Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

gbk4XWulUo

ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (GNU/Linux), statically linked, stripped

initial sample

/home/saturnino/.config/pulse/ee49dfd4fa47433baee88884e2d7de7c-default-sink

ASCII text

dropped

/home/saturnino/.config/pulse/ee49dfd4fa47433baee88884e2d7de7c-default-source

ASCII text

dropped

/memfd:30-systemd-environment-d-generator (deleted)

ASCII text

dropped

/memfd:user-environment-generators (deleted)

ASCII text

dropped

/proc/5280/oom_score_adj

ASCII text

dropped

/proc/5786/oom_score_adj

very short file (no magic)

dropped

/proc/5843/oom_score_adj

ASCII text

dropped

/proc/6281/oom_score_adj

very short file (no magic)

dropped

/proc/6307/oom_score_adj

ASCII text

dropped

/proc/6760/oom_score_adj

ASCII text

dropped

/proc/7387/oom_score_adj

ASCII text

dropped

/proc/7775/oom_score_adj

ASCII text

dropped

/run/sshd.pid

777 archive data

dropped

/run/systemd/inhibit/.#10OUI7H2

ASCII text

dropped

/run/systemd/inhibit/.#13vd9pl

ASCII text

dropped

/run/systemd/inhibit/.#17CJ8Am

ASCII text

dropped

/run/systemd/inhibit/.#17kyse0

ASCII text

dropped

/run/systemd/inhibit/.#1H5EvVn

ASCII text

dropped

/run/systemd/inhibit/.#1KOhwz0

ASCII text

dropped

/run/systemd/inhibit/.#1U9lhv2

ASCII text

dropped

/run/systemd/inhibit/.#1X36won

ASCII text

dropped

/run/systemd/inhibit/.#1ceCsuZ

ASCII text

dropped

/run/systemd/inhibit/.#1eUm2L2

ASCII text

dropped

/run/systemd/inhibit/.#1w57UC1

ASCII text

dropped

/run/systemd/inhibit/.#34guGp1

ASCII text

dropped

/run/systemd/inhibit/.#456I8u0

ASCII text

dropped

/run/systemd/inhibit/.#47f9Zpl

ASCII text

dropped

/run/systemd/inhibit/.#49vfNT2

ASCII text

dropped

/run/systemd/inhibit/.#4E7Emu0

ASCII text

dropped

/run/systemd/inhibit/.#4a8Fa0m

ASCII text

dropped

/run/systemd/inhibit/.#5eu6e12

ASCII text

dropped

/run/systemd/inhibit/.#6YsqYU2

ASCII text

dropped

/run/systemd/inhibit/.#7Bnun04

ASCII text

dropped

/run/systemd/inhibit/.#8ljz5X1

ASCII text

dropped

/run/systemd/resolve/.#resolv.confKo4mby

ASCII text

dropped

/run/systemd/resolve/.#resolv.confMv1Hmk

ASCII text

dropped

/run/systemd/resolve/.#resolv.confd9lEXg

ASCII text

dropped

/run/systemd/resolve/.#resolv.conffvkcLg

ASCII text

dropped

/run/systemd/resolve/.#resolv.conflZR0wO

ASCII text

dropped

/run/systemd/resolve/.#resolv.confwXkBCi

ASCII text

dropped

/run/systemd/resolve/.#stub-resolv.confJtpFSk

ASCII text

dropped

/run/systemd/resolve/.#stub-resolv.confLUyiDN

ASCII text

dropped

/run/systemd/resolve/.#stub-resolv.confUgemty

ASCII text

dropped

/run/systemd/resolve/.#stub-resolv.confVaY0ek

ASCII text

dropped

/run/systemd/resolve/.#stub-resolv.confWFuFuh

ASCII text

dropped

/run/systemd/resolve/.#stub-resolv.confe97g2g

ASCII text

dropped

/run/systemd/seats/.#seat09Tf4C1

ASCII text

dropped

/run/systemd/seats/.#seat0NShKo1

ASCII text

dropped

/run/systemd/seats/.#seat0jdoze1

ASCII text

dropped

/run/systemd/seats/.#seat0n6rBZk

ASCII text

dropped

/run/systemd/seats/.#seat0ns0Gkn

ASCII text

dropped

/run/systemd/seats/.#seat0p8hc6X

ASCII text

dropped

/run/systemd/seats/.#seat0z4jVcn

ASCII text

dropped

/run/systemd/users/.#1276NnbD3

ASCII text

dropped

/run/systemd/users/.#127BZIp71

ASCII text

dropped

/run/systemd/users/.#127JEjKKm

ASCII text

dropped

/run/systemd/users/.#127OvDKS5

ASCII text

dropped

/run/systemd/users/.#127SWGxmn

ASCII text

dropped

/run/systemd/users/.#127URjwxk

ASCII text

dropped

/run/systemd/users/.#127Wqa37l

ASCII text

dropped

/run/systemd/users/.#127WuC1N3

ASCII text

dropped

/run/systemd/users/.#127dBxcq2

ASCII text

dropped

/run/systemd/users/.#127oPwtUm

ASCII text

dropped

/run/systemd/users/.#127rZpK8k

ASCII text

dropped

/run/user/1000/pulse/pid

ASCII text

dropped

/run/user/127/pulse/pid

ASCII text

dropped

/sys/fs/cgroup/systemd/user.slice/user-127.slice/user@127.service/dbus.socket/cgroup.procs

ASCII text

dropped

/sys/fs/cgroup/systemd/user.slice/user-127.slice/user@127.service/init.scope/cgroup.procs

ASCII text

dropped

/sys/fs/cgroup/systemd/user.slice/user-127.slice/user@127.service/pulseaudio.service/cgroup.procs

ASCII text

dropped

/sys/fs/cgroup/unified/user.slice/user-127.slice/user@127.service/dbus.socket/cgroup.procs

ASCII text

dropped

/sys/fs/cgroup/unified/user.slice/user-127.slice/user@127.service/init.scope/cgroup.procs

ASCII text

dropped

/sys/fs/cgroup/unified/user.slice/user-127.slice/user@127.service/pulseaudio.service/cgroup.procs

ASCII text

dropped

/tmp/server-0.xkm

Compiled XKB Keymap: lsb, version 15

dropped

/var/lib/AccountsService/users/gdm.60B5B1

ASCII text

dropped

/var/lib/AccountsService/users/gdm.8FX0B1

ASCII text

dropped

/var/lib/AccountsService/users/gdm.ZOKNB1

ASCII text

dropped

/var/lib/gdm3/.cache/gdm/Xauthority

X11 Xauthority data

dropped

/var/lib/gdm3/.config/pulse/ee49dfd4fa47433baee88884e2d7de7c-default-sink

very short file (no magic)

dropped

/var/lib/gdm3/.config/pulse/ee49dfd4fa47433baee88884e2d7de7c-default-source

very short file (no magic)

dropped

/var/log/Xorg.0.log

ASCII text

dropped

There are 71 hidden files, click here to show them.

Processes

Path

Cmdline

Malicious

/tmp/gbk4XWulUo

n/a

/tmp/gbk4XWulUo

n/a

/tmp/gbk4XWulUo

n/a

/tmp/gbk4XWulUo

n/a

/tmp/gbk4XWulUo

n/a

/tmp/gbk4XWulUo

n/a

/tmp/gbk4XWulUo

n/a

/tmp/gbk4XWulUo

n/a

/tmp/gbk4XWulUo

n/a

/usr/lib/systemd/systemd

n/a

/usr/sbin/sshd

/usr/sbin/sshd -t

/usr/lib/systemd/systemd

n/a

/usr/sbin/sshd

/usr/sbin/sshd -D

/usr/lib/systemd/systemd

n/a

/lib/systemd/systemd-resolved

/usr/lib/systemd/systemd

n/a

/lib/systemd/systemd-logind

/usr/lib/systemd/systemd

n/a

/usr/lib/accountsservice/accounts-daemon

n/a

/usr/share/language-tools/language-validate

/usr/share/language-tools/language-validate en_US.UTF-8

/usr/share/language-tools/language-validate

n/a

/usr/share/language-tools/language-options

n/a

/bin/sh

sh -c "locale -a | grep -F .utf8 "

/bin/sh

n/a

/usr/bin/locale

locale -a

/bin/sh

n/a

/usr/bin/grep

grep -F .utf8

/usr/bin/xfce4-session

n/a

/usr/lib/systemd/systemd

n/a

/usr/bin/pulseaudio

/usr/bin/pulseaudio --daemonize=no --log-target=journal

/usr/lib/gdm3/gdm-session-worker

n/a

/etc/gdm3/PostSession/Default

/usr/sbin/gdm3

n/a

/usr/lib/gdm3/gdm-session-worker

"gdm-session-worker [pam/gdm-launch-environment]"

/usr/lib/gdm3/gdm-session-worker

n/a

/usr/lib/gdm3/gdm-x-session

/usr/lib/gdm3/gdm-x-session "dbus-run-session -- gnome-session --autostart /usr/share/gdm/greeter/autostart"

/usr/lib/gdm3/gdm-x-session

n/a

/usr/bin/Xorg

/usr/bin/Xorg vt2 -displayfd 3 -auth /var/lib/gdm3/.cache/gdm/Xauthority -background none -noreset -keeptty -verbose 3

/usr/lib/xorg/Xorg.wrap

/usr/lib/xorg/Xorg.wrap vt2 -displayfd 3 -auth /var/lib/gdm3/.cache/gdm/Xauthority -background none -noreset -keeptty -verbose 3

/usr/lib/xorg/Xorg

/usr/lib/xorg/Xorg vt2 -displayfd 3 -auth /var/lib/gdm3/.cache/gdm/Xauthority -background none -noreset -keeptty -verbose 3

/usr/lib/xorg/Xorg

n/a

/bin/sh

sh -c "\"/usr/bin/xkbcomp\" -w 1 \"-R/usr/share/X11/xkb\" -xkm \"-\" -em1 \"The XKEYBOARD keymap compiler (xkbcomp) reports:\" -emp \"> \" -eml \"Errors from xkbcomp are not fatal to the X server\" \"/tmp/server-0.xkm\""

/bin/sh

n/a

/usr/bin/xkbcomp

/usr/bin/xkbcomp -w 1 -R/usr/share/X11/xkb -xkm - -em1 "The XKEYBOARD keymap compiler (xkbcomp) reports:" -emp "> " -eml "Errors from xkbcomp are not fatal to the X server" /tmp/server-0.xkm

/usr/lib/gdm3/gdm-x-session

n/a

/usr/bin/dbus-daemon

dbus-daemon --print-address 4 --session

/usr/bin/dbus-daemon

n/a

/usr/bin/dbus-daemon

n/a

/bin/false

/usr/sbin/gdm3

n/a

/etc/gdm3/PrimeOff/Default

/usr/sbin/gdm3

n/a

/etc/gdm3/PrimeOff/Default

/usr/sbin/gdm3

n/a

/etc/gdm3/PrimeOff/Default

/usr/sbin/gdm3

n/a

/etc/gdm3/PrimeOff/Default

/usr/sbin/gdm3

n/a

/etc/gdm3/PrimeOff/Default

/usr/lib/systemd/systemd

n/a

/usr/sbin/sshd

/usr/sbin/sshd -t

/usr/lib/systemd/systemd

n/a

/usr/sbin/sshd

/usr/sbin/sshd -D

/usr/lib/systemd/systemd

n/a

/lib/systemd/systemd-resolved

/usr/lib/systemd/systemd

n/a

/lib/systemd/systemd-logind

/usr/sbin/gdm3

n/a

/usr/lib/gdm3/gdm-session-worker

"gdm-session-worker [pam/gdm-launch-environment]"

/usr/lib/gdm3/gdm-session-worker

n/a

/usr/lib/gdm3/gdm-x-session

/usr/lib/gdm3/gdm-x-session "dbus-run-session -- gnome-session --autostart /usr/share/gdm/greeter/autostart"

/usr/lib/gdm3/gdm-x-session

n/a

/usr/bin/Xorg

/usr/bin/Xorg vt2 -displayfd 3 -auth /var/lib/gdm3/.cache/gdm/Xauthority -background none -noreset -keeptty -verbose 3

/usr/lib/xorg/Xorg.wrap

/usr/lib/xorg/Xorg.wrap vt2 -displayfd 3 -auth /var/lib/gdm3/.cache/gdm/Xauthority -background none -noreset -keeptty -verbose 3

/usr/lib/xorg/Xorg

/usr/lib/xorg/Xorg vt2 -displayfd 3 -auth /var/lib/gdm3/.cache/gdm/Xauthority -background none -noreset -keeptty -verbose 3

/usr/lib/xorg/Xorg

n/a

/bin/sh

n/a

/usr/bin/xkbcomp

/usr/bin/xkbcomp -w 1 -R/usr/share/X11/xkb -xkm - -em1 "The XKEYBOARD keymap compiler (xkbcomp) reports:" -emp "> " -eml "Errors from xkbcomp are not fatal to the X server" /tmp/server-0.xkm

/usr/lib/gdm3/gdm-x-session

n/a

/usr/bin/dbus-daemon

dbus-daemon --print-address 4 --session

/usr/bin/dbus-daemon

n/a

/usr/bin/dbus-daemon

n/a

/bin/false

/usr/lib/systemd/systemd

n/a

/usr/lib/accountsservice/accounts-daemon

n/a

/usr/share/language-tools/language-validate

/usr/share/language-tools/language-validate en_US.UTF-8

/usr/share/language-tools/language-validate

n/a

/usr/share/language-tools/language-options

n/a

/bin/sh

sh -c "locale -a | grep -F .utf8 "

/bin/sh

n/a

/usr/bin/locale

locale -a

/bin/sh

n/a

/usr/bin/grep

grep -F .utf8

/usr/lib/systemd/systemd

n/a

/lib/systemd/systemd

/lib/systemd/systemd --user

/lib/systemd/systemd

n/a

/lib/systemd/systemd

n/a

/usr/lib/systemd/user-environment-generators/30-systemd-environment-d-generator

/lib/systemd/systemd

n/a

/bin/systemctl

/bin/systemctl --user set-environment DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/127/bus

/lib/systemd/systemd

n/a

/usr/bin/pulseaudio

/usr/bin/pulseaudio --daemonize=no --log-target=journal

/usr/sbin/gdm3

n/a

/etc/gdm3/PrimeOff/Default

/usr/sbin/gdm3

n/a

/etc/gdm3/PrimeOff/Default

/usr/lib/systemd/systemd

n/a

/usr/sbin/sshd

/usr/sbin/sshd -t

/usr/lib/systemd/systemd

n/a

/usr/sbin/sshd

/usr/sbin/sshd -D

/usr/lib/systemd/systemd

n/a

/lib/systemd/systemd-resolved

/usr/lib/systemd/systemd

n/a

/lib/systemd/systemd-logind

/usr/sbin/gdm3

n/a

/usr/lib/gdm3/gdm-session-worker

"gdm-session-worker [pam/gdm-launch-environment]"

/usr/lib/systemd/systemd

n/a

/usr/lib/accountsservice/accounts-daemon

n/a

/usr/share/language-tools/language-validate

/usr/share/language-tools/language-validate en_US.UTF-8

/usr/share/language-tools/language-validate

n/a

/usr/share/language-tools/language-options

n/a

/bin/sh

sh -c "locale -a | grep -F .utf8 "

/bin/sh

n/a

/usr/bin/locale

locale -a

/bin/sh

n/a

/usr/bin/grep

grep -F .utf8

/usr/lib/systemd/systemd

n/a

/usr/sbin/sshd

/usr/sbin/sshd -t

/usr/lib/systemd/systemd

n/a

/lib/systemd/systemd-resolved

/usr/lib/systemd/systemd

n/a

/usr/sbin/sshd

/usr/sbin/sshd -D

/usr/lib/systemd/systemd

n/a

/lib/systemd/systemd-logind

/usr/sbin/gdm3

n/a

/etc/gdm3/PrimeOff/Default

/usr/sbin/gdm3

n/a

/etc/gdm3/PrimeOff/Default

/usr/lib/systemd/systemd

n/a

/lib/systemd/systemd-resolved

/usr/lib/systemd/systemd

n/a

/usr/sbin/sshd

/usr/sbin/sshd -t

/usr/lib/systemd/systemd

n/a

/usr/sbin/sshd

/usr/sbin/sshd -D

/usr/lib/systemd/systemd

n/a

/lib/systemd/systemd-logind

/usr/lib/systemd/systemd

n/a

/lib/systemd/systemd-resolved

/usr/lib/systemd/systemd

n/a

/usr/sbin/sshd

/usr/sbin/sshd -t

/usr/lib/systemd/systemd

n/a

/usr/sbin/sshd

/usr/sbin/sshd -D

There are 150 hidden processes, click here to show them.

URLs

Name

Malicious

http://127.0.0.1:80/tmUnblock.cgi

172.65.178.105

http://23.94.37.59/bins/Tsunami.mips;

unknown

http://23.94.37.59/bins/Tsunami.x86

unknown

http://schemas.xmlsoap.org/soap/encoding//%22%3E

unknown

http://schemas.xmlsoap.org/soap/encoding/

unknown

http://wiki.x.org

unknown

http://schemas.xmlsoap.org/soap/envelope/

unknown

http://23.94.37.59/bin

unknown

http://upx.sf.net

unknown

http://schemas.xmlsoap.org/soap/envelope//

unknown

http://www.ubuntu.com/support)

unknown

http://23.94.37.59/zyxel.sh;

unknown

http://192.168.0.14:80/cgi-bin/ViewLog.asp

95.216.73.49

There are 3 hidden URLs, click here to show them.

IPs

Domain

Country

Malicious

197.211.66.30

unknown

South Africa

41.57.207.91

unknown

Ghana

31.13.174.159

unknown

Germany

184.202.247.239

unknown

United States

31.167.93.118

unknown

Saudi Arabia

184.165.67.230

unknown

United States

31.220.220.239

unknown

United Kingdom

184.205.51.41

unknown

United States

95.24.169.224

unknown

Russian Federation

184.223.137.52

unknown

United States

42.238.240.201

unknown

China

210.189.146.206

unknown

Japan

31.97.46.25

unknown

United Kingdom

88.153.178.22

unknown

Germany

95.20.61.27

unknown

Spain

157.62.32.95

unknown

United States

178.137.182.51

unknown

Ukraine

172.105.113.3

unknown

United States

172.41.213.143

unknown

United States

184.113.29.145

unknown

United States

112.114.205.159

unknown

China

98.63.246.114

unknown

United States

112.54.85.190

unknown

China

94.204.241.67

unknown

United Arab Emirates

85.52.91.101

unknown

Spain

172.234.69.193

unknown

United States

172.116.65.23

unknown

United States

62.74.130.34

unknown

Greece

172.195.251.17

unknown

Australia

5.81.121.65

unknown

United Kingdom

88.177.97.110

unknown

France

31.61.72.58

unknown

Poland

212.167.164.218

unknown

European Union

98.220.73.88

unknown

United States

95.94.139.87

unknown

Portugal

31.61.47.70

unknown

Poland

98.47.185.8

unknown

United States

184.203.237.117

unknown

United States

172.1.141.17

unknown

United States

62.13.69.253

unknown

Sweden

156.15.146.145

unknown

United States

85.230.251.255

unknown

Sweden

184.170.188.165

unknown

United States

98.127.87.252

unknown

United States

85.18.200.255

unknown

Italy

184.21.29.113

unknown

United States

94.8.166.122

unknown

United Kingdom

95.239.40.26

unknown

Italy

85.218.240.56

unknown

Denmark

2.227.70.24

unknown

Italy

172.72.181.219

unknown

United States

172.175.149.97

unknown

United States

79.36.116.239

unknown

Italy

172.51.68.53

unknown

United States

112.213.7.17

unknown

Korea Republic of

2.187.183.238

unknown

Iran (ISLAMIC Republic Of)

197.116.61.88

unknown

Algeria

31.240.167.78

unknown

Germany

98.153.107.46

unknown

United States

98.153.107.47

unknown

United States

62.225.64.114

unknown

Germany

37.48.232.47

unknown

Croatia (LOCAL Name: Hrvatska)

109.160.97.244

unknown

Bulgaria

184.113.29.161

unknown

United States

62.76.192.82

unknown

Russian Federation

172.234.69.156

unknown

United States

94.227.247.129

unknown

Belgium

112.80.112.7

unknown

China

31.242.82.129

unknown

Germany

62.10.234.156

unknown

Italy

98.39.11.76

unknown

United States

184.49.234.70

unknown

United States

85.92.69.3

unknown

United Kingdom

112.245.183.47

unknown

China

98.97.28.194

unknown

United States

62.64.57.21

unknown

France

172.188.250.129

unknown

United States

172.195.251.38

unknown

Australia

62.174.98.72

unknown

Spain

112.114.205.176

unknown

China

112.8.57.141

unknown

China

85.19.149.180

unknown

Norway

31.137.99.216

unknown

Netherlands

172.51.68.68

unknown

United States

184.105.254.56

unknown

United States

98.160.221.187

unknown

United States

62.144.231.120

unknown

Germany

184.205.51.89

unknown

United States

157.177.232.97

unknown

Austria

85.242.161.183

unknown

Portugal

184.170.188.138

unknown

United States

212.192.76.51

unknown

Russian Federation

95.255.173.74

unknown

Italy

197.51.4.244

unknown

Egypt

95.160.85.221

unknown

Poland

172.75.60.34

unknown

United States

85.218.215.78

unknown

Denmark

172.75.250.81

unknown

United States

172.99.210.134

unknown

Reserved

95.210.240.239

unknown

Italy

There are 90 hidden IPs, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report

Files

Processes

URLs

IPs