mrblack | 3c1daabc22d5f5c1639c4b43ab9c8cb3f81b720931d71045ab702d54adc6555f

Analysis

max time kernel
149s
max time network
144s
platform
ubuntu-22.04_amd64
resource
ubuntu2204-amd64-20240729-en
resource tags

arch:amd64arch:i386image:ubuntu2204-amd64-20240729-enkernel:5.15.0-105-genericlocale:en-usos:ubuntu-22.04-amd64system
submitted
06-09-2024 07:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf0c9c132a13a3097012530bb312afee_JaffaCakes118
Size

1.1MB
MD5

cf0c9c132a13a3097012530bb312afee
SHA1

bf196eaa6b0c90a3ef45b81ada29eded7e6031d9
SHA256

3c1daabc22d5f5c1639c4b43ab9c8cb3f81b720931d71045ab702d54adc6555f
SHA512

f4d28ca9d0ec69de01e1a65596e485a39d5bf38d7ad4689a8c829890d263cafde25c73a683750b6296ae5a07228ba8104ab9b5d31f4bd4b1aafbe8f8d45d3bbf
SSDEEP

24576:4vRE7caCfKGPqVEDNLFxKsfalI+gIGYuuCol7r:4vREKfPqVE5jKsfalRHGVo7r

Score

10^/10

mrblack antivm botnet discovery persistence trojan

Malware Config

Signatures

MrBlack Trojan
IoT botnet which infects routers to be used for DDoS attacks.
trojan botnet mrblack

MrBlack trojan 1 IoCs

resource	yara_rule
behavioral1/files/fstream-4.dat	family_mrblack

Executes dropped EXE 32 IoCs

ioc	pid	Process
/usr/bin/bsd-port/systm	1587	systm
/usr/bin/pythno	1595	pythno
/usr/bin/bsd-port/systm	1613	systm
/usr/bin/pythno	1621	pythno
/usr/bin/bsd-port/systm	1639	systm
/usr/bin/pythno	1647	pythno
/usr/bin/bsd-port/systm	1667	systm
/usr/bin/pythno	1675	pythno
/usr/bin/bsd-port/systm	1693	systm
/usr/bin/pythno	1701	pythno
/usr/bin/bsd-port/systm	1719	systm
/usr/bin/pythno	1727	pythno
/usr/bin/bsd-port/systm	1751	systm
/usr/bin/pythno	1759	pythno
/usr/bin/bsd-port/systm	1777	systm
/usr/bin/pythno	1785	pythno
/usr/bin/bsd-port/systm	1803	systm
/usr/bin/pythno	1811	pythno
/usr/bin/bsd-port/systm	1829	systm
/usr/bin/pythno	1837	pythno
/usr/bin/bsd-port/systm	1855	systm
/usr/bin/pythno	1863	pythno
/usr/bin/bsd-port/systm	1881	systm
/usr/bin/pythno	1889	pythno
/usr/bin/bsd-port/systm	1907	systm
/usr/bin/pythno	1915	pythno
/usr/bin/bsd-port/systm	1936	systm
/usr/bin/pythno	1944	pythno
/usr/bin/bsd-port/systm	1962	systm
/usr/bin/pythno	1970	pythno
/usr/bin/bsd-port/systm	1988	systm
/usr/bin/pythno	1996	pythno

Modifies init.d 2 TTPs 17 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

RC Scripts

T1037.004

description	ioc	Process
File opened for modification	/etc/init.d/VsystemsshMdt	systm
File opened for modification	/etc/init.d/VsystemsshMdt	systm
File opened for modification	/etc/init.d/VsystemsshMdt	systm
File opened for modification	/etc/init.d/VsystemsshMdt	systm
File opened for modification	/etc/init.d/VsystemsshMdt	systm
File opened for modification	/etc/init.d/VsystemsshMdt	systm
File opened for modification	/etc/init.d/VsystemsshMdt	systm
File opened for modification	/etc/init.d/VsystemsshMdt	systm
File opened for modification	/etc/init.d/VsystemsshMdt	systm
File opened for modification	/etc/init.d/VsystemsshMdt	systm
File opened for modification	/etc/init.d/VsystemsshMdt	systm
File opened for modification	/etc/init.d/VsystemsshMdt	systm
File opened for modification	/etc/init.d/VsystemsshMdt	systm
File opened for modification	/etc/init.d/VsystemsshMdt	systm
File opened for modification	/etc/init.d/VsystemsshMdt	cf0c9c132a13a3097012530bb312afee_JaffaCakes118
File opened for modification	/etc/init.d/VsystemsshMdt	systm
File opened for modification	/etc/init.d/VsystemsshMdt	systm

Reads system routing table 1 TTPs 16 IoCs

Gets active network interfaces from /proc virtual filesystem.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/route	systm
File opened for reading	/proc/net/route	systm
File opened for reading	/proc/net/route	systm
File opened for reading	/proc/net/route	systm
File opened for reading	/proc/net/route	systm
File opened for reading	/proc/net/route	systm
File opened for reading	/proc/net/route	systm
File opened for reading	/proc/net/route	systm
File opened for reading	/proc/net/route	systm
File opened for reading	/proc/net/route	systm
File opened for reading	/proc/net/route	systm
File opened for reading	/proc/net/route	cf0c9c132a13a3097012530bb312afee_JaffaCakes118
File opened for reading	/proc/net/route	systm
File opened for reading	/proc/net/route	systm
File opened for reading	/proc/net/route	systm
File opened for reading	/proc/net/route	systm

Write file to user bin folder 64 IoCs

persistence

description	ioc	Process
File opened for modification	/usr/bin/bsd-port/systm.conf	cf0c9c132a13a3097012530bb312afee_JaffaCakes118
File opened for modification	/usr/bin/bsd-port/udevd.conf	systm
File opened for modification	/usr/bin/bsd-port/conf.n	systm
File opened for modification	/usr/bin/bsd-port/conf.n	systm
File opened for modification	/usr/bin/bsd-port/systm.conf	systm
File opened for modification	/usr/bin/bsd-port/udevd.conf	systm
File opened for modification	/usr/bin/bsd-port/conf.n	systm
File opened for modification	/usr/bin/bsd-port/systm.conf	systm
File opened for modification	/usr/bin/bsd-port/conf.n	systm
File opened for modification	/usr/bin/bsd-port/conf.n	systm
File opened for modification	/usr/bin/pythno	cp
File opened for modification	/usr/bin/bsd-port/conf.n	systm
File opened for modification	/usr/bin/bsd-port/systm.conf	systm
File opened for modification	/usr/bin/pythno	cp
File opened for modification	/usr/bin/pythno	cp
File opened for modification	/usr/bin/pythno	cp
File opened for modification	/usr/bin/bsd-port/systm	cp
File opened for modification	/usr/bin/bsd-port/udevd.conf	systm
File opened for modification	/usr/bin/bsd-port/conf.n	systm
File opened for modification	/usr/bin/bsd-port/systm.conf	systm
File opened for modification	/usr/bin/bsd-port/systm.conf	systm
File opened for modification	/usr/bin/bsd-port/systm.conf	systm
File opened for modification	/usr/bin/bsd-port/systm.conf	systm
File opened for modification	/usr/bin/pythno	cp
File opened for modification	/usr/bin/bsd-port/systm.conf	systm
File opened for modification	/usr/bin/bsd-port/conf.n	systm
File opened for modification	/usr/bin/bsd-port/udevd.conf	systm
File opened for modification	/usr/bin/pythno	cp
File opened for modification	/usr/bin/pythno	cp
File opened for modification	/usr/bin/bsd-port/conf.n	systm
File opened for modification	/usr/bin/bsd-port/udevd.conf	systm
File opened for modification	/usr/bin/bsd-port/systm.conf	systm
File opened for modification	/usr/bin/bsd-port/udevd.conf	systm
File opened for modification	/usr/bin/pythno	cp
File opened for modification	/usr/bin/bsd-port/systm.conf	systm
File opened for modification	/usr/bin/pythno	cp
File opened for modification	/usr/bin/pythno	cp
File opened for modification	/usr/bin/pythno	cp
File opened for modification	/usr/bin/bsd-port/conf.n	systm
File opened for modification	/usr/bin/bsd-port/udevd.conf	systm
File opened for modification	/usr/bin/bsd-port/udevd.conf	systm
File opened for modification	/usr/bin/pythno	cp
File opened for modification	/usr/bin/pythno	cp
File opened for modification	/usr/bin/bsd-port/systm.conf	systm
File opened for modification	/usr/bin/bsd-port/udevd.conf	cf0c9c132a13a3097012530bb312afee_JaffaCakes118
File opened for modification	/usr/bin/bsd-port/conf.n	systm
File opened for modification	/usr/bin/bsd-port/systm.conf	systm
File opened for modification	/usr/bin/bsd-port/udevd.conf	systm
File opened for modification	/usr/bin/bsd-port/udevd.conf	systm
File opened for modification	/usr/bin/pythno	cp
File opened for modification	/usr/bin/pythno	cp
File opened for modification	/usr/bin/bsd-port/udevd.conf	systm
File opened for modification	/usr/bin/bsd-port/udevd.conf	systm
File opened for modification	/usr/bin/pythno	cp
File opened for modification	/usr/bin/bsd-port/systm.conf	systm
File opened for modification	/usr/bin/bsd-port/conf.n	systm
File opened for modification	/usr/bin/bsd-port/conf.n	systm
File opened for modification	/usr/bin/bsd-port/udevd.conf	systm
File opened for modification	/usr/bin/bsd-port/conf.n	systm
File opened for modification	/usr/bin/bsd-port/udevd.conf	systm
File opened for modification	/usr/bin/bsd-port/systm.conf	systm
File opened for modification	/usr/bin/bsd-port/udevd.conf	systm
File opened for modification	/usr/bin/bsd-port/systm.conf	systm
File opened for modification	/usr/bin/bsd-port/udevd.conf	systm

Checks CPU configuration 1 TTPs 16 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	systm
File opened for reading	/proc/cpuinfo	systm
File opened for reading	/proc/cpuinfo	cf0c9c132a13a3097012530bb312afee_JaffaCakes118
File opened for reading	/proc/cpuinfo	systm
File opened for reading	/proc/cpuinfo	systm
File opened for reading	/proc/cpuinfo	systm
File opened for reading	/proc/cpuinfo	systm
File opened for reading	/proc/cpuinfo	systm
File opened for reading	/proc/cpuinfo	systm
File opened for reading	/proc/cpuinfo	systm
File opened for reading	/proc/cpuinfo	systm
File opened for reading	/proc/cpuinfo	systm
File opened for reading	/proc/cpuinfo	systm
File opened for reading	/proc/cpuinfo	systm
File opened for reading	/proc/cpuinfo	systm
File opened for reading	/proc/cpuinfo	systm

Reads system network configuration 1 TTPs 48 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/arp	systm
File opened for reading	/proc/net/route	systm
File opened for reading	/proc/net/dev	systm
File opened for reading	/proc/net/arp	systm
File opened for reading	/proc/net/route	systm
File opened for reading	/proc/net/arp	systm
File opened for reading	/proc/net/dev	systm
File opened for reading	/proc/net/dev	systm
File opened for reading	/proc/net/route	systm
File opened for reading	/proc/net/route	systm
File opened for reading	/proc/net/dev	systm
File opened for reading	/proc/net/dev	systm
File opened for reading	/proc/net/route	systm
File opened for reading	/proc/net/dev	systm
File opened for reading	/proc/net/dev	systm
File opened for reading	/proc/net/dev	systm
File opened for reading	/proc/net/route	systm
File opened for reading	/proc/net/dev	systm
File opened for reading	/proc/net/arp	systm
File opened for reading	/proc/net/route	systm
File opened for reading	/proc/net/route	systm
File opened for reading	/proc/net/dev	systm
File opened for reading	/proc/net/route	systm
File opened for reading	/proc/net/arp	systm
File opened for reading	/proc/net/dev	systm
File opened for reading	/proc/net/dev	systm
File opened for reading	/proc/net/arp	systm
File opened for reading	/proc/net/dev	systm
File opened for reading	/proc/net/arp	systm
File opened for reading	/proc/net/arp	systm
File opened for reading	/proc/net/arp	systm
File opened for reading	/proc/net/dev	systm
File opened for reading	/proc/net/route	systm
File opened for reading	/proc/net/arp	systm
File opened for reading	/proc/net/route	systm
File opened for reading	/proc/net/arp	systm
File opened for reading	/proc/net/route	systm
File opened for reading	/proc/net/arp	systm
File opened for reading	/proc/net/route	systm
File opened for reading	/proc/net/route	cf0c9c132a13a3097012530bb312afee_JaffaCakes118
File opened for reading	/proc/net/arp	cf0c9c132a13a3097012530bb312afee_JaffaCakes118
File opened for reading	/proc/net/arp	systm
File opened for reading	/proc/net/arp	systm
File opened for reading	/proc/net/route	systm
File opened for reading	/proc/net/dev	cf0c9c132a13a3097012530bb312afee_JaffaCakes118
File opened for reading	/proc/net/route	systm
File opened for reading	/proc/net/arp	systm
File opened for reading	/proc/net/dev	systm

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/stat	systm
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/sys/kernel/version	systm
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/stat	systm
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/sys/kernel/version	systm
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/sys/kernel/version	pythno
File opened for reading	/proc/sys/kernel/version	systm
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/sys/kernel/version	pythno
File opened for reading	/proc/stat	systm
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/meminfo	systm
File opened for reading	/proc/sys/kernel/version	systm
File opened for reading	/proc/cmdline	insmod
File opened for reading	/proc/meminfo	systm
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/stat	systm
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/sys/kernel/version	systm
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/cmdline	insmod
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/cmdline	insmod
File opened for reading	/proc/sys/kernel/version	pythno
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/stat	systm
File opened for reading	/proc/cmdline	insmod
File opened for reading	/proc/sys/kernel/version	systm
File opened for reading	/proc/sys/kernel/version	pythno
File opened for reading	/proc/meminfo	systm
File opened for reading	/proc/sys/kernel/version	pythno
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/cmdline	insmod
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/meminfo	systm
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/cmdline	insmod
File opened for reading	/proc/meminfo	systm
File opened for reading	/proc/meminfo	systm
File opened for reading	/proc/sys/kernel/version	pythno

Writes file to tmp directory 64 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/idus.log	systm
File opened for modification	/tmp/idus.log	pythno
File opened for modification	/tmp/notify.file	pythno
File opened for modification	/tmp/apsh.conf	systm
File opened for modification	/tmp/notify.file	pythno
File opened for modification	/tmp/vga.conf	systm
File opened for modification	/tmp/idus.log	pythno
File opened for modification	/tmp/idus.log	systm
File opened for modification	/tmp/notify.file	pythno
File opened for modification	/tmp/idus.log	pythno
File opened for modification	/tmp/notify.file	systm
File opened for modification	/tmp/vga.conf	systm
File opened for modification	/tmp/notify.file	pythno
File opened for modification	/tmp/idus.log	systm
File opened for modification	/tmp/idus.log	systm
File opened for modification	/tmp/notify.file	pythno
File opened for modification	/tmp/apsh.conf	systm
File opened for modification	/tmp/apsh.conf	systm
File opened for modification	/tmp/idus.log	systm
File opened for modification	/tmp/apsh.conf	systm
File opened for modification	/tmp/apsh.conf	systm
File opened for modification	/tmp/idus.log	pythno
File opened for modification	/tmp/notify.file	cf0c9c132a13a3097012530bb312afee_JaffaCakes118
File opened for modification	/tmp/notify.file	pythno
File opened for modification	/tmp/vga.conf	systm
File opened for modification	/tmp/idus.log	pythno
File opened for modification	/tmp/notify.file	systm
File opened for modification	/tmp/vga.conf	systm
File opened for modification	/tmp/notify.file	pythno
File opened for modification	/tmp/notify.file	systm
File opened for modification	/tmp/idus.log	pythno
File opened for modification	/tmp/idus.log	systm
File opened for modification	/tmp/apsh.conf	systm
File opened for modification	/tmp/apsh.conf	systm
File opened for modification	/tmp/apsh.conf	systm
File opened for modification	/tmp/notify.file	pythno
File opened for modification	/tmp/apsh.conf	systm
File opened for modification	/tmp/notify.file	pythno
File opened for modification	/tmp/vga.conf	systm
File opened for modification	/tmp/notify.file	systm
File opened for modification	/tmp/notify.file	systm
File opened for modification	/tmp/notify.file	pythno
File opened for modification	/tmp/vga.conf	systm
File opened for modification	/tmp/notify.file	pythno
File opened for modification	/tmp/idus.log	systm
File opened for modification	/tmp/notify.file	systm
File opened for modification	/tmp/notify.file	systm
File opened for modification	/tmp/idus.log	systm
File opened for modification	/tmp/idus.log	systm
File opened for modification	/tmp/apsh.conf	cf0c9c132a13a3097012530bb312afee_JaffaCakes118
File opened for modification	/tmp/vga.conf	systm
File opened for modification	/tmp/notify.file	systm
File opened for modification	/tmp/vga.conf	systm
File opened for modification	/tmp/vga.conf	systm
File opened for modification	/tmp/idus.log	systm
File opened for modification	/tmp/vga.conf	systm
File opened for modification	/tmp/idus.log	pythno
File opened for modification	/tmp/notify.file	systm
File opened for modification	/tmp/idus.log	systm
File opened for modification	/tmp/idus.log	pythno
File opened for modification	/tmp/vga.conf	systm
File opened for modification	/tmp/notify.file	systm
File opened for modification	/tmp/notify.file	pythno
File opened for modification	/tmp/notify.file	systm

/tmp/cf0c9c132a13a3097012530bb312afee_JaffaCakes118
/tmp/cf0c9c132a13a3097012530bb312afee_JaffaCakes118
1⤵
- Modifies init.d
- Reads system routing table
- Write file to user bin folder
- Checks CPU configuration
- Reads system network configuration
- Writes file to tmp directory
PID:1565
- /bin/sh
  sh -c "ln -s /etc/init.d/VsystemsshMdt /etc/rc1.d/S97VsystemsshMdt"
  2⤵
  PID:1571
- - /usr/bin/ln
    ln -s /etc/init.d/VsystemsshMdt /etc/rc1.d/S97VsystemsshMdt
    3⤵
    PID:1572
- /bin/sh
  sh -c "ln -s /etc/init.d/VsystemsshMdt /etc/rc2.d/S97VsystemsshMdt"
  2⤵
  PID:1573
- - /usr/bin/ln
    ln -s /etc/init.d/VsystemsshMdt /etc/rc2.d/S97VsystemsshMdt
    3⤵
    PID:1574
- /bin/sh
  sh -c "ln -s /etc/init.d/VsystemsshMdt /etc/rc3.d/S97VsystemsshMdt"
  2⤵
  PID:1575
- - /usr/bin/ln
    ln -s /etc/init.d/VsystemsshMdt /etc/rc3.d/S97VsystemsshMdt
    3⤵
    PID:1576
- /bin/sh
  sh -c "ln -s /etc/init.d/VsystemsshMdt /etc/rc4.d/S97VsystemsshMdt"
  2⤵
  PID:1577
- - /usr/bin/ln
    ln -s /etc/init.d/VsystemsshMdt /etc/rc4.d/S97VsystemsshMdt
    3⤵
    PID:1578
- /bin/sh
  sh -c "ln -s /etc/init.d/VsystemsshMdt /etc/rc5.d/S97VsystemsshMdt"
  2⤵
  PID:1579
- - /usr/bin/ln
    ln -s /etc/init.d/VsystemsshMdt /etc/rc5.d/S97VsystemsshMdt
    3⤵
    PID:1580
- /bin/sh
  sh -c "mkdir -p /usr/bin/bsd-port"
  2⤵
  PID:1581
- - /usr/bin/mkdir
    mkdir -p /usr/bin/bsd-port
    3⤵
    - Reads runtime system information
    PID:1582
- /bin/sh
  sh -c "cp -f /tmp/cf0c9c132a13a3097012530bb312afee_JaffaCakes118 /usr/bin/bsd-port/systm"
  2⤵
  PID:1583
- - /usr/bin/cp
    cp -f /tmp/cf0c9c132a13a3097012530bb312afee_JaffaCakes118 /usr/bin/bsd-port/systm
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:1584
- /bin/sh
  sh -c /usr/bin/bsd-port/systm
  2⤵
  PID:1586
- - /usr/bin/bsd-port/systm
    /usr/bin/bsd-port/systm
    3⤵
    - Executes dropped EXE
    - Modifies init.d
    - Reads system routing table
    - Write file to user bin folder
    - Checks CPU configuration
    - Reads system network configuration
    - Reads runtime system information
    - Writes file to tmp directory
    PID:1587
  - - /bin/sh
      sh -c "mkdir -p /usr/bin/bsd-port"
      4⤵
      PID:1607
    - - /usr/bin/mkdir
        
        mkdir -p /usr/bin/bsd-port
        5⤵
        Reads runtime system information
        
        PID:1608
  - - /bin/sh
      sh -c "cp -f /usr/bin/bsd-port/systm /usr/bin/bsd-port/systm"
      4⤵
      PID:1609
    - - /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/systm /usr/bin/bsd-port/systm
        5⤵
        
        PID:1610
  - - /bin/sh
      sh -c /usr/bin/bsd-port/systm
      4⤵
      PID:1612
    - - /usr/bin/bsd-port/systm
        
        /usr/bin/bsd-port/systm
        5⤵
        Executes dropped EXE
        Modifies init.d
        Reads system routing table
        Write file to user bin folder
        Checks CPU configuration
        Reads system network configuration
        Writes file to tmp directory
        
        PID:1613
      - /bin/sh
        
        sh -c "mkdir -p /usr/bin/bsd-port"
        6⤵
        
        PID:1633
        
        /usr/bin/mkdir
        
        mkdir -p /usr/bin/bsd-port
        7⤵
        Reads runtime system information
        
        PID:1634
      - /bin/sh
        
        sh -c "cp -f /usr/bin/bsd-port/systm /usr/bin/bsd-port/systm"
        6⤵
        
        PID:1635
        
        /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/systm /usr/bin/bsd-port/systm
        7⤵
        Reads runtime system information
        
        PID:1636
      - /bin/sh
        
        sh -c /usr/bin/bsd-port/systm
        6⤵
        
        PID:1638
        
        /usr/bin/bsd-port/systm
        
        /usr/bin/bsd-port/systm
        7⤵
        Executes dropped EXE
        Modifies init.d
        Reads system routing table
        Write file to user bin folder
        Checks CPU configuration
        Reads system network configuration
        Writes file to tmp directory
        
        PID:1639
        
        /bin/sh
        
        sh -c "mkdir -p /usr/bin/bsd-port"
        8⤵
        
        PID:1661
        
        /usr/bin/mkdir
        
        mkdir -p /usr/bin/bsd-port
        9⤵
        
        PID:1662
        
        /bin/sh
        
        sh -c "cp -f /usr/bin/bsd-port/systm /usr/bin/bsd-port/systm"
        8⤵
        
        PID:1663
        
        /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/systm /usr/bin/bsd-port/systm
        9⤵
        
        PID:1664
        
        /bin/sh
        
        sh -c /usr/bin/bsd-port/systm
        8⤵
        
        PID:1666
        
        /usr/bin/bsd-port/systm
        
        /usr/bin/bsd-port/systm
        9⤵
        Executes dropped EXE
        Modifies init.d
        Reads system routing table
        Write file to user bin folder
        Checks CPU configuration
        Reads system network configuration
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1667
        
        /bin/sh
        
        sh -c "mkdir -p /usr/bin/bsd-port"
        10⤵
        
        PID:1687
        
        /usr/bin/mkdir
        
        mkdir -p /usr/bin/bsd-port
        11⤵
        Reads runtime system information
        
        PID:1688
        
        /bin/sh
        
        sh -c "cp -f /usr/bin/bsd-port/systm /usr/bin/bsd-port/systm"
        10⤵
        
        PID:1689
        
        /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/systm /usr/bin/bsd-port/systm
        11⤵
        Reads runtime system information
        
        PID:1690
        
        /bin/sh
        
        sh -c /usr/bin/bsd-port/systm
        10⤵
        
        PID:1692
        
        /usr/bin/bsd-port/systm
        
        /usr/bin/bsd-port/systm
        11⤵
        Executes dropped EXE
        Modifies init.d
        Reads system routing table
        Write file to user bin folder
        Checks CPU configuration
        Reads system network configuration
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1693
        
        /bin/sh
        
        sh -c "mkdir -p /usr/bin/bsd-port"
        12⤵
        
        PID:1713
        
        /usr/bin/mkdir
        
        mkdir -p /usr/bin/bsd-port
        13⤵
        Reads runtime system information
        
        PID:1714
        
        /bin/sh
        
        sh -c "cp -f /usr/bin/bsd-port/systm /usr/bin/bsd-port/systm"
        12⤵
        
        PID:1715
        
        /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/systm /usr/bin/bsd-port/systm
        13⤵
        
        PID:1716
        
        /bin/sh
        
        sh -c /usr/bin/bsd-port/systm
        12⤵
        
        PID:1718
        
        /usr/bin/bsd-port/systm
        
        /usr/bin/bsd-port/systm
        13⤵
        Executes dropped EXE
        Modifies init.d
        Reads system routing table
        Write file to user bin folder
        Checks CPU configuration
        Reads system network configuration
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1719
        
        /bin/sh
        
        sh -c "mkdir -p /usr/bin/bsd-port"
        14⤵
        
        PID:1739
        
        /usr/bin/mkdir
        
        mkdir -p /usr/bin/bsd-port
        15⤵
        Reads runtime system information
        
        PID:1740
        
        /bin/sh
        
        sh -c "cp -f /usr/bin/bsd-port/systm /usr/bin/bsd-port/systm"
        14⤵
        
        PID:1741
        
        /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/systm /usr/bin/bsd-port/systm
        15⤵
        Reads runtime system information
        
        PID:1742
        
        /bin/sh
        
        sh -c /usr/bin/bsd-port/systm
        14⤵
        
        PID:1750
        
        /usr/bin/bsd-port/systm
        
        /usr/bin/bsd-port/systm
        15⤵
        Executes dropped EXE
        Modifies init.d
        Reads system routing table
        Write file to user bin folder
        Checks CPU configuration
        Reads system network configuration
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1751
        
        /bin/sh
        
        sh -c "mkdir -p /usr/bin/bsd-port"
        16⤵
        
        PID:1771
        
        /usr/bin/mkdir
        
        mkdir -p /usr/bin/bsd-port
        17⤵
        
        PID:1772
        
        /bin/sh
        
        sh -c "cp -f /usr/bin/bsd-port/systm /usr/bin/bsd-port/systm"
        16⤵
        
        PID:1773
        
        /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/systm /usr/bin/bsd-port/systm
        17⤵
        
        PID:1774
        
        /bin/sh
        
        sh -c /usr/bin/bsd-port/systm
        16⤵
        
        PID:1776
        
        /usr/bin/bsd-port/systm
        
        /usr/bin/bsd-port/systm
        17⤵
        Executes dropped EXE
        Modifies init.d
        Reads system routing table
        Write file to user bin folder
        Checks CPU configuration
        Reads system network configuration
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1777
        
        /bin/sh
        
        sh -c "mkdir -p /usr/bin/bsd-port"
        18⤵
        
        PID:1797
        
        /usr/bin/mkdir
        
        mkdir -p /usr/bin/bsd-port
        19⤵
        
        PID:1798
        
        /bin/sh
        
        sh -c "cp -f /usr/bin/bsd-port/systm /usr/bin/bsd-port/systm"
        18⤵
        
        PID:1799
        
        /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/systm /usr/bin/bsd-port/systm
        19⤵
        Reads runtime system information
        
        PID:1800
        
        /bin/sh
        
        sh -c /usr/bin/bsd-port/systm
        18⤵
        
        PID:1802
        
        /usr/bin/bsd-port/systm
        
        /usr/bin/bsd-port/systm
        19⤵
        Executes dropped EXE
        Modifies init.d
        Reads system routing table
        Write file to user bin folder
        Checks CPU configuration
        Reads system network configuration
        Writes file to tmp directory
        
        PID:1803
        
        /bin/sh
        
        sh -c "mkdir -p /usr/bin/bsd-port"
        20⤵
        
        PID:1823
        
        /usr/bin/mkdir
        
        mkdir -p /usr/bin/bsd-port
        21⤵
        Reads runtime system information
        
        PID:1824
        
        /bin/sh
        
        sh -c "cp -f /usr/bin/bsd-port/systm /usr/bin/bsd-port/systm"
        20⤵
        
        PID:1825
        
        /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/systm /usr/bin/bsd-port/systm
        21⤵
        Reads runtime system information
        
        PID:1826
        
        /bin/sh
        
        sh -c /usr/bin/bsd-port/systm
        20⤵
        
        PID:1828
        
        /usr/bin/bsd-port/systm
        
        /usr/bin/bsd-port/systm
        21⤵
        Executes dropped EXE
        Modifies init.d
        Reads system routing table
        Write file to user bin folder
        Checks CPU configuration
        Reads system network configuration
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1829
        
        /bin/sh
        
        sh -c "mkdir -p /usr/bin/bsd-port"
        22⤵
        
        PID:1849
        
        /usr/bin/mkdir
        
        mkdir -p /usr/bin/bsd-port
        23⤵
        Reads runtime system information
        
        PID:1850
        
        /bin/sh
        
        sh -c "cp -f /usr/bin/bsd-port/systm /usr/bin/bsd-port/systm"
        22⤵
        
        PID:1851
        
        /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/systm /usr/bin/bsd-port/systm
        23⤵
        
        PID:1852
        
        /bin/sh
        
        sh -c /usr/bin/bsd-port/systm
        22⤵
        
        PID:1854
        
        /usr/bin/bsd-port/systm
        
        /usr/bin/bsd-port/systm
        23⤵
        Executes dropped EXE
        Modifies init.d
        Reads system routing table
        Write file to user bin folder
        Checks CPU configuration
        Reads system network configuration
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1855
        
        /bin/sh
        
        sh -c "mkdir -p /usr/bin/bsd-port"
        24⤵
        
        PID:1875
        
        /usr/bin/mkdir
        
        mkdir -p /usr/bin/bsd-port
        25⤵
        
        PID:1876
        
        /bin/sh
        
        sh -c "cp -f /usr/bin/bsd-port/systm /usr/bin/bsd-port/systm"
        24⤵
        
        PID:1877
        
        /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/systm /usr/bin/bsd-port/systm
        25⤵
        Reads runtime system information
        
        PID:1878
        
        /bin/sh
        
        sh -c /usr/bin/bsd-port/systm
        24⤵
        
        PID:1880
        
        /usr/bin/bsd-port/systm
        
        /usr/bin/bsd-port/systm
        25⤵
        Executes dropped EXE
        Modifies init.d
        Reads system routing table
        Write file to user bin folder
        Checks CPU configuration
        Reads system network configuration
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1881
        
        /bin/sh
        
        sh -c "mkdir -p /usr/bin/bsd-port"
        26⤵
        
        PID:1901
        
        /usr/bin/mkdir
        
        mkdir -p /usr/bin/bsd-port
        27⤵
        Reads runtime system information
        
        PID:1902
        
        /bin/sh
        
        sh -c "cp -f /usr/bin/bsd-port/systm /usr/bin/bsd-port/systm"
        26⤵
        
        PID:1903
        
        /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/systm /usr/bin/bsd-port/systm
        27⤵
        
        PID:1904
        
        /bin/sh
        
        sh -c /usr/bin/bsd-port/systm
        26⤵
        
        PID:1906
        
        /usr/bin/bsd-port/systm
        
        /usr/bin/bsd-port/systm
        27⤵
        Executes dropped EXE
        Modifies init.d
        Reads system routing table
        Write file to user bin folder
        Checks CPU configuration
        Reads system network configuration
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1907
        
        /bin/sh
        
        sh -c "mkdir -p /usr/bin/bsd-port"
        28⤵
        
        PID:1930
        
        /usr/bin/mkdir
        
        mkdir -p /usr/bin/bsd-port
        29⤵
        Reads runtime system information
        
        PID:1931
        
        /bin/sh
        
        sh -c "cp -f /usr/bin/bsd-port/systm /usr/bin/bsd-port/systm"
        28⤵
        
        PID:1932
        
        /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/systm /usr/bin/bsd-port/systm
        29⤵
        Reads runtime system information
        
        PID:1933
        
        /bin/sh
        
        sh -c /usr/bin/bsd-port/systm
        28⤵
        
        PID:1935
        
        /usr/bin/bsd-port/systm
        
        /usr/bin/bsd-port/systm
        29⤵
        Executes dropped EXE
        Modifies init.d
        Reads system routing table
        Write file to user bin folder
        Checks CPU configuration
        Reads system network configuration
        Writes file to tmp directory
        
        PID:1936
        
        /bin/sh
        
        sh -c "mkdir -p /usr/bin/bsd-port"
        30⤵
        
        PID:1956
        
        /usr/bin/mkdir
        
        mkdir -p /usr/bin/bsd-port
        31⤵
        Reads runtime system information
        
        PID:1957
        
        /bin/sh
        
        sh -c "cp -f /usr/bin/bsd-port/systm /usr/bin/bsd-port/systm"
        30⤵
        
        PID:1958
        
        /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/systm /usr/bin/bsd-port/systm
        31⤵
        Reads runtime system information
        
        PID:1959
        
        /bin/sh
        
        sh -c /usr/bin/bsd-port/systm
        30⤵
        
        PID:1961
        
        /usr/bin/bsd-port/systm
        
        /usr/bin/bsd-port/systm
        31⤵
        Executes dropped EXE
        Modifies init.d
        Reads system routing table
        Write file to user bin folder
        Checks CPU configuration
        Reads system network configuration
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1962
        
        /bin/sh
        
        sh -c "mkdir -p /usr/bin/bsd-port"
        32⤵
        
        PID:1982
        
        /usr/bin/mkdir
        
        mkdir -p /usr/bin/bsd-port
        33⤵
        
        PID:1983
        
        /bin/sh
        
        sh -c "cp -f /usr/bin/bsd-port/systm /usr/bin/bsd-port/systm"
        32⤵
        
        PID:1984
        
        /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/systm /usr/bin/bsd-port/systm
        33⤵
        
        PID:1985
        
        /bin/sh
        
        sh -c /usr/bin/bsd-port/systm
        32⤵
        
        PID:1987
        
        /usr/bin/bsd-port/systm
        
        /usr/bin/bsd-port/systm
        33⤵
        Executes dropped EXE
        Modifies init.d
        Write file to user bin folder
        Writes file to tmp directory
        
        PID:1988
        
        /bin/sh
        
        sh -c "mkdir -p /usr/bin/bsd-port"
        34⤵
        
        PID:2008
        
        /usr/bin/mkdir
        
        mkdir -p /usr/bin/bsd-port
        35⤵
        
        PID:2009
        
        /bin/sh
        
        sh -c "cp -f /usr/bin/bsd-port/systm /usr/bin/bsd-port/systm"
        34⤵
        
        PID:2010
        
        /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/systm /usr/bin/bsd-port/systm
        35⤵
        
        PID:2011
        
        /bin/sh
        
        sh -c "mkdir -p /usr/bin"
        32⤵
        
        PID:1990
        
        /usr/bin/mkdir
        
        mkdir -p /usr/bin
        33⤵
        
        PID:1991
        
        /bin/sh
        
        sh -c "cp -f /usr/bin/bsd-port/systm /usr/bin/pythno"
        32⤵
        
        PID:1992
        
        /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/systm /usr/bin/pythno
        33⤵
        Write file to user bin folder
        Reads runtime system information
        
        PID:1993
        
        /bin/sh
        
        sh -c /usr/bin/pythno
        32⤵
        
        PID:1995
        
        /usr/bin/pythno
        
        /usr/bin/pythno
        33⤵
        Executes dropped EXE
        Writes file to tmp directory
        
        PID:1996
        
        /bin/sh
        
        sh -c "insmod /usr/lib/xpacket.ko"
        32⤵
        
        PID:1998
        
        /usr/sbin/insmod
        
        insmod /usr/lib/xpacket.ko
        33⤵
        
        PID:1999
        
        /bin/sh
        
        sh -c "mkdir -p /usr/bin"
        30⤵
        
        PID:1964
        
        /usr/bin/mkdir
        
        mkdir -p /usr/bin
        31⤵
        
        PID:1965
        
        /bin/sh
        
        sh -c "cp -f /usr/bin/bsd-port/systm /usr/bin/pythno"
        30⤵
        
        PID:1966
        
        /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/systm /usr/bin/pythno
        31⤵
        Write file to user bin folder
        Reads runtime system information
        
        PID:1967
        
        /bin/sh
        
        sh -c /usr/bin/pythno
        30⤵
        
        PID:1969
        
        /usr/bin/pythno
        
        /usr/bin/pythno
        31⤵
        Executes dropped EXE
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1970
        
        /bin/sh
        
        sh -c "insmod /usr/lib/xpacket.ko"
        30⤵
        
        PID:1972
        
        /usr/sbin/insmod
        
        insmod /usr/lib/xpacket.ko
        31⤵
        
        PID:1973
        
        /bin/sh
        
        sh -c "mkdir -p /usr/bin"
        28⤵
        
        PID:1938
        
        /usr/bin/mkdir
        
        mkdir -p /usr/bin
        29⤵
        
        PID:1939
        
        /bin/sh
        
        sh -c "cp -f /usr/bin/bsd-port/systm /usr/bin/pythno"
        28⤵
        
        PID:1940
        
        /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/systm /usr/bin/pythno
        29⤵
        Write file to user bin folder
        
        PID:1941
        
        /bin/sh
        
        sh -c /usr/bin/pythno
        28⤵
        
        PID:1943
        
        /usr/bin/pythno
        
        /usr/bin/pythno
        29⤵
        Executes dropped EXE
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1944
        
        /bin/sh
        
        sh -c "insmod /usr/lib/xpacket.ko"
        28⤵
        
        PID:1946
        
        /usr/sbin/insmod
        
        insmod /usr/lib/xpacket.ko
        29⤵
        Reads runtime system information
        
        PID:1947
        
        /bin/sh
        
        sh -c "mkdir -p /usr/bin"
        26⤵
        
        PID:1909
        
        /usr/bin/mkdir
        
        mkdir -p /usr/bin
        27⤵
        
        PID:1910
        
        /bin/sh
        
        sh -c "cp -f /usr/bin/bsd-port/systm /usr/bin/pythno"
        26⤵
        
        PID:1911
        
        /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/systm /usr/bin/pythno
        27⤵
        Write file to user bin folder
        Reads runtime system information
        
        PID:1912
        
        /bin/sh
        
        sh -c /usr/bin/pythno
        26⤵
        
        PID:1914
        
        /usr/bin/pythno
        
        /usr/bin/pythno
        27⤵
        Executes dropped EXE
        
        PID:1915
        
        /bin/sh
        
        sh -c "insmod /usr/lib/xpacket.ko"
        26⤵
        
        PID:1917
        
        /usr/sbin/insmod
        
        insmod /usr/lib/xpacket.ko
        27⤵
        Reads runtime system information
        
        PID:1918
        
        /bin/sh
        
        sh -c "mkdir -p /usr/bin"
        24⤵
        
        PID:1883
        
        /usr/bin/mkdir
        
        mkdir -p /usr/bin
        25⤵
        
        PID:1884
        
        /bin/sh
        
        sh -c "cp -f /usr/bin/bsd-port/systm /usr/bin/pythno"
        24⤵
        
        PID:1885
        
        /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/systm /usr/bin/pythno
        25⤵
        Write file to user bin folder
        Reads runtime system information
        
        PID:1886
        
        /bin/sh
        
        sh -c /usr/bin/pythno
        24⤵
        
        PID:1888
        
        /usr/bin/pythno
        
        /usr/bin/pythno
        25⤵
        Executes dropped EXE
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1889
        
        /bin/sh
        
        sh -c "insmod /usr/lib/xpacket.ko"
        24⤵
        
        PID:1891
        
        /usr/sbin/insmod
        
        insmod /usr/lib/xpacket.ko
        25⤵
        Reads runtime system information
        
        PID:1892
        
        /bin/sh
        
        sh -c "mkdir -p /usr/bin"
        22⤵
        
        PID:1857
        
        /usr/bin/mkdir
        
        mkdir -p /usr/bin
        23⤵
        Reads runtime system information
        
        PID:1858
        
        /bin/sh
        
        sh -c "cp -f /usr/bin/bsd-port/systm /usr/bin/pythno"
        22⤵
        
        PID:1859
        
        /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/systm /usr/bin/pythno
        23⤵
        Write file to user bin folder
        
        PID:1860
        
        /bin/sh
        
        sh -c /usr/bin/pythno
        22⤵
        
        PID:1862
        
        /usr/bin/pythno
        
        /usr/bin/pythno
        23⤵
        Executes dropped EXE
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1863
        
        /bin/sh
        
        sh -c "insmod /usr/lib/xpacket.ko"
        22⤵
        
        PID:1865
        
        /usr/sbin/insmod
        
        insmod /usr/lib/xpacket.ko
        23⤵
        Reads runtime system information
        
        PID:1866
        
        /bin/sh
        
        sh -c "mkdir -p /usr/bin"
        20⤵
        
        PID:1831
        
        /usr/bin/mkdir
        
        mkdir -p /usr/bin
        21⤵
        
        PID:1832
        
        /bin/sh
        
        sh -c "cp -f /usr/bin/bsd-port/systm /usr/bin/pythno"
        20⤵
        
        PID:1833
        
        /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/systm /usr/bin/pythno
        21⤵
        Write file to user bin folder
        Reads runtime system information
        
        PID:1834
        
        /bin/sh
        
        sh -c /usr/bin/pythno
        20⤵
        
        PID:1836
        
        /usr/bin/pythno
        
        /usr/bin/pythno
        21⤵
        Executes dropped EXE
        
        PID:1837
        
        /bin/sh
        
        sh -c "insmod /usr/lib/xpacket.ko"
        20⤵
        
        PID:1839
        
        /usr/sbin/insmod
        
        insmod /usr/lib/xpacket.ko
        21⤵
        
        PID:1840
        
        /bin/sh
        
        sh -c "mkdir -p /usr/bin"
        18⤵
        
        PID:1805
        
        /usr/bin/mkdir
        
        mkdir -p /usr/bin
        19⤵
        Reads runtime system information
        
        PID:1806
        
        /bin/sh
        
        sh -c "cp -f /usr/bin/bsd-port/systm /usr/bin/pythno"
        18⤵
        
        PID:1807
        
        /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/systm /usr/bin/pythno
        19⤵
        Write file to user bin folder
        
        PID:1808
        
        /bin/sh
        
        sh -c /usr/bin/pythno
        18⤵
        
        PID:1810
        
        /usr/bin/pythno
        
        /usr/bin/pythno
        19⤵
        Executes dropped EXE
        Writes file to tmp directory
        
        PID:1811
        
        /bin/sh
        
        sh -c "insmod /usr/lib/xpacket.ko"
        18⤵
        
        PID:1813
        
        /usr/sbin/insmod
        
        insmod /usr/lib/xpacket.ko
        19⤵
        
        PID:1814
        
        /bin/sh
        
        sh -c "mkdir -p /usr/bin"
        16⤵
        
        PID:1779
        
        /usr/bin/mkdir
        
        mkdir -p /usr/bin
        17⤵
        
        PID:1780
        
        /bin/sh
        
        sh -c "cp -f /usr/bin/bsd-port/systm /usr/bin/pythno"
        16⤵
        
        PID:1781
        
        /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/systm /usr/bin/pythno
        17⤵
        Write file to user bin folder
        
        PID:1782
        
        /bin/sh
        
        sh -c /usr/bin/pythno
        16⤵
        
        PID:1784
        
        /usr/bin/pythno
        
        /usr/bin/pythno
        17⤵
        Executes dropped EXE
        Writes file to tmp directory
        
        PID:1785
        
        /bin/sh
        
        sh -c "insmod /usr/lib/xpacket.ko"
        16⤵
        
        PID:1787
        
        /usr/sbin/insmod
        
        insmod /usr/lib/xpacket.ko
        17⤵
        
        PID:1788
        
        /bin/sh
        
        sh -c "mkdir -p /usr/bin"
        14⤵
        
        PID:1753
        
        /usr/bin/mkdir
        
        mkdir -p /usr/bin
        15⤵
        
        PID:1754
        
        /bin/sh
        
        sh -c "cp -f /usr/bin/bsd-port/systm /usr/bin/pythno"
        14⤵
        
        PID:1755
        
        /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/systm /usr/bin/pythno
        15⤵
        Write file to user bin folder
        Reads runtime system information
        
        PID:1756
        
        /bin/sh
        
        sh -c /usr/bin/pythno
        14⤵
        
        PID:1758
        
        /usr/bin/pythno
        
        /usr/bin/pythno
        15⤵
        Executes dropped EXE
        Writes file to tmp directory
        
        PID:1759
        
        /bin/sh
        
        sh -c "insmod /usr/lib/xpacket.ko"
        14⤵
        
        PID:1761
        
        /usr/sbin/insmod
        
        insmod /usr/lib/xpacket.ko
        15⤵
        
        PID:1762
        
        /bin/sh
        
        sh -c "mkdir -p /usr/bin"
        12⤵
        
        PID:1721
        
        /usr/bin/mkdir
        
        mkdir -p /usr/bin
        13⤵
        Reads runtime system information
        
        PID:1722
        
        /bin/sh
        
        sh -c "cp -f /usr/bin/bsd-port/systm /usr/bin/pythno"
        12⤵
        
        PID:1723
        
        /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/systm /usr/bin/pythno
        13⤵
        Write file to user bin folder
        Reads runtime system information
        
        PID:1724
        
        /bin/sh
        
        sh -c /usr/bin/pythno
        12⤵
        
        PID:1726
        
        /usr/bin/pythno
        
        /usr/bin/pythno
        13⤵
        Executes dropped EXE
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1727
        
        /bin/sh
        
        sh -c "insmod /usr/lib/xpacket.ko"
        12⤵
        
        PID:1729
        
        /usr/sbin/insmod
        
        insmod /usr/lib/xpacket.ko
        13⤵
        
        PID:1730
        
        /bin/sh
        
        sh -c "mkdir -p /usr/bin"
        10⤵
        
        PID:1695
        
        /usr/bin/mkdir
        
        mkdir -p /usr/bin
        11⤵
        Reads runtime system information
        
        PID:1696
        
        /bin/sh
        
        sh -c "cp -f /usr/bin/bsd-port/systm /usr/bin/pythno"
        10⤵
        
        PID:1697
        
        /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/systm /usr/bin/pythno
        11⤵
        Write file to user bin folder
        
        PID:1698
        
        /bin/sh
        
        sh -c /usr/bin/pythno
        10⤵
        
        PID:1700
        
        /usr/bin/pythno
        
        /usr/bin/pythno
        11⤵
        Executes dropped EXE
        
        PID:1701
        
        /bin/sh
        
        sh -c "insmod /usr/lib/xpacket.ko"
        10⤵
        
        PID:1703
        
        /usr/sbin/insmod
        
        insmod /usr/lib/xpacket.ko
        11⤵
        
        PID:1704
        
        /bin/sh
        
        sh -c "mkdir -p /usr/bin"
        8⤵
        
        PID:1669
        
        /usr/bin/mkdir
        
        mkdir -p /usr/bin
        9⤵
        Reads runtime system information
        
        PID:1670
        
        /bin/sh
        
        sh -c "cp -f /usr/bin/bsd-port/systm /usr/bin/pythno"
        8⤵
        
        PID:1671
        
        /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/systm /usr/bin/pythno
        9⤵
        Write file to user bin folder
        Reads runtime system information
        
        PID:1672
        
        /bin/sh
        
        sh -c /usr/bin/pythno
        8⤵
        
        PID:1674
        
        /usr/bin/pythno
        
        /usr/bin/pythno
        9⤵
        Executes dropped EXE
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1675
        
        /bin/sh
        
        sh -c "insmod /usr/lib/xpacket.ko"
        8⤵
        
        PID:1677
        
        /usr/sbin/insmod
        
        insmod /usr/lib/xpacket.ko
        9⤵
        Reads runtime system information
        
        PID:1678
      - /bin/sh
        
        sh -c "mkdir -p /usr/bin"
        6⤵
        
        PID:1641
        
        /usr/bin/mkdir
        
        mkdir -p /usr/bin
        7⤵
        
        PID:1642
      - /bin/sh
        
        sh -c "cp -f /usr/bin/bsd-port/systm /usr/bin/pythno"
        6⤵
        
        PID:1643
        
        /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/systm /usr/bin/pythno
        7⤵
        Write file to user bin folder
        Reads runtime system information
        
        PID:1644
      - /bin/sh
        
        sh -c /usr/bin/pythno
        6⤵
        
        PID:1646
        
        /usr/bin/pythno
        
        /usr/bin/pythno
        7⤵
        Executes dropped EXE
        Writes file to tmp directory
        
        PID:1647
      - /bin/sh
        
        sh -c "insmod /usr/lib/xpacket.ko"
        6⤵
        
        PID:1649
        
        /usr/sbin/insmod
        
        insmod /usr/lib/xpacket.ko
        7⤵
        
        PID:1650
  - - /bin/sh
      sh -c "mkdir -p /usr/bin"
      4⤵
      PID:1615
    - - /usr/bin/mkdir
        
        mkdir -p /usr/bin
        5⤵
        
        PID:1616
  - - /bin/sh
      sh -c "cp -f /usr/bin/bsd-port/systm /usr/bin/pythno"
      4⤵
      PID:1617
    - - /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/systm /usr/bin/pythno
        5⤵
        Write file to user bin folder
        Reads runtime system information
        
        PID:1618
  - - /bin/sh
      sh -c /usr/bin/pythno
      4⤵
      PID:1620
    - - /usr/bin/pythno
        
        /usr/bin/pythno
        5⤵
        Executes dropped EXE
        Writes file to tmp directory
        
        PID:1621
  - - /bin/sh
      sh -c "insmod /usr/lib/xpacket.ko"
      4⤵
      PID:1623
    - - /usr/sbin/insmod
        
        insmod /usr/lib/xpacket.ko
        5⤵
        Reads runtime system information
        
        PID:1624
- /bin/sh
  sh -c "mkdir -p /usr/bin"
  2⤵
  PID:1589
- - /usr/bin/mkdir
    mkdir -p /usr/bin
    3⤵
    PID:1590
- /bin/sh
  sh -c "cp -f /tmp/cf0c9c132a13a3097012530bb312afee_JaffaCakes118 /usr/bin/pythno"
  2⤵
  PID:1591
- - /usr/bin/cp
    cp -f /tmp/cf0c9c132a13a3097012530bb312afee_JaffaCakes118 /usr/bin/pythno
    3⤵
    - Write file to user bin folder
    PID:1592
- /bin/sh
  sh -c /usr/bin/pythno
  2⤵
  PID:1594
- - /usr/bin/pythno
    /usr/bin/pythno
    3⤵
    - Executes dropped EXE
    - Writes file to tmp directory
    PID:1595
- /bin/sh
  sh -c "insmod /usr/lib/xpacket.ko"
  2⤵
  PID:1597
- - /usr/sbin/insmod
    insmod /usr/lib/xpacket.ko
    3⤵
    PID:1598

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Defense Evasion

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/init.d/VsystemsshMdt

Filesize
36B

MD5
d3d8e718a08f3e10ab2ed52c3cedea01

SHA1
6090372e5a89f39111825d9692988a3544473991

SHA256
ff09c451d0f3c5f27282fc550e63c5bda9a1701cf54a610df3cbabc0584c42ba

SHA512
13a4a807483b3f4f5319166062ff2cb39e20ea11732fb881fe71cbe3df165070b162b85edb8834860e19afdca5ea939b17c2ee175b8ad91bf86e2d0f18851d5c

Download Submit
/etc/init.d/VsystemsshMdt

Filesize
64B

MD5
b8529bfabe29dbf05859885133d39fd7

SHA1
3104b0c2b52c20dc027f88638bbfc2094b624623

SHA256
9e72426a5cb3d15539b5a9b2b29f74f98931db6f94b3d6f3820805a8e1758591

SHA512
3fd93a02120423652e434f6c77bfec69899b4f1dedfdfca34108dfdfae1bd7a601f2d38b26689b7568e0e9f1555a568542b8e7806e92dd0ec317618bc68662d2

Download Submit
/tmp/conf.n

Filesize
69B

MD5
227856889c50184308123071d54e9a8c

SHA1
ef1f44f44c1b9cda768cedbf085d984fac1094c0

SHA256
842f3c609faab1be3d68bf9e9e6fd594be0057450988cc00274c0d8ed5b14345

SHA512
edc405aa41c9bb428455d737bf4e57b3a735a80aafd935b7cdbae0da2f3dc5126e3eb8396b2fe22e1f1680550e9c23830a7214c9ab98e2dde5b9c268d18c9243

Download Submit
/tmp/idus.log

Filesize
4B

MD5
c7af0926b294e47e52e46cfebe173f20

SHA1
948b13c7ba369f02fc29d936c124689877023958

SHA256
6d7be37d6aa3665ddca5b4c3ab26e689e4efc1c33bea69ccbaeec6ed49569558

SHA512
84ff72624f10220c6960fc1d0fe9bbdd329bdc5b8eeef36d8b31d9f3b78f050f11d21b67839576982d1aa87312a1c19e075d284f7b13d28d87631735d73310e6

Download Submit
/tmp/idus.log

Filesize
4B

MD5
7437d136770f5b35194cb46c1653efaa

SHA1
fcc78b5fcb5a7d9ea7f3b136af0efd88bc24500b

SHA256
a16c0ab260e30b22cd06fadf9a6a30c454ddc845925cc831796b2988874d6a5a

SHA512
1e66aa2b6d9287080dde2826252b5df22e7cf9cdf726f92226cf5982f1f362712e7c77f5629398f4a11e61524836044fa0aa4135e5a73834b3eab8d3b5d6c909

Download Submit
/tmp/idus.log

Filesize
4B

MD5
831c2f88a604a07ca94314b56a4921b8

SHA1
e4fb11694cd7bab54173d1d9664eb70b6b6b8a14

SHA256
df6822cd01387e05c8ea01eae408dacae839ebf27c2ce1ffa3b6a0b7f3f0ffa1

SHA512
10a3f9ea81f15a045197d0afa900930081489c363acb934d7aa3125c1f32540dea17e0d47612a70fcf3707c35573372033214ffdb9314e5c636a2d0f45920a9d

Download Submit
/tmp/idus.log

Filesize
4B

MD5
06964dce9addb1c5cb5d6e3d9838f733

SHA1
2cfe534aa66900e81f6f20b02826b6132d2df8de

SHA256
0985b889a1fe4f4e1fb925061ac6fb2247f10875f5fcbe63eec2ab55ed68970e

SHA512
106d8c285b8d4ce4f095ef7cb89c0a4b1c5c2797187c54c3407db19fc505a59f89250d5546c62f9de9e82cf69f0c524e57325f424a5c2a975c4e75c1dc175171

Download Submit
/tmp/idus.log

Filesize
4B

MD5
309fee4e541e51de2e41f21bebb342aa

SHA1
ee8abc188469df780d869b862fde433a2327678e

SHA256
a19fbf8bf0530ca46179b803a8234f56276f21c0e7dc2f84c682924b95de5801

SHA512
3fb050c47892b04da1c6021ebb875e271716d181db95965a26350151429613e986e7c7e26060ecd2cb508f5492ba655a52ccba8b2f95a0c88237553165fe8971

Download Submit
/tmp/notify.file

Filesize
23B

MD5
6ac315e05e2c546cbfc7377183868dbb

SHA1
c813c277a22442e2e4eda52d458d357cb2165bdc

SHA256
8ae13b41755e857e5dee9e7089151678a8f47c57a6dfa11de267ec551bd4fc7a

SHA512
cdd7c48f082f0c59698aa1da7bc41749468d17e1b1de51922adc2966b12d3424035543d9479919ab96694c36d78081181e4777e924d7901a3c1e49db6095eefa

Download Submit
/tmp/notify.file

Filesize
51B

MD5
b2fc2dcf4e3d411aed21e9ae7bfe3b2f

SHA1
8dc442e445abcbb987636119261e85645d1713dc

SHA256
5eea9f1b8dc7fade154a5432266090455bca402d9ca2efa929be4060f640e589

SHA512
fc438e1fafa3c0ce5b807319a2b61047ebe47d180ca688ee7c68f1ac84197c642621b9aedc39f22b36aabaa55082a45d1eb07974ce5d86f4a138ffc1a0df1d4f

Download Submit
/tmp/vga.conf

Filesize
4B

MD5
894b77f805bd94d292574c38c5d628d5

SHA1
1784f0e37c1fdd6200c1e8b28e8caae5402e74e0

SHA256
d24eac45e69be063cc0053eb02650954eec62c314c405e564a4d11e951392e75

SHA512
605b8ee18c6bd7c9d489faa803dc4c00fed6e7a4b21a9a69ba7b429642a06d7fe42e5fd45162f72fff76f1ec518c5840399c97d4ab0f7633651d35e2b19f2e05

Download Submit
/tmp/vga.conf

Filesize
4B

MD5
e9fd7c2c6623306db59b6aef5c0d5cac

SHA1
23bfd8a26fdeaa0ccf8a0b3f8705506064a99ba0

SHA256
583b08e38c98f4350a8906d25344ac80b099921a8a8929e64b2dc2b553521343

SHA512
0d19563eb4d989fdbdbe9250ef2c8856bcca196bcbff66c21a564f5da3f6270cb3040997d04abbf7e4a2ded7bae5160119471ab541604c0e7696422dd9d80d32

Download Submit
/tmp/vga.conf

Filesize
4B

MD5
be53ee61104935234b174e62a07e53cf

SHA1
150afba2f606bf3e450d7dbfba16c6673580cb77

SHA256
a9ffbdf317b2dabf198f59653da551149ad51173b2014ae1df5d183c2ddfcf26

SHA512
be6aab77ff13b95b184c78f1e5fd75e661c1d5817b96d9c914f32e016ce9de260423934e48ec592bc8a0caf5f39e79fb584be0f779fe51c4b991afde8b623428

Download Submit
/tmp/vga.conf

Filesize
4B

MD5
84f0f20482cde7e5eacaf7364a643d33

SHA1
89d89e5773c4210782aa5783b7dfba5e0af85ccc

SHA256
cdbe4e7e26e3a55307dac9da65edc0d33fa6b54f79a83373cb997770856c23bd

SHA512
0cbd9735e463305a3833f113c0d5669a601cbec557f42fca9d5179908ceb3f233876bd9519dbea4adbc9fd75f537bd2cabda86b1776e196d9bf1d92f54ffaaed

Download Submit
/tmp/vga.conf

Filesize
4B

MD5
4a3e00961a08879c34f91ca0070ea2f5

SHA1
3d7b4f23b8f853910e4c64f09cdf897a59db524a

SHA256
9113b98df80f877c7a2ee5d865a04c9514b4e9bf25a49d315b0b15f115d2f0d2

SHA512
d1f2ce8c63117858895e34c65a83ae4e16e21026cb12e15abeeeacbd3b140a80509d23937aea6577e4605ec770cf48dfbe7b923a972c7fd4cb98ffb128019e95

Download Submit
/usr/bin/bsd-port/systm

Filesize
1.1MB

MD5
cf0c9c132a13a3097012530bb312afee

SHA1
bf196eaa6b0c90a3ef45b81ada29eded7e6031d9

SHA256
3c1daabc22d5f5c1639c4b43ab9c8cb3f81b720931d71045ab702d54adc6555f

SHA512
f4d28ca9d0ec69de01e1a65596e485a39d5bf38d7ad4689a8c829890d263cafde25c73a683750b6296ae5a07228ba8104ab9b5d31f4bd4b1aafbe8f8d45d3bbf

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads