IOC Report
na.elf


Files

File Path | Type | Category | Malicious
na.elf | ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, no section header | initial sample | malicious
/run/systemd/journal/streams/.#9:76223wJma1D | ASCII text | dropped | -
/run/systemd/journal/streams/.#9:76229xYYB4B | ASCII text | dropped | -
/run/systemd/journal/streams/.#9:762308PCR7D | ASCII text | dropped | -
/run/systemd/journal/streams/.#9:76231psvv0z | ASCII text | dropped | -
/run/systemd/journal/streams/.#9:7623272IsLC | ASCII text | dropped | -
/run/systemd/journal/streams/.#9:76236dJ5yeC | ASCII text | dropped | -
/run/systemd/journal/streams/.#9:76962YfCjRB | ASCII text | dropped | -
/run/systemd/journal/streams/.#9:770050PFVhB | ASCII text | dropped | -
/run/systemd/journal/streams/.#9:77087uqqBCD | ASCII text | dropped | -
/run/systemd/journal/streams/.#9:77251OvBJwE | ASCII text | dropped | -
/var/log/journal/ee49dfd4fa47433baee88884e2d7de7c/system.journal | data | dropped | -
/var/log/journal/ee49dfd4fa47433baee88884e2d7de7c/user-1000.journal | data | dropped | -

Processes

Path | Cmdline | Malicious
/usr/bin/dash | - | -
/usr/bin/rm | rm -f /tmp/tmp.1brRPsfKyF /tmp/tmp.AXuv0IVXFE /tmp/tmp.c3haIYmp5I | -
/usr/bin/dash | - | -
/usr/bin/rm | rm -f /tmp/tmp.1brRPsfKyF /tmp/tmp.AXuv0IVXFE /tmp/tmp.c3haIYmp5I | -
/tmp/na.elf | /tmp/na.elf | -
/tmp/na.elf | - | -
/tmp/na.elf | - | -
/tmp/na.elf | - | -
/bin/sh | sh -c "ps -A -o pid,cmd --no-headers" | -
/bin/sh | - | -
/usr/bin/ps | ps -A -o pid,cmd --no-headers | -
/tmp/na.elf | - | -
/bin/sh | sh -c "ps -A -o pid,cmd --no-headers" | -
/bin/sh | - | -
/usr/bin/ps | ps -A -o pid,cmd --no-headers | -
/tmp/na.elf | - | -
/bin/sh | sh -c "ps -A -o pid,cmd --no-headers" | -
/bin/sh | - | -
/usr/bin/ps | ps -A -o pid,cmd --no-headers | -
/tmp/na.elf | - | -
/bin/sh | sh -c "ps -A -o pid,cmd --no-headers" | -
/bin/sh | - | -
/usr/bin/ps | ps -A -o pid,cmd --no-headers | -
/tmp/na.elf | - | -
/bin/sh | sh -c "ps -A -o pid,cmd --no-headers" | -
/bin/sh | - | -
/usr/bin/ps | ps -A -o pid,cmd --no-headers | -
/usr/libexec/gnome-session-binary | - | -
/bin/sh | /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-wacom | -
/usr/libexec/gnome-session-binary | - | -
/usr/lib/systemd/systemd | - | -
/usr/lib/upower/upowerd | /usr/lib/upower/upowerd | -
/usr/libexec/gvfsd-fuse | - | -
/bin/fusermount | fusermount -u -q -z -- /run/user/1000/gvfs | -
/usr/sbin/gdm3 | - | -
/etc/gdm3/PrimeOff/Default | /etc/gdm3/PrimeOff/Default | -
/usr/bin/xfce4-session | - | -
/usr/bin/xfwm4 | xfwm4 --display :1.0 --sm-client-id 2389ab8d9-421f-49fc-90ad-c6cc4c15ac4c | -
/usr/sbin/gdm3 | - | -
/etc/gdm3/PrimeOff/Default | /etc/gdm3/PrimeOff/Default | -
/usr/bin/xfce4-session | - | -
/usr/bin/xfce4-session | - | -
/usr/bin/rm | rm -f /home/saturnino/.cache/sessions/Thunar-2ec9153f1-6fa0-4067-96b1-e5fe875b1e51 | -
/usr/bin/xfce4-session | - | -
/usr/bin/xfdesktop | xfdesktop --display :1.0 --sm-client-id 29178b886-02e2-48f2-9471-8dbd02206542 | -
/usr/bin/xfce4-session | - | -
/usr/bin/xfwm4 | xfwm4 --display :1.0 --sm-client-id 2389ab8d9-421f-49fc-90ad-c6cc4c15ac4c | -
/usr/bin/xfce4-session | - | -
/usr/bin/xfce4-panel | xfce4-panel --display :1.0 --sm-client-id 2b4cc744e-8b9d-436f-9a4a-312b40faa2ec | -
/usr/lib/systemd/systemd | - | -
/usr/lib/upower/upowerd | /usr/lib/upower/upowerd | -
/usr/lib/systemd/systemd | - | -
/usr/libexec/gvfsd | /usr/libexec/gvfsd | -
/usr/libexec/gvfsd | - | -
/usr/libexec/gvfsd | - | -
/usr/libexec/gvfsd-fuse | /usr/libexec/gvfsd-fuse /run/user/1000/gvfs -f -o big_writes | -
/usr/libexec/gvfsd-fuse | - | -
/bin/fusermount | fusermount -o rw,nosuid,nodev,subtype=gvfsd-fuse -- /run/user/1000/gvfs | -
/usr/bin/dbus-daemon | - | -
/usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd | /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd | -
/usr/bin/xfce4-session | - | -
/usr/bin/xfdesktop | xfdesktop --display :1.0 --sm-client-id 29178b886-02e2-48f2-9471-8dbd02206542 | -
/usr/bin/xfce4-session | - | -
/usr/bin/xfwm4 | xfwm4 --display :1.0 --sm-client-id 2389ab8d9-421f-49fc-90ad-c6cc4c15ac4c | -
/usr/lib/systemd/systemd | - | -
/usr/bin/journalctl | /usr/bin/journalctl --smart-relinquish-var | -
/usr/lib/systemd/systemd | - | -
/lib/systemd/systemd-journald | /lib/systemd/systemd-journald | -
/usr/bin/xfce4-session | - | -
/usr/bin/xfce4-panel | xfce4-panel --display :1.0 --sm-client-id 2b4cc744e-8b9d-436f-9a4a-312b40faa2ec | -
/usr/bin/xfce4-session | - | -
/usr/bin/xfdesktop | xfdesktop --display :1.0 --sm-client-id 29178b886-02e2-48f2-9471-8dbd02206542 | -
/usr/bin/xfce4-session | - | -
/usr/bin/xfwm4 | xfwm4 --display :1.0 --sm-client-id 2389ab8d9-421f-49fc-90ad-c6cc4c15ac4c | -
/usr/lib/systemd/systemd | - | -
/usr/lib/upower/upowerd | /usr/lib/upower/upowerd | -
/usr/bin/dbus-daemon | - | -
/usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd | /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd | -
/usr/bin/xfce4-session | - | -
/usr/bin/xfdesktop | xfdesktop --display :1.0 --sm-client-id 29178b886-02e2-48f2-9471-8dbd02206542 | -
/usr/bin/xfce4-session | - | -
/usr/bin/xfwm4 | xfwm4 --display :1.0 --sm-client-id 2389ab8d9-421f-49fc-90ad-c6cc4c15ac4c | -
/usr/lib/systemd/systemd | - | -
/usr/libexec/gvfsd | /usr/libexec/gvfsd | -
/usr/libexec/gvfsd | - | -
/usr/libexec/gvfsd | - | -
/usr/libexec/gvfsd-fuse | /usr/libexec/gvfsd-fuse /run/user/1000/gvfs -f -o big_writes | -
/usr/lib/systemd/systemd | - | -
/usr/bin/journalctl | /usr/bin/journalctl --flush | -
/usr/bin/xfce4-session | - | -
/usr/bin/xfdesktop | xfdesktop --display :1.0 --sm-client-id 29178b886-02e2-48f2-9471-8dbd02206542 | -
/usr/bin/xfce4-session | - | -
/usr/bin/xfce4-panel | xfce4-panel --display :1.0 --sm-client-id 2b4cc744e-8b9d-436f-9a4a-312b40faa2ec | -
/usr/lib/systemd/systemd | - | -
/usr/lib/upower/upowerd | /usr/lib/upower/upowerd | -
/usr/bin/xfce4-session | - | -
/usr/bin/xfce4-panel | xfce4-panel --display :1.0 --sm-client-id 2b4cc744e-8b9d-436f-9a4a-312b40faa2ec | -
/usr/bin/xfce4-panel | - | -
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 | /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libsystray.so 6 4194312 systray "Notification Area" "Area where notification icons appear" | -
/usr/bin/xfce4-panel | - | -
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 | /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libstatusnotifier.so 7 4194313 statusnotifier "Status Notifier Plugin" "Provides a panel area for status notifier items (application indicators)" | -
/usr/bin/xfce4-panel | - | -
/usr/bin/xfce4-panel | - | -
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 | /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libxfce4powermanager.so 9 4194315 power-manager-plugin "Power Manager Plugin" "Display the battery levels of your devices and control the brightness of your display" | -
/usr/bin/xfce4-panel | - | -
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 | /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libnotification-plugin.so 10 4194316 notification-plugin "Notification Plugin" "Notification plugin for the Xfce panel" | -
/usr/bin/xfce4-panel | - | -
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 | /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libactions.so 14 4194317 actions "Action Buttons" "Log out, lock or other system actions" | -
/usr/bin/xfce4-panel | - | -
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 | /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libsystray.so 6 4194312 systray "Notification Area" "Area where notification icons appear" | -
/usr/bin/xfce4-panel | - | -
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 | /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libstatusnotifier.so 7 4194313 statusnotifier "Status Notifier Plugin" "Provides a panel area for status notifier items (application indicators)" | -
/usr/bin/xfce4-panel | - | -
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 | /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libxfce4powermanager.so 9 4194315 power-manager-plugin "Power Manager Plugin" "Display the battery levels of your devices and control the brightness of your display" | -
/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 | - | -
/usr/sbin/xfpm-power-backlight-helper | /usr/sbin/xfpm-power-backlight-helper --get-max-brightness | -
/usr/lib/systemd/systemd | - | -
/usr/lib/upower/upowerd | /usr/lib/upower/upowerd | -
/usr/lib/systemd/systemd | - | -
/usr/libexec/gvfsd | /usr/libexec/gvfsd | -
/usr/libexec/gvfsd | - | -
/usr/libexec/gvfsd | - | -
/usr/libexec/gvfsd-fuse | /usr/libexec/gvfsd-fuse /run/user/1000/gvfs -f -o big_writes | -
/usr/lib/systemd/systemd | - | -
/usr/libexec/gvfsd | /usr/libexec/gvfsd | -
/usr/libexec/gvfsd | - | -
/usr/libexec/gvfsd | - | -
/usr/libexec/gvfsd-fuse | /usr/libexec/gvfsd-fuse /run/user/1000/gvfs -f -o big_writes | -

URLs

Name | IP | Malicious
http://upx.sf.net | unknown | malicious

Domains

Name | IP | Malicious
cnc.merisprivate.net. [malformed] | unknown | malicious

IPs

IP | Domain | Country | Malicious
194.120.230.54 | unknown | unknown | -
109.202.202.202 | unknown | Switzerland | -
91.189.91.43 | unknown | United Kingdom | -
91.189.91.42 | unknown | United Kingdom | -

Memdumps

Base Address | Regiontype | Protect | Malicious
417000 | - | page execute read | malicious
417000 | - | page execute read | malicious
417000 | - | page execute read | malicious
101000 | - | page execute read | -
51a000 | - | page read and write | -
300000 | - | page execute and read and write | -
24c0000 | - | page read and write | -
51a000 | - | page read and write | -
7fff137e9000 | - | page execute read | -
24c0000 | - | page read and write | -
7fff136f7000 | - | page read and write | -
24dc000 | - | page read and write | -
101000 | - | page execute read | -
7fff136f7000 | - | page read and write | -
24c0000 | - | page read and write | -
300000 | - | page execute and read and write | -
7fff137e9000 | - | page execute read | -
7fff137e9000 | - | page execute read | -
101000 | - | page execute read | -
300000 | - | page execute and read and write | -
51a000 | - | page read and write | -
7fff136f7000 | - | page read and write | -