Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Download

Tsunami.x86

ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped

initial sample

/home/saturnino/.config/pulse/ee49dfd4fa47433baee88884e2d7de7c-default-sink

ASCII text

dropped

/home/saturnino/.config/pulse/ee49dfd4fa47433baee88884e2d7de7c-default-source

ASCII text

dropped

/memfd:30-systemd-environment-d-generator (deleted)

ASCII text

dropped

/memfd:user-environment-generators (deleted)

ASCII text

dropped

/proc/5272/oom_score_adj

ASCII text

dropped

/proc/5798/oom_score_adj

very short file (no magic)

dropped

/proc/5855/oom_score_adj

ASCII text

dropped

/proc/6286/oom_score_adj

very short file (no magic)

dropped

/proc/6312/oom_score_adj

ASCII text

dropped

/proc/6992/oom_score_adj

ASCII text

dropped

/proc/7407/oom_score_adj

ASCII text

dropped

/proc/7543/oom_score_adj

very short file (no magic)

dropped

/run/sshd.pid

ASCII text

dropped

/run/systemd/inhibit/.#10NlkwDx

ASCII text

dropped

/run/systemd/inhibit/.#12WzZgf

ASCII text

dropped

/run/systemd/inhibit/.#1BKY53w

ASCII text

dropped

/run/systemd/inhibit/.#1GAO4W5

ASCII text

dropped

/run/systemd/inhibit/.#1NfQcC6

ASCII text

dropped

/run/systemd/inhibit/.#1h2BAS0

ASCII text

dropped

/run/systemd/inhibit/.#1hg7ovx

ASCII text

dropped

/run/systemd/inhibit/.#1nU4LUu

ASCII text

dropped

/run/systemd/inhibit/.#1sclL5Z

ASCII text

dropped

/run/systemd/inhibit/.#1suv1Gi

ASCII text

dropped

/run/systemd/inhibit/.#1zsbRCu

ASCII text

dropped

/run/systemd/inhibit/.#3Iv8zNx

ASCII text

dropped

/run/systemd/inhibit/.#4AerQex

ASCII text

dropped

/run/systemd/inhibit/.#4C47xyt

ASCII text

dropped

/run/systemd/inhibit/.#4aAOR7X

ASCII text

dropped

/run/systemd/inhibit/.#4gJiWe7

ASCII text

dropped

/run/systemd/inhibit/.#4s0F5Li

ASCII text

dropped

/run/systemd/inhibit/.#5LrNTPy

ASCII text

dropped

/run/systemd/inhibit/.#6ZLxYkv

ASCII text

dropped

/run/systemd/inhibit/.#7bGwKDw

ASCII text

dropped

/run/systemd/inhibit/.#83hcOfx

ASCII text

dropped

/run/systemd/resolve/.#resolv.confCboaha

ASCII text

dropped

/run/systemd/resolve/.#resolv.confb8fRMh

ASCII text

dropped

/run/systemd/resolve/.#resolv.confbWzEo8

ASCII text

dropped

/run/systemd/resolve/.#resolv.confgCJZAP

ASCII text

dropped

/run/systemd/resolve/.#resolv.confoqrlLH

ASCII text

dropped

/run/systemd/resolve/.#stub-resolv.confBReyjO

ASCII text

dropped

/run/systemd/resolve/.#stub-resolv.confEODxFa

ASCII text

dropped

/run/systemd/resolve/.#stub-resolv.confj0zCb8

ASCII text

dropped

/run/systemd/resolve/.#stub-resolv.confjKIhFG

ASCII text

dropped

/run/systemd/resolve/.#stub-resolv.conftKQjFi

ASCII text

dropped

/run/systemd/seats/.#seat02qDckX

ASCII text

dropped

/run/systemd/seats/.#seat046OY2g

ASCII text

dropped

/run/systemd/seats/.#seat0AO62w8

ASCII text

dropped

/run/systemd/seats/.#seat0KDc8xx

ASCII text

dropped

/run/systemd/seats/.#seat0M0cr9y

ASCII text

dropped

/run/systemd/seats/.#seat0M37b6X

ASCII text

dropped

/run/systemd/seats/.#seat0QoBTOu

ASCII text

dropped

/run/systemd/seats/.#seat0coiqu6

ASCII text

dropped

/run/systemd/seats/.#seat0r3rbZf

ASCII text

dropped

/run/systemd/users/.#12747MNR8

ASCII text

dropped

/run/systemd/users/.#1276XT3Nw

ASCII text

dropped

/run/systemd/users/.#12783frXX

ASCII text

dropped

/run/systemd/users/.#1279FTDn7

ASCII text

dropped

/run/systemd/users/.#127ESlsZh

ASCII text

dropped

/run/systemd/users/.#127EeiJ4X

ASCII text

dropped

/run/systemd/users/.#127FXZ6Iw

ASCII text

dropped

/run/systemd/users/.#127FjEyjh

ASCII text

dropped

/run/systemd/users/.#127KG8sav

ASCII text

dropped

/run/systemd/users/.#127M9yga9

ASCII text

dropped

/run/systemd/users/.#127PTqSKf

ASCII text

dropped

/run/systemd/users/.#127SWvIvy

ASCII text

dropped

/run/systemd/users/.#127VSl0A8

ASCII text

dropped

/run/systemd/users/.#127W4w1sw

ASCII text

dropped

/run/systemd/users/.#127Xyem45

ASCII text

dropped

/run/systemd/users/.#127l2Tfz5

ASCII text

dropped

/run/systemd/users/.#127osNmKY

ASCII text

dropped

/run/user/1000/pulse/pid

ASCII text

dropped

/sys/fs/cgroup/systemd/user.slice/user-127.slice/user@127.service/dbus.socket/cgroup.procs

ASCII text

dropped

/sys/fs/cgroup/systemd/user.slice/user-127.slice/user@127.service/init.scope/cgroup.procs

ASCII text

dropped

/sys/fs/cgroup/systemd/user.slice/user-127.slice/user@127.service/pulseaudio.service/cgroup.procs

ASCII text

dropped

/sys/fs/cgroup/unified/user.slice/user-127.slice/user@127.service/dbus.socket/cgroup.procs

ASCII text

dropped

/sys/fs/cgroup/unified/user.slice/user-127.slice/user@127.service/init.scope/cgroup.procs

ASCII text

dropped

/sys/fs/cgroup/unified/user.slice/user-127.slice/user@127.service/pulseaudio.service/cgroup.procs

ASCII text

dropped

/tmp/server-0.xkm

Compiled XKB Keymap: lsb, version 15

dropped

/var/lib/AccountsService/users/gdm.1HJVB1

ASCII text

dropped

/var/lib/AccountsService/users/gdm.2I6LB1

ASCII text

dropped

/var/lib/AccountsService/users/gdm.75G5B1

ASCII text

dropped

/var/lib/AccountsService/users/gdm.XCO5B1

ASCII text

dropped

/var/lib/gdm3/.cache/gdm/Xauthority

X11 Xauthority data

dropped

/var/log/Xorg.0.log

ASCII text

dropped

There are 75 hidden files, click here to show them.

Processes

Path

Cmdline

Malicious

/tmp/Tsunami.x86

n/a

/tmp/Tsunami.x86

n/a

/tmp/Tsunami.x86

n/a

/tmp/Tsunami.x86

n/a

/tmp/Tsunami.x86

n/a

/tmp/Tsunami.x86

n/a

/tmp/Tsunami.x86

n/a

/tmp/Tsunami.x86

n/a

/tmp/Tsunami.x86

n/a

/usr/lib/systemd/systemd

n/a

/usr/sbin/sshd

/usr/sbin/sshd -t

/usr/lib/systemd/systemd

n/a

/usr/sbin/sshd

/usr/sbin/sshd -D

/usr/lib/systemd/systemd

n/a

/lib/systemd/systemd-resolved

/usr/lib/systemd/systemd

n/a

/lib/systemd/systemd-logind

/usr/lib/systemd/systemd

n/a

/usr/lib/accountsservice/accounts-daemon

n/a

/usr/share/language-tools/language-validate

/usr/share/language-tools/language-validate en_US.UTF-8

/usr/share/language-tools/language-validate

n/a

/usr/share/language-tools/language-options

n/a

/bin/sh

sh -c "locale -a | grep -F .utf8 "

/bin/sh

n/a

/usr/bin/locale

locale -a

/bin/sh

n/a

/usr/bin/grep

grep -F .utf8

/usr/bin/xfce4-session

n/a

/usr/bin/rm

rm -f /home/saturnino/.cache/sessions/Thunar-2ec9153f1-6fa0-4067-96b1-e5fe875b1e51

/usr/lib/systemd/systemd

n/a

/usr/bin/pulseaudio

/usr/bin/pulseaudio --daemonize=no --log-target=journal

/usr/lib/gdm3/gdm-session-worker

n/a

/etc/gdm3/PostSession/Default

/usr/sbin/gdm3

n/a

/usr/lib/gdm3/gdm-session-worker

"gdm-session-worker [pam/gdm-launch-environment]"

/usr/lib/gdm3/gdm-session-worker

n/a

/usr/lib/gdm3/gdm-x-session

/usr/lib/gdm3/gdm-x-session "dbus-run-session -- gnome-session --autostart /usr/share/gdm/greeter/autostart"

/usr/lib/gdm3/gdm-x-session

n/a

/usr/bin/Xorg

/usr/bin/Xorg vt2 -displayfd 3 -auth /var/lib/gdm3/.cache/gdm/Xauthority -background none -noreset -keeptty -verbose 3

/usr/lib/xorg/Xorg.wrap

/usr/lib/xorg/Xorg.wrap vt2 -displayfd 3 -auth /var/lib/gdm3/.cache/gdm/Xauthority -background none -noreset -keeptty -verbose 3

/usr/lib/xorg/Xorg

/usr/lib/xorg/Xorg vt2 -displayfd 3 -auth /var/lib/gdm3/.cache/gdm/Xauthority -background none -noreset -keeptty -verbose 3

/usr/lib/xorg/Xorg

n/a

/bin/sh

sh -c "\"/usr/bin/xkbcomp\" -w 1 \"-R/usr/share/X11/xkb\" -xkm \"-\" -em1 \"The XKEYBOARD keymap compiler (xkbcomp) reports:\" -emp \"> \" -eml \"Errors from xkbcomp are not fatal to the X server\" \"/tmp/server-0.xkm\""

/bin/sh

n/a

/usr/bin/xkbcomp

/usr/bin/xkbcomp -w 1 -R/usr/share/X11/xkb -xkm - -em1 "The XKEYBOARD keymap compiler (xkbcomp) reports:" -emp "> " -eml "Errors from xkbcomp are not fatal to the X server" /tmp/server-0.xkm

/usr/lib/gdm3/gdm-x-session

n/a

/usr/bin/dbus-daemon

dbus-daemon --print-address 4 --session

/usr/bin/dbus-daemon

n/a

/usr/bin/dbus-daemon

n/a

/bin/false

/usr/sbin/gdm3

n/a

/etc/gdm3/PrimeOff/Default

/usr/sbin/gdm3

n/a

/etc/gdm3/PrimeOff/Default

/usr/sbin/gdm3

n/a

/etc/gdm3/PrimeOff/Default

/usr/sbin/gdm3

n/a

/etc/gdm3/PrimeOff/Default

/usr/sbin/gdm3

n/a

/etc/gdm3/PrimeOff/Default

/usr/lib/systemd/systemd

n/a

/usr/sbin/sshd

/usr/sbin/sshd -t

/usr/lib/systemd/systemd

n/a

/usr/sbin/sshd

/usr/sbin/sshd -D

/usr/lib/systemd/systemd

n/a

/lib/systemd/systemd-resolved

/usr/lib/systemd/systemd

n/a

/lib/systemd/systemd-logind

/usr/sbin/gdm3

n/a

/usr/lib/gdm3/gdm-session-worker

"gdm-session-worker [pam/gdm-launch-environment]"

/usr/lib/gdm3/gdm-session-worker

n/a

/usr/lib/gdm3/gdm-x-session

/usr/lib/gdm3/gdm-x-session "dbus-run-session -- gnome-session --autostart /usr/share/gdm/greeter/autostart"

/usr/lib/gdm3/gdm-x-session

n/a

/usr/bin/Xorg

/usr/bin/Xorg vt2 -displayfd 3 -auth /var/lib/gdm3/.cache/gdm/Xauthority -background none -noreset -keeptty -verbose 3

/usr/lib/xorg/Xorg.wrap

/usr/lib/xorg/Xorg.wrap vt2 -displayfd 3 -auth /var/lib/gdm3/.cache/gdm/Xauthority -background none -noreset -keeptty -verbose 3

/usr/lib/xorg/Xorg

/usr/lib/xorg/Xorg vt2 -displayfd 3 -auth /var/lib/gdm3/.cache/gdm/Xauthority -background none -noreset -keeptty -verbose 3

/usr/lib/xorg/Xorg

n/a

/bin/sh

n/a

/usr/bin/xkbcomp

/usr/bin/xkbcomp -w 1 -R/usr/share/X11/xkb -xkm - -em1 "The XKEYBOARD keymap compiler (xkbcomp) reports:" -emp "> " -eml "Errors from xkbcomp are not fatal to the X server" /tmp/server-0.xkm

/usr/lib/gdm3/gdm-x-session

n/a

/usr/bin/dbus-daemon

dbus-daemon --print-address 4 --session

/usr/bin/dbus-daemon

n/a

/usr/bin/dbus-daemon

n/a

/bin/false

/usr/lib/systemd/systemd

n/a

/usr/lib/accountsservice/accounts-daemon

n/a

/usr/share/language-tools/language-validate

/usr/share/language-tools/language-validate en_US.UTF-8

/usr/share/language-tools/language-validate

n/a

/usr/share/language-tools/language-options

n/a

/bin/sh

sh -c "locale -a | grep -F .utf8 "

/bin/sh

n/a

/usr/bin/locale

locale -a

/bin/sh

n/a

/usr/bin/grep

grep -F .utf8

/usr/lib/systemd/systemd

n/a

/lib/systemd/systemd

/lib/systemd/systemd --user

/lib/systemd/systemd

n/a

/lib/systemd/systemd

n/a

/usr/lib/systemd/user-environment-generators/30-systemd-environment-d-generator

/lib/systemd/systemd

n/a

/bin/systemctl

/bin/systemctl --user set-environment DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/127/bus

/lib/systemd/systemd

n/a

/usr/bin/pulseaudio

/usr/bin/pulseaudio --daemonize=no --log-target=journal

/usr/sbin/gdm3

n/a

/etc/gdm3/PrimeOff/Default

/usr/sbin/gdm3

n/a

/etc/gdm3/PrimeOff/Default

/usr/lib/systemd/systemd

n/a

/usr/sbin/sshd

/usr/sbin/sshd -t

/usr/lib/systemd/systemd

n/a

/usr/sbin/sshd

/usr/sbin/sshd -D

/usr/lib/systemd/systemd

n/a

/lib/systemd/systemd-resolved

/usr/lib/systemd/systemd

n/a

/lib/systemd/systemd-logind

/usr/lib/systemd/systemd

n/a

/usr/lib/accountsservice/accounts-daemon

n/a

/usr/share/language-tools/language-validate

/usr/share/language-tools/language-validate en_US.UTF-8

/usr/share/language-tools/language-validate

n/a

/usr/share/language-tools/language-options

n/a

/bin/sh

sh -c "locale -a | grep -F .utf8 "

/bin/sh

n/a

/usr/bin/locale

locale -a

/bin/sh

n/a

/usr/bin/grep

grep -F .utf8

/usr/sbin/gdm3

n/a

/usr/lib/gdm3/gdm-session-worker

"gdm-session-worker [pam/gdm-launch-environment]"

/usr/lib/gdm3/gdm-session-worker

n/a

/usr/lib/gdm3/gdm-x-session

/usr/lib/gdm3/gdm-x-session "dbus-run-session -- gnome-session --autostart /usr/share/gdm/greeter/autostart"

/usr/lib/gdm3/gdm-x-session

n/a

/usr/bin/Xorg

/usr/bin/Xorg vt2 -displayfd 3 -auth /var/lib/gdm3/.cache/gdm/Xauthority -background none -noreset -keeptty -verbose 3

/usr/lib/xorg/Xorg.wrap

/usr/lib/xorg/Xorg.wrap vt2 -displayfd 3 -auth /var/lib/gdm3/.cache/gdm/Xauthority -background none -noreset -keeptty -verbose 3

/usr/lib/xorg/Xorg

/usr/lib/xorg/Xorg vt2 -displayfd 3 -auth /var/lib/gdm3/.cache/gdm/Xauthority -background none -noreset -keeptty -verbose 3

/usr/lib/xorg/Xorg

n/a

/bin/sh

n/a

/usr/bin/xkbcomp

/usr/bin/xkbcomp -w 1 -R/usr/share/X11/xkb -xkm - -em1 "The XKEYBOARD keymap compiler (xkbcomp) reports:" -emp "> " -eml "Errors from xkbcomp are not fatal to the X server" /tmp/server-0.xkm

/usr/lib/gdm3/gdm-x-session

n/a

/usr/bin/dbus-daemon

dbus-daemon --print-address 4 --session

/usr/bin/dbus-daemon

n/a

/usr/bin/dbus-daemon

n/a

/bin/false

/usr/lib/systemd/systemd

n/a

/lib/systemd/systemd

/lib/systemd/systemd --user

/lib/systemd/systemd

n/a

/lib/systemd/systemd

n/a

/usr/lib/systemd/user-environment-generators/30-systemd-environment-d-generator

/usr/lib/systemd/systemd

n/a

/usr/sbin/sshd

/usr/sbin/sshd -t

/usr/lib/systemd/systemd

n/a

/lib/systemd/systemd-resolved

/usr/lib/systemd/systemd

n/a

/usr/sbin/sshd

/usr/sbin/sshd -D

/usr/lib/systemd/systemd

n/a

/lib/systemd/systemd-logind

/usr/sbin/gdm3

n/a

/etc/gdm3/PrimeOff/Default

/usr/sbin/gdm3

n/a

/etc/gdm3/PrimeOff/Default

/usr/lib/systemd/systemd

n/a

/usr/lib/accountsservice/accounts-daemon

n/a

/usr/share/language-tools/language-validate

/usr/share/language-tools/language-validate en_US.UTF-8

/usr/share/language-tools/language-validate

n/a

/usr/share/language-tools/language-options

n/a

/bin/sh

sh -c "locale -a | grep -F .utf8 "

/bin/sh

n/a

/usr/bin/locale

locale -a

/bin/sh

n/a

/usr/bin/grep

grep -F .utf8

/usr/sbin/gdm3

n/a

/usr/lib/gdm3/gdm-session-worker

"gdm-session-worker [pam/gdm-launch-environment]"

/usr/lib/systemd/systemd

n/a

/lib/systemd/systemd

/lib/systemd/systemd --user

/lib/systemd/systemd

n/a

/lib/systemd/systemd

n/a

/usr/lib/systemd/user-environment-generators/30-systemd-environment-d-generator

/usr/lib/systemd/systemd

n/a

/lib/systemd/systemd-resolved

/usr/lib/systemd/systemd

n/a

/usr/sbin/sshd

/usr/sbin/sshd -t

/usr/lib/systemd/systemd

n/a

/usr/sbin/sshd

/usr/sbin/sshd -D

/usr/lib/systemd/systemd

n/a

/lib/systemd/systemd-logind

/usr/sbin/gdm3

n/a

/etc/gdm3/PrimeOff/Default

/usr/sbin/gdm3

n/a

/etc/gdm3/PrimeOff/Default

There are 188 hidden processes, click here to show them.

URLs

Name

Malicious

http://127.0.0.1:80/tmUnblock.cgi

172.65.108.228

http://23.94.37.59/bins/Tsunami.x86

unknown

http://schemas.xmlsoap.org/soap/encoding//%22%3E

unknown

http://schemas.xmlsoap.org/soap/encoding/

unknown

http://wiki.x.org

unknown

http://schemas.xmlsoap.org/soap/envelope/

unknown

http://23.94.37.59/bin

unknown

http://upx.sf.net

unknown

http://23.94.37.59/bins/Tsunami.mips;

unknown

http://schemas.xmlsoap.org/soap/envelope//

unknown

http://www.ubuntu.com/support)

unknown

http://23.94.37.59/zyxel.sh;

unknown

http://192.168.0.14:80/cgi-bin/ViewLog.asp

62.171.171.37

There are 3 hidden URLs, click here to show them.

IPs

Domain

Country

Malicious

5.251.149.212

unknown

Kazakhstan

31.220.220.232

unknown

United Kingdom

94.54.78.106

unknown

Turkey

94.128.103.24

unknown

Kuwait

94.154.174.107

unknown

Germany

41.169.50.120

unknown

South Africa

41.8.13.47

unknown

South Africa

41.102.161.69

unknown

Algeria

98.102.147.236

unknown

United States

98.131.204.227

unknown

United States

79.24.218.190

unknown

Italy

98.72.203.127

unknown

United States

95.94.164.61

unknown

Portugal

85.97.99.160

unknown

Turkey

172.227.134.123

unknown

United States

95.94.164.44

unknown

Portugal

85.128.224.43

unknown

Poland

98.187.110.140

unknown

United States

95.183.142.107

unknown

Turkey

109.207.189.122

unknown

Russian Federation

98.15.44.70

unknown

United States

197.143.201.43

unknown

Algeria

98.46.251.30

unknown

United States

157.2.30.58

unknown

Japan

95.141.197.174

unknown

Russian Federation

94.37.176.233

unknown

Italy

157.242.55.146

unknown

United States

184.195.61.175

unknown

United States

172.126.245.224

unknown

United States

94.122.78.47

unknown

Turkey

41.206.191.250

unknown

South Africa

94.70.69.71

unknown

Greece

172.182.199.15

unknown

United States

172.68.102.161

unknown

United States

197.51.4.224

unknown

Egypt

98.117.62.40

unknown

United States

172.99.210.159

unknown

Reserved

41.102.161.89

unknown

Algeria

62.52.13.79

unknown

Germany

95.20.61.41

unknown

Spain

94.35.200.87

unknown

Italy

88.43.235.155

unknown

Italy

98.72.203.146

unknown

United States

157.162.143.22

unknown

Germany

95.170.75.147

unknown

Netherlands

157.220.202.140

unknown

United States

98.48.231.124

unknown

United States

157.21.250.133

unknown

United States

157.120.163.204

unknown

Singapore

85.108.147.95

unknown

Turkey

98.198.78.52

unknown

United States

157.33.247.171

unknown

India

95.239.15.30

unknown

Italy

62.69.168.213

unknown

Finland

41.85.32.164

unknown

South Africa

62.86.66.102

unknown

Italy

95.183.142.128

unknown

Turkey

98.101.210.184

unknown

United States

98.4.62.253

unknown

United States

62.108.98.137

unknown

Serbia

41.216.23.2

unknown

31.121.22.174

unknown

United Kingdom

184.223.137.41

unknown

United States

62.195.46.182

unknown

Netherlands

41.216.159.7

unknown

Burkina Faso

94.175.48.242

unknown

United Kingdom

197.0.175.9

unknown

Tunisia

172.222.74.220

unknown

United States

94.30.214.5

unknown

Latvia

184.38.13.73

unknown

United States

157.187.216.154

unknown

United States

31.34.241.17

unknown

France

41.8.13.86

unknown

South Africa

172.50.129.160

unknown

United States

197.91.228.133

unknown

South Africa

197.38.240.101

unknown

Egypt

98.199.107.150

unknown

United States

95.252.144.217

unknown

Italy

31.136.150.75

unknown

Netherlands

98.117.62.66

unknown

United States

94.60.211.161

unknown

Portugal

31.143.175.39

unknown

Turkey

31.59.81.141

unknown

Iran (ISLAMIC Republic Of)

184.181.236.222

unknown

United States

98.65.114.253

unknown

United States

197.149.52.132

unknown

Madagascar

85.30.134.204

unknown

Sweden

94.154.174.133

unknown

Germany

197.173.155.16

unknown

South Africa

31.115.246.44

unknown

United Kingdom

98.163.162.235

unknown

United States

31.69.207.235

unknown

United Kingdom

197.16.42.172

unknown

Tunisia

85.158.231.111

unknown

Austria

98.250.136.55

unknown

United States

95.210.240.229

unknown

Italy

85.158.231.114

unknown

Austria

157.21.237.99

unknown

United States

98.60.86.37

unknown

United States

85.193.76.41

unknown

Russian Federation

There are 90 hidden IPs, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report

Files

Processes

URLs

IPs