d6f0098f74a0481d5885f9a61f03ecbf302ae0fc18ca286b894591eb45adaac3

Analysis

max time kernel
0s
max time network
128s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240729-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240729-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
23/10/2024, 21:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

.kde/start
Size

5KB
MD5

bc7c80bf1fa56259a6c8969c563518ab
SHA1

130c897ecbc3955ad9a998e1f146dbfb1f21713f
SHA256

62270b2e715152a37dd72455d3bdf374c214c8a7cfc8f391cfafa2d65d1646a5
SHA512

4fc6724575496160e1a4948f137a7133ffe6fea7761155faebaff8ecb7056fe3dc310fa9e6807881569e144fa530347ea7c4851864b6949ba5b8697313efdb4b
SSDEEP

96:uyuYPRHzp8zW9wnqd+9I6bIVrKhI/uVcTa6bEkIev45Cj5MDmNA36anw9Wz8pyft:w9zbWm

Score

6^/10

defense_evasion discovery

Malware Config

Signatures

Enumerates running processes
Discovers information about currently running processes on the system

Virtualization/Sandbox Evasion: Time Based Evasion 1 TTPs 1 IoCs

Adversaries may detect and evade virtualized environments and sandboxes.

defense_evasion

Time Based Evasion

T1497.003

pid	Process
1553	uptime

Reads CPU attributes 1 TTPs 1 IoCs

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	uptime

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/1019/stat	killall
File opened for reading	/proc/31/stat	killall
File opened for reading	/proc/10/stat	killall
File opened for reading	/proc/170/stat	killall
File opened for reading	/proc/36/stat	killall
File opened for reading	/proc/1176/stat	killall
File opened for reading	/proc/filesystems	mv
File opened for reading	/proc/1331/stat	killall
File opened for reading	/proc/23/stat	killall
File opened for reading	/proc/522/stat	killall
File opened for reading	/proc/16/stat	killall
File opened for reading	/proc/523/stat	killall
File opened for reading	/proc/552/stat	killall
File opened for reading	/proc/613/stat	killall
File opened for reading	/proc/1156/stat	killall
File opened for reading	/proc/1285/cmdline	killall
File opened for reading	/proc/1076/cmdline	killall
File opened for reading	/proc/1099/stat	killall
File opened for reading	/proc/1316/stat	killall
File opened for reading	/proc/36/cmdline	killall
File opened for reading	/proc/83/stat	killall
File opened for reading	/proc/650/stat	killall
File opened for reading	/proc/674/cmdline	killall
File opened for reading	/proc/1143/stat	killall
File opened for reading	/proc/1189/stat	killall
File opened for reading	/proc/1299/cmdline	killall
File opened for reading	/proc/115/stat	killall
File opened for reading	/proc/725/stat	killall
File opened for reading	/proc/1090/stat	killall
File opened for reading	/proc/filesystems	killall
File opened for reading	/proc/1314/stat	killall
File opened for reading	/proc/167/stat	killall
File opened for reading	/proc/248/stat	killall
File opened for reading	/proc/1154/cmdline	killall
File opened for reading	/proc/162/stat	killall
File opened for reading	/proc/1550/stat	killall
File opened for reading	/proc/1546/stat	killall
File opened for reading	/proc/1090/cmdline	killall
File opened for reading	/proc/1148/stat	killall
File opened for reading	/proc/34/stat	killall
File opened for reading	/proc/89/stat	killall
File opened for reading	/proc/428/stat	killall
File opened for reading	/proc/443/stat	killall
File opened for reading	/proc/457/stat	killall
File opened for reading	/proc/955/cmdline	killall
File opened for reading	/proc/1331/cmdline	killall
File opened for reading	/proc/5/stat	killall
File opened for reading	/proc/1548/stat	killall
File opened for reading	/proc/705/stat	killall
File opened for reading	/proc/82/stat	killall
File opened for reading	/proc/137/stat	killall
File opened for reading	/proc/1189/cmdline	killall
File opened for reading	/proc/1244/stat	killall
File opened for reading	/proc/1350/stat	killall
File opened for reading	/proc/sys/kernel/ngroups_max	id
File opened for reading	/proc/18/stat	killall
File opened for reading	/proc/15/cmdline	killall
File opened for reading	/proc/25/stat	killall
File opened for reading	/proc/1147/stat	killall
File opened for reading	/proc/160/stat	killall
File opened for reading	/proc/1170/stat	killall
File opened for reading	/proc/203/stat	killall
File opened for reading	/proc/317/cmdline	killall
File opened for reading	/proc/485/cmdline	killall

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/.kde/info2	start

/tmp/.kde/start
/tmp/.kde/start
1⤵
- Writes file to tmp directory
PID:1550
- /tmp/.kde/a1
  ./a1
  2⤵
  PID:1551
- /sbin/ifconfig
  /sbin/ifconfig -a
  2⤵
  PID:1552
- /usr/bin/uptime
  uptime
  2⤵
  - Virtualization/Sandbox Evasion: Time Based Evasion
  - Reads CPU attributes
  PID:1553
- /bin/uname
  uname -a
  2⤵
  PID:1554
- /bin/cat
  cat /etc/issue
  2⤵
  PID:1555
- /bin/cat
  cat /etc/passwd
  2⤵
  PID:1556
- /usr/bin/id
  id
  2⤵
  - Reads runtime system information
  PID:1557
- /bin/df
  df -h
  2⤵
  PID:1558
- /bin/cat
  cat info2
  2⤵
  PID:1559
- /bin/rm
  rm -rf info2
  2⤵
  PID:1561
- /bin/mv
  mv a1 .a1
  2⤵
  - Reads runtime system information
  PID:1562
- /usr/bin/clear
  clear
  2⤵
  PID:1563
- /bin/cat
  cat vuln.txt
  2⤵
  PID:1564
- /tmp/.kde/a
  ./a .0
  2⤵
  PID:1566
- /tmp/.kde/a
  ./a .1
  2⤵
  PID:1567
- /tmp/.kde/a
  ./a .2
  2⤵
  PID:1568
- /tmp/.kde/a
  ./a .3
  2⤵
  PID:1569
- /tmp/.kde/a
  ./a .4
  2⤵
  PID:1570
- /tmp/.kde/a
  ./a .5
  2⤵
  PID:1571
- /tmp/.kde/a
  ./a .6
  2⤵
  PID:1572
- /tmp/.kde/a
  ./a .7
  2⤵
  PID:1573
- /tmp/.kde/a
  ./a .8
  2⤵
  PID:1574
- /tmp/.kde/a
  ./a .9
  2⤵
  PID:1575
- /tmp/.kde/a
  ./a .10
  2⤵
  PID:1576
- /bin/cat
  cat vuln.txt
  2⤵
  PID:1577
- /tmp/.kde/a
  ./a .11
  2⤵
  PID:1579
- /tmp/.kde/a
  ./a .12
  2⤵
  PID:1580
- /tmp/.kde/a
  ./a .13
  2⤵
  PID:1581
- /tmp/.kde/a
  ./a .14
  2⤵
  PID:1582
- /tmp/.kde/a
  ./a .15
  2⤵
  PID:1583
- /tmp/.kde/a
  ./a .16
  2⤵
  PID:1584
- /tmp/.kde/a
  ./a .17
  2⤵
  PID:1585
- /tmp/.kde/a
  ./a .18
  2⤵
  PID:1586
- /tmp/.kde/a
  ./a .19
  2⤵
  PID:1587
- /tmp/.kde/a
  ./a .20
  2⤵
  PID:1588
- /bin/cat
  cat vuln.txt
  2⤵
  PID:1589
- /tmp/.kde/a
  ./a .21
  2⤵
  PID:1591
- /tmp/.kde/a
  ./a .22
  2⤵
  PID:1592
- /tmp/.kde/a
  ./a .23
  2⤵
  PID:1593
- /tmp/.kde/a
  ./a .24
  2⤵
  PID:1594
- /tmp/.kde/a
  ./a .25
  2⤵
  PID:1595
- /tmp/.kde/a
  ./a .26
  2⤵
  PID:1596
- /tmp/.kde/a
  ./a .27
  2⤵
  PID:1597
- /tmp/.kde/a
  ./a .28
  2⤵
  PID:1598
- /tmp/.kde/a
  ./a .29
  2⤵
  PID:1599
- /tmp/.kde/a
  ./a .30
  2⤵
  PID:1600
- /bin/cat
  cat vuln.txt
  2⤵
  PID:1601
- /tmp/.kde/a
  ./a .31
  2⤵
  PID:1603
- /tmp/.kde/a
  ./a .32
  2⤵
  PID:1604
- /tmp/.kde/a
  ./a .33
  2⤵
  PID:1605
- /tmp/.kde/a
  ./a .34
  2⤵
  PID:1606
- /tmp/.kde/a
  ./a .35
  2⤵
  PID:1607
- /tmp/.kde/a
  ./a .36
  2⤵
  PID:1608
- /tmp/.kde/a
  ./a .37
  2⤵
  PID:1609
- /tmp/.kde/a
  ./a .38
  2⤵
  PID:1610
- /tmp/.kde/a
  ./a .39
  2⤵
  PID:1611
- /tmp/.kde/a
  ./a .40
  2⤵
  PID:1612
- /bin/cat
  cat vuln.txt
  2⤵
  PID:1613
- /tmp/.kde/a
  ./a .41
  2⤵
  PID:1615
- /tmp/.kde/a
  ./a .42
  2⤵
  PID:1616
- /tmp/.kde/a
  ./a .43
  2⤵
  PID:1617
- /tmp/.kde/a
  ./a .44
  2⤵
  PID:1618
- /tmp/.kde/a
  ./a .45
  2⤵
  PID:1619
- /tmp/.kde/a
  ./a .46
  2⤵
  PID:1620
- /tmp/.kde/a
  ./a .47
  2⤵
  PID:1621
- /tmp/.kde/a
  ./a .48
  2⤵
  PID:1622
- /tmp/.kde/a
  ./a .49
  2⤵
  PID:1623
- /tmp/.kde/a
  ./a .50
  2⤵
  PID:1624
- /bin/cat
  cat vuln.txt
  2⤵
  PID:1625
- /tmp/.kde/a
  ./a .51
  2⤵
  PID:1627
- /tmp/.kde/a
  ./a .52
  2⤵
  PID:1628
- /tmp/.kde/a
  ./a .53
  2⤵
  PID:1629
- /tmp/.kde/a
  ./a .54
  2⤵
  PID:1630
- /tmp/.kde/a
  ./a .55
  2⤵
  PID:1631
- /tmp/.kde/a
  ./a .56
  2⤵
  PID:1632
- /tmp/.kde/a
  ./a .57
  2⤵
  PID:1633
- /tmp/.kde/a
  ./a .58
  2⤵
  PID:1634
- /tmp/.kde/a
  ./a .59
  2⤵
  PID:1635
- /tmp/.kde/a
  ./a .60
  2⤵
  PID:1636
- /bin/cat
  cat vuln.txt
  2⤵
  PID:1637
- /tmp/.kde/a
  ./a .61
  2⤵
  PID:1639
- /tmp/.kde/a
  ./a .62
  2⤵
  PID:1640
- /tmp/.kde/a
  ./a .63
  2⤵
  PID:1641
- /tmp/.kde/a
  ./a .64
  2⤵
  PID:1642
- /tmp/.kde/a
  ./a .65
  2⤵
  PID:1643
- /tmp/.kde/a
  ./a .66
  2⤵
  PID:1644
- /tmp/.kde/a
  ./a .67
  2⤵
  PID:1645
- /tmp/.kde/a
  ./a .68
  2⤵
  PID:1646
- /tmp/.kde/a
  ./a .69
  2⤵
  PID:1647
- /tmp/.kde/a
  ./a .70
  2⤵
  PID:1648
- /bin/cat
  cat vuln.txt
  2⤵
  PID:1649
- /tmp/.kde/a
  ./a .71
  2⤵
  PID:1651
- /tmp/.kde/a
  ./a .72
  2⤵
  PID:1652
- /tmp/.kde/a
  ./a .73
  2⤵
  PID:1653
- /tmp/.kde/a
  ./a .74
  2⤵
  PID:1654
- /tmp/.kde/a
  ./a .75
  2⤵
  PID:1655
- /tmp/.kde/a
  ./a .76
  2⤵
  PID:1656
- /tmp/.kde/a
  ./a .77
  2⤵
  PID:1657
- /tmp/.kde/a
  ./a .78
  2⤵
  PID:1658
- /tmp/.kde/a
  ./a .79
  2⤵
  PID:1659
- /tmp/.kde/a
  ./a .80
  2⤵
  PID:1660
- /bin/cat
  cat vuln.txt
  2⤵
  PID:1661
- /tmp/.kde/a
  ./a .81
  2⤵
  PID:1663
- /tmp/.kde/a
  ./a .82
  2⤵
  PID:1664
- /tmp/.kde/a
  ./a .83
  2⤵
  PID:1665
- /tmp/.kde/a
  ./a .84
  2⤵
  PID:1666
- /tmp/.kde/a
  ./a .85
  2⤵
  PID:1667
- /tmp/.kde/a
  ./a .86
  2⤵
  PID:1668
- /tmp/.kde/a
  ./a .87
  2⤵
  PID:1669
- /tmp/.kde/a
  ./a .88
  2⤵
  PID:1670
- /tmp/.kde/a
  ./a .89
  2⤵
  PID:1671
- /tmp/.kde/a
  ./a .90
  2⤵
  PID:1672
- /bin/cat
  cat vuln.txt
  2⤵
  PID:1673
- /tmp/.kde/a
  ./a .91
  2⤵
  PID:1675
- /tmp/.kde/a
  ./a .92
  2⤵
  PID:1676
- /tmp/.kde/a
  ./a .93
  2⤵
  PID:1677
- /tmp/.kde/a
  ./a .94
  2⤵
  PID:1678
- /tmp/.kde/a
  ./a .95
  2⤵
  PID:1679
- /tmp/.kde/a
  ./a .96
  2⤵
  PID:1680
- /tmp/.kde/a
  ./a .97
  2⤵
  PID:1681
- /tmp/.kde/a
  ./a .98
  2⤵
  PID:1682
- /tmp/.kde/a
  ./a .99
  2⤵
  PID:1683
- /tmp/.kde/a
  ./a .100
  2⤵
  PID:1684
- /bin/cat
  cat vuln.txt
  2⤵
  PID:1685
- /tmp/.kde/a
  ./a .101
  2⤵
  PID:1687
- /tmp/.kde/a
  ./a .102
  2⤵
  PID:1688
- /tmp/.kde/a
  ./a .103
  2⤵
  PID:1689
- /tmp/.kde/a
  ./a .104
  2⤵
  PID:1690
- /tmp/.kde/a
  ./a .105
  2⤵
  PID:1691
- /tmp/.kde/a
  ./a .106
  2⤵
  PID:1692
- /tmp/.kde/a
  ./a .107
  2⤵
  PID:1693
- /tmp/.kde/a
  ./a .108
  2⤵
  PID:1694
- /tmp/.kde/a
  ./a .109
  2⤵
  PID:1695
- /tmp/.kde/a
  ./a .110
  2⤵
  PID:1696
- /bin/cat
  cat vuln.txt
  2⤵
  PID:1697
- /tmp/.kde/a
  ./a .111
  2⤵
  PID:1699
- /tmp/.kde/a
  ./a .112
  2⤵
  PID:1700
- /tmp/.kde/a
  ./a .113
  2⤵
  PID:1701
- /tmp/.kde/a
  ./a .114
  2⤵
  PID:1702
- /tmp/.kde/a
  ./a .115
  2⤵
  PID:1703
- /tmp/.kde/a
  ./a .116
  2⤵
  PID:1704
- /tmp/.kde/a
  ./a .117
  2⤵
  PID:1705
- /tmp/.kde/a
  ./a .118
  2⤵
  PID:1706
- /tmp/.kde/a
  ./a .119
  2⤵
  PID:1707
- /tmp/.kde/a
  ./a .120
  2⤵
  PID:1708
- /bin/cat
  cat vuln.txt
  2⤵
  PID:1709
- /tmp/.kde/a
  ./a .121
  2⤵
  PID:1711
- /tmp/.kde/a
  ./a .122
  2⤵
  PID:1712
- /tmp/.kde/a
  ./a .123
  2⤵
  PID:1713
- /tmp/.kde/a
  ./a .124
  2⤵
  PID:1714
- /tmp/.kde/a
  ./a .125
  2⤵
  PID:1715
- /tmp/.kde/a
  ./a .126
  2⤵
  PID:1716
- /tmp/.kde/a
  ./a .127
  2⤵
  PID:1717
- /tmp/.kde/a
  ./a .128
  2⤵
  PID:1718
- /tmp/.kde/a
  ./a .129
  2⤵
  PID:1719
- /tmp/.kde/a
  ./a .13
  2⤵
  PID:1720
- /bin/cat
  cat vuln.txt
  2⤵
  PID:1721
- /tmp/.kde/a
  ./a .131
  2⤵
  PID:1723
- /tmp/.kde/a
  ./a .132
  2⤵
  PID:1724
- /tmp/.kde/a
  ./a .133
  2⤵
  PID:1725
- /tmp/.kde/a
  ./a .134
  2⤵
  PID:1726
- /tmp/.kde/a
  ./a .135
  2⤵
  PID:1727
- /tmp/.kde/a
  ./a .136
  2⤵
  PID:1728
- /tmp/.kde/a
  ./a .137
  2⤵
  PID:1729
- /tmp/.kde/a
  ./a .138
  2⤵
  PID:1730
- /tmp/.kde/a
  ./a .139
  2⤵
  PID:1731
- /tmp/.kde/a
  ./a .140
  2⤵
  PID:1732
- /bin/cat
  cat vuln.txt
  2⤵
  PID:1733
- /tmp/.kde/a
  ./a .141
  2⤵
  PID:1735
- /tmp/.kde/a
  ./a .142
  2⤵
  PID:1736
- /tmp/.kde/a
  ./a .143
  2⤵
  PID:1737
- /tmp/.kde/a
  ./a .144
  2⤵
  PID:1738
- /tmp/.kde/a
  ./a .145
  2⤵
  PID:1739
- /tmp/.kde/a
  ./a .146
  2⤵
  PID:1740
- /tmp/.kde/a
  ./a .147
  2⤵
  PID:1741
- /tmp/.kde/a
  ./a .148
  2⤵
  PID:1742
- /tmp/.kde/a
  ./a .149
  2⤵
  PID:1743
- /tmp/.kde/a
  ./a .150
  2⤵
  PID:1744
- /bin/cat
  cat vuln.txt
  2⤵
  PID:1745
- /tmp/.kde/a
  ./a .151
  2⤵
  PID:1747
- /tmp/.kde/a
  ./a .152
  2⤵
  PID:1748
- /tmp/.kde/a
  ./a .153
  2⤵
  PID:1749
- /tmp/.kde/a
  ./a .154
  2⤵
  PID:1750
- /tmp/.kde/a
  ./a .155
  2⤵
  PID:1751
- /tmp/.kde/a
  ./a .156
  2⤵
  PID:1752
- /tmp/.kde/a
  ./a .157
  2⤵
  PID:1753
- /tmp/.kde/a
  ./a .158
  2⤵
  PID:1754
- /tmp/.kde/a
  ./a .159
  2⤵
  PID:1755
- /tmp/.kde/a
  ./a .160
  2⤵
  PID:1756
- /bin/cat
  cat vuln.txt
  2⤵
  PID:1757
- /tmp/.kde/a
  ./a .161
  2⤵
  PID:1759
- /tmp/.kde/a
  ./a .162
  2⤵
  PID:1760
- /tmp/.kde/a
  ./a .163
  2⤵
  PID:1761
- /tmp/.kde/a
  ./a .164
  2⤵
  PID:1762
- /tmp/.kde/a
  ./a .165
  2⤵
  PID:1763
- /tmp/.kde/a
  ./a .166
  2⤵
  PID:1764
- /tmp/.kde/a
  ./a .167
  2⤵
  PID:1765
- /tmp/.kde/a
  ./a .168
  2⤵
  PID:1766
- /tmp/.kde/a
  ./a .169
  2⤵
  PID:1767
- /tmp/.kde/a
  ./a .170
  2⤵
  PID:1768
- /bin/cat
  cat vuln.txt
  2⤵
  PID:1769
- /tmp/.kde/a
  ./a .171
  2⤵
  PID:1771
- /tmp/.kde/a
  ./a .172
  2⤵
  PID:1772
- /tmp/.kde/a
  ./a .173
  2⤵
  PID:1773
- /tmp/.kde/a
  ./a .174
  2⤵
  PID:1774
- /tmp/.kde/a
  ./a .175
  2⤵
  PID:1775
- /tmp/.kde/a
  ./a .176
  2⤵
  PID:1776
- /tmp/.kde/a
  ./a .177
  2⤵
  PID:1777
- /tmp/.kde/a
  ./a .178
  2⤵
  PID:1778
- /tmp/.kde/a
  ./a .179
  2⤵
  PID:1779
- /tmp/.kde/a
  ./a .180
  2⤵
  PID:1780
- /bin/cat
  cat vuln.txt
  2⤵
  PID:1781
- /tmp/.kde/a
  ./a .181
  2⤵
  PID:1783
- /tmp/.kde/a
  ./a .182
  2⤵
  PID:1784
- /tmp/.kde/a
  ./a .183
  2⤵
  PID:1785
- /tmp/.kde/a
  ./a .184
  2⤵
  PID:1786
- /tmp/.kde/a
  ./a .185
  2⤵
  PID:1787
- /tmp/.kde/a
  ./a .186
  2⤵
  PID:1788
- /tmp/.kde/a
  ./a .187
  2⤵
  PID:1789
- /tmp/.kde/a
  ./a .188
  2⤵
  PID:1790
- /tmp/.kde/a
  ./a .189
  2⤵
  PID:1791
- /tmp/.kde/a
  ./a .190
  2⤵
  PID:1792
- /bin/cat
  cat vuln.txt
  2⤵
  PID:1793
- /tmp/.kde/a
  ./a .191
  2⤵
  PID:1795
- /tmp/.kde/a
  ./a .192
  2⤵
  PID:1796
- /tmp/.kde/a
  ./a .193
  2⤵
  PID:1797
- /tmp/.kde/a
  ./a .194
  2⤵
  PID:1798
- /tmp/.kde/a
  ./a .195
  2⤵
  PID:1799
- /tmp/.kde/a
  ./a .196
  2⤵
  PID:1800
- /tmp/.kde/a
  ./a .197
  2⤵
  PID:1801
- /tmp/.kde/a
  ./a .198
  2⤵
  PID:1802
- /tmp/.kde/a
  ./a .199
  2⤵
  PID:1803
- /tmp/.kde/a
  ./a .200
  2⤵
  PID:1804
- /bin/cat
  cat vuln.txt
  2⤵
  PID:1805
- /tmp/.kde/a
  ./a .201
  2⤵
  PID:1807
- /tmp/.kde/a
  ./a .202
  2⤵
  PID:1808
- /tmp/.kde/a
  ./a .203
  2⤵
  PID:1809
- /tmp/.kde/a
  ./a .204
  2⤵
  PID:1810
- /tmp/.kde/a
  ./a .205
  2⤵
  PID:1811
- /tmp/.kde/a
  ./a .206
  2⤵
  PID:1812
- /tmp/.kde/a
  ./a .207
  2⤵
  PID:1813
- /tmp/.kde/a
  ./a .208
  2⤵
  PID:1814
- /tmp/.kde/a
  ./a .209
  2⤵
  PID:1815
- /tmp/.kde/a
  ./a .210
  2⤵
  PID:1816
- /bin/cat
  cat vuln.txt
  2⤵
  PID:1817
- /tmp/.kde/a
  ./a .211
  2⤵
  PID:1819
- /tmp/.kde/a
  ./a .212
  2⤵
  PID:1820
- /tmp/.kde/a
  ./a .213
  2⤵
  PID:1821
- /tmp/.kde/a
  ./a .214
  2⤵
  PID:1822
- /tmp/.kde/a
  ./a .215
  2⤵
  PID:1823
- /tmp/.kde/a
  ./a .216
  2⤵
  PID:1824
- /tmp/.kde/a
  ./a .217
  2⤵
  PID:1825
- /tmp/.kde/a
  ./a .218
  2⤵
  PID:1826
- /tmp/.kde/a
  ./a .219
  2⤵
  PID:1827
- /tmp/.kde/a
  ./a .220
  2⤵
  PID:1828
- /bin/cat
  cat vuln.txt
  2⤵
  PID:1829
- /tmp/.kde/a
  ./a .221
  2⤵
  PID:1831
- /tmp/.kde/a
  ./a .222
  2⤵
  PID:1832
- /tmp/.kde/a
  ./a .223
  2⤵
  PID:1833
- /tmp/.kde/a
  ./a .224
  2⤵
  PID:1834
- /tmp/.kde/a
  ./a .225
  2⤵
  PID:1835
- /tmp/.kde/a
  ./a .226
  2⤵
  PID:1836
- /tmp/.kde/a
  ./a .227
  2⤵
  PID:1837
- /tmp/.kde/a
  ./a .228
  2⤵
  PID:1838
- /tmp/.kde/a
  ./a .229
  2⤵
  PID:1839
- /bin/cat
  cat vuln.txt
  2⤵
  PID:1840
- /tmp/.kde/a
  ./a .230
  2⤵
  PID:1842
- /tmp/.kde/a
  ./a .231
  2⤵
  PID:1843
- /tmp/.kde/a
  ./a .232
  2⤵
  PID:1844
- /tmp/.kde/a
  ./a .233
  2⤵
  PID:1845
- /tmp/.kde/a
  ./a .234
  2⤵
  PID:1846
- /tmp/.kde/a
  ./a .235
  2⤵
  PID:1847
- /tmp/.kde/a
  ./a .236
  2⤵
  PID:1848
- /tmp/.kde/a
  ./a .237
  2⤵
  PID:1849
- /tmp/.kde/a
  ./a .238
  2⤵
  PID:1850
- /tmp/.kde/a
  ./a .239
  2⤵
  PID:1851
- /bin/cat
  cat vuln.txt
  2⤵
  PID:1852
- /tmp/.kde/a
  ./a .240
  2⤵
  PID:1854
- /tmp/.kde/a
  ./a .241
  2⤵
  PID:1855
- /tmp/.kde/a
  ./a .242
  2⤵
  PID:1856
- /tmp/.kde/a
  ./a .243
  2⤵
  PID:1857
- /tmp/.kde/a
  ./a .244
  2⤵
  PID:1858
- /tmp/.kde/a
  ./a .245
  2⤵
  PID:1859
- /tmp/.kde/a
  ./a .246
  2⤵
  PID:1860
- /tmp/.kde/a
  ./a .247
  2⤵
  PID:1861
- /tmp/.kde/a
  ./a .248
  2⤵
  PID:1862
- /tmp/.kde/a
  ./a .249
  2⤵
  PID:1863
- /bin/cat
  cat vuln.txt
  2⤵
  PID:1864
- /tmp/.kde/a
  ./a .250
  2⤵
  PID:1866
- /tmp/.kde/a
  ./a .251
  2⤵
  PID:1867
- /tmp/.kde/a
  ./a .252
  2⤵
  PID:1868
- /tmp/.kde/a
  ./a .253
  2⤵
  PID:1869
- /tmp/.kde/a
  ./a .254
  2⤵
  PID:1870
- /tmp/.kde/a
  ./a .255
  2⤵
  PID:1871
- /usr/bin/killall
  killall -9 a
  2⤵
  - Reads runtime system information
  PID:1872
- /bin/rm
  rm -rf ./a1
  2⤵
  PID:1873

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Time Based Evasion

T1497.003

Credential Access

Discovery

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Time Based Evasion

T1497.003

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/.kde/info2

Filesize
27B

MD5
210e3691abde94aba36fd981c007118b

SHA1
fbed82767e1e597632436aa2b4d5aed2c2585ac2

SHA256
a9913f505a1275a5c00a630ae232b04a982bb19efa5b00d5e22ca14e414b84c9

SHA512
65a8f42b99268ba4bc17f51f0e2e17d530b344c80bc483c510014bbf2920715517f5be0f770e30f55e1f2603f203fd4af9295bd979a82897e15b1593f08e1580

Download Submit
/tmp/.kde/info2

Filesize
54B

MD5
a2709419d80ba6b7fb126a5ed3cbebf1

SHA1
2400112d846a896b8bfee9d8c1791718ef0695b8

SHA256
24259785df747f8a38f250211b544b5885e937254a0a3d17658696f8515ca20a

SHA512
2f897325d3791ab80619d52978907900e0431518ae44906d06ccfe0dcae412c3d46a034f40da724bd4045d9c33258478bb6c96d33ea0f6c649ac81b7d4a62e8d

Download Submit
/tmp/.kde/info2

Filesize
85B

MD5
68e6530a51c4c7bf17dcf7051a6be710

SHA1
81380900211b5eca427f5632ff97cfd91eaaf7eb

SHA256
0b17dee730444d635adf2892a570927015e1bac71bf869df56bf25d104b1f529

SHA512
a103bbcdee57bafed8aa53eb08723aa1653e6e426e66ab6a1aca2e43f94200a2efd9288b0f51f67cc350beb08eb9648432e05feaca95f80179d6701c95b577e0

Download Submit
/tmp/.kde/info2

Filesize
146B

MD5
caf1040cd6acd26266899b47fabf6eb8

SHA1
4b6113b4951f044c9de28883907612335a07b88d

SHA256
f5859b816fbf69a709a856cf29d592f908b884a0d88d2a94ac4e2d3d6466946e

SHA512
44660a333217243db614206fc154b3d560a6e1c5b7dbcb604d49abb0be4ff46454a3f1d84483c9cd67666adecb242ec0c8e5eb3f72e08b4e56d19157ac6f7f82

Download Submit
/tmp/.kde/info2

Filesize
179B

MD5
352d1b388dc810aff236e133338d75fd

SHA1
81a193e575b944b836eb41189286511af13a5d6a

SHA256
a27a148fc90c8c6147b59603c4b0df46438dd53647a9d204b253aa1046474869

SHA512
264f77d013afa5fb0a24b141facbec9a0a4e82977d8d812379edc9c2ae22db402f0f7470f7da28ba5c0a40e7c0ac693750bbe44975f6fc5a3dd2db09bad537bd

Download Submit
/tmp/.kde/info2

Filesize
3KB

MD5
60cd48c81bb014b37182c375b8889c3b

SHA1
9e85a1fe1b5b66e97d336a7442b9f285038db4b1

SHA256
0b996c89695885f13bf0961fbd241866826cb641809b8de62d0278bb1a9d14ed

SHA512
349c8a6edc76bbef86cedc63800f63d63a9dc969aec3d6f82368c9a2c65e832d7e841121a2c5f88c7ae2b684e796a01b9172a9333166b7085d7ef7b33e8ce5bd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads