70766f30eea4ba5c5fa75fff207b707bef8681e24b48fd9aa7f4bbe340602b91

Analysis

max time kernel
29s
max time network
16s
platform
debian-9_armhf
resource
debian9-armhf-20231215-en
resource tags

arch:armhfimage:debian9-armhf-20231215-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
07-02-2024 01:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e27b76b3903312cc5e93f250d7cf90b7b999592d70dcf2922bb450023014006.sh
Size

35KB
MD5

2550990d2d52581b213e7c9305c392d3
SHA1

f7f069915c9b97550dc1fb6cf631f6222416dcf5
SHA256

8e27b76b3903312cc5e93f250d7cf90b7b999592d70dcf2922bb450023014006
SHA512

a30d4a39203e6a98937e8670b7b3caaa63d2141fdf404bb28ca240d95cb7420bdfb8c695db81cc9c799e8818266600c137b8b0df2dfc69d7566bae64eee2ad50
SSDEEP

768:X87XzQ5VFNcDAFLcIwgnoYq0xFB6ytguz:X3VF+D6cIwgos/z

Score

7^/10

evasion

Malware Config

Signatures

Deletes system logs 1 TTPs 1 IoCs
Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.
evasion

Indicator Removal
T1070

Processes:

rm

description ioc process

File deleted /var/log/syslog rm
Flushes firewall rules 1 IoCs
Flushes/ disables firewall rules inside the Linux kernel.

Processes:

iptables

pid process

683 iptables
Attempts to change immutable files 6 IoCs
Modifies inode attributes on the filesystem to allow changing of immutable files.

Processes:

chattrchattrchattrchattrchattrchattr

pid process

681 chattr
682 chattr
701 chattr
702 chattr
677 chattr
679 chattr

description	ioc	process
File deleted	/var/log/syslog	rm

pid	process
683	iptables

pid	process
681	chattr
682	chattr
701	chattr
702	chattr
677	chattr
679	chattr

Reads CPU attributes 1 TTPs 3 IoCs

System Information Discovery

T1082

Processes:

exim4sysctlexim4

description	ioc	process
File opened for reading	/sys/devices/system/cpu/online	exim4
File opened for reading	/sys/devices/system/cpu/online	sysctl
File opened for reading	/sys/devices/system/cpu/online	exim4

Reads runtime system information 48 IoCs

Reads data from /proc virtual filesystem.

Processes:

lssudosysctluserdellslslslslssendmailuserdellslslslslslslslslslslssendmaillsls

description	ioc	process
File opened for reading	/proc/141	ls
File opened for reading	/proc/filesystems	sudo
File opened for reading	/proc/sys/kernel/osrelease	sysctl
File opened for reading	/proc/filesystems	userdel
File opened for reading	/proc/100	ls
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/13	ls
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/sys/kernel/ngroups_max	sudo
File opened for reading	/proc/filesystems	sysctl
File opened for reading	/proc/sys/kernel/ngroups_max	sendmail
File opened for reading	/proc/filesystems	userdel
File opened for reading	/proc/111	ls
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/1	ls
File opened for reading	/proc/109	ls
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/144	ls
File opened for reading	/proc/15	ls
File opened for reading	/proc/169	ls
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/11	ls
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/151	ls
File opened for reading	/proc/154	ls
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/16	ls
File opened for reading	/proc/17	ls
File opened for reading	/proc/self/fd
File opened for reading	/proc/sys/kernel/ngroups_max	sendmail
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/18	ls
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/10	ls
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/14	ls
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/self/stat	sudo
File opened for reading	/proc/112	ls
File opened for reading	/proc/12	ls

Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.

Processes:

8e27b76b3903312cc5e93f250d7cf90b7b999592d70dcf2922bb450023014006.sh

description ioc process

File opened for modification /tmp/log_rot 8e27b76b3903312cc5e93f250d7cf90b7b999592d70dcf2922bb450023014006.sh

description	ioc	process
File opened for modification	/tmp/log_rot	8e27b76b3903312cc5e93f250d7cf90b7b999592d70dcf2922bb450023014006.sh

/tmp/8e27b76b3903312cc5e93f250d7cf90b7b999592d70dcf2922bb450023014006.sh
/tmp/8e27b76b3903312cc5e93f250d7cf90b7b999592d70dcf2922bb450023014006.sh
1⤵
- Writes file to tmp directory
PID:670
- /bin/rm
  rm -rf /var/log/syslog
  2⤵
  - Deletes system logs
  PID:672
- /usr/bin/chattr
  chattr -iua /tmp/
  2⤵
  - Attempts to change immutable files
  PID:677
- /usr/bin/chattr
  chattr -iua /var/tmp/
  2⤵
  - Attempts to change immutable files
  PID:679
- /usr/bin/chattr
  chattr -R -i /var/spool/cron
  2⤵
  - Attempts to change immutable files
  PID:681
- /usr/bin/chattr
  chattr -i /etc/crontab
  2⤵
  - Attempts to change immutable files
  PID:682
- /sbin/iptables
  iptables -F
  2⤵
  - Flushes firewall rules
  PID:683
- /usr/bin/sudo
  sudo sysctl "kernel.nmi_watchdog=0"
  2⤵
  - Reads runtime system information
  PID:688
- - /sbin/sysctl
    sysctl "kernel.nmi_watchdog=0"
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:698
- /usr/sbin/userdel
  userdel akay
  2⤵
  - Reads runtime system information
  PID:699
- /usr/sbin/userdel
  userdel vfinder
  2⤵
  - Reads runtime system information
  PID:700
- /usr/bin/chattr
  chattr -iae /root/.ssh/
  2⤵
  - Attempts to change immutable files
  PID:701
- /usr/bin/chattr
  chattr -iae /root/.ssh/authorized_keys
  2⤵
  - Attempts to change immutable files
  PID:702
- /bin/rm
  rm -rf "/tmp/addres*"
  2⤵
  PID:705
- /bin/rm
  rm -rf "/tmp/walle*"
  2⤵
  PID:706
- /bin/rm
  rm -rf /tmp/keys
  2⤵
  PID:707
- /bin/grep
  grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
  2⤵
  PID:712
- /bin/grep
  grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
  2⤵
  PID:718
- /bin/grep
  grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
  2⤵
  PID:726
- /bin/grep
  grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
  2⤵
  PID:731
- /bin/grep
  grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
  2⤵
  PID:736
- /bin/grep
  grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
  2⤵
  PID:746
- /bin/grep
  grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
  2⤵
  PID:753
- /bin/grep
  grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
  2⤵
  PID:759
- /bin/grep
  grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
  2⤵
  PID:766
- /bin/grep
  grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
  2⤵
  PID:773
- /bin/grep
  grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
  2⤵
  PID:780
- /bin/grep
  grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
  2⤵
  PID:787
- /bin/grep
  grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
  2⤵
  PID:794
- /bin/grep
  grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
  2⤵
  PID:801
- /bin/grep
  grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
  2⤵
  PID:808
- /bin/grep
  grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
  2⤵
  PID:815
- /bin/grep
  grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
  2⤵
  PID:822
- /bin/grep
  grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
  2⤵
  PID:829
- /bin/grep
  grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
  2⤵
  PID:836

/usr/sbin/sendmail
sendmail -t
1⤵
- Reads runtime system information
PID:693
- /usr/sbin/exim4
  /usr/sbin/exim4 -Mc 1rXVZT-0000BB-Pe
  2⤵
  - Reads CPU attributes
  PID:703

/usr/sbin/sendmail
sendmail -t
1⤵
- Reads runtime system information
PID:696
- /usr/sbin/exim4
  /usr/sbin/exim4 -Mc 1rXVZU-0000BE-0t
  2⤵
  - Reads CPU attributes
  PID:704

/bin/ls
ls -latrh /proc/1
1⤵
- Reads runtime system information
PID:709

/bin/grep
grep exe
1⤵
PID:710

/bin/ls
ls -latrh /proc/10
1⤵
- Reads runtime system information
PID:714

/bin/grep
grep exe
1⤵
PID:715

/bin/ls
ls -latrh /proc/100
1⤵
- Reads runtime system information
PID:723

/bin/grep
grep exe
1⤵
PID:724

/bin/ls
ls -latrh /proc/109
1⤵
- Reads runtime system information
PID:728

/bin/grep
grep exe
1⤵
PID:729

/bin/ls
ls -latrh /proc/11
1⤵
- Reads runtime system information
PID:733

/bin/grep
grep exe
1⤵
PID:734

/bin/ls
ls -latrh /proc/111
1⤵
- Reads runtime system information
PID:740

/bin/grep
grep exe
1⤵
PID:741

/bin/ls
ls -latrh /proc/112
1⤵
- Reads runtime system information
PID:749

/bin/grep
grep exe
1⤵
PID:750

/bin/ls
ls -latrh /proc/12
1⤵
- Reads runtime system information
PID:756

/bin/grep
grep exe
1⤵
PID:757

/bin/ls
ls -latrh /proc/13
1⤵
- Reads runtime system information
PID:763

/bin/grep
grep exe
1⤵
PID:764

/bin/ls
ls -latrh /proc/14
1⤵
- Reads runtime system information
PID:769

/bin/grep
grep exe
1⤵
PID:770

/bin/ls
ls -latrh /proc/141
1⤵
- Reads runtime system information
PID:776

/bin/grep
grep exe
1⤵
PID:777

/bin/ls
ls -latrh /proc/144
1⤵
- Reads runtime system information
PID:783

/bin/grep
grep exe
1⤵
PID:784

/bin/ls
ls -latrh /proc/15
1⤵
- Reads runtime system information
PID:789

/bin/grep
grep exe
1⤵
PID:790

/bin/ls
ls -latrh /proc/151
1⤵
- Reads runtime system information
PID:796

/bin/grep
grep exe
1⤵
PID:797

/bin/ls
ls -latrh /proc/154
1⤵
- Reads runtime system information
PID:803

/bin/grep
grep exe
1⤵
PID:804

/bin/ls
ls -latrh /proc/16
1⤵
- Reads runtime system information
PID:810

/bin/grep
grep exe
1⤵
PID:811

/bin/ls
ls -latrh /proc/169
1⤵
- Reads runtime system information
PID:817

/bin/grep
grep exe
1⤵
PID:818

/bin/grep
grep exe
1⤵
PID:825

/bin/ls
ls -latrh /proc/17
1⤵
- Reads runtime system information
PID:824

/bin/ls
ls -latrh /proc/18
1⤵
- Reads runtime system information
PID:831

/bin/grep
grep exe
1⤵
PID:832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/log_rot

Filesize
5B

MD5
727479ef7cedf30c03459bec7d87b0f0

SHA1
2082e7f715f058acab2398d25d135cf5f4c0ce41

SHA256
29872037c9573567744ef10ed2de57864ded7554c9fa2ef03fc1244c65794ba6

SHA512
4cb59d37f8481f9bb2745f494baa0910a68aad40ac2903ef1513547e091e1e772a5f9436f789ab91fcafb75b8a28c2112ede89004be41f33c01d936b542ca6ba

Download Submit
/var/mail/user

Filesize
820B

MD5
de75dc68504aa678bbd9fe3563c405bd

SHA1
a37124e98461e2012bdcc9f23c5849bbbe91a47b

SHA256
259027781815b016d6056cf094db8ad6869cd1ab9739074e28e316cfe5addef8

SHA512
a96895b3ba784677b40689cd8eb11cf114dfd68fb510620629e39c12da98d9a90a2f8c5cd82326c329c8683043003f2d501d1e4be632fcd588b5fcf8d882761c

Download Submit
/var/mail/user

Filesize
1KB

MD5
7fde51c03b255eb651a00ac44702c8f4

SHA1
a0877bf88c90839811a7b41a134fd20d3d155882

SHA256
04bca5d9d6156f784427d36a2e9bdf82b823444fd51db0253cc6e6c9672ca089

SHA512
d70c988280829a92c9f66d3a5ca07953c0bc7ba13144d8181836ecc8ff0bb911c04b80638cfa5a0b7747c5cb2276d1042e573996d0254988da30db62a51a0fe7

Download Submit
/var/spool/exim4/input/1rXVZT-0000BB-Pe-D

Filesize
126B

MD5
c41bd19767894373fd241e93a6f9ad27

SHA1
d50e503e929d274eb581e3a2859ead264ff5f401

SHA256
b8b78813ae8e9bbd99c7a175780205ecabdb68be4fc620de9c57f583da06fd44

SHA512
2462124a95f186cd1d09a694f52e69d4f4dadc3807888e1e4c8be6ef207a90742300ac052c95b1f5d56fea415fb2cbf81f3bd0814c5303ad0141c0404d1052f1

Download Submit
/var/spool/exim4/input/1rXVZT-0000BB-Pe-J

Filesize
34B

MD5
d7d96d63d643a4ce3e408eba7dfcedc5

SHA1
c53607f95c5c57beafc1d8266646797a035f76ea

SHA256
21db3a59b2d0ce18fb250b787d6e2c85d12919f5fdf1448c8f48207c4083b159

SHA512
703a03e54776a6ad9b8adc6c475bbc91c06502618fa3b6f495b1a01a4f6f7aa6fb65dc6ba6885ddc6af961627062f1ce1e1d66688288cbd3bef7754d249fa9b3

Download Submit
/var/spool/exim4/input/1rXVZU-0000BE-0t-D

Filesize
145B

MD5
11a7a490d45ac24fe3ee7087741b5c72

SHA1
f1b1382134e7d202c16e82c6fdda6d8ea071260a

SHA256
63bd1714961cbe859e302b8683d74caa99efef9718951ddecb7a51ecd832692a

SHA512
a879e01729a5feb3529ccd0c693ab9c37fefc72b1a74e4347fe22bb7a4ea7aec50c20003499284c0310ae5d7500c97616eb36f0242fc88bd5d2b9cb2a6a1733c

Download Submit
/var/spool/exim4/input/hdr.693

Filesize
912B

MD5
ecafac76c2f085867a6c72a483bdc83f

SHA1
717cc70e275d66bba38be06cd345e516a5015b45

SHA256
d4c272b2e6c1a9b6ed77e3ea0702ccdd0a490e0975ce41af9493451c67720cd9

SHA512
899855d44312528f31134bdc0e3196a810ebd922200cbfdde4eae2bcf3a6d488ea33f39ae5f903ce2c01240ed9e2f5850f2b3216fd0d519eb7d19cc81fd5f0bc

Download Submit
/var/spool/exim4/input/hdr.696

Filesize
912B

MD5
b2b9e61e6e8cf1d6485cf7932769988d

SHA1
05a2accdad5ff4cb814af37b2681fd8eb37b4370

SHA256
085e82812132062e3b738cd5646ec38a718021e3fdb872c6727069363563641e

SHA512
985c052ab3f65c61fa38b3b6b854db654513fc0b6cfae6d1e9a3a0fcdae0b5ebd9aa9c0ed66a4a868ae8694cc1b91cb4c8f54d08ed7b20db2abdbcc90e0a0ce3

Download Submit
/var/spool/exim4/msglog/1rXVZT-0000BB-Pe

Filesize
288B

MD5
e824bd341e8791061eabbd4efe657be1

SHA1
da2d0f9bc8c2d521e52038478296258ca471efc5

SHA256
861fc55eaf55d38e2c892b1bd5d2c501578366e74e197118dc3e2835c2841c64

SHA512
bbd9d26761515a8b0506e929b654412e0ffeeef65864f26c55d0ff846aeea99ab467ff3ae72db942d2992d1307cdeba42feeabf587949a61cea98d56a35a62b6

Download Submit
/var/spool/exim4/msglog/1rXVZT-0000BB-Pe

Filesize
89B

MD5
1dcbe8766a4f6479f5c950f205bb91fd

SHA1
5bf31c54a3bd78be9f6a9f9a036aa49ddec99431

SHA256
7db79de0887216ca33cee8e29facf66a0faf9972fd298d454e3155015f1a88ad

SHA512
51617abb0483579fcf4c69dfe10087ff000478368190b990e3ccbd4af2ae9d3a6974e88fff25c545350bf95ae42cc046dc59e43c36f84fa98bd2c2fa2832caf3

Download Submit
/var/spool/exim4/msglog/1rXVZU-0000BE-0t

Filesize
288B

MD5
65a00cccaa56f7461b2c63f12040087e

SHA1
8c98375c4399fbb907982eb54b3fd8b2ff56edbc

SHA256
3c1b5986eff71566d3ddf777d354143143ce231ceaa9d3cf5a5edc7d5bb07ae1

SHA512
b48f717dfbbaf3e02101f703cc3a81e27a6f96a6e86d950f79b358de995a53f4a5da2de309eaa44023533dda47e2a55ddeeaa7966dc67b85ea871e526ab56f67

Download Submit
/var/spool/exim4/msglog/1rXVZU-0000BE-0t

Filesize
89B

MD5
5cc0ca3d18c804cd6c4a60549e58df2c

SHA1
fb0f4b4bbc7662a8918be27efe003450b18ccbb6

SHA256
38ac225d9bb98eb6d065bbbe42f3322f42617bdea042965b27cc3bd237a9d712

SHA512
4b0dbc5718a319d829db5c92d1ae5d76ab9655fb49b30960a6926a3cd811a14bdc59119d811eeb0b4a9d4350b7d3828ae0b67baeb7ef28191ad19a65c66dc957

Download Submit
memory/714-1-0xb6bdd000-0xb6bee044-memory.dmp

Download
memory/733-2-0xb6b7e000-0xb6b8f044-memory.dmp

Download
memory/810-3-0xb6bf6000-0xb6c07044-memory.dmp

Download
memory/825-4-0xb6b7f000-0xb6b90044-memory.dmp

Download