Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
r3M3VGE5AG.elf
|
ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, no section header
|
initial sample
|
 |
|
|
/run/systemd/journal/streams/.#9:77547ikht4x
|
ASCII text
|
dropped
|
||
|
/run/systemd/journal/streams/.#9:77552Cn2iiv
|
ASCII text
|
dropped
|
||
|
/run/systemd/journal/streams/.#9:77562OHT9wu
|
ASCII text
|
dropped
|
||
|
/run/systemd/journal/streams/.#9:77565Rd54Ex
|
ASCII text
|
dropped
|
||
|
/run/systemd/journal/streams/.#9:775669uAHUu
|
ASCII text
|
dropped
|
||
|
/run/systemd/journal/streams/.#9:77567gWMeFx
|
ASCII text
|
dropped
|
||
|
/run/systemd/journal/streams/.#9:77569Lfhtov
|
ASCII text
|
dropped
|
||
|
/run/systemd/journal/streams/.#9:77654kiPujv
|
ASCII text
|
dropped
|
||
|
/run/systemd/journal/streams/.#9:77757BpZ7Cu
|
ASCII text
|
dropped
|
||
|
/run/systemd/journal/streams/.#9:77758FtS4tu
|
ASCII text
|
dropped
|
||
|
/run/systemd/journal/streams/.#9:77869vzNguw
|
ASCII text
|
dropped
|
||
|
/run/systemd/journal/streams/.#9:77904sKKbvv
|
ASCII text
|
dropped
|
||
|
/run/systemd/journal/streams/.#9:78111bxrX4u
|
ASCII text
|
dropped
|
||
|
/var/log/journal/ee49dfd4fa47433baee88884e2d7de7c/system.journal
|
data
|
dropped
|
||
|
/var/log/journal/ee49dfd4fa47433baee88884e2d7de7c/user-1000.journal
|
data
|
dropped
|
There are 6 hidden files, click here to show them.
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
/tmp/r3M3VGE5AG.elf
|
/tmp/r3M3VGE5AG.elf
|
||
|
/tmp/r3M3VGE5AG.elf
|
-
|
||
|
/tmp/r3M3VGE5AG.elf
|
-
|
||
|
/tmp/r3M3VGE5AG.elf
|
-
|
||
|
/tmp/r3M3VGE5AG.elf
|
-
|
||
|
/bin/sh
|
sh -c "ps -A -o pid,cmd --no-headers"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/ps
|
ps -A -o pid,cmd --no-headers
|
||
|
/tmp/r3M3VGE5AG.elf
|
-
|
||
|
/bin/sh
|
sh -c "ps -A -o pid,cmd --no-headers"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/ps
|
ps -A -o pid,cmd --no-headers
|
||
|
/tmp/r3M3VGE5AG.elf
|
-
|
||
|
/bin/sh
|
sh -c "ps -A -o pid,cmd --no-headers"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/ps
|
ps -A -o pid,cmd --no-headers
|
||
|
/tmp/r3M3VGE5AG.elf
|
-
|
||
|
/bin/sh
|
sh -c "ps -A -o pid,cmd --no-headers"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/ps
|
ps -A -o pid,cmd --no-headers
|
||
|
/usr/libexec/gnome-session-binary
|
-
|
||
|
/bin/sh
|
/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-wacom
|
||
|
/usr/libexec/gsd-wacom
|
/usr/libexec/gsd-wacom
|
||
|
/usr/libexec/gnome-session-binary
|
-
|
||
|
/bin/sh
|
/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-keyboard
|
||
|
/usr/libexec/gsd-keyboard
|
/usr/libexec/gsd-keyboard
|
||
|
/usr/libexec/gnome-session-binary
|
-
|
||
|
/bin/sh
|
/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-media-keys
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/lib/upower/upowerd
|
/usr/lib/upower/upowerd
|
||
|
/usr/sbin/gdm3
|
-
|
||
|
/etc/gdm3/PrimeOff/Default
|
/etc/gdm3/PrimeOff/Default
|
||
|
/usr/sbin/gdm3
|
-
|
||
|
/etc/gdm3/PrimeOff/Default
|
/etc/gdm3/PrimeOff/Default
|
||
|
/usr/libexec/gvfsd-fuse
|
-
|
||
|
/bin/fusermount
|
fusermount -u -q -z -- /run/user/1000/gvfs
|
||
|
/usr/bin/xfce4-session
|
-
|
||
|
/usr/bin/xfwm4
|
xfwm4 --display :1.0 --sm-client-id 2389ab8d9-421f-49fc-90ad-c6cc4c15ac4c
|
||
|
/usr/bin/xfce4-session
|
-
|
||
|
/usr/bin/xfce4-panel
|
xfce4-panel --display :1.0 --sm-client-id 2b4cc744e-8b9d-436f-9a4a-312b40faa2ec
|
||
|
/usr/bin/xfce4-session
|
-
|
||
|
/usr/bin/rm
|
rm -f /home/saturnino/.cache/sessions/Thunar-2ec9153f1-6fa0-4067-96b1-e5fe875b1e51
|
||
|
/usr/bin/xfce4-session
|
-
|
||
|
/usr/bin/xfdesktop
|
xfdesktop --display :1.0 --sm-client-id 29178b886-02e2-48f2-9471-8dbd02206542
|
||
|
/usr/bin/xfce4-session
|
-
|
||
|
/usr/bin/xfwm4
|
xfwm4 --display :1.0 --sm-client-id 2389ab8d9-421f-49fc-90ad-c6cc4c15ac4c
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/lib/upower/upowerd
|
/usr/lib/upower/upowerd
|
||
|
/usr/bin/xfce4-session
|
-
|
||
|
/usr/bin/xfce4-panel
|
xfce4-panel --display :1.0 --sm-client-id 2b4cc744e-8b9d-436f-9a4a-312b40faa2ec
|
||
|
/usr/bin/xfce4-session
|
-
|
||
|
/usr/bin/xfdesktop
|
xfdesktop --display :1.0 --sm-client-id 29178b886-02e2-48f2-9471-8dbd02206542
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/libexec/gvfsd
|
/usr/libexec/gvfsd
|
||
|
/usr/libexec/gvfsd
|
-
|
||
|
/usr/libexec/gvfsd
|
-
|
||
|
/usr/libexec/gvfsd-fuse
|
/usr/libexec/gvfsd-fuse /run/user/1000/gvfs -f -o big_writes
|
||
|
/usr/libexec/gvfsd-fuse
|
-
|
||
|
/bin/fusermount
|
fusermount -o rw,nosuid,nodev,subtype=gvfsd-fuse -- /run/user/1000/gvfs
|
||
|
/usr/libexec/gvfsd-fuse
|
-
|
||
|
/bin/fusermount
|
fusermount -u -q -z -- /run/user/1000/gvfs
|
||
|
/usr/bin/dbus-daemon
|
-
|
||
|
/usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd
|
/usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/bin/journalctl
|
/usr/bin/journalctl --smart-relinquish-var
|
||
|
/usr/bin/xfce4-session
|
-
|
||
|
/usr/bin/xfwm4
|
xfwm4 --display :1.0 --sm-client-id 2389ab8d9-421f-49fc-90ad-c6cc4c15ac4c
|
||
|
/usr/bin/xfce4-session
|
-
|
||
|
/usr/bin/xfdesktop
|
xfdesktop --display :1.0 --sm-client-id 29178b886-02e2-48f2-9471-8dbd02206542
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/lib/systemd/systemd-journald
|
/lib/systemd/systemd-journald
|
||
|
/usr/bin/xfce4-session
|
-
|
||
|
/usr/bin/xfce4-panel
|
xfce4-panel --display :1.0 --sm-client-id 2b4cc744e-8b9d-436f-9a4a-312b40faa2ec
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/lib/upower/upowerd
|
/usr/lib/upower/upowerd
|
||
|
/usr/bin/xfce4-session
|
-
|
||
|
/usr/bin/xfwm4
|
xfwm4 --display :1.0 --sm-client-id 2389ab8d9-421f-49fc-90ad-c6cc4c15ac4c
|
||
|
/usr/bin/xfce4-session
|
-
|
||
|
/usr/bin/xfce4-panel
|
xfce4-panel --display :1.0 --sm-client-id 2b4cc744e-8b9d-436f-9a4a-312b40faa2ec
|
||
|
/usr/bin/xfce4-panel
|
-
|
||
|
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
|
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libsystray.so 6 6291464 systray
"Notification Area" "Area where notification icons appear"
|
||
|
/usr/bin/xfce4-panel
|
-
|
||
|
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
|
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libstatusnotifier.so 7 6291465
statusnotifier "Status Notifier Plugin" "Provides a panel area for status notifier items (application indicators)"
|
||
|
/usr/bin/xfce4-panel
|
-
|
||
|
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
|
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libpulseaudio-plugin.so 8
6291466 pulseaudio "PulseAudio Plugin" "Adjust the audio volume of the PulseAudio sound system"
|
||
|
/usr/bin/xfce4-panel
|
-
|
||
|
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
|
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libxfce4powermanager.so 9
6291467 power-manager-plugin "Power Manager Plugin" "Display the battery levels of your devices and control the brightness
of your display"
|
||
|
/usr/bin/xfce4-panel
|
-
|
||
|
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
|
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libnotification-plugin.so
10 6291468 notification-plugin "Notification Plugin" "Notification plugin for the Xfce panel"
|
||
|
/usr/bin/xfce4-panel
|
-
|
||
|
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
|
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libactions.so 14 6291469 actions
"Action Buttons" "Log out, lock or other system actions"
|
||
|
/usr/bin/xfce4-panel
|
-
|
||
|
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
|
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libsystray.so 6 6291464 systray
"Notification Area" "Area where notification icons appear"
|
||
|
/usr/bin/xfce4-panel
|
-
|
||
|
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
|
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libstatusnotifier.so 7 6291465
statusnotifier "Status Notifier Plugin" "Provides a panel area for status notifier items (application indicators)"
|
||
|
/usr/bin/xfce4-panel
|
-
|
||
|
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
|
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libpulseaudio-plugin.so 8
6291466 pulseaudio "PulseAudio Plugin" "Adjust the audio volume of the PulseAudio sound system"
|
||
|
/usr/bin/xfce4-panel
|
-
|
||
|
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
|
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libxfce4powermanager.so 9
6291467 power-manager-plugin "Power Manager Plugin" "Display the battery levels of your devices and control the brightness
of your display"
|
||
|
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
|
-
|
||
|
/usr/sbin/xfpm-power-backlight-helper
|
/usr/sbin/xfpm-power-backlight-helper --get-max-brightness
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/lib/upower/upowerd
|
/usr/lib/upower/upowerd
|
||
|
/usr/bin/xfce4-session
|
-
|
||
|
/usr/bin/xfdesktop
|
xfdesktop --display :1.0 --sm-client-id 29178b886-02e2-48f2-9471-8dbd02206542
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/libexec/gvfsd
|
/usr/libexec/gvfsd
|
||
|
/usr/libexec/gvfsd
|
-
|
||
|
/usr/libexec/gvfsd
|
-
|
||
|
/usr/libexec/gvfsd-fuse
|
/usr/libexec/gvfsd-fuse /run/user/1000/gvfs -f -o big_writes
|
||
|
/usr/libexec/gvfsd-fuse
|
-
|
||
|
/bin/fusermount
|
fusermount -o rw,nosuid,nodev,subtype=gvfsd-fuse -- /run/user/1000/gvfs
|
||
|
/usr/libexec/gvfsd-fuse
|
-
|
||
|
/bin/fusermount
|
fusermount -u -q -z -- /run/user/1000/gvfs
|
||
|
/usr/bin/dbus-daemon
|
-
|
||
|
/usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd
|
/usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd
|
||
|
/usr/bin/xfce4-session
|
-
|
||
|
/usr/bin/xfwm4
|
xfwm4 --display :1.0 --sm-client-id 2389ab8d9-421f-49fc-90ad-c6cc4c15ac4c
|
||
|
/usr/bin/xfce4-session
|
-
|
||
|
/usr/bin/xfdesktop
|
xfdesktop --display :1.0 --sm-client-id 29178b886-02e2-48f2-9471-8dbd02206542
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/bin/journalctl
|
/usr/bin/journalctl --flush
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/libexec/gvfsd
|
/usr/libexec/gvfsd
|
||
|
/usr/libexec/gvfsd
|
-
|
||
|
/usr/libexec/gvfsd
|
-
|
||
|
/usr/libexec/gvfsd-fuse
|
/usr/libexec/gvfsd-fuse /run/user/1000/gvfs -f -o big_writes
|
||
|
/usr/libexec/gvfsd-fuse
|
-
|
||
|
/bin/fusermount
|
fusermount -o rw,nosuid,nodev,subtype=gvfsd-fuse -- /run/user/1000/gvfs
|
||
|
/usr/libexec/gvfsd-fuse
|
-
|
||
|
/bin/fusermount
|
fusermount -u -q -z -- /run/user/1000/gvfs
|
||
|
/usr/bin/dbus-daemon
|
-
|
||
|
/usr/lib/x86_64-linux-gnu/tumbler-1/tumblerd
|
/usr/lib/x86_64-linux-gnu/tumbler-1/tumblerd
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/libexec/gvfsd
|
/usr/libexec/gvfsd
|
||
|
/usr/libexec/gvfsd
|
-
|
||
|
/usr/libexec/gvfsd
|
-
|
||
|
/usr/libexec/gvfsd-fuse
|
/usr/libexec/gvfsd-fuse /run/user/1000/gvfs -f -o big_writes
|
||
|
/usr/libexec/gvfsd-fuse
|
-
|
||
|
/bin/fusermount
|
fusermount -o rw,nosuid,nodev,subtype=gvfsd-fuse -- /run/user/1000/gvfs
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/lib/x86_64-linux-gnu/xfce4/notifyd/xfce4-notifyd
|
/usr/lib/x86_64-linux-gnu/xfce4/notifyd/xfce4-notifyd
|
There are 132 hidden processes, click here to show them.
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://upx.sf.net
|
unknown
|
|
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
cnc.merisprivate.net. [malformed]
|
unknown
|
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
194.120.230.54
|
unknown
|
unknown
|
||
|
109.202.202.202
|
unknown
|
Switzerland
|
||
|
91.189.91.43
|
unknown
|
United Kingdom
|
||
|
91.189.91.42
|
unknown
|
United Kingdom
|
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
101000
|
page execute read
|
|||
|
101000
|
page execute read
|
|||
|
11ea000
|
page read and write
|
|||
|
101000
|
page execute read
|
|||
|
300000
|
page execute and read and write
|
|||
|
413000
|
page execute read
|
|||
|
413000
|
page execute read
|
|||
|
7ffc225cc000
|
page read and write
|
|||
|
300000
|
page execute and read and write
|
|||
|
300000
|
page execute and read and write
|
|||
|
11ea000
|
page read and write
|
|||
|
7ffc225ed000
|
page execute read
|
|||
|
7ffc225ed000
|
page execute read
|
|||
|
7ffc225ed000
|
page execute read
|
|||
|
413000
|
page execute read
|
|||
|
7ffc225cc000
|
page read and write
|
|||
|
516000
|
page read and write
|
|||
|
516000
|
page read and write
|
|||
|
11ea000
|
page read and write
|
|||
|
11ff000
|
page read and write
|
|||
|
7ffc225cc000
|
page read and write
|
|||
|
516000
|
page read and write
|
There are 12 hidden memdumps, click here to show them.