dc30e18cd588c7385d0ccb41ffcfc5a8411fb8d87d3283d0ce927475fb125ade

Analysis

max time kernel
0s
max time network
67s
platform
linux_amd64
resource
ubuntu1804-amd64-en-20211208
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-en-20211208kernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
04/03/2023, 20:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

run.sh
Size

8KB
MD5

e34bac21135beadf24e557e6a8cd7a64
SHA1

def390dddd27d379d4fb38c80fc69d7997425ff8
SHA256

82c388aafffef7d131167904bba3a514f2480757489b0810d04437050784ad31
SHA512

8bacb26ecd8a6157e6eaedc271db20590fe62848c4e742339384c01e4fcb1df4a8f19a089c950337061b40998a9de52666e0a3c232aed69080be1a26ee2242c8
SSDEEP

96:bCUA/F3XH3t3Zu5bufqufVuHWK7ZXkTKk9kfKkQkRkfIk4kv2k8kalhX5KsU6uZR:b7qnpWAFuWK71gVfwzXUstqVk8EbYF

Score

9^/10

persistence

Malware Config

Signatures

Deletes system logs 1 TTPs 2 IoCs

Indicator Removal on Host

T1070

description	ioc	Process
/var/log/wtmp	/var/log/wtmp	run.sh
/var/log/secure	/var/log/secure	run.sh

Modifies hosts file 2 IoCs

Adds to hosts file used for mapping hosts to IP addresses.

description	ioc	Process
/etc/hosts	/etc/hosts	http
/etc/hosts	/etc/hosts	http

Writes DNS configuration 1 TTPs 4 IoCs

Writes data to DNS resolver config file.

Dynamic Resolution

T1568

description	ioc	Process
/etc/resolv.conf	/etc/resolv.conf	http
/etc/resolv.conf	/etc/resolv.conf	grep
/etc/resolv.conf	/etc/resolv.conf	run.sh
/etc/resolv.conf	/etc/resolv.conf	http

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task

T1053

description	ioc	Process
/var/spool/cron/crontabs	/var/spool/cron/crontabs	rm

Write file to user bin folder 1 TTPs 4 IoCs

Hijack Execution Flow

T1574

description	ioc	Process
/usr/bin/apt-key	/usr/bin/apt-key	apt-key
/usr/bin/apt-key	/usr/bin/apt-key	apt-key
/usr/bin/apt-key	/usr/bin/apt-key	apt-key
/usr/bin/apt-key	/usr/bin/apt-key	apt-key

Reads CPU attributes 1 TTPs 1 IoCs

System Information Discovery

T1082

description	ioc	Process
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
/proc/25/status	/proc/25/status	ps
/proc/193/cmdline	/proc/193/cmdline	ps
/proc/347/stat	/proc/347/stat	ps
/proc/369/cmdline	/proc/369/cmdline	ps
/proc/600/cmdline	/proc/600/cmdline	ps
/proc/meminfo	/proc/meminfo	ps
/proc/252/cmdline	/proc/252/cmdline	ps
/proc/286/stat	/proc/286/stat	ps
/proc/418/cmdline	/proc/418/cmdline	ps
/proc/filesystems	/proc/filesystems	dpkg
/proc/29/status	/proc/29/status	ps
/proc/80/cmdline	/proc/80/cmdline	ps
/proc/154/status	/proc/154/status	ps
/proc/162/stat	/proc/162/stat	ps
/proc/30/cmdline	/proc/30/cmdline	ps
/proc/166/cmdline	/proc/166/cmdline	ps
/proc/169/stat	/proc/169/stat	ps
/proc/filesystems	/proc/filesystems	dpkg
/proc/4/stat	/proc/4/stat	ps
/proc/165/status	/proc/165/status	ps
/proc/193/stat	/proc/193/stat	ps
/proc/352/stat	/proc/352/stat	ps
/proc/420/stat	/proc/420/stat	ps
/proc/filesystems	/proc/filesystems	dpkg
/proc/1/cmdline	/proc/1/cmdline	ps
/proc/20/status	/proc/20/status	ps
/proc/21/stat	/proc/21/stat	ps
/proc/192/cmdline	/proc/192/cmdline	ps
/proc/447/stat	/proc/447/stat	ps
/proc/5/cmdline	/proc/5/cmdline	ps
/proc/31/stat	/proc/31/stat	ps
/proc/78/stat	/proc/78/stat	ps
/proc/289/stat	/proc/289/stat	ps
/proc/filesystems	/proc/filesystems	dpkg
/proc/16/cmdline	/proc/16/cmdline	ps
/proc/36/status	/proc/36/status	ps
/proc/159/stat	/proc/159/stat	ps
/proc/filesystems	/proc/filesystems	dpkg
/proc/36/cmdline	/proc/36/cmdline	ps
/proc/81/stat	/proc/81/stat	ps
/proc/158/cmdline	/proc/158/cmdline	ps
/proc/252/stat	/proc/252/stat	ps
/proc/8/cmdline	/proc/8/cmdline	ps
/proc/9/cmdline	/proc/9/cmdline	ps
/proc/19/status	/proc/19/status	ps
/proc/23/stat	/proc/23/stat	ps
/proc/filesystems	/proc/filesystems	find
/proc/filesystems	/proc/filesystems	dpkg
/proc/filesystems	/proc/filesystems	sed
/proc/uptime	/proc/uptime	ps
/proc/17/status	/proc/17/status	ps
/proc/333/cmdline	/proc/333/cmdline	ps
/proc/369/stat	/proc/369/stat	ps
/proc/1/stat	/proc/1/stat	ps
/proc/10/status	/proc/10/status	ps
/proc/81/cmdline	/proc/81/cmdline	ps
/proc/filesystems	/proc/filesystems	dpkg
/proc/13/cmdline	/proc/13/cmdline	ps
/proc/30/status	/proc/30/status	ps
/proc/filesystems	/proc/filesystems	dpkg
/proc/599/stat	/proc/599/stat	ps
/proc/filesystems	/proc/filesystems	cp
/proc/7/stat	/proc/7/stat	ps
/proc/35/cmdline	/proc/35/cmdline	ps

Writes file to tmp directory 64 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
/tmp/fileutl.message.JOJR33	/tmp/fileutl.message.JOJR33	apt-get
/tmp/apt.data.9zIadu	/tmp/apt.data.9zIadu	gpgv
/tmp/fileutl.message.59Lfch	/tmp/fileutl.message.59Lfch	apt-get
/tmp/apt.conf.rGINf0	/tmp/apt.conf.rGINf0	apt-config
/tmp/	/tmp/	run.sh
/tmp/apt.conf.7He0Xl	/tmp/apt.conf.7He0Xl	apt-config
/tmp/apt-key-gpghome.iyC3X6i1vW/pubring.gpg	/tmp/apt-key-gpghome.iyC3X6i1vW/pubring.gpg	gpgv
/tmp/apt-key-gpghome.d2bwiCAUG9/gpg.1.sh	/tmp/apt-key-gpghome.d2bwiCAUG9/gpg.1.sh	rm
/tmp/apt-key-gpghome.FK5C2Vq5ah/pubring.gpg	/tmp/apt-key-gpghome.FK5C2Vq5ah/pubring.gpg	rm
/tmp/apt.conf.KES3VI	/tmp/apt.conf.KES3VI	apt-config
/tmp/apt.data.VfUbKq	/tmp/apt.data.VfUbKq	Process not Found
/tmp/apt-key-gpghome.FK5C2Vq5ah/pubring.gpg	/tmp/apt-key-gpghome.FK5C2Vq5ah/pubring.gpg	touch
/tmp/apt.conf.hJphW7	/tmp/apt.conf.hJphW7	apt-config
/tmp/apt.conf.rGINf0	/tmp/apt.conf.rGINf0	apt-config
/tmp/apt.conf.rGINf0	/tmp/apt.conf.rGINf0	apt-config
/tmp/apt-key-gpghome.Xp4PC2pycL/pubring.gpg	/tmp/apt-key-gpghome.Xp4PC2pycL/pubring.gpg	rm
/tmp/apt.conf.7He0Xl	/tmp/apt.conf.7He0Xl	apt-config
/tmp/apt.sig.CdcWkT	/tmp/apt.sig.CdcWkT	Process not Found
/tmp/apt-key-gpghome.FK5C2Vq5ah/pubring.gpg	/tmp/apt-key-gpghome.FK5C2Vq5ah/pubring.gpg	gpgv
/tmp/apt.data.K3DOJ3	/tmp/apt.data.K3DOJ3	gpgv
/tmp/apt-key-gpghome.FK5C2Vq5ah/pubring.gpg	/tmp/apt-key-gpghome.FK5C2Vq5ah/pubring.gpg	rm
/tmp/apt.conf.hJphW7	/tmp/apt.conf.hJphW7	apt-config
/tmp/apt-key-gpghome.Xp4PC2pycL/pubring.gpg	/tmp/apt-key-gpghome.Xp4PC2pycL/pubring.gpg	touch
/tmp/apt-key-gpghome.iyC3X6i1vW/pubring.gpg	/tmp/apt-key-gpghome.iyC3X6i1vW/pubring.gpg	touch
/tmp/apt.conf.rGINf0	/tmp/apt.conf.rGINf0	apt-config
/tmp/systemd-private-ac1e6a06763947c182fe05199fb1756d-systemd-resolved.service-3vbPcN	/tmp/systemd-private-ac1e6a06763947c182fe05199fb1756d-systemd-resolved.service-3vbPcN	rm
/tmp/apt.sig.O7HYxv	/tmp/apt.sig.O7HYxv	Process not Found
/tmp/apt-key-gpghome.d2bwiCAUG9/gpg.1.sh	/tmp/apt-key-gpghome.d2bwiCAUG9/gpg.1.sh	apt-key
/tmp/apt-key-gpghome.FK5C2Vq5ah/gpg.1.sh	/tmp/apt-key-gpghome.FK5C2Vq5ah/gpg.1.sh	apt-key
/tmp/apt-key-gpghome.FK5C2Vq5ah/pubring.orig.gpg	/tmp/apt-key-gpghome.FK5C2Vq5ah/pubring.orig.gpg	rm
/tmp/apt-key-gpghome.iyC3X6i1vW/pubring.gpg	/tmp/apt-key-gpghome.iyC3X6i1vW/pubring.gpg	rm
/tmp/apt.conf.rGINf0	/tmp/apt.conf.rGINf0	apt-config
/tmp/apt.conf.rGINf0	/tmp/apt.conf.rGINf0	apt-config
/tmp/apt-key-gpghome.Xp4PC2pycL/pubring.orig.gpg	/tmp/apt-key-gpghome.Xp4PC2pycL/pubring.orig.gpg	cp
/tmp/apt.conf.7He0Xl	/tmp/apt.conf.7He0Xl	Process not Found
/tmp/apt-key-gpghome.d2bwiCAUG9/pubring.orig.gpg	/tmp/apt-key-gpghome.d2bwiCAUG9/pubring.orig.gpg	cp
/tmp/apt.data.7Qc87E	/tmp/apt.data.7Qc87E	gpgv
/tmp/apt.sig.KNZI4i	/tmp/apt.sig.KNZI4i	Process not Found
/tmp/apt.conf.hJphW7	/tmp/apt.conf.hJphW7	apt-config
/tmp/apt.sig.tYGZud	/tmp/apt.sig.tYGZud	Process not Found
/tmp/apt-key-gpghome.d2bwiCAUG9/pubring.gpg	/tmp/apt-key-gpghome.d2bwiCAUG9/pubring.gpg	cp
/tmp/apt-key-gpghome.d2bwiCAUG9/pubring.gpg	/tmp/apt-key-gpghome.d2bwiCAUG9/pubring.gpg	gpgv
/tmp/apt.sig.CdcWkT	/tmp/apt.sig.CdcWkT	gpgv
/tmp/apt-key-gpghome.FK5C2Vq5ah	/tmp/apt-key-gpghome.FK5C2Vq5ah	rm
/tmp/apt.conf.rGINf0	/tmp/apt.conf.rGINf0	apt-config
/tmp/apt.sig.KNZI4i	/tmp/apt.sig.KNZI4i	gpgv
/tmp/apt-key-gpghome.iyC3X6i1vW	/tmp/apt-key-gpghome.iyC3X6i1vW	rm
/tmp/run.sh	/tmp/run.sh	rm
/tmp/systemd-private-ac1e6a06763947c182fe05199fb1756d-systemd-timesyncd.service-thgPxt	/tmp/systemd-private-ac1e6a06763947c182fe05199fb1756d-systemd-timesyncd.service-thgPxt	rm
/tmp/sh-thd.vIi3dW	/tmp/sh-thd.vIi3dW	Process not Found
/tmp/apt.conf.7He0Xl	/tmp/apt.conf.7He0Xl	apt-config
/tmp/apt.conf.hJphW7	/tmp/apt.conf.hJphW7	Process not Found
/tmp/apt.conf.hJphW7	/tmp/apt.conf.hJphW7	apt-config
/tmp/apt-key-gpghome.iyC3X6i1vW/pubring.gpg	/tmp/apt-key-gpghome.iyC3X6i1vW/pubring.gpg	rm
/tmp/apt.conf.rGINf0	/tmp/apt.conf.rGINf0	Process not Found
/tmp/apt.data.9zIadu	/tmp/apt.data.9zIadu	Process not Found
/tmp/apt.conf.hJphW7	/tmp/apt.conf.hJphW7	apt-config
/tmp/run.sh	/tmp/run.sh	run.sh
/tmp/apt.data.7Qc87E	/tmp/apt.data.7Qc87E	Process not Found
/tmp/apt.conf.7He0Xl	/tmp/apt.conf.7He0Xl	apt-config
/tmp/apt-key-gpghome.d2bwiCAUG9/pubring.gpg	/tmp/apt-key-gpghome.d2bwiCAUG9/pubring.gpg	rm
/tmp/apt.data.K3DOJ3	/tmp/apt.data.K3DOJ3	Process not Found
/tmp/apt.conf.KES3VI	/tmp/apt.conf.KES3VI	apt-config
/tmp/apt-key-gpghome.iyC3X6i1vW/pubring.gpg	/tmp/apt-key-gpghome.iyC3X6i1vW/pubring.gpg	apt-key

/tmp/run.sh
/tmp/run.sh
1⤵
- Deletes system logs
- Writes DNS configuration
- Writes file to tmp directory
PID:577
- /bin/sleep
  sleep 1
  2⤵
  PID:578
- /usr/bin/find
  find /tmp/ -maxdepth 1 -name .mxff0 -type f -mmin +60 -delete
  2⤵
  PID:583
- /usr/bin/crontab
  crontab -r
  2⤵
  PID:585
- /bin/rm
  rm -rf /var/spool/cron
  2⤵
  - Creates/modifies Cron job
  PID:586
- /bin/grep
  grep -q 8.8.8.8 /etc/resolv.conf
  2⤵
  - Writes DNS configuration
  PID:587
- /bin/rm
  rm -rf /tmp/run.sh /tmp/systemd-private-ac1e6a06763947c182fe05199fb1756d-systemd-resolved.service-3vbPcN /tmp/systemd-private-ac1e6a06763947c182fe05199fb1756d-systemd-timesyncd.service-thgPxt
  2⤵
  - Writes file to tmp directory
  PID:588
- /bin/rm
  rm -rf /var/tmp/systemd-private-ac1e6a06763947c182fe05199fb1756d-systemd-resolved.service-ERRM2W /var/tmp/systemd-private-ac1e6a06763947c182fe05199fb1756d-systemd-timesyncd.service-wK0RmD
  2⤵
  PID:589
- /bin/rm
  rm -rf /etc/root.sh
  2⤵
  PID:590
- /bin/sync
  sync
  2⤵
  PID:591
- /bin/cat
  cat
  2⤵
  PID:592
- /sbin/iptables
  iptables -I INPUT 1 -p tcp --dport 6379 -j DROP
  2⤵
  PID:593
- /sbin/iptables
  iptables -I INPUT 1 -p tcp --dport 6379 -s 127.0.0.1 -j ACCEPT
  2⤵
  PID:598
- /bin/ps
  ps xf
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:599
- /bin/grep
  grep -v grep
  2⤵
  PID:600
- /bin/grep
  grep "redis-server\\|nicehash\\|linuxs\\|linuxl\\|crawler.weibo\\|243/44444\\|cryptonight\\|stratum\\|gpg-daemon\\|jobs.flu.cc\\|nmap\\|cranberry\\|start.sh\\|watch.sh\\|krun.sh\\|killTop.sh\\|cpuminer\\|/60009\\|ssh_deny.sh\\|clean.sh\\|\\./over\\|mrx1\\|redisscan\\|ebscan\\|redis-cli\\|barad_agent\\|\\.sr0\\|clay\\|udevs\\|\\.sshd\\|/tmp/init"
  2⤵
  PID:601
- /bin/rm
  rm -rf "/tmp/*"
  2⤵
  PID:603
- /bin/rm
  rm -rf "/var/tmp/*"
  2⤵
  PID:604
- /bin/cat
  cat /etc/lsb-release /etc/os-release
  2⤵
  PID:605
- /bin/grep
  grep -i CentOS
  2⤵
  PID:606
- /bin/cat
  cat /etc/lsb-release /etc/os-release
  2⤵
  PID:607
- /bin/grep
  grep -qi Red
  2⤵
  PID:608
- /bin/cat
  cat /etc/lsb-release /etc/os-release
  2⤵
  PID:609
- /bin/grep
  grep -qi Fedora
  2⤵
  PID:610
- /bin/cat
  cat /etc/lsb-release /etc/os-release
  2⤵
  PID:611
- /bin/grep
  grep -qi Ubuntu
  2⤵
  PID:612
- /bin/rm
  rm -rf /var/lib/apt/lists/auxfiles /var/lib/apt/lists/lock /var/lib/apt/lists/nl.archive.ubuntu.com_ubuntu_dists_bionic-backports_InRelease /var/lib/apt/lists/nl.archive.ubuntu.com_ubuntu_dists_bionic-backports_main_binary-amd64_Packages /var/lib/apt/lists/nl.archive.ubuntu.com_ubuntu_dists_bionic-backports_main_binary-i386_Packages /var/lib/apt/lists/nl.archive.ubuntu.com_ubuntu_dists_bionic-backports_main_i18n_Translation-en /var/lib/apt/lists/nl.archive.ubuntu.com_ubuntu_dists_bionic-backports_universe_binary-amd64_Packages /var/lib/apt/lists/nl.archive.ubuntu.com_ubuntu_dists_bionic-backports_universe_binary-i386_Packages /var/lib/apt/lists/nl.archive.ubuntu.com_ubuntu_dists_bionic-backports_universe_i18n_Translation-en /var/lib/apt/lists/nl.archive.ubuntu.com_ubuntu_dists_bionic_InRelease /var/lib/apt/lists/nl.archive.ubuntu.com_ubuntu_dists_bionic_main_binary-amd64_Packages /var/lib/apt/lists/nl.archive.ubuntu.com_ubuntu_dists_bionic_main_binary-i386_Packages /var/lib/apt/lists/nl.archive.ubuntu.com_ubuntu_dists_bionic_main_i18n_Translation-en /var/lib/apt/lists/nl.archive.ubuntu.com_ubuntu_dists_bionic_multiverse_binary-amd64_Packages /var/lib/apt/lists/nl.archive.ubuntu.com_ubuntu_dists_bionic_multiverse_binary-i386_Packages /var/lib/apt/lists/nl.archive.ubuntu.com_ubuntu_dists_bionic_multiverse_i18n_Translation-en /var/lib/apt/lists/nl.archive.ubuntu.com_ubuntu_dists_bionic_restricted_binary-amd64_Packages /var/lib/apt/lists/nl.archive.ubuntu.com_ubuntu_dists_bionic_restricted_binary-i386_Packages /var/lib/apt/lists/nl.archive.ubuntu.com_ubuntu_dists_bionic_restricted_i18n_Translation-en /var/lib/apt/lists/nl.archive.ubuntu.com_ubuntu_dists_bionic_universe_binary-amd64_Packages /var/lib/apt/lists/nl.archive.ubuntu.com_ubuntu_dists_bionic_universe_binary-i386_Packages /var/lib/apt/lists/nl.archive.ubuntu.com_ubuntu_dists_bionic_universe_i18n_Translation-en /var/lib/apt/lists/nl.archive.ubuntu.com_ubuntu_dists_bionic-updates_InRelease /var/lib/apt/lists/nl.archive.ubuntu.com_ubuntu_dists_bionic-updates_main_binary-amd64_Packages /var/lib/apt/lists/nl.archive.ubuntu.com_ubuntu_dists_bionic-updates_main_binary-i386_Packages /var/lib/apt/lists/nl.archive.ubuntu.com_ubuntu_dists_bionic-updates_main_i18n_Translation-en /var/lib/apt/lists/nl.archive.ubuntu.com_ubuntu_dists_bionic-updates_multiverse_binary-amd64_Packages /var/lib/apt/lists/nl.archive.ubuntu.com_ubuntu_dists_bionic-updates_multiverse_binary-i386_Packages /var/lib/apt/lists/nl.archive.ubuntu.com_ubuntu_dists_bionic-updates_multiverse_i18n_Translation-en /var/lib/apt/lists/nl.archive.ubuntu.com_ubuntu_dists_bionic-updates_restricted_binary-amd64_Packages /var/lib/apt/lists/nl.archive.ubuntu.com_ubuntu_dists_bionic-updates_restricted_binary-i386_Packages /var/lib/apt/lists/nl.archive.ubuntu.com_ubuntu_dists_bionic-updates_restricted_i18n_Translation-en /var/lib/apt/lists/nl.archive.ubuntu.com_ubuntu_dists_bionic-updates_universe_binary-amd64_Packages /var/lib/apt/lists/nl.archive.ubuntu.com_ubuntu_dists_bionic-updates_universe_binary-i386_Packages /var/lib/apt/lists/nl.archive.ubuntu.com_ubuntu_dists_bionic-updates_universe_i18n_Translation-en /var/lib/apt/lists/partial /var/lib/apt/lists/security.ubuntu.com_ubuntu_dists_bionic-security_InRelease /var/lib/apt/lists/security.ubuntu.com_ubuntu_dists_bionic-security_main_binary-amd64_Packages /var/lib/apt/lists/security.ubuntu.com_ubuntu_dists_bionic-security_main_binary-i386_Packages /var/lib/apt/lists/security.ubuntu.com_ubuntu_dists_bionic-security_main_i18n_Translation-en /var/lib/apt/lists/security.ubuntu.com_ubuntu_dists_bionic-security_multiverse_binary-amd64_Packages /var/lib/apt/lists/security.ubuntu.com_ubuntu_dists_bionic-security_multiverse_binary-i386_Packages /var/lib/apt/lists/security.ubuntu.com_ubuntu_dists_bionic-security_multiverse_i18n_Translation-en /var/lib/apt/lists/security.ubuntu.com_ubuntu_dists_bionic-security_restricted_binary-amd64_Packages /var/lib/apt/lists/security.ubuntu.com_ubuntu_dists_bionic-security_restricted_binary-i386_Packages /var/lib/apt/lists/security.ubuntu.com_ubuntu_dists_bionic-security_restricted_i18n_Translation-en /var/lib/apt/lists/security.ubuntu.com_ubuntu_dists_bionic-security_universe_binary-amd64_Packages /var/lib/apt/lists/security.ubuntu.com_ubuntu_dists_bionic-security_universe_binary-i386_Packages /var/lib/apt/lists/security.ubuntu.com_ubuntu_dists_bionic-security_universe_i18n_Translation-en
  2⤵
  PID:613
- /usr/bin/apt-get
  apt-get update -q --fix-missing
  2⤵
  - Writes file to tmp directory
  PID:614
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    PID:615
- - /usr/lib/apt/methods/http
    /usr/lib/apt/methods/http
    3⤵
    PID:616
- - /usr/lib/apt/methods/http
    /usr/lib/apt/methods/http
    3⤵
    - Modifies hosts file
    - Writes DNS configuration
    PID:617
- - /usr/lib/apt/methods/http
    /usr/lib/apt/methods/http
    3⤵
    - Modifies hosts file
    - Writes DNS configuration
    PID:618
- - /usr/lib/apt/methods/gpgv
    /usr/lib/apt/methods/gpgv
    3⤵
    PID:619
- - /usr/lib/apt/methods/gpgv
    /usr/lib/apt/methods/gpgv
    3⤵
    PID:620
- - /usr/lib/apt/methods/store
    /usr/lib/apt/methods/store
    3⤵
    PID:739
- - /usr/lib/apt/methods/store
    /usr/lib/apt/methods/store
    3⤵
    PID:742

/usr/bin/apt-key
/usr/bin/apt-key --quiet --readonly verify --status-fd 3 /tmp/apt.sig.O7HYxv /tmp/apt.data.7Qc87E
1⤵
- Write file to user bin folder
- Writes file to tmp directory
PID:622
- /usr/bin/apt-config
  apt-config shell MASTER_KEYRING APT::Key::MasterKeyring
  2⤵
  - Writes file to tmp directory
  PID:624
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    PID:625
- /usr/bin/apt-config
  apt-config shell ARCHIVE_KEYRING APT::Key::ArchiveKeyring
  2⤵
  PID:626
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    PID:627
- /usr/bin/apt-config
  apt-config shell REMOVED_KEYS APT::Key::RemovedKeys
  2⤵
  PID:628
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:629
- /usr/bin/apt-config
  apt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI
  2⤵
  - Writes file to tmp directory
  PID:630
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    PID:631
- /usr/bin/apt-config
  apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring
  2⤵
  - Writes file to tmp directory
  PID:632
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:633
- /usr/bin/apt-config
  apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f
  2⤵
  PID:634
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:635
- /usr/bin/apt-config
  apt-config shell GPGV Apt::Key::gpgvcommand
  2⤵
  PID:637
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    PID:638
- /bin/mktemp
  mktemp --directory --tmpdir apt-key-gpghome.XXXXXXXXXX
  2⤵
  PID:639
- /bin/chmod
  chmod 700 /tmp/apt-key-gpghome.d2bwiCAUG9
  2⤵
  PID:640
- /bin/readlink
  readlink -f /tmp/apt-key-gpghome.d2bwiCAUG9
  2⤵
  PID:641
- /bin/rm
  rm -f /tmp/apt-key-gpghome.d2bwiCAUG9/pubring.gpg
  2⤵
  PID:642
- /usr/bin/touch
  touch /tmp/apt-key-gpghome.d2bwiCAUG9/pubring.gpg
  2⤵
  PID:643
- /usr/bin/apt-config
  apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d
  2⤵
  - Writes file to tmp directory
  PID:644
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    PID:645
- /bin/readlink
  readlink -f /etc/apt/trusted.gpg.d/
  2⤵
  PID:646
- /usr/bin/find
  find /etc/apt/trusted.gpg.d -mindepth 1 -maxdepth 1 "(" -name "*.gpg" -o -name "*.asc" ")"
  2⤵
  PID:647
- /usr/bin/cmp
  cmp --silent "--bytes=1" - /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
  2⤵
  PID:652
- /bin/cat
  cat /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
  2⤵
  PID:654
- /usr/bin/cmp
  cmp --silent "--bytes=1" - /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
  2⤵
  PID:656
- /bin/cat
  cat /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
  2⤵
  PID:658
- /usr/bin/cmp
  cmp --silent "--bytes=1" - /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
  2⤵
  PID:660
- /bin/cat
  cat /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
  2⤵
  PID:662
- /bin/cp
  cp -a /tmp/apt-key-gpghome.d2bwiCAUG9/pubring.gpg /tmp/apt-key-gpghome.d2bwiCAUG9/pubring.orig.gpg
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:663
- /usr/bin/gpgv
  gpgv --homedir /tmp/apt-key-gpghome.d2bwiCAUG9 --keyring /tmp/apt-key-gpghome.d2bwiCAUG9/pubring.gpg --ignore-time-conflict --status-fd 3 /tmp/apt.sig.O7HYxv /tmp/apt.data.7Qc87E
  2⤵
  - Writes file to tmp directory
  PID:670
- /usr/bin/gpgconf
  gpgconf --kill all
  2⤵
  PID:671
- - /usr/bin/gpg-connect-agent
    gpg-connect-agent --no-autostart KILLAGENT
    3⤵
    PID:672
- - /usr/bin/gpg-connect-agent
    gpg-connect-agent -s --no-autostart "GETINFO scd_running" "/if \${! \$?}" "scd killscd" /end
    3⤵
    PID:673
- - /usr/bin/gpg-connect-agent
    gpg-connect-agent --no-autostart --dirmngr KILLDIRMNGR
    3⤵
    PID:674
- /bin/rm
  rm -rf /tmp/apt-key-gpghome.d2bwiCAUG9
  2⤵
  - Writes file to tmp directory
  PID:675

/usr/bin/sort
sort
1⤵
PID:650

/bin/sed
sed -e "s#'#'\"'\"'#g"
1⤵
PID:666

/bin/sed
sed -e "s#'#'\"'\"'#g"
1⤵
PID:669

/usr/bin/apt-key
/usr/bin/apt-key --quiet --readonly verify --status-fd 3 /tmp/apt.sig.CdcWkT /tmp/apt.data.K3DOJ3
1⤵
- Write file to user bin folder
- Writes file to tmp directory
PID:677
- /usr/bin/apt-config
  apt-config shell MASTER_KEYRING APT::Key::MasterKeyring
  2⤵
  PID:679
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    PID:680
- /usr/bin/apt-config
  apt-config shell ARCHIVE_KEYRING APT::Key::ArchiveKeyring
  2⤵
  PID:681
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    PID:682
- /usr/bin/apt-config
  apt-config shell REMOVED_KEYS APT::Key::RemovedKeys
  2⤵
  PID:683
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    PID:684
- /usr/bin/apt-config
  apt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI
  2⤵
  PID:685
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    PID:686
- /usr/bin/apt-config
  apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring
  2⤵
  PID:687
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    PID:688
- /usr/bin/apt-config
  apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f
  2⤵
  - Writes file to tmp directory
  PID:689
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    PID:690
- /usr/bin/apt-config
  apt-config shell GPGV Apt::Key::gpgvcommand
  2⤵
  PID:692
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:693
- /bin/mktemp
  mktemp --directory --tmpdir apt-key-gpghome.XXXXXXXXXX
  2⤵
  PID:694
- /bin/chmod
  chmod 700 /tmp/apt-key-gpghome.FK5C2Vq5ah
  2⤵
  PID:695
- /bin/readlink
  readlink -f /tmp/apt-key-gpghome.FK5C2Vq5ah
  2⤵
  PID:696
- /bin/rm
  rm -f /tmp/apt-key-gpghome.FK5C2Vq5ah/pubring.gpg
  2⤵
  - Writes file to tmp directory
  PID:697
- /usr/bin/touch
  touch /tmp/apt-key-gpghome.FK5C2Vq5ah/pubring.gpg
  2⤵
  - Writes file to tmp directory
  PID:698
- /usr/bin/apt-config
  apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d
  2⤵
  - Writes file to tmp directory
  PID:699
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    PID:700
- /bin/readlink
  readlink -f /etc/apt/trusted.gpg.d/
  2⤵
  PID:701
- /usr/bin/find
  find /etc/apt/trusted.gpg.d -mindepth 1 -maxdepth 1 "(" -name "*.gpg" -o -name "*.asc" ")"
  2⤵
  - Reads runtime system information
  PID:702
- /usr/bin/cmp
  cmp --silent "--bytes=1" - /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
  2⤵
  PID:707
- /bin/cat
  cat /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
  2⤵
  PID:709
- /usr/bin/cmp
  cmp --silent "--bytes=1" - /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
  2⤵
  PID:711
- /bin/cat
  cat /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
  2⤵
  PID:713
- /usr/bin/cmp
  cmp --silent "--bytes=1" - /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
  2⤵
  PID:715
- /bin/cat
  cat /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
  2⤵
  PID:717
- /bin/cp
  cp -a /tmp/apt-key-gpghome.FK5C2Vq5ah/pubring.gpg /tmp/apt-key-gpghome.FK5C2Vq5ah/pubring.orig.gpg
  2⤵
  PID:718
- /usr/bin/gpgv
  gpgv --homedir /tmp/apt-key-gpghome.FK5C2Vq5ah --keyring /tmp/apt-key-gpghome.FK5C2Vq5ah/pubring.gpg --ignore-time-conflict --status-fd 3 /tmp/apt.sig.CdcWkT /tmp/apt.data.K3DOJ3
  2⤵
  - Writes file to tmp directory
  PID:725
- /usr/bin/gpgconf
  gpgconf --kill all
  2⤵
  PID:726
- - /usr/bin/gpg-connect-agent
    gpg-connect-agent --no-autostart KILLAGENT
    3⤵
    PID:727
- - /usr/bin/gpg-connect-agent
    gpg-connect-agent -s --no-autostart "GETINFO scd_running" "/if \${! \$?}" "scd killscd" /end
    3⤵
    PID:728
- - /usr/bin/gpg-connect-agent
    gpg-connect-agent --no-autostart --dirmngr KILLDIRMNGR
    3⤵
    PID:729
- /bin/rm
  rm -rf /tmp/apt-key-gpghome.FK5C2Vq5ah
  2⤵
  - Writes file to tmp directory
  PID:730

/usr/bin/sort
sort
1⤵
PID:705

/bin/sed
sed -e "s#'#'\"'\"'#g"
1⤵
PID:721

/bin/sed
sed -e "s#'#'\"'\"'#g"
1⤵
PID:724

/usr/bin/apt-key
/usr/bin/apt-key --quiet --readonly verify --status-fd 3 /tmp/apt.sig.KNZI4i /tmp/apt.data.9zIadu
1⤵
- Write file to user bin folder
- Writes file to tmp directory
PID:732
- /usr/bin/apt-config
  apt-config shell MASTER_KEYRING APT::Key::MasterKeyring
  2⤵
  - Writes file to tmp directory
  PID:734
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    PID:735
- /usr/bin/apt-config
  apt-config shell ARCHIVE_KEYRING APT::Key::ArchiveKeyring
  2⤵
  PID:736
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:737
- /usr/bin/apt-config
  apt-config shell REMOVED_KEYS APT::Key::RemovedKeys
  2⤵
  PID:738
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    PID:740
- /usr/bin/apt-config
  apt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI
  2⤵
  - Writes file to tmp directory
  PID:741
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    PID:743
- /usr/bin/apt-config
  apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring
  2⤵
  PID:744
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    PID:745
- /usr/bin/apt-config
  apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f
  2⤵
  - Writes file to tmp directory
  PID:746
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    PID:747
- /usr/bin/apt-config
  apt-config shell GPGV Apt::Key::gpgvcommand
  2⤵
  - Writes file to tmp directory
  PID:749
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:750
- /bin/mktemp
  mktemp --directory --tmpdir apt-key-gpghome.XXXXXXXXXX
  2⤵
  PID:751
- /bin/chmod
  chmod 700 /tmp/apt-key-gpghome.iyC3X6i1vW
  2⤵
  PID:752
- /bin/readlink
  readlink -f /tmp/apt-key-gpghome.iyC3X6i1vW
  2⤵
  PID:753
- /bin/rm
  rm -f /tmp/apt-key-gpghome.iyC3X6i1vW/pubring.gpg
  2⤵
  - Writes file to tmp directory
  PID:754
- /usr/bin/touch
  touch /tmp/apt-key-gpghome.iyC3X6i1vW/pubring.gpg
  2⤵
  - Writes file to tmp directory
  PID:755
- /usr/bin/apt-config
  apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d
  2⤵
  - Writes file to tmp directory
  PID:756
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:757
- /bin/readlink
  readlink -f /etc/apt/trusted.gpg.d/
  2⤵
  PID:758
- /usr/bin/find
  find /etc/apt/trusted.gpg.d -mindepth 1 -maxdepth 1 "(" -name "*.gpg" -o -name "*.asc" ")"
  2⤵
  PID:759
- /usr/bin/cmp
  cmp --silent "--bytes=1" - /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
  2⤵
  PID:764
- /bin/cat
  cat /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
  2⤵
  PID:766
- /usr/bin/cmp
  cmp --silent "--bytes=1" - /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
  2⤵
  PID:768
- /bin/cat
  cat /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
  2⤵
  PID:770
- /usr/bin/cmp
  cmp --silent "--bytes=1" - /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
  2⤵
  PID:772
- /bin/cat
  cat /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
  2⤵
  PID:774
- /bin/cp
  cp -a /tmp/apt-key-gpghome.iyC3X6i1vW/pubring.gpg /tmp/apt-key-gpghome.iyC3X6i1vW/pubring.orig.gpg
  2⤵
  PID:775
- /usr/bin/gpgv
  gpgv --homedir /tmp/apt-key-gpghome.iyC3X6i1vW --keyring /tmp/apt-key-gpghome.iyC3X6i1vW/pubring.gpg --ignore-time-conflict --status-fd 3 /tmp/apt.sig.KNZI4i /tmp/apt.data.9zIadu
  2⤵
  - Writes file to tmp directory
  PID:782
- /usr/bin/gpgconf
  gpgconf --kill all
  2⤵
  PID:783
- - /usr/bin/gpg-connect-agent
    gpg-connect-agent --no-autostart KILLAGENT
    3⤵
    PID:784
- - /usr/bin/gpg-connect-agent
    gpg-connect-agent -s --no-autostart "GETINFO scd_running" "/if \${! \$?}" "scd killscd" /end
    3⤵
    PID:785
- - /usr/bin/gpg-connect-agent
    gpg-connect-agent --no-autostart --dirmngr KILLDIRMNGR
    3⤵
    PID:786
- /bin/rm
  rm -rf /tmp/apt-key-gpghome.iyC3X6i1vW
  2⤵
  - Writes file to tmp directory
  PID:787

/usr/bin/sort
sort
1⤵
PID:762

/bin/sed
sed -e "s#'#'\"'\"'#g"
1⤵
PID:778

/bin/sed
sed -e "s#'#'\"'\"'#g"
1⤵
- Reads runtime system information
PID:781

/usr/bin/apt-key
/usr/bin/apt-key --quiet --readonly verify --status-fd 3 /tmp/apt.sig.tYGZud /tmp/apt.data.VfUbKq
1⤵
- Write file to user bin folder
PID:789
- /usr/bin/apt-config
  apt-config shell MASTER_KEYRING APT::Key::MasterKeyring
  2⤵
  - Writes file to tmp directory
  PID:791
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    PID:792
- /usr/bin/apt-config
  apt-config shell ARCHIVE_KEYRING APT::Key::ArchiveKeyring
  2⤵
  PID:793
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:794
- /usr/bin/apt-config
  apt-config shell REMOVED_KEYS APT::Key::RemovedKeys
  2⤵
  - Writes file to tmp directory
  PID:795
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    PID:796
- /usr/bin/apt-config
  apt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI
  2⤵
  - Writes file to tmp directory
  PID:797
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    PID:798
- /usr/bin/apt-config
  apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring
  2⤵
  - Writes file to tmp directory
  PID:799
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    PID:800
- /usr/bin/apt-config
  apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f
  2⤵
  - Writes file to tmp directory
  PID:801
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    PID:802
- /usr/bin/apt-config
  apt-config shell GPGV Apt::Key::gpgvcommand
  2⤵
  - Writes file to tmp directory
  PID:804
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    PID:805
- /bin/mktemp
  mktemp --directory --tmpdir apt-key-gpghome.XXXXXXXXXX
  2⤵
  PID:806
- /bin/chmod
  chmod 700 /tmp/apt-key-gpghome.Xp4PC2pycL
  2⤵
  PID:807
- /bin/readlink
  readlink -f /tmp/apt-key-gpghome.Xp4PC2pycL
  2⤵
  PID:808
- /bin/rm
  rm -f /tmp/apt-key-gpghome.Xp4PC2pycL/pubring.gpg
  2⤵
  - Writes file to tmp directory
  PID:809
- /usr/bin/touch
  touch /tmp/apt-key-gpghome.Xp4PC2pycL/pubring.gpg
  2⤵
  - Writes file to tmp directory
  PID:810
- /usr/bin/apt-config
  apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d
  2⤵
  - Writes file to tmp directory
  PID:811
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    PID:812
- /bin/readlink
  readlink -f /etc/apt/trusted.gpg.d/
  2⤵
  PID:813
- /usr/bin/find
  find /etc/apt/trusted.gpg.d -mindepth 1 -maxdepth 1 "(" -name "*.gpg" -o -name "*.asc" ")"
  2⤵
  PID:814
- /usr/bin/cmp
  cmp --silent "--bytes=1" - /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
  2⤵
  PID:819
- /bin/cat
  cat /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
  2⤵
  PID:821
- /usr/bin/cmp
  cmp --silent "--bytes=1" - /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
  2⤵
  PID:823
- /bin/cat
  cat /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
  2⤵
  PID:825
- /usr/bin/cmp
  cmp --silent "--bytes=1" - /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
  2⤵
  PID:827
- /bin/cat
  cat /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
  2⤵
  PID:829
- /bin/cp
  cp -a /tmp/apt-key-gpghome.Xp4PC2pycL/pubring.gpg /tmp/apt-key-gpghome.Xp4PC2pycL/pubring.orig.gpg
  2⤵
  - Writes file to tmp directory
  PID:830