b838a3143cb4b4c6b105b1e2ea4b72525ade567995902a2ed65cf613535615c3

Analysis

max time kernel
13s
max time network
4s
platform
debian-9_armhf
resource
debian9-armhf-20240226-en
resource tags

arch:armhfimage:debian9-armhf-20240226-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
01-05-2024 06:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b363f246f77dd55699e7d67063c957a_JaffaCakes118
Size

28KB
MD5

0b363f246f77dd55699e7d67063c957a
SHA1

41bcbaec1ff4239bfd813d52df896b0a068bb3c4
SHA256

b838a3143cb4b4c6b105b1e2ea4b72525ade567995902a2ed65cf613535615c3
SHA512

682e50b730819a8e1749e25e12e4cdea7e2061601805e6decd86170dfc5003d64d2c078fb3d57b6f63fb524ac6b861b29f6ab89c88dbb80a27ba73d0dffeee72
SSDEEP

384:p7pQQwQHDf6jlpTWg3vMGQiKMvU/4Qdre21jT58vKpG2Y0orcfKLUv0KZnNEVdes:p7JVFNcD8FLcIwgiYq0xFBi5

Score

7^/10

evasion

Malware Config

Signatures

Deletes system logs 1 TTPs 1 IoCs

Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.

evasion

Indicator Removal

T1070

description	ioc	Process
File deleted	/var/log/syslog	rm

Flushes firewall rules 1 IoCs

Flushes/ disables firewall rules inside the Linux kernel.

pid	Process
676	iptables

Attempts to change immutable files 40 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

pid	Process
671	chattr
719	grep
738	xargs
821	xargs
918	xargs
868	xargs
786	xargs
814	xargs
665	chattr
705	chattr
716	grep
744	xargs
768	xargs
774	xargs
835	xargs
861	xargs
762	xargs
798	xargs
875	xargs
756	xargs
807	xargs
828	xargs
842	xargs
854	xargs
889	xargs
663	chattr
792	xargs
849	xargs
882	xargs
910	xargs
673	chattr
706	chattr
732	xargs
750	xargs
896	xargs
925	xargs
724	xargs
780	xargs
903	xargs
934	xargs

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 18 IoCs

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	sysctl
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	exim4
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	exim4
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/275/stat	ps
File opened for reading	/proc/28/cmdline	ps
File opened for reading	/proc/719/cmdline	ps
File opened for reading	/proc/18/cmdline	ps
File opened for reading	/proc/81/stat	ps
File opened for reading	/proc/11/status	ps
File opened for reading	/proc/8/stat	ps
File opened for reading	/proc/42/stat	ps
File opened for reading	/proc/174/cmdline	ps
File opened for reading	/proc/10/status	ps
File opened for reading	/proc/616/cmdline	ps
File opened for reading	/proc/22/status	ps
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/1/status	ps
File opened for reading	/proc/297/cmdline	ps
File opened for reading	/proc/661/status	ps
File opened for reading	/proc/self/fd	xargs
File opened for reading	/proc/5/cmdline	ps
File opened for reading	/proc/115/status	ps
File opened for reading	/proc/654/cmdline	ps
File opened for reading	/proc/meminfo	ps
File opened for reading	/proc/8/cmdline	ps
File opened for reading	/proc/5/stat	ps
File opened for reading	/proc/221/status	ps
File opened for reading	/proc/114/cmdline	ps
File opened for reading	/proc/148/cmdline	ps
File opened for reading	/proc/tty/drivers	ps
File opened for reading	/proc/4/stat	ps
File opened for reading	/proc/610/stat	ps
File opened for reading	/proc/self/fd	xargs
File opened for reading	/proc/20/stat	ps
File opened for reading	/proc/5/status	ps
File opened for reading	/proc/653/status	ps
File opened for reading	/proc/42/status	ps
File opened for reading	/proc/613/stat	ps
File opened for reading	/proc/stat	ps
File opened for reading	/proc/275/status	ps
File opened for reading	/proc/19/status	ps
File opened for reading	/proc/321/cmdline	ps
File opened for reading	/proc/self/stat	ps
File opened for reading	/proc/3/cmdline	ps
File opened for reading	/proc/sys/kernel/osrelease	ps
File opened for reading	/proc/18/stat	ps
File opened for reading	/proc/9/status	ps
File opened for reading	/proc/6/status	ps
File opened for reading	/proc/5/cmdline	ps
File opened for reading	/proc/297/status	ps
File opened for reading	/proc/23/cmdline	ps
File opened for reading	/proc/615/status	ps
File opened for reading	/proc/313/cmdline	ps
File opened for reading	/proc/659/cmdline	ps
File opened for reading	/proc/901/status	ps
File opened for reading	/proc/23/status	ps
File opened for reading	/proc/610/cmdline	ps
File opened for reading	/proc/112/cmdline	ps
File opened for reading	/proc/43/stat	ps
File opened for reading	/proc/615/status	ps
File opened for reading	/proc/13/cmdline	ps
File opened for reading	/proc/278/status	ps
File opened for reading	/proc/221/cmdline	ps
File opened for reading	/proc/20/stat	ps
File opened for reading	/proc/704/cmdline	ps
File opened for reading	/proc/613/status	ps
File opened for reading	/proc/24/status	ps

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/log_rot	0b363f246f77dd55699e7d67063c957a_JaffaCakes118

/tmp/0b363f246f77dd55699e7d67063c957a_JaffaCakes118
/tmp/0b363f246f77dd55699e7d67063c957a_JaffaCakes118
1⤵
- Writes file to tmp directory
PID:661
- /bin/rm
  rm -rf /var/log/syslog
  2⤵
  - Deletes system logs
  PID:662
- /usr/bin/chattr
  chattr -iua /tmp/
  2⤵
  - Attempts to change immutable files
  PID:663
- /usr/bin/chattr
  chattr -iua /var/tmp/
  2⤵
  - Attempts to change immutable files
  PID:665
- /usr/bin/chattr
  chattr -R -i /var/spool/cron
  2⤵
  - Attempts to change immutable files
  PID:671
- /usr/bin/chattr
  chattr -i /etc/crontab
  2⤵
  - Attempts to change immutable files
  PID:673
- /sbin/iptables
  iptables -F
  2⤵
  - Flushes firewall rules
  PID:676
- /usr/bin/sudo
  sudo sysctl "kernel.nmi_watchdog=0"
  2⤵
  PID:682
- - /usr/sbin/sendmail
    sendmail -t
    3⤵
    PID:693
  - - /usr/sbin/exim4
      /usr/sbin/exim4 -Mc 1s218i-0000BB-Ep
      4⤵
      Reads CPU attributes
      PID:712
- - /usr/sbin/sendmail
    sendmail -t
    3⤵
    PID:697
  - - /usr/sbin/exim4
      /usr/sbin/exim4 -Mc 1s218i-0000BF-Gp
      4⤵
      Reads CPU attributes
      PID:713
- - /sbin/sysctl
    sysctl "kernel.nmi_watchdog=0"
    3⤵
    - Reads CPU attributes
    PID:699
- /usr/sbin/userdel
  userdel akay
  2⤵
  PID:700
- /usr/sbin/userdel
  userdel vfinder
  2⤵
  PID:702
- /usr/bin/chattr
  chattr -iae /root/.ssh/
  2⤵
  - Attempts to change immutable files
  PID:705
- /usr/bin/chattr
  chattr -iae /root/.ssh/authorized_keys
  2⤵
  - Attempts to change immutable files
  PID:706
- /bin/rm
  rm -rf "/tmp/addres*"
  2⤵
  PID:709
- /bin/rm
  rm -rf "/tmp/walle*"
  2⤵
  PID:711
- /bin/rm
  rm -rf /tmp/keys
  2⤵
  PID:714
- /bin/grep
  grep -i "[a]liyun"
  2⤵
  - Attempts to change immutable files
  PID:716
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:715
- /bin/grep
  grep -i "[y]unjing"
  2⤵
  - Attempts to change immutable files
  PID:719
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:718
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:723
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:722
- /bin/grep
  grep 185.71.65.238
  2⤵
  PID:721
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:724
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:732
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:731
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:730
- /bin/grep
  grep 140.82.52.87
  2⤵
  PID:729
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:738
- /bin/grep
  grep -v -
  2⤵
  PID:737
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:736
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:735
- /bin/grep
  grep :443
  2⤵
  PID:734
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:744
- /bin/grep
  grep -v -
  2⤵
  PID:743
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  - Reads runtime system information
  PID:742
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:741
- /bin/grep
  grep :23
  2⤵
  PID:740
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:750
- /bin/grep
  grep -v -
  2⤵
  PID:749
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:748
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:747
- /bin/grep
  grep :443
  2⤵
  PID:746
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:756
- /bin/grep
  grep -v -
  2⤵
  PID:755
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:754
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:753
- /bin/grep
  grep :143
  2⤵
  PID:752
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:762
- /bin/grep
  grep -v -
  2⤵
  PID:761
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:760
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:759
- /bin/grep
  grep :2222
  2⤵
  PID:758
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:768
- /bin/grep
  grep -v -
  2⤵
  PID:767
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:766
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:765
- /bin/grep
  grep :3333
  2⤵
  PID:764
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:774
- /bin/grep
  grep -v -
  2⤵
  PID:773
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:772
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:771
- /bin/grep
  grep :3389
  2⤵
  PID:770
- /bin/grep
  grep -v -
  2⤵
  PID:779
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  - Reads runtime system information
  PID:780
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:778
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:777
- /bin/grep
  grep :4444
  2⤵
  PID:776
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:786
- /bin/grep
  grep -v -
  2⤵
  PID:785
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:784
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:783
- /bin/grep
  grep :5555
  2⤵
  PID:782
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:792
- /bin/grep
  grep -v -
  2⤵
  PID:791
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:790
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:789
- /bin/grep
  grep :6666
  2⤵
  PID:788
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:798
- /bin/grep
  grep -v -
  2⤵
  PID:797
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:796
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:795
- /bin/grep
  grep :6665
  2⤵
  PID:794
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:807
- /bin/grep
  grep -v -
  2⤵
  PID:806
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:805
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:804
- /bin/grep
  grep :6667
  2⤵
  PID:803
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:814
- /bin/grep
  grep -v -
  2⤵
  PID:813
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:812
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:811
- /bin/grep
  grep :7777
  2⤵
  PID:810
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:821
- /bin/grep
  grep -v -
  2⤵
  PID:820
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:819
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:818
- /bin/grep
  grep :8444
  2⤵
  PID:817
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:828
- /bin/grep
  grep -v -
  2⤵
  PID:827
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:826
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:825
- /bin/grep
  grep :3347
  2⤵
  PID:824
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:835
- /bin/grep
  grep -v -
  2⤵
  PID:834
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:833
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:832
- /bin/grep
  grep :14444
  2⤵
  PID:831
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:842
- /bin/grep
  grep -v -
  2⤵
  PID:841
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:840
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:839
- /bin/grep
  grep :14433
  2⤵
  PID:838
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:849
- /bin/grep
  grep -v -
  2⤵
  PID:848
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:847
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:846
- /bin/grep
  grep :13531
  2⤵
  PID:845
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:854
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:853
- /bin/grep
  grep -v grep
  2⤵
  PID:852
- /bin/grep
  grep "sleep 60"
  2⤵
  PID:851
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:850
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:861
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:860
- /bin/grep
  grep -v grep
  2⤵
  PID:859
- /bin/grep
  grep ./crun
  2⤵
  PID:858
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:857
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:868
- /usr/bin/awk
  awk "{if(\$3>80.0) print \$2}"
  2⤵
  PID:867
- /bin/grep
  grep -v grep
  2⤵
  PID:866
- /bin/grep
  grep -vw kdevtmpfsi
  2⤵
  PID:865
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:864
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:875
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:874
- /bin/grep
  grep :3333
  2⤵
  PID:873
- /bin/grep
  grep -v grep
  2⤵
  PID:872
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:871
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:882
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:881
- /bin/grep
  grep :5555
  2⤵
  PID:880
- /bin/grep
  grep -v grep
  2⤵
  PID:879
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:878
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:889
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:888
- /bin/grep
  grep "kworker -c\\"
  2⤵
  PID:887
- /bin/grep
  grep -v grep
  2⤵
  PID:886
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:885
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:896
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:895
- /bin/grep
  grep log_
  2⤵
  PID:894
- /bin/grep
  grep -v grep
  2⤵
  PID:893
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:892
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:903
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:902
- /bin/grep
  grep systemten
  2⤵
  PID:901
- /bin/grep
  grep -v grep
  2⤵
  PID:900
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:899
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  - Reads runtime system information
  PID:910
- - /usr/local/sbin/kill
    kill -9 14
    3⤵
    PID:913
- - /usr/local/bin/kill
    kill -9 14
    3⤵
    PID:913
- - /usr/sbin/kill
    kill -9 14
    3⤵
    PID:913
- - /usr/bin/kill
    kill -9 14
    3⤵
    PID:913
- - /sbin/kill
    kill -9 14
    3⤵
    PID:913
- - /bin/kill
    kill -9 14
    3⤵
    - Reads CPU attributes
    PID:913
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:909
- /bin/grep
  grep netns
  2⤵
  PID:908
- /bin/grep
  grep -v grep
  2⤵
  PID:907
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:906
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:918
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:917
- /bin/grep
  grep voltuned
  2⤵
  PID:916
- /bin/grep
  grep -v grep
  2⤵
  PID:915
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:914
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:925
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:924
- /bin/grep
  grep darwin
  2⤵
  PID:923
- /bin/grep
  grep -v grep
  2⤵
  PID:922
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:921
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:934
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:933
- /bin/grep
  grep /tmp/dl
  2⤵
  PID:932
- /bin/grep
  grep -v grep
  2⤵
  PID:931
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:930

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/log_rot

Filesize
5B

MD5
727479ef7cedf30c03459bec7d87b0f0

SHA1
2082e7f715f058acab2398d25d135cf5f4c0ce41

SHA256
29872037c9573567744ef10ed2de57864ded7554c9fa2ef03fc1244c65794ba6

SHA512
4cb59d37f8481f9bb2745f494baa0910a68aad40ac2903ef1513547e091e1e772a5f9436f789ab91fcafb75b8a28c2112ede89004be41f33c01d936b542ca6ba

Download Submit
/var/mail/user

Filesize
820B

MD5
c7c168332d9e6df13beea475c4e7323b

SHA1
2319f7eb417958bec957c143ee91d3828a849b09

SHA256
a3157235d45432a3ca8d141d33abdcb2d5471ea6cfcda679fa4c4d8eb78a7b06

SHA512
5eef3dfa5f83096e0a9da6abe10dd54e88b3e506e188bf1315fa76e4de840b222ad5d2db13229ebac83171404fcdca6098f0dfccc1676650efc5d9f8a5859b0b

Download Submit
/var/mail/user

Filesize
1KB

MD5
79cce7bf98eaa3c8b037e98afa7ebdec

SHA1
59e200aee09d0b68ef6b538345278d67df29cb86

SHA256
17a0e9acc0a1e1ab536ffa6f4bf941032401971210b134d8faf05bf58de5f8b5

SHA512
d47b04fe38917942809d1a840dd1d5e47f21823c270d670fc4728fcfe13ef76bc7adec86508d57a02907255992ab6cf31a02e5e9d77d8ad575ebf7fa64193e9d

Download Submit
/var/spool/exim4/input/1s218i-0000BB-Ep-D

Filesize
126B

MD5
1e4c75c86053e93945692ac494a3ed9b

SHA1
fdd92be1bf34135f6fe819d5fb318ae6a1ac6fc0

SHA256
c2d5ba57b8f3fd56a8190b0e120836462e1a69a5811dbe1c805b9b766e3e36d0

SHA512
64df7cba0a469e3f27001ea83e02b754007c8954e756d7c7d88055e822968824ed1c212cf82b0a2ea5822b493f72c9fff7367c2a1ff674643370e95865fcc7b9

Download Submit
/var/spool/exim4/input/1s218i-0000BB-Ep-J

Filesize
34B

MD5
d7d96d63d643a4ce3e408eba7dfcedc5

SHA1
c53607f95c5c57beafc1d8266646797a035f76ea

SHA256
21db3a59b2d0ce18fb250b787d6e2c85d12919f5fdf1448c8f48207c4083b159

SHA512
703a03e54776a6ad9b8adc6c475bbc91c06502618fa3b6f495b1a01a4f6f7aa6fb65dc6ba6885ddc6af961627062f1ce1e1d66688288cbd3bef7754d249fa9b3

Download Submit
/var/spool/exim4/input/1s218i-0000BF-Gp-D

Filesize
145B

MD5
53bdd3c46de9451c08b53648c513bc4f

SHA1
b204fafd361e4a1444e801664342d4db9408115f

SHA256
11e084a97f2ffcaa0239a98711fef30145349333a50146c368b44c295a366a5a

SHA512
88a4acf1b01851ceaf8c1c92f14bd5ea92f030c3200c792f2e065fee7e3161c44807e07f56c32be9187484bc1a3963b1164e803ec4afe7a657950b97d8f0d09c

Download Submit
/var/spool/exim4/input/hdr.693

Filesize
912B

MD5
c70d58ab25b1ccee0c4d89a2e69412c5

SHA1
a634d328edb2eda3f3d68b43f1756e64e4f5847c

SHA256
1b791d2d666a1465fdf464042d321a820aa0f820d02d233d68a76923b7f12ee2

SHA512
ad553786d3c57a6c75a6c9f5f4defafa0426e0eff035bb686e942fd67d86e81b57ccaf6d33da5c3f3fc646ede9b46daadbca3d58cb3ae07e847eaec12fcde9af

Download Submit
/var/spool/exim4/input/hdr.697

Filesize
912B

MD5
8797d8d491b50a0875176737fcc88e68

SHA1
4785d250ccc5c6e4c40164bc0bf04367bcebc548

SHA256
0a429cda886b95db12a4b489e226ca2e6cafe4707ffe06bf32e916a5ac58c726

SHA512
60fa3cc0d2318793c99ce5a7e36617327858be2866f68c68024a17e344a396add14d0da0a15f9ced984a3e19f553631e9b22beec561a0d667fa6ef7a9c73860e

Download Submit
/var/spool/exim4/msglog/1s218i-0000BB-Ep

Filesize
288B

MD5
130a6a044016490b06d56f861a2fa2ba

SHA1
f1b11dfcff58c5ef56e9dfc5af66f1355af2f3af

SHA256
c80284a34e04cddcd0aa6a8c59d3c3f3d886c9427761644fab77379e2170de69

SHA512
ddcfd6ea3fc07af70a8533c51078af3125b5954430a3b0b08456fa00e56e5562361bf5afd32a566f5bec5c7157803b54ddd95ef0667e9a61d4eef5c469a228d4

Download Submit
/var/spool/exim4/msglog/1s218i-0000BB-Ep

Filesize
89B

MD5
0d2fc355c185cc555fa97dd48834fcfd

SHA1
f7b64d23cbdb9f381ed3e751cf56268f75117e98

SHA256
fbe6bfdcb5820f392f70a93c9541384d6fb782416e75e6ef4de5acb606552921

SHA512
3ad8c565a6ec77a92846ccc963cb69ae9b0fb499eb576316d1df556969b589f95a0dce4062121d47d3cc3959f2717780adb75a6c717d1556e998507e59b372f5

Download Submit
/var/spool/exim4/msglog/1s218i-0000BF-Gp

Filesize
288B

MD5
24ea67b4ad78c3b5d982042cf5e9f504

SHA1
960fd9c46820ba1eef02bfe1aa69fb7fa651a827

SHA256
350bc98f7bebd18ffad95d9662a34322f3fbb148d35d77f9676b779940d82bf6

SHA512
829a7fc1599605001c1ecfd49966e44edeecd127021236e34e18f075dc1111af4e0ed0920d38857ea67932584b122abad1eba027598fe77ac7972c07f45ccdd7

Download Submit
/var/spool/exim4/msglog/1s218i-0000BF-Gp

Filesize
89B

MD5
b600b4a52bef7039492a7ce3237b8beb

SHA1
88fdab734be80a856f5fc5c64cb6dd0bfc0afdd3

SHA256
6b696652509c9b5d01ad4bbfd0e521b552a7012088e9559a832f5f08b874720a

SHA512
8e6e88728c3e22bfdf3cc0703743803ec75876eaf5d7e1990f1aee7c6cc064a11796eaddbf9135b19d8fa26c7ee55111fc0e6f98ac21b80c1b171e9a9ac84bb6

Download Submit
memory/866-1-0xb6c14000-0xb6c25044-memory.dmp

Download