/2025
    Path:/usr/lib/systemd/systemd (deleted)
    Arguments:-
    File size:1620224 bytes
    MD5 hash:9b2bec7092a40488108543f9334aab75

    Start time (UTC):19:49:21
    Start date (UTC):02/04/2025
    Path:/usr/lib/systemd/systemd (deleted)
    Arguments:-
    File size:1620224 bytes
    MD5 hash:9b2bec7092a40488108543f9334aab75

    Start time (UTC):19:49:21
    Start date (UTC):02/04/2025
    Path:/bin/plymouth
    Arguments:/bin/plymouth quit
    File size:51352 bytes
    MD5 hash:87003efd8dad470042f5e75360a8f49f

    Start time (UTC):19:50:17
    Start date (UTC):02/04/2025
    Path:/usr/lib/systemd/systemd (deleted)
    Arguments:-
    File size:1620224 bytes
    MD5 hash:9b2bec7092a40488108543f9334aab75