Malware Analysis Report

2024-11-13 16:11

Sample ID 241102-dcw4lswpc1
Target 639af202eb3c903183b8ae3d8ba4951e.elf
SHA256 668e2cdc076b620be68a4d5aa2ed14d2fa9b48b556f0e8f69548d8a972436155
Tags
kaiji defense_evasion discovery execution persistence privilege_escalatio privilege_escalation
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

668e2cdc076b620be68a4d5aa2ed14d2fa9b48b556f0e8f69548d8a972436155

Threat Level: Known bad

The file 639af202eb3c903183b8ae3d8ba4951e.elf was found to be: Known bad.

Malicious Activity Summary

kaiji defense_evasion discovery execution persistence privilege_escalatio privilege_escalation

Kaiji family

Kaiji

Modifies Watchdog functionality

Executes dropped EXE

Creates/modifies Cron job

Creates/modifies environment variables

Enumerates running processes

Modifies init.d

Write file to user bin folder

Modifies Bash startup script

Command and Scripting Interpreter: Unix Shell

Reads runtime system information

Enumerates kernel/hardware configuration

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-02 02:52

Signatures

Kaiji

Description Indicator Process Target
N/A N/A N/A N/A

Kaiji family

kaiji

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-02 02:52

Reported

2024-11-02 02:54

Platform

debian9-armhf-20240611-en

Max time kernel

149s

Max time network

154s

Command Line

[/tmp/639af202eb3c903183b8ae3d8ba4951e.elf]

Signatures

Kaiji

Description Indicator Process Target
N/A N/A N/A N/A

Kaiji family

kaiji

Executes dropped EXE

Description Indicator Process Target
N/A /etc/32676 /etc/32676 N/A
N/A /etc/opt.services.cfg /etc/opt.services.cfg N/A
N/A /etc/opt.services.cfg /etc/opt.services.cfg N/A
N/A /etc/opt.services.cfg /etc/opt.services.cfg N/A
N/A /etc/opt.services.cfg /etc/opt.services.cfg N/A

Modifies Watchdog functionality

defense_evasion
Description Indicator Process Target
File opened for modification /dev/watchdog /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for modification /dev/misc/watchdog /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A

Creates/modifies Cron job

execution persistence privilege_escalatio
Description Indicator Process Target
File opened for modification /etc/crontab /bin/sh N/A

Creates/modifies environment variables

persistence privilege_escalation defense_evasion
Description Indicator Process Target
File opened for modification /etc/profile.d/bash_cfg /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for modification /etc/profile.d/bash_cfg.sh /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for modification /etc/profile.d/gateway.sh /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A

Enumerates running processes

Modifies init.d

persistence
Description Indicator Process Target
File opened for modification /etc/init.d/ssh /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for modification /etc/init.d/sudo /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for modification /etc/init.d/udev /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for modification /etc/init.d/exim4 /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for modification /etc/init.d/keyboard-setup.sh /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for modification /etc/init.d/selinux-autorelabel /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for modification /etc/init.d/alsa-utils /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for modification /etc/init.d/console-setup.sh /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for modification /etc/init.d/networking /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for modification /etc/init.d/hwclock.sh /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for modification /etc/init.d/kmod /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for modification /etc/init.d/procps /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for modification /etc/init.d/rsyslog /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for modification /etc/init.d/x11-common /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for modification /etc/init.d/auditd /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for modification /etc/init.d/cron /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for modification /etc/init.d/dbus /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A

Write file to user bin folder

persistence
Description Indicator Process Target
File opened for modification /usr/bin/include/find /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for modification /usr/bin/find /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A

Modifies Bash startup script

persistence
Description Indicator Process Target
File opened for modification /etc/profile.d/bash_cfg /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for modification /etc/profile.d/bash_cfg.sh /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for modification /etc/profile.d/gateway.sh /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A

Command and Scripting Interpreter: Unix Shell

execution
Description Indicator Process Target
N/A N/A /bin/sh N/A
N/A N/A /bin/sh N/A

Enumerates kernel/hardware configuration

discovery
Description Indicator Process Target
File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size /etc/opt.services.cfg N/A
File opened for reading /sys/fs/kdbus/0-system/bus /bin/systemctl N/A
File opened for reading /sys/fs/kdbus/0-system/bus /bin/systemctl N/A
File opened for reading /sys/fs/kdbus/0-system/bus /bin/systemctl N/A
File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size /etc/opt.services.cfg N/A
File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size /etc/opt.services.cfg N/A
File opened for reading /sys/fs/kdbus/0-system/bus /bin/systemctl N/A
File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size /etc/opt.services.cfg N/A
File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for reading /sys/fs/kdbus/0-system/bus /bin/systemctl N/A
File opened for reading /sys/fs/kdbus/0-system/bus /bin/systemctl N/A
File opened for reading /sys/fs/kdbus/0-system/bus /bin/systemctl N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/cmdline /bin/systemctl N/A
File opened for reading /proc/1/environ /bin/systemctl N/A
File opened for reading /proc/29/stat /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for reading /proc/665/stat /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for reading /proc/670/stat /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for reading /proc/1/environ /bin/systemctl N/A
File opened for reading /proc/filesystems /bin/systemctl N/A
File opened for reading /proc/cmdline /bin/systemctl N/A
File opened for reading /proc/5/stat /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for reading /proc/18/stat /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for reading /proc/23/stat /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for reading /proc/cmdline /bin/systemctl N/A
File opened for reading /proc/1/environ /bin/systemctl N/A
File opened for reading /proc/1/stat /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for reading /proc/106/stat /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for reading /proc/149/stat /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for reading /proc/287/stat /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for reading /proc/27/stat /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for reading /proc/filesystems /bin/mount N/A
File opened for reading /proc/filesystems /bin/systemctl N/A
File opened for reading /proc/6/stat /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for reading /proc/19/stat /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for reading /proc/21/stat /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for reading /proc/24/stat /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for reading /proc/394/stat /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for reading /proc/650/stat /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for reading /proc/659/stat /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for reading /proc/666/stat /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for reading /proc/26/stat /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for reading /proc/97/stat /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for reading /proc/137/stat /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for reading /proc/286/stat /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for reading /proc/self/stat /bin/systemctl N/A
File opened for reading /proc/cmdline /bin/systemctl N/A
File opened for reading /proc/3/stat /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for reading /proc/1/environ /bin/systemctl N/A
File opened for reading /proc/1/environ /bin/systemctl N/A
File opened for reading /proc/651/stat /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for reading /proc/filesystems /bin/systemctl N/A
File opened for reading /proc/cmdline /bin/systemctl N/A
File opened for reading /proc/filesystems /bin/systemctl N/A
File opened for reading /proc/41/stat /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for reading /proc/42/stat /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for reading /proc/138/stat /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for reading /proc/155/stat /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for reading /proc/398/stat /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for reading /proc/filesystems /bin/systemctl N/A
File opened for reading /proc/12/stat /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for reading /proc/17/stat /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for reading /proc/20/stat /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for reading /proc/43/stat /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for reading /proc/284/stat /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for reading /proc/filesystems /bin/sed N/A
File opened for reading /proc/cmdline /bin/systemctl N/A
File opened for reading /proc/4/stat /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for reading /proc/7/stat /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for reading /proc/76/stat /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for reading /proc/108/stat /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for reading /proc/658/stat /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for reading /proc/1/environ /bin/systemctl N/A
File opened for reading /proc/8/stat /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for reading /proc/13/stat /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for reading /proc/274/stat /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A
File opened for reading /proc/306/stat /tmp/639af202eb3c903183b8ae3d8ba4951e.elf N/A

Processes

/tmp/639af202eb3c903183b8ae3d8ba4951e.elf

[/tmp/639af202eb3c903183b8ae3d8ba4951e.elf]

/tmp/639af202eb3c903183b8ae3d8ba4951e.elf

[/tmp/639af202eb3c903183b8ae3d8ba4951e.elf ]

/bin/sh

[/bin/sh -c /etc/32676&]

/etc/32676

[/etc/32676]

/usr/sbin/service

[service crond start]

/bin/sleep

[sleep 60]

/usr/bin/basename

[basename /usr/sbin/service]

/usr/bin/basename

[basename /usr/sbin/service]

/bin/systemctl

[systemctl --quiet is-active multi-user.target]

/bin/sed

[sed -ne s/\.socket\s*[a-z]*\s*$/.socket/p]

/bin/systemctl

[systemctl list-unit-files --full --type=socket]

/usr/local/sbin/systemctl

[systemctl --job-mode=ignore-dependencies start crond.service]

/usr/local/bin/systemctl

[systemctl --job-mode=ignore-dependencies start crond.service]

/usr/sbin/systemctl

[systemctl --job-mode=ignore-dependencies start crond.service]

/usr/bin/systemctl

[systemctl --job-mode=ignore-dependencies start crond.service]

/sbin/systemctl

[systemctl --job-mode=ignore-dependencies start crond.service]

/bin/systemctl

[systemctl --job-mode=ignore-dependencies start crond.service]

/bin/sh

[/bin/sh -c echo "*/1 * * * * root /.mod " >> /etc/crontab]

/usr/bin/renice

[renice -20 666]

/bin/mount

[mount -o bind /tmp/ /proc/666]

/usr/sbin/service

[service cron start]

/usr/bin/basename

[basename /usr/sbin/service]

/usr/bin/basename

[basename /usr/sbin/service]

/bin/systemctl

[systemctl --quiet is-active multi-user.target]

/bin/systemctl

[systemctl list-unit-files --full --type=socket]

/bin/sed

[sed -ne s/\.socket\s*[a-z]*\s*$/.socket/p]

/usr/local/sbin/systemctl

[systemctl --job-mode=ignore-dependencies start cron.service]

/usr/local/bin/systemctl

[systemctl --job-mode=ignore-dependencies start cron.service]

/usr/sbin/systemctl

[systemctl --job-mode=ignore-dependencies start cron.service]

/usr/bin/systemctl

[systemctl --job-mode=ignore-dependencies start cron.service]

/sbin/systemctl

[systemctl --job-mode=ignore-dependencies start cron.service]

/bin/systemctl

[systemctl --job-mode=ignore-dependencies start cron.service]

/bin/systemctl

[systemctl start crond.service]

/etc/opt.services.cfg

[/etc/opt.services.cfg]

/etc/opt.services.cfg

[/etc/opt.services.cfg ]

/bin/sleep

[sleep 60]

/etc/opt.services.cfg

[/etc/opt.services.cfg]

/etc/opt.services.cfg

[/etc/opt.services.cfg ]

/bin/sleep

[sleep 60]

Network

Country Destination Domain Proto
US 1.1.1.1:53 www.google.com udp
US 1.1.1.1:53 www.google.com udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp
US 1.1.1.1:53 ss.us-tv.top udp

Files

/etc/.walk

MD5 bd5200042c2d93c06332794e70842aa3
SHA1 c1ed0f33ebe8c81f83893d3a7c11307807243114
SHA256 36365132b46f5a24a78d726ea48c64fb4ee15712e90a3d9ead78fd4ec9da34db
SHA512 6f85dc569cc94562bb693754467ecf50959720ad5210ce436b08c8169105a983adc23ef5daf851acb3618e078ab014c89c373cf88779621df86c3d6c8a56185b

/etc/.walk

MD5 165cd16149a4db6c9bac369094f58268
SHA1 ba97b130648042a2f0d1337474e9e7c94f512033
SHA256 ef735507a28452384d2dfcbb26e9e735ea1f2fa7898273e529714c1877bcdcc5
SHA512 618624ca3e53fa500ad0e93a23d3299c43731b3f0a5ec983182f5797ab64b5302104284f2c033af98a9573cc971c147e5072c58aca16beb3fdd85d5bafeb1560

/etc/opt.services.cfg

MD5 639af202eb3c903183b8ae3d8ba4951e
SHA1 78ad606c247165cb75c4e349d9be702517203224
SHA256 668e2cdc076b620be68a4d5aa2ed14d2fa9b48b556f0e8f69548d8a972436155
SHA512 1eb84b880900795da9bb834e88422c8a81bd83f7fb0dcdf090f8b178b21e486e0010126bd249c84cf2b2f6dcad3fc0597acad073b299512fba8f9f02ef0c4767

/etc/32676

MD5 47684525bfdf26f49fd1cf742b17c015
SHA1 c4ab14ba22420ff9acadfc698a38d0cd99e9fbfa
SHA256 b7ce294613dd2c237a4a50548bfcd5c14d166107f2d2e965499bc78695300d5b
SHA512 948f9c519ae9afe1c821c5d58da2e584e50356dabef597ccd408853a9038560b9fb1c5894900e2725b48977ffd49d18a439436bb4946e2164ac9fcf2a8637621

/.mod

MD5 f5a3713282e43c200f30342f5ff5e2ea
SHA1 2b2ce1a207e2b691a074c6f78f71c4785aae426a
SHA256 6ab64e727571458d4884fb2fe82c27c467db0699cb8f648b3f0217c35d2b7511
SHA512 5bcb8cd360409147a486755f90e0cdd97183af02ce8de5135b7c6a8a010deb9ef12dcd5ee9a2a8fd2e159347f68e72d6b7fd75e943b4fcd928d7a74b97476013

/usr/bin/include/find

MD5 138a27d6fe52fa1132760a4fa48922e0
SHA1 e0250e4d7bf33a5a1064344224148b889cb15138
SHA256 81a10dad907b23521461bd3fc83c2cedb2218933a328d9a05e3c9f6a9a1d42aa
SHA512 ee0078afad63fc2aaffdebb7127d1c7d4459287fee75358f57c82d397c39b7bf64338fb6996dfb1747cd9a896d714b3c76f0948727be91550f1affa1c0298a9e

/etc/profile.d/gateway.sh

MD5 dc6a9b4472df32de481b4167da1e6b2a
SHA1 d637ce0d6f1da12df1b1db75048483ad0880e2f6
SHA256 6edd780fb06a8238388aa1f757772ffe629eaf377d7a611a8aed1f994bf8dcc2
SHA512 46b3d2dc982bcadb78c811fa7dee33e17347319b512a2d7afa3463b122bef4fbde4754f406d369b536f06c5ee402e577ccdb2fe2af5ba128135bec136afd0760