Malware Analysis Report

2024-10-24 21:45

Sample ID 240520-h3yscahd32
Target 5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118
SHA256 bb6cb684d2845050828adef8e78e6a242ad595064bce60d675d2b240a4ebf87d
Tags
upx antivm persistence
score
7/10

Analysis Overview

score
7/10

SHA256

bb6cb684d2845050828adef8e78e6a242ad595064bce60d675d2b240a4ebf87d

Threat Level: Shows suspicious behavior

The file 5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

upx antivm persistence

Executes dropped EXE

UPX packed file

Modifies init.d

Reads system routing table

Write file to user bin folder

Writes file to system bin folder

Checks CPU configuration

Reads system network configuration

Reads runtime system information

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-20 07:16

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-20 07:16

Reported

2024-05-20 07:18

Platform

ubuntu2004-amd64-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

[/tmp/5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118h /tmp/5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118h N/A
N/A /usr/bin/bsd-port/getty /usr/bin/bsd-port/getty N/A
N/A /etc/ssh/sshpa /etc/ssh/sshpa N/A
N/A /usr/bin/bsd-port/udevd /usr/bin/bsd-port/udevd N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies init.d

persistence
Description Indicator Process Target
File opened for modification /etc/init.d/DbSecuritySpt /tmp/5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118 N/A
File opened for modification /etc/init.d/selinux /usr/bin/bsd-port/getty N/A

Reads system routing table

Description Indicator Process Target
File opened for reading /proc/net/route /tmp/5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118h N/A
File opened for reading /proc/net/route /tmp/5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118 N/A

Write file to user bin folder

Description Indicator Process Target
File opened for modification /usr/bin/lsof /usr/bin/cp N/A
File opened for modification /usr/bin/ps /usr/bin/cp N/A
File opened for modification /usr/bin/bsd-port/getty.lock /tmp/5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118 N/A
File opened for modification /usr/bin/bsd-port/getty /usr/bin/cp N/A
File opened for modification /usr/bin/bsd-port/udevd /usr/bin/bsd-port/getty N/A
File opened for modification /usr/bin/bsd-port/udevd.lock /usr/bin/bsd-port/udevd N/A
File opened for modification /usr/bin/bsd-port/getty.lock /usr/bin/bsd-port/getty N/A
File opened for modification /usr/bin/dpkgd/lsof /usr/bin/cp N/A
File opened for modification /usr/bin/dpkgd/ps /usr/bin/cp N/A

Writes file to system bin folder

Description Indicator Process Target
File opened for modification /bin/lsof /usr/bin/cp N/A
File opened for modification /bin/ps /usr/bin/cp N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /tmp/5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118h N/A
File opened for reading /proc/cpuinfo /tmp/5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118 N/A
File opened for reading /proc/cpuinfo /usr/bin/bsd-port/udevd N/A
File opened for reading /proc/cpuinfo /usr/bin/bsd-port/getty N/A

Reads system network configuration

Description Indicator Process Target
File opened for reading /proc/net/route /tmp/5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118h N/A
File opened for reading /proc/net/arp /tmp/5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118h N/A
File opened for reading /proc/net/dev /usr/bin/bsd-port/getty N/A
File opened for reading /proc/net/dev /tmp/5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118h N/A
File opened for reading /proc/net/dev /tmp/5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118 N/A
File opened for reading /proc/net/dev /usr/bin/bsd-port/udevd N/A
File opened for reading /proc/net/route /tmp/5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118 N/A
File opened for reading /proc/net/arp /tmp/5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118 N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/sys/kernel/version /tmp/5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118 N/A
File opened for reading /proc/filesystems /usr/bin/cp N/A
File opened for reading /proc/cmdline /usr/sbin/insmod N/A
File opened for reading /proc/sys/kernel/version /tmp/5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118h N/A
File opened for reading /proc/stat /tmp/5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118 N/A
File opened for reading /proc/sys/kernel/version /usr/bin/bsd-port/udevd N/A
File opened for reading /proc/filesystems /usr/bin/mkdir N/A
File opened for reading /proc/meminfo /tmp/5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118 N/A
File opened for reading /proc/sys/kernel/version /usr/bin/bsd-port/getty N/A
File opened for reading /proc/meminfo /usr/bin/bsd-port/getty N/A
File opened for reading /proc/meminfo /tmp/5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118h N/A
File opened for reading /proc/stat /usr/bin/bsd-port/udevd N/A
File opened for reading /proc/meminfo /usr/bin/bsd-port/udevd N/A
File opened for reading /proc/stat /tmp/5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118h N/A
File opened for reading /proc/sys/kernel/version /etc/ssh/sshpa N/A
File opened for reading /proc/stat /usr/bin/bsd-port/getty N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/moni.lock /etc/ssh/sshpa N/A
File opened for modification /tmp/notify.file /etc/ssh/sshpa N/A
File opened for modification /tmp/5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118h /tmp/5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118 N/A
File opened for modification /tmp/notify.file /tmp/5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118 N/A
File opened for modification /tmp/conf.n /tmp/5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118 N/A
File opened for modification /tmp/gates.lock /etc/ssh/sshpa N/A
File opened for modification /tmp/moni.lock /tmp/5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118 N/A
File opened for modification /tmp/gates.lock /tmp/5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118 N/A
File opened for modification /tmp/bill.lock /tmp/5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118h N/A

Processes

/tmp/5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118

[/tmp/5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118]

/bin/sh

[sh -c /tmp/5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118h]

/tmp/5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118h

[/tmp/5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118h]

/bin/sh

[sh -c insmod /usr/lib/xpacket.ko]

/usr/sbin/insmod

[insmod /usr/lib/xpacket.ko]

/bin/sh

[sh -c ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt]

/usr/bin/ln

[ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt]

/bin/sh

[sh -c ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt]

/usr/bin/ln

[ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt]

/bin/sh

[sh -c ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt]

/usr/bin/ln

[ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt]

/bin/sh

[sh -c ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt]

/usr/bin/ln

[ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt]

/bin/sh

[sh -c ln -s /etc/init.d/DbSecuritySpt /etc/rc5.d/S97DbSecuritySpt]

/usr/bin/ln

[ln -s /etc/init.d/DbSecuritySpt /etc/rc5.d/S97DbSecuritySpt]

/bin/sh

[sh -c mkdir -p /usr/bin/bsd-port]

/usr/bin/mkdir

[mkdir -p /usr/bin/bsd-port]

/bin/sh

[sh -c cp -f /tmp/5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118 /usr/bin/bsd-port/getty]

/usr/bin/cp

[cp -f /tmp/5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118 /usr/bin/bsd-port/getty]

/bin/sh

[sh -c /usr/bin/bsd-port/getty]

/usr/bin/bsd-port/getty

[/usr/bin/bsd-port/getty]

/bin/sh

[sh -c mkdir -p /etc/ssh]

/usr/bin/mkdir

[mkdir -p /etc/ssh]

/bin/sh

[sh -c cp -f /tmp/5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118 /etc/ssh/sshpa]

/usr/bin/cp

[cp -f /tmp/5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118 /etc/ssh/sshpa]

/bin/sh

[sh -c /etc/ssh/sshpa]

/etc/ssh/sshpa

[/etc/ssh/sshpa]

/bin/sh

[sh -c ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux]

/usr/bin/ln

[ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux]

/bin/sh

[sh -c ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux]

/usr/bin/ln

[ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux]

/bin/sh

[sh -c ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux]

/usr/bin/ln

[ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux]

/bin/sh

[sh -c ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux]

/usr/bin/ln

[ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux]

/bin/sh

[sh -c ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux]

/usr/bin/ln

[ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux]

/bin/sh

[sh -c /usr/bin/bsd-port/udevd]

/usr/bin/bsd-port/udevd

[/usr/bin/bsd-port/udevd]

/bin/sh

[sh -c insmod /usr/lib/xpacket.ko]

/usr/sbin/insmod

[insmod /usr/lib/xpacket.ko]

/bin/sh

[sh -c mkdir -p /usr/bin/dpkgd]

/usr/bin/mkdir

[mkdir -p /usr/bin/dpkgd]

/bin/sh

[sh -c cp -f /bin/lsof /usr/bin/dpkgd/lsof]

/usr/bin/cp

[cp -f /bin/lsof /usr/bin/dpkgd/lsof]

/bin/sh

[sh -c mkdir -p /bin]

/usr/bin/mkdir

[mkdir -p /bin]

/bin/sh

[sh -c cp -f /usr/bin/bsd-port/getty /bin/lsof]

/usr/bin/cp

[cp -f /usr/bin/bsd-port/getty /bin/lsof]

/bin/sh

[sh -c chmod 0755 /bin/lsof]

/usr/bin/chmod

[chmod 0755 /bin/lsof]

/bin/sh

[sh -c cp -f /bin/ps /usr/bin/dpkgd/ps]

/usr/bin/cp

[cp -f /bin/ps /usr/bin/dpkgd/ps]

/bin/sh

[sh -c mkdir -p /bin]

/usr/bin/mkdir

[mkdir -p /bin]

/bin/sh

[sh -c cp -f /usr/bin/bsd-port/getty /bin/ps]

/usr/bin/cp

[cp -f /usr/bin/bsd-port/getty /bin/ps]

/bin/sh

[sh -c chmod 0755 /bin/ps]

/usr/bin/chmod

[chmod 0755 /bin/ps]

/bin/sh

[sh -c mkdir -p /usr/bin]

/usr/bin/mkdir

[mkdir -p /usr/bin]

/bin/sh

[sh -c cp -f /usr/bin/bsd-port/getty /usr/bin/lsof]

/usr/bin/cp

[cp -f /usr/bin/bsd-port/getty /usr/bin/lsof]

/bin/sh

[sh -c chmod 0755 /usr/bin/lsof]

/usr/bin/chmod

[chmod 0755 /usr/bin/lsof]

/bin/sh

[sh -c mkdir -p /usr/bin]

/usr/bin/mkdir

[mkdir -p /usr/bin]

/bin/sh

[sh -c cp -f /usr/bin/bsd-port/getty /usr/bin/ps]

/usr/bin/cp

[cp -f /usr/bin/bsd-port/getty /usr/bin/ps]

/bin/sh

[sh -c chmod 0755 /usr/bin/ps]

/usr/bin/chmod

[chmod 0755 /usr/bin/ps]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 connectivity-check.ubuntu.com udp
TR 194.55.187.56:36000 tcp
US 1.1.1.1:53 bbb.dj6cc.com udp

Files

/tmp/5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118h

/tmp/gates.lock

/tmp/bill.lock

memory/1443-1-0x0000000008048000-0x0000000008112c2c-memory.dmp

/etc/init.d/DbSecuritySpt

/usr/bin/bsd-port/getty

/tmp/notify.file

/etc/init.d/selinux

memory/1493-2-0x0000000008048000-0x0000000008112c2c-memory.dmp

/usr/bin/dpkgd/lsof

/usr/bin/dpkgd/ps

/tmp/moni.lock
