Malware Analysis Report

2024-11-15 08:27

Sample ID 241108-lcla4ssldr
Target linux_arm7.elf
SHA256 ff466605516a4e2b5b2baf5f98efff8178892a96d9043a77b29088953ea3f12a
Tags
kaiji defense_evasion discovery execution persistence privilege_escalatio privilege_escalation
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ff466605516a4e2b5b2baf5f98efff8178892a96d9043a77b29088953ea3f12a

Threat Level: Known bad

The file linux_arm7.elf was found to be: Known bad.

Malicious Activity Summary

kaiji defense_evasion discovery execution persistence privilege_escalatio privilege_escalation

Kaiji

Kaiji family

kaiji_chaosbot

Modifies Watchdog functionality

Executes dropped EXE

Modifies init.d

Creates/modifies Cron job

Creates/modifies environment variables

Enumerates running processes

Write file to user bin folder

Modifies Bash startup script

Changes its process name

Reads CPU attributes

Reads runtime system information

Enumerates kernel/hardware configuration

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-08 09:23

Signatures

Kaiji

Description Indicator Process Target
N/A N/A N/A N/A

Kaiji family

kaiji

kaiji_chaosbot

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-08 09:23

Reported

2024-11-08 09:25

Platform

debian9-armhf-20240418-en

Max time kernel

149s

Max time network

150s

Command Line

[/tmp/linux_arm7.elf]

Signatures

Kaiji

Description Indicator Process Target
N/A N/A N/A N/A

Kaiji family

kaiji

kaiji_chaosbot

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A /etc/32678 /etc/32678 N/A
N/A /etc/id.services.conf /etc/id.services.conf N/A
N/A /etc/id.services.conf /etc/id.services.conf N/A
N/A /etc/32678 /etc/32678 N/A
N/A /etc/id.services.conf /etc/id.services.conf N/A
N/A /etc/id.services.conf /etc/id.services.conf N/A
N/A /etc/32678 /etc/32678 N/A

Modifies Watchdog functionality

defense_evasion
Description Indicator Process Target
File opened for modification /dev/watchdog /tmp/linux_arm7.elf N/A
File opened for modification /dev/misc/watchdog /tmp/linux_arm7.elf N/A

Creates/modifies Cron job

execution persistence privilege_escalatio
Description Indicator Process Target
File opened for modification /etc/crontab /bin/bash N/A

Creates/modifies environment variables

persistence privilege_escalation defense_evasion
Description Indicator Process Target
File opened for modification /etc/profile.d/bash_config.sh /tmp/linux_arm7.elf N/A
File opened for modification /etc/profile.d/bash_config /tmp/linux_arm7.elf N/A
File opened for modification /etc/profile.d/linux.sh /tmp/linux_arm7.elf N/A

Enumerates running processes

Modifies init.d

persistence
Description Indicator Process Target
File opened for modification /etc/init.d/linux_kill /tmp/linux_arm7.elf N/A
File opened for modification /etc/init.d/ssh /tmp/linux_arm7.elf N/A

Write file to user bin folder

persistence
Description Indicator Process Target
File opened for modification /usr/bin/find /tmp/linux_arm7.elf N/A

Modifies Bash startup script

persistence
Description Indicator Process Target
File opened for modification /etc/profile.d/linux.sh /tmp/linux_arm7.elf N/A
File opened for modification /etc/profile.d/bash_config.sh /tmp/linux_arm7.elf N/A
File opened for modification /etc/profile.d/bash_config /tmp/linux_arm7.elf N/A

Changes its process name

Description Indicator Process Target
Changes the process name, possibly in an attempt to hide itself ksoftirqd/0 /tmp/linux_arm7.elf N/A

Reads CPU attributes

discovery
Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A

Enumerates kernel/hardware configuration

discovery
Description Indicator Process Target
File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size /etc/id.services.conf N/A
File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size /etc/id.services.conf N/A
File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size /tmp/linux_arm7.elf N/A
File opened for reading /sys/fs/kdbus/0-system/bus /bin/systemctl N/A
File opened for reading /sys/fs/kdbus/0-system/bus /bin/systemctl N/A
File opened for reading /sys/fs/kdbus/0-system/bus /bin/systemctl N/A
File opened for reading /sys/fs/kdbus/0-system/bus /bin/systemctl N/A
File opened for reading /sys/fs/kdbus/0-system/bus /bin/systemctl N/A
File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size /tmp/linux_arm7.elf N/A
File opened for reading /sys/fs/kdbus/0-system/bus /bin/systemctl N/A
File opened for reading /sys/fs/kdbus/0-system/bus /bin/systemctl N/A
File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size /etc/id.services.conf N/A
File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size /etc/id.services.conf N/A
File opened for reading /sys/fs/kdbus/0-system/bus /bin/systemctl N/A
File opened for reading /sys/fs/kdbus/0-system/bus /bin/systemctl N/A
File opened for reading /sys/fs/kdbus/0-system/bus /bin/systemctl N/A
File opened for reading /sys/fs/kdbus/0-system/bus /bin/systemctl N/A
File opened for reading /sys/fs/kdbus/0-system/bus /bin/systemctl N/A
File opened for reading /sys/fs/kdbus/0-system/bus /bin/systemctl N/A
File opened for reading /sys/fs/kdbus/0-system/bus /bin/systemctl N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/278/stat /tmp/linux_arm7.elf N/A
File opened for reading /proc/1/environ /bin/systemctl N/A
File opened for reading /proc/107/status /usr/bin/pkill N/A
File opened for reading /proc/15/status /usr/bin/pkill N/A
File opened for reading /proc/25/cmdline /usr/bin/pkill N/A
File opened for reading /proc/280/cmdline /usr/bin/pkill N/A
File opened for reading /proc/6/cmdline /usr/bin/pkill N/A
File opened for reading /proc/24/cmdline /usr/bin/pkill N/A
File opened for reading /proc/75/cmdline /usr/bin/pkill N/A
File opened for reading /proc/635/cmdline /usr/bin/pkill N/A
File opened for reading /proc/688/stat /tmp/linux_arm7.elf N/A
File opened for reading /proc/794/stat /tmp/linux_arm7.elf N/A
File opened for reading /proc/42/cmdline /usr/bin/pkill N/A
File opened for reading /proc/280/status /usr/bin/pkill N/A
File opened for reading /proc/108/cmdline /usr/bin/pkill N/A
File opened for reading /proc/filesystems /bin/systemctl N/A
File opened for reading /proc/self/stat /bin/systemctl N/A
File opened for reading /proc/10/cmdline /usr/bin/pkill N/A
File opened for reading /proc/149/status /usr/bin/pkill N/A
File opened for reading /proc/312/status /usr/bin/pkill N/A
File opened for reading /proc/805/status /usr/bin/pkill N/A
File opened for reading /proc/314/status /usr/bin/pkill N/A
File opened for reading /proc/844/cmdline /usr/bin/pkill N/A
File opened for reading /proc/filesystems /bin/systemctl N/A
File opened for reading /proc/143/status /usr/bin/pkill N/A
File opened for reading /proc/591/cmdline /usr/bin/pkill N/A
File opened for reading /proc/8/status /usr/bin/pkill N/A
File opened for reading /proc/266/cmdline /usr/bin/pkill N/A
File opened for reading /proc/276/cmdline /usr/bin/pkill N/A
File opened for reading /proc/self/stat /bin/systemctl N/A
File opened for reading /proc/41/cmdline /usr/bin/pkill N/A
File opened for reading /proc/139/status /usr/bin/pkill N/A
File opened for reading /proc/300/status /usr/bin/pkill N/A
File opened for reading /proc/844/status /usr/bin/pkill N/A
File opened for reading /proc/filesystems /bin/systemctl N/A
File opened for reading /proc/9/status /usr/bin/pkill N/A
File opened for reading /proc/105/cmdline /usr/bin/pkill N/A
File opened for reading /proc/108/cmdline /usr/bin/pkill N/A
File opened for reading /proc/592/status /usr/bin/pkill N/A
File opened for reading /proc/304/cmdline /usr/bin/pkill N/A
File opened for reading /proc/571/status /usr/bin/pkill N/A
File opened for reading /proc/8/status /usr/bin/pkill N/A
File opened for reading /proc/9/cmdline /usr/bin/pkill N/A
File opened for reading /proc/107/cmdline /usr/bin/pkill N/A
File opened for reading /proc/864/stat /tmp/linux_arm7.elf N/A
File opened for reading /proc/108/status /usr/bin/pkill N/A
File opened for reading /proc/1/environ /bin/systemctl N/A
File opened for reading /proc/784/stat /tmp/linux_arm7.elf N/A
File opened for reading /proc/802/stat /tmp/linux_arm7.elf N/A
File opened for reading /proc/1/cmdline /usr/bin/pkill N/A
File opened for reading /proc/4/cmdline /usr/bin/pkill N/A
File opened for reading /proc/28/cmdline /usr/bin/pkill N/A
File opened for reading /proc/6/cmdline /usr/bin/pkill N/A
File opened for reading /proc/304/status /usr/bin/pkill N/A
File opened for reading /proc/592/status /usr/bin/pkill N/A
File opened for reading /proc/cmdline /bin/systemctl N/A
File opened for reading /proc/663/stat /tmp/linux_arm7.elf N/A
File opened for reading /proc/self/stat /bin/systemctl N/A
File opened for reading /proc/275/status /usr/bin/pkill N/A
File opened for reading /proc/self/stat /bin/systemctl N/A
File opened for reading /proc/826/stat /tmp/linux_arm7.elf N/A
File opened for reading /proc/829/stat /tmp/linux_arm7.elf N/A
File opened for reading /proc/4/status /usr/bin/pkill N/A
File opened for reading /proc/filesystems /bin/sed N/A

Processes

/tmp/linux_arm7.elf

[/tmp/linux_arm7.elf]

/bin/sh

[sh -c /etc/32678&]

/usr/sbin/service

[service crond start]

/tmp/linux_arm7.elf

[/tmp/linux_arm7.elf ]

/etc/32678

[/etc/32678]

/usr/bin/basename

[basename /usr/sbin/service]

/bin/sleep

[sleep 60]

/usr/bin/basename

[basename /usr/sbin/service]

/bin/systemctl

[systemctl --quiet is-active multi-user.target]

/usr/sbin/update-rc.d

[update-rc.d linux_kill defaults]

/bin/sed

[sed -ne s/\.socket\s*[a-z]*\s*$/.socket/p]

/bin/systemctl

[systemctl list-unit-files --full --type=socket]

/usr/local/sbin/systemctl

[systemctl --job-mode=ignore-dependencies start crond.service]

/usr/local/bin/systemctl

[systemctl --job-mode=ignore-dependencies start crond.service]

/usr/sbin/systemctl

[systemctl --job-mode=ignore-dependencies start crond.service]

/usr/bin/systemctl

[systemctl --job-mode=ignore-dependencies start crond.service]

/sbin/systemctl

[systemctl --job-mode=ignore-dependencies start crond.service]

/bin/systemctl

[systemctl --job-mode=ignore-dependencies start crond.service]

/usr/local/sbin/systemctl

[systemctl daemon-reload]

/usr/local/bin/systemctl

[systemctl daemon-reload]

/usr/sbin/systemctl

[systemctl daemon-reload]

/usr/bin/systemctl

[systemctl daemon-reload]

/sbin/systemctl

[systemctl daemon-reload]

/bin/systemctl

[systemctl daemon-reload]

/bin/bash

[bash -c echo "*/1 * * * * root /.img " >> /etc/crontab]

/usr/bin/renice

[renice -20 661]

/bin/mount

[mount -o bind /tmp/ /proc/661]

/usr/sbin/service

[service cron start]

/usr/bin/basename

[basename /usr/sbin/service]

/usr/bin/basename

[basename /usr/sbin/service]

/bin/systemctl

[systemctl --quiet is-active multi-user.target]

/bin/systemctl

[systemctl list-unit-files --full --type=socket]

/bin/sed

[sed -ne s/\.socket\s*[a-z]*\s*$/.socket/p]

/usr/local/sbin/systemctl

[systemctl --job-mode=ignore-dependencies start cron.service]

/usr/local/bin/systemctl

[systemctl --job-mode=ignore-dependencies start cron.service]

/usr/sbin/systemctl

[systemctl --job-mode=ignore-dependencies start cron.service]

/usr/bin/systemctl

[systemctl --job-mode=ignore-dependencies start cron.service]

/sbin/systemctl

[systemctl --job-mode=ignore-dependencies start cron.service]

/bin/systemctl

[systemctl --job-mode=ignore-dependencies start cron.service]

/bin/systemctl

[systemctl start crond.service]

/etc/id.services.conf

[/etc/id.services.conf]

/usr/bin/pkill

[pkill -9 32678]

/bin/sh

[sh -c /etc/32678&]

/usr/sbin/service

[service crond start]

/etc/id.services.conf

[/etc/id.services.conf ]

/etc/32678

[/etc/32678]

/usr/bin/basename

[basename /usr/sbin/service]

/bin/sleep

[sleep 60]

/usr/bin/basename

[basename /usr/sbin/service]

/bin/systemctl

[systemctl --quiet is-active multi-user.target]

/bin/systemctl

[systemctl list-unit-files --full --type=socket]

/bin/sed

[sed -ne s/\.socket\s*[a-z]*\s*$/.socket/p]

/usr/local/sbin/systemctl

[systemctl --job-mode=ignore-dependencies start crond.service]

/usr/local/bin/systemctl

[systemctl --job-mode=ignore-dependencies start crond.service]

/usr/sbin/systemctl

[systemctl --job-mode=ignore-dependencies start crond.service]

/usr/bin/systemctl

[systemctl --job-mode=ignore-dependencies start crond.service]

/sbin/systemctl

[systemctl --job-mode=ignore-dependencies start crond.service]

/bin/systemctl

[systemctl --job-mode=ignore-dependencies start crond.service]

/etc/id.services.conf

[/etc/id.services.conf]

/usr/bin/pkill

[pkill -9 32678]

/bin/sh

[sh -c /etc/32678&]

/usr/sbin/service

[service crond start]

/etc/id.services.conf

[/etc/id.services.conf ]

/etc/32678

[/etc/32678]

/usr/bin/basename

[basename /usr/sbin/service]

/bin/sleep

[sleep 60]

/usr/bin/basename

[basename /usr/sbin/service]

/bin/systemctl

[systemctl --quiet is-active multi-user.target]

/bin/sed

[sed -ne s/\.socket\s*[a-z]*\s*$/.socket/p]

/bin/systemctl

[systemctl list-unit-files --full --type=socket]

/usr/local/sbin/systemctl

[systemctl --job-mode=ignore-dependencies start crond.service]

/usr/local/bin/systemctl

[systemctl --job-mode=ignore-dependencies start crond.service]

/usr/sbin/systemctl

[systemctl --job-mode=ignore-dependencies start crond.service]

/usr/bin/systemctl

[systemctl --job-mode=ignore-dependencies start crond.service]

/sbin/systemctl

[systemctl --job-mode=ignore-dependencies start crond.service]

/bin/systemctl

[systemctl --job-mode=ignore-dependencies start crond.service]

Network

Country Destination Domain Proto
US 1.1.1.1:53 www.google.com udp
US 1.1.1.1:53 www.google.com udp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
US 1.1.1.1:53 debian9-armhf-20240418-en-3 udp
US 1.1.1.1:53 debian9-armhf-20240418-en-3 udp
US 1.1.1.1:53 debian9-armhf-20240418-en-3 udp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
US 1.1.1.1:53 debian9-armhf-20240418-en-3 udp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
US 1.1.1.1:53 debian9-armhf-20240418-en-3 udp
US 1.1.1.1:53 debian9-armhf-20240418-en-3 udp
HK 154.201.84.237:7850 tcp
US 1.1.1.1:53 debian9-armhf-20240418-en-3 udp
HK 154.201.84.237:7850 tcp
US 1.1.1.1:53 debian9-armhf-20240418-en-3 udp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
US 1.1.1.1:53 debian9-armhf-20240418-en-3 udp
US 1.1.1.1:53 debian9-armhf-20240418-en-3 udp
HK 154.201.84.237:7850 tcp
US 1.1.1.1:53 debian9-armhf-20240418-en-3 udp
US 1.1.1.1:53 debian9-armhf-20240418-en-3 udp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp
HK 154.201.84.237:7850 tcp

Files

/etc/id.services.conf

MD5 7c906062c4cbd0ca1eb795a1adcd48bb
SHA1 8253d4e0fa13fe8a05961ffbf8e1245c9080556c
SHA256 ff466605516a4e2b5b2baf5f98efff8178892a96d9043a77b29088953ea3f12a
SHA512 37f969c03ec5c07e3d4facd241b0c5d808570f6535fb785aee85352d849278fdf98a091b5234fc104fd24251f6d6e79c19c4df53ff2079a4ec7c261255978b1c

/etc/32678

MD5 768eaf287796da19e1cf5e0b2fb1b161
SHA1 6a1ce2ee5ccc86d1f33806feb14547b35290df2a
SHA256 1d22620dfb2a6715e5d745aed5cf841ede0e75e1747f12b9b925a2d346bc7ecb
SHA512 e6af30c9df4f7f47696069511e64ecbc8e841629d692ee4056503df3533fb7a7a74960698826260355e1dba7b6c562482a27a39bb51a4237473ce4b68472d620

/etc/init.d/linux_kill

MD5 3909975f7cc0d1121c1819b800069f31
SHA1 3e68de708c2e6c40fab6794afdee3104e5590189
SHA256 6876dac71f13a068afb863d257134275f2edba43b2acaf4924fabf97c079070b
SHA512 50600cceeb03b05f45ae61d890caee9f51ff390b6776930866e527e071d65d08241fc66673fd9b99d62fbc77d3c00fc3de4d7378cbc42f5daba5d83072b0906e

/etc/profile.d/bash_config.sh

MD5 cfb4e51061485fe91169381fbdc1538e
SHA1 9a85b9b766a15b01737a41d680e4593b7a9bde87
SHA256 897f37267d0ceaa2fbdaa09847f5d08e6f8b01a0348a0d666264b0f10acd0c90
SHA512 fb154ec711d2090a7461da4db8ddad2b522649a27e74162ecb203f539b1729430288bc02d78d2071bde9c4bbc005693403a57612ef50277d52f816cb94524216

/.img

MD5 d73d3376908ea075a939e3871ad0fabe
SHA1 320ff65831247ba199515f1b94df26cc8a3e5f76
SHA256 edbdabe30d8236a2c0a4eb89dfd597552130e4c1a4e93f8fe1568920442ad73a
SHA512 57b83fef88620598beb5d65626bf757d0abef242d2d6a01796a61474dedc5095a4a9d0f292b6abb450cad3d4410ab8456253600f58ddb66cfe6d79e1c8415536