Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
na.elf
|
ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, no section header
|
initial sample
|
 |
|
|
/run/systemd/journal/streams/.#9:64623cOsG8P
|
ASCII text
|
dropped
|
||
|
/run/systemd/journal/streams/.#9:64646xQJskQ
|
ASCII text
|
dropped
|
||
|
/run/systemd/journal/streams/.#9:64662vLMv2P
|
ASCII text
|
dropped
|
||
|
/run/systemd/journal/streams/.#9:64663sYhzMS
|
ASCII text
|
dropped
|
||
|
/run/systemd/journal/streams/.#9:64666jJD8vQ
|
ASCII text
|
dropped
|
||
|
/run/systemd/journal/streams/.#9:64686mRoq8P
|
ASCII text
|
dropped
|
||
|
/run/systemd/journal/streams/.#9:64687jxbULQ
|
ASCII text
|
dropped
|
||
|
/run/systemd/journal/streams/.#9:64688vmwmvP
|
ASCII text
|
dropped
|
||
|
/run/systemd/journal/streams/.#9:64689Bs55PQ
|
ASCII text
|
dropped
|
||
|
/run/systemd/journal/streams/.#9:64690bODurP
|
ASCII text
|
dropped
|
||
|
/run/systemd/journal/streams/.#9:64691zJkajS
|
ASCII text
|
dropped
|
||
|
/run/systemd/journal/streams/.#9:64742dOFzNR
|
ASCII text
|
dropped
|
||
|
/run/systemd/journal/streams/.#9:64766DervMS
|
ASCII text
|
dropped
|
||
|
/run/systemd/journal/streams/.#9:64767fTC4ZP
|
ASCII text
|
dropped
|
||
|
/run/systemd/journal/streams/.#9:648139XnuaQ
|
ASCII text
|
dropped
|
||
|
/run/systemd/journal/streams/.#9:64832vSLcMR
|
ASCII text
|
dropped
|
||
|
/run/systemd/journal/streams/.#9:64868imKUKO
|
ASCII text
|
dropped
|
||
|
/run/systemd/journal/streams/.#9:649132pRsgP
|
ASCII text
|
dropped
|
||
|
/run/systemd/journal/streams/.#9:64966XK1sVQ
|
ASCII text
|
dropped
|
||
|
/run/user/1000/dconf/user
|
very short file (no magic)
|
dropped
|
||
|
/var/log/journal/ee49dfd4fa47433baee88884e2d7de7c/system.journal
|
data
|
dropped
|
||
|
/var/log/journal/ee49dfd4fa47433baee88884e2d7de7c/user-1000.journal
|
data
|
dropped
|
There are 13 hidden files, click here to show them.
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
/usr/bin/dash
|
-
|
||
|
/usr/bin/rm
|
rm -f /tmp/tmp.nNPFxb16jB /tmp/tmp.JAVKQHsnD7 /tmp/tmp.JJECfR6OHN
|
||
|
/usr/bin/dash
|
-
|
||
|
/usr/bin/cat
|
cat /tmp/tmp.nNPFxb16jB
|
||
|
/usr/bin/dash
|
-
|
||
|
/usr/bin/head
|
head -n 10
|
||
|
/usr/bin/dash
|
-
|
||
|
/usr/bin/tr
|
tr -d \\000-\\011\\013\\014\\016-\\037
|
||
|
/usr/bin/dash
|
-
|
||
|
/usr/bin/cut
|
cut -c -80
|
||
|
/usr/bin/dash
|
-
|
||
|
/usr/bin/cat
|
cat /tmp/tmp.nNPFxb16jB
|
||
|
/usr/bin/dash
|
-
|
||
|
/usr/bin/head
|
head -n 10
|
||
|
/usr/bin/dash
|
-
|
||
|
/usr/bin/tr
|
tr -d \\000-\\011\\013\\014\\016-\\037
|
||
|
/usr/bin/dash
|
-
|
||
|
/usr/bin/cut
|
cut -c -80
|
||
|
/usr/bin/dash
|
-
|
||
|
/usr/bin/rm
|
rm -f /tmp/tmp.nNPFxb16jB /tmp/tmp.JAVKQHsnD7 /tmp/tmp.JJECfR6OHN
|
||
|
/tmp/na.elf
|
/tmp/na.elf
|
||
|
/tmp/na.elf
|
-
|
||
|
/tmp/na.elf
|
-
|
||
|
/tmp/na.elf
|
-
|
||
|
/tmp/na.elf
|
-
|
||
|
/bin/sh
|
sh -c "ps -A -o pid,cmd --no-headers"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/ps
|
ps -A -o pid,cmd --no-headers
|
||
|
/usr/libexec/gnome-session-binary
|
-
|
||
|
/bin/sh
|
/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-wacom
|
||
|
/usr/libexec/gsd-wacom
|
/usr/libexec/gsd-wacom
|
||
|
/usr/libexec/gnome-session-binary
|
-
|
||
|
/bin/sh
|
/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-sharing
|
||
|
/usr/libexec/gsd-sharing
|
/usr/libexec/gsd-sharing
|
||
|
/usr/libexec/gnome-session-binary
|
-
|
||
|
/bin/sh
|
/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-keyboard
|
||
|
/usr/libexec/gnome-session-binary
|
-
|
||
|
/bin/sh
|
/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-color
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/lib/upower/upowerd
|
/usr/lib/upower/upowerd
|
||
|
/usr/sbin/gdm3
|
-
|
||
|
/etc/gdm3/PrimeOff/Default
|
/etc/gdm3/PrimeOff/Default
|
||
|
/usr/sbin/gdm3
|
-
|
||
|
/etc/gdm3/PrimeOff/Default
|
/etc/gdm3/PrimeOff/Default
|
||
|
/usr/libexec/gvfsd-fuse
|
-
|
||
|
/bin/fusermount
|
fusermount -u -q -z -- /run/user/1000/gvfs
|
||
|
/usr/bin/xfce4-session
|
-
|
||
|
/usr/bin/xfwm4
|
xfwm4 --display :1.0 --sm-client-id 27575c7dd-2dac-48f0-9f3a-eff67ec043e5
|
||
|
/usr/bin/xfce4-session
|
-
|
||
|
/usr/bin/xfce4-panel
|
xfce4-panel --display :1.0 --sm-client-id 2d6b1caf2-8023-452b-bd0d-d23295482740
|
||
|
/usr/bin/xfce4-session
|
-
|
||
|
/usr/bin/rm
|
rm -f /home/saturnino/.cache/sessions/Thunar-2ec7c2e14-9c4d-40f3-9704-8617ab831fb4
|
||
|
/usr/bin/xfce4-session
|
-
|
||
|
/usr/bin/xfdesktop
|
xfdesktop --display :1.0 --sm-client-id 260d40b3c-9c6a-4cb1-bbe4-3557725aa528
|
||
|
/usr/bin/xfce4-session
|
-
|
||
|
/usr/bin/xfwm4
|
xfwm4 --display :1.0 --sm-client-id 27575c7dd-2dac-48f0-9f3a-eff67ec043e5
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/lib/upower/upowerd
|
/usr/lib/upower/upowerd
|
||
|
/usr/bin/xfce4-session
|
-
|
||
|
/usr/bin/xfce4-panel
|
xfce4-panel --display :1.0 --sm-client-id 2d6b1caf2-8023-452b-bd0d-d23295482740
|
||
|
/usr/bin/xfce4-panel
|
-
|
||
|
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
|
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libsystray.so 6 6291464 systray
"Notification Area" "Area where notification icons appear"
|
||
|
/usr/bin/xfce4-panel
|
-
|
||
|
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
|
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libstatusnotifier.so 7 6291465
statusnotifier "Status Notifier Plugin" "Provides a panel area for status notifier items (application indicators)"
|
||
|
/usr/bin/xfce4-panel
|
-
|
||
|
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
|
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libpulseaudio-plugin.so 8
6291466 pulseaudio "PulseAudio Plugin" "Adjust the audio volume of the PulseAudio sound system"
|
||
|
/usr/bin/xfce4-panel
|
-
|
||
|
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
|
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libxfce4powermanager.so 9
6291467 power-manager-plugin "Power Manager Plugin" "Display the battery levels of your devices and control the brightness
of your display"
|
||
|
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
|
-
|
||
|
/usr/sbin/xfpm-power-backlight-helper
|
/usr/sbin/xfpm-power-backlight-helper --get-max-brightness
|
||
|
/usr/bin/xfce4-panel
|
-
|
||
|
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
|
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libnotification-plugin.so
10 6291468 notification-plugin "Notification Plugin" "Notification plugin for the Xfce panel"
|
||
|
/usr/bin/xfce4-panel
|
-
|
||
|
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
|
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libactions.so 14 6291469 actions
"Action Buttons" "Log out, lock or other system actions"
|
||
|
/usr/bin/xfce4-session
|
-
|
||
|
/usr/bin/xfdesktop
|
xfdesktop --display :1.0 --sm-client-id 260d40b3c-9c6a-4cb1-bbe4-3557725aa528
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/libexec/gvfsd
|
/usr/libexec/gvfsd
|
||
|
/usr/libexec/gvfsd
|
-
|
||
|
/usr/libexec/gvfsd
|
-
|
||
|
/usr/libexec/gvfsd-fuse
|
/usr/libexec/gvfsd-fuse /run/user/1000/gvfs -f -o big_writes
|
||
|
/usr/libexec/gvfsd-fuse
|
-
|
||
|
/bin/fusermount
|
fusermount -o rw,nosuid,nodev,subtype=gvfsd-fuse -- /run/user/1000/gvfs
|
||
|
/usr/libexec/gvfsd
|
-
|
||
|
/usr/libexec/gvfsd-trash
|
/usr/libexec/gvfsd-trash --spawner :1.62 /org/gtk/gvfs/exec_spaw/0
|
||
|
/usr/bin/dbus-daemon
|
-
|
||
|
/usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd
|
/usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd
|
||
|
/usr/bin/xfce4-session
|
-
|
||
|
/usr/bin/xfwm4
|
xfwm4 --display :1.0 --sm-client-id 27575c7dd-2dac-48f0-9f3a-eff67ec043e5
|
||
|
/usr/bin/xfce4-session
|
-
|
||
|
/usr/bin/xfdesktop
|
xfdesktop --display :1.0 --sm-client-id 260d40b3c-9c6a-4cb1-bbe4-3557725aa528
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/lib/systemd/systemd-user-runtime-dir
|
/lib/systemd/systemd-user-runtime-dir stop 127
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/bin/journalctl
|
/usr/bin/journalctl --smart-relinquish-var
|
||
|
/usr/bin/xfce4-session
|
-
|
||
|
/usr/bin/xfwm4
|
xfwm4 --display :1.0 --sm-client-id 27575c7dd-2dac-48f0-9f3a-eff67ec043e5
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/lib/systemd/systemd-journald
|
/lib/systemd/systemd-journald
|
||
|
/usr/bin/dbus-daemon
|
-
|
||
|
/usr/lib/x86_64-linux-gnu/tumbler-1/tumblerd
|
/usr/lib/x86_64-linux-gnu/tumbler-1/tumblerd
|
||
|
/usr/bin/xfce4-session
|
-
|
||
|
/usr/bin/xfwm4
|
xfwm4 --display :1.0 --sm-client-id 27575c7dd-2dac-48f0-9f3a-eff67ec043e5
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/libexec/gvfs-udisks2-volume-monitor
|
/usr/libexec/gvfs-udisks2-volume-monitor
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/libexec/gvfs-mtp-volume-monitor
|
/usr/libexec/gvfs-mtp-volume-monitor
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/bin/journalctl
|
/usr/bin/journalctl --flush
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/libexec/gvfs-goa-volume-monitor
|
/usr/libexec/gvfs-goa-volume-monitor
|
||
|
/usr/bin/dbus-daemon
|
-
|
||
|
/usr/libexec/goa-daemon
|
/usr/libexec/goa-daemon
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/bin/Thunar
|
/usr/bin/Thunar --daemon
|
||
|
/usr/bin/dbus-daemon
|
-
|
||
|
/usr/libexec/goa-identity-service
|
/usr/libexec/goa-identity-service
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/libexec/gvfs-afc-volume-monitor
|
/usr/libexec/gvfs-afc-volume-monitor
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/libexec/gvfs-gphoto2-volume-monitor
|
/usr/libexec/gvfs-gphoto2-volume-monitor
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/libexec/gvfsd-metadata
|
/usr/libexec/gvfsd-metadata
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/lib/x86_64-linux-gnu/xfce4/notifyd/xfce4-notifyd
|
/usr/lib/x86_64-linux-gnu/xfce4/notifyd/xfce4-notifyd
|
||
|
/usr/lib/systemd/systemd
|
-
|
||
|
/usr/lib/accountsservice/accounts-daemon
|
/usr/lib/accountsservice/accounts-daemon
|
||
|
/usr/lib/accountsservice/accounts-daemon
|
-
|
||
|
/usr/share/language-tools/language-validate
|
/usr/share/language-tools/language-validate en_US.UTF-8
|
||
|
/usr/share/language-tools/language-validate
|
-
|
||
|
/usr/share/language-tools/language-options
|
/usr/share/language-tools/language-options
|
||
|
/usr/share/language-tools/language-options
|
-
|
||
|
/bin/sh
|
sh -c "locale -a | grep -F .utf8 "
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/locale
|
locale -a
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/grep
|
grep -F .utf8
|
There are 127 hidden processes, click here to show them.
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://upx.sf.net
|
unknown
|
|
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
daisy.ubuntu.com
|
162.213.35.25
|
||
|
cnc.merisprivate.net
|
194.120.230.54
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
194.120.230.54
|
cnc.merisprivate.net
|
unknown
|
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
f7f1c000
|
page execute read
|
|||
|
8059000
|
page execute read
|
|||
|
805c000
|
page read and write
|
|||
|
ffb92000
|
page read and write
|
|||
|
805c000
|
page read and write
|
|||
|
8529000
|
page read and write
|
|||
|
c02000
|
page execute read
|
|||
|
ffb92000
|
page read and write
|
|||
|
8539000
|
page read and write
|
|||
|
8059000
|
page execute read
|
|||
|
8529000
|
page read and write
|
|||
|
c02000
|
page execute read
|
|||
|
805c000
|
page read and write
|
|||
|
8059000
|
page execute read
|
|||
|
f7f1c000
|
page execute read
|
|||
|
8529000
|
page read and write
|
|||
|
c02000
|
page execute read
|
|||
|
ffb92000
|
page read and write
|
|||
|
f7f1c000
|
page execute read
|
There are 9 hidden memdumps, click here to show them.