Play interactive tour

Edit tour

Analysis Report finspy.sh

Overview

General Information

Sample Name:	finspy.sh
Analysis ID:	1250217
MD5:	bd212fcdf3138b5c1dd890098f16f51e
SHA1:	a85e4c8c2afa4da357d2209535c4140bd9809617
SHA256:	1e9162cd0941557304a6a097dfaadf59f90bc8bbaa9879afe67b5ce0d1514be8

Detection

FinSpy

Score:	76
Range:	0 - 100
Whitelisted:	false

Signatures

Yara detected FinSpy

Modifies the '.bashrc' or '.bash_profile' file typically for persisting actions

Opens /sys/class/net/* files useful for querying network interface information

Sample deletes itself

Searches for processes related to Bluetooth scanning

Searches for processes related to IMSI grabbing

Searches for processes related to WiFI attacking

Writes ELF files to hidden directories

Creates hidden files and/or directories

Enumerates processes within the "proc" file system

Executes commands using a shell command-line interpreter

Executes the "chmod" command used to modify permissions

Executes the "grep" command used to find patterns in files or piped streams

Executes the "ps" command used to list the status of processes

Executes the "rm" command used to delete files or directories

Reads CPU information from /sys indicative of miner or evasive malware

Reads system information from the proc file system

Sample contains strings that are potentially command strings

Sample tries to set the executable flag

Uses the "uname" system call to query kernel version information (possible evasion)

Writes ELF files to disk

Classification

Startup

system is lnxcentos1

sh (PID: 3246, Parent: 3183, MD5: 0719e857695fd4c17ad5bb4547909e5a) Arguments: /bin/sh /tmp/finspy.sh

sh New Fork (PID: 3249, Parent: 3246)

sh New Fork (PID: 3252, Parent: 3249)

od (PID: 3252, Parent: 3249, MD5: 39105419a1e5a2d87eb8c61465a59c93) Arguments: od -j4 -N1 -An -t u1

sh New Fork (PID: 3253, Parent: 3249)

tr (PID: 3253, Parent: 3249, MD5: d395baaa4f54446576b2ccd7b96f764d) Arguments: tr -d " "

sh New Fork (PID: 3256, Parent: 3246)

sh New Fork (PID: 3259, Parent: 3256)

grep (PID: 3259, Parent: 3256, MD5: 6cd81dedcf076b9ad7cfbfec976245d5) Arguments: grep --text --line-number ^__x64xx__$ /tmp/finspy.sh

sh New Fork (PID: 3260, Parent: 3256)

cut (PID: 3260, Parent: 3256, MD5: efc6d453911f2a7118d4d8afb42aee00) Arguments: cut -d : -f 1

sh New Fork (PID: 3265, Parent: 3246)

tail (PID: 3265, Parent: 3246, MD5: 2f9dc46f27039ede203b1086e6fe5657) Arguments: tail -n +10905 /tmp/finspy.sh

sh New Fork (PID: 3311, Parent: 3246)

chmod (PID: 3311, Parent: 3246, MD5: 5a67425617564cb642037e48fde43fb4) Arguments: chmod +x /tmp/udev2

sh New Fork (PID: 3324, Parent: 3246)

su (PID: 3324, Parent: 3246, MD5: 5c28dbb5ba2104bbb4a1efceb1b79dd7) Arguments: su -c /tmp/udev2 user

su New Fork (PID: 3357, Parent: 3324)

bash (PID: 3357, Parent: 3324, MD5: 0719e857695fd4c17ad5bb4547909e5a) Arguments: bash -c /tmp/udev2

udev2 (PID: 3357, Parent: 3324, MD5: 0cd5adee35d5e3f15a5146148855eb99) Arguments: /tmp/udev2

udev2 New Fork (PID: 3376, Parent: 3357)

kthreadd (PID: 3376, Parent: 1, MD5: unknown) Arguments: kthreadd 80.so RunDll

kthreadd New Fork (PID: 3417, Parent: 3376)

kthreadd New Fork (PID: 3420, Parent: 3417)

bash (PID: 3420, Parent: 3417, MD5: 0719e857695fd4c17ad5bb4547909e5a) Arguments: sh -c "ls /dev/disk/by-id/ 2>/dev/null"

bash New Fork (PID: 3421, Parent: 3420)

ls (PID: 3421, Parent: 3420, MD5: a78c13d806e594dc4014d145d689f23d) Arguments: ls /dev/disk/by-id/

kthreadd New Fork (PID: 3425, Parent: 3417)

bash (PID: 3425, Parent: 3417, MD5: 0719e857695fd4c17ad5bb4547909e5a) Arguments: sh -c "cat /sys/class/net/eth?/address 2>/dev/null"

bash New Fork (PID: 3429, Parent: 3425)

cat (PID: 3429, Parent: 3425, MD5: 3e060fa294264b25491834c902dbeaba) Arguments: cat /sys/class/net/eth?/address

kthreadd New Fork (PID: 3443, Parent: 3417)

bash (PID: 3443, Parent: 3417, MD5: 0719e857695fd4c17ad5bb4547909e5a) Arguments: sh -c "cat /sys/class/net/wlan?/address 2>/dev/null"

bash New Fork (PID: 3447, Parent: 3443)

cat (PID: 3447, Parent: 3443, MD5: 3e060fa294264b25491834c902dbeaba) Arguments: cat /sys/class/net/wlan?/address

kthreadd New Fork (PID: 3454, Parent: 3417)

bash (PID: 3454, Parent: 3417, MD5: 0719e857695fd4c17ad5bb4547909e5a) Arguments: sh -c "ls /sys/class/net/ 2>/dev/null | awk '{printf (\"%s\\n\", $1)}' 2>/dev/null"

bash New Fork (PID: 3460, Parent: 3454)

ls (PID: 3460, Parent: 3454, MD5: a78c13d806e594dc4014d145d689f23d) Arguments: ls /sys/class/net/

bash New Fork (PID: 3461, Parent: 3454)

awk (PID: 3461, Parent: 3454, MD5: 36e491b1e47944fb397b84f790ef5093) Arguments: awk "{printf (\"%s\\n\", $1)}"

kthreadd New Fork (PID: 3473, Parent: 3417)

bash (PID: 3473, Parent: 3417, MD5: 0719e857695fd4c17ad5bb4547909e5a) Arguments: sh -c "cat /sys/class/net/enp0s3/address 2>/dev/null"

bash New Fork (PID: 3480, Parent: 3473)

cat (PID: 3480, Parent: 3473, MD5: 3e060fa294264b25491834c902dbeaba) Arguments: cat /sys/class/net/enp0s3/address

kthreadd New Fork (PID: 3488, Parent: 3417)

bash (PID: 3488, Parent: 3417, MD5: 0719e857695fd4c17ad5bb4547909e5a) Arguments: sh -c "cat /sys/class/net/virbr0/address 2>/dev/null"

bash New Fork (PID: 3495, Parent: 3488)

cat (PID: 3495, Parent: 3488, MD5: 3e060fa294264b25491834c902dbeaba) Arguments: cat /sys/class/net/virbr0/address

kthreadd New Fork (PID: 3502, Parent: 3417)

bash (PID: 3502, Parent: 3417, MD5: 0719e857695fd4c17ad5bb4547909e5a) Arguments: sh -c "cat /sys/class/net/virbr0-nic/address 2>/dev/null"

bash New Fork (PID: 3509, Parent: 3502)

cat (PID: 3509, Parent: 3502, MD5: 3e060fa294264b25491834c902dbeaba) Arguments: cat /sys/class/net/virbr0-nic/address

kthreadd New Fork (PID: 3516, Parent: 3417)

bash (PID: 3516, Parent: 3417, MD5: 0719e857695fd4c17ad5bb4547909e5a) Arguments: sh -c "cat /var/lib/dbus/machine-id 2>/dev/null"

bash New Fork (PID: 3523, Parent: 3516)

cat (PID: 3523, Parent: 3516, MD5: 3e060fa294264b25491834c902dbeaba) Arguments: cat /var/lib/dbus/machine-id

kthreadd New Fork (PID: 3657, Parent: 3417)

bash (PID: 3657, Parent: 3417, MD5: 0719e857695fd4c17ad5bb4547909e5a) Arguments: sh -c "ls /sys/class/net/ 2>/dev/null | awk '{printf (\"%s\\n\", $1)}' 2>/dev/null"

bash New Fork (PID: 3658, Parent: 3657)

ls (PID: 3658, Parent: 3657, MD5: a78c13d806e594dc4014d145d689f23d) Arguments: ls /sys/class/net/

bash New Fork (PID: 3659, Parent: 3657)

awk (PID: 3659, Parent: 3657, MD5: 36e491b1e47944fb397b84f790ef5093) Arguments: awk "{printf (\"%s\\n\", $1)}"

kthreadd New Fork (PID: 3731, Parent: 3417)

bash (PID: 3731, Parent: 3417, MD5: 0719e857695fd4c17ad5bb4547909e5a) Arguments: sh -c "ps auxww | grep -iEe 'wifi-scan' | grep -v -e grep"

bash New Fork (PID: 3732, Parent: 3731)

ps (PID: 3732, Parent: 3731, MD5: c13a1d1dad08ab8444f35ce966cc3e29) Arguments: ps auxww

bash New Fork (PID: 3733, Parent: 3731)

grep (PID: 3733, Parent: 3731, MD5: 6cd81dedcf076b9ad7cfbfec976245d5) Arguments: grep -iEe wifi-scan

bash New Fork (PID: 3734, Parent: 3731)

grep (PID: 3734, Parent: 3731, MD5: 6cd81dedcf076b9ad7cfbfec976245d5) Arguments: grep -v -e grep

kthreadd New Fork (PID: 3742, Parent: 3417)

bash (PID: 3742, Parent: 3417, MD5: 0719e857695fd4c17ad5bb4547909e5a) Arguments: sh -c "ps auxww | grep -iEe 'wifi-catcher' | grep -v -e grep"

bash New Fork (PID: 3750, Parent: 3742)

ps (PID: 3750, Parent: 3742, MD5: c13a1d1dad08ab8444f35ce966cc3e29) Arguments: ps auxww

bash New Fork (PID: 3751, Parent: 3742)

grep (PID: 3751, Parent: 3742, MD5: 6cd81dedcf076b9ad7cfbfec976245d5) Arguments: grep -iEe wifi-catcher

bash New Fork (PID: 3752, Parent: 3742)

grep (PID: 3752, Parent: 3742, MD5: 6cd81dedcf076b9ad7cfbfec976245d5) Arguments: grep -v -e grep

kthreadd New Fork (PID: 3794, Parent: 3417)

bash (PID: 3794, Parent: 3417, MD5: 0719e857695fd4c17ad5bb4547909e5a) Arguments: sh -c "ps auxww | grep -iEe 'wifi-attack' | grep -v -e grep"

bash New Fork (PID: 3798, Parent: 3794)

ps (PID: 3798, Parent: 3794, MD5: c13a1d1dad08ab8444f35ce966cc3e29) Arguments: ps auxww

bash New Fork (PID: 3799, Parent: 3794)

grep (PID: 3799, Parent: 3794, MD5: 6cd81dedcf076b9ad7cfbfec976245d5) Arguments: grep -iEe wifi-attack

bash New Fork (PID: 3800, Parent: 3794)

grep (PID: 3800, Parent: 3794, MD5: 6cd81dedcf076b9ad7cfbfec976245d5) Arguments: grep -v -e grep

kthreadd New Fork (PID: 3819, Parent: 3417)

bash (PID: 3819, Parent: 3417, MD5: 0719e857695fd4c17ad5bb4547909e5a) Arguments: sh -c "ps auxww | grep -iEe 'wifi-jam' | grep -v -e grep"

bash New Fork (PID: 3826, Parent: 3819)

ps (PID: 3826, Parent: 3819, MD5: c13a1d1dad08ab8444f35ce966cc3e29) Arguments: ps auxww

bash New Fork (PID: 3827, Parent: 3819)

grep (PID: 3827, Parent: 3819, MD5: 6cd81dedcf076b9ad7cfbfec976245d5) Arguments: grep -iEe wifi-jam

bash New Fork (PID: 3828, Parent: 3819)

grep (PID: 3828, Parent: 3819, MD5: 6cd81dedcf076b9ad7cfbfec976245d5) Arguments: grep -v -e grep

kthreadd New Fork (PID: 3865, Parent: 3417)

bash (PID: 3865, Parent: 3417, MD5: 0719e857695fd4c17ad5bb4547909e5a) Arguments: sh -c "ps auxww | grep -iEe 'wifi-imsi-grabber' | grep -v -e grep"

bash New Fork (PID: 3872, Parent: 3865)

ps (PID: 3872, Parent: 3865, MD5: c13a1d1dad08ab8444f35ce966cc3e29) Arguments: ps auxww

bash New Fork (PID: 3873, Parent: 3865)

grep (PID: 3873, Parent: 3865, MD5: 6cd81dedcf076b9ad7cfbfec976245d5) Arguments: grep -iEe wifi-imsi-grabber

bash New Fork (PID: 3874, Parent: 3865)

grep (PID: 3874, Parent: 3865, MD5: 6cd81dedcf076b9ad7cfbfec976245d5) Arguments: grep -v -e grep

kthreadd New Fork (PID: 3899, Parent: 3417)

bash (PID: 3899, Parent: 3417, MD5: 0719e857695fd4c17ad5bb4547909e5a) Arguments: sh -c "ps auxww | grep -iEe 'bt-scan' | grep -v -e grep"

bash New Fork (PID: 3906, Parent: 3899)

ps (PID: 3906, Parent: 3899, MD5: c13a1d1dad08ab8444f35ce966cc3e29) Arguments: ps auxww

bash New Fork (PID: 3907, Parent: 3899)

grep (PID: 3907, Parent: 3899, MD5: 6cd81dedcf076b9ad7cfbfec976245d5) Arguments: grep -iEe bt-scan

bash New Fork (PID: 3908, Parent: 3899)

grep (PID: 3908, Parent: 3899, MD5: 6cd81dedcf076b9ad7cfbfec976245d5) Arguments: grep -v -e grep

kthreadd New Fork (PID: 4051, Parent: 3417)

dbus-launch (PID: 4051, Parent: 3417, MD5: ab4ac72a6958515e8bdaae3d80b7d075) Arguments: dbus-launch --autolaunch 24cb8984dc734c5f8c17ef2abd3dba17 --binary-syntax --close-stderr

kthreadd New Fork (PID: 4068, Parent: 3417)

bash (PID: 4068, Parent: 3417, MD5: 0719e857695fd4c17ad5bb4547909e5a) Arguments: sh -c "ps auxww | grep -iEe 'wifi-scan' | grep -v -e grep"

bash New Fork (PID: 4069, Parent: 4068)

ps (PID: 4069, Parent: 4068, MD5: c13a1d1dad08ab8444f35ce966cc3e29) Arguments: ps auxww

bash New Fork (PID: 4070, Parent: 4068)

grep (PID: 4070, Parent: 4068, MD5: 6cd81dedcf076b9ad7cfbfec976245d5) Arguments: grep -iEe wifi-scan

bash New Fork (PID: 4071, Parent: 4068)

grep (PID: 4071, Parent: 4068, MD5: 6cd81dedcf076b9ad7cfbfec976245d5) Arguments: grep -v -e grep

kthreadd New Fork (PID: 4075, Parent: 3417)

bash (PID: 4075, Parent: 3417, MD5: 0719e857695fd4c17ad5bb4547909e5a) Arguments: sh -c "ps auxww | grep -iEe 'wifi-catcher' | grep -v -e grep"

bash New Fork (PID: 4079, Parent: 4075)

ps (PID: 4079, Parent: 4075, MD5: c13a1d1dad08ab8444f35ce966cc3e29) Arguments: ps auxww

bash New Fork (PID: 4080, Parent: 4075)

grep (PID: 4080, Parent: 4075, MD5: 6cd81dedcf076b9ad7cfbfec976245d5) Arguments: grep -iEe wifi-catcher

bash New Fork (PID: 4081, Parent: 4075)

grep (PID: 4081, Parent: 4075, MD5: 6cd81dedcf076b9ad7cfbfec976245d5) Arguments: grep -v -e grep

kthreadd New Fork (PID: 4097, Parent: 3417)

bash (PID: 4097, Parent: 3417, MD5: 0719e857695fd4c17ad5bb4547909e5a) Arguments: sh -c "ps auxww | grep -iEe 'wifi-attack' | grep -v -e grep"

bash New Fork (PID: 4109, Parent: 4097)

ps (PID: 4109, Parent: 4097, MD5: c13a1d1dad08ab8444f35ce966cc3e29) Arguments: ps auxww

bash New Fork (PID: 4110, Parent: 4097)

grep (PID: 4110, Parent: 4097, MD5: 6cd81dedcf076b9ad7cfbfec976245d5) Arguments: grep -iEe wifi-attack

bash New Fork (PID: 4111, Parent: 4097)

grep (PID: 4111, Parent: 4097, MD5: 6cd81dedcf076b9ad7cfbfec976245d5) Arguments: grep -v -e grep

kthreadd New Fork (PID: 4131, Parent: 3417)

bash (PID: 4131, Parent: 3417, MD5: 0719e857695fd4c17ad5bb4547909e5a) Arguments: sh -c "ps auxww | grep -iEe 'wifi-jam' | grep -v -e grep"

bash New Fork (PID: 4138, Parent: 4131)

ps (PID: 4138, Parent: 4131, MD5: c13a1d1dad08ab8444f35ce966cc3e29) Arguments: ps auxww

bash New Fork (PID: 4139, Parent: 4131)

grep (PID: 4139, Parent: 4131, MD5: 6cd81dedcf076b9ad7cfbfec976245d5) Arguments: grep -iEe wifi-jam

bash New Fork (PID: 4140, Parent: 4131)

grep (PID: 4140, Parent: 4131, MD5: 6cd81dedcf076b9ad7cfbfec976245d5) Arguments: grep -v -e grep

kthreadd New Fork (PID: 4164, Parent: 3417)

bash (PID: 4164, Parent: 3417, MD5: 0719e857695fd4c17ad5bb4547909e5a) Arguments: sh -c "ps auxww | grep -iEe 'wifi-imsi-grabber' | grep -v -e grep"

bash New Fork (PID: 4170, Parent: 4164)

ps (PID: 4170, Parent: 4164, MD5: c13a1d1dad08ab8444f35ce966cc3e29) Arguments: ps auxww

bash New Fork (PID: 4171, Parent: 4164)

grep (PID: 4171, Parent: 4164, MD5: 6cd81dedcf076b9ad7cfbfec976245d5) Arguments: grep -iEe wifi-imsi-grabber

bash New Fork (PID: 4172, Parent: 4164)

grep (PID: 4172, Parent: 4164, MD5: 6cd81dedcf076b9ad7cfbfec976245d5) Arguments: grep -v -e grep

kthreadd New Fork (PID: 4193, Parent: 3417)

bash (PID: 4193, Parent: 3417, MD5: 0719e857695fd4c17ad5bb4547909e5a) Arguments: sh -c "ps auxww | grep -iEe 'bt-scan' | grep -v -e grep"

bash New Fork (PID: 4200, Parent: 4193)

ps (PID: 4200, Parent: 4193, MD5: c13a1d1dad08ab8444f35ce966cc3e29) Arguments: ps auxww

bash New Fork (PID: 4201, Parent: 4193)

grep (PID: 4201, Parent: 4193, MD5: 6cd81dedcf076b9ad7cfbfec976245d5) Arguments: grep -iEe bt-scan

bash New Fork (PID: 4202, Parent: 4193)

grep (PID: 4202, Parent: 4193, MD5: 6cd81dedcf076b9ad7cfbfec976245d5) Arguments: grep -v -e grep

sh New Fork (PID: 3377, Parent: 3246)

rm (PID: 3377, Parent: 3246, MD5: 600aaa3669abb4a79eefa5881b390442) Arguments: rm -rf /tmp/finspy.sh

cleanup

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
finspy.sh	JoeSecurity_FinSpy	Yara detected FinSpy	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
/tmp/udev2	JoeSecurity_FinSpy	Yara detected FinSpy	Joe Security

Signature Overview

Click to jump to signature section

Show All Signature Results

Source: kthreadd (PID: 3417)

Reads CPU info from /sys: /sys/devices/system/cpu/online

Networking:

Opens /sys/class/net/* files useful for querying network interface information

Show sources

Source: /usr/bin/bash (PID: 3425)	Opens: /sys/class/net/
Source: /usr/bin/bash (PID: 3443)	Opens: /sys/class/net/
Source: /bin/ls (PID: 3460)	Opens: /sys/class/net/
Source: /bin/cat (PID: 3480)	Opens: /sys/class/net/enp0s3/address
Source: /bin/cat (PID: 3495)	Opens: /sys/class/net/virbr0/address
Source: /bin/cat (PID: 3509)	Opens: /sys/class/net/virbr0-nic/address
Source: /bin/ls (PID: 3658)	Opens: /sys/class/net/

Searches for processes related to Bluetooth scanning

Show sources

Source: kthreadd (PID: 3899)	Executable: /usr/bin/bash -> sh -c "ps auxww \| grep -iEe 'bt-scan' \| grep -v -e grep"
Source: kthreadd (PID: 4193)	Executable: /usr/bin/bash -> sh -c "ps auxww \| grep -iEe 'bt-scan' \| grep -v -e grep"

Searches for processes related to IMSI grabbing

Show sources

Source: kthreadd (PID: 3865)	Executable: /usr/bin/bash -> sh -c "ps auxww \| grep -iEe 'wifi-imsi-grabber' \| grep -v -e grep"
Source: kthreadd (PID: 4164)	Executable: /usr/bin/bash -> sh -c "ps auxww \| grep -iEe 'wifi-imsi-grabber' \| grep -v -e grep"

Searches for processes related to WiFI attacking

Show sources

Source: kthreadd (PID: 3731)	Executable: /usr/bin/bash -> sh -c "ps auxww \| grep -iEe 'wifi-scan' \| grep -v -e grep"
Source: kthreadd (PID: 3742)	Executable: /usr/bin/bash -> sh -c "ps auxww \| grep -iEe 'wifi-catcher' \| grep -v -e grep"
Source: kthreadd (PID: 3794)	Executable: /usr/bin/bash -> sh -c "ps auxww \| grep -iEe 'wifi-attack' \| grep -v -e grep"
Source: kthreadd (PID: 3819)	Executable: /usr/bin/bash -> sh -c "ps auxww \| grep -iEe 'wifi-jam' \| grep -v -e grep"
Source: kthreadd (PID: 4068)	Executable: /usr/bin/bash -> sh -c "ps auxww \| grep -iEe 'wifi-scan' \| grep -v -e grep"
Source: kthreadd (PID: 4075)	Executable: /usr/bin/bash -> sh -c "ps auxww \| grep -iEe 'wifi-catcher' \| grep -v -e grep"
Source: kthreadd (PID: 4097)	Executable: /usr/bin/bash -> sh -c "ps auxww \| grep -iEe 'wifi-attack' \| grep -v -e grep"
Source: kthreadd (PID: 4131)	Executable: /usr/bin/bash -> sh -c "ps auxww \| grep -iEe 'wifi-jam' \| grep -v -e grep"

Source: unknown	TCP traffic detected without corresponding DNS query: 129.177.13.60
Source: unknown	TCP traffic detected without corresponding DNS query: 152.199.19.161
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 216.176.179.218
Source: unknown	TCP traffic detected without corresponding DNS query: 129.177.13.60
Source: unknown	TCP traffic detected without corresponding DNS query: 152.199.19.161
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 216.176.179.218
Source: unknown	TCP traffic detected without corresponding DNS query: 129.177.13.60
Source: unknown	TCP traffic detected without corresponding DNS query: 185.25.50.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.25.50.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.25.50.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.25.50.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.25.50.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.25.50.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.25.50.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.25.50.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.25.50.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.25.50.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.25.50.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.25.50.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.25.50.74

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 48064
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 48062
Source: unknown	Network traffic detected: HTTP traffic on port 48062 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 48064 -> 443

Source: Initial sample	Potential command found: tail -n +$ARCHIVE $0 > /tmp/udev2 && chmod +x /tmp/udev2
Source: Initial sample	Potential command found: su -c /tmp/udev2 $SUDO_USER
Source: Initial sample	Potential command found: rm -rf "$0"
Source: Initial sample	Potential command found: lspci 2>/dev/null \| grep -i "system peripheral" \| grep -i "virtual"
Source: Initial sample	Potential command found: dmesg --notime 2>/dev/null \| grep -i "hypervisor detected" \| cut -d ':' -f2 \| tr -d "
Source: Initial sample	Potential command found: dmesg --notime 2>/dev/null \| grep -i "cpu" \| grep -i "virtual"
Source: Initial sample	Potential command found: ps ya8xw
Source: Initial sample	Potential command found: lc WxC
Source: Initial sample	Potential command found: X Uh
Source: Initial sample	Potential command found: w dLR
Source: Initial sample	Potential command found: X +f2
Source: Initial sample	Potential command found: cd r;

Source: classification engine

Classification label: mal76.troj.spyw.evad.linSH@0/49@0/0

Persistence and Installation Behavior:

Modifies the '.bashrc' or '.bash_profile' file typically for persisting actions

Show sources

Source: /tmp/udev2 (PID: 3357)	File written: /home/user/.bash_profile
Source: kthreadd (PID: 3417)	File written: /home/user/.bash_profile

Writes ELF files to hidden directories

Show sources

Source: /tmp/udev2 (PID: 3357)	File written to hidden directory: /home/user/.kde/.cfg/kthreadd	Jump to dropped file
Source: kthreadd (PID: 3417)	File written to hidden directory: /home/user/.kde/.cfg/mcli.so	Jump to dropped file
Source: kthreadd (PID: 3417)	File written to hidden directory: /home/user/.kde/.cfg/wbcm.so	Jump to dropped file
Source: kthreadd (PID: 3417)	File written to hidden directory: /home/user/.kde/.cfg/gtkx.so	Jump to dropped file

Source: /tmp/udev2 (PID: 3357)	Directory: /home/user/.kde
Source: /tmp/udev2 (PID: 3357)	Directory: /home/user/.kde/.cfg
Source: kthreadd (PID: 3417)	Directory: /home/user/.local

Source: /bin/ps (PID: 4079)	File opened: /proc/88/stat
Source: /bin/ps (PID: 4079)	File opened: /proc/88/status
Source: /bin/ps (PID: 4079)	File opened: /proc/88/cmdline
Source: /bin/ps (PID: 4079)	File opened: /proc/89/stat
Source: /bin/ps (PID: 4079)	File opened: /proc/89/status
Source: /bin/ps (PID: 4079)	File opened: /proc/89/cmdline
Source: /bin/ps (PID: 4079)	File opened: /proc/2032/stat
Source: /bin/ps (PID: 4079)	File opened: /proc/2032/status
Source: /bin/ps (PID: 4079)	File opened: /proc/2032/cmdline
Source: /bin/ps (PID: 4079)	File opened: /proc/2150/stat
Source: /bin/ps (PID: 4079)	File opened: /proc/2150/status
Source: /bin/ps (PID: 4079)	File opened: /proc/2150/cmdline
Source: /bin/ps (PID: 4079)	File opened: /proc/352/stat
Source: /bin/ps (PID: 4079)	File opened: /proc/352/status
Source: /bin/ps (PID: 4079)	File opened: /proc/352/cmdline
Source: /bin/ps (PID: 4079)	File opened: /proc/353/stat
Source: /bin/ps (PID: 4079)	File opened: /proc/353/status
Source: /bin/ps (PID: 4079)	File opened: /proc/353/cmdline
Source: /bin/ps (PID: 4079)	File opened: /proc/992/stat
Source: /bin/ps (PID: 4079)	File opened: /proc/992/status
Source: /bin/ps (PID: 4079)	File opened: /proc/992/cmdline
Source: /bin/ps (PID: 4079)	File opened: /proc/1732/stat
Source: /bin/ps (PID: 4079)	File opened: /proc/1732/status
Source: /bin/ps (PID: 4079)	File opened: /proc/1732/cmdline
Source: /bin/ps (PID: 4079)	File opened: /proc/631/stat
Source: /bin/ps (PID: 4079)	File opened: /proc/631/status
Source: /bin/ps (PID: 4079)	File opened: /proc/631/cmdline
Source: /bin/ps (PID: 4079)	File opened: /proc/2027/stat
Source: /bin/ps (PID: 4079)	File opened: /proc/2027/status
Source: /bin/ps (PID: 4079)	File opened: /proc/2027/cmdline
Source: /bin/ps (PID: 4079)	File opened: /proc/1850/stat
Source: /bin/ps (PID: 4079)	File opened: /proc/1850/status
Source: /bin/ps (PID: 4079)	File opened: /proc/1850/cmdline
Source: /bin/ps (PID: 4079)	File opened: /proc/633/stat
Source: /bin/ps (PID: 4079)	File opened: /proc/633/status
Source: /bin/ps (PID: 4079)	File opened: /proc/633/cmdline
Source: /bin/ps (PID: 4079)	File opened: /proc/1331/stat
Source: /bin/ps (PID: 4079)	File opened: /proc/1331/status
Source: /bin/ps (PID: 4079)	File opened: /proc/1331/cmdline
Source: /bin/ps (PID: 4079)	File opened: /proc/1617/stat
Source: /bin/ps (PID: 4079)	File opened: /proc/1617/status
Source: /bin/ps (PID: 4079)	File opened: /proc/1617/cmdline
Source: /bin/ps (PID: 4079)	File opened: /proc/10/stat
Source: /bin/ps (PID: 4079)	File opened: /proc/10/status
Source: /bin/ps (PID: 4079)	File opened: /proc/10/cmdline
Source: /bin/ps (PID: 4079)	File opened: /proc/11/stat
Source: /bin/ps (PID: 4079)	File opened: /proc/11/status
Source: /bin/ps (PID: 4079)	File opened: /proc/11/cmdline
Source: /bin/ps (PID: 4079)	File opened: /proc/13/stat
Source: /bin/ps (PID: 4079)	File opened: /proc/13/status
Source: /bin/ps (PID: 4079)	File opened: /proc/13/cmdline
Source: /bin/ps (PID: 4079)	File opened: /proc/14/stat
Source: /bin/ps (PID: 4079)	File opened: /proc/14/status
Source: /bin/ps (PID: 4079)	File opened: /proc/14/cmdline
Source: /bin/ps (PID: 4079)	File opened: /proc/15/stat
Source: /bin/ps (PID: 4079)	File opened: /proc/15/status
Source: /bin/ps (PID: 4079)	File opened: /proc/15/cmdline
Source: /bin/ps (PID: 4079)	File opened: /proc/16/stat
Source: /bin/ps (PID: 4079)	File opened: /proc/16/status
Source: /bin/ps (PID: 4079)	File opened: /proc/16/cmdline
Source: /bin/ps (PID: 4079)	File opened: /proc/17/stat
Source: /bin/ps (PID: 4079)	File opened: /proc/17/status
Source: /bin/ps (PID: 4079)	File opened: /proc/17/cmdline
Source: /bin/ps (PID: 4079)	File opened: /proc/18/stat
Source: /bin/ps (PID: 4079)	File opened: /proc/18/status
Source: /bin/ps (PID: 4079)	File opened: /proc/18/cmdline
Source: /bin/ps (PID: 4079)	File opened: /proc/19/stat
Source: /bin/ps (PID: 4079)	File opened: /proc/19/status
Source: /bin/ps (PID: 4079)	File opened: /proc/19/cmdline
Source: /bin/ps (PID: 4079)	File opened: /proc/2166/stat
Source: /bin/ps (PID: 4079)	File opened: /proc/2166/status
Source: /bin/ps (PID: 4079)	File opened: /proc/2166/cmdline
Source: /bin/ps (PID: 4079)	File opened: /proc/3376/stat
Source: /bin/ps (PID: 4079)	File opened: /proc/3376/status
Source: /bin/ps (PID: 4079)	File opened: /proc/3376/cmdline
Source: /bin/ps (PID: 4079)	File opened: /proc/2043/stat
Source: /bin/ps (PID: 4079)	File opened: /proc/2043/status
Source: /bin/ps (PID: 4079)	File opened: /proc/2043/cmdline
Source: /bin/ps (PID: 4079)	File opened: /proc/363/stat
Source: /bin/ps (PID: 4079)	File opened: /proc/363/status
Source: /bin/ps (PID: 4079)	File opened: /proc/363/cmdline
Source: /bin/ps (PID: 4079)	File opened: /proc/364/stat
Source: /bin/ps (PID: 4079)	File opened: /proc/364/status
Source: /bin/ps (PID: 4079)	File opened: /proc/364/cmdline
Source: /bin/ps (PID: 4079)	File opened: /proc/1/stat
Source: /bin/ps (PID: 4079)	File opened: /proc/1/status
Source: /bin/ps (PID: 4079)	File opened: /proc/1/cmdline
Source: /bin/ps (PID: 4079)	File opened: /proc/1986/stat
Source: /bin/ps (PID: 4079)	File opened: /proc/1986/status
Source: /bin/ps (PID: 4079)	File opened: /proc/1986/cmdline
Source: /bin/ps (PID: 4079)	File opened: /proc/486/stat
Source: /bin/ps (PID: 4079)	File opened: /proc/486/status
Source: /bin/ps (PID: 4079)	File opened: /proc/486/cmdline
Source: /bin/ps (PID: 4079)	File opened: /proc/2/stat
Source: /bin/ps (PID: 4079)	File opened: /proc/2/status
Source: /bin/ps (PID: 4079)	File opened: /proc/2/cmdline
Source: /bin/ps (PID: 4079)	File opened: /proc/3/stat
Source: /bin/ps (PID: 4079)	File opened: /proc/3/status
Source: /bin/ps (PID: 4079)	File opened: /proc/3/cmdline
Source: /bin/ps (PID: 4079)	File opened: /proc/2038/stat
Source: /bin/ps (PID: 4079)	File opened: /proc/2038/status
Source: /bin/ps (PID: 4079)	File opened: /proc/2038/cmdline
Source: /bin/ps (PID: 4079)	File opened: /proc/5/stat
Source: /bin/ps (PID: 4079)	File opened: /proc/5/status
Source: /bin/ps (PID: 4079)	File opened: /proc/5/cmdline

Source: /bin/su (PID: 3357)

Shell command executed: bash -c /tmp/udev2

Source: /bin/sh (PID: 3311)

Chmod executable: /bin/chmod -> chmod +x /tmp/udev2

Source: /bin/sh (PID: 3259)	Grep executable: /bin/grep -> grep --text --line-number ^__x64xx__$ /tmp/finspy.sh
Source: /usr/bin/bash (PID: 3733)	Grep executable: /bin/grep -> grep -iEe wifi-scan
Source: /usr/bin/bash (PID: 3734)	Grep executable: /bin/grep -> grep -v -e grep
Source: /usr/bin/bash (PID: 3751)	Grep executable: /bin/grep -> grep -iEe wifi-catcher
Source: /usr/bin/bash (PID: 3752)	Grep executable: /bin/grep -> grep -v -e grep
Source: /usr/bin/bash (PID: 3799)	Grep executable: /bin/grep -> grep -iEe wifi-attack
Source: /usr/bin/bash (PID: 3800)	Grep executable: /bin/grep -> grep -v -e grep
Source: /usr/bin/bash (PID: 3827)	Grep executable: /bin/grep -> grep -iEe wifi-jam
Source: /usr/bin/bash (PID: 3828)	Grep executable: /bin/grep -> grep -v -e grep
Source: /usr/bin/bash (PID: 3873)	Grep executable: /bin/grep -> grep -iEe wifi-imsi-grabber
Source: /usr/bin/bash (PID: 3874)	Grep executable: /bin/grep -> grep -v -e grep
Source: /usr/bin/bash (PID: 3907)	Grep executable: /bin/grep -> grep -iEe bt-scan
Source: /usr/bin/bash (PID: 3908)	Grep executable: /bin/grep -> grep -v -e grep
Source: /usr/bin/bash (PID: 4070)	Grep executable: /bin/grep -> grep -iEe wifi-scan
Source: /usr/bin/bash (PID: 4071)	Grep executable: /bin/grep -> grep -v -e grep
Source: /usr/bin/bash (PID: 4080)	Grep executable: /bin/grep -> grep -iEe wifi-catcher
Source: /usr/bin/bash (PID: 4081)	Grep executable: /bin/grep -> grep -v -e grep
Source: /usr/bin/bash (PID: 4110)	Grep executable: /bin/grep -> grep -iEe wifi-attack
Source: /usr/bin/bash (PID: 4111)	Grep executable: /bin/grep -> grep -v -e grep
Source: /usr/bin/bash (PID: 4139)	Grep executable: /bin/grep -> grep -iEe wifi-jam
Source: /usr/bin/bash (PID: 4140)	Grep executable: /bin/grep -> grep -v -e grep
Source: /usr/bin/bash (PID: 4171)	Grep executable: /bin/grep -> grep -iEe wifi-imsi-grabber
Source: /usr/bin/bash (PID: 4172)	Grep executable: /bin/grep -> grep -v -e grep
Source: /usr/bin/bash (PID: 4201)	Grep executable: /bin/grep -> grep -iEe bt-scan
Source: /usr/bin/bash (PID: 4202)	Grep executable: /bin/grep -> grep -v -e grep

Source: /usr/bin/bash (PID: 3732)	Ps executable: /bin/ps -> ps auxww
Source: /usr/bin/bash (PID: 3750)	Ps executable: /bin/ps -> ps auxww
Source: /usr/bin/bash (PID: 3798)	Ps executable: /bin/ps -> ps auxww
Source: /usr/bin/bash (PID: 3826)	Ps executable: /bin/ps -> ps auxww
Source: /usr/bin/bash (PID: 3872)	Ps executable: /bin/ps -> ps auxww
Source: /usr/bin/bash (PID: 3906)	Ps executable: /bin/ps -> ps auxww
Source: /usr/bin/bash (PID: 4069)	Ps executable: /bin/ps -> ps auxww
Source: /usr/bin/bash (PID: 4079)	Ps executable: /bin/ps -> ps auxww
Source: /usr/bin/bash (PID: 4109)	Ps executable: /bin/ps -> ps auxww
Source: /usr/bin/bash (PID: 4138)	Ps executable: /bin/ps -> ps auxww
Source: /usr/bin/bash (PID: 4170)	Ps executable: /bin/ps -> ps auxww
Source: /usr/bin/bash (PID: 4200)	Ps executable: /bin/ps -> ps auxww

Source: /bin/sh (PID: 3377)

Rm executable: /bin/rm -> rm -rf /tmp/finspy.sh

Source: /bin/sh (PID: 3246)	Reads from proc file: /proc/meminfo
Source: /bin/bash (PID: 3357)	Reads from proc file: /proc/meminfo
Source: /usr/bin/bash (PID: 3420)	Reads from proc file: /proc/meminfo
Source: /usr/bin/bash (PID: 3425)	Reads from proc file: /proc/meminfo
Source: /usr/bin/bash (PID: 3443)	Reads from proc file: /proc/meminfo
Source: /usr/bin/bash (PID: 3454)	Reads from proc file: /proc/meminfo
Source: /usr/bin/bash (PID: 3473)	Reads from proc file: /proc/meminfo
Source: /usr/bin/bash (PID: 3488)	Reads from proc file: /proc/meminfo
Source: /usr/bin/bash (PID: 3502)	Reads from proc file: /proc/meminfo
Source: /usr/bin/bash (PID: 3516)	Reads from proc file: /proc/meminfo
Source: /usr/bin/bash (PID: 3657)	Reads from proc file: /proc/meminfo
Source: /usr/bin/bash (PID: 3731)	Reads from proc file: /proc/meminfo
Source: /bin/ps (PID: 3732)	Reads from proc file: /proc/meminfo
Source: /bin/ps (PID: 3732)	Reads from proc file: /proc/stat
Source: /usr/bin/bash (PID: 3742)	Reads from proc file: /proc/meminfo
Source: /bin/ps (PID: 3750)	Reads from proc file: /proc/meminfo
Source: /bin/ps (PID: 3750)	Reads from proc file: /proc/stat
Source: /usr/bin/bash (PID: 3794)	Reads from proc file: /proc/meminfo
Source: /bin/ps (PID: 3798)	Reads from proc file: /proc/meminfo
Source: /bin/ps (PID: 3798)	Reads from proc file: /proc/stat
Source: /usr/bin/bash (PID: 3819)	Reads from proc file: /proc/meminfo
Source: /bin/ps (PID: 3826)	Reads from proc file: /proc/meminfo
Source: /bin/ps (PID: 3826)	Reads from proc file: /proc/stat
Source: /usr/bin/bash (PID: 3865)	Reads from proc file: /proc/meminfo
Source: /bin/ps (PID: 3872)	Reads from proc file: /proc/meminfo
Source: /bin/ps (PID: 3872)	Reads from proc file: /proc/stat
Source: /usr/bin/bash (PID: 3899)	Reads from proc file: /proc/meminfo
Source: /bin/ps (PID: 3906)	Reads from proc file: /proc/meminfo
Source: /bin/ps (PID: 3906)	Reads from proc file: /proc/stat
Source: /usr/bin/bash (PID: 4068)	Reads from proc file: /proc/meminfo
Source: /bin/ps (PID: 4069)	Reads from proc file: /proc/meminfo
Source: /bin/ps (PID: 4069)	Reads from proc file: /proc/stat
Source: /usr/bin/bash (PID: 4075)	Reads from proc file: /proc/meminfo
Source: /bin/ps (PID: 4079)	Reads from proc file: /proc/meminfo
Source: /bin/ps (PID: 4079)	Reads from proc file: /proc/stat
Source: /usr/bin/bash (PID: 4097)	Reads from proc file: /proc/meminfo
Source: /bin/ps (PID: 4109)	Reads from proc file: /proc/meminfo
Source: /bin/ps (PID: 4109)	Reads from proc file: /proc/stat
Source: /usr/bin/bash (PID: 4131)	Reads from proc file: /proc/meminfo
Source: /bin/ps (PID: 4138)	Reads from proc file: /proc/meminfo
Source: /bin/ps (PID: 4138)	Reads from proc file: /proc/stat
Source: /usr/bin/bash (PID: 4164)	Reads from proc file: /proc/meminfo
Source: /bin/ps (PID: 4170)	Reads from proc file: /proc/meminfo
Source: /bin/ps (PID: 4170)	Reads from proc file: /proc/stat
Source: /usr/bin/bash (PID: 4193)	Reads from proc file: /proc/meminfo
Source: /bin/ps (PID: 4200)	Reads from proc file: /proc/meminfo
Source: /bin/ps (PID: 4200)	Reads from proc file: /proc/stat

Source: /bin/chmod (PID: 3311)

File: /tmp/udev2 (bits: - usr: rx grp: rx all: rwx)

Source: /bin/tail (PID: 3265)	File written: /tmp/udev2	Jump to dropped file
Source: /tmp/udev2 (PID: 3357)	File written: /home/user/.kde/.cfg/kthreadd	Jump to dropped file
Source: kthreadd (PID: 3417)	File written: /home/user/.kde/.cfg/mcli.so	Jump to dropped file
Source: kthreadd (PID: 3417)	File written: /home/user/.kde/.cfg/wbcm.so	Jump to dropped file
Source: kthreadd (PID: 3417)	File written: /home/user/.kde/.cfg/gtkx.so	Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Sample deletes itself

Show sources

Source: kthreadd (PID: 3417)	File: kthreadd
Source: /bin/rm (PID: 3377)	File: /tmp/finspy.sh

Source: kthreadd (PID: 3417)

Reads CPU info from /sys: /sys/devices/system/cpu/online

Source: /bin/sh (PID: 3246)	Queries kernel information via 'uname':
Source: /bin/bash (PID: 3357)	Queries kernel information via 'uname':
Source: kthreadd (PID: 3417)	Queries kernel information via 'uname':
Source: /usr/bin/bash (PID: 3420)	Queries kernel information via 'uname':
Source: /usr/bin/bash (PID: 3425)	Queries kernel information via 'uname':
Source: /usr/bin/bash (PID: 3443)	Queries kernel information via 'uname':
Source: /usr/bin/bash (PID: 3454)	Queries kernel information via 'uname':
Source: /usr/bin/bash (PID: 3473)	Queries kernel information via 'uname':
Source: /usr/bin/bash (PID: 3488)	Queries kernel information via 'uname':
Source: /usr/bin/bash (PID: 3502)	Queries kernel information via 'uname':
Source: /usr/bin/bash (PID: 3516)	Queries kernel information via 'uname':
Source: /usr/bin/bash (PID: 3657)	Queries kernel information via 'uname':
Source: /usr/bin/bash (PID: 3731)	Queries kernel information via 'uname':
Source: /bin/ps (PID: 3732)	Queries kernel information via 'uname':
Source: /usr/bin/bash (PID: 3742)	Queries kernel information via 'uname':
Source: /bin/ps (PID: 3750)	Queries kernel information via 'uname':
Source: /usr/bin/bash (PID: 3794)	Queries kernel information via 'uname':
Source: /bin/ps (PID: 3798)	Queries kernel information via 'uname':
Source: /usr/bin/bash (PID: 3819)	Queries kernel information via 'uname':
Source: /bin/ps (PID: 3826)	Queries kernel information via 'uname':
Source: /usr/bin/bash (PID: 3865)	Queries kernel information via 'uname':
Source: /bin/ps (PID: 3872)	Queries kernel information via 'uname':
Source: /usr/bin/bash (PID: 3899)	Queries kernel information via 'uname':
Source: /bin/ps (PID: 3906)	Queries kernel information via 'uname':
Source: /usr/bin/dbus-launch (PID: 4051)	Queries kernel information via 'uname':
Source: /usr/bin/bash (PID: 4068)	Queries kernel information via 'uname':
Source: /bin/ps (PID: 4069)	Queries kernel information via 'uname':
Source: /usr/bin/bash (PID: 4075)	Queries kernel information via 'uname':
Source: /bin/ps (PID: 4079)	Queries kernel information via 'uname':
Source: /usr/bin/bash (PID: 4097)	Queries kernel information via 'uname':
Source: /bin/ps (PID: 4109)	Queries kernel information via 'uname':
Source: /usr/bin/bash (PID: 4131)	Queries kernel information via 'uname':
Source: /bin/ps (PID: 4138)	Queries kernel information via 'uname':
Source: /usr/bin/bash (PID: 4164)	Queries kernel information via 'uname':
Source: /bin/ps (PID: 4170)	Queries kernel information via 'uname':
Source: /usr/bin/bash (PID: 4193)	Queries kernel information via 'uname':
Source: /bin/ps (PID: 4200)	Queries kernel information via 'uname':

Stealing of Sensitive Information:

Yara detected FinSpy

Show sources

Source: Yara match	File source: finspy.sh, type: SAMPLE
Source: Yara match	File source: /tmp/udev2, type: DROPPED

Remote Access Functionality:

Yara detected FinSpy

Show sources

Source: Yara match	File source: finspy.sh, type: SAMPLE
Source: Yara match	File source: /tmp/udev2, type: DROPPED

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Command and Scripting Interpreter1	.bash_profile and .bashrc1	.bash_profile and .bashrc1	File and Directory Permissions Modification1	OS Credential Dumping1	Security Software Discovery1	Remote Services	Network Information Discovery1	Exfiltration Over Other Network Medium	Encrypted Channel1	Jamming or Denial of Service1	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scripting1	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Scripting1	LSASS Memory	Process Discovery31	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Hidden Files and Directories11	Security Account Manager	System Information Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	File Deletion11	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Country	ASN	ASN Name	Malicious
152.199.19.161	United States	15133	EDGECASTUS	false
185.25.50.74	Lithuania	61272	IST-ASLT	false
109.202.202.202	Switzerland	13030	INIT7CH	false
216.176.179.218	United States	23033	WOWUS	false
129.177.13.60	Norway	224	UNINETTUNINETTTheNorwegianUniversityResearchNetwork	false

General Information

Joe Sandbox Version:
Analysis ID:	1250217
Start date:	05.10.2020
Start time:	15:12:02
Joe Sandbox Product:	Cloud
Overall analysis duration:	0h 5m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	finspy.sh
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	CentOS Linux 7.5 x64 (Kernel 3.10.0-862, Firefox 52.8.0, Document Viewer 3.22.1, LibreOffice 5.3.6.1, OpenJDK 1.8.0_171)
Detection:	MAL
Classification:	mal76.troj.spyw.evad.linSH@0/49@0/0
Warnings:	Show All Report size exceeded maximum capacity and may have missing behavior information.

Runtime Messages

Command:	sh "/tmp/finspy.sh"
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:

Created / dropped Files

/home/user/.bash_profile Download File
Process:	kthreadd
File Type:	very short file (no magic)
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
MD5:	93B885ADFE0DA089CDF634904FD59F71
SHA1:	5BA93C9DB0CFF93F52B521D7420E43F6EDA2784F
SHA-256:	6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D
SHA-512:	B8244D028981D693AF7B456AF8EFA4CAD63D282E19FF14942C246E50D9351D22704A802A71C3580B6370DE4CEB293C324A8423342557D4E5C38438F0E36910EE
Malicious:	true
Reputation:	low
Preview:	.

/home/user/.bash_profile1 Download File
Process:	/tmp/udev2
File Type:	very short file (no magic)
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
MD5:	93B885ADFE0DA089CDF634904FD59F71
SHA1:	5BA93C9DB0CFF93F52B521D7420E43F6EDA2784F
SHA-256:	6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D
SHA-512:	B8244D028981D693AF7B456AF8EFA4CAD63D282E19FF14942C246E50D9351D22704A802A71C3580B6370DE4CEB293C324A8423342557D4E5C38438F0E36910EE
Malicious:	false
Reputation:	low
Preview:	.

/home/user/.kde/.cfg/02.so Download File
Process:	/tmp/udev2
File Type:	data
Size (bytes):	157375
Entropy (8bit):	7.8916527190645915
Encrypted:	false
MD5:	23972D068A144AC242CE2282294808D4
SHA1:	E2EEA237F4AA9B0317F324D3BEB68E4975BEAE3F
SHA-256:	FFB2C365F549E8454D678D9D318C40A165142E2A5B70408DC91F5E49D103E078
SHA-512:	F44C7D350DBC2F2FC5931C59D990B98F810733150100E9C7162D0DD4914D2B78AAFC7B62098820C9023D8D50C8131646DB4DD8D5D09E8B8047B366AF7687A864
Malicious:	false
Reputation:	low
Preview:	......ELF........>....V..@....(8...,8.V......... .8......#.&ct..1....8G......&....#g....2....<.p$....P.td.#xoB...L..6.8EQ.D.....Rp..........x......GNU...........w.......[.Fm.J. +N...wap.H.U$.....:..<..Z.B..0...=...9.,14.......n.p. ..........\..@.H....n..v g(....l..n.z....0.. ..H\..@F.....P_!.....@l..0$U....@o....O....Ad..@...........oP...E.....H.0...>...$.dF...Ap....."....4\.......H"JdL.MHN.O"RDST.n..Z._.`$bLd.g.i.l$pJq,er2.t9v.x..yL.z.}..$.I...D.......".D...$..".D....L....D....L....G.".D...........$.H...".D......$.J..y...$.J..e.2..$.H...".S..".D......$.H...".D......$.H...".D......%..!......s-...\|3.!....C...zY..i.P..Q.e.....D.....@^.Q.@......!..........0.".....D....m....F3...\c0w$1..W......?.L....0.'.)@..7R.[...&.(!DAB..m...@..2...#(^iD..,.G...Q...Z[1...As)H...=.....E;.".#...eU....y.........B..4....$..n.R..e\|`.....` ..W}}p.Z.C..?tH........6tp.VZ.P.0....~.......x....Pb.!ro.....0.}..r...+.Q.J...U...`C.....?=0.c..b.......d ...........~.fg!h....... .....K.........zo......M.!.V$UP..On=..r..

/home/user/.kde/.cfg/02C.dat Download File
Process:	/tmp/udev2
File Type:	Non-ISO extended-ASCII text
Size (bytes):	146
Entropy (8bit):	4.125173537317145
Encrypted:	false
MD5:	1646EAA6EF4E25DA4154D72966066D59
SHA1:	2237BD6C1528479BF8C37AC72E557111D67C503F
SHA-256:	CBECC8FF2C4F790451DBE8D887DF8E26143AF2C5971D0ABA09A92D3430ABC6C6
SHA-512:	520C4B41057C2D08617E83296F1FA5D160176FDDA736E207AC75895875FD6507FE7DED471C5709B987BB115C2F271ABB759267C0C70F05D2AB430E5844A25C8D
Malicious:	false
Reputation:	low
Preview:	8Z....TZ/.Z.....V..Z.....Z..V..Z.....Z..V..Z....._..S..Z.....V..Z.....Z..V..Z.....Z..S..Z.....S..Z.....P..Z%....Z..Z..:[.X..Z..Z.....Z..Z.....X...

/home/user/.kde/.cfg/04.so Download File
Process:	/tmp/udev2
File Type:	data
Size (bytes):	56342
Entropy (8bit):	7.899002476132214
Encrypted:	false
MD5:	5045D09F5C5A4E6705430A7C39DE060F
SHA1:	2267435B6BF1B9A4EB28797F2794B8BC7C10D289
SHA-256:	B3D2E096D61859E5CAE82E52602CFE9FDCDA8E219E8B0FB4F82FF42C46B3419C
SHA-512:	E1DBA933696C28AB1087DE051EE7445362B366A097B591DF7FB959ADF2CFA27D795913D46E5DD325546F2E7F64F27646AC18A74BE81A2544B5C0541FC25C26DA
Malicious:	false
Reputation:	low
Preview:	.v....ELF........>....9..@....(8...,8.V..(]..... .8...lI...".x.Ll..O8#....#.........b....M...8$G...P.td...M...Y...m.8Q....u!.ER5pj..p......xH....GNpU.&..Z.;........../.-g...2a.7$.H..UE.....B.!x.`..T..@.&.D..0...X$.s..Q.L.C.2.7.\...!...Q..B.u..U.J.....a.^.@P............ch.k.......lD....q .@...$..t.HX..7$8R#w;).>..?r.A$BHD.E2H.J$KHL.N<LO.HP..2.S9U.W%Y,4Z.].^$_Hb.c"dDef.hK0"lDmo.r.t..Dvx.z.\|.....%.2..$.H...".D... D....L......$.J..e.2....D......%.2.......%........o x........2W.9......>...!P.....D..~.....z.:/.......o..@..F....P. ....)..Z[.....^._.9Q..e..A.0xB.M..0ND....".F;.V.h.+.QCE...I!\)......^...e`!...".......\...`.qw..%!..)..'...........:.r. .4>..L.)1m....0..A#..=..a...?...9....b...qX...x.i.P..0..\|?..V..=..{>...8.fh.}o*.`.w4<:..=.Z..K...,.Gc);.\<w..!rd..C...6...fL..}...~.i.>.....e\|`...w.........j...X..............)t.~.$.y,......W.[.1...z$`.)...vf....D.K......On........s.zc7'..L.....x.....u.3W.)!"."..2..W}p\|.(.^i%,...?..s.`&...+.....L...3....J..,V)........`;H)O0.....(;H...!.y.,J.h.+..e.

/home/user/.kde/.cfg/04C.dat Download File
Process:	/tmp/udev2
File Type:	Non-ISO extended-ASCII text
Size (bytes):	73
Entropy (8bit):	3.7278897001071813
Encrypted:	false
MD5:	B9CEF110B78CB1F5074DC8709C1E78A1
SHA1:	D839C7EDA4B895E74197EF095E8F0210914EAB3C
SHA-256:	7C98C5E4DD7597902B561BACBA97AF7F0056B75A30ED56B6BBA740621EFB5E68
SHA-512:	FAE70213B9F1466459890F74756D6BDCA6D26423DD1D96C667C3F053058E8FEE9FEDA6E48733C2007DEA3EE2BBC4090CD4D5D86C8E6E4BF3A968CA238CD7E80D
Malicious:	false
Reputation:	low
Preview:	.Z....TZ..Z.....V..Z.....Z..V..Z.....Z..V..Z....._..S..Z.....V..Z.....Z..

/home/user/.kde/.cfg/05.so Download File
Process:	/tmp/udev2
File Type:	data
Size (bytes):	73879
Entropy (8bit):	7.882233989233881
Encrypted:	false
MD5:	C3E2A13FD60C6FB6792C7AE64006CFD1
SHA1:	E09DC0099CC2EE3F570E5A642E6E4F710353F8F8
SHA-256:	73E88E61DB957B909521DAA880702DAE8F6CE8FFA1CDD9D91ECEA3A8DE70488F
SHA-512:	72449C0D34EAC7546FEEAE8BD9EB75D8509B1B8E43C7B793BD97B7C2798B72D91AF06C154BBFDF7C0C5E85C4084CE0E1443A499E3FA345BDC7A2D28E3469CE0F
Malicious:	false
Reputation:	low
Preview:	`"....ELF........>... 5..@....(8...,8.V.........r8."....#.#e.1U...B8#....#.........b....M...8$G...P.td..h....X....F8"Q....H.QRMpZ..p.f...#x..6...GNU...W..c..w..............La......#UE.....B.!.....T...@&.D..0........s.Q<.L.C2 l.\..z.....,Pu..U......L..>@...".....l'T.j..%....:l..... ~>@..>$....XD9./.0&1.D36..D78.9.:".<M=..B.C"DHFL.G9IL.J.GL"NDPR..DST.W.X.[.\$]H^._t<c.d".eDfi.kK."mDoq.sL.v.y.{..}..$.H...".S. ".D....D......%.2.....O.".D.........L.........5.>......o x........2W.9......>...!P.....D..~.....zY.........o..@..F....P. ....)..Z[.....^._..Q.JO.K.e..A...B.M...ND......F..V.h.+.Q.CE..I!...Fr\)..~...^...e!.."....\....`qw..`%!.)..`'.......... .,>..L.))m....1..A..=...?P.......b...qX...x.i.P.0...\|?..V.."......8.f.h.}o.`..4s:..=.Z...K..,.Gcc).\.w..!rad.C..1.....}...~.i..}....e\|`...w..3.............0...t....Hy.0....W..[.1...$...)...v.......K.....%i....On.......k..zc'........x..}.f.!!.D"..2..W}p\|.(^(i%(...?..s.&....+.r..`D.. V0..J.a.+,2.1...:.\|CY.b....\|S.0.a.......BF..+.v)..`..?.!...O...`vSJ

/home/user/.kde/.cfg/05C.dat Download File
Process:	/tmp/udev2
File Type:	data
Size (bytes):	61
Entropy (8bit):	3.727303257896783
Encrypted:	false
MD5:	6BFBA62E20F270002943D88E6636D352
SHA1:	9C5852A7CD558AE64E5219C8CC28E8EB95D7A845
SHA-256:	5AB08940F09BBC898C10E1A48506A5A23CDEDA22528331EB2C86E4E6BD2B3C8D
SHA-512:	312C3A4D226FAE1846238576FC953AE5B61AF4AACCF488DB5E12AC1D7FB80903B665E799C02044739BF2C861FA2AFA1C9C49A92E3555907068AA0B980955169C
Malicious:	false
Reputation:	low
Preview:	.Z....TZ..Z..X..V..Z.....Z..V..Z.....Z..V..Z....._..S..Z.....

/home/user/.kde/.cfg/10.so Download File
Process:	/tmp/udev2
File Type:	data
Size (bytes):	277150
Entropy (8bit):	7.871759933511614
Encrypted:	false
MD5:	DAA72A0745FA64FFDA8007B3D342F697
SHA1:	73338123D2600B9C0D0E04A476A694D9C6180CFC
SHA-256:	8DFFB24119EA678FB23F6877FE8147B237860BA4AF5CC8FBC0AAD2FB0223B6B5
SHA-512:	CB13CE75AB5E3D45AB7F3C6C9C1185FD149CEBF7E7093473B044A9EA2A73B970BCC5322BAA74D963FCCA7BF0B18641F730AAEF4B732BC2CFDBF1732A0EFAAB6A
Malicious:	false
Reputation:	low
Preview:	`.%...ELF........>.......@....(8...&8.V..L ......8..E.+&..G(...1....8..G.x...8..F.v...e.4.x.$..#..P.td.Eh.P....p...8.QA....(.R.p..FP........F...GNU.1e..H....A..~...v.)pB..&.cIfN...w.U...#.@...7..(..TD..+.H...d"c....$.Q..`@D2.............X%...A`g..}..V.....I(....0.I...".H..`.. .....i.7.0l.......?&Z.,.......$`.I8C..#.T.... ..]9.....I..Q..........Hc..B....A. .....S.....@....u.<AL.Q........)..H....A.T!c.....E.y.....g....r]z.......i`"...B..w...!H...j.l$m.yn.p..qL.t.u.w%x2.z..{.}$.H...".D...$D......$.H...".D....L0.......D.........$.J..Y...$.H...".D......$.H...".D....LH.....$.H...".D....L,.....$.H...".D........7.X.......D......d.H...2...........L...... .!.s."2.#.%..(...,.-$.H/.0)1$.3"5D78.9.:..>.@$AHB.C..E.H..K.L2O.Q$RJS.eT<.V.Y.[&\.D`a.g..0.h..i2.l.n..p..q.r.u$wJx0Y{.}$.J..Y...$.H.......$.H...".D......$.H...P...d.L.....D........L..........d.L.......$.J. d.H...D..&..S..2........&..D......$.H...D.m...0.....wd...4..@...._..Q.....T7.L.=\|m.]H.M..._D.0..};".#.....zn....D...C..t....Q...]...$W....

/home/user/.kde/.cfg/10C.dat Download File
Process:	/tmp/udev2
File Type:	Non-ISO extended-ASCII text, with LF, NEL line terminators
Size (bytes):	85
Entropy (8bit):	3.8305954595097123
Encrypted:	false
MD5:	C6A460AB215B31D3DB609B34501BE17E
SHA1:	9EE188EF8326F045BE89C547CC1745A6BF7B6D85
SHA-256:	E41FC5667CC5DB275595CF9EBB550A858AAF4056FCEFB28923E6CFABDB11594C
SHA-512:	ADBAA1591D708078020C7B36567D7E9D458428ECC3DBC19E76C298422EAC713EFD04E42D8DD86809AAC927C1C13C57761A767C1F0BD3B77F9D1CD7E814CEBB8F
Malicious:	false
Reputation:	low
Preview:	.Z....TZ..Z..k..V..Z.....Z..V..Z.....Z..V..Z....._..S..Z.....V..Z.....Z..V..Z.....\|..

/home/user/.kde/.cfg/12.so Download File
Process:	/tmp/udev2
File Type:	data
Size (bytes):	111928
Entropy (8bit):	7.898002301161979
Encrypted:	false
MD5:	4EFBF4007F39CB0B8B4BA03A5815A360
SHA1:	F1C8A826E79287481924987F008E8249B148DF09
SHA-256:	556E5AD1606F28C068CA4AC821F40CC4713FD3BBE994ACC0976D0A03160E998D
SHA-512:	937F8861D061011241B2042955AA4FB733B342F2E333EC997C6E98029E54EC7F10D5FC5805DC368064FA258189F63D163D02C754753CC301BE406865645E84BD
Malicious:	false
Reputation:	low
Preview:	......ELF........>....R..@....(8...,8.V......... .8....I...$.....8..O8#..#.2.$68..F.G.......h..$.<G..P.td...s%.......18Q.....B..Rpj..#..5.9..x.....GNU......5.hH\.......M-.z.2y.Y..$.GUE......1!&....T...@&.D..0..... .....yQ<.N.C2.........rp... Q..}...=...%P3...H....@...p".......:..0.j.%....lF..C..."(.Hq..$....X..DZ\.^.._"`Wa."cDef.i..j"nDoq.r.t$vHx.\|)}<.~......x............$.H...+.$d.H...".S..".D......$.J. e.2..$.H...X.......$.H...".D.......,...$.J..^D......$.H...".D......$.H...2..$.J..d.H...".D......$.H...8......1...Lz.0....Pr..e...9....!."..^.Q....F..!........"@.....&...... .\cw$.)..W......?.L....0.'.A...u.2.).B m.....2..#(^ioD!.,.G...Q...Z[1.>.A.)H...=.....E....eT...\|.....U.B..$...e\|`..... ...W}p........VZ.P.0....x......m.c.!r..0.}.....+.0Q`.......?=.J.2.c.!.b......d.............~.g.!.2ybh......9..m...K.....^..n.zo... u.N....On..V.......qX.[..1......w..$B....>...)......<?h...a#.".=0..!...06...x..i...?..v...... .%....G...f*'.....?8..h........+.[k.}o.t.....{.......h..4....\...\|$...3.=.Z

/home/user/.kde/.cfg/12C.dat Download File
Process:	/tmp/udev2
File Type:	Non-ISO extended-ASCII text, with LF, NEL line terminators
Size (bytes):	85
Entropy (8bit):	3.752090752467995
Encrypted:	false
MD5:	70E0376FDE7F03B7B042C3E0F9A44303
SHA1:	E61D91E023DF6FD107795E833E57AC8EC2344C2F
SHA-256:	1C68FE0A3BC5A671D49D28764852A37AB0F59571398363E16D660219257E14A3
SHA-512:	AFE3D14B98701C1935923DE591A0737273788CC485BD917831E3C72026B3F73CC8082AEAFD3BCAA0B3F764BA719ED3D1870CFBE0DC877EBA18C40CC61D22392B
Malicious:	false
Reputation:	low
Preview:	.Z....TZ..Z..k..V..Z.....Z..V..Z.....Z..V..Z....._..S..Z.....V..Z.....Z..V..Z..H..Z..

/home/user/.kde/.cfg/14.so Download File
Process:	/tmp/udev2
File Type:	data
Size (bytes):	347017
Entropy (8bit):	7.8800442470390974
Encrypted:	false
MD5:	1E0399DED79930DA2164207B993E3FC8
SHA1:	6547E9F77BD478820B0724AF066FB0CC6C38E1B4
SHA-256:	4B39B6F1EA8B55CF46F5CB9D6AEA58DDABF079698A90D7BBAD4576A8C94801E4
SHA-512:	717C32A8BFCBB413AAD3AD1B66C313FA6B460282FEB5717A7B3EB7BD4B015A68770B965713BC0F96F9D76AE6CCC694255852CF9663B8416265F99936100767A6
Malicious:	false
Reputation:	low
Preview:	@.'...ELF........>......8@R..(p8G.@,..Z......... 8..Ep.&..F+.....`...8G.#..GF....#g....2....<.p$....P.tdQ8........#h8.QP.C....)Rp..P...O.)........GNU......L....C...N..1...I.L.c......j`.w4 ...oT:Y)......"..r.<.(EE.j.a.oMj...a@.P(.. ..zT...%....A<....G-@. (:.0&...AaI.@....@..,Pt3..&...X.H..u....."...AR.3...P.......B.e%X.L...S....Q$.............A ......f...(.....A...r......U.....".....!'.....Q_........... ._.`......[26.=.....1..q...Z."a*D.g..R....v..........tI...?.. .&0... .n...'H..L.L... D.0...A...>x(...........I...dT .........T..$..n.T..5...[<.`9,.BP.V.@....=@.Ub..!`c {....&..G.m......B0.E"(..8APU....[8H.$.._.w@I.....&..M.P........d.H...)....".D......$.H...".D......$.H...".D.......\...%..(".D....S..".D....K0".D......$.K.9=....".D......$.H...".D..... $"H%.'"(Y)..,.0..1.2"5D68.9.:$<H@.A"EDGI.M.O'P..qR..U.W.X$ZH\.])_(.b.cL.e.f.h".lDop.P.q"rDtw.{.}. .L.......".D......$.J.,d.H...".S..".S..".D.......).......$.H...".D...)0....f....J.8.......".R.0....".e...3..2....$.H...".D......$.H...".D....L

/home/user/.kde/.cfg/14C.dat Download File
Process:	/tmp/udev2
File Type:	Non-ISO extended-ASCII text, with LF, NEL line terminators
Size (bytes):	141
Entropy (8bit):	4.1072374375231275
Encrypted:	false
MD5:	95DE6C2F58D2FE69117A5FA7735F1E23
SHA1:	E50CCCF9BD5F3FFBF3D2AC5DDF8378DF7AB9A91D
SHA-256:	A8D57E396012183BD8538CC13E414BD8C3AFA0D438A081CD3E96B7390348E01C
SHA-512:	D3B5806717CF8837317534E41E75885C777D3B3476D0890A073AFBF03DE0CE4A0825D3F12237EE7039E63BDCDF1974509381127843BC61BA112BDFC873498051
Malicious:	false
Reputation:	low
Preview:	'Z....TZ .Z..k..V..Z.....Z..V..Z.....Z..V..Z....._..S..Z.....V..Z.....Z..S..Z..N..V..Z.....\|..S..Z..N..S..Z..N..S..Z..N..V..Z....UZ..R..Z%H..

/home/user/.kde/.cfg/16.so Download File
Process:	/tmp/udev2
File Type:	data
Size (bytes):	98527
Entropy (8bit):	7.900054772699157
Encrypted:	false
MD5:	AFDE2AEC5264E80813A4009B0A700E4D
SHA1:	6B92F4AD09732948223C0583A61A9D4EB9A3FCEA
SHA-256:	48A6DF4A0515579098BE87EF05D0B4C63A2391FFB60B3C4B436C55CDF2CA82CB
SHA-512:	84222144E53E4E521C4A67B0843D0D6121B9D06BAC932708BEC236624546F333931DDB8E9E6CB03237DB4F48AF53FEA72DB7E915752EE9675A5E9683F273B040
Malicious:	false
Reputation:	low
Preview:	.r....ELF........>.......@....(8...,8.V...F..... .8...JI...$..'...-.O8#..#K2.$68..F......e.4.x.$..#..P.td.Fp.%..cd..m.8Q....u!.ER5pj.........xH....GNpU.e..Tz...w....u...pe.SA.$cZN....wa.%....T.u.....@PG....... ..~E....lUV..8,. ......R...h...a.A`...&..! :v\.`.V..K.t.=..:.).....TPc.(.......1l....A....D.9........$B.......]!.@.....\....~...P..D.x.B@.d-Q?....i(.1..p.\|..B.....@.....3P."....".(....@.............@.$.f.-..b.CpI......(....W....D.".\$]L^.`.b.eG..f"gSh."iDjl.m.n$oHq.r"tSv,"xDz{.\|.}$~H...".D......$.H...&.(..............9...$.H...".D......$.H...".S.@".D......$.H...$...e.<......%.2..$.H...".D....L$.....$.J..d.H...".E.b.,.....\|Q.L....D.......".D......$.H!.#"%S&<"(D+.,L.-./.0..2.4$5L7.8.9.;$<H=.?)@0.B)D..E..G.J.L.M$OOS.x.V.!W.[.\.]%^l$`.b.h$iHj.k>mC.n.o"rDsv.x.y9z..\|.}.~$.H... ....".D....L...h..".S..)..e.,.....1...'..M4e.2.......).....)....H..2....$.H...".D.......0<.....@9.5_.Q..z.f/....1...A.H..0\......p..b..U.....0.}.R.M{.><$7u.5t........s....[..S%...3...x.*...k.!e..)?....D..-...<.

/home/user/.kde/.cfg/16C.dat Download File
Process:	/tmp/udev2
File Type:	data
Size (bytes):	285
Entropy (8bit):	4.682938535499455
Encrypted:	false
MD5:	E6B77538E4D2625E8B1132DE5B55A917
SHA1:	CFD0B2CF28897233BFBE9D35C9BDFC5FB9BF975E
SHA-256:	D8F0A9F5566E6C8D5A8B589EFDAC8FCD3C039BB1EE1D9EA04FCF76B701D86F3E
SHA-512:	6CDFCE08752C349F9C383EB4F94BC96ECA8769449DFC05DBB0E270B18CB9C0B2B49F965BAF97A5FE9F799986A8294AE70FEFC2B040586E098ACC68F7B1B14EA8
Malicious:	false
Reputation:	low
Preview:	.[....TZ..Z..k..V..Z.....Z..V..Z.....Z..V..Z....._..S..Z.....V..Z.....Z..V..Z.....Z..P..Z%....Z..Z..[.$..Z..5..Z..7..Z.....Z..Z..[.$..Z..5..Z..6..Z..>..Z..Z..[.$..Z..?..Z.....Z..J..Z%....Z..7..Z..Z..[.u..Z..9..Z....TZ../..Z..B..Z%....Z..;..Z..6..Z..V..Z....UZ..R..Z%....Z.....Z....

/home/user/.kde/.cfg/17.so Download File
Process:	/tmp/udev2
File Type:	data
Size (bytes):	101467
Entropy (8bit):	7.90118340754
Encrypted:	false
MD5:	3C55AC84AAFFA349E8BC9223A22B2888
SHA1:	215994EB886AAE2D4AEAAEF862C1C2744DB4269A
SHA-256:	452830D5A6F1AFA294C7C1F8D57A4A7E2CCCA9593AC80D750E709DBCF53636E7
SHA-512:	7C4A5A05C0E63831F388F8E792738F41FCD10B1FE4BE473E6EB6E6F435B019B16E9C600D7C8F2DC00B2DB4A52B6A46F2C3B9FF3B88BE2EACFB44A60194D36365
Malicious:	false
Reputation:	low
Preview:	......ELF........>...P...@....(8...,8.V...e..... .8..k...$....'...-.8y..0......p....#......h..$.<G..P.td.. 7%...d...18Q.....B..Rpj.........bx.F...GNU..Y.<....v..hT=......%...cZ'N0..wa.&%....T......:@P8......C ..E..#..UaV..,.........R...h..a..A`..&...! v\....V..K.........H...T{P..(......1l.........D.9........$B.......]!..@....\.....~..P..D..xB@.d-.Q....i(.1....>..B.....@......P."....."(....@....V....p.{..@$.f....b!.pI......(`...W....D...\.]&^.D`b.e#..f.g)h..i"jDlm.n.o$qHr.t)v,.x"zD{\|.}.~$.H...".D......$.H...\|(..V......H.y.......$.H...".D......$.H...).@..".D......$.J.$e.2....D...........$.H...".D...$D......%.2..$.H...".....s...(\|...S..".d...H...".D......$!H#.%)&<.("D+,..D-/.0L.2.4.5&7.D89.;.<$=H?.@0.B.D..E.dGLJ.L.M.O'S.<.fV!W.D[\.].^.$D`b.h.i$jHk.m!.nHo.r"sDvx.y.z..\|.}.~..$.J. d.H...".D....R.h....).........D...........4.....L...............HY........$.H...".D......0..N...9.5_..Q.z.f/....1...A.H..0\......p..b..U.....0.}.R.M.{><$7u.5.t........s...[..S\|%..3...x.*...k.!e..)?....D..-....<

/home/user/.kde/.cfg/17C.dat Download File
Process:	/tmp/udev2
File Type:	DOS executable (COM)
Size (bytes):	294
Entropy (8bit):	4.685865393269546
Encrypted:	false
MD5:	84124690409614DC462D4EA649DEC2C8
SHA1:	AFF61969D18DA47622DF1483A58E33E88688626E
SHA-256:	08F2E0C3242981F351C9C5419E1D1D32968F2E5B79925CC62D1690102CA4A6C1
SHA-512:	4C0154E4394BFE2A214DECEE980675C6E7B27B8B5527FFD7F133B9A7312E323EA4EA5C657A5CEB0B89A3BE050F94B12B92788966FFB5C2CCDE48E2C84B0A3E07
Malicious:	false
Reputation:	low
Preview:	.[....TZ..Z..k..V..Z.....Z..V..Z.....Z..V..Z....._..S..Z.....V..Z.....Z..V..Z.....Z..P..Z%....Z..Z..[.$..Z..5..Z..7..Z.....Z..Z..[.$..Z..5..Z..6..Z..>..Z..Z..[.$..Z..?..Z.....Z..J..Z%....Z..7..Z..Z..[.u..Z..9..Z....TZ../..Z..B..Z%....Z..;..Z..6..Z..V..Z.....Z..R..Z%....Z.....Z..Z..Z..j....

/home/user/.kde/.cfg/19.so Download File
Process:	/tmp/udev2
File Type:	data
Size (bytes):	97373
Entropy (8bit):	7.896742744236124
Encrypted:	false
MD5:	022444FC202EBF5B372D9B1B004698D5
SHA1:	CDF2870A74B7E6472DB72972C833CFDE9912AD47
SHA-256:	918C35D102DA88DCAA4A62F0372A1740E5E41B3F2A119C65620C9B1A0DFDE85F
SHA-512:	F9A43C7C4F3A5BE61751ED148C9311449A663B47D1E173B6E132E3A6A78DA83AE1A67C94C9A0C2658866D741DD16BD90AB87CD7CF9806D914D21CD3488157E35
Malicious:	false
Reputation:	low
Preview:	.:....ELF........>.......@....(8...,8.V......... 8..E..&..F$.\|..c.-.<8..G.x...8..F......e.4.x.$..#..P.td.C ....^8,.F.8.Q.&:....R.p...x...N.Fx$..l.G8NU..wo.....}..6....?+?.8v"d.cV.N....a.$..j..b..T..@.8........ .......U ..,..H..........(..a.bs`c}&... >vX.B....J`....vj.I...PG.. .`....1~l..M.Z.....A ..I.....@.....tPc#6...z.....}.f....n.....%P.^..I..1(U...B.....2...@.. g...."(.....@..4R..>..X.@$.Fhp.RB..pI.!.r.8"...V...D..N@DXY.[.]$.^.y_.`%a2.b$cHe.f"gDhj.lL$m..Dnq.r.t$uHw.y"\|D......$.H...".S..........@R....y...$.H...".D......$.H...".D....LH.....$.H...".S.$).......$.J..d.H...".D......$.H...".D......$.H...".I.....G.).........A......".D...Y...........g..\|..L....D....D...... "!S"."#D$%..S&.")e+..lh2.3..4..5.7.$.8":D?@..A.B$.C$DHG.I"KCL.N.P..Q.fR.eS.T2.U$VHW.X\.Y..DZ\.r..]..g_.`H.aHc.d%54.f..h.diLk.l..Dmo..RpH.q.r..s.t"vDxz.\|.~$.@..0......_.Q.z.f./...1....A.H.0....pU......}..R.M{><$7.u.5t........s...[...S%..3....x...j.!.e...i...?DA...........zc'.................. ..:..F...s.`.Y"."f.)..n#..F.

/home/user/.kde/.cfg/19C.dat Download File
Process:	/tmp/udev2
File Type:	data
Size (bytes):	273
Entropy (8bit):	4.638982645254158
Encrypted:	false
MD5:	846797B2881EBF3FACDACB79A89F8B04
SHA1:	6D01E812169833213A41C661F4F9C012948525C9
SHA-256:	460D88B0A734B01EAB91D6E828E269459159D86485E6FA2770E839A5DB80E0FC
SHA-512:	E32FC2E5308BEABD237046ADA7116B14BC9D7E5D82A569B93C839CE332925C113B37C6799BF81E4AF901004B5D8345CB14723FC1D7583D33FD8EDCDD9001E295
Malicious:	false
Reputation:	low
Preview:	.[....TZ..Z..k..V..Z.....Z..V..Z.....Z..V..Z....._..S..Z.....V..Z.....Z..V..Z.....Z..P..Z%....Z..Z..[.$..Z..5..Z..7..Z.....Z..Z..[.$..Z..5..Z..6..Z..>..Z..Z..[.$..Z..?..Z.....Z..J..Z%....Z..7..Z..Z..[.u..Z..9..Z....TZ../..Z..B..Z%....Z..;..Z..6..Z..V..Z....UZ..R..Z%H..

/home/user/.kde/.cfg/22.so Download File
Process:	/tmp/udev2
File Type:	data
Size (bytes):	94841
Entropy (8bit):	7.907616731270398
Encrypted:	false
MD5:	AC2FFD13D25EFD37BC5D9B25618165B4
SHA1:	CA7497016720511EE7C5DF5B0559226FAF643939
SHA-256:	A265E3FF413B77686485A440A077D4DA5F6E34DA2C241F6561DDDD9B1653A66B
SHA-512:	A3264656FADD02514F14419722F8E5A85F2CD612883EDBA1AD2621AF8526CB5CF97D4FA8C1885E4C5C3A5983194C56D95A4F5404D9943C3606D4056E08F05954
Malicious:	false
Reputation:	low
Preview:	0t....ELF........>....K..@....(8...,8.V.. ].....r8.".k..#.$c`..1....8G.#..GF....#hGn...e.4.x.$..#..P.td.<I%..c...m.8Q....u!.ER5pj..0......xH....GNpU.K.!..Pyv...#...'@...(..2..U$.H..Wm.....C_!.`$....T..A&.D v......u.. s.aQ.LDC.2..q\....`E.....*u.$.....R..w.H3.$."....(B..8.@..j..%....lDX.... ..@...$..t.hXl..VJW..XJY.d[H\.]"_D`d.e.g$iHk.m"pDtu.<Sv.#x.y/x"zS{.+..d.I.94...%.l$.....$.J..e.2..$.H...)....".D.......XS..".D......$.H...".R.8....)..y...9...$.r.$.H...".D......$.H...".D......$.H...".D......$.J.pe.\|....z...Qe....c..^..............".....D.,.P.\cw`$!..W......?.L....0.')1@..U.0c(..A.B.m.(.....2..#(^iPD.,..G..Q....Z[1..A.)`H..=......E...e...$..`\|`..9... ..W}p.~....I....P..0...x..z..c.!r...}..r...+.Q`.......?=.c...b..N........d!............~.gLh........K..X.O.zo..&@.M...u.N....On..V...;.........y..qX.[.1.......w..B...~.>..,;1...f...)...`...a#..".=.......6....x.i...?..v...... .!%......(i...8.fh.L......}o..u...k.......\...\|.=..Z..s......5o:..yA....CE........v...^h.....7.....\).....+.K.....!

/home/user/.kde/.cfg/22C.dat Download File
Process:	/tmp/udev2
File Type:	data
Size (bytes):	496
Entropy (8bit):	4.878298422669574
Encrypted:	false
MD5:	5BA198356D1BE9DCF4188F2AE975DBF2
SHA1:	6A44D7C0569297E41C6C522D299143328CF12354
SHA-256:	60D92C4FA2EF4072535D50ECC4E7BCCBE08DC586E90E88E4AFC88ED17EB8796F
SHA-512:	3A891595AF00B017B0B7F853326EAD0DC095AABBE72801BC911ADDF2E4B9EE9D1D7573EA2553F68FCB87A61A31A15198963A9A19CB6FBD86F7CBC516CBB6A762
Malicious:	false
Reputation:	low
Preview:	Z[....TZM.Z..k..V..Z.....Z..V..Z.....Z..V..Z....._..S..Z.....V..Z.....Z..S..Z.....V..Z.....Z..V..Z..x..Z..V..Z..x..Z..S..Z.=...S..Z.2...V..Z.3...Z..V..Z..x..Z.....Z%....Z..7..Z..?..Z..3..Z..z..Z..5..Z%....Z....Z..)..Z$....Z.....Z%....Z..5..Z..?..Z%.<..Z..?..Z..".+Y..5..Z..6..Z..z..Z..(..Z..5..Z$.5..Z..(..Z$.9..Z..5..Z.....Z..?..Z..;..Z..6.+Y..5..Z../..Z..5..Z..Z.g[....Z..9..Z..?..Z.....Z..8..Z..(..Z.....Z..8..Z..(..Z$.1..Z..8..Z$.9..Z..3..Z../.+Y..5..Z$.3..Z.....Z..5..Z..4..Z..V..Z.....Z..

/home/user/.kde/.cfg/23.so Download File
Process:	/tmp/udev2
File Type:	data
Size (bytes):	179568
Entropy (8bit):	7.930402053796992
Encrypted:	false
MD5:	ABDDE9E203E97325A3538A167B2D3EFE
SHA1:	9CDA82FFE3F18E8E7FF10AFF84483BAC3B5BADC7
SHA-256:	6B2205507C2A739DA01028F936561094FB649E71D44FD68949C2032B6E0070ED
SHA-512:	FCA5644A9B6939C644191CE8B739F87BBC3CAC84EFD4DA0F74BB67FDF695ED6F28F750299D094FE242566015374853C6ADCD59ED4134B743CBF6FFE689FCF66D
Malicious:	false
Reputation:	low
Preview:	......ELF........>...@O..8R..(p8G.@,..Z.. ......8...8..L.......Hn.8#..`.#.......7G..2....<.p$....P.td.#H.B...l..6.8EQ..:....R.p.......N.Fx$..l.G8NU...j.....RQ........}..;....>'N0...a.t......B.q.........@.o ..7..Q...d,"..\|.........A.> .}`....PX.j..H.R..d0..@!3Q....H...f.. .O`..@.....P.#Z.`.4...0.4...i@...7[....3d..^U..B....k..@...g....0!7..V,%.....V..bAp..X."...3.T.c...>...#A.B..D.E<.F.GK."HDIJ.L.N$PHU.X"ZD\^.`.a.8bL.c.d.e%f2.g.`Li0.j.Sk."lDnq.t.v$xH{.~66.p........).Pe.+d".S..".G.".G.).0d.H...2..$.H...".D......$.H...4...^S..)..d.J..e.,....D......$.H...".D......$.J.HY....4.........K.".G.)..d.H...".D......$.J.,e.2..9....xD......H...".D......$.H...".].M...........MW}p\|q.w....m95.o:.........x....k.pL..yY........`...^.Q............@."(^0i.!...P......e.1....3...1.....H...+.Q.......x.i.?=....$.. t.....30..A..\cw.2../....O.?.t.N...z. .b.!.r..^.......7@~...#.."...1$..x/%..8.fh...t)..'..G).j......:v!`D...?...+.zo....U.B..Z[<3W.9...e..>.D..1....`.=h..v....Qe.......,..G@....s.C.E....2 .G.x...!.."

/home/user/.kde/.cfg/23C.dat Download File
Process:	/tmp/udev2
File Type:	Non-ISO extended-ASCII text, with LF, NEL line terminators
Size (bytes):	148
Entropy (8bit):	3.8846685903879883
Encrypted:	false
MD5:	C4D7AA3D9FC2A95049831DF568212C4B
SHA1:	49E6A73ED67EBEB25CDBFBE8BBDFE564D29E0D61
SHA-256:	C6D81C1AD1FB89F6F0677DE142662DE179F2357327534EE475F081A20D834239
SHA-512:	C68BF1A585F092B380669453785AF80E748EE2278B5FF0E11949EDDC844A29C8EC5055E3E96D8CE01B0A51CF3226DE34D963382B46CC05570F707233A0F78F3E
Malicious:	false
Reputation:	low
Preview:	>Z....TZ).Z..k..V..Z.....Z..V..Z.....Z..V..Z....._..S..Z.....V..Z.....Z..V..Z.....Z..S..Z.....V..Z.....Z..V..Z.....Z..S..Z.=...S..Z.2...V..Z.3...Z..

/home/user/.kde/.cfg/24.so Download File
Process:	/tmp/udev2
File Type:	data
Size (bytes):	155643
Entropy (8bit):	7.897760525497651
Encrypted:	false
MD5:	4C395C84CFB214386B4607831146DEF2
SHA1:	41A2BE327766FCBFD53B1CA445289637D33E1529
SHA-256:	53F2812D1700124ED4A09DCF874928E1E853A3B50A99FF87AC663FC7525ACB4B
SHA-512:	23F344CCFF2A231B44917EA04068E20B0F9EF29F26CE3C1F75E4762F99B5C00A668E0C941A7B198E4E5AF01520CDE4335D3352AD2B1B7DD46D371BF181E19D7E
Malicious:	false
Reputation:	low
Preview:	.4....ELF........>....V..@....(8...,8.V......... .8..x+I...'.\...P..O8#....#.........b....M...8$G...P.td..4....X....F8"Q....H.QRMpZ....f...#x..6...GNU..J...+..Q.o.....]u..v[.L..N.N....a.....U... ...!.....}......O ...QP..C.,D...j..,..H<\|..A@..........X...fH......@.k..x.h.3..+.of.. 9O...`...tPc#...94E..0$..s..v...l.p..1.Ad..FU..B....q...@.(........Gs,%......V&.A.p.;..."...#.T.......O.P&R.DST.U'X"WDXY..D\`.a.d$fHi.k"nDsv.w.x$zJ{<d}H~..i ........D.......".R. ....".D..........$.H...".D......$.H...\..$.H...".D......$.H...8..$.J......$.H...".D......$.H...".D......$.H...".D......n.d...H...".D....s.......".zA......Qe...@....^.(Q...!.......E" H7.....D.\c0w$!..W......?.L....0.&.,..e@@.Uc......(.)A!B..m......2...#(^iD..,.G...Q..H.^..Z[.0..A$lr.E.9G..H..=..I....@E;".#....e.1.....=v.U.B...$..e\|`.....*.... ...W}p\|..;....VZ.P.0.#......x....c..!r.0.}..r...+.Qy.f.a`......?.=.....J..2.c).b...N.?......d!............~.g.y..Rh...!.........K...`.z.o..&..M...u.N...O.n...d..V............qX.[.1.......w..B. .~

/home/user/.kde/.cfg/24C.dat Download File
Process:	/tmp/udev2
File Type:	Non-ISO extended-ASCII text, with LF, NEL line terminators
Size (bytes):	148
Entropy (8bit):	3.8846685903879883
Encrypted:	false
MD5:	AFA179073CECA62AEF5B1E60CE8C5294
SHA1:	F9359EA5C390FC5DBB95B88B83FA0B6F3A9AD030
SHA-256:	60E90EB97CE6CC9C365E00A9B76C4A20557EF6268543C2D12F6D569AFBBE2BD6
SHA-512:	7D084401D2FD9528C10AE8C2AFE916EE8B540FE802C159C5DCCD0B4CDBDC446946E12723B73AE4E6EB15FE591FD3D2A4C9AD88357F93033414A4CE886D8D92FE
Malicious:	false
Reputation:	low
Preview:	>Z....TZ).Z..k..V..Z.....Z..V..Z.....Z..V..Z....._..S..Z.....V..Z.....Z..V..Z.....Z..S..Z.....V..Z.....Z..V..Z.....Z..S..Z.=...S..Z.2...V..Z.3...Z..

/home/user/.kde/.cfg/27.so Download File
Process:	/tmp/udev2
File Type:	data
Size (bytes):	136293
Entropy (8bit):	7.892721368390249
Encrypted:	false
MD5:	5EFEA797FAB6D41B13A7C43479B57FA7
SHA1:	AFEBBF20D9DCF4E6B34CB6F0C71713E332C192DC
SHA-256:	A3BA4E9224EB3AC3A6F4D97C326EA2F143C14F840C41AE71D6A3AD9A41B9A1B8
SHA-512:	25C2170C426DAAF7906A321A03590E8C04EDC839728F4141609FB3D752C2FCBB9E54C1D8F93EE7A9B8F91DD61A798DAC27F7FF4AE4DA863DF08255D834656626
Malicious:	false
Reputation:	low
Preview:	......ELF........>...@b..8R..(p8G.@,..Z......... 8..E..&..F%.(..c...<8..#..2.%68..F......e.4.x.$..#..P.td.F.....c<..m.8Q.C&....)Rp..P.......bx.F...GNU. \_.b.m..u>.2...N....,....V'NRc.uA.......l....O....H.."...`@D.Y!..c.z...H.....n.\|..a..0._8@..WN...D..7I...'.\.@...`...q..........<B. 0UH...@....`.pU!.....D...0$.?.r;.@.. <........lQd.w..`....B.j.._h..H.l...F.....j.. ...B>...`$.F.6.U..p....."h.[..T.+.V..W..Y.Z..#[.\.]K."^D_`.b.e$iHj.o"qDst.v.w%z2<{..\|.}%.2..%.,d..........%.,$.....$.H...".G.".D......$.J. d...".D....D....D...........$.......2..9....D....7.@..........XY.K.".V.x....".S..".D....D......$.J..d.H...)..y.......$.H........".D......%.2$.....t..........\|..2!...%.2.......)............L....L.!.........b...}p.\|qw..5o:.....x7(y.%.......=S.....M<...s......C.O..)^.Q.........V[..\|).."..."(^i.........o3..9.!.......'.....+.Q.v~0..!..p......x..i.?=.0z.Y...$..!...7...0...A.\cw.2...k]..`V....u....r....../.....1.KB.U.i.x...!r...^.........."..R...,)....E8.fh...%.L._...6).j.......v!..4...?...+..N

/home/user/.kde/.cfg/27C.dat Download File
Process:	/tmp/udev2
File Type:	data
Size (bytes):	153
Entropy (8bit):	4.121042231247292
Encrypted:	false
MD5:	616BFC08B0A8C73846FB6B5DC4AA840B
SHA1:	F84BB5734E256FB0441EE237158F0924327C81E3
SHA-256:	5268CAA6453A301209BD10DC394644B694BAF54340B8573FB94BE51C6B930E1A
SHA-512:	422AB48BF97C3BB57BA91CA842D37B15DA3FF1D4251CE3DCFAEE7A2384AAD42ADF163B0325663AE7985774A4E40766881908593F8C5743415C09C1B8B0395CF3
Malicious:	false
Reputation:	low
Preview:	3Z....TZ4.Z..k..V..Z.....Z..V..Z.....Z..V..Z....._..S..Z.....V..Z.....Z..V..Z....UZ..R..Z%....Z.....Z..z..Z..j..Z..Z..j..Z..Z..j..Z..Z..j..Z..Z.....Z....

/home/user/.kde/.cfg/28.so Download File
Process:	/tmp/udev2
File Type:	data
Size (bytes):	83766
Entropy (8bit):	7.902114645846429
Encrypted:	false
MD5:	DB14A2E982A6E3F5F2B8A070868A6392
SHA1:	ECC1AC08DC3D218174211052FE4F40128F00DC95
SHA-256:	21263FDCD33591E3907C61841EBC2BEECC81EBC8BA1749C14B3DEA246DC7E5FF
SHA-512:	D970C8FCE868C7440CF3095F98D2156329654714167A797F616059EC8778DC487FC6BA1C4C9021EB7AD2B528C8796C2F9F097F097C02AB899100AEF99494C7B4
Malicious:	false
Reputation:	low
Preview:	.u....ELF........>...P]..@....(8...,8.V..pg..... .8.....#.#b...l...8G..`l..#....#g....2....<.p$....P.td.#.LB......6.8EQ..:....R.p...`...N.Fx$..l.G8NU.....D\|:.t%u....O.M...C....X'N0..uA...S.E{........B.@$ ..."..QD.3.l...h..r.X.<.a=....u.0.U.......l..L.........@....0..d$..P....0.. NH....@....!XU#....2<D.u.d...!.e...&...(.Ad.D......R....#k...H.Q{.3.l....."V..$P..w.2.F......ph....].V\........I...^#`.b2e.f..h.n$oHq.s"uDwy.}.~.,.L...H....$.L........ D......$.H...).(d.H...".D......$.H...".S.8)....".D....L...d..".D......$.H...(....".D....... ...$.H...".D......$.H...".D...DD.......,.F..D......$.H...r%.......D.....zY..i.......a...7Qe...0)....l.....@_.Q..v,.. .....h......"....@DF3........\cw$.)..W......?.L....0.'.@....&[..D..).!B.m....2...#(^iD_.,.G..Q....Z[1..}A.)H...=..;".#....e~+....h.R...........$..e\|...o......`a...W}p\|Z.C..4"+.H.uq..... .C..P...J#.....x....c..!r.,u.0..}... .+.Q..Mf.`.......?=.c...b...........d!................~.f.)....y-...h........K....~.zo..&..M....w.:..k........On..V.

/home/user/.kde/.cfg/28C.dat Download File
Process:	/tmp/udev2
File Type:	Non-ISO extended-ASCII text, with LF, NEL line terminators
Size (bytes):	121
Entropy (8bit):	3.983970525241234
Encrypted:	false
MD5:	D467056AA0AFE85D5F4C0AADD9779BC7
SHA1:	E6EB7CFDB21F3660C119BB2DA84557195EAD48D9
SHA-256:	B7555070E8637C43AAE7DEE908FA51994C21130972D86E6A9689A911CBDD3480
SHA-512:	0429C15DA6D5F6EE4C4BDD8626C0EB09989A67D8FFE361C29714F2BCA767E8FC19D9E09F65274489766AE045B2BA9992F2B3A9B612213F90E2B2D13FDEE01129
Malicious:	false
Reputation:	low
Preview:	.Z....TZ..Z..k..V..Z.....Z..V..Z.....Z..V..Z....._..S..Z.....V..Z.....Z..S..Z..r..S..Z..r..V..Z..r..[..S..Z..r..S..Z..r..

/home/user/.kde/.cfg/29.so Download File
Process:	/tmp/udev2
File Type:	data
Size (bytes):	79889
Entropy (8bit):	7.887368868933333
Encrypted:	false
MD5:	1B3E921BB718A6F1B09418474799F04F
SHA1:	0F69F8AA23907650BCBE4584A2C3F29AC9991239
SHA-256:	02917AF32EB15DC810B2C046049179BD5B6C429FA1989E94436930EF35F39667
SHA-512:	817A564E8F6E73184B497B9D5910F4EB25E496CE39D2DB57F754EE513EA25377C069B48E8AFC07C0D43228AE33099C2ECB32E91D1E340B3D6528B26071A6EFAA
Malicious:	false
Reputation:	low
Preview:	.v....ELF........>....o..@....(8...,8.V..\|]..... .8...l&..F#...3...<8..Ghx...8..F......e.4.x.$..#..P.td.FX>...c...m.8Q....u!.ER5pj.........xH....GNpU..C.%M..)...\.a.U..h....2..NNN`..uA..8..$._.@.....w.y.= ...g ..U-..f,..............a!b..u?..W.~................P#..!.&....0l.........= ..IgH..@......PU!6...TL`..$\|.m....w..P.%P...@^.1.GU...B.......f.F.'..."n(L.....4R..>..2..$.Fh....'vI..{"...@.V...DH...P.Q2R.SNPST."UHV..WO..Y"[d\.]H_.`"dDeh.i.k$lJn8dpHq.r"tRuT.v.x"yDz}.0y~K.".D......%.2.......$.H...).De.+d".G.".R.....d.H...".S..".S..".D......$.H...".D...0D....L....L....D.........$.H...".S..)........".D....D......O........J..d.H.......d.H...).........r.%.2..............S..".S..".G.".D.......".D...$S!.""....j.........W}p\|...b.qw..5o:..OW.....x.........,.y..7#.........^..Q..........X...^i.!......)....S....2.}.!,.U.z.)..+.Q..O.......x.......i....;.....?=...$.q7..M0..A.\.cw....O...R.2.......yBY$........;/.z... ...z..Z..Sb.!.rv7.p..^...) .........."..@.!...18.fh...%)&...Cv.....X(.....Fj.......

/home/user/.kde/.cfg/29C.dat Download File
Process:	/tmp/udev2
File Type:	data
Size (bytes):	111
Entropy (8bit):	4.128518324538023
Encrypted:	false
MD5:	041DB353B571E867EC295E1225A565CD
SHA1:	44BABA85667816BBBF2ECC3F120BDF62F1887FEB
SHA-256:	28FF514D741360922ADEFEC84BC98EDCC19485B1B39646178DA60EC36F1084B6
SHA-512:	FCD6E16E1DC6642D2E401EAD6E30D85802A27FE6E9BD2BBE2FD909D6649F3521007C7099CAF07D8BFF68FEDCF7E79BCDA6F7963566786409FB4B30ECC58B78D6
Malicious:	false
Reputation:	low
Preview:	.Z....TZ..Z..k..V..Z.....Z..V..Z.....Z..V..Z....._..S..Z.....V..Z.....Z..V..Z.....Z..R..Z%....Z..j..Z..Z..j.)..

/home/user/.kde/.cfg/7f.so Download File
Process:	/tmp/udev2
File Type:	data
Size (bytes):	126399
Entropy (8bit):	7.940058731218218
Encrypted:	false
MD5:	C8A521E783491FBA15EB5D52DA1CE71C
SHA1:	C20B763354F39DD97157A19DC993118C8920405D
SHA-256:	F68A1F6FA9D048F1BA8EB64046C4C6A8D30EC7C53387C5080B0133DF86EBE7CE
SHA-512:	A718AFA98AC1E3501534BE9B3BAAE1ED1D8357EBE07A2C90260E01B3D45E59E946044FD528894B62863B45AAB42E8AD33EF45A791750AECF0009B63873BFD268
Malicious:	false
Reputation:	low
Preview:	......ELF........>...@u..8R..(p8G.@,..Z..t...... 8..E..&..F$.0.3/).<8..G.x...8..F......e.4.x.$..#..P.td.<.%..cD..m.8Q.C&....)Rp..Px......bx.F...GNU..g..xb..As1...m%.....B...c.'N0..%.....(..0...(...!...6.D@r.qA..`..!s..5..!(..H4).....N80A..U.:...... ...w...LD..AgHBB......$..@..........C...(`...D.....T.v4......&.......2hK..I.............$..$.C.L.....".Bp...9.,.......M.Gb:..T....J.......M.....#....( ....f..0.c......$(.... .......$..L...6v..!..#$%.^R&..*.+H../"1D45.6.:$;H<.=,?h.BHC.DP.E9I.J%K,.L.DMP.xI.H..DSU.V.W..YL.[._.`$aHc.e..g.h)i..k"mDoq.rb...u.v$w...y.{2}.~%.2........0D......$.H...".D......%.28.%.,H...L..........$.J..^D....R......)..e.2..9...$.H...)....+.ld.H...".D....c.B.8.C......D...P..)....#...".D....D......%.2..$.H.../ ".G.".R......".D...D...Ld.J......$.H...K...R.g....8...!......D...$S..".d...H...".D......y..Hv{db.....Gs....?.@OEtp....m..o.]...9.O.+.Y.qH..0[W.z.....D.-_Cy... ...a.P8.)..w..i....c...SO.C.e..5..~...:X..w...'......B........D.;a............c.......\./.]..Q....M.N.!.)

/home/user/.kde/.cfg/7fC.dat Download File
Process:	/tmp/udev2
File Type:	Sendmail frozen configuration - version \001\001
Size (bytes):	2403
Entropy (8bit):	7.864122365732561
Encrypted:	false
MD5:	7AD1D560E7089BB33F03081729B29DC0
SHA1:	4E24F2C656CA98D5337D893DDC23B58FD6FC56AB
SHA-256:	8EF61F6B2EB040061C132CF2A483E35D6B68721AF36C667469CE75FF854B3D17
SHA-512:	BB28405A52EDCD796B52D27AD5684DB0177576F6A333DAFECA3760F7595BB0161F2EE352857C268683681704AC80FACEDC73F31410DAEB0F1492E2F70B2C11C8
Malicious:	false
Reputation:	low
Preview:	&.0.."0....H.............0.........{e..r.+..R..Sf..t....{..Yw.v..S.M.5>3.Y../')..P.-],.Q.x@wf............i.........[fr...q.}\|.....(.A..$..Qg[t..svo9...]:>............F =.B%._......T...i..FTE[MI...........z...k......5}j..DI@#KG..&.U+..R.........~..A..%0..W5+.N[........t$...KL.qh.....8.....w.....&.0.."0....H.............0............s.e.D.<I.;myI..M8.f..J"......r.x..M.....I.O.2S......h........n0t}.4.........ngp..\..........hP.w2;..H.\|;.'.4bA..;eZ..xh=._.....u..5..D[R.XW.-..az....M.......I......O.B_.R...V{u...}f.@..M.Zv...mr]....I.)..+Z..y..Pb.......l?....u.......H.."J......,I.8.......@.0..<....A......5A...A..EU.&U..e...nE.@z...J....7\|.$...1c.D....b...Y...W.^.......@d_.\|...\|.+N.u.'...L.......2<hCu......F...q...Q.B.o~.S.16.v...@Y.!...$6.[.q.xq.YBv.s...e....~v....#.!...j.7#^.J....c....f..d.yW.Z).....!..g.~.~....n....]...)..w...A9.D2..!..MA.).5>WZ.w.`...P..'...#..A.`.5.!.......M.2.Z....^f.?...#Sh9.EN=....0............dh.\|....K$.......5..R.#G.o.....=2$.w/5r...5.Bhxp. ...l...{h....1k..R..5

/home/user/.kde/.cfg/80.so Download File
Process:	/tmp/udev2
File Type:	data
Size (bytes):	338260
Entropy (8bit):	7.887084189664659
Encrypted:	false
MD5:	EBC0AF066FE69A5B5E7C13D0B9C1B15D
SHA1:	049DDF6FEACA31509AACFFD107CD2921110245CE
SHA-256:	CA63CFD9C7C286367790427D1550603946A8513181B38BD3C1EAC872ED415DE5
SHA-512:	CED5CAE4615E931F5B6A56252254ECB6AECB5773C68641BF1AF2D783F004D9F58F9314B95961344895661A11F89B111B598A8A13057BA9119AD8B14EF85CD187
Malicious:	false
Reputation:	low
Preview:	......ELF........>...p...@....(8...,8.V..<...... .8..h..#.-bx../...8.G#..GF....#g....2....<.p$....P.td.#0.B......<..Q.q.C....)Rp..P.......bx.F...GNU.^......0J......q...,t..&.cIwN.......". ...G.t.yO..z..(..RZ.`.A.i.8.P.c..., .....<..ch...J...A(......=...TX.@.....H.\"..,0..(....@a$ 5$.B2.\|.....C......,H..$o.r.:.Q.P.R.N?.X..O.......U...R.A....LE...!.lc.(.`v..R.)..H.. ..BIb.D...q..H.(......D....M.-.@%.. .&...)..p...>$fc..B..\.@.....y"zd\|.}H...rX.%.2............%.2.......$.H........".D......$.H...".D...(..H......eT..,..........%.2.......$.H...".D......$.J.4d.H...".R.x...d.H...".D......$.H...<..$.V#.."..D......%........x....S..".d...H...""D%(.,..$4H5.7"9D<=.>.A.LB.D..t.E)F..H.I)J$.K.M..O"QDRS.U.V$YHZ.]"^D`b.d.f.Di[p)j.ekl.l.m..o"pDrs.$.t.v..y"\|D~.....$.J.0f..d...J..d.H...+.\|d....................e...2..$.H...P..2....%.3..2....$.J..d.H...@..$.H...>.K3.."..D..........St..V...^.Q.....`..T;g..f,........!h~[.p...U.....Q.]..........0..}.7....KL.6...cu.5....zj...[....J..(%..3....B...xt6.k.5:.]....

/home/user/.kde/.cfg/80C.dat Download File
Process:	kthreadd
File Type:	data
Size (bytes):	5197
Entropy (8bit):	3.92137070723419
Encrypted:	false
MD5:	9DC97010D28FC047AE91277EB3A7FAC5
SHA1:	67D43B88D9B9D280F82ECE672032865EEDFF2A99
SHA-256:	9F4FB1E43306518BD2B0FD927300D6C081B1BD204CAE410E4595EF804EDF4009
SHA-512:	2B6FF04D8C6B586CB24CB525B69316AD82E7F0DDF67463E108B61B9C6EC

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report finspy.sh

Overview

General Information

Detection

Signatures

Classification

Startup

Yara Overview

Initial Sample

Dropped Files

Signature Overview

Bitcoin Miner:

Networking:

System Summary:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

Public

General Information

Runtime Messages

Created / dropped Files