Linux Analysis Report arm7

Overview

General Information

Sample Name: arm7
Analysis ID: 518903
MD5: 18e0a7425fa5b743bb6dd7002a71cfcc
SHA1: 32fb441007353ad30ae7c10c7e1368686c999d3c
SHA256: ac4582bf75332e1b51b11e1dcaa362e5fa933bf13497bab1da64079dab0c1d6f
Tags: Mirai

Detection

Mirai
Score: 84
Range: 0 - 100
Whitelisted: false

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Mirai
Multi AV Scanner detection for submitted file
Sample tries to kill many processes (SIGKILL)
Reads system files that contain records of logged in users
Sample is packed with UPX
Uses known network protocols on non-standard ports
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample contains only a LOAD segment without any section mappings
Reads CPU information from /sys indicative of miner or evasive malware
Yara signature match
Executes the "grep" command used to find patterns in files or piped streams
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Detected TCP or UDP traffic on non-standard ports
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Deletes log files
Creates hidden files and/or directories
Sample tries to set the executable flag
Executes commands using a shell command-line interpreter
Executes the "rm" command used to delete files or directories

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: arm7 ReversingLabs: Detection: 15%

Bitcoin Miner:

Reads CPU information from /sys indicative of miner or evasive malware
Source: /usr/lib/xorg/Xorg (PID: 5407) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/libexec/gnome-session-check-accelerated (PID: 5456) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/libexec/gnome-session-check-accelerated-gl-helper (PID: 5516) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/libexec/gnome-session-check-accelerated-gles-helper (PID: 5528) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/gnome-shell (PID: 5558) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 5414) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 5873) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: unknown HTTPS traffic detected: 162.213.33.108:443 -> 192.168.2.23:37180 version: TLS 1.2

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 492 INFO TELNET login failed 218.65.35.13:23 -> 192.168.2.23:43786
Source: Traffic Snort IDS: 716 INFO TELNET access 110.12.142.194:23 -> 192.168.2.23:39384
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 72.27.206.111:23 -> 192.168.2.23:53578
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 72.27.206.111:23 -> 192.168.2.23:53578
Source: Traffic Snort IDS: 492 INFO TELNET login failed 110.12.142.194:23 -> 192.168.2.23:39384
Source: Traffic Snort IDS: 716 INFO TELNET access 59.14.130.244:23 -> 192.168.2.23:52436
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 111.43.92.108:23 -> 192.168.2.23:46308
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 111.43.92.108:23 -> 192.168.2.23:46308
Source: Traffic Snort IDS: 716 INFO TELNET access 110.12.142.194:23 -> 192.168.2.23:39560
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 59.14.130.244:23 -> 192.168.2.23:52436
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 59.14.130.244:23 -> 192.168.2.23:52436
Source: Traffic Snort IDS: 492 INFO TELNET login failed 110.12.142.194:23 -> 192.168.2.23:39560
Source: Traffic Snort IDS: 716 INFO TELNET access 59.14.130.244:23 -> 192.168.2.23:52538
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 116.125.236.113:23 -> 192.168.2.23:57640
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 116.125.236.113:23 -> 192.168.2.23:57640
Source: Traffic Snort IDS: 716 INFO TELNET access 110.12.142.194:23 -> 192.168.2.23:39694
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 59.14.130.244:23 -> 192.168.2.23:52538
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 59.14.130.244:23 -> 192.168.2.23:52538
Source: Traffic Snort IDS: 492 INFO TELNET login failed 110.12.142.194:23 -> 192.168.2.23:39694
Source: Traffic Snort IDS: 716 INFO TELNET access 110.12.142.194:23 -> 192.168.2.23:39824
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 111.43.92.108:23 -> 192.168.2.23:46694
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 111.43.92.108:23 -> 192.168.2.23:46694
Source: Traffic Snort IDS: 716 INFO TELNET access 59.14.130.244:23 -> 192.168.2.23:52824
Source: Traffic Snort IDS: 492 INFO TELNET login failed 110.12.142.194:23 -> 192.168.2.23:39824
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 198.1.63.150:23 -> 192.168.2.23:53796
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 198.1.63.150:23 -> 192.168.2.23:53796
Source: Traffic Snort IDS: 716 INFO TELNET access 110.12.142.194:23 -> 192.168.2.23:39928
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 59.14.130.244:23 -> 192.168.2.23:52824
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 59.14.130.244:23 -> 192.168.2.23:52824
Source: Traffic Snort IDS: 492 INFO TELNET login failed 110.12.142.194:23 -> 192.168.2.23:39928
Source: Traffic Snort IDS: 716 INFO TELNET access 124.110.3.96:23 -> 192.168.2.23:58656
Source: Traffic Snort IDS: 716 INFO TELNET access 95.188.189.120:23 -> 192.168.2.23:46030
Source: Traffic Snort IDS: 716 INFO TELNET access 110.12.142.194:23 -> 192.168.2.23:39994
Source: Traffic Snort IDS: 716 INFO TELNET access 95.188.189.120:23 -> 192.168.2.23:46054
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 116.125.236.113:23 -> 192.168.2.23:58060
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 116.125.236.113:23 -> 192.168.2.23:58060
Source: Traffic Snort IDS: 716 INFO TELNET access 124.110.3.96:23 -> 192.168.2.23:58694
Source: Traffic Snort IDS: 492 INFO TELNET login failed 110.12.142.194:23 -> 192.168.2.23:39994
Source: Traffic Snort IDS: 716 INFO TELNET access 95.188.189.120:23 -> 192.168.2.23:46062
Source: Traffic Snort IDS: 716 INFO TELNET access 124.110.3.96:23 -> 192.168.2.23:58702
Source: Traffic Snort IDS: 716 INFO TELNET access 95.188.189.120:23 -> 192.168.2.23:46076
Source: Traffic Snort IDS: 716 INFO TELNET access 95.188.189.120:23 -> 192.168.2.23:46086
Source: Traffic Snort IDS: 716 INFO TELNET access 124.110.3.96:23 -> 192.168.2.23:58718
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 111.43.92.108:23 -> 192.168.2.23:46930
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 111.43.92.108:23 -> 192.168.2.23:46930
Source: Traffic Snort IDS: 716 INFO TELNET access 180.150.18.5:23 -> 192.168.2.23:47634
Source: Traffic Snort IDS: 716 INFO TELNET access 95.188.189.120:23 -> 192.168.2.23:46122
Source: Traffic Snort IDS: 716 INFO TELNET access 110.12.142.194:23 -> 192.168.2.23:40072
Source: Traffic Snort IDS: 716 INFO TELNET access 124.110.3.96:23 -> 192.168.2.23:58764
Source: Traffic Snort IDS: 716 INFO TELNET access 59.14.130.244:23 -> 192.168.2.23:53056
Source: Traffic Snort IDS: 716 INFO TELNET access 95.188.189.120:23 -> 192.168.2.23:46162
Source: Traffic Snort IDS: 716 INFO TELNET access 124.110.3.96:23 -> 192.168.2.23:58800
Source: Traffic Snort IDS: 716 INFO TELNET access 95.188.189.120:23 -> 192.168.2.23:46172
Source: Traffic Snort IDS: 716 INFO TELNET access 95.188.189.120:23 -> 192.168.2.23:46178
Source: Traffic Snort IDS: 716 INFO TELNET access 124.110.3.96:23 -> 192.168.2.23:58810
Source: Traffic Snort IDS: 716 INFO TELNET access 112.165.81.76:23 -> 192.168.2.23:40110
Source: Traffic Snort IDS: 716 INFO TELNET access 95.188.189.120:23 -> 192.168.2.23:46184
Source: Traffic Snort IDS: 492 INFO TELNET login failed 110.12.142.194:23 -> 192.168.2.23:40072
Source: Traffic Snort IDS: 716 INFO TELNET access 124.110.3.96:23 -> 192.168.2.23:58820
Source: Traffic Snort IDS: 716 INFO TELNET access 95.188.189.120:23 -> 192.168.2.23:46190
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 59.14.130.244:23 -> 192.168.2.23:53056
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 59.14.130.244:23 -> 192.168.2.23:53056
Source: Traffic Snort IDS: 716 INFO TELNET access 124.110.3.96:23 -> 192.168.2.23:58826
Source: Traffic Snort IDS: 716 INFO TELNET access 95.188.189.120:23 -> 192.168.2.23:46200
Source: Traffic Snort IDS: 716 INFO TELNET access 95.188.189.120:23 -> 192.168.2.23:46208
Source: Traffic Snort IDS: 716 INFO TELNET access 124.110.3.96:23 -> 192.168.2.23:58840
Source: Traffic Snort IDS: 716 INFO TELNET access 110.12.142.194:23 -> 192.168.2.23:40162
Source: Traffic Snort IDS: 716 INFO TELNET access 95.188.189.120:23 -> 192.168.2.23:46214
Source: Traffic Snort IDS: 716 INFO TELNET access 124.110.3.96:23 -> 192.168.2.23:58852
Source: Traffic Snort IDS: 716 INFO TELNET access 124.110.3.96:23 -> 192.168.2.23:58862
Source: Traffic Snort IDS: 492 INFO TELNET login failed 110.12.142.194:23 -> 192.168.2.23:40162
Source: Traffic Snort IDS: 492 INFO TELNET login failed 41.174.122.154:23 -> 192.168.2.23:55788
Source: Traffic Snort IDS: 716 INFO TELNET access 124.110.3.96:23 -> 192.168.2.23:58876
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 72.27.206.111:23 -> 192.168.2.23:54360
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 72.27.206.111:23 -> 192.168.2.23:54360
Source: Traffic Snort IDS: 716 INFO TELNET access 124.110.3.96:23 -> 192.168.2.23:58884
Source: Traffic Snort IDS: 716 INFO TELNET access 124.110.3.96:23 -> 192.168.2.23:58904
Source: Traffic Snort IDS: 716 INFO TELNET access 110.12.142.194:23 -> 192.168.2.23:40218
Source: Traffic Snort IDS: 716 INFO TELNET access 124.110.3.96:23 -> 192.168.2.23:58930
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 111.43.92.108:23 -> 192.168.2.23:47130
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 111.43.92.108:23 -> 192.168.2.23:47130
Source: Traffic Snort IDS: 492 INFO TELNET login failed 110.12.142.194:23 -> 192.168.2.23:40218
Source: Traffic Snort IDS: 716 INFO TELNET access 124.110.3.96:23 -> 192.168.2.23:58952
Source: Traffic Snort IDS: 716 INFO TELNET access 59.14.130.244:23 -> 192.168.2.23:53244
Source: Traffic Snort IDS: 716 INFO TELNET access 124.110.3.96:23 -> 192.168.2.23:58968
Source: Traffic Snort IDS: 716 INFO TELNET access 124.110.3.96:23 -> 192.168.2.23:58976
Source: Traffic Snort IDS: 716 INFO TELNET access 110.12.142.194:23 -> 192.168.2.23:40298
Source: Traffic Snort IDS: 716 INFO TELNET access 124.110.3.96:23 -> 192.168.2.23:58996
Source: Traffic Snort IDS: 492 INFO TELNET login failed 110.12.142.194:23 -> 192.168.2.23:40298
Source: Traffic Snort IDS: 716 INFO TELNET access 124.110.3.96:23 -> 192.168.2.23:59014
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 59.14.130.244:23 -> 192.168.2.23:53244
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 59.14.130.244:23 -> 192.168.2.23:53244
Source: Traffic Snort IDS: 716 INFO TELNET access 59.14.130.244:23 -> 192.168.2.23:53308
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 72.27.206.111:23 -> 192.168.2.23:54500
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 72.27.206.111:23 -> 192.168.2.23:54500
Source: Traffic Snort IDS: 716 INFO TELNET access 124.110.3.96:23 -> 192.168.2.23:59038
Source: Traffic Snort IDS: 716 INFO TELNET access 124.110.3.96:23 -> 192.168.2.23:59066
Source: Traffic Snort IDS: 716 INFO TELNET access 110.12.142.194:23 -> 192.168.2.23:40396
Source: Traffic Snort IDS: 716 INFO TELNET access 124.110.3.96:23 -> 192.168.2.23:59088
Source: Traffic Snort IDS: 492 INFO TELNET login failed 192.144.0.18:23 -> 192.168.2.23:42244
Source: Traffic Snort IDS: 492 INFO TELNET login failed 110.12.142.194:23 -> 192.168.2.23:40396
Source: Traffic Snort IDS: 716 INFO TELNET access 124.110.3.96:23 -> 192.168.2.23:59102
Source: Traffic Snort IDS: 716 INFO TELNET access 110.12.142.194:23 -> 192.168.2.23:40424
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 59.14.130.244:23 -> 192.168.2.23:53308
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 59.14.130.244:23 -> 192.168.2.23:53308
Source: Traffic Snort IDS: 716 INFO TELNET access 124.110.3.96:23 -> 192.168.2.23:59110
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 111.43.92.108:23 -> 192.168.2.23:47328
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 111.43.92.108:23 -> 192.168.2.23:47328
Source: Traffic Snort IDS: 716 INFO TELNET access 124.110.3.96:23 -> 192.168.2.23:59122
Source: Traffic Snort IDS: 492 INFO TELNET login failed 110.12.142.194:23 -> 192.168.2.23:40424
Source: Traffic Snort IDS: 716 INFO TELNET access 124.110.3.96:23 -> 192.168.2.23:59148
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 198.1.63.150:23 -> 192.168.2.23:54382
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 198.1.63.150:23 -> 192.168.2.23:54382
Source: Traffic Snort IDS: 404 ICMP Destination Unreachable Protocol Unreachable 2.249.90.152 -> 192.168.2.23
Source: Traffic Snort IDS: 716 INFO TELNET access 110.12.142.194:23 -> 192.168.2.23:40506
Source: Traffic Snort IDS: 492 INFO TELNET login failed 110.12.142.194:23 -> 192.168.2.23:40506
Source: Traffic Snort IDS: 716 INFO TELNET access 180.150.18.5:23 -> 192.168.2.23:48118
Source: Traffic Snort IDS: 716 INFO TELNET access 59.14.130.244:23 -> 192.168.2.23:53576
Source: Traffic Snort IDS: 716 INFO TELNET access 110.12.142.194:23 -> 192.168.2.23:40614
Source: Traffic Snort IDS: 716 INFO TELNET access 112.165.81.76:23 -> 192.168.2.23:40604
Source: Traffic Snort IDS: 492 INFO TELNET login failed 110.12.142.194:23 -> 192.168.2.23:40614
Source: Traffic Snort IDS: 716 INFO TELNET access 95.188.189.120:23 -> 192.168.2.23:46746
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 59.14.130.244:23 -> 192.168.2.23:53576
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 59.14.130.244:23 -> 192.168.2.23:53576
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 111.43.92.108:23 -> 192.168.2.23:47562
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 111.43.92.108:23 -> 192.168.2.23:47562
Source: Traffic Snort IDS: 716 INFO TELNET access 95.188.189.120:23 -> 192.168.2.23:46758
Source: Traffic Snort IDS: 2023439 ET TROJAN Possible Linux.Mirai Login Attempt (hi3518) 192.168.2.23:54832 -> 81.141.62.27:23
Source: Traffic Snort IDS: 716 INFO TELNET access 110.12.142.194:23 -> 192.168.2.23:40708
Source: Traffic Snort IDS: 716 INFO TELNET access 95.188.189.120:23 -> 192.168.2.23:46782
Source: Traffic Snort IDS: 716 INFO TELNET access 95.188.189.120:23 -> 192.168.2.23:46820
Source: Traffic Snort IDS: 492 INFO TELNET login failed 110.12.142.194:23 -> 192.168.2.23:40708
Source: Traffic Snort IDS: 716 INFO TELNET access 125.128.127.25:23 -> 192.168.2.23:49840
Source: Traffic Snort IDS: 716 INFO TELNET access 95.188.189.120:23 -> 192.168.2.23:46860
Source: Traffic Snort IDS: 716 INFO TELNET access 95.188.189.120:23 -> 192.168.2.23:46896
Source: Traffic Snort IDS: 492 INFO TELNET login failed 125.128.127.25:23 -> 192.168.2.23:49840
Source: Traffic Snort IDS: 716 INFO TELNET access 95.188.189.120:23 -> 192.168.2.23:46916
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 116.125.236.113:23 -> 192.168.2.23:58820
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 116.125.236.113:23 -> 192.168.2.23:58820
Source: Traffic Snort IDS: 716 INFO TELNET access 95.188.189.120:23 -> 192.168.2.23:46932
Source: Traffic Snort IDS: 716 INFO TELNET access 110.12.142.194:23 -> 192.168.2.23:40880
Source: Traffic Snort IDS: 716 INFO TELNET access 95.188.189.120:23 -> 192.168.2.23:46948
Source: Traffic Snort IDS: 492 INFO TELNET login failed 110.12.142.194:23 -> 192.168.2.23:40880
Source: Traffic Snort IDS: 716 INFO TELNET access 95.188.189.120:23 -> 192.168.2.23:46954
Source: Traffic Snort IDS: 716 INFO TELNET access 125.128.127.25:23 -> 192.168.2.23:49962
Source: Traffic Snort IDS: 716 INFO TELNET access 95.188.189.120:23 -> 192.168.2.23:46962
Source: Traffic Snort IDS: 492 INFO TELNET login failed 125.128.127.25:23 -> 192.168.2.23:49962
Source: Traffic Snort IDS: 716 INFO TELNET access 95.188.189.120:23 -> 192.168.2.23:46974
Source: Traffic Snort IDS: 716 INFO TELNET access 59.14.130.244:23 -> 192.168.2.23:53894
Source: Traffic Snort IDS: 716 INFO TELNET access 95.188.189.120:23 -> 192.168.2.23:46984
Source: Traffic Snort IDS: 716 INFO TELNET access 110.12.142.194:23 -> 192.168.2.23:40940
Source: Traffic Snort IDS: 716 INFO TELNET access 95.188.189.120:23 -> 192.168.2.23:47000
Source: Traffic Snort IDS: 716 INFO TELNET access 125.128.127.25:23 -> 192.168.2.23:50018
Source: Traffic Snort IDS: 492 INFO TELNET login failed 110.12.142.194:23 -> 192.168.2.23:40940
Source: Traffic Snort IDS: 492 INFO TELNET login failed 125.128.127.25:23 -> 192.168.2.23:50018
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 59.14.130.244:23 -> 192.168.2.23:53894
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 59.14.130.244:23 -> 192.168.2.23:53894
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51254
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51260
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51272
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51284
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51292
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51296
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51302
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51318
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51324
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51332
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51348
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51360
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51376
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51388
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51404
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51426
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51440
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51452
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51462
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51470
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51476
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51480
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51486
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51498
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51504
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51518
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51528
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51548
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.23:56100 -> 185.227.108.66:40485
Source: global traffic TCP traffic: 192.168.2.23:45900 -> 209.141.62.214:3074
Sample listens on a socket
Source: /tmp/arm7 (PID: 5256) Socket: 0.0.0.0::23
Source: /usr/sbin/sshd (PID: 5309) Socket: 0.0.0.0::22
Source: /usr/sbin/sshd (PID: 5309) Socket: [::]::22
Source: /usr/bin/dbus-daemon (PID: 5349) Socket: <unknown socket type>:unknown
Source: /usr/libexec/gnome-session-binary (PID: 5350) Socket: <unknown socket type>:unknown
Source: /usr/lib/xorg/Xorg (PID: 5407) Socket: <unknown socket type>:unknown
Source: /usr/bin/dbus-daemon (PID: 5454) Socket: <unknown socket type>:unknown
Source: /usr/bin/dbus-daemon (PID: 5515) Socket: <unknown socket type>:unknown
Source: /usr/libexec/gnome-session-binary (PID: 5455) Socket: <unknown socket type>:unknown
Source: /usr/bin/ibus-daemon (PID: 5609) Socket: <unknown socket type>:unknown
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 37180
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 37180 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 73.63.79.59
Source: unknown TCP traffic detected without corresponding DNS query: 177.99.7.54
Source: unknown TCP traffic detected without corresponding DNS query: 61.253.77.41
Source: unknown TCP traffic detected without corresponding DNS query: 120.25.196.209
Source: unknown TCP traffic detected without corresponding DNS query: 200.224.244.59
Source: unknown TCP traffic detected without corresponding DNS query: 38.89.55.46
Source: unknown TCP traffic detected without corresponding DNS query: 209.163.89.194
Source: unknown TCP traffic detected without corresponding DNS query: 109.237.51.10
Source: unknown TCP traffic detected without corresponding DNS query: 63.95.228.224
Source: unknown TCP traffic detected without corresponding DNS query: 155.170.130.172
Source: unknown TCP traffic detected without corresponding DNS query: 13.174.147.226
Source: unknown TCP traffic detected without corresponding DNS query: 103.104.192.96
Source: unknown TCP traffic detected without corresponding DNS query: 79.111.115.25
Source: unknown TCP traffic detected without corresponding DNS query: 95.1.147.97
Source: unknown TCP traffic detected without corresponding DNS query: 113.124.157.95
Source: unknown TCP traffic detected without corresponding DNS query: 150.211.222.31
Source: unknown TCP traffic detected without corresponding DNS query: 4.52.253.58
Source: unknown TCP traffic detected without corresponding DNS query: 31.66.196.192
Source: unknown TCP traffic detected without corresponding DNS query: 42.250.3.112
Source: unknown TCP traffic detected without corresponding DNS query: 205.180.9.144
Source: unknown TCP traffic detected without corresponding DNS query: 140.169.223.189
Source: unknown TCP traffic detected without corresponding DNS query: 148.180.221.164
Source: unknown TCP traffic detected without corresponding DNS query: 101.236.119.185
Source: unknown TCP traffic detected without corresponding DNS query: 209.30.28.229
Source: unknown TCP traffic detected without corresponding DNS query: 176.56.85.110
Source: unknown TCP traffic detected without corresponding DNS query: 118.212.24.179
Source: unknown TCP traffic detected without corresponding DNS query: 222.35.245.96
Source: unknown TCP traffic detected without corresponding DNS query: 48.253.72.178
Source: unknown TCP traffic detected without corresponding DNS query: 40.108.44.125
Source: unknown TCP traffic detected without corresponding DNS query: 43.122.79.244
Source: unknown TCP traffic detected without corresponding DNS query: 151.95.130.213
Source: unknown TCP traffic detected without corresponding DNS query: 58.214.87.204
Source: unknown TCP traffic detected without corresponding DNS query: 202.184.218.33
Source: unknown TCP traffic detected without corresponding DNS query: 134.229.195.208
Source: unknown TCP traffic detected without corresponding DNS query: 107.249.56.132
Source: unknown TCP traffic detected without corresponding DNS query: 200.61.115.230
Source: unknown TCP traffic detected without corresponding DNS query: 124.27.214.210
Source: unknown TCP traffic detected without corresponding DNS query: 47.105.90.30
Source: unknown TCP traffic detected without corresponding DNS query: 101.104.76.244
Source: unknown TCP traffic detected without corresponding DNS query: 185.252.24.3
Source: unknown TCP traffic detected without corresponding DNS query: 99.31.245.205
Source: unknown TCP traffic detected without corresponding DNS query: 111.46.6.165
Source: unknown TCP traffic detected without corresponding DNS query: 193.199.105.50
Source: unknown TCP traffic detected without corresponding DNS query: 44.153.128.70
Source: unknown TCP traffic detected without corresponding DNS query: 157.48.244.152
Source: unknown TCP traffic detected without corresponding DNS query: 125.162.234.146
Source: unknown TCP traffic detected without corresponding DNS query: 220.193.217.115
Source: unknown TCP traffic detected without corresponding DNS query: 61.135.224.116
Source: unknown TCP traffic detected without corresponding DNS query: 88.135.211.241
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.106.242
Source: arm7 String found in binary or memory: http://upx.sf.net
Source: Xorg.0.log.104.dr String found in binary or memory: http://wiki.x.org
Source: Xorg.0.log.104.dr String found in binary or memory: http://www.ubuntu.com/support)
Source: motd-news.16.dr String found in binary or memory: https://ubuntu.com/blog/microk8s-memory-optimisation
Source: unknown DNS traffic detected: queries for: daisy.ubuntu.com
Source: unknown HTTPS traffic detected: 162.213.33.108:443 -> 192.168.2.23:37180 version: TLS 1.2

System Summary:

Sample tries to kill many processes (SIGKILL)
Source: /tmp/arm7 (PID: 5256) SIGKILL sent: pid: 658, result: successful
Source: /tmp/arm7 (PID: 5256) SIGKILL sent: pid: 720, result: successful
Source: /tmp/arm7 (PID: 5256) SIGKILL sent: pid: 759, result: successful
Source: /tmp/arm7 (PID: 5256) SIGKILL sent: pid: 772, result: successful
Source: /tmp/arm7 (PID: 5256) SIGKILL sent: pid: 789, result: successful
Source: /tmp/arm7 (PID: 5256) SIGKILL sent: pid: 800, result: successful
Source: /tmp/arm7 (PID: 5256) SIGKILL sent: pid: 904, result: successful
Source: /tmp/arm7 (PID: 5256) SIGKILL sent: pid: 936, result: successful
Source: /tmp/arm7 (PID: 5256) SIGKILL sent: pid: 1320, result: successful
Source: /tmp/arm7 (PID: 5256) SIGKILL sent: pid: 1334, result: successful
Source: /tmp/arm7 (PID: 5256) SIGKILL sent: pid: 1335, result: successful
Source: /tmp/arm7 (PID: 5256) SIGKILL sent: pid: 1389, result: successful
Source: /tmp/arm7 (PID: 5256) SIGKILL sent: pid: 1809, result: successful
Source: /tmp/arm7 (PID: 5256) SIGKILL sent: pid: 1872, result: successful
Source: /tmp/arm7 (PID: 5256) SIGKILL sent: pid: 1888, result: successful
Source: /tmp/arm7 (PID: 5256) SIGKILL sent: pid: 1983, result: successful
Source: /tmp/arm7 (PID: 5256) SIGKILL sent: pid: 2048, result: successful
Source: /usr/bin/dbus-daemon (PID: 5454) SIGKILL sent: pid: 5509, result: successful
Source: /usr/bin/dbus-daemon (PID: 5454) SIGKILL sent: pid: 5861, result: successful
Source: /usr/bin/dbus-daemon (PID: 5454) SIGKILL sent: pid: 6095, result: successful
Source: /usr/bin/dbus-daemon (PID: 5515) SIGKILL sent: pid: 5931, result: successful
Sample contains only a LOAD segment without any section mappings
Source: LOAD without section mappings Program segment: 0x8000
Yara signature match
Source: arm7, type: SAMPLE Matched rule: SUSP_ELF_LNX_UPX_Compressed_File date = 2018-12-12, author = Florian Roth, description = Detects a suspicious ELF binary with UPX compression, reference = Internal Research, score = 038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4
Sample tries to kill a process (SIGKILL)
Source: /tmp/arm7 (PID: 5256) SIGKILL sent: pid: 658, result: successful
Source: /tmp/arm7 (PID: 5256) SIGKILL sent: pid: 720, result: successful
Source: /tmp/arm7 (PID: 5256) SIGKILL sent: pid: 759, result: successful
Source: /tmp/arm7 (PID: 5256) SIGKILL sent: pid: 772, result: successful
Source: /tmp/arm7 (PID: 5256) SIGKILL sent: pid: 789, result: successful
Source: /tmp/arm7 (PID: 5256) SIGKILL sent: pid: 800, result: successful
Source: /tmp/arm7 (PID: 5256) SIGKILL sent: pid: 904, result: successful
Source: /tmp/arm7 (PID: 5256) SIGKILL sent: pid: 936, result: successful
Source: /tmp/arm7 (PID: 5256) SIGKILL sent: pid: 1320, result: successful
Source: /tmp/arm7 (PID: 5256) SIGKILL sent: pid: 1334, result: successful
Source: /tmp/arm7 (PID: 5256) SIGKILL sent: pid: 1335, result: successful
Source: /tmp/arm7 (PID: 5256) SIGKILL sent: pid: 1389, result: successful
Source: /tmp/arm7 (PID: 5256) SIGKILL sent: pid: 1809, result: successful
Source: /tmp/arm7 (PID: 5256) SIGKILL sent: pid: 1872, result: successful
Source: /tmp/arm7 (PID: 5256) SIGKILL sent: pid: 1888, result: successful
Source: /tmp/arm7 (PID: 5256) SIGKILL sent: pid: 1983, result: successful
Source: /tmp/arm7 (PID: 5256) SIGKILL sent: pid: 2048, result: successful
Source: /usr/bin/dbus-daemon (PID: 5454) SIGKILL sent: pid: 5509, result: successful
Source: /usr/bin/dbus-daemon (PID: 5454) SIGKILL sent: pid: 5861, result: successful
Source: /usr/bin/dbus-daemon (PID: 5454) SIGKILL sent: pid: 6095, result: successful
Source: /usr/bin/dbus-daemon (PID: 5515) SIGKILL sent: pid: 5931, result: successful
Source: arm7 Joe Sandbox Cloud Basic: Detection: clean Score: 0
Source: classification engine Classification label: mal84.spre.troj.evad.lin@0/52@3/0

Data Obfuscation:

Sample is packed with UPX
Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $

Persistence and Installation Behavior:

Sample reads /proc/mounts (often used for finding a writable filesystem)
Source: /usr/bin/dbus-daemon (PID: 5349) File: /proc/5349/mounts
Source: /usr/bin/dbus-daemon (PID: 5454) File: /proc/5454/mounts
Source: /usr/bin/dbus-daemon (PID: 5515) File: /proc/5515/mounts
Source: /usr/bin/gjs (PID: 6096) File: /proc/6096/mounts
Source: /usr/bin/gnome-shell (PID: 5558) File: /proc/5558/mounts
Source: /bin/fusermount (PID: 5460) File: /proc/5460/mounts
Executes the "grep" command used to find patterns in files or piped streams
Source: /bin/sh (PID: 5338) Grep executable: /usr/bin/grep -> grep -F .utf8
Enumerates processes within the "proc" file system
Source: /tmp/arm7 (PID: 5256) File opened: /proc/1582/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/2033/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/670/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/793/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/1579/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/1699/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/674/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/1335/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/2028/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/675/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/796/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/1334/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/1532/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/1576/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/797/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/676/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/677/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/2025/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/799/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/910/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/912/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/517/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/759/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/918/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/1594/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/1349/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/761/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/840/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/884/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/1389/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/1983/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/2038/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/720/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/1344/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/1465/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/1586/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/721/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/1463/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/800/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/801/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/847/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/1900/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/491/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/2050/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/1877/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/2009/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/772/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/1599/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/774/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/1477/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/654/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/896/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/1476/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/1872/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/2048/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/655/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/1475/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/656/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/777/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/657/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/658/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/419/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/936/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/1809/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/1494/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/1890/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/2062/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/1888/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/1601/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/420/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/1886/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/2018/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/1489/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/785/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/2014/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/1320/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/788/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/667/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/789/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/904/exe
Source: /tmp/arm7 (PID: 5256) File opened: /proc/1207/exe
Source: /usr/bin/dbus-daemon (PID: 5454) File opened: /proc/6131/cmdline
Source: /usr/bin/dbus-daemon (PID: 5454) File opened: /proc/6134/cmdline
Source: /usr/bin/dbus-daemon (PID: 5454) File opened: /proc/6137/cmdline
Source: /usr/bin/dbus-daemon (PID: 5454) File opened: /proc/5862/cmdline
Source: /usr/bin/dbus-daemon (PID: 5454) File opened: /proc/6096/cmdline
Source: /usr/bin/dbus-daemon (PID: 5454) File opened: /proc/5456/cmdline
Source: /usr/bin/dbus-daemon (PID: 5454) File opened: /proc/6128/cmdline
Source: /usr/bin/dbus-daemon (PID: 5454) File opened: /proc/6129/cmdline
Source: /usr/bin/dbus-daemon (PID: 5454) File opened: /proc/5558/cmdline
Source: /usr/bin/dbus-daemon (PID: 5454) File opened: /proc/5934/cmdline
Source: /usr/bin/dbus-daemon (PID: 5454) File opened: /proc/6120/cmdline
Source: /usr/bin/dbus-daemon (PID: 5454) File opened: /proc/6122/cmdline
Source: /usr/bin/dbus-daemon (PID: 5454) File opened: /proc/6144/cmdline
Source: /usr/bin/dbus-daemon (PID: 5454) File opened: /proc/6121/cmdline
Source: /usr/bin/dbus-daemon (PID: 5454) File opened: /proc/6124/cmdline
Source: /usr/bin/dbus-daemon (PID: 5454) File opened: /proc/6443/cmdline
Source: /usr/bin/dbus-daemon (PID: 5454) File opened: /proc/6123/cmdline
Source: /usr/bin/dbus-daemon (PID: 5454) File opened: /proc/5454/status
Source: /usr/bin/dbus-daemon (PID: 5454) File opened: /proc/5454/attr/current
Source: /usr/bin/dbus-daemon (PID: 5454) File opened: /proc/5455/cmdline
Source: /usr/bin/dbus-daemon (PID: 5454) File opened: /proc/5510/cmdline
Source: /usr/bin/dbus-daemon (PID: 5454) File opened: /proc/5609/cmdline
Source: /usr/bin/dbus-daemon (PID: 5454) File opened: /proc/6139/cmdline
Source: /usr/bin/dbus-daemon (PID: 5454) File opened: /proc/6116/cmdline
Creates hidden files and/or directories
Source: /usr/bin/whoopsie (PID: 5296) Directory: /nonexistent/.cache
Source: /usr/lib/accountsservice/accounts-daemon (PID: 5319) Directory: /root/.cache
Sample tries to set the executable flag
Source: /usr/lib/accountsservice/accounts-daemon (PID: 5319) File: /var/lib/AccountsService/icons (bits: - usr: rx grp: rwx all: rwx)
Source: /usr/lib/accountsservice/accounts-daemon (PID: 5319) File: /var/lib/AccountsService/users (bits: - usr: - grp: - all: rwx)
Executes commands using a shell command-line interpreter
Source: /usr/share/language-tools/language-options (PID: 5336) Shell command executed: sh -c "locale -a | grep -F .utf8 "
Source: /usr/lib/xorg/Xorg (PID: 5443) Shell command executed: sh -c "\"/usr/bin/xkbcomp\" -w 1 \"-R/usr/share/X11/xkb\" -xkm \"-\" -em1 \"The XKEYBOARD keymap compiler (xkbcomp) reports:\" -emp \"> \" -eml \"Errors from xkbcomp are not fatal to the X server\" \"/tmp/server-0.xkm\""
Source: /usr/lib/xorg/Xorg (PID: 5866) Shell command executed: sh -c "\"/usr/bin/xkbcomp\" -w 1 \"-R/usr/share/X11/xkb\" -xkm \"-\" -em1 \"The XKEYBOARD keymap compiler (xkbcomp) reports:\" -emp \"> \" -eml \"Errors from xkbcomp are not fatal to the X server\" \"/tmp/server-0.xkm\""
Executes the "rm" command used to delete files or directories
Source: /usr/bin/dash (PID: 5219) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.F8yqW15XWY /tmp/tmp.FsztahiAst /tmp/tmp.rbFtGPyqdP
Source: /usr/lib/xorg/Xorg (PID: 5407) Log file created: /var/log/Xorg.0.log

Hooking and other Techniques for Hiding and Protection:

Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51254
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51260
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51272
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51284
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51292
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51296
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51302
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51318
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51324
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51332
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51348
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51360
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51376
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51388
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51404
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51426
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51440
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51452
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51462
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51470
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51476
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51480
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51486
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51498
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51504
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51518
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51528
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51548

Malware Analysis System Evasion:

Reads CPU information from /sys indicative of miner or evasive malware
Source: /usr/lib/xorg/Xorg (PID: 5407) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/libexec/gnome-session-check-accelerated (PID: 5456) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/libexec/gnome-session-check-accelerated-gl-helper (PID: 5516) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/libexec/gnome-session-check-accelerated-gles-helper (PID: 5528) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/gnome-shell (PID: 5558) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 5414) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 5873) Reads CPU info from /sys: /sys/devices/system/cpu/online
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/arm7 (PID: 5249) Queries kernel information via 'uname':
Source: /usr/bin/whoopsie (PID: 5296) Queries kernel information via 'uname':
Source: /usr/lib/gdm3/gdm-session-worker (PID: 5339) Queries kernel information via 'uname':
Source: /usr/libexec/gnome-session-binary (PID: 5350) Queries kernel information via 'uname':
Source: /usr/lib/gdm3/gdm-session-worker (PID: 5398) Queries kernel information via 'uname':
Source: /usr/lib/gdm3/gdm-x-session (PID: 5405) Queries kernel information via 'uname':
Source: /usr/lib/xorg/Xorg (PID: 5407) Queries kernel information via 'uname':
Source: /usr/libexec/at-spi-bus-launcher (PID: 5510) Queries kernel information via 'uname':
Source: /usr/libexec/at-spi2-registryd (PID: 5934) Queries kernel information via 'uname':
Source: /usr/libexec/gnome-session-binary (PID: 5455) Queries kernel information via 'uname':
Source: /usr/libexec/gnome-session-check-accelerated (PID: 5456) Queries kernel information via 'uname':
Source: /usr/libexec/gnome-session-check-accelerated-gl-helper (PID: 5516) Queries kernel information via 'uname':
Source: /usr/libexec/gnome-session-check-accelerated-gles-helper (PID: 5528) Queries kernel information via 'uname':
Source: /usr/bin/gnome-shell (PID: 5558) Queries kernel information via 'uname':
Source: /usr/libexec/ibus-x11 (PID: 5860) Queries kernel information via 'uname':
Source: /usr/libexec/gsd-wacom (PID: 6118) Queries kernel information via 'uname':
Source: /usr/libexec/gsd-color (PID: 6120) Queries kernel information via 'uname':
Source: /usr/libexec/gsd-keyboard (PID: 6121) Queries kernel information via 'uname':
Source: /usr/libexec/gsd-smartcard (PID: 6124) Queries kernel information via 'uname':
Source: /usr/libexec/gsd-media-keys (PID: 6129) Queries kernel information via 'uname':
Source: /usr/libexec/gsd-power (PID: 6144) Queries kernel information via 'uname':
Source: /usr/bin/pulseaudio (PID: 5414) Queries kernel information via 'uname':
Source: /usr/bin/pulseaudio (PID: 5873) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-hostnamed (PID: 6169) Queries kernel information via 'uname':
Source: /usr/libexec/fprintd (PID: 6783) Queries kernel information via 'uname':
Deletes log files
Source: /usr/lib/xorg/Xorg (PID: 5407) Truncated file: /var/log/Xorg.pid-5407.log
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.088] (II) vmware(0): Not using default mode "1680x1050" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.161] (II) vmware(0): Not using default mode "2048x1536" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.322] (II) vmware(0): Not using default mode "2560x1440" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.071] (II) vmware(0): Not using default mode "720x450" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.318] (II) vmware(0): Not using default mode "1280x720" (width requires unsupported line pitch)
Source: Xorg.0.log.104.dr Binary or memory string: [ 492.631] (==) vmware(0): Backing store enabled
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.583] (--) vmware(0): depth: 24
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.400] (II) vmware(0): Not using default mode "5120x2880" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 491.990] (II) vmware(0): Modeline "640x350"x85.1 31.50 640 672 736 832 350 382 385 445 +hsync -vsync (37.9 kHz d)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.118] (II) vmware(0): Not using default mode "1680x1050" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 491.653] (II) vmware(0): Modeline "1152x864"x75.0 104.99 1152 1224 1352 1552 864 865 868 902 -hsync +vsync (67.6 kHz d)
Source: Xorg.0.log.104.dr Binary or memory string: [ 492.357] (II) vmware(0): vgaHWGetIOBase: hwp->IOBase is 0x03d0
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.994] (II) vmware(0): Not using default mode "1920x1440" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 491.762] (**) vmware(0): Default mode "800x600": 56.3 MHz, 53.7 kHz, 85.1 Hz
Source: Xorg.0.log.104.dr Binary or memory string: [ 491.770] (II) vmware(0): Modeline "800x600"x85.1 56.30 800 832 896 1048 600 601 604 631 +hsync +vsync (53.7 kHz d)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.212] (II) vmware(0): Not using default mode "480x270" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.826] (II) vmware(0): Not using default mode "1280x960" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.123] (II) vmware(0): Not using default mode "840x525" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.545] (II) vmware(0): Not using default mode "2560x1600" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.094] (II) vmware(0): Not using default mode "1680x1050" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 488.120] (EE) vmware(0): Failed to open drm.
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.127] (II) vmware(0): Not using default mode "1920x1080" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 491.675] (II) vmware(0): Modeline "1024x768"x85.0 94.50 1024 1072 1168 1376 768 769 772 808 +hsync +vsync (68.7 kHz d)
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.936] (II) vmware(0): Not using default mode "1792x1344" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.187] (II) vmware(0): Not using default mode "864x486" (monitor doesn't support reduced blanking)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.378] (II) vmware(0): Not using default mode "1920x1080" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 491.927] (II) vmware(0): Modeline "720x400"x85.0 35.50 720 756 828 936 400 401 404 446 -hsync +vsync (37.9 kHz d)
Source: Xorg.0.log.104.dr Binary or memory string: [ 499.689] (II) config/udev: Adding input device VirtualPS/2 VMware VMMouse (/dev/input/mouse1)
Source: Xorg.0.log.104.dr Binary or memory string: [ 499.871] (II) event2 - VirtualPS/2 VMware VMMouse: is tagged by udev as: Mouse
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.957] (II) vmware(0): Not using default mode "1856x1392" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 499.001] (II) event3 - VirtualPS/2 VMware VMMouse: is tagged by udev as: Mouse
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.695] (==) vmware(0): Using gamma correction (1.0, 1.0, 1.0)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.216] (II) vmware(0): Not using default mode "1024x576" (monitor doesn't support reduced blanking)
Source: Xorg.0.log.104.dr Binary or memory string: [ 491.755] (II) vmware(0): Modeline "960x540"x59.6 40.75 960 992 1088 1216 540 543 548 562 -hsync +vsync (33.5 kHz d)
Source: Xorg.0.log.104.dr Binary or memory string: [ 499.825] (II) XINPUT: Adding extended input device "VirtualPS/2 VMware VMMouse" (type: MOUSE, id 9)
Source: Xorg.0.log.104.dr Binary or memory string: [ 491.681] (II) vmware(0): Modeline "1024x768"x75.0 78.75 1024 1040 1136 1312 768 769 772 800 +hsync +vsync (60.0 kHz d)
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.618] (--) vmware(0): bpp: 32
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.357] (II) vmware(0): Not using default mode "3200x1800" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.915] (II) vmware(0): Not using default mode "1600x1200" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.066] (II) vmware(0): Not using default mode "700x525" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 491.786] (II) vmware(0): Modeline "800x600"x75.0 49.50 800 816 896 1056 600 601 604 625 +hsync +vsync (46.9 kHz d)
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.833] (II) vmware(0): Not using default mode "640x480" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 491.660] (II) vmware(0): Modeline "1152x864"x70.0 96.77 1152 1224 1344 1536 864 865 868 900 -hsync +vsync (63.0 kHz d)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.396] (II) vmware(0): Not using default mode "2048x1152" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.975] (II) vmware(0): Not using default mode "928x696" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.430] (II) vmware(0): Not using default mode "15360x8640" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 491.728] (II) vmware(0): Modeline "1024x576"x59.9 46.50 1024 1064 1160 1296 576 579 584 599 -hsync +vsync (35.9 kHz d)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.403] (II) vmware(0): Not using default mode "2560x1440" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 491.909] (**) vmware(0): Default mode "720x405": 22.5 MHz, 25.1 kHz, 59.5 Hz
Source: Xorg.0.log.104.dr Binary or memory string: [ 499.635] (**) VirtualPS/2 VMware VMMouse: (accel) acceleration factor: 2.000
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.947] (II) vmware(0): Not using default mode "1792x1344" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.771] (II) vmware(0): Not using default mode "400x300" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 491.939] (II) vmware(0): Modeline "640x400"x85.1 31.50 640 672 736 832 400 401 404 445 -hsync +vsync (37.9 kHz d)
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.895] (II) vmware(0): Not using default mode "1600x1200" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.748] (II) vmware(0): Not using default mode "400x300" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.595] (II) vmware(0): Modeline "vmwlegacy-default-800x600"x60.0 36.25 800 801 802 1002 600 601 602 603 (36.2 kHz ez)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.049] (II) vmware(0): Not using default mode "700x525" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 491.887] (II) vmware(0): Modeline "640x480"x72.8 31.50 640 664 704 832 480 489 492 520 -hsync -vsync (37.9 kHz d)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.471] (II) vmware(0): Not using default mode "1400x900" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.743] (II) vmware(0): Not using default mode "320x240" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 491.895] (**) vmware(0): Default mode "640x480": 25.2 MHz, 31.5 kHz, 59.9 Hz
Source: arm7, 5249.1.000000003ae29ced.0000000091cae7cb.rw-.sdmp Binary or memory string: /usr/bin/qemu-arm
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.453] (--) vmware(0): caps: 0xFDFF83E2
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.158] (II) vmware(0): Not using default mode "1024x768" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.953] (II) vmware(0): Not using default mode "896x672" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 491.644] (**) vmware(0): Default mode "1152x864": 105.0 MHz, 67.6 kHz, 75.0 Hz
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.063] (II) vmware(0): Not using default mode "1400x1050" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 499.382] (II) XINPUT: Adding extended input device "VirtualPS/2 VMware VMMouse" (type: MOUSE, id 8)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.164] (II) vmware(0): Not using default mode "1024x768" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 491.828] (II) vmware(0): Modeline "800x600"x56.2 36.00 800 824 896 1024 600 601 603 625 +hsync +vsync (35.2 kHz d)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.052] (II) vmware(0): Not using default mode "1400x1050" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.279] (II) vmware(0): Not using default mode "1920x1080" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.307] (II) vmware(0): Not using default mode "2048x1152" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 491.793] (**) vmware(0): Default mode "800x600": 50.0 MHz, 48.1 kHz, 72.2 Hz
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.777] (II) vmware(0): Not using default mode "1024x768i" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.046] (II) vmware(0): Not using default mode "1400x1050" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 491.814] (II) vmware(0): Modeline "800x600"x60.3 40.00 800 840 968 1056 600 601 605 628 +hsync +vsync (37.9 kHz d)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.177] (II) vmware(0): Not using default mode "360x202" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.475] (II) vmware(0): Not using default mode "700x450" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.345] (II) vmware(0): Not using default mode "3200x1800" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.236] (II) vmware(0): Not using default mode "640x360" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.015] (II) vmware(0): Not using default mode "416x312" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.366] (II) vmware(0): Not using default mode "3840x2160" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.422] (II) vmware(0): Not using default mode "7680x4320" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.201] (II) vmware(0): Not using default mode "432x243" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.738] (II) vmware(0): Not using default mode "320x240" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.538] (II) vmware(0): Not using default mode "960x600" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.967] (II) vmware(0): Not using default mode "1856x1392" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.560] (II) vmware(0): Not using default mode "2560x1600" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 499.236] (II) event3 - VirtualPS/2 VMware VMMouse: device removed
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.787] (II) vmware(0): Not using default mode "512x384i" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.257] (II) vmware(0): Not using default mode "1600x900" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.223] (II) vmware(0): Not using default mode "512x288" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.351] (II) vmware(0): Not using default mode "1600x900" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.686] (==) vmware(0): Default visual is TrueColor
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.865] (II) vmware(0): Not using default mode "640x512" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 498.540] (**) VirtualPS/2 VMware VMMouse: Applying InputClass "libinput pointer catchall"
Source: Xorg.0.log.104.dr Binary or memory string: [ 491.780] (**) vmware(0): Default mode "800x600": 49.5 MHz, 46.9 kHz, 75.0 Hz
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.315] (II) vmware(0): Not using default mode "2560x1440" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.659] (--) vmware(0): w.red: 8
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.135] (II) vmware(0): Not using default mode "1920x1200" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.174] (II) vmware(0): Not using default mode "720x405" (monitor doesn't support reduced blanking)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.295] (II) vmware(0): Not using default mode "960x540" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.849] (II) vmware(0): Not using default mode "1280x1024" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.625] (--) vmware(0): vram: 4194304
Source: Xorg.0.log.104.dr Binary or memory string: [ 499.521] (**) VirtualPS/2 VMware VMMouse: (accel) selected scheme none/0
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.407] (II) vmware(0): Not using default mode "5120x2880" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.060] (II) vmware(0): Not using default mode "700x525" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 491.933] (**) vmware(0): Default mode "640x400": 31.5 MHz, 37.9 kHz, 85.1 Hz
Source: Xorg.0.log.104.dr Binary or memory string: [ 491.735] (**) vmware(0): Default mode "832x624": 57.3 MHz, 49.7 kHz, 74.6 Hz
Source: Xorg.0.log.104.dr Binary or memory string: [ 491.637] (II) vmware(0): Modeline "1152x864"x75.0 108.00 1152 1216 1344 1600 864 865 868 900 +hsync +vsync (67.5 kHz d)
Source: Xorg.0.log.104.dr Binary or memory string: [ 499.799] (II) event2 - VirtualPS/2 VMware VMMouse: is tagged by udev as: Mouse
Source: Xorg.0.log.104.dr Binary or memory string: [ 491.835] (**) vmware(0): Default mode "864x486": 32.5 MHz, 30.3 kHz, 59.9 Hz
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.449] (II) vmware(0): Not using default mode "640x400" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.245] (II) vmware(0): Not using default mode "1368x768" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 491.684] (**) vmware(0): Default mode "1024x768": 75.0 MHz, 56.5 kHz, 70.1 Hz
Source: Xorg.0.log.104.dr Binary or memory string: [ 488.152] (--) vmware(0): VMware SVGA regs at (0x1070, 0x1071)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.291] (II) vmware(0): Not using default mode "1920x1080" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 491.949] (**) vmware(0): Default mode "640x360": 18.0 MHz, 22.5 kHz, 59.8 Hz
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.032] (II) vmware(0): Not using default mode "576x432" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.910] (II) vmware(0): Not using default mode "800x600" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.205] (II) vmware(0): Not using default mode "960x540" (monitor doesn't support reduced blanking)
Source: Xorg.0.log.104.dr Binary or memory string: [ 491.678] (**) vmware(0): Default mode "1024x768": 78.8 MHz, 60.0 kHz, 75.0 Hz
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.085] (II) vmware(0): Not using default mode "840x525" (bad mode clock/interlace/doublescan)
Source: arm7, 5249.1.000000003ae29ced.0000000091cae7cb.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/arm7SUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/arm7
Source: Xorg.0.log.104.dr Binary or memory string: [ 493.079] (==) vmware(0): Silken mouse enabled
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.662] (--) vmware(0): w.grn: 8
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.452] (II) vmware(0): Not using default mode "1280x800" (width requires unsupported line pitch)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.248] (II) vmware(0): Not using default mode "684x384" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 499.892] (II) config/udev: Adding input device VirtualPS/2 VMware VMMouse (/dev/input/mouse0)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.018] (II) vmware(0): Not using default mode "576x432" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.670] (--) vmware(0): vis: 4
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.644] (--) vmware(0): mwidt: 1176
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.931] (II) vmware(0): Not using default mode "800x600" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.170] (II) vmware(0): Not using default mode "320x180" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.311] (II) vmware(0): Not using default mode "1024x576" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 491.690] (II) vmware(0): Modeline "1024x768"x70.1 75.00 1024 1048 1184 1328 768 771 777 806 -hsync -vsync (56.5 kHz d)
Source: Xorg.0.log.104.dr Binary or memory string: [ 491.842] (II) vmware(0): Modeline "864x486"x59.9 32.50 864 888 968 1072 486 489 494 506 -hsync +vsync (30.3 kHz d)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.575] (II) vmware(0): Virtual size is 800x600 (pitch 1176)
Source: Xorg.0.log.104.dr Binary or memory string: [ 487.759] (II) vmware: driver for VMware SVGA: vmware0405, vmware0710
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.326] (II) vmware(0): Not using default mode "1280x720" (width requires unsupported line pitch)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.433] (II) vmware(0): Not using default mode "7680x4320" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.038] (II) vmware(0): Not using default mode "680x384" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.242] (II) vmware(0): Not using default mode "684x384" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.415] (II) vmware(0): Not using default mode "7680x4320" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 499.765] (**) VirtualPS/2 VMware VMMouse: always reports core events
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.680] (==) vmware(0): RGB weight 888
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.882] (II) vmware(0): Not using default mode "1600x1200" (insufficient memory for mode)
Source: arm7, 5249.1.0000000048cded24.0000000058105968.rw-.sdmp Binary or memory string: 0V!/etc/qemu-binfmt/arm
Source: Xorg.0.log.104.dr Binary or memory string: [ 488.139] (WW) vmware(0): Disabling Render Acceleration.
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.389] (II) vmware(0): Not using default mode "2048x1152" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.661] (**) vmware(0): Default mode "1152x864": 121.5 MHz, 77.5 kHz, 85.1 Hz
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.035] (II) vmware(0): Not using default mode "1360x768" (width requires unsupported line pitch)
Source: Xorg.0.log.104.dr Binary or memory string: [ 491.855] (II) vmware(0): Modeline "640x480"x85.0 36.00 640 696 752 832 480 481 484 509 -hsync -vsync (43.3 kHz d)
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.905] (II) vmware(0): Not using default mode "1600x1200" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.418] (II) vmware(0): Not using default mode "3840x2160" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 491.341] (**) vmware(0): Default mode "1152x864": 119.7 MHz, 77.1 kHz, 85.0 Hz
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.058] (II) vmware(0): Not using default mode "1400x1050" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 491.742] (II) vmware(0): Modeline "832x624"x74.6 57.28 832 864 928 1152 624 625 628 667 -hsync -vsync (49.7 kHz d)
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.808] (II) vmware(0): Not using default mode "512x384" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 491.849] (**) vmware(0): Default mode "640x480": 36.0 MHz, 43.3 kHz, 85.0 Hz
Source: Xorg.0.log.104.dr Binary or memory string: [ 498.534] (II) config/udev: Adding input device VirtualPS/2 VMware VMMouse (/dev/input/event3)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.362] (II) vmware(0): Not using default mode "1600x900" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.655] (--) vmware(0): bpp: 32
Source: Xorg.0.log.104.dr Binary or memory string: [ 499.847] (**) VirtualPS/2 VMware VMMouse: (accel) acceleration factor: 2.000
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.138] (II) vmware(0): Not using default mode "960x600" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 499.806] (II) event2 - VirtualPS/2 VMware VMMouse: device removed
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.426] (II) vmware(0): Not using default mode "3840x2160" (insufficient memory for mode)
Source: arm7, 5256.1.0000000048cded24.0000000058105968.rw-.sdmp Binary or memory string: /usr/bin/vmtoolsd
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.131] (II) vmware(0): Not using default mode "960x540" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.839] (II) vmware(0): Not using default mode "1280x960" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.080] (II) vmware(0): Not using default mode "1680x1050" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.055] (II) vmware(0): Not using default mode "700x525" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 499.672] (II) event3 - VirtualPS/2 VMware VMMouse: is tagged by udev as: Mouse
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.920] (II) vmware(0): Not using default mode "800x600" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.941] (II) vmware(0): Not using default mode "896x672" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 491.997] (==) vmware(0): DPI set to (96, 96)
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.859] (II) vmware(0): Not using default mode "1280x1024" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 491.880] (**) vmware(0): Default mode "640x480": 31.5 MHz, 37.9 kHz, 72.8 Hz
Source: Xorg.0.log.104.dr Binary or memory string: [ 486.478] (==) Matched vmware as autoconfigured driver 0
Source: Xorg.0.log.104.dr Binary or memory string: [ 491.582] (II) vmware(0): Modeline "1152x864"x85.0 119.65 1152 1224 1352 1552 864 865 868 907 -hsync +vsync (77.1 kHz d)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.510] (II) vmware(0): Not using default mode "840x525" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 491.634] (**) vmware(0): Default mode "1152x864": 108.0 MHz, 67.5 kHz, 75.0 Hz
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.504] (II) vmware(0): Not using default mode "1680x1050" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.567] (II) vmware(0): Not using default mode "1280x800" (width requires unsupported line pitch)
Source: Xorg.0.log.104.dr Binary or memory string: [ 486.497] (II) LoadModule: "vmware"
Source: Xorg.0.log.104.dr Binary or memory string: [ 499.731] (**) VirtualPS/2 VMware VMMouse: Applying InputClass "libinput pointer catchall"
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.254] (II) vmware(0): Not using default mode "800x450" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.665] (--) vmware(0): w.blu: 8
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.820] (II) vmware(0): Not using default mode "576x432" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.674] (==) vmware(0): Depth 24, (==) framebuffer bpp 32
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.801] (II) vmware(0): Not using default mode "512x384" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 491.657] (**) vmware(0): Default mode "1152x864": 96.8 MHz, 63.0 kHz, 70.0 Hz
Source: Xorg.0.log.104.dr Binary or memory string: [ 498.590] (**) VirtualPS/2 VMware VMMouse: always reports core events
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.854] (II) vmware(0): Not using default mode "640x512" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.142] (II) vmware(0): Not using default mode "1920x1440" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.531] (II) vmware(0): Not using default mode "1920x1200" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 486.511] (II) Loading /usr/lib/xorg/modules/drivers/vmware_drv.so
Source: Xorg.0.log.104.dr Binary or memory string: [ 499.803] (II) event2 - VirtualPS/2 VMware VMMouse: device is a pointer
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.466] (II) vmware(0): Not using default mode "700x450" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.341] (II) vmware(0): Not using default mode "1440x810" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.209] (II) vmware(0): Not using default mode "480x270" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.145] (II) vmware(0): Not using default mode "960x720" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.727] (II) vmware(0): Not using default mode "320x240" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.334] (II) vmware(0): Not using default mode "1440x810" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.648] (--) vmware(0): mheig: 885
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.723] (II) vmware(0): Not using default mode "360x200" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.870] (II) vmware(0): Not using default mode "1280x1024" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.640] (--) vmware(0): pbase: 0xe8000000
Source: Xorg.0.log.104.dr Binary or memory string: [ 498.549] (II) Using input driver 'libinput' for 'VirtualPS/2 VMware VMMouse'
Source: Xorg.0.log.104.dr Binary or memory string: [ 499.876] (II) event2 - VirtualPS/2 VMware VMMouse: device is a pointer
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.760] (II) vmware(0): Not using default mode "400x300" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 491.720] (**) vmware(0): Default mode "1024x576": 46.5 MHz, 35.9 kHz, 59.9 Hz
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.251] (II) vmware(0): Not using default mode "1600x900" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.891] (II) vmware(0): Not using default mode "800x600" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.689] (==) vmware(0): Using HW cursor
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.795] (II) vmware(0): Not using default mode "512x384" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.040] (II) vmware(0): Not using default mode "1360x768" (width requires unsupported line pitch)
Source: Xorg.0.log.104.dr Binary or memory string: [ 486.565] (II) Module vmware: vendor="X.Org Foundation"
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.981] (II) vmware(0): Not using default mode "1920x1440" (insufficient memory for mode)
Source: arm7, 5256.1.0000000048cded24.0000000058105968.rw-.sdmp Binary or memory string: !/proc/1601/exe0!/usr/bin/vmtoolsd1
Source: Xorg.0.log.104.dr Binary or memory string: [ 499.153] (II) event3 - VirtualPS/2 VMware VMMouse: device is a pointer
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.765] (II) vmware(0): Not using default mode "400x300" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.844] (II) vmware(0): Not using default mode "640x480" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.701] (II) vmware(0): Not using default mode "320x175" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.962] (II) vmware(0): Not using default mode "928x696" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.754] (II) vmware(0): Not using default mode "400x300" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.582] (**) vmware(0): *Driver mode "vmwlegacy-default-800x600": 36.3 MHz, 36.2 kHz, 60.0 Hz
Source: Xorg.0.log.104.dr Binary or memory string: [ 499.648] (**) VirtualPS/2 VMware VMMouse: (accel) acceleration threshold: 4
Source: Xorg.0.log.104.dr Binary or memory string: [ 491.669] (II) vmware(0): Modeline "1152x864"x60.0 81.62 1152 1216 1336 1520 864 865 868 895 -hsync +vsync (53.7 kHz d)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.552] (II) vmware(0): Not using default mode "1280x800" (width requires unsupported line pitch)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.457] (II) vmware(0): Not using default mode "640x400" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.518] (II) vmware(0): Not using default mode "1920x1200" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.733] (II) vmware(0): Not using default mode "320x240" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.613] (II) vmware(0): Modeline "1152x864"x100.0 143.47 1152 1232 1360 1568 864 865 868 915 -hsync +vsync (91.5 kHz d)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.273] (II) vmware(0): Not using default mode "800x450" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.381] (II) vmware(0): Not using default mode "4096x2304" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.226] (II) vmware(0): Not using default mode "1280x720" (width requires unsupported line pitch)
Source: Xorg.0.log.104.dr Binary or memory string: [ 499.840] (**) VirtualPS/2 VMware VMMouse: (accel) selected scheme none/0
Source: Xorg.0.log.104.dr Binary or memory string: [ 499.735] (II) Using input driver 'libinput' for 'VirtualPS/2 VMware VMMouse'
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.024] (II) vmware(0): Not using default mode "576x432" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 491.821] (**) vmware(0): Default mode "800x600": 36.0 MHz, 35.2 kHz, 56.2 Hz
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.338] (II) vmware(0): Not using default mode "2880x1620" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.299] (II) vmware(0): Not using default mode "2048x1152" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 491.672] (**) vmware(0): Default mode "1024x768": 94.5 MHz, 68.7 kHz, 85.0 Hz
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.167] (II) vmware(0): Not using default mode "320x180" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.027] (II) vmware(0): Not using default mode "576x432" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 487.957] (II) vmware(0): Creating default Display subsection in Screen section
Source: Xorg.0.log.104.dr Binary or memory string: [ 488.146] (WW) vmware(0): Disabling RandR12+ support.
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.875] (II) vmware(0): Not using default mode "640x512" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.106] (II) vmware(0): Not using default mode "840x525" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.152] (II) vmware(0): Not using default mode "1024x768" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 491.914] (II) vmware(0): Modeline "720x405"x59.5 22.50 720 744 808 896 405 408 413 422 -hsync +vsync (25.1 kHz d)
Source: Xorg.0.log.104.dr Binary or memory string: [ 491.871] (II) vmware(0): Modeline "640x480"x75.0 31.50 640 656 720 840 480 481 484 500 -hsync -vsync (37.5 kHz d)
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.692] (==) vmware(0): Will set up a driver mode with dimensions 800x600.
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.437] (II) vmware(0): Not using default mode "15360x8640" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.286] (II) vmware(0): Not using default mode "960x540" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.098] (II) vmware(0): Not using default mode "840x525" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 499.726] (II) config/udev: Adding input device VirtualPS/2 VMware VMMouse (/dev/input/event2)
Source: Xorg.0.log.104.dr Binary or memory string: [ 491.862] (**) vmware(0): Default mode "640x480": 31.5 MHz, 37.5 kHz, 75.0 Hz
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.148] (II) vmware(0): Not using default mode "2048x1536" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.303] (II) vmware(0): Not using default mode "1024x576" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 491.902] (II) vmware(0): Modeline "640x480"x59.9 25.18 640 656 752 800 480 490 492 525 -hsync -vsync (31.5 kHz d)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.021] (II) vmware(0): Not using default mode "576x432" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.371] (II) vmware(0): Not using default mode "1920x1080" (insufficient memory for mode)
Source: arm7, 5249.1.0000000048cded24.0000000058105968.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/arm
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.232] (II) vmware(0): Not using default mode "1280x720" (width requires unsupported line pitch)
Source: Xorg.0.log.104.dr Binary or memory string: [ 492.334] (II) vmware(0): Initialized VMWARE_CTRL extension version 0.2
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.392] (II) vmware(0): Not using default mode "4096x2304" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.900] (II) vmware(0): Not using default mode "800x600" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.239] (II) vmware(0): Not using default mode "1368x768" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.441] (II) vmware(0): Not using default mode "7680x4320" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 491.702] (II) vmware(0): Modeline "1024x768"x60.0 65.00 1024 1048 1184 1344 768 771 777 806 -hsync -vsync (48.4 kHz d)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.011] (II) vmware(0): Not using default mode "960x720" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 491.981] (**) vmware(0): Default mode "640x350": 31.5 MHz, 37.9 kHz, 85.1 Hz
Source: Xorg.0.log.104.dr Binary or memory string: [ 491.920] (**) vmware(0): Default mode "720x400": 35.5 MHz, 37.9 kHz, 85.0 Hz
Source: Xorg.0.log.104.dr Binary or memory string: [ 499.676] (II) event3 - VirtualPS/2 VMware VMMouse: device is a pointer
Source: Xorg.0.log.104.dr Binary or memory string: [ 492.352] (II) vmware(0): Initialized VMware Xinerama extension.
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.989] (II) vmware(0): Not using default mode "960x720" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.814] (II) vmware(0): Not using default mode "512x384" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.499] (II) vmware(0): Not using default mode "840x525" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.219] (II) vmware(0): Not using default mode "512x288" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.651] (--) vmware(0): depth: 24
Source: Xorg.0.log.104.dr Binary or memory string: [ 499.851] (**) VirtualPS/2 VMware VMMouse: (accel) acceleration threshold: 4
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.461] (II) vmware(0): Not using default mode "1400x900" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.493] (II) vmware(0): Not using default mode "1680x1050" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 491.956] (II) vmware(0): Modeline "640x360"x59.8 18.00 640 664 720 800 360 363 368 376 -hsync +vsync (22.5 kHz d)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.374] (II) vmware(0): Not using default mode "3840x2160" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.698] (II) vmware(0): Clock range: 0.00 to 400000.00 MHz
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.925] (II) vmware(0): Not using default mode "1600x1200" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.331] (II) vmware(0): Not using default mode "2880x1620" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.229] (II) vmware(0): Not using default mode "640x360" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 491.695] (**) vmware(0): Default mode "1024x768": 65.0 MHz, 48.4 kHz, 60.0 Hz
Source: Xorg.0.log.104.dr Binary or memory string: [ 491.800] (II) vmware(0): Modeline "800x600"x72.2 50.00 800 856 976 1040 600 637 643 666 +hsync +vsync (48.1 kHz d)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.444] (II) vmware(0): Not using default mode "1280x800" (width requires unsupported line pitch)
Source: Xorg.0.log.104.dr Binary or memory string: [ 491.078] (II) vmware(0): Modeline "1152x864"x85.1 121.50 1152 1216 1344 1568 864 865 868 911 +hsync -vsync (77.5 kHz d)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.102] (II) vmware(0): Not using default mode "1680x1050" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 491.663] (**) vmware(0): Default mode "1152x864": 81.6 MHz, 53.7 kHz, 60.0 Hz
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.029] (II) vmware(0): Not using default mode "576x432" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.069] (II) vmware(0): Not using default mode "1440x900" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 488.133] (WW) vmware(0): Disabling 3D support.
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.091] (II) vmware(0): Not using default mode "840x525" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.043] (II) vmware(0): Not using default mode "680x384" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 491.749] (**) vmware(0): Default mode "960x540": 40.8 MHz, 33.5 kHz, 59.6 Hz
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.180] (II) vmware(0): Not using default mode "360x202" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.077] (II) vmware(0): Not using default mode "800x512" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.411] (II) vmware(0): Not using default mode "2560x1440" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 491.973] (II) vmware(0): Modeline "640x360"x59.3 17.75 640 688 720 800 360 363 368 374 +hsync -vsync (22.2 kHz d)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.524] (II) vmware(0): Not using default mode "960x600" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.074] (II) vmware(0): Not using default mode "1600x1024" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 491.962] (**) vmware(0): Default mode "640x360": 17.8 MHz, 22.2 kHz, 59.3 Hz
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.195] (II) vmware(0): Not using default mode "432x243" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 493.459] (II) vmware(0): Initialized VMware Xv extension successfully.
Source: Xorg.0.log.104.dr Binary or memory string: [ 489.718] (II) vmware(0): Not using default mode "320x200" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.155] (II) vmware(0): Not using default mode "2048x1536" (insufficient memory for mode)
Source: Xorg.0.log.104.dr Binary or memory string: [ 491.807] (**) vmware(0): Default mode "800x600": 40.0 MHz, 37.9 kHz, 60.3 Hz
Source: Xorg.0.log.104.dr Binary or memory string: [ 490.605] (**) vmware(0): Default mode "1152x864": 143.5 MHz, 91.5 kHz, 100.0 Hz

Language, Device and Operating System Detection:

Reads system files that contain records of logged in users
Source: /usr/lib/accountsservice/accounts-daemon (PID: 5319) Logged in records file read: /var/log/wtmp

Stealing of Sensitive Information:

Yara detected Mirai
Source: Yara match File source: dump.pcap, type: PCAP

Remote Access Functionality:

Yara detected Mirai
Source: Yara match File source: dump.pcap, type: PCAP