Analysis Overview
SHA256
f606bfbb0a2f55cb9c7eb523ca03775260d253f0c4940c12a2467020be0a8e2a
Threat Level: Known bad
The file sus.txt was found to be: Known bad.
Malicious Activity Summary
xmrig
XMRig Miner payload
UPX packed file
Unexpected DNS network traffic destination
Executes dropped EXE
Runs EXE from memory
Checks hardware identifiers (DMI)
Enumerates running processes
Reads hardware information
Checks CPU configuration
Reads CPU attributes
Writes file to tmp directory
Reads runtime system information
Enumerates kernel/hardware configuration
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-23 14:05
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-23 14:05
Reported
2024-08-23 14:07
Platform
ubuntu2404-amd64-20240523-en
Max time kernel
149s
Max time network
131s
Command Line
Signatures
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /usr/share/netplan/netplan_cli/__pycache__/apache2 | /usr/share/netplan/netplan_cli/__pycache__/apache2 | N/A |
| N/A | /usr/include/sound/intel/avs/apache2 | /usr/include/sound/intel/avs/apache2 | N/A |
| N/A | /usr/include/sound/intel/avs/apache2 | /usr/include/sound/intel/avs/apache2 | N/A |
Runs EXE from memory
| Description | Indicator | Process | Target |
| N/A | /proc/2844/fd/10 | /proc/2844/fd/10 | N/A |
| N/A | /proc/2874/fd/4 | /proc/2874/fd/4 | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
Checks hardware identifiers (DMI)
| Description | Indicator | Process | Target |
| File opened for reading | /sys/devices/virtual/dmi/id/product_name | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/board_vendor | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/bios_vendor | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/sys_vendor | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/product_name | /proc/2844/fd/10 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/board_vendor | /proc/2844/fd/10 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/bios_vendor | /proc/2844/fd/10 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/sys_vendor | /proc/2844/fd/10 | N/A |
Enumerates running processes
Reads hardware information
| Description | Indicator | Process | Target |
| File opened for reading | /sys/devices/virtual/dmi/id/chassis_serial | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/product_serial | /proc/2844/fd/10 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/chassis_vendor | /proc/2844/fd/10 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/chassis_asset_tag | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/bios_version | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/bios_date | /proc/2844/fd/10 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/board_name | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/chassis_asset_tag | /proc/2844/fd/10 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/bios_version | /proc/2844/fd/10 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/chassis_vendor | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/product_version | /proc/2844/fd/10 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/board_serial | /proc/2844/fd/10 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/board_version | /proc/2844/fd/10 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/product_version | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/board_version | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/chassis_version | /proc/2844/fd/10 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/chassis_serial | /proc/2844/fd/10 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/product_serial | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/board_name | /proc/2844/fd/10 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/board_asset_tag | /proc/2844/fd/10 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/product_uuid | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/bios_date | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/product_uuid | /proc/2844/fd/10 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/chassis_type | /proc/2844/fd/10 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/chassis_type | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/chassis_version | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/board_serial | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/board_asset_tag | /proc/2874/fd/4 | N/A |
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /tmp/sus.txt | N/A |
| File opened for reading | /proc/cpuinfo | /proc/2844/fd/10 | N/A |
| File opened for reading | /proc/cpuinfo | /proc/2874/fd/4 | N/A |
Reads CPU attributes
| Description | Indicator | Process | Target |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index0/physical_line_partition | /proc/2844/fd/10 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index1/type | /proc/2844/fd/10 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index7/shared_cpu_map | /proc/2844/fd/10 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index3/level | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/topology/core_cpus | /proc/2844/fd/10 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index3/level | /proc/2844/fd/10 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index2/number_of_sets | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/topology/cluster_cpus | /proc/2844/fd/10 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index0/shared_cpu_map | /proc/2844/fd/10 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index2/coherency_line_size | /proc/2844/fd/10 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index0/number_of_sets | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index8/shared_cpu_map | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/topology/package_cpus | /proc/2844/fd/10 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index1/id | /proc/2844/fd/10 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/topology/package_cpus | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index1/type | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index2/type | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index0/size | /proc/2844/fd/10 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index2/coherency_line_size | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index3/size | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index3/physical_line_partition | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index7/shared_cpu_map | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index4/shared_cpu_map | /proc/2844/fd/10 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index0/id | /proc/2844/fd/10 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index1/level | /proc/2844/fd/10 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index2/shared_cpu_map | /proc/2844/fd/10 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index2/physical_line_partition | /proc/2844/fd/10 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index3/type | /proc/2844/fd/10 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cpufreq/base_frequency | /proc/2844/fd/10 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index0/type | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index0/level | /proc/2844/fd/10 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index2/physical_line_partition | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index9/shared_cpu_map | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index2/shared_cpu_map | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index4/shared_cpu_map | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index6/shared_cpu_map | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index0/type | /proc/2844/fd/10 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index6/shared_cpu_map | /proc/2844/fd/10 | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | /proc/2844/fd/10 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/topology/die_cpus | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index2/level | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index0/coherency_line_size | /proc/2844/fd/10 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index3/coherency_line_size | /proc/2844/fd/10 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index3/number_of_sets | /proc/2844/fd/10 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index3/physical_line_partition | /proc/2844/fd/10 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/topology/core_cpus | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/topology/core_id | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index0/coherency_line_size | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index0/physical_line_partition | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index3/shared_cpu_map | /proc/2844/fd/10 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index5/shared_cpu_map | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index1/level | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/topology/physical_package_id | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index3/number_of_sets | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq | /proc/2844/fd/10 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index3/type | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index0/id | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index1/shared_cpu_map | /proc/2844/fd/10 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index2/id | /proc/2844/fd/10 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index2/size | /proc/2844/fd/10 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index3/id | /proc/2844/fd/10 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index3/size | /proc/2844/fd/10 | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index0/size | /proc/2874/fd/4 | N/A |
Enumerates kernel/hardware configuration
| Description | Indicator | Process | Target |
| File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | /tmp/sus.txt | N/A |
| File opened for reading | /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages | /proc/2844/fd/10 | N/A |
| File opened for reading | /sys/devices/system/node/node0/access0/initiators/write_latency | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/devices/virtual/block/loop6/loop/autoclear | /usr/bin/mount | N/A |
| File opened for reading | /sys/devices/virtual/block/loop2/loop/autoclear | /usr/bin/mount | N/A |
| File opened for reading | /sys/devices/cpu_core/cpus | /proc/2844/fd/10 | N/A |
| File opened for reading | /sys/devices/virtual/block/loop4/loop/backing_file | /usr/bin/mount | N/A |
| File opened for reading | /sys/devices/system/node/node0/hugepages/hugepages-2048kB/free_hugepages | /proc/2844/fd/10 | N/A |
| File opened for reading | /sys/devices/cpu_atom/cpus | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/devices/system/node/node0/cpumap | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/devices/system/node/node0/meminfo | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/devices/virtual/block/loop1/loop/autoclear | /usr/bin/mount | N/A |
| File opened for reading | /sys/devices/virtual/block/loop3/loop/backing_file | /usr/bin/mount | N/A |
| File opened for reading | /sys/fs/cgroup/cgroup.controllers | /proc/2844/fd/10 | N/A |
| File opened for reading | /sys/devices/system/node/online | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/bus/dax/devices | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/firmware/dmi/tables/smbios_entry_point | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/devices/virtual/block/loop3/loop/backing_file | /usr/bin/mount | N/A |
| File opened for reading | /sys/devices/system/node/node0/meminfo | /proc/2844/fd/10 | N/A |
| File opened for reading | /sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages | /proc/2844/fd/10 | N/A |
| File opened for reading | /sys/devices/system/node/node0/access0/initiators/write_bandwidth | /proc/2844/fd/10 | N/A |
| File opened for reading | /sys/kernel/mm/hugepages | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/devices/system/node/node0/hugepages/hugepages-1048576kB/nr_hugepages | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/devices/system/node/node0/hugepages | /proc/2844/fd/10 | N/A |
| File opened for reading | /sys/firmware/dmi/tables/smbios_entry_point | /proc/2844/fd/10 | N/A |
| File opened for reading | /sys/devices/cpu_core/cpus | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/dev/block/7:0 | /usr/bin/mount | N/A |
| File opened for reading | /sys/dev/block/7:3 | /usr/bin/mount | N/A |
| File opened for reading | /sys/devices/virtual/block/loop5/loop/autoclear | /usr/bin/mount | N/A |
| File opened for reading | /sys/firmware/dmi/tables/DMI | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/devices/cpu_atom/cpus | /proc/2844/fd/10 | N/A |
| File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | /usr/include/sound/intel/avs/apache2 | N/A |
| File opened for reading | /sys/devices/virtual/block/loop6/loop/backing_file | /usr/bin/mount | N/A |
| File opened for reading | /sys/fs/cgroup/cpuset.mems.effective | /proc/2844/fd/10 | N/A |
| File opened for reading | /sys/devices/virtual/block/loop4/loop/backing_file | /usr/bin/mount | N/A |
| File opened for reading | /sys/block/dm-0/dm/name | /usr/bin/mount | N/A |
| File opened for reading | /sys/dev/block/7:0 | /usr/bin/mount | N/A |
| File opened for reading | /sys/kernel/mm/hugepages/hugepages-1048576kB/nr_hugepages | /proc/2844/fd/10 | N/A |
| File opened for reading | /sys/devices/system/node/node0/hugepages/hugepages-2048kB/free_hugepages | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/dev/block/7:1 | /usr/bin/mount | N/A |
| File opened for reading | /sys/devices/virtual/block/loop2/loop/backing_file | /usr/bin/mount | N/A |
| File opened for reading | /sys/dev/block/7:6 | /usr/bin/mount | N/A |
| File opened for reading | /sys/devices/system/cpu | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/devices/system/node/node0/access0/initiators | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/devices/virtual/block/loop4/loop/autoclear | /usr/bin/mount | N/A |
| File opened for reading | /sys/dev/block/7:5 | /usr/bin/mount | N/A |
| File opened for reading | /sys/devices/system/node/node0/hugepages/hugepages-1048576kB/nr_hugepages | /proc/2844/fd/10 | N/A |
| File opened for reading | /sys/devices/system/node/node0/access0/initiators/read_latency | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | /tmp/sus.txt | N/A |
| File opened for reading | /sys/bus/soc/devices | /proc/2844/fd/10 | N/A |
| File opened for reading | /sys/fs/cgroup/cpuset.cpus.effective | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/dev/block/7:2 | /usr/bin/mount | N/A |
| File opened for reading | /sys/firmware/dmi/tables/DMI | /proc/2844/fd/10 | N/A |
| File opened for reading | /sys/fs/cgroup/cpuset.mems.effective | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/devices/virtual/block/loop2/loop/backing_file | /usr/bin/mount | N/A |
| File opened for reading | /sys/dev/block/7:3 | /usr/bin/mount | N/A |
| File opened for reading | /sys/dev/block/7:5 | /usr/bin/mount | N/A |
| File opened for reading | /sys/devices/virtual/block/loop5/loop/backing_file | /usr/bin/mount | N/A |
| File opened for reading | /sys/kernel/mm/hugepages | /proc/2844/fd/10 | N/A |
| File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | /usr/include/sound/intel/avs/apache2 | N/A |
| File opened for reading | /sys/kernel/mm/hugepages/hugepages-1048576kB/nr_hugepages | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/devices/system/node/node0/access0/initiators/write_bandwidth | /proc/2874/fd/4 | N/A |
| File opened for reading | /sys/devices/system/node/node0/hugepages | /proc/2874/fd/4 | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/pressure | /tmp/sus.txt | N/A |
| File opened for reading | /proc/2553 | /tmp/sus.txt | N/A |
| File opened for reading | /proc/2138/cmdline | /usr/include/sound/intel/avs/apache2 | N/A |
| File opened for reading | /proc/2035 | /tmp/sus.txt | N/A |
| File opened for reading | /proc/508 | /tmp/sus.txt | N/A |
| File opened for reading | /proc/19 | /tmp/sus.txt | N/A |
| File opened for reading | /proc/364 | /tmp/sus.txt | N/A |
| File opened for reading | /proc/71 | /tmp/sus.txt | N/A |
| File opened for reading | /proc/2277/cmdline | /tmp/sus.txt | N/A |
| File opened for reading | /proc/791/cmdline | /usr/include/sound/intel/avs/apache2 | N/A |
| File opened for reading | /proc/2497/cmdline | /tmp/sus.txt | N/A |
| File opened for reading | /proc/2462 | /tmp/sus.txt | N/A |
| File opened for reading | /proc/2630 | /tmp/sus.txt | N/A |
| File opened for reading | /proc/33 | /tmp/sus.txt | N/A |
| File opened for reading | /proc/234/cmdline | /tmp/sus.txt | N/A |
| File opened for reading | /proc/37/cmdline | /tmp/sus.txt | N/A |
| File opened for reading | /proc/195/cmdline | /usr/include/sound/intel/avs/apache2 | N/A |
| File opened for reading | /proc/51 | /tmp/sus.txt | N/A |
| File opened for reading | /proc/2211/cmdline | /tmp/sus.txt | N/A |
| File opened for reading | /proc/2491/cmdline | /tmp/sus.txt | N/A |
| File opened for reading | /proc/508/cmdline | /tmp/sus.txt | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/mount | N/A |
| File opened for reading | /proc/driver/nvidia/gpus | /proc/2844/fd/10 | N/A |
| File opened for reading | /proc/151/cmdline | /tmp/sus.txt | N/A |
| File opened for reading | /proc/456/cmdline | /tmp/sus.txt | N/A |
| File opened for reading | /proc/53/cmdline | /usr/include/sound/intel/avs/apache2 | N/A |
| File opened for reading | /proc/188/cmdline | /tmp/sus.txt | N/A |
| File opened for reading | /proc/188 | /tmp/sus.txt | N/A |
| File opened for reading | /proc/2348/cmdline | /usr/include/sound/intel/avs/apache2 | N/A |
| File opened for reading | /proc/580 | /tmp/sus.txt | N/A |
| File opened for reading | /proc/833 | /tmp/sus.txt | N/A |
| File opened for reading | /proc/15/cmdline | /tmp/sus.txt | N/A |
| File opened for reading | /proc/2573/cmdline | /tmp/sus.txt | N/A |
| File opened for reading | /proc/41/cmdline | /tmp/sus.txt | N/A |
| File opened for reading | /proc/2015/cmdline | /usr/include/sound/intel/avs/apache2 | N/A |
| File opened for reading | /proc/2658 | /tmp/sus.txt | N/A |
| File opened for reading | /proc/2322/cmdline | /tmp/sus.txt | N/A |
| File opened for reading | /proc/199 | /tmp/sus.txt | N/A |
| File opened for reading | /proc/17/cmdline | /tmp/sus.txt | N/A |
| File opened for reading | /proc/2565/cmdline | /tmp/sus.txt | N/A |
| File opened for reading | /proc/1069/cmdline | /usr/include/sound/intel/avs/apache2 | N/A |
| File opened for reading | /proc/11/cmdline | /usr/include/sound/intel/avs/apache2 | N/A |
| File opened for reading | /proc/456/cmdline | /usr/include/sound/intel/avs/apache2 | N/A |
| File opened for reading | /proc/2334 | /tmp/sus.txt | N/A |
| File opened for reading | /proc/2767 | /tmp/sus.txt | N/A |
| File opened for reading | /proc/438 | /tmp/sus.txt | N/A |
| File opened for reading | /proc/198/cmdline | /tmp/sus.txt | N/A |
| File opened for reading | /proc/80/cmdline | /tmp/sus.txt | N/A |
| File opened for reading | /proc/364/cmdline | /usr/include/sound/intel/avs/apache2 | N/A |
| File opened for reading | /proc/2616 | /tmp/sus.txt | N/A |
| File opened for reading | /proc/37 | /tmp/sus.txt | N/A |
| File opened for reading | /proc/2491 | /tmp/sus.txt | N/A |
| File opened for reading | /proc/2187/cmdline | /tmp/sus.txt | N/A |
| File opened for reading | /proc/36/cmdline | /tmp/sus.txt | N/A |
| File opened for reading | /proc/9 | /tmp/sus.txt | N/A |
| File opened for reading | /proc/64 | /tmp/sus.txt | N/A |
| File opened for reading | /proc/2015 | /tmp/sus.txt | N/A |
| File opened for reading | /proc/792 | /tmp/sus.txt | N/A |
| File opened for reading | /proc/1343/cmdline | /tmp/sus.txt | N/A |
| File opened for reading | /proc/2491/cmdline | /tmp/sus.txt | N/A |
| File opened for reading | /proc/7/cmdline | /tmp/sus.txt | N/A |
| File opened for reading | /proc/2553/cmdline | /usr/include/sound/intel/avs/apache2 | N/A |
| File opened for reading | /proc/2630 | /tmp/sus.txt | N/A |
| File opened for reading | /proc/29/cmdline | /tmp/sus.txt | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/.kkk | /usr/share/netplan/netplan_cli/__pycache__/apache2 | N/A |
| File opened for modification | /tmp/.pp | /usr/include/sound/intel/avs/apache2 | N/A |
| File opened for modification | /tmp/.ll | /usr/include/sound/intel/avs/apache2 | N/A |
| File opened for modification | /tmp/.kkk | /usr/include/sound/intel/avs/apache2 | N/A |
Processes
/tmp/sus.txt
[/tmp/sus.txt]
/tmp/sus.txt
[kdev_tfs]
/usr/bin/mount
[mount]
/usr/bin/mount
[mount]
/usr/bin/bash
[bash -c ./apache2]
/usr/share/netplan/netplan_cli/__pycache__/apache2
[./apache2]
/proc/2844/fd/10
[./10 -c/tmp/.kkk]
/usr/bin/bash
[bash -c ./apache2]
/usr/include/sound/intel/avs/apache2
[./apache2]
/usr/include/sound/intel/avs/apache2
[/usr/libexec/goa-identity-seTrice]
/proc/2874/fd/4
[./4 -c/tmp/.kkk]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 1.1.1.1:53 | api.github.com | udp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 1.1.1.1:53 | github.com | udp |
| US | 1.1.1.1:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 1.1.1.1:53 | objects.githubusercontent.com | udp |
| US | 1.1.1.1:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 208.67.222.222:53 | mine.c3pool.com | udp |
| US | 1.1.1.1:53 | api.github.com | udp |
| US | 1.1.1.1:53 | api.github.com | udp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 1.1.1.1:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 1.1.1.1:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 208.67.222.222:53 | mine.c3pool.com | udp |
Files
memory/2830-1-0x0000000000400000-0x0000000001385d18-memory.dmp
/var/tmp/systemd-private-cPScUvjOx3qpNfGdVXDitop9UKyJDl4g-ModemManager.service-IYNQpD
| MD5 | 4e563c55f6f4d1b34241bb756e6ad59c |
| SHA1 | c95bd09a2463a7786892b647f3bd8f55f08f24bc |
| SHA256 | abdd3ab96772e81397cf4c909af1bbe7cd07531f7f49e5f4c4c56e3b353ec4db |
| SHA512 | 4fe91963fb1ae1cae15af2ab6113fe56aec345315e9b72e303d48a67bfa145bb52f6491cef4e7e38aa68720dad32cc7230283aefed866d84d5cc4d3a55fbf633 |
/var/tmp/systemd-private-Zn1pX98sIA6UypDhjHVpsU4szxzpT8ct-ModemManager.service-U9mnmc
| MD5 | 6775a0635c302542da2c32aa19d86be0 |
| SHA1 | 1840914967dc0c2863a4ea68a2c13f044bc115a6 |
| SHA256 | dfaab096bd21200516e6780b2dd4c5dbff2f8f1172b9dfc3741331d2fe6af997 |
| SHA512 | 1ae9e5d1f881c63c4bdd8b391256961b4922c5e0f8aff54ad246486096c9d65809e6a1634acd26ec42b91b9d5db1ea52ed814d3029fe307b3b8fd5cfcaa03bf1 |
memory/2835-2-0x0000000000400000-0x0000000001385d18-memory.dmp
/usr/share/netplan/netplan_cli/__pycache__/apache2
| MD5 | 2bec6ef2881caac7d1bb4b2c57c4773f |
| SHA1 | 2ee6359c2983751bbe82f3f466f4a6f055f48d95 |
| SHA256 | e85169d1faa3926b29e82b9799bc96dd6144adef421312e94d24668cf82e44d1 |
| SHA512 | f2c0ded44febdf0019ea0dabce42b496ae58c283f936c7503bca0410efa18aa2410c1670cdb7026461a1ba168693fad21fd2571e817b53df91458d3b8fc11421 |
memory/2844-3-0x0000000000400000-0x0000000000f399f8-memory.dmp
/tmp/.kkk
| MD5 | 70ad4e6f1089d13e412a9f7046cc51fc |
| SHA1 | 83920f222e58c1dd9e83d8b77e59262dce8c41e4 |
| SHA256 | c877649ee42669d9e65222265e8fa6ed6020a0eeeb96760406921e8b7c08a055 |
| SHA512 | bd9d71cf6181bdc388bcc4885cd84a6d7f76607cdb52280db1dacfee92a564e96d249f36e4337c284905771a22ad276fd926d6f56b49518bae359f6a09f38e94 |
/proc/2844/fd/10
| MD5 | 0f0adb77cf679daf2d49e341fbfd7460 |
| SHA1 | 8e42b566c1a60737b12ee752a285e3cf5fdb7050 |
| SHA256 | 7d09b48bfcd06abcca521ff32ce5b7a7e05865a7b6cf2d655fad690e6d896915 |
| SHA512 | 2b244e2d64cb5e844d883d328a324e9bc9612548232c820d4f246ef335363307a16262c424bec507d82f9ac613144b500ca55738d7ee6411bef73bc730ca53ba |
memory/2848-4-0x0000000000400000-0x0000000000cbed38-memory.dmp
memory/2870-5-0x0000000000400000-0x0000000000f399f8-memory.dmp
/tmp/.ll
| MD5 | 55f7dad946353d3658e52e334413d3b4 |
| SHA1 | cb93c8ff972bbc512ec469e8a5c9adc7e252c858 |
| SHA256 | 52cab02b56ed3baa70bdf95ab6641740959f8fba74d7975e1f70a8ba333ab9f4 |
| SHA512 | 960d61a2d7fcc21398e6e4d3b89b9dd8021f5ae1ed498fd13a853b0c3dcf1e7c659c7709860da80b2a48ca7a0a49237719c6dd97d12c01521d62b8029cfe79ac |
/tmp/.pp
| MD5 | e6af401c28c1790eaef7d55c92ab6ab6 |
| SHA1 | 00204e1a5b3b38239885d598ee136dc54e3b6bba |
| SHA256 | 25f2044c9fa1f3e56e58318f7c675baee722466f25e3694420997ec8984448da |
| SHA512 | c597ee19fb20d446a24418784bef95af89805acdee2ffadce5069be3225f18518d1225a694cf60209f2f76ebad3be9130fd8793e0b7d969fbef347d1c70da636 |
memory/2874-6-0x0000000000400000-0x0000000000f399f8-memory.dmp
/tmp/.kkk
| MD5 | 7b558e4b1d263c610a08a0859e59c18b |
| SHA1 | 10407b20e2544da1eaa68ac84a53d6ad1315feb1 |
| SHA256 | 3ec57124a8811a8163e2fe007ec92adea9f1e8532c0658165878a48fa808b257 |
| SHA512 | b8470acd20055b32e48d96eb1d929dcd0b947468b4c8f0e0723812fe83570dd8cbd8fbe65c8fb2d2571304438e484eca6078ec41d338f43f4897eb2d93e9d29f |
memory/2878-7-0x0000000000400000-0x0000000000cbed38-memory.dmp