a86b877e9e694a1f2b70a3a193fe135b751d78fa1ad4a795f11cbc34d4b78a51

Analysis

max time kernel
148s
max time network
144s
platform
debian-9_mipsel
resource
debian9-mipsel-20240226-en
resource tags

arch:mipselimage:debian9-mipsel-20240226-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
21-11-2024 07:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a86b877e9e694a1f2b70a3a193fe135b751d78fa1ad4a795f11cbc34d4b78a51.sh
Size

24KB
MD5

583c626e8ba30e2c920358b3b1c28519
SHA1

3b96052208c8a976ddc930a91ed7d507f31bc868
SHA256

a86b877e9e694a1f2b70a3a193fe135b751d78fa1ad4a795f11cbc34d4b78a51
SHA512

fd4b8f91a161f3086290e92a2f9502f7005bd83e00535f3376c2827b20ec40754b31250908242311f7f756644a25262794c80b898533dea698e86611274b7fbd
SSDEEP

768:32xRI1YH38QoMfzBIef2Wcu/J5L/J5+15BKll:0IXWcmjAmz

Score

6^/10

antivm defense_evasion discovery execution

Malware Config

Signatures

Deletes log files 1 TTPs 1 IoCs

Deletes log files on the system.

defense_evasion

Clear Linux or Mac System Logs

T1070.002

Processes:

apt-get

description	ioc	Process
File deleted	/var/log/apt/eipp.log.xz	apt-get

Enumerates running processes
Discovers information about currently running processes on the system

Checks CPU configuration 1 TTPs 3 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

Processes:

awkawkawk

description	ioc	Process
File opened for reading	/proc/cpuinfo	awk
File opened for reading	/proc/cpuinfo	awk
File opened for reading	/proc/cpuinfo	awk

Reads CPU attributes 1 TTPs 3 IoCs

discovery

System Information Discovery

T1082

Processes:

freefreew

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	free
File opened for reading	/sys/devices/system/cpu/online	free
File opened for reading	/sys/devices/system/cpu/online	w

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

dpkgfreewapt-configgpgconfapt-configgpgconfapt-configgpgvgpg-connect-agentdpkgawkdpkggpg-connect-agentgpg-connect-agentdpkgsedgpgvawkdpkggpgvsedapt-configapt-configdpkgapt-configsedfree

description	ioc	Process
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/sys/kernel/osrelease	free
File opened for reading	/proc/3/cmdline	w
File opened for reading	/proc/self/fd	apt-config
File opened for reading	/proc/self/fd	gpgconf
File opened for reading	/proc/self/fd	apt-config
File opened for reading	/proc/116/stat	w
File opened for reading	/proc/146/cmdline	w
File opened for reading	/proc/396/stat	w
File opened for reading	/proc/self/fd	gpgconf
File opened for reading	/proc/73/cmdline	w
File opened for reading	/proc/146/stat	w
File opened for reading	/proc/self/fd	apt-config
File opened for reading	/proc/sys/crypto/fips_enabled	gpgv
File opened for reading	/proc/2/stat	w
File opened for reading	/proc/sys/crypto/fips_enabled	gpg-connect-agent
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/uptime	awk
File opened for reading	/proc/386/stat	w
File opened for reading	/proc/71/stat	w
File opened for reading	/proc/74/stat	w
File opened for reading	/proc/401/stat	w
File opened for reading	/proc/8/cmdline	w
File opened for reading	/proc/72/cmdline	w
File opened for reading	/proc/708/stat	w
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/sys/crypto/fips_enabled	gpg-connect-agent
File opened for reading	/proc/166/cmdline	w
File opened for reading	/proc/383/stat	w
File opened for reading	/proc/sys/crypto/fips_enabled	gpg-connect-agent
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/8/stat	w
File opened for reading	/proc/18/cmdline	w
File opened for reading	/proc/68/cmdline	w
File opened for reading	/proc/401/cmdline	w
File opened for reading	/proc/sys/crypto/fips_enabled	gpgconf
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/11/cmdline	w
File opened for reading	/proc/22/cmdline	w
File opened for reading	/proc/82/cmdline	w
File opened for reading	/proc/sys/crypto/fips_enabled	gpgv
File opened for reading	/proc/472/cmdline	w
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/761/stat	w
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/sys/crypto/fips_enabled	gpgv
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/1/cmdline	w
File opened for reading	/proc/70/cmdline	w
File opened for reading	/proc/self/fd	apt-config
File opened for reading	/proc/filesystems	w
File opened for reading	/proc/18/stat	w
File opened for reading	/proc/396/cmdline	w
File opened for reading	/proc/514/stat	w
File opened for reading	/proc/705/cmdline	w
File opened for reading	/proc/70/stat	w
File opened for reading	/proc/763/cmdline	w
File opened for reading	/proc/self/fd	apt-config
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/self/fd	apt-config
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	free
File opened for reading	/proc/10/cmdline	w

System Network Configuration Discovery 1 TTPs 2 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

Processes:

ipwget

pid	Process
731	ip
738	wget

Writes file to tmp directory 31 IoCs

Malware often drops required files in the /tmp directory.

Processes:

gpgvcpapt-getcpapt-keyapt-getapt-keytouchtouchteeapt-key

description	ioc	Process
File opened for modification	/tmp/apt.data.pk1j3L	gpgv
File opened for modification	/tmp/apt-key-gpghome.PA6IA8b7ZW/pubring.orig.gpg	cp
File opened for modification	/tmp/fileutl.message.Pfa27F	apt-get
File opened for modification	/tmp/fileutl.message.oRxYbk	apt-get
File opened for modification	/tmp/apt-key-gpghome.u63IoUdi4p/pubring.orig.gpg	cp
File opened for modification	/tmp/apt-key-gpghome.PA6IA8b7ZW/gpg.1.sh	apt-key
File opened for modification	/tmp/fileutl.message.qrzH8n	apt-get
File opened for modification	/tmp/fileutl.message.Z1fkeD	apt-get
File opened for modification	/tmp/fileutl.message.9Hle9b	apt-get
File opened for modification	/tmp/apt-key-gpghome.u63IoUdi4p/gpg.1.sh	apt-key
File opened for modification	/tmp/apt-key-gpghome.PA6IA8b7ZW/pubring.gpg	touch
File opened for modification	/tmp/apt.conf.k8oPM0	gpgv
File opened for modification	/tmp/fileutl.message.nC46Ld	apt-get
File opened for modification	/tmp/fileutl.message.m4LpJj	apt-get
File opened for modification	/tmp/apt-key-gpghome.u63IoUdi4p/pubring.gpg	touch
File opened for modification	/tmp/apt-key-gpghome.u63IoUdi4p/pubring.gpg	apt-key
File opened for modification	/tmp/fileutl.message.cjPDcn	apt-get
File opened for modification	/tmp/apt-key-gpghome.PA6IA8b7ZW/pubring.gpg	apt-key
File opened for modification	/tmp/fileutl.message.6bjySq	apt-get
File opened for modification	/tmp/fileutl.message.k3h2jE	apt-get
File opened for modification	/tmp/l2tp.log	tee
File opened for modification	/tmp/fileutl.message.awNPFS	apt-get
File opened for modification	/tmp/fileutl.message.h30iTH	apt-get
File opened for modification	/tmp/apt.sig.ICclMw	gpgv
File opened for modification	/tmp/apt.conf.TWGbgg	gpgv
File opened for modification	/tmp/fileutl.message.f9hplG	apt-get
File opened for modification	/tmp/apt.sig.8q6e2U	gpgv
File opened for modification	/tmp/apt-key-gpghome.zkzS4smG69/gpg.1.sh	apt-key
File opened for modification	/tmp/apt.conf.LOMUMg	gpgv
File opened for modification	/tmp/apt.data.sIe7eP	gpgv
File opened for modification	/tmp/fileutl.message.sbca0A	apt-get

Software Deployment Tools 1 TTPs 1 IoCs

Use software deployment tools to execute code.

execution

Software Deployment Tools

T1072

Processes:

apt-get

pid	Process
785	apt-get

/tmp/a86b877e9e694a1f2b70a3a193fe135b751d78fa1ad4a795f11cbc34d4b78a51.sh
/tmp/a86b877e9e694a1f2b70a3a193fe135b751d78fa1ad4a795f11cbc34d4b78a51.sh
1⤵
PID:708

/usr/local/sbin/bash
bash /tmp/a86b877e9e694a1f2b70a3a193fe135b751d78fa1ad4a795f11cbc34d4b78a51.sh
1⤵
PID:708

/usr/local/bin/bash
bash /tmp/a86b877e9e694a1f2b70a3a193fe135b751d78fa1ad4a795f11cbc34d4b78a51.sh
1⤵
PID:708

/usr/sbin/bash
bash /tmp/a86b877e9e694a1f2b70a3a193fe135b751d78fa1ad4a795f11cbc34d4b78a51.sh
1⤵
PID:708

/usr/bin/bash
bash /tmp/a86b877e9e694a1f2b70a3a193fe135b751d78fa1ad4a795f11cbc34d4b78a51.sh
1⤵
PID:708

/sbin/bash
bash /tmp/a86b877e9e694a1f2b70a3a193fe135b751d78fa1ad4a795f11cbc34d4b78a51.sh
1⤵
PID:708

/bin/bash
bash /tmp/a86b877e9e694a1f2b70a3a193fe135b751d78fa1ad4a795f11cbc34d4b78a51.sh
1⤵
PID:708
- /usr/bin/basename
  basename /tmp/a86b877e9e694a1f2b70a3a193fe135b751d78fa1ad4a795f11cbc34d4b78a51.sh
  2⤵
  PID:717
- /usr/bin/tee
  tee /tmp/l2tp.log
  2⤵
  - Writes file to tmp directory
  PID:720
- /usr/bin/clear
  clear
  2⤵
  PID:722
- /bin/grep
  grep "SELINUX=enforcing" /etc/selinux/config
  2⤵
  PID:724
- /bin/cat
  cat /etc/issue
  2⤵
  PID:726
- /bin/grep
  grep -Eqi debian
  2⤵
  PID:727
- /bin/ip
  ip addr
  2⤵
  - System Network Configuration Discovery
  PID:731
- /bin/egrep
  egrep -o "[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}"
  2⤵
  PID:732
- /bin/egrep
  egrep -v "^192\\.168|^172\\.1[6-9]\\.|^172\\.2[0-9]\\.|^172\\.3[0-2]\\.|^10\\.|^127\\.|^255\\.|^0\\."
  2⤵
  PID:733
- /usr/bin/head
  head -n 1
  2⤵
  PID:734
- /bin/grep
  grep -E -v "^192\\.168|^172\\.1[6-9]\\.|^172\\.2[0-9]\\.|^172\\.3[0-2]\\.|^10\\.|^127\\.|^255\\.|^0\\."
  2⤵
  PID:733
- /bin/grep
  grep -E -o "[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}"
  2⤵
  PID:732
- /usr/bin/wget
  wget -qO- -t1 -T2 ipv4.icanhazip.com
  2⤵
  - System Network Configuration Discovery
  PID:738
- /bin/sed
  sed "s/^[ \\t]*//;s/[ \\t]*\$//"
  2⤵
  - Reads runtime system information
  PID:743
- /usr/bin/awk
  awk -F: "/model name/ {name=\$2} END {print name}" /proc/cpuinfo
  2⤵
  - Checks CPU configuration
  PID:742
- /usr/bin/awk
  awk -F: "/model name/ {core++} END {print core}" /proc/cpuinfo
  2⤵
  - Checks CPU configuration
  PID:746
- /usr/bin/awk
  awk -F: "/cpu MHz/ {freq=\$2} END {print freq}" /proc/cpuinfo
  2⤵
  - Checks CPU configuration
  PID:748
- /bin/sed
  sed "s/^[ \\t]*//;s/[ \\t]*\$//"
  2⤵
  - Reads runtime system information
  PID:749
- /usr/bin/awk
  awk "/Mem/ {print \$2}"
  2⤵
  PID:754
- /usr/bin/free
  free -m
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:753
- /usr/bin/free
  free -m
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:757
- /usr/bin/awk
  awk "/Swap/ {print \$2}"
  2⤵
  PID:758
- /usr/bin/awk
  awk "{a=\$1/86400;b=(\$1%86400)/3600;c=(\$1%3600)/60;d=\$1%60} {printf(\"%ddays, %d:%d:%d\\n\",a,b,c,d)}" /proc/uptime
  2⤵
  - Reads runtime system information
  PID:759
- /usr/bin/w
  w
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:762
- /usr/bin/head
  head -1
  2⤵
  PID:763
- /usr/bin/awk
  awk "-Fload average:" "{print \$2}"
  2⤵
  PID:764
- /bin/sed
  sed "s/^[ \\t]*//;s/[ \\t]*\$//"
  2⤵
  PID:765
- /usr/bin/awk
  awk "-F[= \"]" "/PRETTY_NAME/{print \$3,\$4,\$5}" /etc/os-release
  2⤵
  - Reads runtime system information
  PID:767
- /bin/uname
  uname -m
  2⤵
  PID:769
- /usr/bin/getconf
  getconf LONG_BIT
  2⤵
  PID:770
- /bin/hostname
  hostname
  2⤵
  PID:771
- /bin/uname
  uname -r
  2⤵
  PID:772
- /bin/stty
  stty -g
  2⤵
  PID:775
- /bin/stty
  stty -echo
  2⤵
  PID:776
- /bin/stty
  stty cbreak
  2⤵
  PID:777
- /bin/dd
  dd "if=/dev/tty" "bs=1" "count=1"
  2⤵
  PID:778
- /bin/stty
  stty -raw
  2⤵
  PID:779
- /bin/stty
  stty echo
  2⤵
  PID:780
- /bin/stty
  stty
  2⤵
  PID:781
- /bin/mknod
  mknod /dev/random c 1 9
  2⤵
  PID:782
- /bin/grep
  grep -Eqi debian
  2⤵
  PID:784
- /bin/cat
  cat /etc/issue
  2⤵
  PID:783
- /usr/bin/apt-get
  apt-get -y update
  2⤵
  - Writes file to tmp directory
  - Software Deployment Tools
  PID:785
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    PID:786
- - /usr/lib/apt/methods/http
    /usr/lib/apt/methods/http
    3⤵
    PID:787
- - /usr/lib/apt/methods/https
    /usr/lib/apt/methods/https
    3⤵
    PID:788
- - /usr/lib/apt/methods/https
    /usr/lib/apt/methods/https
    3⤵
    PID:789
- - /usr/lib/apt/methods/http
    /usr/lib/apt/methods/http
    3⤵
    PID:790
- - /usr/lib/apt/methods/gpgv
    /usr/lib/apt/methods/gpgv
    3⤵
    PID:792
- - /usr/lib/apt/methods/gpgv
    /usr/lib/apt/methods/gpgv
    3⤵
    - Writes file to tmp directory
    PID:793
  - - /usr/bin/apt-key
      /usr/bin/apt-key --quiet --readonly verify --status-fd 3 /tmp/apt.sig.ICclMw /tmp/apt.data.pk1j3L
      4⤵
      Writes file to tmp directory
      PID:795
    - - /usr/bin/apt-config
        
        apt-config shell MASTER_KEYRING APT::Key::MasterKeyring
        5⤵
        Reads runtime system information
        
        PID:797
      - /usr/bin/dpkg
        
        /usr/bin/dpkg --print-foreign-architectures
        6⤵
        Reads runtime system information
        
        PID:798
    - - /usr/bin/apt-config
        
        apt-config shell ARCHIVE_KEYRING APT::Key::ArchiveKeyring
        5⤵
        
        PID:799
      - /usr/bin/dpkg
        
        /usr/bin/dpkg --print-foreign-architectures
        6⤵
        
        PID:805
    - - /usr/bin/apt-config
        
        apt-config shell REMOVED_KEYS APT::Key::RemovedKeys
        5⤵
        Reads runtime system information
        
        PID:806
      - /usr/bin/dpkg
        
        /usr/bin/dpkg --print-foreign-architectures
        6⤵
        Reads runtime system information
        
        PID:809
    - - /usr/bin/apt-config
        
        apt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI
        5⤵
        
        PID:810
      - /usr/bin/dpkg
        
        /usr/bin/dpkg --print-foreign-architectures
        6⤵
        Reads runtime system information
        
        PID:813
    - - /usr/bin/apt-config
        
        apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring
        5⤵
        
        PID:814
      - /usr/bin/dpkg
        
        /usr/bin/dpkg --print-foreign-architectures
        6⤵
        
        PID:817
    - - /usr/bin/apt-config
        
        apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f
        5⤵
        
        PID:818
      - /usr/bin/dpkg
        
        /usr/bin/dpkg --print-foreign-architectures
        6⤵
        
        PID:821
    - - /usr/bin/apt-config
        
        apt-config shell GPGV Apt::Key::gpgvcommand
        5⤵
        
        PID:823
      - /usr/bin/dpkg
        
        /usr/bin/dpkg --print-foreign-architectures
        6⤵
        
        PID:826
    - - /bin/mktemp
        
        mktemp --directory --tmpdir apt-key-gpghome.XXXXXXXXXX
        5⤵
        
        PID:827
    - - /bin/chmod
        
        chmod 700 /tmp/apt-key-gpghome.u63IoUdi4p
        5⤵
        
        PID:828
    - - /bin/readlink
        
        readlink -f /tmp/apt-key-gpghome.u63IoUdi4p
        5⤵
        
        PID:830
    - - /bin/rm
        
        rm -f /tmp/apt-key-gpghome.u63IoUdi4p/pubring.gpg
        5⤵
        
        PID:831
    - - /bin/touch
        
        touch /tmp/apt-key-gpghome.u63IoUdi4p/pubring.gpg
        5⤵
        Writes file to tmp directory
        
        PID:832
    - - /usr/bin/apt-config
        
        apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d
        5⤵
        
        PID:834
      - /usr/bin/dpkg
        
        /usr/bin/dpkg --print-foreign-architectures
        6⤵
        
        PID:836
    - - /bin/readlink
        
        readlink -f /etc/apt/trusted.gpg.d/
        5⤵
        
        PID:838
    - - /usr/bin/find
        
        find /etc/apt/trusted.gpg.d -mindepth 1 -maxdepth 1 "(" -name "*.gpg" -o -name "*.asc" ")"
        5⤵
        
        PID:839
    - - /usr/bin/sort
        
        sort
        5⤵
        
        PID:842
    - - /bin/cat
        
        cat /etc/apt/trusted.gpg.d/debian-archive-buster-automatic.gpg
        5⤵
        
        PID:845
    - - /bin/cat
        
        cat /etc/apt/trusted.gpg.d/debian-archive-buster-security-automatic.gpg
        5⤵
        
        PID:848
    - - /bin/cat
        
        cat /etc/apt/trusted.gpg.d/debian-archive-buster-stable.gpg
        5⤵
        
        PID:850
    - - /bin/cat
        
        cat /etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg
        5⤵
        
        PID:852
    - - /bin/cat
        
        cat /etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg
        5⤵
        
        PID:854
    - - /bin/cat
        
        cat /etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg
        5⤵
        
        PID:857
    - - /bin/cat
        
        cat /etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg
        5⤵
        
        PID:859
    - - /bin/cat
        
        cat /etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg
        5⤵
        
        PID:862
    - - /bin/cat
        
        cat /etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg
        5⤵
        
        PID:864
    - - /bin/cp
        
        cp -a /tmp/apt-key-gpghome.u63IoUdi4p/pubring.gpg /tmp/apt-key-gpghome.u63IoUdi4p/pubring.orig.gpg
        5⤵
        Writes file to tmp directory
        
        PID:865
    - - /bin/sed
        
        sed -e "s#'#'\"'\"'#g"
        5⤵
        
        PID:868
    - - /bin/sed
        
        sed -e "s#'#'\"'\"'#g"
        5⤵
        
        PID:872
    - - /usr/bin/gpgv
        
        gpgv --homedir /tmp/apt-key-gpghome.u63IoUdi4p --keyring /tmp/apt-key-gpghome.u63IoUdi4p/pubring.gpg --ignore-time-conflict --status-fd 3 /tmp/apt.sig.ICclMw /tmp/apt.data.pk1j3L
        5⤵
        Reads runtime system information
        
        PID:874
    - - /usr/bin/gpgconf
        
        gpgconf --kill gpg-agent
        5⤵
        Reads runtime system information
        
        PID:875
      - /usr/bin/gpg-connect-agent
        
        gpg-connect-agent --no-autostart KILLAGENT
        6⤵
        Reads runtime system information
        
        PID:877
    - - /bin/rm
        
        rm -rf /tmp/apt-key-gpghome.u63IoUdi4p
        5⤵
        
        PID:879
  - - /usr/bin/apt-key
      /usr/bin/apt-key --quiet --readonly verify --status-fd 3 /var/lib/apt/lists/archive.debian.org_debian_dists_stretch_Release.gpg /var/lib/apt/lists/archive.debian.org_debian_dists_stretch_Release
      4⤵
      Writes file to tmp directory
      PID:881
    - - /usr/bin/apt-config
        
        apt-config shell MASTER_KEYRING APT::Key::MasterKeyring
        5⤵
        
        PID:884
      - /usr/bin/dpkg
        
        /usr/bin/dpkg --print-foreign-architectures
        6⤵
        
        PID:886
    - - /usr/bin/apt-config
        
        apt-config shell ARCHIVE_KEYRING APT::Key::ArchiveKeyring
        5⤵
        
        PID:888
      - /usr/bin/dpkg
        
        /usr/bin/dpkg --print-foreign-architectures
        6⤵
        
        PID:890
    - - /usr/bin/apt-config
        
        apt-config shell REMOVED_KEYS APT::Key::RemovedKeys
        5⤵
        
        PID:892
      - /usr/bin/dpkg
        
        /usr/bin/dpkg --print-foreign-architectures
        6⤵
        
        PID:896
    - - /usr/bin/apt-config
        
        apt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI
        5⤵
        
        PID:897
      - /usr/bin/dpkg
        
        /usr/bin/dpkg --print-foreign-architectures
        6⤵
        
        PID:899
    - - /usr/bin/apt-config
        
        apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring
        5⤵
        Reads runtime system information
        
        PID:902
      - /usr/bin/dpkg
        
        /usr/bin/dpkg --print-foreign-architectures
        6⤵
        
        PID:906
    - - /usr/bin/apt-config
        
        apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f
        5⤵
        
        PID:907
      - /usr/bin/dpkg
        
        /usr/bin/dpkg --print-foreign-architectures
        6⤵
        
        PID:910
    - - /usr/bin/apt-config
        
        apt-config shell GPGV Apt::Key::gpgvcommand
        5⤵
        
        PID:912
      - /usr/bin/dpkg
        
        /usr/bin/dpkg --print-foreign-architectures
        6⤵
        Reads runtime system information
        
        PID:915
    - - /bin/mktemp
        
        mktemp --directory --tmpdir apt-key-gpghome.XXXXXXXXXX
        5⤵
        
        PID:917
    - - /bin/chmod
        
        chmod 700 /tmp/apt-key-gpghome.PA6IA8b7ZW
        5⤵
        
        PID:918
    - - /bin/readlink
        
        readlink -f /tmp/apt-key-gpghome.PA6IA8b7ZW
        5⤵
        
        PID:919
    - - /bin/rm
        
        rm -f /tmp/apt-key-gpghome.PA6IA8b7ZW/pubring.gpg
        5⤵
        
        PID:920
    - - /bin/touch
        
        touch /tmp/apt-key-gpghome.PA6IA8b7ZW/pubring.gpg
        5⤵
        Writes file to tmp directory
        
        PID:921
    - - /usr/bin/apt-config
        
        apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d
        5⤵
        Reads runtime system information
        
        PID:923
      - /usr/bin/dpkg
        
        /usr/bin/dpkg --print-foreign-architectures
        6⤵
        
        PID:924
    - - /bin/readlink
        
        readlink -f /etc/apt/trusted.gpg.d/
        5⤵
        
        PID:925
    - - /usr/bin/find
        
        find /etc/apt/trusted.gpg.d -mindepth 1 -maxdepth 1 "(" -name "*.gpg" -o -name "*.asc" ")"
        5⤵
        
        PID:926
    - - /usr/bin/sort
        
        sort
        5⤵
        
        PID:929
    - - /bin/cat
        
        cat /etc/apt/trusted.gpg.d/debian-archive-buster-automatic.gpg
        5⤵
        
        PID:932
    - - /bin/cat
        
        cat /etc/apt/trusted.gpg.d/debian-archive-buster-security-automatic.gpg
        5⤵
        
        PID:934
    - - /bin/cat
        
        cat /etc/apt/trusted.gpg.d/debian-archive-buster-stable.gpg
        5⤵
        
        PID:936
    - - /bin/cat
        
        cat /etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg
        5⤵
        
        PID:938
    - - /bin/cat
        
        cat /etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg
        5⤵
        
        PID:940
    - - /bin/cat
        
        cat /etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg
        5⤵
        
        PID:942
    - - /bin/cat
        
        cat /etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg
        5⤵
        
        PID:944
    - - /bin/cat
        
        cat /etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg
        5⤵
        
        PID:946
    - - /bin/cat
        
        cat /etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg
        5⤵
        
        PID:948
    - - /bin/cp
        
        cp -a /tmp/apt-key-gpghome.PA6IA8b7ZW/pubring.gpg /tmp/apt-key-gpghome.PA6IA8b7ZW/pubring.orig.gpg
        5⤵
        Writes file to tmp directory
        
        PID:949
    - - /bin/sed
        
        sed -e "s#'#'\"'\"'#g"
        5⤵
        
        PID:952
    - - /bin/sed
        
        sed -e "s#'#'\"'\"'#g"
        5⤵
        
        PID:955
    - - /usr/bin/gpgv
        
        gpgv --homedir /tmp/apt-key-gpghome.PA6IA8b7ZW --keyring /tmp/apt-key-gpghome.PA6IA8b7ZW/pubring.gpg --ignore-time-conflict --status-fd 3 /var/lib/apt/lists/archive.debian.org_debian_dists_stretch_Release.gpg /var/lib/apt/lists/archive.debian.org_debian_dists_stretch_Release
        5⤵
        Reads runtime system information
        
        PID:956
    - - /usr/bin/gpgconf
        
        gpgconf --kill gpg-agent
        5⤵
        
        PID:957
      - /usr/bin/gpg-connect-agent
        
        gpg-connect-agent --no-autostart KILLAGENT
        6⤵
        Reads runtime system information
        
        PID:958
    - - /bin/rm
        
        rm -rf /tmp/apt-key-gpghome.PA6IA8b7ZW
        5⤵
        
        PID:959
  - - /usr/bin/apt-key
      /usr/bin/apt-key --quiet --readonly --keyring /usr/share/keyrings/nodesource.gpg verify --status-fd 3 /tmp/apt.sig.8q6e2U /tmp/apt.data.sIe7eP
      4⤵
      Writes file to tmp directory
      PID:961
    - - /usr/bin/apt-config
        
        apt-config shell MASTER_KEYRING APT::Key::MasterKeyring
        5⤵
        
        PID:963
      - /usr/bin/dpkg
        
        /usr/bin/dpkg --print-foreign-architectures
        6⤵
        Reads runtime system information
        
        PID:964
    - - /usr/bin/apt-config
        
        apt-config shell ARCHIVE_KEYRING APT::Key::ArchiveKeyring
        5⤵
        Reads runtime system information
        
        PID:965
      - /usr/bin/dpkg
        
        /usr/bin/dpkg --print-foreign-architectures
        6⤵
        
        PID:966
    - - /usr/bin/apt-config
        
        apt-config shell REMOVED_KEYS APT::Key::RemovedKeys
        5⤵
        
        PID:967
      - /usr/bin/dpkg
        
        /usr/bin/dpkg --print-foreign-architectures
        6⤵
        
        PID:968
    - - /usr/bin/apt-config
        
        apt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI
        5⤵
        
        PID:969
      - /usr/bin/dpkg
        
        /usr/bin/dpkg --print-foreign-architectures
        6⤵
        
        PID:970
    - - /usr/bin/apt-config
        
        apt-config shell GPGV Apt::Key::gpgvcommand
        5⤵
        Reads runtime system information
        
        PID:972
      - /usr/bin/dpkg
        
        /usr/bin/dpkg --print-foreign-architectures
        6⤵
        
        PID:973
    - - /bin/mktemp
        
        mktemp --directory --tmpdir apt-key-gpghome.XXXXXXXXXX
        5⤵
        
        PID:974
    - - /bin/chmod
        
        chmod 700 /tmp/apt-key-gpghome.zkzS4smG69
        5⤵
        
        PID:975
    - - /bin/sed
        
        sed -e "s#'#'\"'\"'#g"
        5⤵
        Reads runtime system information
        
        PID:980
    - - /bin/sed
        
        sed -e "s#'#'\"'\"'#g"
        5⤵
        
        PID:984
    - - /usr/bin/gpgv
        
        gpgv --homedir /tmp/apt-key-gpghome.zkzS4smG69 --keyring /usr/share/keyrings/nodesource.gpg --ignore-time-conflict --status-fd 3 /tmp/apt.sig.8q6e2U /tmp/apt.data.sIe7eP
        5⤵
        Reads runtime system information
        
        PID:986
    - - /usr/bin/gpgconf
        
        gpgconf --kill gpg-agent
        5⤵
        Reads runtime system information
        
        PID:989
      - /usr/bin/gpg-connect-agent
        
        gpg-connect-agent --no-autostart KILLAGENT
        6⤵
        Reads runtime system information
        
        PID:990
    - - /bin/rm
        
        rm -rf /tmp/apt-key-gpghome.zkzS4smG69
        5⤵
        
        PID:991
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    PID:994
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    PID:1019
- /bin/cat
  cat /etc/issue
  2⤵
  PID:1020
- /bin/grep
  grep -Eqi debian
  2⤵
  PID:1021
- /usr/bin/awk
  awk "-F[= \"]" "/PRETTY_NAME/{print \$3,\$4,\$5}" /etc/os-release
  2⤵
  PID:1023
- /bin/sed
  sed "s/[^0-9]//g"
  2⤵
  PID:1026
- /usr/bin/apt-get
  apt-get -y install wget gcc ppp flex bison make python libnss3-dev libnss3-tools libselinux-dev iptables libnspr4-dev pkg-config libpam0g-dev libcap-ng-dev libcap-ng-utils libunbound-dev libevent-dev libcurl4-nss-dev libsystemd-dev
  2⤵
  - Deletes log files
  - Writes file to tmp directory
  PID:1027
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1028
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    PID:1029
- - /usr/lib/apt/methods/http
    /usr/lib/apt/methods/http
    3⤵
    PID:1030
- - /usr/lib/apt/methods/http
    /usr/lib/apt/methods/http
    3⤵
    PID:1031

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Software Deployment Tools

T1072

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

Clear Linux or Mac System Logs

T1070.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Software Deployment Tools

T1072

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/apt-key-gpghome.PA6IA8b7ZW/gpg.1.sh

Filesize
82B

MD5
4eaf9d99fa02a9845da4269c0727023b

SHA1
3ee362c4b3b1778b9d62cb5ce14daa537419117e

SHA256
af70283788387fce84d093e8bfa42a7509a356946d80e823c38d5a451aa09800

SHA512
ad48f1c436a1cc56f3af84b65319d88b61bf24a17672dfb695c78c9749437b2d19f1a7f429f7daf2f9d08830ad0591a1fb0977acbbf966257b0fcde07bcdcace

Download Submit
/tmp/apt-key-gpghome.u63IoUdi4p/gpg.1.sh

Filesize
82B

MD5
f08a6cc4f2d5da3432b2c4683b8c7e5a

SHA1
21be5f77f93bb33285c3d45111fc470b7146473f

SHA256
489c724c45d72b93bc4f71239b9d29123c687d07af5643199597832ac7fef67e

SHA512
2974404cab95dec57c97efd693b237f54e5a81b3ac60b7c2da1ab2d0f3178b784a97776ca0fc74122015ada3d19118afa3445d82c8fb27f530cbd32c1c3247cb

Download Submit
/tmp/apt-key-gpghome.u63IoUdi4p/pubring.gpg

Filesize
7KB

MD5
b53e6ca4ed295fc38621315853f623d0

SHA1
45a416f014809735ec88854a3540c8e9e89eb102

SHA256
6246307cc0130f6bd52510a477960f7c7be431b25979d7e20a88dc2fac58ac93

SHA512
30b5d2571840c2319a4af3907afda8ab00cf2879c83aaee1048ca972c0d3ddbf7995a167a31b19c45195b636ab46e73b0534459c6ee79c557fac8bfc01d857ac

Download Submit
/tmp/apt-key-gpghome.u63IoUdi4p/pubring.gpg

Filesize
15KB

MD5
2713b38b3d7345961d8b80f4463483b8

SHA1
e6ec76aaebfea6a82f7984b57e07522a20365201

SHA256
389d00b5cbd2f69f32065448000a0607aec056e39af958f62e89c4c7e6228248

SHA512
ecee7b3045f49f7fa7443a8658602817bb2c8d2d07ae930536e3f2daaa5854903bf339af6c2fd4b02f8627f050ce360d2feddcf40569b58d304cfc459f418978

Download Submit
/tmp/apt-key-gpghome.u63IoUdi4p/pubring.gpg

Filesize
18KB

MD5
760d3ab91f417958475b9a6342a5b92e

SHA1
137a06aea4b5c9e9ca11f0f5f1225da1c275c334

SHA256
42b348802c4290af6f9f30f984513f22fdd342ac3561ccb82957561a6b7c291f

SHA512
6cefcfae1c95c94b66b46d9242e62ddf7d7c65bd8d9bc9dc4e4c6230443ba33668ed160e1882f48a0b5daf59a46ccca09240ebe666017f059bd55e02fb1f2db6

Download Submit
/tmp/apt-key-gpghome.u63IoUdi4p/pubring.gpg

Filesize
23KB

MD5
d63fbab9dfb826d53f7b3aaea45dbfb5

SHA1
59841d8e5423f788292af76d4350a948f4e25f53

SHA256
de329f1f48b751a7527f8ce3150452a4282ce69990e9318ab82d5b46b9f751ca

SHA512
20118f98c87eb60f0abafd5b4c2ffb4b1faf92777ee7402b98c0f5dc42d492c83f94d6903bdeee006187ac344a57afeaa84b54a973b483ff13e49773071d8198

Download Submit
/tmp/apt-key-gpghome.u63IoUdi4p/pubring.gpg

Filesize
47KB

MD5
a4dc094481f22304cab5550218e6e4de

SHA1
f5886a324c0c026d0168656f23d1d898a0e43bd6

SHA256
eef8c4d7d518a986e4f1cfeec729b55369b863ed6b62a23cbe9d88aa56de5391

SHA512
0f040c957db3d500ba18315db33cca6eb18f9c80d952710f839833a73dd89b72e2e01178084c17348e312a427a6b9150937199b4912e71dfd1a7e2dd43723f68

Download Submit
/tmp/apt-key-gpghome.zkzS4smG69/gpg.1.sh

Filesize
73B

MD5
b67eec294a99b2826e6380e50400efb9

SHA1
f692aed05a7300e93f312a2efa0da820d13bb78a

SHA256
cc159dd92a3828c99c3884da5eff5f5e44abcbd90d1f2d04dca6f2ae11ae88e2

SHA512
c11ab997476310ebb1b4980cf8ce85a221d995d869e34fda5f1cd08d7892bd582a19caec4ae7d6246dd651df369bbcef3008108bb8d4c0b5d381730795070b4f

Download Submit
/tmp/apt.conf.LOMUMg

Filesize
7KB

MD5
cc6215bd5f69f08a7605f78da19c20f8

SHA1
40e85cedba9dca9e6d0a6ae65741e9b7542a912a

SHA256
805feca42eedd7538fd9afb9c519696c99f92d7f15041bc8a87ab33361e919e4

SHA512
c3ac166d079b430fab51163c7529a5b6826771d949fa8b9a9a3b4d6fa858a4db6663dbbe908520d904e992a244eb64b288fa435e8db41bb09e4eecdebb9d29c9

Download Submit
/tmp/apt.data.pk1j3L

Filesize
56KB

MD5
fd96c8ce5d0ef18d63bbe9ae17bb2659

SHA1
76b284743d95d3546df9d85c09712c830a30f614

SHA256
ffc8a7a283b61633aac383ddf8f863df3f39ef241a07a4127f51a2495ef674b3

SHA512
2486acdfc102f8f8498d8db2f205915115444dd118507369044202dc9a97109b4c738a2faf16c1f5ce5e4452ae0af17ae4691ac3bf5e7c5e2db271c0f40a4cb2

Download Submit
/tmp/apt.sig.ICclMw

Filesize
1KB

MD5
70274ce622b0cc437ef7f0caddc9d232

SHA1
124513a3ad2eb5aafa9be0920681e3bb8625979b

SHA256
4055d2ccc7c4be062ed390944548206ece5ed7613eae114b9e53ef15f3905230

SHA512
fed0054da258bb4a99e8adac359322d9ecc67caeee872309ea7d9863db6a1ec2a55497100e31538f42b43b9efc997e779e3774c8a0c6b0206254d7252d8699c8

Download Submit
/tmp/l2tp.log

Filesize
3KB

MD5
8ad8a90f4c6fe92e4765eae0344c508f

SHA1
2ce258d7bc805e2aa6d9bac22e04edd9b717c250

SHA256
9149b447eb8590d78ac57459d785fea96af81890359c44710c8869c5478eaaaa

SHA512
ca4e06d2151169b6cfdce9cfe9600c71b51d050a907fb94e52f643d2a2a1b4cdc3b89370366f07d79952bc401729c00c7a92b0a52f96c6c013ec3964c63d42f7

Download Submit
/var/cache/apt/archives/partial/bison_2%3a3.0.4.dfsg-1+b1_mipsel.deb

Filesize
755KB

MD5
a043201e40765fabe4e9c2972baac45b

SHA1
f7ae3423c88379a801416de85d3a722988c1b6bf

SHA256
fae72bf6f9a5de3e964f047f40297f8cca1130d76de5d7390e6b8a111f19762f

SHA512
e188f870cea455df1831f15cbe0c5fd4e3467e2e430f0ee4476b0f47cb8024f6572f14021ca92e3176cafa59892b89362d1ba67cc9750f013b67201aeba94a27

Download Submit
/var/cache/apt/archives/partial/flex_2.6.1-1.3_mipsel.deb

Filesize
418KB

MD5
ff5b416d0b3637907b1c9a3643f85a49

SHA1
edb71a8bcddc68ca53f8df2bb022033f1b9b9e43

SHA256
8db9901d92ec9ee6f94ae01f788b54271bb32c8272b2327d6bb4cc7563e5f34c

SHA512
4f77fce990ec9fda07e3d79f0b3da2494b403d392bf36b7a6b07864128e8f42ef8daaa3c36ebad329c5a1ae58a331c9002200689dfb16123cecb16f7b959c96c

Download Submit
/var/cache/apt/archives/partial/libbison-dev_2%3a3.0.4.dfsg-1+b1_mipsel.deb

Filesize
423KB

MD5
847357b3cbe22a9dc78de2d7b147100b

SHA1
9cc51c616895d2a95127701fc6636c74090d42a5

SHA256
f28ca90efbd8531bd1d3e2b1d79a4046fd7deaffb6521af0cb3a010ec688b5cc

SHA512
e79394247e8d637879e0327a61beb0e20607024bf4b0e26a7b86567ded8a7c37ae282aaae4e667ca430066770ae73bea888d9a762cfddb669d0f32d42a256289

Download Submit
/var/cache/apt/archives/partial/libcap-ng-dev_0.7.7-3+b1_mipsel.deb

Filesize
25KB

MD5
812633775b88ba10bdc7daa3475e187d

SHA1
269d7414719e741fa6232de80f58202ca82f7162

SHA256
9b31835e01d9dc9069319cf19c078b5f2006bc3e01968e485a489e63cd63dd3d

SHA512
eeef4542a273938e9351ddc3acd7e3016552f32c3bdb9dc2e19584d46182c81cc004202411b37855828a728a0a03579648fdbefb63a3e0296a73e332bfe5fdd2

Download Submit
/var/cache/apt/archives/partial/libcap-ng-utils_0.7.7-3+b1_mipsel.deb

Filesize
18KB

MD5
98997036f73354f4f76d725c599102be

SHA1
ff23ab4d20d66edc68d65b4e05fcc8560314e24d

SHA256
3ef4d7998b5471be70a7fb377d1ad2fcad3683af00fb04c5f9b2bdd1903e400b

SHA512
84b54581fb7f24e00ba2ceb605e29c2468c334b328291ea61c80c2937a5333ce178cb2db7ef09042079f1d07c13a9232a804431c672780cccd49f82a1162db22

Download Submit
/var/cache/apt/archives/partial/libevent-2.0-5_2.0.21-stable-3_mipsel.deb

Filesize
132KB

MD5
773a210ad0c744a7c64752d04cb2081f

SHA1
5922b68476c7afb1e11eb5d7ea9d5e3dab82b5d8

SHA256
de81371f5dd33e849ee0f8764274ef4037c87db17fa95ef9c0e5508e5f0354a2

SHA512
831de5172efc13bb60335a6a88afbfaa489695b39a32d5b4ea1a6dcf5ede4d5532f39b96bc202ccdf541f66c2085a20ad16796963111959cbeb5161121d00632

Download Submit
/var/cache/apt/archives/partial/libnspr4_2%3a4.12-6_mipsel.deb

Filesize
104KB

MD5
9a71c0d4a76bd32c4c5b10a0c97693b9

SHA1
06426926634a012ed543bc7bd73aa6917b7e7aa6

SHA256
b1552a806f9daea7ee2edb7f0505837f26335687ad8555a1f984d8619e3260df

SHA512
96af708402714597cd63dcba15eee075abfa065c14da41b737ea016995a24b422d01bfe629d3e0f3d9ac28c6c405676c3c17b81855f2c4d762c7edf68b5e0a2b

Download Submit
/var/cache/apt/archives/partial/libnss3_2%3a3.26.2-1.1+deb9u1_mipsel.deb

Filesize
172KB

MD5
df79c8e0f84316d0901088f91d5551e7

SHA1
d50deb8b848c5c379d5261a26d6c834e622c02bd

SHA256
91afc90727bc9a82eba633ae000c1869e2c85bd06de546e9429ccd6d39680d94

SHA512
c31b5f2e6167e0f39ab3958ad8f415638bba147f4c9dd1fb9149c234ac1a0a001377fb482b623c331333b9842597c312dd39d217d241ee464229c896c03664f8

Download Submit
/var/cache/apt/archives/partial/libpcrecpp0v5_2%3a8.39-3_mipsel.deb

Filesize
147KB

MD5
64897294f96ea37eee9ef9ea605e22f8

SHA1
d0a6f62cfceaa464b614657eccbe8df2413569ef

SHA256
4c384532e5ed2a5a3442b2530da7db4eeea5bb1cc3724eb84f685fadb88337ab

SHA512
df69834b2da31ef06fcf76c32a5f43e66969ed842b9b4d68c7e4d10106531eeea10129604e285e211760f89b0e502197e911b30372c8565913f89f584713779e

Download Submit